
privilege,executor: update DBIsVisible() function for RBAC #10261

Merged
merged 3 commits into from May 8, 2019

Conversation

@tiancaiamao (Contributor) commented Apr 25, 2019

What problem does this PR solve?

	CREATE DATABASE app_db
	CREATE ROLE 'app_developer'
	GRANT ALL ON app_db.* TO 'app_developer'
	CREATE USER 'dev'@'localhost'
	GRANT 'app_developer' TO 'dev'@'localhost'
	SET DEFAULT ROLE 'app_developer' TO 'dev'@'localhost'

login as 'dev'@'localhost'

Before:

  mysql> use app_db
  ERROR 1044 (42000): Access denied for user 'dev'@'localhost' to database 'app_db'

After:

  mysql> use app_db;
  Database changed

What is changed and how it works?

`USE DB` checks privileges using the DBIsVisible() function; that function should take roles into consideration.

Check List

Tests

  • Unit test
@codecov commented Apr 26, 2019

Codecov Report

❗️ No coverage uploaded for pull request base (master@e56a14b).
The diff coverage is 66.6666%.

@@             Coverage Diff             @@
##             master     #10261   +/-   ##
===========================================
  Coverage          ?   77.3838%           
===========================================
  Files             ?        412           
  Lines             ?      85713           
  Branches          ?          0           
===========================================
  Hits              ?      66328           
  Misses            ?      14352           
  Partials          ?       5033
@jackysp (Member) left a comment

LGTM

@jackysp jackysp requested review from imtbkcat and lysu Apr 29, 2019

@jackysp (Member) commented Apr 29, 2019

/run-all-tests

if SkipWithGrant {
return true
}
mysqlPriv := p.Handle.Get()
return mysqlPriv.DBIsVisible(p.user, p.host, db)
if mysqlPriv.DBIsVisible(p.user, p.host, db) {
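Review bot: the replaced `return mysqlPriv.DBIsVisible(p.user, p.host, db)` becomes `if mysqlPriv.DBIsVisible(p.user, p.host, db) {`, so whatever follows that `if` is now the branch that decides access for a user whose only grant comes through a role, and that branch is cut off from this snippet; make sure it expands roles transitively (a role granted to a role granted to the user) rather than reading only the session's directly active roles, and that the function still returns false when neither the user nor any reachable role holds a grant on `db`. The `SkipWithGrant` early return above it bypasses the visibility check entirely; that is the existing skip-grant behaviour and should stay limited to that mode.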

@imtbkcat (Contributor) commented Apr 29, 2019 on the diff above:

If r_1 has the privilege, r_2 doesn't have it, and they have a relationship like r_1 -> r_2 -> user, the user should have the privilege to visit the db.

@tiancaiamao (Author, Contributor) commented Apr 30, 2019:

Do you mean the user has role r_2, and r_2 has role r_1?

I think activeRoles contains both r_1 and r_2? @imtbkcat

@imtbkcat (Contributor) commented May 5, 2019:

ctx.ActiveRoles just contains r_1; you could use MySQLPrivileges.FindAllRole to get r_1 and r_2.

@tiancaiamao (Author, Contributor) commented May 8, 2019:

Done.
PTAL @imtbkcat
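The scenario from the pull request description (a user whose only grant on `app_db` comes through the default role `app_developer`) and the transitive case raised in the review thread above (r_1 holds the grant, r_1 is granted to r_2, r_2 is granted to the user, yet only r_2 is among the session's active roles) can be exercised together with a small in-memory model of the check. The following is an added example written for this page, not TiDB's code: `Account`, `Privileges`, `GrantDB`, `GrantRole`, `FindAllRoles` and `scenario` are this example's own names, the grant data is constructed, host matching is exact rather than wildcard, and only `DBIsVisible` borrows its name from the pull request. `DBIsVisibleUserOnly` stands in for the pre-fix behaviour that ignores roles.

```go
package main

import "fmt"

// Added example, not TiDB code: a minimal model of the `USE db` visibility check.
// A database is visible when the user holds a grant on it or any role reachable
// from the user's active roles does; role grants are followed transitively
// (r_1 -> r_2 -> user) with cycle protection. All names here are this example's own.

// Account identifies a user or a role by name and host.
type Account struct {
	User string
	Host string
}

// Privileges is a constructed in-memory stand-in for the grant tables.
type Privileges struct {
	dbGrants  map[Account]map[string]bool // account -> databases it has grants on
	roleEdges map[Account][]Account       // grantee -> roles granted directly to it
}

// NewPrivileges returns an empty privilege store.
func NewPrivileges() *Privileges {
	return &Privileges{dbGrants: map[Account]map[string]bool{}, roleEdges: map[Account][]Account{}}
}

// GrantDB records GRANT ... ON db.* TO acct.
func (p *Privileges) GrantDB(acct Account, db string) {
	if p.dbGrants[acct] == nil {
		p.dbGrants[acct] = map[string]bool{}
	}
	p.dbGrants[acct][db] = true
}

// GrantRole records GRANT role TO grantee; grantee may itself be a role.
func (p *Privileges) GrantRole(role, grantee Account) {
	p.roleEdges[grantee] = append(p.roleEdges[grantee], role)
}

// FindAllRoles expands the active roles into every role reachable through
// role-to-role grants; the visited set stops cyclic grants from looping forever.
func (p *Privileges) FindAllRoles(active []Account) []Account {
	visited := map[Account]bool{}
	var all []Account
	queue := append([]Account(nil), active...)
	for len(queue) > 0 {
		r := queue[0]
		queue = queue[1:]
		if visited[r] {
			continue
		}
		visited[r] = true
		all = append(all, r)
		queue = append(queue, p.roleEdges[r]...)
	}
	return all
}

// DBIsVisibleUserOnly is the pre-fix behaviour: only the user's own grants count.
func (p *Privileges) DBIsVisibleUserOnly(user, host, db string) bool {
	return p.dbGrants[Account{User: user, Host: host}][db]
}

// DBIsVisible is the role-aware check: the user's own grants first, then every
// role in the transitive closure of activeRoles.
func (p *Privileges) DBIsVisible(user, host, db string, activeRoles []Account) bool {
	if p.DBIsVisibleUserOnly(user, host, db) {
		return true
	}
	for _, r := range p.FindAllRoles(activeRoles) {
		if p.dbGrants[r][db] {
			return true
		}
	}
	return false
}

// scenario builds the grants from the pull request plus the transitive chain
// raised in review (constructed sample data).
func scenario() *Privileges {
	p := NewPrivileges()
	dev, appDev := Account{"dev", "localhost"}, Account{"app_developer", "%"}
	p.GrantDB(appDev, "app_db") // GRANT ALL ON app_db.* TO 'app_developer'
	p.GrantRole(appDev, dev)    // GRANT 'app_developer' TO 'dev'@'localhost'
	r1, r2 := Account{"r_1", "%"}, Account{"r_2", "%"}
	p.GrantDB(r1, "reports_db") // r_1 holds the grant, r_1 -> r_2 -> dev
	p.GrantRole(r1, r2)
	p.GrantRole(r2, dev)
	return p
}

func main() {
	p := scenario()
	active := []Account{{"app_developer", "%"}, {"r_2", "%"}} // SET DEFAULT ROLE ...
	fmt.Println("before (user grants only):", p.DBIsVisibleUserOnly("dev", "localhost", "app_db"))
	fmt.Println("after (roles considered):", p.DBIsVisible("dev", "localhost", "app_db", active))
	fmt.Println("transitive r_1 -> r_2 -> dev:", p.DBIsVisible("dev", "localhost", "reports_db", active))
}
```

The breadth-first expansion in `FindAllRoles` is the part that matters for the review point: checking only the directly active roles would miss `reports_db`, because r_1 is never activated on the session, only reached through r_2. The visited set is what keeps a mutual grant (r_1 to r_2 and r_2 to r_1) from turning a privilege check into an infinite loop, which is the kind of failure a role graph invites once roles can be granted to roles.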

@tiancaiamao tiancaiamao force-pushed the tiancaiamao:db-visible-role branch from 8e5e12d to 9d2a773 May 8, 2019

@imtbkcat (Contributor) commented May 8, 2019

/run-all-tests

@imtbkcat (Contributor) left a comment

LGTM

@tiancaiamao tiancaiamao added status/LGT2 and removed status/LGT1 labels May 8, 2019

@imtbkcat imtbkcat merged commit 1690912 into pingcap:master May 8, 2019

8 checks passed

  • ci/circleci: Your tests passed on CircleCI!
  • codecov/patch: 66.6666% of diff hit (target 0%)
  • codecov/project: No report found to compare against
  • idc-jenkins-ci-tidb/build: Jenkins job succeeded.
  • idc-jenkins-ci-tidb/build_check_race: Jenkins job succeeded.
  • idc-jenkins-ci-tidb/check_dev: Jenkins job succeeded.
  • idc-jenkins-ci-tidb/check_dev_2: Jenkins job succeeded.
  • license/cla: Contributor License Agreement is signed.

@tiancaiamao tiancaiamao deleted the tiancaiamao:db-visible-role branch May 8, 2019
