Uploaded image for project: 'MariaDB Server'
  1. MariaDB Server
  2. MDEV-14732

mysql.db privileges evaluated on order of grants rather than hierarchically

    Details

      Description

      As described by customer:

      As super user :

      drop user twg@'%';
      create user twg@'%' identified by 'test';
       
      grant create, drop on `wildcard_grants%`.* to twg@'%';
      grant all privileges on `wildcard_grants`.* to twg@'%';
       
      drop database if exists wildcard_grants;
      create database wildcard_grants;
      use wildcard_grants;
      create table t(id int);
      

      mysql -utwg -ptest -hlocalhost wildcard_grants;
       
      MariaDB [wildcard_grants]> insert into t values(1);
      ERROR 1142 (42000): INSERT command denied to user 'twg'@'localhost' for table 't'
      

      Interestingly, that works (order of grants) :

      drop user twg@'%';
      create user twg@'%' identified by 'test';
       
      grant all privileges on `wildcard_grants`.* to twg@'%';
      grant create, drop on `wildcard_grants%`.* to twg@'%';
       
      drop database if exists wildcard_grants;
      create database wildcard_grants;
      use wildcard_grants;
      create table t(id int);
      

      mysql -utwg -ptest -hlocalhost wildcard_grants;
       
      MariaDB [wildcard_grants]> insert into t values(1);
      Query OK, 1 row affected (0.00 sec)
      

      The problem here is that the server is evaluating rows in mysql.db in order of addition rather than in logical order with the more specific database name superseding the more general or vice-versa.

        Attachments

          Issue Links

            Activity

              People

              • Assignee:
                serg Sergei Golubchik
                Reporter:
                juan.vera Juan
              • Votes:
                1 Vote for this issue
                Watchers:
                5 Start watching this issue

                Dates

                • Created:
                  Updated:
                  Resolved: