Details
-
Bug
-
Status: Closed (View Workflow)
-
Major
-
Resolution: Fixed
-
10.1.44, 10.2.31, 10.3.22, 10.4.12, 10.5.2
-
None
Description
Let's say that we create a role and a user account:
MariaDB [(none)]> CREATE ROLE 'test_role'; |
Query OK, 0 rows affected (0.004 sec) |
|
|
MariaDB [(none)]> CREATE USER 'test_user'@'%'; |
Query OK, 0 rows affected (0.004 sec) |
And then let's say that we set this role to be the default role for the user account:
MariaDB [(none)]> GRANT 'test_role' TO 'test_user'@'%'; |
Query OK, 0 rows affected (0.004 sec) |
|
|
MariaDB [(none)]> SET DEFAULT ROLE 'test_role' FOR 'test_user'@'%'; |
Query OK, 0 rows affected (0.004 sec) |
Neither SHOW CREATE USER now SHOW GRANTS prints this default role for the user account:
MariaDB [(none)]> SHOW CREATE USER 'test_user'@'%'; |
+-----------------------------+ |
| CREATE USER for test_user@% | |
+-----------------------------+ |
| CREATE USER 'test_user'@'%' | |
+-----------------------------+ |
1 row in set (0.000 sec) |
|
|
MariaDB [(none)]> SHOW GRANTS FOR 'test_user'@'%'; |
+---------------------------------------+ |
| Grants for test_user@% | |
+---------------------------------------+ |
| GRANT test_role TO 'test_user'@'%' | |
| GRANT USAGE ON *.* TO 'test_user'@'%' | |
+---------------------------------------+ |
2 rows in set (0.000 sec) |
In my opinion, it should at least be printed by SHOW GRANTS, since it is somewhat related to one of the grants that is printed.
Attachments
Issue Links
- relates to
-
MDEV-23630 mysqldump to logically dump system tables
-
- Closed
-
-
-
- Closed
-
-
MDEV-22311 implement SHOW CREATE ROLE
-
- Open
-
-
-
- Closed
-
Activity
anel I rebased MDEV-23630 (no server changes) on 2e0bac4688a73cd6df406727ce7f6c62a57b7293
and managed to trigger this crash::
Thread pointer: 0x7f2e6c000c48
|
Attempting backtrace. You can use the following information to find out
|
where mysqld died. If you see no messages after this, something went
|
terribly wrong...
|
stack_bottom = 0x7f2ebc416dd8 thread_stack 0x49000
|
mysys/stacktrace.c:173(my_print_stacktrace)[0x5606a381e8f9]
|
sql/signal_handler.cc:209(handle_fatal_signal)[0x5606a33d71ab]
|
sigaction.c:0(__restore_rt)[0x7f2ec2352a90]
|
sql/sql_acl.cc:8889(show_role_grants(THD*, char const*, ACL_USER_BASE*, char*, unsigned long) [clone .constprop.0])[0x5606a31ec73e]
|
sql/sql_acl.cc:8535(print_grants_for_role(THD*, ACL_ROLE*))[0x5606a31ed696]
|
sql/sql_acl.cc:8630(show_grants_callback(ACL_USER_BASE*, void*))[0x5606a31ed7a2]
|
sql/sql_acl.cc:5744(traverse_role_graph_impl(ACL_USER_BASE*, void*, long, int (*)(ACL_USER_BASE*, void*), int (*)(ACL_USER_BASE*, ACL_ROLE*, void*)))[0x5606a31e802d]
|
sql/sql_acl.cc:8833(mysql_show_grants(THD*, st_lex_user*))[0x5606a31fb212]
|
sql/sql_parse.cc:5250(mysql_execute_command(THD*))[0x5606a324b3ab]
|
sql/sql_parse.cc:7734(mysql_parse(THD*, char*, unsigned int, Parser_state*, bool, bool))[0x5606a325074f]
|
sql/sql_parse.cc:1829(dispatch_command(enum_server_command, THD*, char*, unsigned int, bool, bool))[0x5606a3252b6a]
|
sql/sql_parse.cc:1383(do_command(THD*))[0x5606a3253bde]
|
sql/sql_connect.cc:1336(do_handle_one_connection(CONNECT*))[0x5606a331c604]
|
sql/sql_connect.cc:1243(handle_one_connection)[0x5606a331c792]
|
perfschema/pfs.cc:1872(pfs_spawn_thread)[0x5606a37e35d3]
|
nptl/pthread_create.c:478(start_thread)[0x7f2ec2347432]
|
x86_64/clone.S:97(??)[0x7f2ec19b3913]
|
|
|
Trying to get some variables.
|
Some pointers may be invalid and cause the dump to abort.
|
Query (0x7f2e6c00f290): SHOW GRANTS FOR 'role_1'
|
|
Please check the SHOW GRANTS on a ROLE case.
role_1 definition- https://github.com/grooverdan/mariadb-server/pull/2/files#diff-21df662c1ccaf5443b23e4b7ca89121f6d3b0ff013e5a2b512f4cb3f1ef7f2a5R27
serg, anel, how do you feel about versioned output here for the SET DEFAULT ROLE (what I'm doing in MDEV-23630):
/*M!100005 SET DEFAULT ROLE %s FOR %s */
|
/*!80001 ALTER USER %s DEFAULT ROLE %s */
|
Hi serg,
what I have seen that DEFALT_ROLE doesn't get set after all grants for root.
Here is an example:
SET DEFAULT ROLE test_role; #order doesn't matter+SET ROLE test_role;SHOW GRANTS;Grants for root@localhostGRANT test_role TO 'root'@'localhost' WITH ADMIN OPTIONGRANT ALL PRIVILEGES ON *.* TO 'root'@'localhost' WITH GRANT OPTIONGRANT PROXY ON ''@'%' TO 'root'@'localhost' WITH GRANT OPTIONSET DEFAULT ROLE test_role FOR 'root'@'localhost' #this line should be last line?+GRANT USAGE ON *.* TO 'test_role'I guess I need to change this?
If the check for default_role is validated after rolename check:
if (rolename)@@ -8801,6 +8796,10 @@ bool mysql_show_grants(THD *thd, LEX_USER *lex_user)}}+ /* Show default role to acl_user */+ if (show_default_role(thd, acl_user, buff, sizeof(buff)))+ goto end;+Grants for test_user@%GRANT test_role TO 'test_user'@'%'GRANT USAGE ON *.* TO 'test_user'@'%'+SET ROLE test_role;SET DEFAULT ROLE test_role;SHOW GRANTS;Grants for root@localhostGRANT test_role TO 'root'@'localhost' WITH ADMIN OPTIONGRANT ALL PRIVILEGES ON *.* TO 'root'@'localhost' WITH GRANT OPTIONGRANT PROXY ON ''@'%' TO 'root'@'localhost' WITH GRANT OPTION+GRANT USAGE ON *.* TO 'test_role'SET DEFAULT ROLE test_role FOR 'root'@'localhost' #now it is the last lineSET DEFAULT ROLE NONE;SHOW GRANTS;So this is done on the new 10.2 commit (again local repo):
https://github.com/an3l/server/commit/2e0bac4688a73cd6df406727ce7f6c62a57b7293
Thanks for few review iterations.