MDEV-10463: Granted as a whole to roles, databases are not show in SHOW DATABASES

The problem lies in not checking role privileges as well during SHOW DATABASES command. This problem is also apparent for SHOW CREATE DATABASE command. Other SHOW COMMANDS make use of check_access, which in turn makes use of acl_get for both priv_user and priv_role parts, which allows them to function correctly.

MDEV-10463: Granted as a whole to roles, databases are not show in SHOW DATABASES
The problem lies in not checking role privileges as well during SHOW DATABASES command. This problem is also apparent for SHOW CREATE DATABASE command. Other SHOW COMMANDS make use of check_access, which in turn makes use of acl_get for both priv_user and priv_role parts, which allows them to function correctly.
34da3be8 · Vicențiu Ciorbaru · 2579b252 · 34da3be8 · 34da3be8 · 34da3be8
Commit 34da3be8 authored May 22, 2017 by Vicențiu Ciorbaru
3 changed files
--- a/mysql-test/suite/roles/show_create_database-10463.result
+++ b/mysql-test/suite/roles/show_create_database-10463.result
+drop database if exists db;
+Warnings:
+Note	1008	Can't drop database 'db'; database doesn't exist
+create role r1;
+create user beep@'%';
+create database db;
+create table db.t1 (i int);
+create table db.t2 (b int);
+grant select on db.* to r1;
+grant r1 to beep@'%';
+show databases;
+Database
+information_schema
+test
+show create database db;
+ERROR 42000: Access denied for user 'beep'@'localhost' to database 'db'
+select table_schema, table_name from information_schema.tables
+where table_schema = 'db';
+table_schema	table_name
+set role r1;
+show databases;
+Database
+db
+information_schema
+test
+show create database db;
+Database	Create Database
+db	CREATE DATABASE `db` /*!40100 DEFAULT CHARACTER SET latin1 */
+select table_schema, table_name from information_schema.tables
+where table_schema = 'db';
+table_schema	table_name
+db	t1
+db	t2
+create role r2;
+create user beep2@'%';
+grant update on db.* to r2;
+grant r2 to beep2;
+show databases;
+Database
+information_schema
+test
+show create database db;
+ERROR 42000: Access denied for user 'beep2'@'localhost' to database 'db'
+select table_schema, table_name from information_schema.tables
+where table_schema = 'db';
+table_schema	table_name
+set role r2;
+show databases;
+Database
+db
+information_schema
+test
+show create database db;
+Database	Create Database
+db	CREATE DATABASE `db` /*!40100 DEFAULT CHARACTER SET latin1 */
+select table_schema, table_name from information_schema.tables
+where table_schema = 'db';
+table_schema	table_name
+db	t1
+db	t2
+drop database db;
+drop role r1;
+drop user beep;
+drop role r2;
+drop user beep2;
--- a/mysql-test/suite/roles/show_create_database-10463.test
+++ b/mysql-test/suite/roles/show_create_database-10463.test
+source include/not_embedded.inc;
+drop database if exists db;
+create role r1;
+create user beep@'%';
+create database db;
+create table db.t1 (i int);
+create table db.t2 (b int);
+grant select on db.* to r1;
+grant r1 to beep@'%';
+--connect (con1,localhost,beep,,)
+show databases;
+--error ER_DBACCESS_DENIED_ERROR
+show create database db;
+select table_schema, table_name from information_schema.tables
+where table_schema = 'db';
+set role r1;
+show databases;
+show create database db;
+select table_schema, table_name from information_schema.tables
+where table_schema = 'db';
+connection default;
+create role r2;
+create user beep2@'%';
+grant update on db.* to r2;
+grant r2 to beep2;
+--connect (con2,localhost,beep2,,)
+show databases;
+--error ER_DBACCESS_DENIED_ERROR
+show create database db;
+select table_schema, table_name from information_schema.tables
+where table_schema = 'db';
+set role r2;
+show databases;
+show create database db;
+select table_schema, table_name from information_schema.tables
+where table_schema = 'db';
+connection default;
+drop database db;
+drop role r1;
+drop user beep;
+drop role r2;
+drop user beep2;
--- a/sql/sql_show.cc
+++ b/sql/sql_show.cc
@@ -1167,8 +1167,13 @@ bool mysqld_show_create_db(THD *thd, LEX_STRING *dbname,
  if (test_all_bits(sctx->master_access, DB_ACLS))
    db_access=DB_ACLS;
  else
-    db_access= (acl_get(sctx->host, sctx->ip, sctx->priv_user, dbname->str, 0) |
+  {
-		sctx->master_access);
+    db_access= acl_get(sctx->host, sctx->ip, sctx->priv_user, dbname->str, 0) |
+               sctx->master_access;
+    if (sctx->priv_role[0])
+      db_access|= acl_get("", "", sctx->priv_role, dbname->str, 0);
+  }
  if (!(db_access & DB_ACLS) && check_grant_db(thd,dbname->str))
  {
    status_var_increment(thd->status_var.access_denied_errors);
@@ -5118,8 +5123,10 @@ int fill_schema_schemata(THD *thd, TABLE_LIST *tables, COND *cond)
    }
 #ifndef NO_EMBEDDED_ACCESS_CHECKS
    if (sctx->master_access & (DB_ACLS | SHOW_DB_ACL) ||
-	acl_get(sctx->host, sctx->ip, sctx->priv_user, db_name->str, 0) ||
+        acl_get(sctx->host, sctx->ip, sctx->priv_user, db_name->str, false) ||
-	!check_grant_db(thd, db_name->str))
+        (sctx->priv_role[0] ?
+             acl_get("", "", sctx->priv_role, db_name->str, false) : 0) ||
+        !check_grant_db(thd, db_name->str))
 #endif
    {
      load_db_opt_by_name(thd, db_name->str, &create);