Commit 5f06a456 authored by thek@adventure.(none)'s avatar thek@adventure.(none)

Bug#24988 FLUSH PRIVILEGES causes brief unavailability

- A race condition caused brief unavailablility when trying to acccess
  a table. 
- The variable 'grant_option' was removed to resolve the race condition and
  to simplify the design pattern. This flag was originally intended to optimize
  grant checks.
parent 1bccb382
...@@ -1678,7 +1678,7 @@ extern ulong log_output_options; ...@@ -1678,7 +1678,7 @@ extern ulong log_output_options;
extern my_bool opt_log_queries_not_using_indexes; extern my_bool opt_log_queries_not_using_indexes;
extern bool opt_disable_networking, opt_skip_show_db; extern bool opt_disable_networking, opt_skip_show_db;
extern my_bool opt_character_set_client_handshake; extern my_bool opt_character_set_client_handshake;
extern bool volatile abort_loop, shutdown_in_progress, grant_option; extern bool volatile abort_loop, shutdown_in_progress;
extern uint volatile thread_count, thread_running, global_read_lock; extern uint volatile thread_count, thread_running, global_read_lock;
extern my_bool opt_sql_bin_update, opt_safe_user_create, opt_no_mix_types; extern my_bool opt_sql_bin_update, opt_safe_user_create, opt_no_mix_types;
extern my_bool opt_safe_show_db, opt_local_infile, opt_myisam_use_mmap; extern my_bool opt_safe_show_db, opt_local_infile, opt_myisam_use_mmap;
......
...@@ -3136,7 +3136,6 @@ bool mysql_table_grant(THD *thd, TABLE_LIST *table_list, ...@@ -3136,7 +3136,6 @@ bool mysql_table_grant(THD *thd, TABLE_LIST *table_list,
} }
} }
} }
thd->mem_root= old_root; thd->mem_root= old_root;
pthread_mutex_unlock(&acl_cache->lock); pthread_mutex_unlock(&acl_cache->lock);
...@@ -3310,7 +3309,6 @@ bool mysql_routine_grant(THD *thd, TABLE_LIST *table_list, bool is_proc, ...@@ -3310,7 +3309,6 @@ bool mysql_routine_grant(THD *thd, TABLE_LIST *table_list, bool is_proc,
continue; continue;
} }
} }
thd->mem_root= old_root; thd->mem_root= old_root;
pthread_mutex_unlock(&acl_cache->lock); pthread_mutex_unlock(&acl_cache->lock);
if (!result && !no_error) if (!result && !no_error)
...@@ -3458,7 +3456,6 @@ bool mysql_grant(THD *thd, const char *db, List <LEX_USER> &list, ...@@ -3458,7 +3456,6 @@ bool mysql_grant(THD *thd, const char *db, List <LEX_USER> &list,
void grant_free(void) void grant_free(void)
{ {
DBUG_ENTER("grant_free"); DBUG_ENTER("grant_free");
grant_option = FALSE;
hash_free(&column_priv_hash); hash_free(&column_priv_hash);
hash_free(&proc_priv_hash); hash_free(&proc_priv_hash);
hash_free(&func_priv_hash); hash_free(&func_priv_hash);
...@@ -3493,8 +3490,6 @@ my_bool grant_init() ...@@ -3493,8 +3490,6 @@ my_bool grant_init()
delete thd; delete thd;
/* Remember that we don't have a THD */ /* Remember that we don't have a THD */
my_pthread_setspecific_ptr(THR_THD, 0); my_pthread_setspecific_ptr(THR_THD, 0);
/* Set the grant option flag so we will check grants */
grant_option= TRUE;
DBUG_RETURN(return_val); DBUG_RETURN(return_val);
} }
...@@ -3553,7 +3548,6 @@ static my_bool grant_load(TABLE_LIST *tables) ...@@ -3553,7 +3548,6 @@ static my_bool grant_load(TABLE_LIST *tables)
if (!(mem_check=new (memex_ptr) GRANT_TABLE(t_table,c_table))) if (!(mem_check=new (memex_ptr) GRANT_TABLE(t_table,c_table)))
{ {
/* This could only happen if we are out memory */ /* This could only happen if we are out memory */
grant_option= FALSE;
goto end_unlock; goto end_unlock;
} }
...@@ -3576,7 +3570,6 @@ static my_bool grant_load(TABLE_LIST *tables) ...@@ -3576,7 +3570,6 @@ static my_bool grant_load(TABLE_LIST *tables)
else if (my_hash_insert(&column_priv_hash,(byte*) mem_check)) else if (my_hash_insert(&column_priv_hash,(byte*) mem_check))
{ {
delete mem_check; delete mem_check;
grant_option= FALSE;
goto end_unlock; goto end_unlock;
} }
} }
...@@ -3593,7 +3586,6 @@ static my_bool grant_load(TABLE_LIST *tables) ...@@ -3593,7 +3586,6 @@ static my_bool grant_load(TABLE_LIST *tables)
if (!(mem_check=new (&memex) GRANT_NAME(p_table))) if (!(mem_check=new (&memex) GRANT_NAME(p_table)))
{ {
/* This could only happen if we are out memory */ /* This could only happen if we are out memory */
grant_option= FALSE;
goto end_unlock; goto end_unlock;
} }
...@@ -3632,7 +3624,6 @@ static my_bool grant_load(TABLE_LIST *tables) ...@@ -3632,7 +3624,6 @@ static my_bool grant_load(TABLE_LIST *tables)
else if (my_hash_insert(hash, (byte*) mem_check)) else if (my_hash_insert(hash, (byte*) mem_check))
{ {
delete mem_check; delete mem_check;
grant_option= FALSE;
goto end_unlock; goto end_unlock;
} }
} }
...@@ -4004,8 +3995,6 @@ bool check_grant_all_columns(THD *thd, ulong want_access, GRANT_INFO *grant, ...@@ -4004,8 +3995,6 @@ bool check_grant_all_columns(THD *thd, ulong want_access, GRANT_INFO *grant,
want_access &= ~grant->privilege; want_access &= ~grant->privilege;
if (!want_access) if (!want_access)
return 0; // Already checked return 0; // Already checked
if (!grant_option)
goto err2;
rw_rdlock(&LOCK_grant); rw_rdlock(&LOCK_grant);
...@@ -4195,18 +4184,15 @@ bool check_routine_level_acl(THD *thd, const char *db, const char *name, ...@@ -4195,18 +4184,15 @@ bool check_routine_level_acl(THD *thd, const char *db, const char *name,
bool is_proc) bool is_proc)
{ {
bool no_routine_acl= 1; bool no_routine_acl= 1;
if (grant_option) GRANT_NAME *grant_proc;
{ Security_context *sctx= thd->security_ctx;
GRANT_NAME *grant_proc; rw_rdlock(&LOCK_grant);
Security_context *sctx= thd->security_ctx; if ((grant_proc= routine_hash_search(sctx->priv_host,
rw_rdlock(&LOCK_grant); sctx->ip, db,
if ((grant_proc= routine_hash_search(sctx->priv_host, sctx->priv_user,
sctx->ip, db, name, is_proc, 0)))
sctx->priv_user, no_routine_acl= !(grant_proc->privs & SHOW_PROC_ACLS);
name, is_proc, 0))) rw_unlock(&LOCK_grant);
no_routine_acl= !(grant_proc->privs & SHOW_PROC_ACLS);
rw_unlock(&LOCK_grant);
}
return no_routine_acl; return no_routine_acl;
} }
...@@ -6400,12 +6386,6 @@ void fill_effective_table_privileges(THD *thd, GRANT_INFO *grant, ...@@ -6400,12 +6386,6 @@ void fill_effective_table_privileges(THD *thd, GRANT_INFO *grant,
/* db privileges */ /* db privileges */
grant->privilege|= acl_get(sctx->host, sctx->ip, sctx->priv_user, db, 0); grant->privilege|= acl_get(sctx->host, sctx->ip, sctx->priv_user, db, 0);
if (!grant_option)
{
DBUG_PRINT("info", ("privilege 0x%lx", grant->privilege));
DBUG_VOID_RETURN;
}
/* table privileges */ /* table privileges */
rw_rdlock(&LOCK_grant); rw_rdlock(&LOCK_grant);
if (grant->version != grant_version) if (grant->version != grant_version)
......
...@@ -1448,7 +1448,7 @@ bool mysql_change_db(THD *thd, const LEX_STRING *new_db_name, bool force_switch) ...@@ -1448,7 +1448,7 @@ bool mysql_change_db(THD *thd, const LEX_STRING *new_db_name, bool force_switch)
if (!force_switch && if (!force_switch &&
!(db_access & DB_ACLS) && !(db_access & DB_ACLS) &&
(!grant_option || check_grant_db(thd, new_db_file_name.str))) check_grant_db(thd, new_db_file_name.str))
{ {
my_error(ER_DBACCESS_DENIED_ERROR, MYF(0), my_error(ER_DBACCESS_DENIED_ERROR, MYF(0),
sctx->priv_user, sctx->priv_user,
......
...@@ -189,15 +189,12 @@ static int check_insert_fields(THD *thd, TABLE_LIST *table_list, ...@@ -189,15 +189,12 @@ static int check_insert_fields(THD *thd, TABLE_LIST *table_list,
return -1; return -1;
} }
#ifndef NO_EMBEDDED_ACCESS_CHECKS #ifndef NO_EMBEDDED_ACCESS_CHECKS
if (grant_option) Field_iterator_table field_it;
{ field_it.set_table(table);
Field_iterator_table field_it; if (check_grant_all_columns(thd, INSERT_ACL, &table->grant,
field_it.set_table(table); table->s->db.str, table->s->table_name.str,
if (check_grant_all_columns(thd, INSERT_ACL, &table->grant, &field_it))
table->s->db.str, table->s->table_name.str, return -1;
&field_it))
return -1;
}
#endif #endif
clear_timestamp_auto_bits(table->timestamp_field_type, clear_timestamp_auto_bits(table->timestamp_field_type,
TIMESTAMP_AUTO_SET_ON_INSERT); TIMESTAMP_AUTO_SET_ON_INSERT);
......
This diff is collapsed.
...@@ -706,7 +706,7 @@ bool mysqld_show_create_db(THD *thd, char *dbname, ...@@ -706,7 +706,7 @@ bool mysqld_show_create_db(THD *thd, char *dbname,
else else
db_access= (acl_get(sctx->host, sctx->ip, sctx->priv_user, dbname, 0) | db_access= (acl_get(sctx->host, sctx->ip, sctx->priv_user, dbname, 0) |
sctx->master_access); sctx->master_access);
if (!(db_access & DB_ACLS) && (!grant_option || check_grant_db(thd,dbname))) if (!(db_access & DB_ACLS) && check_grant_db(thd,dbname))
{ {
my_error(ER_DBACCESS_DENIED_ERROR, MYF(0), my_error(ER_DBACCESS_DENIED_ERROR, MYF(0),
sctx->priv_user, sctx->host_or_ip, dbname); sctx->priv_user, sctx->host_or_ip, dbname);
...@@ -2649,7 +2649,7 @@ int get_all_tables(THD *thd, TABLE_LIST *tables, COND *cond) ...@@ -2649,7 +2649,7 @@ int get_all_tables(THD *thd, TABLE_LIST *tables, COND *cond)
&thd->col_access, 0, 1, with_i_schema) || &thd->col_access, 0, 1, with_i_schema) ||
sctx->master_access & (DB_ACLS | SHOW_DB_ACL) || sctx->master_access & (DB_ACLS | SHOW_DB_ACL) ||
acl_get(sctx->host, sctx->ip, sctx->priv_user, base_name,0) || acl_get(sctx->host, sctx->ip, sctx->priv_user, base_name,0) ||
(grant_option && !check_grant_db(thd, base_name))) !check_grant_db(thd, base_name))
#endif #endif
{ {
List<char> files; List<char> files;
...@@ -2849,7 +2849,7 @@ int fill_schema_shemata(THD *thd, TABLE_LIST *tables, COND *cond) ...@@ -2849,7 +2849,7 @@ int fill_schema_shemata(THD *thd, TABLE_LIST *tables, COND *cond)
#ifndef NO_EMBEDDED_ACCESS_CHECKS #ifndef NO_EMBEDDED_ACCESS_CHECKS
if (sctx->master_access & (DB_ACLS | SHOW_DB_ACL) || if (sctx->master_access & (DB_ACLS | SHOW_DB_ACL) ||
acl_get(sctx->host, sctx->ip, sctx->priv_user, file_name,0) || acl_get(sctx->host, sctx->ip, sctx->priv_user, file_name,0) ||
(grant_option && !check_grant_db(thd, file_name))) !check_grant_db(thd, file_name))
#endif #endif
{ {
load_db_opt_by_name(thd, file_name, &create); load_db_opt_by_name(thd, file_name, &create);
......
...@@ -936,7 +936,7 @@ reopen_tables: ...@@ -936,7 +936,7 @@ reopen_tables:
if (check_access(thd, want_privilege, if (check_access(thd, want_privilege,
tl->db, &tl->grant.privilege, 0, 0, tl->db, &tl->grant.privilege, 0, 0,
test(tl->schema_table)) || test(tl->schema_table)) ||
(grant_option && check_grant(thd, want_privilege, tl, 0, 1, 0))) check_grant(thd, want_privilege, tl, 0, 1, 0))
DBUG_RETURN(TRUE); DBUG_RETURN(TRUE);
} }
} }
......
...@@ -322,11 +322,11 @@ bool mysql_create_view(THD *thd, TABLE_LIST *views, ...@@ -322,11 +322,11 @@ bool mysql_create_view(THD *thd, TABLE_LIST *views,
*/ */
if ((check_access(thd, CREATE_VIEW_ACL, view->db, &view->grant.privilege, if ((check_access(thd, CREATE_VIEW_ACL, view->db, &view->grant.privilege,
0, 0, is_schema_db(view->db)) || 0, 0, is_schema_db(view->db)) ||
grant_option && check_grant(thd, CREATE_VIEW_ACL, view, 0, 1, 0)) || check_grant(thd, CREATE_VIEW_ACL, view, 0, 1, 0)) ||
(mode != VIEW_CREATE_NEW && (mode != VIEW_CREATE_NEW &&
(check_access(thd, DROP_ACL, view->db, &view->grant.privilege, (check_access(thd, DROP_ACL, view->db, &view->grant.privilege,
0, 0, is_schema_db(view->db)) || 0, 0, is_schema_db(view->db)) ||
grant_option && check_grant(thd, DROP_ACL, view, 0, 1, 0)))) check_grant(thd, DROP_ACL, view, 0, 1, 0))))
{ {
res= TRUE; res= TRUE;
goto err; goto err;
...@@ -379,7 +379,7 @@ bool mysql_create_view(THD *thd, TABLE_LIST *views, ...@@ -379,7 +379,7 @@ bool mysql_create_view(THD *thd, TABLE_LIST *views,
{ {
if (check_access(thd, SELECT_ACL, tbl->db, if (check_access(thd, SELECT_ACL, tbl->db,
&tbl->grant.privilege, 0, 0, test(tbl->schema_table)) || &tbl->grant.privilege, 0, 0, test(tbl->schema_table)) ||
grant_option && check_grant(thd, SELECT_ACL, tbl, 0, 1, 0)) check_grant(thd, SELECT_ACL, tbl, 0, 1, 0))
{ {
res= TRUE; res= TRUE;
goto err; goto err;
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment