Commit 34da3be8 authored by Vicențiu Ciorbaru's avatar Vicențiu Ciorbaru

MDEV-10463: Granted as a whole to roles, databases are not show in SHOW DATABASES

The problem lies in not checking role privileges as well during SHOW
DATABASES command. This problem is also apparent for SHOW CREATE
DATABASE command.

Other SHOW COMMANDS make use of check_access, which in turn makes use of
acl_get for both priv_user and priv_role parts, which allows them to
function correctly.
parent 2579b252
drop database if exists db;
Warnings:
Note 1008 Can't drop database 'db'; database doesn't exist
create role r1;
create user beep@'%';
create database db;
create table db.t1 (i int);
create table db.t2 (b int);
grant select on db.* to r1;
grant r1 to beep@'%';
show databases;
Database
information_schema
test
show create database db;
ERROR 42000: Access denied for user 'beep'@'localhost' to database 'db'
select table_schema, table_name from information_schema.tables
where table_schema = 'db';
table_schema table_name
set role r1;
show databases;
Database
db
information_schema
test
show create database db;
Database Create Database
db CREATE DATABASE `db` /*!40100 DEFAULT CHARACTER SET latin1 */
select table_schema, table_name from information_schema.tables
where table_schema = 'db';
table_schema table_name
db t1
db t2
create role r2;
create user beep2@'%';
grant update on db.* to r2;
grant r2 to beep2;
show databases;
Database
information_schema
test
show create database db;
ERROR 42000: Access denied for user 'beep2'@'localhost' to database 'db'
select table_schema, table_name from information_schema.tables
where table_schema = 'db';
table_schema table_name
set role r2;
show databases;
Database
db
information_schema
test
show create database db;
Database Create Database
db CREATE DATABASE `db` /*!40100 DEFAULT CHARACTER SET latin1 */
select table_schema, table_name from information_schema.tables
where table_schema = 'db';
table_schema table_name
db t1
db t2
drop database db;
drop role r1;
drop user beep;
drop role r2;
drop user beep2;
source include/not_embedded.inc;
drop database if exists db;
create role r1;
create user beep@'%';
create database db;
create table db.t1 (i int);
create table db.t2 (b int);
grant select on db.* to r1;
grant r1 to beep@'%';
--connect (con1,localhost,beep,,)
show databases;
--error ER_DBACCESS_DENIED_ERROR
show create database db;
select table_schema, table_name from information_schema.tables
where table_schema = 'db';
set role r1;
show databases;
show create database db;
select table_schema, table_name from information_schema.tables
where table_schema = 'db';
connection default;
create role r2;
create user beep2@'%';
grant update on db.* to r2;
grant r2 to beep2;
--connect (con2,localhost,beep2,,)
show databases;
--error ER_DBACCESS_DENIED_ERROR
show create database db;
select table_schema, table_name from information_schema.tables
where table_schema = 'db';
set role r2;
show databases;
show create database db;
select table_schema, table_name from information_schema.tables
where table_schema = 'db';
connection default;
drop database db;
drop role r1;
drop user beep;
drop role r2;
drop user beep2;
......@@ -1167,8 +1167,13 @@ bool mysqld_show_create_db(THD *thd, LEX_STRING *dbname,
if (test_all_bits(sctx->master_access, DB_ACLS))
db_access=DB_ACLS;
else
db_access= (acl_get(sctx->host, sctx->ip, sctx->priv_user, dbname->str, 0) |
sctx->master_access);
{
db_access= acl_get(sctx->host, sctx->ip, sctx->priv_user, dbname->str, 0) |
sctx->master_access;
if (sctx->priv_role[0])
db_access|= acl_get("", "", sctx->priv_role, dbname->str, 0);
}
if (!(db_access & DB_ACLS) && check_grant_db(thd,dbname->str))
{
status_var_increment(thd->status_var.access_denied_errors);
......@@ -5118,8 +5123,10 @@ int fill_schema_schemata(THD *thd, TABLE_LIST *tables, COND *cond)
}
#ifndef NO_EMBEDDED_ACCESS_CHECKS
if (sctx->master_access & (DB_ACLS | SHOW_DB_ACL) ||
acl_get(sctx->host, sctx->ip, sctx->priv_user, db_name->str, 0) ||
!check_grant_db(thd, db_name->str))
acl_get(sctx->host, sctx->ip, sctx->priv_user, db_name->str, false) ||
(sctx->priv_role[0] ?
acl_get("", "", sctx->priv_role, db_name->str, false) : 0) ||
!check_grant_db(thd, db_name->str))
#endif
{
load_db_opt_by_name(thd, db_name->str, &create);
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment