[MDEV-15491] Allow wildcards in table names of GRANT statement - Jira

XML

Word

Printable

Details

Type: Task
Status: Stalled (View Workflow)
Priority: Minor
Resolution: Unresolved
Fix Version/s: N/A
Component/s: Authentication and Privilege System
Labels:
None

Description

I would like to be able to run something like this:

GRANT CREATE, DROP ON TABLE `tux`.* TO 'tux'@'localhost';

Sometimes it's not enough to grant on a per database level.

There are situations where I would like to be able to forbid creating or dropping a database, but allowing creating or dropping tables inside a database - which currently is not possible. Idea was to not grant create and drop privileges on database level but to grant them on table level using a wildcard (similar like it is possible for databases).

Actually above command does not lead to a syntax error but "works", while it silently "upgrades" the desired table permission to a database one, example:

MariaDB [(none)]> SHOW GRANTS for tux@localhost;

+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+

| Grants for tux@localhost                                                                                                                                                                                             |

+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+

| GRANT USAGE ON *.* TO 'tux'@'localhost' IDENTIFIED BY PASSWORD '*B8B7661580DDC13E7DFB9B10EFBAB6F8F960EC82'                                                                                                           |

| GRANT SELECT, INSERT, UPDATE, DELETE, REFERENCES, INDEX, ALTER, CREATE TEMPORARY TABLES, LOCK TABLES, EXECUTE, CREATE VIEW, SHOW VIEW, CREATE ROUTINE, ALTER ROUTINE, EVENT, TRIGGER ON `tux`.* TO 'tux'@'localhost' |

+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+

2 rows in set (0.00 sec)

MariaDB [(none)]>

MariaDB [(none)]> GRANT CREATE, DROP ON TABLE `tux`.* TO 'tux'@'localhost';

Query OK, 0 rows affected (0.01 sec)

MariaDB [(none)]>

MariaDB [(none)]> SHOW GRANTS for tux@localhost;

+------------------------------------------------------------------------------------------------------------+

| Grants for tux@localhost                                                                                   |

+------------------------------------------------------------------------------------------------------------+

| GRANT USAGE ON *.* TO 'tux'@'localhost' IDENTIFIED BY PASSWORD '*B8B7661580DDC13E7DFB9B10EFBAB6F8F960EC82' |

| GRANT ALL PRIVILEGES ON `tux`.* TO 'tux'@'localhost'                                                       |

+------------------------------------------------------------------------------------------------------------+

2 rows in set (0.00 sec)

MariaDB [(none)]>

Honestly, I would treat the silent upgrade from table to database level permission as an unexpected privilege escalation. If wildcards are not supported for table names, this should lead to an error simply.

Attachments

Issue Links

is duplicated by

MDEV-13398 Can't distinguish between DROP DATABASE and DROP TABLE permissions on a database

Confirmed

Activity

People

Assignee:: Unassigned

Reporter:: Robert Scheck

Votes:: 0 Vote for this issue

Watchers:: 3 Start watching this issue

Dates

Created:: 2018-03-06 19:22

Updated:: 2018-03-07 12:36

Git Integration

Error rendering 'com.xiplink.jira.git.jira_git_plugin:git-issue-webpanel'. Please contact your Jira administrators.