Uploaded image for project: 'MariaDB Server'
  1. MariaDB Server
  2. MDEV-17655

Inconsistent grant-name usage between grant-statement and privilege tables

    XMLWordPrintable

    Details

      Description

      In MariaDB 10.3.9 the Privilege_Type returned from INFORMATION_SCHEMA.SCHEMA_PRIVILEGES is different for the new privilege type DELETE VERSIONING ROWS from the allowed grants in grant/revoke statements.

      Example:

      MariaDB [(none)]> GRANT DELETE VERSIONING ROWS ON tests.* TO alice;
      ERROR 1064 (42000): You have an error in your SQL syntax; check the manual that corresponds to your MariaDB server version for the right syntax to use near 'VERSIONING ROWS ON tests.* TO alice' at line 1
      MariaDB [(none)]> GRANT DELETE HISTORY ON tests.* TO alice;
      Query OK, 0 rows affected (0.001 sec)
       
      MariaDB [(none)]> SELECT * FROM information_schema.SCHEMA_PRIVILEGES WHERE GRANTEE LIKE '\'alice%';
      +-------------+---------------+--------------+------------------------+--------------+
      | GRANTEE     | TABLE_CATALOG | TABLE_SCHEMA | PRIVILEGE_TYPE         | IS_GRANTABLE |
      +-------------+---------------+--------------+------------------------+--------------+
      | 'alice'@'%' | def           | tests        | DELETE VERSIONING ROWS | NO           |
      +-------------+---------------+--------------+------------------------+--------------+
      1 row in set (0.010 sec)
      MariaDB [(none)]> SHOW GRANTS FOR alice;
      +----------------------------------------------------------+
      | Grants for alice@%                                       |
      +----------------------------------------------------------+
      | GRANT USAGE ON *.* TO 'alice'@'%'                        |
      | GRANT DELETE VERSIONING ROWS ON `tests`.* TO 'alice'@'%' |
      +----------------------------------------------------------+
      2 rows in set (0.001 sec)
      

      We have some in-house scripting which compares the granted rights in the database with a config, and produces grant/revoke-statements when things are different. At this moment it cannot use the produced grants to automatically generate revoke-statements for DELETE VERSIONING ROWS. Neither can it confirm that DELETE HISTORY has been granted.

      Proposal for fix:

      • Add DELETE VERSIONING ROWS as valid grant to the grant/revoke statements

        Attachments

          Activity

            People

            • Assignee:
              midenok Aleksey Midenok
              Reporter:
              reinder Reinder Cuperus
            • Votes:
              0 Vote for this issue
              Watchers:
              3 Start watching this issue

              Dates

              • Created:
                Updated: