[MDEV-29458] Role grant commands do not propagate all grants - Jira

XML

Word

Printable

Type: Bug
Status: Closed (View Workflow)
Priority: Critical
Resolution: Fixed
Affects Version/s: 10.3(EOL), 10.4(EOL), 10.5, 10.6, 10.7(EOL), 10.8(EOL), 10.9(EOL)
Fix Version/s: 10.3.37, 10.4.27, 10.5.18, 10.6.11, 10.7.7, 10.8.6, 10.9.4
Component/s: Authentication and Privilege System
Labels:
- roles

The following test case shows that grant order matters (when it shouldn't!) with regards to roles.

The issue is reproducible in 10.3 and onwards.

create role r1, r2;

create user foo;

create database some_db;

create table some_db.t1 (a int, b int, secret int);

grant r2 to r1;

grant r1 to foo;

grant select on *.* to r2;

grant insert on *.* to r1;

# flush privileges; # Adding flush privileges causes the second select to work as expected.

--connect (con1, localhost, foo,,)

--error ER_TABLEACCESS_DENIED_ERROR

select * from some_db.t1;

set role r1;

# This command should receive the select rights from r2 and thus be allowed

select * from some_db.t1;

disconnect con1;

connection default;

drop database some_db;

drop role r1, r2;

drop user foo;

blocks

MDEV-14443 DENY clause for access control a.k.a. "negative grants"

relates to

MDEV-29509 execute granted indirectly (via roles) doesn't always work

Error rendering 'com.xiplink.jira.git.jira_git_plugin:git-issue-webpanel'. Please contact your Jira administrators.