executor: grant table level privilege should check table exist

executor/grant.go

@@ -67,6 +67,29 @@ func (e *GrantExec) Next(ctx context.Context, req *chunk.Chunk) error {
 	if len(dbName) == 0 {
 		dbName = e.ctx.GetSessionVars().CurrentDB
 	}
+
+	// Make sure the table exist.
+	if e.Level.Level == ast.GrantLevelTable {
+		dbNameStr := model.NewCIStr(dbName)
+		schema := infoschema.GetInfoSchema(e.ctx)
+		tbl, err := schema.TableByName(dbNameStr, model.NewCIStr(e.Level.TableName))
+		if err != nil {
+			return err
+		}
+		err = infoschema.ErrTableNotExists.GenWithStackByArgs(dbName, e.Level.TableName)
+		// Note the table name compare is case sensitive here.
+		if tbl.Meta().Name.String() != e.Level.TableName {
+			return err
+		}
+		if len(e.Level.DBName) > 0 {
+			// The database name should also match.
+			db, succ := schema.SchemaByName(dbNameStr)
+			if !succ || db.Name.String() != dbName {
+				return err
+			}
+		}
+	}
+
 	// Grant for each user
 	for idx, user := range e.Users {
 		// Check if user exists.

executor/grant_test.go

@@ -21,6 +21,7 @@ import (
 	"github.com/pingcap/parser/mysql"
 	"github.com/pingcap/parser/terror"
 	"github.com/pingcap/tidb/executor"
+	"github.com/pingcap/tidb/infoschema"
 	"github.com/pingcap/tidb/util/testkit"
 )
 
@@ -192,6 +193,8 @@ func (s *testSuite3) TestColumnScope(c *C) {
 func (s *testSuite3) TestIssue2456(c *C) {
 	tk := testkit.NewTestKit(c, s.store)
 	tk.MustExec("CREATE USER 'dduser'@'%' IDENTIFIED by '123456';")
+	tk.MustExec("CREATE DATABASE `dddb_%`;")
+	tk.MustExec("CREATE table `dddb_%`.`te%` (id int);")
 	tk.MustExec("GRANT ALL PRIVILEGES ON `dddb_%`.* TO 'dduser'@'%';")
 	tk.MustExec("GRANT ALL PRIVILEGES ON `dddb_%`.`te%` to 'dduser'@'%';")
 }
@@ -307,3 +310,26 @@ func (s *testSuite3) TestMaintainRequire(c *C) {
 	_, err = tk.Exec(`CREATE USER 'u9'@'%' require x509 x509`)
 	c.Assert(err, NotNil)
 }
+
+func (s *testSuite3) TestGrantOnNonExistTable(c *C) {
+	tk := testkit.NewTestKit(c, s.store)
+	tk.MustExec("create user genius")
+	tk.MustExec("use test")
+	_, err := tk.Exec("select * from nonexist")
+	c.Assert(terror.ErrorEqual(err, infoschema.ErrTableNotExists), IsTrue)
+	_, err = tk.Exec("grant Select,Insert on nonexist to 'genius'")
+	c.Assert(terror.ErrorEqual(err, infoschema.ErrTableNotExists), IsTrue)
+
+	tk.MustExec("create table if not exists xx (id int)")
+	// Case sensitive
+	_, err = tk.Exec("grant Select,Insert on XX to 'genius'")
+	c.Assert(terror.ErrorEqual(err, infoschema.ErrTableNotExists), IsTrue)
+	// The database name should also case sensitive match.
+	_, err = tk.Exec("grant Select,Insert on Test.xx to 'genius'")
+	c.Assert(terror.ErrorEqual(err, infoschema.ErrTableNotExists), IsTrue)
+
+	_, err = tk.Exec("grant Select,Insert on xx to 'genius'")
+	c.Assert(err, IsNil)
+	_, err = tk.Exec("grant Select,Update on test.xx to 'genius'")
+	c.Assert(err, IsNil)
+}

executor/simple_test.go

@@ -625,7 +625,7 @@ func (s *testSuite3) TestIssue9111(c *C) {
 	c.Check(err, IsNil)
 
 	tk.MustExec("revoke create user on *.* from 'user_admin'@'localhost';")
-	tk.MustExec("grant insert, delete on mysql.User to 'user_admin'@'localhost';")
+	tk.MustExec("grant insert, delete on mysql.user to 'user_admin'@'localhost';")
 
 	_, err = se.Execute(ctx, `create user test_create_user`)
 	c.Check(err, IsNil)

planner/core/integration_test.go

@@ -343,6 +343,7 @@ func (s *testIntegrationSuite) TestErrNoDB(c *C) {
 	_, err := tk.Exec("grant select on test1111 to test@'%'")
 	c.Assert(errors.Cause(err), Equals, core.ErrNoDB)
 	tk.MustExec("use test")
+	tk.MustExec("create table test1111 (id int)")
 	tk.MustExec("grant select on test1111 to test@'%'")
 }
 

privilege/privileges/privileges_test.go

@@ -361,7 +361,8 @@ func (s *testPrivilegeSuite) TestShowGrants(c *C) {
 	c.Assert(err, IsNil)
 	c.Assert(gs, HasLen, 3)
 	mustExec(c, se, `GRANT INSERT, DELETE ON test.test TO 'r2'`)
-	mustExec(c, se, `GRANT UPDATE ON a.b TO 'testrole'@'localhost'`)
+	mustExec(c, se, `create table test.b (id int)`)
+	mustExec(c, se, `GRANT UPDATE ON test.b TO 'testrole'@'localhost'`)
 	gs, err = pc.ShowGrants(se, &auth.UserIdentity{Username: "testrole", Hostname: "localhost"}, roles)
 	c.Assert(err, IsNil)
 	c.Assert(gs, HasLen, 5)

session/session_test.go

@@ -2906,8 +2906,10 @@ func (s *testSessionSuite2) TestGrantViewRelated(c *C) {
 	err = tkUser.ExecToErr("create view v_version29_c as select * from v_version29;")
 	c.Assert(err, NotNil)
 
-	tkRoot.MustExec(`grant create view on v_version29_c to 'u_version29'@'%'`)
+	tkRoot.MustExec("create view v_version29_c as select * from v_version29;")
+	tkRoot.MustExec(`grant create view on v_version29_c to 'u_version29'@'%'`) // Can't grant privilege on a non-exist table/view.
 	tkRoot.MustQuery("select table_priv from mysql.tables_priv where host='%' and db='test' and user='u_version29' and table_name='v_version29_c'").Check(testkit.Rows("Create View"))
+	tkRoot.MustExec("drop view v_version29_c")
 
 	tkRoot.MustExec(`grant select on v_version29 to 'u_version29'@'%'`)
 	tkUser.MustQuery("select current_user();").Check(testkit.Rows("u_version29@%"))