  1. MariaDB Server
  2. MDEV-13398

Can't distinguish between DROP DATABASE and DROP TABLE permissions on a database

    Details

      Description

      Feature request:

      GRANT DROP ON TABLE db_name.* does not only give a user the privilege to drop any table within the database db_name, but also the database itself.

      There is no way to just give permission to drop any table, but not the database itself.

      Not sure how to actually solve this in a backwards-compatible way; adding an extra ON DATABASE object_type wouldn't really work out, as this would require changing the current behavior of ON TABLE.

      Maybe an extra DROP_TABLE privilege would work out best. So

      GRANT DROP ON TABLE db_name.*

      would give DROP permissions on both tables within the database and the database itself, while

      GRANT DROP_TABLE ON TABLE db_name.*

      would only allow dropping tables, but not the database itself.

      When specifying an explicit table-level grant

      GRANT DROP_TABLE ON TABLE db_name.tab_name

      on the other hand DROP and DROP_TABLE would be synonyms for the same privilege.
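
An added example, not part of the original report and not MariaDB project code: an audit of which accounts hold DROP at a scope that also permits DROP DATABASE, followed by a workaround that replaces the database-level grant with per-table grants. The database `app_db` and the account 'app_user'@'localhost' are constructed placeholders.

```sql
-- Run as an administrative account that can read the mysql schema.

-- 1. Global DROP (ON *.*): these accounts can drop every database.
SELECT User, Host, 'global (*.*)' AS scope
FROM mysql.user
WHERE Drop_priv = 'Y';

-- 2. Database-level DROP (ON db_name.*): this is the grant the report
--    describes. It covers every table in the database AND the database.
--    Db may be a pattern containing the wildcards % and _.
SELECT User, Host, Db AS db_or_pattern
FROM mysql.db
WHERE Drop_priv = 'Y'
ORDER BY User, Host, Db;

-- 3. Table-level DROP (ON db_name.tab_name): limited to the named table,
--    listed here for comparison with the two broader scopes above.
SELECT User, Host, Db, Table_name
FROM mysql.tables_priv
WHERE FIND_IN_SET('Drop', Table_priv) > 0
ORDER BY User, Host, Db, Table_name;

-- Workaround: generate one table-level grant per existing base table.
-- Backticks inside identifiers are doubled so the output stays valid SQL.
SELECT CONCAT(
         'GRANT DROP ON `', REPLACE(TABLE_SCHEMA, '`', '``'), '`.`',
         REPLACE(TABLE_NAME, '`', '``'),
         '` TO ''app_user''@''localhost'';'
       ) AS grant_stmt
FROM information_schema.TABLES
WHERE TABLE_SCHEMA = 'app_db'      -- constructed database name
  AND TABLE_TYPE = 'BASE TABLE';

-- After executing the generated statements, remove the broad grant
-- (this fails if no such database-level grant exists for the account).
REVOKE DROP ON `app_db`.* FROM 'app_user'@'localhost';

-- Verify: the output should list DROP only on individual tables.
SHOW GRANTS FOR 'app_user'@'localhost';
```

Per-table grants do not cover tables created later, so the generated statements have to be re-run whenever new tables are added to the database.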

            People

            • Assignee:
              serg Sergei Golubchik
              Reporter:
              hholzgra Hartmut Holzgraefe