Commit 7fb978c7 authored by Sergei Golubchik's avatar Sergei Golubchik

auto-grant a role to its admin on CREATE ROLE

parent 46622dbe
...@@ -2,9 +2,14 @@ create user foo@localhost; ...@@ -2,9 +2,14 @@ create user foo@localhost;
create role role1; create role role1;
create role role2 with admin current_user; create role role2 with admin current_user;
create role role3 with admin current_role; create role role3 with admin current_role;
ERROR 0L000: Invalid definer
create role role3 with admin role1;
create role role4 with admin root@localhost; create role role4 with admin root@localhost;
create role role5 with admin foo@localhost; create role role5 with admin foo@localhost;
create role role6 with admin foo@bar; create role role6 with admin foo@bar;
ERROR HY000: The user specified as a definer ('foo'@'bar') does not exist
create user foo@bar;
create role role6 with admin foo@bar;
create user bar with admin current_user; create user bar with admin current_user;
ERROR 42000: You have an error in your SQL syntax; check the manual that corresponds to your MariaDB server version for the right syntax to use near 'admin current_user' at line 1 ERROR 42000: You have an error in your SQL syntax; check the manual that corresponds to your MariaDB server version for the right syntax to use near 'admin current_user' at line 1
grant role1 to foo@localhost with admin option; grant role1 to foo@localhost with admin option;
...@@ -18,11 +23,14 @@ Grants for foo@localhost ...@@ -18,11 +23,14 @@ Grants for foo@localhost
GRANT USAGE ON *.* TO 'foo'@'localhost' GRANT USAGE ON *.* TO 'foo'@'localhost'
GRANT role1 TO 'foo'@'localhost' WITH ADMIN OPTION GRANT role1 TO 'foo'@'localhost' WITH ADMIN OPTION
GRANT role2 TO 'foo'@'localhost' GRANT role2 TO 'foo'@'localhost'
GRANT role5 TO 'foo'@'localhost' WITH ADMIN OPTION
show grants for role1; show grants for role1;
Grants for role1 Grants for role1
GRANT USAGE ON *.* TO 'role1' GRANT USAGE ON *.* TO 'role1'
GRANT USAGE ON *.* TO 'role2' GRANT USAGE ON *.* TO 'role2'
GRANT USAGE ON *.* TO 'role3'
GRANT role2 TO 'role1' GRANT role2 TO 'role1'
GRANT role3 TO 'role1' WITH ADMIN OPTION
show grants for role4; show grants for role4;
Grants for role4 Grants for role4
GRANT USAGE ON *.* TO 'role3' GRANT USAGE ON *.* TO 'role3'
...@@ -31,20 +39,29 @@ GRANT role3 TO 'role4' WITH ADMIN OPTION ...@@ -31,20 +39,29 @@ GRANT role3 TO 'role4' WITH ADMIN OPTION
select * from mysql.roles_mapping; select * from mysql.roles_mapping;
Host User Role Admin_option Host User Role Admin_option
role1 role2 N role1 role2 N
role1 role3 Y
role4 role3 Y role4 role3 Y
bar foo role6 Y
localhost foo role1 Y localhost foo role1 Y
localhost foo role2 N localhost foo role2 N
localhost foo role5 Y
localhost root role1 Y
localhost root role2 Y
localhost root role4 Y
flush privileges; flush privileges;
show grants for foo@localhost; show grants for foo@localhost;
Grants for foo@localhost Grants for foo@localhost
GRANT USAGE ON *.* TO 'foo'@'localhost' GRANT USAGE ON *.* TO 'foo'@'localhost'
GRANT role1 TO 'foo'@'localhost' WITH ADMIN OPTION GRANT role1 TO 'foo'@'localhost' WITH ADMIN OPTION
GRANT role2 TO 'foo'@'localhost' GRANT role2 TO 'foo'@'localhost'
GRANT role5 TO 'foo'@'localhost' WITH ADMIN OPTION
show grants for role1; show grants for role1;
Grants for role1 Grants for role1
GRANT USAGE ON *.* TO 'role1' GRANT USAGE ON *.* TO 'role1'
GRANT USAGE ON *.* TO 'role2' GRANT USAGE ON *.* TO 'role2'
GRANT USAGE ON *.* TO 'role3'
GRANT role2 TO 'role1' GRANT role2 TO 'role1'
GRANT role3 TO 'role1' WITH ADMIN OPTION
show grants for role4; show grants for role4;
Grants for role4 Grants for role4
GRANT USAGE ON *.* TO 'role3' GRANT USAGE ON *.* TO 'role3'
...@@ -58,11 +75,14 @@ show grants for foo@localhost; ...@@ -58,11 +75,14 @@ show grants for foo@localhost;
Grants for foo@localhost Grants for foo@localhost
GRANT USAGE ON *.* TO 'foo'@'localhost' GRANT USAGE ON *.* TO 'foo'@'localhost'
GRANT role2 TO 'foo'@'localhost' GRANT role2 TO 'foo'@'localhost'
GRANT role5 TO 'foo'@'localhost' WITH ADMIN OPTION
show grants for role1; show grants for role1;
Grants for role1 Grants for role1
GRANT USAGE ON *.* TO 'role1' GRANT USAGE ON *.* TO 'role1'
GRANT USAGE ON *.* TO 'role2' GRANT USAGE ON *.* TO 'role2'
GRANT USAGE ON *.* TO 'role3'
GRANT role2 TO 'role1' WITH ADMIN OPTION GRANT role2 TO 'role1' WITH ADMIN OPTION
GRANT role3 TO 'role1' WITH ADMIN OPTION
show grants for role4; show grants for role4;
Grants for role4 Grants for role4
GRANT USAGE ON *.* TO 'role3' GRANT USAGE ON *.* TO 'role3'
...@@ -71,22 +91,31 @@ GRANT role3 TO 'role4' ...@@ -71,22 +91,31 @@ GRANT role3 TO 'role4'
select * from mysql.roles_mapping; select * from mysql.roles_mapping;
Host User Role Admin_option Host User Role Admin_option
role1 role2 Y role1 role2 Y
role1 role3 Y
role4 role3 N role4 role3 N
bar foo role6 Y
localhost foo role2 N localhost foo role2 N
localhost foo role5 Y
localhost root role1 Y
localhost root role2 Y
localhost root role4 Y
flush privileges; flush privileges;
show grants for foo@localhost; show grants for foo@localhost;
Grants for foo@localhost Grants for foo@localhost
GRANT USAGE ON *.* TO 'foo'@'localhost' GRANT USAGE ON *.* TO 'foo'@'localhost'
GRANT role2 TO 'foo'@'localhost' GRANT role2 TO 'foo'@'localhost'
GRANT role5 TO 'foo'@'localhost' WITH ADMIN OPTION
show grants for role1; show grants for role1;
Grants for role1 Grants for role1
GRANT USAGE ON *.* TO 'role1' GRANT USAGE ON *.* TO 'role1'
GRANT USAGE ON *.* TO 'role2' GRANT USAGE ON *.* TO 'role2'
GRANT USAGE ON *.* TO 'role3'
GRANT role2 TO 'role1' WITH ADMIN OPTION GRANT role2 TO 'role1' WITH ADMIN OPTION
GRANT role3 TO 'role1' WITH ADMIN OPTION
show grants for role4; show grants for role4;
Grants for role4 Grants for role4
GRANT USAGE ON *.* TO 'role3' GRANT USAGE ON *.* TO 'role3'
GRANT USAGE ON *.* TO 'role4' GRANT USAGE ON *.* TO 'role4'
GRANT role3 TO 'role4' GRANT role3 TO 'role4'
drop role role1, role2, role3, role4, role5, role6; drop role role1, role2, role3, role4, role5, role6;
drop user foo@localhost; drop user foo@localhost, foo@bar;
...@@ -6,9 +6,15 @@ create user foo@localhost; ...@@ -6,9 +6,15 @@ create user foo@localhost;
create role role1; create role role1;
create role role2 with admin current_user; create role role2 with admin current_user;
--error ER_MALFORMED_DEFINER
create role role3 with admin current_role; create role role3 with admin current_role;
create role role3 with admin role1;
create role role4 with admin root@localhost; create role role4 with admin root@localhost;
create role role5 with admin foo@localhost; create role role5 with admin foo@localhost;
--error ER_NO_SUCH_USER
create role role6 with admin foo@bar;
create user foo@bar;
create role role6 with admin foo@bar; create role role6 with admin foo@bar;
--error ER_PARSE_ERROR --error ER_PARSE_ERROR
...@@ -62,5 +68,5 @@ show grants for role4; ...@@ -62,5 +68,5 @@ show grants for role4;
# cleanup # cleanup
######################################## ########################################
drop role role1, role2, role3, role4, role5, role6; drop role role1, role2, role3, role4, role5, role6;
drop user foo@localhost; drop user foo@localhost, foo@bar;
...@@ -5404,9 +5404,6 @@ bool mysql_grant_role(THD *thd, List <LEX_USER> &list, bool revoke) ...@@ -5404,9 +5404,6 @@ bool mysql_grant_role(THD *thd, List <LEX_USER> &list, bool revoke)
DBUG_RETURN(TRUE); /* purecov: deadcode */ DBUG_RETURN(TRUE); /* purecov: deadcode */
} }
MEM_ROOT temp_root;
init_alloc_root(&temp_root, ACL_ALLOC_BLOCK_SIZE, 0, MYF(0));
while ((user= user_list++)) while ((user= user_list++))
{ {
role_as_user= NULL; role_as_user= NULL;
...@@ -5452,9 +5449,9 @@ bool mysql_grant_role(THD *thd, List <LEX_USER> &list, bool revoke) ...@@ -5452,9 +5449,9 @@ bool mysql_grant_role(THD *thd, List <LEX_USER> &list, bool revoke)
username= user->user.str; username= user->user.str;
} }
ROLE_GRANT_PAIR *hash_entry, *mapping= new (&temp_root) ROLE_GRANT_PAIR; ROLE_GRANT_PAIR *hash_entry, *mapping= new (thd->mem_root) ROLE_GRANT_PAIR;
if (mapping->init(&temp_root, username, hostname, rolename, if (mapping->init(thd->mem_root, username, hostname, rolename,
thd->lex->with_admin_option)) thd->lex->with_admin_option))
continue; continue;
...@@ -5549,8 +5546,6 @@ bool mysql_grant_role(THD *thd, List <LEX_USER> &list, bool revoke) ...@@ -5549,8 +5546,6 @@ bool mysql_grant_role(THD *thd, List <LEX_USER> &list, bool revoke)
} }
} }
free_root(&temp_root, MYF(0));
mysql_mutex_unlock(&acl_cache->lock); mysql_mutex_unlock(&acl_cache->lock);
mysql_rwlock_unlock(&LOCK_grant); mysql_rwlock_unlock(&LOCK_grant);
...@@ -8949,7 +8944,7 @@ bool mysql_create_user(THD *thd, List <LEX_USER> &list, bool handle_as_role) ...@@ -8949,7 +8944,7 @@ bool mysql_create_user(THD *thd, List <LEX_USER> &list, bool handle_as_role)
{ {
int result; int result;
String wrong_users; String wrong_users;
LEX_USER *user_name; LEX_USER *user_name, *admin;
List_iterator <LEX_USER> user_list(list); List_iterator <LEX_USER> user_list(list);
TABLE_LIST tables[GRANT_TABLES]; TABLE_LIST tables[GRANT_TABLES];
bool some_users_created= FALSE; bool some_users_created= FALSE;
...@@ -8963,6 +8958,32 @@ bool mysql_create_user(THD *thd, List <LEX_USER> &list, bool handle_as_role) ...@@ -8963,6 +8958,32 @@ bool mysql_create_user(THD *thd, List <LEX_USER> &list, bool handle_as_role)
mysql_rwlock_wrlock(&LOCK_grant); mysql_rwlock_wrlock(&LOCK_grant);
mysql_mutex_lock(&acl_cache->lock); mysql_mutex_lock(&acl_cache->lock);
if (handle_as_role)
{
if (thd->lex->definer)
admin= get_current_user(thd, thd->lex->definer, false);
else
admin= create_default_definer(thd, false);
if (!admin)
{
mysql_mutex_unlock(&acl_cache->lock);
mysql_rwlock_unlock(&LOCK_grant);
DBUG_RETURN(TRUE);
}
bool exists;
if (admin->is_role())
exists= find_acl_role(admin->user.str);
else
exists= find_user_no_anon(admin->host.str, admin->user.str, TRUE);
if (!exists)
{
my_error(ER_NO_SUCH_USER, MYF(0), admin->user.str, admin->host.str);
mysql_mutex_unlock(&acl_cache->lock);
mysql_rwlock_unlock(&LOCK_grant);
DBUG_RETURN(TRUE);
}
}
while ((user_name= user_list++)) while ((user_name= user_list++))
{ {
if (!user_name->host.str) if (!user_name->host.str)
...@@ -8985,6 +9006,27 @@ bool mysql_create_user(THD *thd, List <LEX_USER> &list, bool handle_as_role) ...@@ -8985,6 +9006,27 @@ bool mysql_create_user(THD *thd, List <LEX_USER> &list, bool handle_as_role)
{ {
append_user(&wrong_users, user_name); append_user(&wrong_users, user_name);
result= TRUE; result= TRUE;
continue;
}
// every created role is automatically granted to its creator-admin
if (handle_as_role)
{
ROLE_GRANT_PAIR *pair= new (thd->mem_root) ROLE_GRANT_PAIR;
if (pair->init(thd->mem_root, admin->user.str, admin->host.str,
user_name->user.str, true))
{
result= TRUE;
break;
}
add_role_user_mapping(pair);
if (replace_roles_mapping_table(tables[6].table, pair, NULL, false))
{
append_user(&wrong_users, user_name);
remove_role_user_mapping(pair);
result= TRUE;
}
} }
} }
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment