[MDEV-10744] Roles are not fully case-sensitive - Jira

XML

Word

Printable

Details

Type: Bug
Status: Closed (View Workflow)
Priority: Major
Resolution: Fixed
Affects Version/s: 10.1.13, 10.0, 10.1
Fix Version/s: 10.0.29, 10.1.20
Component/s: Authentication and Privilege System
Labels:
None

Sprint:
10.1.18, 10.1.19

Description

I've created a role with both upper and lowercase name, resulting in some weird behavior (output and test case below).

The first thing I noticed is that you can create roles with the same name but different case (test_role and test_ROLE in below example), but you can't grant both to the same user as that results in an error 1961 when granting the second role. Imo this indicates that not all the roles code is case-sensitive.

The second weird thing is that when you get the error 1961 in above scenario, the first role (that was granted successfully) is gone from the show grants output. It is not revoked (the user can still use it), it just isn't shown anymore until I flush privileges.

MariaDB [mysql]> create role test_ROLE;

Query OK, 0 rows affected (0.00 sec)

MariaDB [mysql]> create role test_role;

Query OK, 0 rows affected (0.00 sec)

MariaDB [mysql]> grant select on mysql.* to test_role;

Query OK, 0 rows affected (0.00 sec)

MariaDB [mysql]> select user, host from user where is_role='y' and user like 'test%';

+-----------+------+

| user      | host |

+-----------+------+

| test_ROLE |      |

| test_role |      |

+-----------+------+

2 rows in set (0.00 sec)

MariaDB [mysql]> grant test_role to testuser;

Query OK, 0 rows affected (0.00 sec)

MariaDB [mysql]> show grants for testuser;

+------------------------------------------------------------------------+

| Grants for testuser@%                                                   |

+------------------------------------------------------------------------+

| GRANT test_role TO 'testuser'@'%'                                       |

| GRANT USAGE ON *.* TO 'testuser'@'%' IDENTIFIED VIA pam USING 'mariadb' |

+------------------------------------------------------------------------+

2 rows in set (0.00 sec)

MariaDB [mysql]> grant test_ROLE to testuser;

ERROR 1961 (HY000): Cannot grant role 'test_ROLE' to: 'testuser'.

MariaDB [mysql]> show grants for testuser;

+------------------------------------------------------------------------+

| Grants for testuser@%                                                   |

+------------------------------------------------------------------------+

| GRANT USAGE ON *.* TO 'testuser'@'%' IDENTIFIED VIA pam USING 'mariadb' |

+------------------------------------------------------------------------+

1 row in set (0.00 sec)

MariaDB [mysql]> select * from roles_mapping where user='testuser';

+-----------+---------+-----------+--------------+

| Host      | User    | Role      | Admin_option |

+-----------+---------+-----------+--------------+

| %         | testuser | test_role | N            |

+-----------+---------+-----------+--------------+

3 rows in set (0.00 sec)

MariaDB [mysql]> flush privileges;

Query OK, 0 rows affected (0.00 sec)

MariaDB [mysql]> show grants for testuser;

+------------------------------------------------------------------------+

| Grants for testuser@%                                                   |

+------------------------------------------------------------------------+

| GRANT test_role TO 'testuser'@'%'                                       |

| GRANT USAGE ON *.* TO 'testuser'@'%' IDENTIFIED VIA pam USING 'mariadb' |

+------------------------------------------------------------------------+

2 rows in set (0.00 sec)

Attachments

Activity

People

Assignee:: Vicențiu Ciorbaru

Reporter:: Robin Peiremans

Votes:: 0 Vote for this issue

Watchers:: 5 Start watching this issue

Dates

Created:: 2016-09-05 12:58

Updated:: 2016-12-02 21:34

Resolved:: 2016-12-02 21:34

Git Integration

Error rendering 'com.xiplink.jira.git.jira_git_plugin:git-issue-webpanel'. Please contact your Jira administrators.