Uploaded image for project: 'MariaDB Server'
  1. MariaDB Server
  2. MDEV-10744

Roles are not fully case-sensitive

Details

    • 10.1.18, 10.1.19

    Description

      I've created a role with both upper and lowercase name, resulting in some weird behavior (output and test case below).

      The first thing I noticed is that you can create roles with the same name but different case (test_role and test_ROLE in below example), but you can't grant both to the same user as that results in an error 1961 when granting the second role. Imo this indicates that not all the roles code is case-sensitive.

      The second weird thing is that when you get the error 1961 in above scenario, the first role (that was granted successfully) is gone from the show grants output. It is not revoked (the user can still use it), it just isn't shown anymore until I flush privileges.

      MariaDB [mysql]> create role test_ROLE;
      		 
      Query OK, 0 rows affected (0.00 sec)
      		 
       
      		 
      MariaDB [mysql]> create role test_role;
      		 
      Query OK, 0 rows affected (0.00 sec)
      		 
       
      		 
      MariaDB [mysql]> grant select on mysql.* to test_role;
      		 
      Query OK, 0 rows affected (0.00 sec)
      		 
       
      		 
      MariaDB [mysql]> select user, host from user where is_role='y' and user like 'test%';
      		 
      +-----------+------+
      		 
      | user      | host |
      		 
      +-----------+------+
      		 
      | test_ROLE |      |
      		 
      | test_role |      |
      		 
      +-----------+------+
      		 
      2 rows in set (0.00 sec)
      		 
       
      		 
      MariaDB [mysql]> grant test_role to testuser;
      		 
      Query OK, 0 rows affected (0.00 sec)
      		 
       
      		 
      MariaDB [mysql]> show grants for testuser;
      		 
      +------------------------------------------------------------------------+
      		 
      | Grants for testuser@%                                                   |
      		 
      +------------------------------------------------------------------------+
      		 
      | GRANT test_role TO 'testuser'@'%'                                       |
      		 
      | GRANT USAGE ON *.* TO 'testuser'@'%' IDENTIFIED VIA pam USING 'mariadb' |
      		 
      +------------------------------------------------------------------------+
      		 
      2 rows in set (0.00 sec)
      		 
       
      		 
      MariaDB [mysql]> grant test_ROLE to testuser;
      		 
      ERROR 1961 (HY000): Cannot grant role 'test_ROLE' to: 'testuser'.
      		 
      MariaDB [mysql]> show grants for testuser;
      		 
      +------------------------------------------------------------------------+
      		 
      | Grants for testuser@%                                                   |
      		 
      +------------------------------------------------------------------------+
      		 
      | GRANT USAGE ON *.* TO 'testuser'@'%' IDENTIFIED VIA pam USING 'mariadb' |
      		 
      +------------------------------------------------------------------------+
      		 
      1 row in set (0.00 sec)
      		 
       
      		 
      MariaDB [mysql]> select * from roles_mapping where user='testuser';
      		 
      +-----------+---------+-----------+--------------+
      		 
      | Host      | User    | Role      | Admin_option |
      		 
      +-----------+---------+-----------+--------------+
      		 
      | %         | testuser | test_role | N            |
      		 
      +-----------+---------+-----------+--------------+
      		 
      3 rows in set (0.00 sec)
      		 
       
      		 
      MariaDB [mysql]> flush privileges;
      		 
      Query OK, 0 rows affected (0.00 sec)
      		 
       
      		 
      MariaDB [mysql]> show grants for testuser;
      		 
      +------------------------------------------------------------------------+
      		 
      | Grants for testuser@%                                                   |
      		 
      +------------------------------------------------------------------------+
      		 
      | GRANT test_role TO 'testuser'@'%'                                       |
      		 
      | GRANT USAGE ON *.* TO 'testuser'@'%' IDENTIFIED VIA pam USING 'mariadb' |
      		 
      +------------------------------------------------------------------------+
      		 
      2 rows in set (0.00 sec)

      Attachments

        Activity

          Transition Time In Source Status Execution Times
          Elena Stepanova made transition -
          Open Confirmed
          		7h 33m 1
          Vicențiu Ciorbaru made transition -
          Confirmed In Progress
          		51d 14m 1
          Vicențiu Ciorbaru made transition -
          In Progress Closed
          		37d 48m 1

          People

            cvicentiu Vicențiu Ciorbaru
            rpeiremans Robin Peiremans
            Votes:
            0 Vote for this issue
            Watchers:
            5 Start watching this issue

            Dates

              Created:
              Updated:
              Resolved:

              Git Integration

                Error rendering 'com.xiplink.jira.git.jira_git_plugin:git-issue-webpanel'. Please contact your Jira administrators.