MariaDB Server / MDEV-24528

Nesting roles is allowed but not supported, and causes incorrect privilege reporting with "show grants;".

      Description

      Nesting of privileges should either be supported or disallowed.

      Currently it is possible to grant role R1 to role R2 and then grant role R2 to user U1. Even though show grants for role R2 shows all the grants from role R1, these are not carried to user U1, so strictly speaking the server shows the role assigned to the user as having privileges the user does not get:

      MariaDB [(none)]> create role adm;
      Query OK, 0 rows affected (0.012 sec)
       
      MariaDB [(none)]> grant all on *.* to adm with grant option;
      Query OK, 0 rows affected (0.009 sec)
       
      MariaDB [(none)]> create role interm;
      Query OK, 0 rows affected (0.020 sec)
       
      MariaDB [(none)]> grant adm to interm;
      Query OK, 0 rows affected (0.007 sec)
       
      MariaDB [(none)]> show grants for interm;
      +--------------------------------------+
      | Grants for interm                    |
      +--------------------------------------+
      | GRANT `adm` TO `interm`              |
      | GRANT USAGE ON *.* TO `interm`       |
      | GRANT ALL PRIVILEGES ON *.* TO `adm` |
      +--------------------------------------+
      3 rows in set (0.001 sec)
       
      MariaDB [(none)]> grant usage on *.* to 'test'@'%' identified by 'test';
      Query OK, 0 rows affected (0.020 sec)
       
      MariaDB [(none)]> grant interm to 'test'@'%';
      Query OK, 0 rows affected (0.008 sec)
       
      MariaDB [(none)]> show grants for 'test'@'%';
      +-----------------------------------------------------------------------------------------------------+
      | Grants for test@%                                                                                   |
      +-----------------------------------------------------------------------------------------------------+
      | GRANT `interm` TO `test`@`%`                                                                        |
      | GRANT USAGE ON *.* TO `test`@`%` IDENTIFIED BY PASSWORD '*94BDCEBE19083CE2A1F959FD02F964C7AF4CFC29' |
      +-----------------------------------------------------------------------------------------------------+
      2 rows in set (0.000 sec)
       
      MariaDB [(none)]> exit
      Bye
      ~# mysql -h 127.0.0.1 -u test -ptest
      Welcome to the MariaDB monitor.  Commands end with ; or \g.
      Your MariaDB connection id is 9
      Server version: 10.5.8-5-MariaDB-enterprise MariaDB Enterprise Server
       
      Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.
       
      Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
       
      MariaDB [(none)]> use test;
      ERROR 1044 (42000): Access denied for user 'test'@'%' to database 'test'
      MariaDB [(none)]>
      

            People

            Assignee:
            serg Sergei Golubchik
            Reporter:
            juan.vera Juan
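
An added example, not part of the issue report or of MariaDB's code: a Python audit helper that parses `SHOW GRANTS` lines in the format of the session above and walks role-to-role grants transitively, so the privileges that sit behind a nested role can be listed and compared with what `SHOW GRANTS` prints for the user and with what the account can do once connected. The function names and the input dictionary are hypothetical; the sample lines are taken from the session, with the `IDENTIFIED BY` clause left out.

```python
import re
from collections import deque

# Constructed input: SHOW GRANTS lines keyed by the principal they were run for,
# in the format of the session above (the IDENTIFIED BY clause is left out).
SHOW_GRANTS = {
    "interm": ["GRANT `adm` TO `interm`",
               "GRANT USAGE ON *.* TO `interm`",
               "GRANT ALL PRIVILEGES ON *.* TO `adm`"],
    "test@%": ["GRANT `interm` TO `test`@`%`",
               "GRANT USAGE ON *.* TO `test`@`%`"],
}

# "GRANT `role` TO grantee" (role grant) vs "GRANT privs ON scope TO grantee".
ROLE_GRANT = re.compile(r"^GRANT `([^`]+)` TO (`[^`]+`(?:@`[^`]*`)?)")
PRIV_GRANT = re.compile(r"^GRANT (.+?) ON (\S+) TO (`[^`]+`(?:@`[^`]*`)?)")

def _name(quoted):
    """`test`@`%` -> test@%, `adm` -> adm."""
    return quoted.replace("`", "")

def parse(show_grants):
    """Return (edges, privs): grantee -> granted roles, principal -> {(priv, scope)}."""
    edges, privs = {}, {}
    for lines in show_grants.values():
        for line in lines:
            m = ROLE_GRANT.match(line)
            if m:
                edges.setdefault(_name(m.group(2)), set()).add(m.group(1))
                continue
            m = PRIV_GRANT.match(line)
            if m and m.group(1) != "USAGE":  # USAGE carries no privilege
                privs.setdefault(_name(m.group(3)), set()).add((m.group(1), m.group(2)))
    return edges, privs

def reachable_roles(principal, edges):
    """Roles reachable through any depth of role grants, mapped to their depth."""
    seen, queue = {}, deque((r, 1) for r in edges.get(principal, ()))
    while queue:
        role, depth = queue.popleft()
        if role in seen:
            continue
        seen[role] = depth
        queue.extend((r, depth + 1) for r in edges.get(role, ()))
    return seen

def nested_privileges(principal, show_grants):
    """Privileges attached to roles at depth >= 2, i.e. reachable only via nesting."""
    edges, privs = parse(show_grants)
    return {(role, p) for role, d in reachable_roles(principal, edges).items()
            if d >= 2 for p in privs.get(role, ())}
```

For the session above, `nested_privileges("test@%", SHOW_GRANTS)` reports `ALL PRIVILEGES` on `*.*` behind `adm`, a grant that appears nowhere in the `SHOW GRANTS` output for `'test'@'%'`.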