Bug#28948915 DEFAULT ROLE IS NOT LOGGED INTO THE BINARY LOG

RahulSisondia · RahulSisondia · commit d278a87f5e18 · 2019-07-12T08:08:53.000+02:00
Description:
------------
Right before committing the ACL statement, we rewrite the ACL statement for
binary log. We missed to write the 'DEFAULT ROLE' clause in the rewritten
CREATE USER statement. Hence, this information was getting missed in the
binary log.

Fix:
---
We were already adding 'default role' clause in the rewritten the query for
SHOW CREATE USER statement. We now use the same method to rewirte both the
CREATE USER and SHOW CREATE USER statements.

Test:
-----
 - Added tests in the rpl.rpl_roles.test file
 - PB2 testing
    - push id: 15036507
    - 2019-07-11 13:08:23

Review:
-------
RB#22500
diff --git a/mysql-test/suite/rpl/r/rpl_roles.result b/mysql-test/suite/rpl/r/rpl_roles.result
@@ -89,10 +89,91 @@ FROM_HOST	FROM_USER	TO_HOST	TO_USER	WITH_ADMIN_OPTION
 [connection slave]
 START SLAVE IO_THREAD;
 include/wait_for_slave_io_to_start.inc
+
+# Verify if 'DEFAULT ROLE' clause is bin-logged.
+
+[connection master]
+connection master;
+CREATE USER u2@localhost DEFAULT ROLE r1, r2;
+CREATE USER u3@localhost DEFAULT ROLE r1;
+
+SHOW GRANTS FOR u2@localhost;
+Grants for u2@localhost
+GRANT USAGE ON *.* TO `u2`@`localhost`
+GRANT `r1`@`%`,`r2`@`%` TO `u2`@`localhost`
+
+SHOW GRANTS FOR u3@localhost;
+Grants for u3@localhost
+GRANT USAGE ON *.* TO `u3`@`localhost`
+GRANT `r1`@`%` TO `u3`@`localhost`
+include/sync_slave_sql_with_master.inc
+connection master;
+connection slave;
+connection slave;
+SHOW GRANTS FOR u2@localhost;
+Grants for u2@localhost
+GRANT USAGE ON *.* TO `u2`@`localhost`
+GRANT `r1`@`%`,`r2`@`%` TO `u2`@`localhost`
+SHOW GRANTS FOR u3@localhost;
+Grants for u3@localhost
+GRANT USAGE ON *.* TO `u3`@`localhost`
+GRANT `r1`@`%` TO `u3`@`localhost`
+
+SHOW CREATE USER u2@localhost;
+CREATE USER for u2@localhost
+CREATE USER 'u2'@'localhost' IDENTIFIED WITH 'caching_sha2_password' DEFAULT ROLE `r1`@`%`,`r2`@`%` REQUIRE NONE PASSWORD EXPIRE DEFAULT ACCOUNT UNLOCK PASSWORD HISTORY DEFAULT PASSWORD REUSE INTERVAL DEFAULT PASSWORD REQUIRE CURRENT DEFAULT
+SHOW CREATE USER u3@localhost;
+CREATE USER for u3@localhost
+CREATE USER 'u3'@'localhost' IDENTIFIED WITH 'caching_sha2_password' DEFAULT ROLE `r1`@`%` REQUIRE NONE PASSWORD EXPIRE DEFAULT ACCOUNT UNLOCK PASSWORD HISTORY DEFAULT PASSWORD REUSE INTERVAL DEFAULT PASSWORD REQUIRE CURRENT DEFAULT
+[connection master]
+connection master;
+
+ALTER USER u2@localhost DEFAULT ROLE NONE;
+SHOW GRANTS FOR u3@localhost;
+Grants for u3@localhost
+GRANT USAGE ON *.* TO `u3`@`localhost`
+GRANT `r1`@`%` TO `u3`@`localhost`
+ALTER USER u2@localhost DEFAULT ROLE r1;
+GRANT r2 TO u3@localhost;
+ALTER USER u3@localhost DEFAULT ROLE ALL;
+SHOW GRANTS FOR u3@localhost;
+Grants for u3@localhost
+GRANT USAGE ON *.* TO `u3`@`localhost`
+GRANT `r1`@`%`,`r2`@`%` TO `u3`@`localhost`
+ALTER USER u3@localhost DEFAULT ROLE r2;
+SHOW GRANTS FOR u2@localhost;
+Grants for u2@localhost
+GRANT USAGE ON *.* TO `u2`@`localhost`
+GRANT `r1`@`%`,`r2`@`%` TO `u2`@`localhost`
+SHOW GRANTS FOR u3@localhost;
+Grants for u3@localhost
+GRANT USAGE ON *.* TO `u3`@`localhost`
+GRANT `r1`@`%`,`r2`@`%` TO `u3`@`localhost`
+
+include/sync_slave_sql_with_master.inc
+connection master;
+connection slave;
+connection slave;
+SHOW GRANTS FOR u2@localhost;
+Grants for u2@localhost
+GRANT USAGE ON *.* TO `u2`@`localhost`
+GRANT `r1`@`%`,`r2`@`%` TO `u2`@`localhost`
+SHOW GRANTS FOR u3@localhost;
+Grants for u3@localhost
+GRANT USAGE ON *.* TO `u3`@`localhost`
+GRANT `r1`@`%`,`r2`@`%` TO `u3`@`localhost`
+
+SHOW CREATE USER u2@localhost;
+CREATE USER for u2@localhost
+CREATE USER 'u2'@'localhost' IDENTIFIED WITH 'caching_sha2_password' DEFAULT ROLE `r1`@`%` REQUIRE NONE PASSWORD EXPIRE DEFAULT ACCOUNT UNLOCK PASSWORD HISTORY DEFAULT PASSWORD REUSE INTERVAL DEFAULT PASSWORD REQUIRE CURRENT DEFAULT
+SHOW CREATE USER u3@localhost;
+CREATE USER for u3@localhost
+CREATE USER 'u3'@'localhost' IDENTIFIED WITH 'caching_sha2_password' DEFAULT ROLE `r2`@`%` REQUIRE NONE PASSWORD EXPIRE DEFAULT ACCOUNT UNLOCK PASSWORD HISTORY DEFAULT PASSWORD REUSE INTERVAL DEFAULT PASSWORD REQUIRE CURRENT DEFAULT
+
 # Cleanup Statement
 [connection master]
 DROP ROLE r1, r2, r3,r4;
-DROP USER u1@localhost;
+DROP USER u1@localhost, u2@localhost, u3@localhost;
 include/sync_slave_sql_with_master.inc
 SELECT * FROM mysql.default_roles;
 HOST	USER	DEFAULT_ROLE_HOST	DEFAULT_ROLE_USER
@@ -115,8 +196,15 @@ slave-bin.000001	#	Query	#	#	use `test`; CREATE ROLE r4
 slave-bin.000001	#	Query	#	#	use `test`; GRANT REPLICATION SLAVE ON *.* TO 'r4'@'%'
 slave-bin.000001	#	Query	#	#	use `test`; GRANT r4 to u1@localhost
 slave-bin.000001	#	Query	#	#	use `test`; ALTER USER u1@localhost DEFAULT ROLE ALL
+slave-bin.000001	#	Query	#	#	use `test`; CREATE USER 'u2'@'localhost' IDENTIFIED WITH 'caching_sha2_password' DEFAULT ROLE `r1`@`%`,`r2`@`%`
+slave-bin.000001	#	Query	#	#	use `test`; CREATE USER 'u3'@'localhost' IDENTIFIED WITH 'caching_sha2_password' DEFAULT ROLE `r1`@`%`
+slave-bin.000001	#	Query	#	#	use `test`; ALTER USER u2@localhost DEFAULT ROLE NONE
+slave-bin.000001	#	Query	#	#	use `test`; ALTER USER u2@localhost DEFAULT ROLE r1
+slave-bin.000001	#	Query	#	#	use `test`; GRANT r2 TO u3@localhost
+slave-bin.000001	#	Query	#	#	use `test`; ALTER USER u3@localhost DEFAULT ROLE ALL
+slave-bin.000001	#	Query	#	#	use `test`; ALTER USER u3@localhost DEFAULT ROLE r2
 slave-bin.000001	#	Query	#	#	use `test`; DROP ROLE r1, r2, r3,r4
-slave-bin.000001	#	Query	#	#	use `test`; DROP USER u1@localhost
+slave-bin.000001	#	Query	#	#	use `test`; DROP USER u1@localhost, u2@localhost, u3@localhost
 include/stop_slave.inc
 CHANGE MASTER TO MASTER_USER='root';
 Warnings:
diff --git a/mysql-test/suite/rpl/t/rpl_roles.test b/mysql-test/suite/rpl/t/rpl_roles.test
@@ -85,10 +85,51 @@ SELECT * FROM mysql.role_edges;
 START SLAVE IO_THREAD;
 --source include/wait_for_slave_io_to_start.inc
 
+--echo
+--echo # Verify if 'DEFAULT ROLE' clause is bin-logged.
+--echo
+--enable_connect_log
+--source include/rpl_connection_master.inc
+CREATE USER u2@localhost DEFAULT ROLE r1, r2;
+CREATE USER u3@localhost DEFAULT ROLE r1;
+--echo
+SHOW GRANTS FOR u2@localhost;
+--echo
+SHOW GRANTS FOR u3@localhost;
+--source include/sync_slave_sql_with_master.inc
+# Check if roles are granted to the users on slave
+SHOW GRANTS FOR u2@localhost;
+SHOW GRANTS FOR u3@localhost;
+--echo
+SHOW CREATE USER u2@localhost;
+SHOW CREATE USER u3@localhost;
+--source include/rpl_connection_master.inc
+--echo
+ALTER USER u2@localhost DEFAULT ROLE NONE;
+SHOW GRANTS FOR u3@localhost;
+ALTER USER u2@localhost DEFAULT ROLE r1;
+GRANT r2 TO u3@localhost;
+ALTER USER u3@localhost DEFAULT ROLE ALL;
+SHOW GRANTS FOR u3@localhost;
+ALTER USER u3@localhost DEFAULT ROLE r2;
+# Now, u2 and u3 should have only one role on master
+SHOW GRANTS FOR u2@localhost;
+SHOW GRANTS FOR u3@localhost;
+--echo
+--source include/sync_slave_sql_with_master.inc
+# u2 and u3 should have only one role on slave as well
+SHOW GRANTS FOR u2@localhost;
+SHOW GRANTS FOR u3@localhost;
+--echo
+SHOW CREATE USER u2@localhost;
+SHOW CREATE USER u3@localhost;
+--disable_connect_log
+
+--echo
 --echo # Cleanup Statement
 --source include/rpl_connection_master.inc
 DROP ROLE r1, r2, r3,r4;
-DROP USER u1@localhost;
+DROP USER u1@localhost, u2@localhost, u3@localhost;
 --source include/sync_slave_sql_with_master.inc
 SELECT * FROM mysql.default_roles;
 SELECT * FROM mysql.role_edges;
diff --git a/sql/auth/sql_user.cc b/sql/auth/sql_user.cc
@@ -2141,7 +2141,7 @@ bool mysql_create_user(THD *thd, List<LEX_USER> &list, bool if_not_exists,
         fail the statement. If the role exists but isn't granted, this statement
         performs an implicit GRANT.
       */
-      if (thd->lex->default_roles != 0 &&
+      if (thd->lex->default_roles != nullptr &&
           thd->lex->sql_command == SQLCOM_CREATE_USER) {
         List_of_auth_id_refs default_roles;
         List_iterator<LEX_USER> role_it(*(thd->lex->default_roles));
diff --git a/sql/sql_rewrite.cc b/sql/sql_rewrite.cc
@@ -386,7 +386,8 @@ Rewriter_user::Rewriter_user(THD *thd, Consumer_type type)
 bool Rewriter_user::rewrite() const {
   LEX *lex = m_thd->lex;
   String *rlb = &m_thd->rewritten_query;
-
+  rewrite_users(lex, rlb);
+  rewrite_default_roles(lex, rlb);
   rewrite_ssl_properties(lex, rlb);
   rewrite_user_resources(lex, rlb);
   rewrite_password_expired(lex, rlb);
@@ -615,6 +616,27 @@ void Rewriter_user::rewrite_users(LEX *lex, String *str) const {
   }
 }
 
+/**
+  Append the DEFAULT ROLE clause for users iff it is specified
+
+  @param [in]       lex     LEX struct to check if clause is specified
+  @param [in, out]  str     The string in which clause is suffixed
+*/
+void Rewriter_user::rewrite_default_roles(const LEX *lex, String *str) const {
+  bool comma = false;
+  if (lex->default_roles && lex->default_roles->elements > 0) {
+    str->append(" DEFAULT ROLE ");
+    lex->default_roles->sort(&lex_user_comp);
+    List_iterator<LEX_USER> role_it(*(lex->default_roles));
+    LEX_USER *role;
+    while ((role = role_it++)) {
+      if (comma) str->append(',');
+      str->append(create_authid_str_from(role).c_str());
+      comma = true;
+    }
+  }
+}
+
 Rewriter_create_user::Rewriter_create_user(THD *thd, Consumer_type type)
     : Rewriter_user(thd, type) {}
 
@@ -632,7 +654,6 @@ bool Rewriter_create_user::rewrite() const {
   if (lex->create_info->options & HA_LEX_CREATE_IF_NOT_EXISTS)
     rlb->append("IF NOT EXISTS ");
 
-  rewrite_users(lex, rlb);
   parent::rewrite();
   return true;
 }
@@ -708,7 +729,6 @@ bool Rewriter_alter_user::rewrite() const {
 
   if (lex->drop_if_exists) rlb->append("IF EXISTS ");
 
-  rewrite_users(lex, rlb);
   parent::rewrite();
   return true;
 }
@@ -791,12 +811,9 @@ Rewriter_show_create_user::Rewriter_show_create_user(THD *thd,
   @retval true  the query is rewritten
 */
 bool Rewriter_show_create_user::rewrite() const {
-  LEX *lex = m_thd->lex;
   String *rlb = &m_thd->rewritten_query;
   rlb->mem_free();
   rlb->append("CREATE USER ");
-  rewrite_users(lex, rlb);
-  rewrite_default_roles(lex, rlb);
   parent::rewrite();
   return true;
 }
@@ -873,27 +890,6 @@ void Rewriter_show_create_user::append_user_auth_info(LEX_USER *user,
     }
   }
 }
-/**
-  Append the DEFAULT ROLE clause for users iff it is specified
-
-  @param [in]       lex     LEX struct to check if clause is specified
-  @param [in, out]  str     The string in which clause is suffixed
-*/
-void Rewriter_show_create_user::rewrite_default_roles(const LEX *lex,
-                                                      String *str) const {
-  bool comma = false;
-  if (lex->default_roles && lex->default_roles->elements > 0) {
-    str->append(" DEFAULT ROLE ");
-    lex->default_roles->sort(&lex_user_comp);
-    List_iterator<LEX_USER> role_it(*(lex->default_roles));
-    LEX_USER *role;
-    while ((role = role_it++)) {
-      if (comma) str->append(',');
-      str->append(create_authid_str_from(role).c_str());
-      comma = true;
-    }
-  }
-}
 
 Rewriter_set::Rewriter_set(THD *thd, Consumer_type type)
     : I_rewriter(thd, type) {}
diff --git a/sql/sql_rewrite.h b/sql/sql_rewrite.h
@@ -181,6 +181,8 @@ class Rewriter_user : public I_rewriter {
   void rewrite_password_expired(const LEX *lex, String *str) const;
   /* Append the PASSWORD REQUIRE CURRENT clause for users */
   void rewrite_password_require_current(LEX *lex, String *str) const;
+  /* Append the DEFAULT ROLE OPTIONS clause */
+  void rewrite_default_roles(const LEX *lex, String *str) const;
 };
 /** Rewrites the CREATE USER statement. */
 class Rewriter_create_user final : public Rewriter_user {
@@ -228,8 +230,6 @@ class Rewriter_show_create_user final : public Rewriter_user {
                              String *str) const override;
   void rewrite_password_history(const LEX *lex, String *str) const override;
   void rewrite_password_reuse(const LEX *lex, String *str) const override;
-  /* Append the DEFAULT ROLE OPTIONS clause */
-  void rewrite_default_roles(const LEX *lex, String *str) const;
   Show_user_params *show_params_;
 };
 /** Rewrites the SET statement. */
