Commit 7481ac02 authored by Sergei Golubchik's avatar Sergei Golubchik

MDEV-5526 Assertion `proxied_user->host.length' fails on GRANT PROXY ON <role>

recognize the context better:
always treat the barename as a username in the username context
parent a718355d
...@@ -38,5 +38,5 @@ create role ''; ...@@ -38,5 +38,5 @@ create role '';
ERROR OP000: Invalid role specification ``. ERROR OP000: Invalid role specification ``.
create role r1; create role r1;
drop user r1; drop user r1;
ERROR HY000: Operation DROP USER failed for 'r1' ERROR HY000: Operation DROP USER failed for 'r1'@'%'
drop role r1; drop role r1;
create role r1;
create user user;
grant proxy on r1 to user;
show grants for user;
Grants for user@%
GRANT USAGE ON *.* TO 'user'@'%'
GRANT PROXY ON 'r1'@'%' TO 'user'@'%'
drop user user;
drop role r1;
#
# MDEV-5526 Assertion `proxied_user->host.length' fails on GRANT PROXY ON <role>
#
create role r1;
create user user;
grant proxy on r1 to user;
show grants for user;
drop user user;
drop role r1;
create role r1; create role r1;
grant select on *.* to r1 identified by 'foobar'; grant select on *.* to r1 identified by 'foobar';
ERROR 28000: Can't find any matching row in the user table drop user r1;
grant select on *.* to r1 identified by ''; grant select on *.* to r1 identified by '';
ERROR 28000: Can't find any matching row in the user table drop user r1;
grant select on mysql.user to r1 identified by password '00000000000000000000000000000000000000000'; grant select on mysql.user to r1 identified by password '00000000000000000000000000000000000000000';
ERROR 28000: Can't find any matching row in the user table drop user r1;
grant select on *.* to r1 identified via plugin; grant select on *.* to r1 identified via plugin;
ERROR 28000: Can't find any matching row in the user table ERROR HY000: Plugin 'plugin' is not loaded
grant select on mysql.user to r1 identified via plugin using 'param'; grant select on mysql.user to r1 identified via plugin using 'param';
ERROR 28000: Can't find any matching row in the user table ERROR HY000: Plugin 'plugin' is not loaded
grant select on *.* to r1 require subject 'foobar'; grant select on *.* to r1 require subject 'foobar';
ERROR 28000: Can't find any matching row in the user table ERROR 28000: Can't find any matching row in the user table
grant select on mysql.user to r1 require issuer 'foobar'; grant select on mysql.user to r1 require issuer 'foobar';
......
...@@ -12,16 +12,18 @@ ...@@ -12,16 +12,18 @@
create role r1; create role r1;
--error ER_PASSWORD_NO_MATCH # IDENTIFIED does not apply to roles, using it forces username context
grant select on *.* to r1 identified by 'foobar'; grant select on *.* to r1 identified by 'foobar';
--error ER_PASSWORD_NO_MATCH drop user r1;
grant select on *.* to r1 identified by ''; grant select on *.* to r1 identified by '';
--error ER_PASSWORD_NO_MATCH drop user r1;
grant select on mysql.user to r1 identified by password '00000000000000000000000000000000000000000'; grant select on mysql.user to r1 identified by password '00000000000000000000000000000000000000000';
--error ER_PASSWORD_NO_MATCH drop user r1;
--error ER_PLUGIN_IS_NOT_LOADED
grant select on *.* to r1 identified via plugin; grant select on *.* to r1 identified via plugin;
--error ER_PASSWORD_NO_MATCH --error ER_PLUGIN_IS_NOT_LOADED
grant select on mysql.user to r1 identified via plugin using 'param'; grant select on mysql.user to r1 identified via plugin using 'param';
--error ER_PASSWORD_NO_MATCH --error ER_PASSWORD_NO_MATCH
grant select on *.* to r1 require subject 'foobar'; grant select on *.* to r1 require subject 'foobar';
--error ER_PASSWORD_NO_MATCH --error ER_PASSWORD_NO_MATCH
......
...@@ -8351,7 +8351,7 @@ static int handle_roles_mappings_table(TABLE *table, bool drop, ...@@ -8351,7 +8351,7 @@ static int handle_roles_mappings_table(TABLE *table, bool drop,
{ {
role= safe_str(get_field(thd->mem_root, role_field)); role= safe_str(get_field(thd->mem_root, role_field));
if (strcmp(user_from->user.str, role)) if (!user_from->is_role() || strcmp(user_from->user.str, role))
continue; continue;
error= 0; error= 0;
...@@ -8574,7 +8574,6 @@ static int handle_grant_struct(enum enum_acl_lists struct_no, bool drop, ...@@ -8574,7 +8574,6 @@ static int handle_grant_struct(enum enum_acl_lists struct_no, bool drop,
const char *UNINIT_VAR(user); const char *UNINIT_VAR(user);
const char *UNINIT_VAR(host); const char *UNINIT_VAR(host);
const char *UNINIT_VAR(role); const char *UNINIT_VAR(role);
uint role_not_matched= 1;
ACL_USER *acl_user= NULL; ACL_USER *acl_user= NULL;
ACL_ROLE *acl_role= NULL; ACL_ROLE *acl_role= NULL;
ACL_DB *acl_db= NULL; ACL_DB *acl_db= NULL;
...@@ -8734,11 +8733,10 @@ static int handle_grant_struct(enum enum_acl_lists struct_no, bool drop, ...@@ -8734,11 +8733,10 @@ static int handle_grant_struct(enum enum_acl_lists struct_no, bool drop,
if (struct_no == ROLES_MAPPINGS_HASH) if (struct_no == ROLES_MAPPINGS_HASH)
{ {
role_not_matched= strcmp(user_from->user.str, role); if (user_from->is_role() ? strcmp(user_from->user.str, role) :
if (role_not_matched &&
(strcmp(user_from->user.str, user) || (strcmp(user_from->user.str, user) ||
my_strcasecmp(system_charset_info, user_from->host.str, host))) my_strcasecmp(system_charset_info, user_from->host.str, host)))
continue; continue;
} }
else else
{ {
...@@ -8858,14 +8856,14 @@ static int handle_grant_struct(enum enum_acl_lists struct_no, bool drop, ...@@ -8858,14 +8856,14 @@ static int handle_grant_struct(enum enum_acl_lists struct_no, bool drop,
size_t old_key_length= role_grant_pair->hashkey.length; size_t old_key_length= role_grant_pair->hashkey.length;
bool oom; bool oom;
if (role_not_matched) if (user_to->is_role())
oom= role_grant_pair->init(&acl_memroot, user_to->user.str,
user_to->host.str,
role_grant_pair->r_uname, false);
else
oom= role_grant_pair->init(&acl_memroot, role_grant_pair->u_uname, oom= role_grant_pair->init(&acl_memroot, role_grant_pair->u_uname,
role_grant_pair->u_hname, role_grant_pair->u_hname,
user_to->user.str, false); user_to->user.str, false);
else
oom= role_grant_pair->init(&acl_memroot, user_to->user.str,
user_to->host.str,
role_grant_pair->r_uname, false);
if (oom) if (oom)
DBUG_RETURN(-1); DBUG_RETURN(-1);
...@@ -9349,20 +9347,20 @@ bool mysql_rename_user(THD *thd, List <LEX_USER> &list) ...@@ -9349,20 +9347,20 @@ bool mysql_rename_user(THD *thd, List <LEX_USER> &list)
while ((tmp_user_from= user_list++)) while ((tmp_user_from= user_list++))
{ {
tmp_user_to= user_list++; tmp_user_to= user_list++;
if (!(user_from= get_current_user(thd, tmp_user_from, false)) || if (!(user_from= get_current_user(thd, tmp_user_from, false)))
user_from->is_role())
{ {
append_user(&wrong_users, user_from); append_user(&wrong_users, user_from);
result= TRUE; result= TRUE;
continue; continue;
} }
if (!(user_to= get_current_user(thd, tmp_user_to, false)) || if (!(user_to= get_current_user(thd, tmp_user_to, false)))
user_to->is_role())
{ {
append_user(&wrong_users, user_to); append_user(&wrong_users, user_to);
result= TRUE; result= TRUE;
continue; continue;
} }
DBUG_ASSERT(!user_from->is_role());
DBUG_ASSERT(!user_to->is_role());
/* /*
Search all in-memory structures and grant tables Search all in-memory structures and grant tables
......
...@@ -1771,7 +1771,7 @@ bool my_yyoverflow(short **a, YYSTYPE **b, ulong *yystacksize); ...@@ -1771,7 +1771,7 @@ bool my_yyoverflow(short **a, YYSTYPE **b, ulong *yystacksize);
%type <symbol> keyword keyword_sp %type <symbol> keyword keyword_sp
%type <lex_user> user grant_user grant_role user_or_role current_role %type <lex_user> user grant_user grant_role user_or_role current_role
admin_option_for_role admin_option_for_role user_maybe_role
%type <charset> %type <charset>
opt_collate opt_collate
...@@ -13916,7 +13916,7 @@ ident_or_text: ...@@ -13916,7 +13916,7 @@ ident_or_text:
| LEX_HOSTNAME { $$=$1;} | LEX_HOSTNAME { $$=$1;}
; ;
user: user_maybe_role:
ident_or_text ident_or_text
{ {
if (!($$=(LEX_USER*) thd->alloc(sizeof(st_lex_user)))) if (!($$=(LEX_USER*) thd->alloc(sizeof(st_lex_user))))
...@@ -13974,7 +13974,15 @@ user: ...@@ -13974,7 +13974,15 @@ user:
} }
; ;
user_or_role: user | current_role; user_or_role: user_maybe_role | current_role;
user: user_maybe_role
{
if ($1->user.str != current_user.str && $1->host.str == 0)
$1->host= host_not_specified;
$$= $1;
}
;
/* Keyword that we allow for identifiers (except SP labels) */ /* Keyword that we allow for identifiers (except SP labels) */
keyword: keyword:
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment