Commit 7481ac02 authored by Sergei Golubchik's avatar Sergei Golubchik

MDEV-5526 Assertion `proxied_user->host.length' fails on GRANT PROXY ON <role>

recognize the context better:
always treat the barename as a username in the username context
parent a718355d
......@@ -38,5 +38,5 @@ create role '';
ERROR OP000: Invalid role specification ``.
create role r1;
drop user r1;
ERROR HY000: Operation DROP USER failed for 'r1'
ERROR HY000: Operation DROP USER failed for 'r1'@'%'
drop role r1;
create role r1;
create user user;
grant proxy on r1 to user;
show grants for user;
Grants for user@%
GRANT USAGE ON *.* TO 'user'@'%'
GRANT PROXY ON 'r1'@'%' TO 'user'@'%'
drop user user;
drop role r1;
#
# MDEV-5526 Assertion `proxied_user->host.length' fails on GRANT PROXY ON <role>
#
create role r1;
create user user;
grant proxy on r1 to user;
show grants for user;
drop user user;
drop role r1;
create role r1;
grant select on *.* to r1 identified by 'foobar';
ERROR 28000: Can't find any matching row in the user table
drop user r1;
grant select on *.* to r1 identified by '';
ERROR 28000: Can't find any matching row in the user table
drop user r1;
grant select on mysql.user to r1 identified by password '00000000000000000000000000000000000000000';
ERROR 28000: Can't find any matching row in the user table
drop user r1;
grant select on *.* to r1 identified via plugin;
ERROR 28000: Can't find any matching row in the user table
ERROR HY000: Plugin 'plugin' is not loaded
grant select on mysql.user to r1 identified via plugin using 'param';
ERROR 28000: Can't find any matching row in the user table
ERROR HY000: Plugin 'plugin' is not loaded
grant select on *.* to r1 require subject 'foobar';
ERROR 28000: Can't find any matching row in the user table
grant select on mysql.user to r1 require issuer 'foobar';
......
......@@ -12,16 +12,18 @@
create role r1;
--error ER_PASSWORD_NO_MATCH
# IDENTIFIED does not apply to roles, using it forces username context
grant select on *.* to r1 identified by 'foobar';
--error ER_PASSWORD_NO_MATCH
drop user r1;
grant select on *.* to r1 identified by '';
--error ER_PASSWORD_NO_MATCH
drop user r1;
grant select on mysql.user to r1 identified by password '00000000000000000000000000000000000000000';
--error ER_PASSWORD_NO_MATCH
drop user r1;
--error ER_PLUGIN_IS_NOT_LOADED
grant select on *.* to r1 identified via plugin;
--error ER_PASSWORD_NO_MATCH
--error ER_PLUGIN_IS_NOT_LOADED
grant select on mysql.user to r1 identified via plugin using 'param';
--error ER_PASSWORD_NO_MATCH
grant select on *.* to r1 require subject 'foobar';
--error ER_PASSWORD_NO_MATCH
......
......@@ -8351,7 +8351,7 @@ static int handle_roles_mappings_table(TABLE *table, bool drop,
{
role= safe_str(get_field(thd->mem_root, role_field));
if (strcmp(user_from->user.str, role))
if (!user_from->is_role() || strcmp(user_from->user.str, role))
continue;
error= 0;
......@@ -8574,7 +8574,6 @@ static int handle_grant_struct(enum enum_acl_lists struct_no, bool drop,
const char *UNINIT_VAR(user);
const char *UNINIT_VAR(host);
const char *UNINIT_VAR(role);
uint role_not_matched= 1;
ACL_USER *acl_user= NULL;
ACL_ROLE *acl_role= NULL;
ACL_DB *acl_db= NULL;
......@@ -8734,11 +8733,10 @@ static int handle_grant_struct(enum enum_acl_lists struct_no, bool drop,
if (struct_no == ROLES_MAPPINGS_HASH)
{
role_not_matched= strcmp(user_from->user.str, role);
if (role_not_matched &&
if (user_from->is_role() ? strcmp(user_from->user.str, role) :
(strcmp(user_from->user.str, user) ||
my_strcasecmp(system_charset_info, user_from->host.str, host)))
continue;
continue;
}
else
{
......@@ -8858,14 +8856,14 @@ static int handle_grant_struct(enum enum_acl_lists struct_no, bool drop,
size_t old_key_length= role_grant_pair->hashkey.length;
bool oom;
if (role_not_matched)
oom= role_grant_pair->init(&acl_memroot, user_to->user.str,
user_to->host.str,
role_grant_pair->r_uname, false);
else
if (user_to->is_role())
oom= role_grant_pair->init(&acl_memroot, role_grant_pair->u_uname,
role_grant_pair->u_hname,
user_to->user.str, false);
else
oom= role_grant_pair->init(&acl_memroot, user_to->user.str,
user_to->host.str,
role_grant_pair->r_uname, false);
if (oom)
DBUG_RETURN(-1);
......@@ -9349,20 +9347,20 @@ bool mysql_rename_user(THD *thd, List <LEX_USER> &list)
while ((tmp_user_from= user_list++))
{
tmp_user_to= user_list++;
if (!(user_from= get_current_user(thd, tmp_user_from, false)) ||
user_from->is_role())
if (!(user_from= get_current_user(thd, tmp_user_from, false)))
{
append_user(&wrong_users, user_from);
result= TRUE;
continue;
}
if (!(user_to= get_current_user(thd, tmp_user_to, false)) ||
user_to->is_role())
if (!(user_to= get_current_user(thd, tmp_user_to, false)))
{
append_user(&wrong_users, user_to);
result= TRUE;
continue;
}
DBUG_ASSERT(!user_from->is_role());
DBUG_ASSERT(!user_to->is_role());
/*
Search all in-memory structures and grant tables
......
......@@ -1771,7 +1771,7 @@ bool my_yyoverflow(short **a, YYSTYPE **b, ulong *yystacksize);
%type <symbol> keyword keyword_sp
%type <lex_user> user grant_user grant_role user_or_role current_role
admin_option_for_role
admin_option_for_role user_maybe_role
%type <charset>
opt_collate
......@@ -13916,7 +13916,7 @@ ident_or_text:
| LEX_HOSTNAME { $$=$1;}
;
user:
user_maybe_role:
ident_or_text
{
if (!($$=(LEX_USER*) thd->alloc(sizeof(st_lex_user))))
......@@ -13974,7 +13974,15 @@ user:
}
;
user_or_role: user | current_role;
user_or_role: user_maybe_role | current_role;
user: user_maybe_role
{
if ($1->user.str != current_user.str && $1->host.str == 0)
$1->host= host_not_specified;
$$= $1;
}
;
/* Keyword that we allow for identifiers (except SP labels) */
keyword:
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment