domain: run FLUSH PRIVILEGES synchronous on GRANT #8886

Merged
merged 2 commits into from
Dec 31, 2018
6 changes: 6 additions & 0 deletions domain/domain.go
Expand Up @@ -43,6 +43,7 @@ import (
"github.com/pingcap/tidb/sessionctx/variable"
"github.com/pingcap/tidb/statistics"
"github.com/pingcap/tidb/util"
"github.com/pingcap/tidb/util/sqlexec"
log "github.com/sirupsen/logrus"
"google.golang.org/grpc"
"google.golang.org/grpc/keepalive"
Expand Down Expand Up @@ -957,6 +958,11 @@ func (do *Domain) NotifyUpdatePrivilege(ctx sessionctx.Context) {
log.Warn("notify update privilege failed:", err)
}
}
// update locally
_, _, err := ctx.(sqlexec.RestrictedSQLExecutor).ExecRestrictedSQL(ctx, `FLUSH PRIVILEGES`)
if err != nil {
log.Errorf("Unable to update privileges: %s", err)
}
}

func recoverInDomain(funcName string, quit bool) {
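Review bot: The local reload added at the end of `NotifyUpdatePrivilege` uses an unchecked type assertion, `ctx.(sqlexec.RestrictedSQLExecutor)`, which panics if a caller ever passes a `sessionctx.Context` that does not implement that interface. The comma-ok form, `exec, ok := ctx.(sqlexec.RestrictedSQLExecutor)` followed by a logged early return when `!ok`, would avoid that. A failed reload is also only logged, and the function has no return value, so the statement that triggered it (GRANT here, presumably REVOKE and DROP USER as well) still reports success while this node keeps serving the old privilege cache. For a revocation that means the removed privilege stays usable on this node until a later reload succeeds, which deserves a comment at the call such as `// best effort: on failure this node keeps the stale privilege cache until the next reload`. The function starts outside the hunk, so how the notification path above it behaves is inferred from the visible `log.Warn` lines only.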
29 changes: 2 additions & 27 deletions privilege/privileges/privileges_test.go
Expand Up @@ -104,45 +104,38 @@ func (s *testPrivilegeSuite) TearDownTest(c *C) {
func (s *testPrivilegeSuite) TestCheckDBPrivilege(c *C) {
rootSe := newSession(c, s.store, s.dbName)
mustExec(c, rootSe, `CREATE USER 'testcheck'@'localhost';`)
mustExec(c, rootSe, `FLUSH PRIVILEGES;`)

se := newSession(c, s.store, s.dbName)
c.Assert(se.Auth(&auth.UserIdentity{Username: "testcheck", Hostname: "localhost"}, nil, nil), IsTrue)
pc := privilege.GetPrivilegeManager(se)
c.Assert(pc.RequestVerification("test", "", "", mysql.SelectPriv), IsFalse)

mustExec(c, rootSe, `GRANT SELECT ON *.* TO 'testcheck'@'localhost';`)
mustExec(c, rootSe, `FLUSH PRIVILEGES;`)
c.Assert(pc.RequestVerification("test", "", "", mysql.SelectPriv), IsTrue)
c.Assert(pc.RequestVerification("test", "", "", mysql.UpdatePriv), IsFalse)

mustExec(c, rootSe, `GRANT Update ON test.* TO 'testcheck'@'localhost';`)
mustExec(c, rootSe, `FLUSH PRIVILEGES;`)
c.Assert(pc.RequestVerification("test", "", "", mysql.UpdatePriv), IsTrue)
}

func (s *testPrivilegeSuite) TestCheckTablePrivilege(c *C) {
rootSe := newSession(c, s.store, s.dbName)
mustExec(c, rootSe, `CREATE USER 'test1'@'localhost';`)
mustExec(c, rootSe, `FLUSH PRIVILEGES;`)

se := newSession(c, s.store, s.dbName)
c.Assert(se.Auth(&auth.UserIdentity{Username: "test1", Hostname: "localhost"}, nil, nil), IsTrue)
pc := privilege.GetPrivilegeManager(se)
c.Assert(pc.RequestVerification("test", "test", "", mysql.SelectPriv), IsFalse)

mustExec(c, rootSe, `GRANT SELECT ON *.* TO 'test1'@'localhost';`)
mustExec(c, rootSe, `FLUSH PRIVILEGES;`)
c.Assert(pc.RequestVerification("test", "test", "", mysql.SelectPriv), IsTrue)
c.Assert(pc.RequestVerification("test", "test", "", mysql.UpdatePriv), IsFalse)

mustExec(c, rootSe, `GRANT Update ON test.* TO 'test1'@'localhost';`)
mustExec(c, rootSe, `FLUSH PRIVILEGES;`)
c.Assert(pc.RequestVerification("test", "test", "", mysql.UpdatePriv), IsTrue)
c.Assert(pc.RequestVerification("test", "test", "", mysql.IndexPriv), IsFalse)

mustExec(c, rootSe, `GRANT Index ON test.test TO 'test1'@'localhost';`)
mustExec(c, rootSe, `FLUSH PRIVILEGES;`)
c.Assert(pc.RequestVerification("test", "test", "", mysql.IndexPriv), IsTrue)
}

Expand All @@ -151,7 +144,6 @@ func (s *testPrivilegeSuite) TestShowGrants(c *C) {
ctx, _ := se.(sessionctx.Context)
mustExec(c, se, `CREATE USER 'show'@'localhost' identified by '123';`)
mustExec(c, se, `GRANT Index ON *.* TO 'show'@'localhost';`)
mustExec(c, se, `FLUSH PRIVILEGES;`)
pc := privilege.GetPrivilegeManager(se)

gs, err := pc.ShowGrants(se, &auth.UserIdentity{Username: "show", Hostname: "localhost"})
Expand All @@ -160,31 +152,27 @@ func (s *testPrivilegeSuite) TestShowGrants(c *C) {
c.Assert(gs[0], Equals, `GRANT Index ON *.* TO 'show'@'localhost'`)

mustExec(c, se, `GRANT Select ON *.* TO 'show'@'localhost';`)
mustExec(c, se, `FLUSH PRIVILEGES;`)
gs, err = pc.ShowGrants(se, &auth.UserIdentity{Username: "show", Hostname: "localhost"})
c.Assert(err, IsNil)
c.Assert(gs, HasLen, 1)
c.Assert(gs[0], Equals, `GRANT Select,Index ON *.* TO 'show'@'localhost'`)

// The order of privs is the same with AllGlobalPrivs
mustExec(c, se, `GRANT Update ON *.* TO 'show'@'localhost';`)
mustExec(c, se, `FLUSH PRIVILEGES;`)
gs, err = pc.ShowGrants(se, &auth.UserIdentity{Username: "show", Hostname: "localhost"})
c.Assert(err, IsNil)
c.Assert(gs, HasLen, 1)
c.Assert(gs[0], Equals, `GRANT Select,Update,Index ON *.* TO 'show'@'localhost'`)

// All privileges
mustExec(c, se, `GRANT ALL ON *.* TO 'show'@'localhost';`)
mustExec(c, se, `FLUSH PRIVILEGES;`)
gs, err = pc.ShowGrants(se, &auth.UserIdentity{Username: "show", Hostname: "localhost"})
c.Assert(err, IsNil)
c.Assert(gs, HasLen, 1)
c.Assert(gs[0], Equals, `GRANT ALL PRIVILEGES ON *.* TO 'show'@'localhost'`)

// Add db scope privileges
mustExec(c, se, `GRANT Select ON test.* TO 'show'@'localhost';`)
mustExec(c, se, `FLUSH PRIVILEGES;`)
gs, err = pc.ShowGrants(se, &auth.UserIdentity{Username: "show", Hostname: "localhost"})
c.Assert(err, IsNil)
c.Assert(gs, HasLen, 2)
Expand All @@ -193,7 +181,6 @@ func (s *testPrivilegeSuite) TestShowGrants(c *C) {
c.Assert(testutil.CompareUnorderedStringSlice(gs, expected), IsTrue)

mustExec(c, se, `GRANT Index ON test1.* TO 'show'@'localhost';`)
mustExec(c, se, `FLUSH PRIVILEGES;`)
gs, err = pc.ShowGrants(se, &auth.UserIdentity{Username: "show", Hostname: "localhost"})
c.Assert(err, IsNil)
c.Assert(gs, HasLen, 3)
Expand All @@ -203,7 +190,6 @@ func (s *testPrivilegeSuite) TestShowGrants(c *C) {
c.Assert(testutil.CompareUnorderedStringSlice(gs, expected), IsTrue)

mustExec(c, se, `GRANT ALL ON test1.* TO 'show'@'localhost';`)
mustExec(c, se, `FLUSH PRIVILEGES;`)
gs, err = pc.ShowGrants(se, &auth.UserIdentity{Username: "show", Hostname: "localhost"})
c.Assert(err, IsNil)
c.Assert(gs, HasLen, 3)
Expand All @@ -214,7 +200,6 @@ func (s *testPrivilegeSuite) TestShowGrants(c *C) {

// Add table scope privileges
mustExec(c, se, `GRANT Update ON test.test TO 'show'@'localhost';`)
mustExec(c, se, `FLUSH PRIVILEGES;`)
gs, err = pc.ShowGrants(se, &auth.UserIdentity{Username: "show", Hostname: "localhost"})
c.Assert(err, IsNil)
c.Assert(gs, HasLen, 4)
Expand All @@ -229,7 +214,6 @@ func (s *testPrivilegeSuite) TestShowGrants(c *C) {
mustExec(c, se, `REVOKE Select on test.* FROM 'show'@'localhost'`)
mustExec(c, se, `REVOKE ALL ON test1.* FROM 'show'@'localhost'`)
mustExec(c, se, `REVOKE UPDATE on test.test FROM 'show'@'localhost'`)
mustExec(c, se, `FLUSH PRIVILEGES;`)
gs, err = pc.ShowGrants(se, &auth.UserIdentity{Username: "show", Hostname: "localhost"})
c.Assert(err, IsNil)
c.Assert(gs, HasLen, 1)
Expand All @@ -239,7 +223,6 @@ func (s *testPrivilegeSuite) TestShowGrants(c *C) {
// Which we need privileges to do so!
ctx.GetSessionVars().User = &auth.UserIdentity{Username: "root", Hostname: "localhost"}
mustExec(c, se, `DROP USER 'show'@'localhost'`)
mustExec(c, se, `FLUSH PRIVILEGES;`)

// This should now return an error
gs, err = pc.ShowGrants(se, &auth.UserIdentity{Username: "show", Hostname: "localhost"})
Expand All @@ -257,7 +240,6 @@ func (s *testPrivilegeSuite) TestDropTablePriv(c *C) {
c.Assert(se.Auth(&auth.UserIdentity{Username: "root", Hostname: "localhost"}, nil, nil), IsTrue)
mustExec(c, se, `CREATE USER 'drop'@'localhost';`)
mustExec(c, se, `GRANT Select ON test.todrop TO 'drop'@'localhost';`)
mustExec(c, se, `FLUSH PRIVILEGES;`)

// ctx.GetSessionVars().User = "drop@localhost"
c.Assert(se.Auth(&auth.UserIdentity{Username: "drop", Hostname: "localhost"}, nil, nil), IsTrue)
Expand All @@ -268,7 +250,6 @@ func (s *testPrivilegeSuite) TestDropTablePriv(c *C) {
se = newSession(c, s.store, s.dbName)
ctx.GetSessionVars().User = &auth.UserIdentity{Username: "root", Hostname: "localhost"}
mustExec(c, se, `GRANT Drop ON test.todrop TO 'drop'@'localhost';`)
mustExec(c, se, `FLUSH PRIVILEGES;`)

se = newSession(c, s.store, s.dbName)
ctx.GetSessionVars().User = &auth.UserIdentity{Username: "drop", Hostname: "localhost"}
Expand All @@ -283,16 +264,15 @@ func (s *testPrivilegeSuite) TestSetPasswdStmt(c *C) {
mustExec(c, se, "CREATE USER 'superuser'")
mustExec(c, se, "CREATE USER 'nobodyuser'")
mustExec(c, se, "GRANT ALL ON *.* TO 'superuser'")
mustExec(c, se, "FLUSH PRIVILEGES")

c.Assert(se.Auth(&auth.UserIdentity{Username: "superuser", Hostname: "localhost", AuthUsername: "superuser", AuthHostname: "%"}, nil, nil), IsTrue)
mustExec(c, se, "SET PASSWORD for 'nobodyuser' = 'newpassword'")
mustExec(c, se, "SET PASSWORD for 'nobodyuser' = ''")

// low privileged user trying to set password for other user (fails)
c.Assert(se.Auth(&auth.UserIdentity{Username: "nobodyuser", Hostname: "localhost", AuthUsername: "nobodyuser", AuthHostname: "%"}, nil, nil), IsTrue)
_, err := se.Execute(context.Background(), "SET PASSWORD for 'superuser' = 'newpassword'")
c.Assert(err, NotNil)

}

func (s *testPrivilegeSuite) TestCheckAuthenticate(c *C) {
Expand All @@ -302,7 +282,7 @@ func (s *testPrivilegeSuite) TestCheckAuthenticate(c *C) {
mustExec(c, se, `CREATE USER 'u2'@'localhost' identified by 'abc';`)
mustExec(c, se, `CREATE USER 'u3@example.com'@'localhost';`)
mustExec(c, se, `CREATE USER u4@localhost;`)
mustExec(c, se, `FLUSH PRIVILEGES;`)

c.Assert(se.Auth(&auth.UserIdentity{Username: "u1", Hostname: "localhost"}, nil, nil), IsTrue)
c.Assert(se.Auth(&auth.UserIdentity{Username: "u2", Hostname: "localhost"}, nil, nil), IsFalse)
salt := []byte{85, 92, 45, 22, 58, 79, 107, 6, 122, 125, 58, 80, 12, 90, 103, 32, 90, 10, 74, 82}
Expand All @@ -316,7 +296,6 @@ func (s *testPrivilegeSuite) TestCheckAuthenticate(c *C) {
mustExec(c, se1, "drop user 'u2'@'localhost'")
mustExec(c, se1, "drop user 'u3@example.com'@'localhost'")
mustExec(c, se1, "drop user u4@localhost")
mustExec(c, se1, `FLUSH PRIVILEGES;`)

c.Assert(se.Auth(&auth.UserIdentity{Username: "u1", Hostname: "localhost"}, nil, nil), IsFalse)
c.Assert(se.Auth(&auth.UserIdentity{Username: "u2", Hostname: "localhost"}, nil, nil), IsFalse)
Expand All @@ -331,7 +310,6 @@ func (s *testPrivilegeSuite) TestUseDb(c *C) {
mustExec(c, se, "CREATE USER 'usesuper'")
mustExec(c, se, "CREATE USER 'usenobody'")
mustExec(c, se, "GRANT ALL ON *.* TO 'usesuper'")
mustExec(c, se, "FLUSH PRIVILEGES")
c.Assert(se.Auth(&auth.UserIdentity{Username: "usesuper", Hostname: "localhost", AuthUsername: "usesuper", AuthHostname: "%"}, nil, nil), IsTrue)
mustExec(c, se, "use mysql")
// low privileged user
Expand All @@ -342,7 +320,6 @@ func (s *testPrivilegeSuite) TestUseDb(c *C) {
// try again after privilege granted
c.Assert(se.Auth(&auth.UserIdentity{Username: "usesuper", Hostname: "localhost", AuthUsername: "usesuper", AuthHostname: "%"}, nil, nil), IsTrue)
mustExec(c, se, "GRANT SELECT ON mysql.* TO 'usenobody'")
mustExec(c, se, "FLUSH PRIVILEGES")
c.Assert(se.Auth(&auth.UserIdentity{Username: "usenobody", Hostname: "localhost", AuthUsername: "usenobody", AuthHostname: "%"}, nil, nil), IsTrue)
_, err = se.Execute(context.Background(), "use mysql")
c.Assert(err, IsNil)
Expand Down Expand Up @@ -391,7 +368,6 @@ func (s *testPrivilegeSuite) TestInformationSchema(c *C) {
// This test tests no privilege check for INFORMATION_SCHEMA database.
se := newSession(c, s.store, s.dbName)
mustExec(c, se, `CREATE USER 'u1'@'localhost';`)
mustExec(c, se, `FLUSH PRIVILEGES;`)
c.Assert(se.Auth(&auth.UserIdentity{Username: "u1", Hostname: "localhost"}, nil, nil), IsTrue)
mustExec(c, se, `select * from information_schema.tables`)
mustExec(c, se, `select * from information_schema.key_column_usage`)
Expand All @@ -401,7 +377,6 @@ func (s *testPrivilegeSuite) TestAdminCommand(c *C) {
se := newSession(c, s.store, s.dbName)
c.Assert(se.Auth(&auth.UserIdentity{Username: "root", Hostname: "localhost"}, nil, nil), IsTrue)
mustExec(c, se, `CREATE USER 'test_admin'@'localhost';`)
mustExec(c, se, `FLUSH PRIVILEGES;`)
mustExec(c, se, `CREATE TABLE t(a int)`)

c.Assert(se.Auth(&auth.UserIdentity{Username: "test_admin", Hostname: "localhost"}, nil, nil), IsTrue)