[MDEV-13453] Executing a query via CTE requires more permissions than the query itself - Jira

Details

Type: Bug
Status: Closed (View Workflow)
Priority: Major
Resolution: Fixed
Affects Version/s: 10.2(EOL)
Fix Version/s: 10.2.11
Component/s: Authentication and Privilege System, Optimizer - CTE
Labels:
None

Sprint:
10.2.11

Description

Based on the question posted at stackoverflow by Diogo Melo:
https://stackoverflow.com/questions/45510362/error-1142-42000-select-command-denied-for-with-recursive-statement-on-ma

When a query is executed via CTE, it's not enough to have normal privileges for the query, the user must also have SELECT privileges for the CTE itself, which are impossible to grant.

create database db;

use db;

create table t1 (i int);

create user foo@localhost;

grant SELECT on db.t1 to foo@localhost;

--connect (con1,localhost,foo,,)

use db;

with cte as (select * from t1) select * from cte;

# Cleanup

--disconnect con1

--connection default

drop database db;

drop user foo@localhost;

CURRENT_TEST: bug.t6

mysqltest: At line 10: query 'with cte as (select * from t1) select * from cte' failed: 1142: SELECT command denied to user 'foo'@'localhost' for table 'cte'

Attachments

Issue Links

causes

MXS-2064 Loading of users with MariaDB 10.2.10 fails

Closed

is duplicated by

MDEV-13682 Role permissions don't work with CTEs

Closed

links to

StackOverflow

Activity

Ascending order - Click to sort in descending order

Elena Stepanova created issue - 2017-08-04 15:38

Elena Stepanova made changes - 2017-08-04 15:39

Field	Original Value	New Value
Description	Based on the question posted at stackoverflow: https://stackoverflow.com/questions/45510362/error-1142-42000-select-command-denied-for-with-recursive-statement-on-ma When a query is executed via CTE, it's not enough to have normal privileges for the query, the user must also have grants for the CTE itself, which are impossible to grant. {code:sql} create database db; use db; create table t1 (i int); create user foo@localhost; grant SELECT on db.t1 to foo@localhost; --connect (con1,localhost,foo,,) use db; with cte as (select * from t1) select * from cte; # Cleanup --disconnect con1 --connection default drop database db; drop user foo@localhost; {code} {noformat} CURRENT_TEST: bug.t6 mysqltest: At line 10: query 'with cte as (select * from t1) select * from cte' failed: 1142: SELECT command denied to user 'foo'@'localhost' for table 'cte' {noformat}	Based on the question posted at stackoverflow by Diogo Melo: https://stackoverflow.com/questions/45510362/error-1142-42000-select-command-denied-for-with-recursive-statement-on-ma When a query is executed via CTE, it's not enough to have normal privileges for the query, the user must also have grants for the CTE itself, which are impossible to grant. {code:sql} create database db; use db; create table t1 (i int); create user foo@localhost; grant SELECT on db.t1 to foo@localhost; --connect (con1,localhost,foo,,) use db; with cte as (select * from t1) select * from cte; # Cleanup --disconnect con1 --connection default drop database db; drop user foo@localhost; {code} {noformat} CURRENT_TEST: bug.t6 mysqltest: At line 10: query 'with cte as (select * from t1) select * from cte' failed: 1142: SELECT command denied to user 'foo'@'localhost' for table 'cte' {noformat}

Elena Stepanova made changes - 2017-08-04 15:45

Description

Based on the question posted at stackoverflow by *Diogo Melo*:
https://stackoverflow.com/questions/45510362/error-1142-42000-select-command-denied-for-with-recursive-statement-on-ma

When a query is executed via CTE, it's not enough to have normal privileges for the query, the user must also have grants for the CTE itself, which are impossible to grant.

{code:sql}
create database db;
use db;
create table t1 (i int);

create user foo@localhost;
grant SELECT on db.t1 to foo@localhost;

--connect (con1,localhost,foo,,)
use db;
with cte as (select * from t1) select * from cte;

# Cleanup
--disconnect con1

--connection default
drop database db;
drop user foo@localhost;
{code}

{noformat}
CURRENT_TEST: bug.t6
mysqltest: At line 10: query 'with cte as (select * from t1) select * from cte' failed: 1142: SELECT command denied to user 'foo'@'localhost' for table 'cte'
{noformat}

Based on the question posted at stackoverflow by *Diogo Melo*:
https://stackoverflow.com/questions/45510362/error-1142-42000-select-command-denied-for-with-recursive-statement-on-ma

When a query is executed via CTE, it's not enough to have normal privileges for the query, the user must also have SELECT privileges for the CTE itself, which are impossible to grant.

{code:sql}
create database db;
use db;
create table t1 (i int);

create user foo@localhost;
grant SELECT on db.t1 to foo@localhost;

--connect (con1,localhost,foo,,)
use db;
with cte as (select * from t1) select * from cte;

# Cleanup
--disconnect con1

--connection default
drop database db;
drop user foo@localhost;
{code}

{noformat}
CURRENT_TEST: bug.t6
mysqltest: At line 10: query 'with cte as (select * from t1) select * from cte' failed: 1142: SELECT command denied to user 'foo'@'localhost' for table 'cte'
{noformat}

Elena Stepanova made changes - 2017-08-04 21:29

Remote Link

This issue links to "StackOverflow (Web Link)" [ 28016 ]

Rick James (Inactive) added a comment - 2017-08-14 19:45

Seems to work on 10.2.2, so perhaps a regression?

Rick James (Inactive) added a comment - 2017-08-14 19:45 Seems to work on 10.2.2, so perhaps a regression?

Elena Stepanova made changes - 2017-09-29 17:02

Link

This issue is duplicated by ~~MDEV-13682~~ [ ~~MDEV-13682~~ ]

Sergei Golubchik made changes - 2017-11-09 18:20

Sprint

10.2.11 [ 203 ]

Igor Babaev (Inactive) made changes - 2017-11-14 00:09

Status

Open [ 1 ]

In Progress [ 3 ]

Igor Babaev (Inactive) made changes - 2017-11-14 00:10

Assignee	Igor Babaev [ igor ]	Oleksandr Byelkin [ sanja ]
Status	In Progress [ 3 ]	In Review [ 10002 ]

Oleksandr Byelkin added a comment - 2017-11-14 16:23

OK to push after fixing resulta and adding the comment we discussed.

Oleksandr Byelkin added a comment - 2017-11-14 16:23 OK to push after fixing resulta and adding the comment we discussed.

Oleksandr Byelkin made changes - 2017-11-14 16:23

Assignee	Oleksandr Byelkin [ sanja ]	Igor Babaev [ igor ]
Status	In Review [ 10002 ]	Stalled [ 10000 ]

Igor Babaev (Inactive) added a comment - 2017-12-20 18:10

The fix for this bug was pushed into the 10.2 tree.

Igor Babaev (Inactive) added a comment - 2017-12-20 18:10 The fix for this bug was pushed into the 10.2 tree.

Igor Babaev (Inactive) made changes - 2017-12-20 18:10

Fix Version/s		10.2.11 [ 22634 ]
Fix Version/s	10.2 [ 14601 ]
Resolution		Fixed [ 1 ]
Status	Stalled [ 10000 ]	Closed [ 6 ]

markus makela made changes - 2018-09-21 05:32

Link

This issue causes ~~MXS-2064~~ [ ~~MXS-2064~~ ]

Sergei Golubchik made changes - 2021-12-06 21:45

Workflow

MariaDB v3 [ 81913 ]

MariaDB v4 [ 152569 ]

People

Assignee:: Igor Babaev (Inactive)

Reporter:: Elena Stepanova

Votes:: 0 Vote for this issue

Watchers:: 6 Start watching this issue

Dates

Created:: 2017-08-04 15:38

Updated:: 2018-10-30 10:45

Resolved:: 2017-12-20 18:10

Git Integration

Error rendering 'com.xiplink.jira.git.jira_git_plugin:git-issue-webpanel'. Please contact your Jira administrators.

MariaDB Server

Details

Description

Attachments

Issue Links

Activity

People

Dates

Git Integration