Details
- Bug
- Status: Closed
- Major
- Resolution: Not a Bug
- 10.5.8
- None
Description
Nesting of privileges should either be supported or disallowed.
Currently it is possible to grant role R1 to role R2, and then grant role R2 to user U1, and even though show grants for role R2 shows all the grants from role R1, these are not carried to user U1, so strictly speaking the server shows the role assigned to the user as having privileges the user does not get:
MariaDB [(none)]> create role adm;
Query OK, 0 rows affected (0.012 sec)

MariaDB [(none)]> grant all on *.* to adm with grant option;
Query OK, 0 rows affected (0.009 sec)

MariaDB [(none)]> create role interm;
Query OK, 0 rows affected (0.020 sec)

MariaDB [(none)]> grant adm to interm;
Query OK, 0 rows affected (0.007 sec)

MariaDB [(none)]> show grants for interm;
+--------------------------------------+
| Grants for interm |
+--------------------------------------+
| GRANT `adm` TO `interm` |
| GRANT USAGE ON *.* TO `interm` |
| GRANT ALL PRIVILEGES ON *.* TO `adm` |
+--------------------------------------+
3 rows in set (0.001 sec)

MariaDB [(none)]> grant usage on *.* to 'test'@'%' identified by 'test';
Query OK, 0 rows affected (0.020 sec)

MariaDB [(none)]> grant interm to 'test'@'%';
Query OK, 0 rows affected (0.008 sec)

MariaDB [(none)]> show grants for 'test'@'%';
+-----------------------------------------------------------------------------------------------------+
| Grants for test@% |
+-----------------------------------------------------------------------------------------------------+
| GRANT `interm` TO `test`@`%` |
| GRANT USAGE ON *.* TO `test`@`%` IDENTIFIED BY PASSWORD '*94BDCEBE19083CE2A1F959FD02F964C7AF4CFC29' |
+-----------------------------------------------------------------------------------------------------+
2 rows in set (0.000 sec)

MariaDB [(none)]> exit
Bye
~# mysql -h 127.0.0.1 -u test -ptest
Welcome to the MariaDB monitor. Commands end with ; or \g.
Your MariaDB connection id is 9
Server version: 10.5.8-5-MariaDB-enterprise MariaDB Enterprise Server

Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

MariaDB [(none)]> use test;
ERROR 1044 (42000): Access denied for user 'test'@'%' to database 'test'
MariaDB [(none)]>
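Added example, not part of the original report and not MariaDB project code: in MariaDB a granted role is not active in a new session until SET ROLE is run or a default role has been set for the account, which matches the access-denied result above. The statements below check and activate the role using the names from the report, and the last query lists which accounts reach which roles through nesting; it assumes role-to-role grants are stored in mysql.roles_mapping with an empty Host.

```sql
-- Added example; adm, interm and 'test'@'%' are the names used in the report.

-- 1. As 'test'@'%': inspect the session before any role is activated.
SELECT CURRENT_USER(), CURRENT_ROLE();
SELECT * FROM information_schema.APPLICABLE_ROLES;  -- role authorizations this account may use
SELECT * FROM information_schema.ENABLED_ROLES;     -- roles enabled in this session

-- 2. As 'test'@'%': activate the granted role for this session, then re-check.
SET ROLE interm;
SELECT CURRENT_ROLE();
SELECT * FROM information_schema.ENABLED_ROLES;
SHOW GRANTS;
USE test;

-- 3. As an administrator: have the role activated automatically at connect time.
SET DEFAULT ROLE interm FOR 'test'@'%';

-- 4. As an administrator: audit which roles every account can reach,
--    directly (depth 1) or through role-to-role grants (depth > 1).
--    Assumption: role-to-role rows in mysql.roles_mapping have Host = ''.
WITH RECURSIVE reach (grantee_user, grantee_host, role_name, depth) AS (
    -- anchor: every direct grant of a role
    SELECT User, Host, Role, 1
    FROM mysql.roles_mapping
    UNION ALL
    -- step: follow a grant whose grantee is the role reached so far
    SELECT r.grantee_user, r.grantee_host, m.Role, r.depth + 1
    FROM reach AS r
    JOIN mysql.roles_mapping AS m
      ON m.User = r.role_name AND m.Host = ''
)
SELECT grantee_user, grantee_host, role_name, MIN(depth) AS depth
FROM reach
WHERE grantee_host <> ''          -- keep real accounts, drop rows whose grantee is a role
GROUP BY grantee_user, grantee_host, role_name
ORDER BY grantee_user, grantee_host, depth;
```

Rows from step 4 with depth greater than 1 are the nested grants; any account that reaches a role holding ALL PRIVILEGES WITH GRANT OPTION, as `adm` does here, is worth reviewing.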