Commit 4e987b1c authored by Anel Husakovic's avatar Anel Husakovic

MDEV-22313: Neither SHOW CREATE USER nor SHOW GRANTS prints a user's default role

Reviewed-by: serg@mariadb.com
parent 64fe9d6d
......@@ -39,3 +39,35 @@ connection default;
disconnect u1;
drop user u1@localhost;
drop database mysqltest1;
CREATE ROLE test_role;
CREATE USER test_user;
GRANT test_role TO test_user;
SET DEFAULT ROLE test_role FOR test_user;
SHOW GRANTS FOR test_user;
Grants for test_user@%
GRANT test_role TO 'test_user'@'%'
GRANT USAGE ON *.* TO 'test_user'@'%'
SET DEFAULT ROLE test_role FOR 'test_user'@'%'
SET DEFAULT ROLE NONE for test_user;
SHOW GRANTS FOR test_user;
Grants for test_user@%
GRANT test_role TO 'test_user'@'%'
GRANT USAGE ON *.* TO 'test_user'@'%'
SET ROLE test_role;
SET DEFAULT ROLE test_role;
SHOW GRANTS;
Grants for root@localhost
GRANT test_role TO 'root'@'localhost' WITH ADMIN OPTION
GRANT ALL PRIVILEGES ON *.* TO 'root'@'localhost' WITH GRANT OPTION
GRANT PROXY ON ''@'%' TO 'root'@'localhost' WITH GRANT OPTION
GRANT USAGE ON *.* TO 'test_role'
SET DEFAULT ROLE test_role FOR 'root'@'localhost'
SET DEFAULT ROLE NONE;
SHOW GRANTS;
Grants for root@localhost
GRANT test_role TO 'root'@'localhost' WITH ADMIN OPTION
GRANT ALL PRIVILEGES ON *.* TO 'root'@'localhost' WITH GRANT OPTION
GRANT PROXY ON ''@'%' TO 'root'@'localhost' WITH GRANT OPTION
GRANT USAGE ON *.* TO 'test_role'
DROP USER test_user;
DROP ROLE test_role;
......@@ -17,6 +17,7 @@ Grants for test_user@localhost
GRANT test_role TO 'test_user'@'localhost'
GRANT USAGE ON *.* TO 'test_user'@'localhost'
GRANT SELECT ON *.* TO 'test_role'
SET DEFAULT ROLE test_role FOR 'test_user'@'localhost'
select user, host, default_role from mysql.user where user='test_user';
user host default_role
test_user localhost test_role
......
......@@ -21,6 +21,7 @@ Grants for user_a@localhost
GRANT role_a TO 'user_a'@'localhost'
GRANT USAGE ON *.* TO 'user_a'@'localhost'
GRANT SELECT ON *.* TO 'role_a'
SET DEFAULT ROLE role_a FOR 'user_a'@'localhost'
select user, host, default_role from mysql.user where user like 'user_%';
user host default_role
user_a localhost role_a
......@@ -42,6 +43,7 @@ Grants for user_b@localhost
GRANT role_b TO 'user_b'@'localhost'
GRANT USAGE ON *.* TO 'user_b'@'localhost'
GRANT INSERT, UPDATE ON *.* TO 'role_b'
SET DEFAULT ROLE role_b FOR 'user_b'@'localhost'
select user, host, default_role from mysql.user where user like 'user_%';
ERROR 42000: SELECT command denied to user 'user_b'@'localhost' for table 'user'
insert ignore into mysql.user (user, host) values ('someuser', 'somehost');
......
......@@ -24,6 +24,7 @@ Grants for test_user@localhost
GRANT test_role TO 'test_user'@'localhost'
GRANT USAGE ON *.* TO 'test_user'@'localhost'
GRANT SELECT ON *.* TO 'test_role'
SET DEFAULT ROLE test_role FOR 'test_user'@'localhost'
select user, host, default_role from mysql.user where user='test_user';
user host default_role
test_user localhost test_role
......@@ -71,6 +72,7 @@ GRANT r1 TO 'b'@'%'
GRANT r2 TO 'b'@'%'
GRANT USAGE ON *.* TO 'b'@'%'
GRANT SELECT ON `mysql`.* TO 'b'@'%'
SET DEFAULT ROLE r2 FOR 'b'@'%'
SET DEFAULT ROLE r1 FOR a;
ERROR 42000: Access denied for user 'b'@'%' to database 'mysql'
SELECT CURRENT_ROLE;
......@@ -96,6 +98,7 @@ GRANT r1 TO 'b'@'%'
GRANT r2 TO 'b'@'%'
GRANT USAGE ON *.* TO 'b'@'%'
GRANT SELECT, UPDATE ON `mysql`.* TO 'b'@'%'
SET DEFAULT ROLE r2 FOR 'b'@'%'
SET DEFAULT ROLE r1 FOR a;
ERROR OP000: User `a@%` has not been granted role `r1`
SET DEFAULT ROLE invalid_role;
......
......@@ -23,6 +23,7 @@ Grants for test_user@localhost
GRANT test_role TO 'test_user'@'localhost'
GRANT USAGE ON *.* TO 'test_user'@'localhost'
GRANT SELECT ON *.* TO 'test_role'
SET DEFAULT ROLE test_role FOR 'test_user'@'localhost'
select user, host, default_role from mysql.user where user = 'test_user';
user host default_role
test_user localhost test_role
......@@ -51,6 +52,7 @@ Grants for test_user@localhost
GRANT test_role TO 'test_user'@'localhost'
GRANT USAGE ON *.* TO 'test_user'@'localhost'
GRANT SELECT ON *.* TO 'test_role'
SET DEFAULT ROLE test_role FOR 'test_user'@'localhost'
select user, host, default_role from mysql.user where user = 'test_user';
user host default_role
test_user localhost test_role
......
......@@ -52,6 +52,24 @@ disconnect u1;
drop user u1@localhost;
drop database mysqltest1;
#
# MDEV-22313: Neither SHOW CREATE USER nor SHOW GRANTS prints a user's default role
#
CREATE ROLE test_role;
CREATE USER test_user;
GRANT test_role TO test_user;
SET DEFAULT ROLE test_role FOR test_user;
SHOW GRANTS FOR test_user;
SET DEFAULT ROLE NONE for test_user;
SHOW GRANTS FOR test_user;
SET ROLE test_role;
SET DEFAULT ROLE test_role;
SHOW GRANTS;
SET DEFAULT ROLE NONE;
SHOW GRANTS;
DROP USER test_user;
DROP ROLE test_role;
#
# End of 10.1 tests
#
......@@ -353,8 +353,9 @@ static void update_hostname(acl_host_and_ip *host, const char *hostname);
static ulong get_sort(uint count,...);
static bool show_proxy_grants (THD *, const char *, const char *,
char *, size_t);
static bool show_role_grants(THD *, const char *, const char *,
static bool show_role_grants(THD *, const char *,
ACL_USER_BASE *, char *, size_t);
static bool show_default_role(THD *, ACL_USER *, char *, size_t);
static bool show_global_privileges(THD *, ACL_USER_BASE *,
bool, char *, size_t);
static bool show_database_privileges(THD *, const char *, const char *,
......@@ -8531,7 +8532,7 @@ static bool print_grants_for_role(THD *thd, ACL_ROLE * role)
{
char buff[1024];
if (show_role_grants(thd, role->user.str, "", role, buff, sizeof(buff)))
if (show_role_grants(thd, "", role, buff, sizeof(buff)))
return TRUE;
if (show_global_privileges(thd, role, TRUE, buff, sizeof(buff)))
......@@ -8746,7 +8747,7 @@ bool mysql_show_grants(THD *thd, LEX_USER *lex_user)
}
/* Show granted roles to acl_user */
if (show_role_grants(thd, username, hostname, acl_user, buff, sizeof(buff)))
if (show_role_grants(thd, hostname, acl_user, buff, sizeof(buff)))
goto end;
/* Add first global access grants */
......@@ -8795,6 +8796,14 @@ bool mysql_show_grants(THD *thd, LEX_USER *lex_user)
}
}
if (username)
{
/* Show default role to acl_user */
if (show_default_role(thd, acl_user, buff, sizeof(buff)))
goto end;
}
error= 0;
end:
mysql_mutex_unlock(&acl_cache->lock);
......@@ -8821,15 +8830,44 @@ static ROLE_GRANT_PAIR *find_role_grant_pair(const LEX_STRING *u,
my_hash_search(&acl_roles_mappings, (uchar*)pair_key.ptr(), key_length);
}
static bool show_role_grants(THD *thd, const char *username,
const char *hostname, ACL_USER_BASE *acl_entry,
static bool show_default_role(THD *thd, ACL_USER *acl_entry,
char *buff, size_t buffsize)
{
Protocol *protocol= thd->protocol;
LEX_STRING def_rolename= acl_entry->default_rolename;
if (def_rolename.length)
{
String def_str(buff, buffsize, system_charset_info);
def_str.length(0);
def_str.append(STRING_WITH_LEN("SET DEFAULT ROLE "));
def_str.append(&def_rolename);
def_str.append(" FOR '");
def_str.append(&acl_entry->user);
DBUG_ASSERT(!(acl_entry->flags & IS_ROLE));
def_str.append(STRING_WITH_LEN("'@'"));
def_str.append(acl_entry->host.hostname, acl_entry->hostname_length,
system_charset_info);
def_str.append('\'');
protocol->prepare_for_resend();
protocol->store(def_str.ptr(),def_str.length(),def_str.charset());
if (protocol->write())
{
return TRUE;
}
}
return FALSE;
}
static bool show_role_grants(THD *thd, const char *hostname,
ACL_USER_BASE *acl_entry,
char *buff, size_t buffsize)
{
uint counter;
Protocol *protocol= thd->protocol;
LEX_STRING host= {const_cast<char*>(hostname), strlen(hostname)};
String grant(buff,sizeof(buff),system_charset_info);
String grant(buff, buffsize, system_charset_info);
for (counter= 0; counter < acl_entry->role_grants.elements; counter++)
{
grant.length(0);
......@@ -8873,7 +8911,7 @@ static bool show_global_privileges(THD *thd, ACL_USER_BASE *acl_entry,
ulong want_access;
Protocol *protocol= thd->protocol;
String global(buff,sizeof(buff),system_charset_info);
String global(buff, buffsize, system_charset_info);
global.length(0);
global.append(STRING_WITH_LEN("GRANT "));
......@@ -8952,7 +8990,7 @@ static bool show_database_privileges(THD *thd, const char *username,
want_access=acl_db->initial_access;
if (want_access)
{
String db(buff,sizeof(buff),system_charset_info);
String db(buff, buffsize, system_charset_info);
db.length(0);
db.append(STRING_WITH_LEN("GRANT "));
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment