Uploaded image for project: 'MariaDB Server'
  1. MariaDB Server
  2. MDEV-13398

Can't distinguish between DROP DATABASE and DROP TABLE permissions on a database

    Details

      Description

      Feature request:

      GRANT DROP ON TABLE db_name.* does not only give a user the privilege to drop any table within the database db_name, but also the database itself.

      There is no way to just give permission to drop any table, but not the database itself.

      Not sure how to actually solve this in a backwards compatible way, adding an extra ON DATABASE object_type wouldn't really work out as this would require to change the current behavior of ON TABLE.

      Maybe an extra DROP_TABLE privilege would work out best. So

      GRANT DROP ON TABLE db_name.*

      would give DROP permissions on both tables within the database and the database itself, while

      GRANT DROP_TABLE ON TABLE db_name.*

      would only allow to drop tables, but not the database itself.

      When specifying an explicit table level grant

      GRANT DROP_TABLE ON TABLE db_name.tab_name

      on the other hand DROP and DROP_TABLE would be synonyms for the same privilege.

        Attachments

          Issue Links

            Activity

              People

              • Assignee:
                serg Sergei Golubchik
                Reporter:
                hholzgra Hartmut Holzgraefe
              • Votes:
                0 Vote for this issue
                Watchers:
                7 Start watching this issue

                Dates

                • Created:
                  Updated: