Details
- Type: Bug
- Status: Closed
- Priority: Major
- Resolution: Fixed
- Affects Version/s: 10.3(EOL), 10.4(EOL), 10.5, 10.6, 10.7(EOL), 10.8(EOL), 10.9(EOL), 10.10(EOL)
Description
There appears to be an inconsistency in when privileges of a role are applied indirectly via another role and when the user connects to the server.
For instance: role1->user, role2->role1; user connects and has role2 privileges:
```
create role admin;
create role student;
create database crm;
grant create on crm.* to admin;
grant select on crm.* to student;
create user intern@localhost;
grant student to intern@localhost;
set default role student for intern@localhost;
grant admin to student;

connect (con1, localhost, intern,,);
use crm;
create table t1 (a int);
disconnect con1;

# cleanup
connection default;
drop user intern@localhost;
drop role student;
drop role admin;
drop database crm;
flush privileges;
```
However: role1->user; user connects; role2->role1; user connects but does not have role2 privileges. FLUSH PRIVILEGES is needed before the user has role2 capabilities:
```
create role admin;
create role student;
create database crm;
grant create on crm.* to admin;
grant select on crm.* to student;
create user intern@localhost;
grant student to intern@localhost;
set default role student for intern@localhost;

connect (con1, localhost, intern,,);
use crm;
disconnect con1;

connection default;
grant admin to student;

connect (con1, localhost, intern,,);
use crm;
--error ER_TABLEACCESS_DENIED_ERROR
create table t1 (a int);
disconnect con1;

connection default;
flush privileges;

connect (con1, localhost, intern,,);
use crm;
create table t1 (a int);
disconnect con1;

# cleanup
connection default;
drop user intern@localhost;
drop role student;
drop role admin;
drop database crm;
flush privileges;
```
Why this is the case is not clear to me.
Issue Links
- relates to MDEV-5771 Privileges acquired via roles depend on the order of granting (Closed)
Activity
Field | Original Value | New Value
---|---|---
Fix Version/s | 10.3 [ 22126 ] |
Fix Version/s | 10.4 [ 22408 ] |
Fix Version/s | 10.5 [ 23123 ] |
Fix Version/s | 10.6 [ 24028 ] |
Fix Version/s | 10.7 [ 24805 ] |
Fix Version/s | 10.8 [ 26121 ] |
Fix Version/s | 10.9 [ 26905 ] |
Fix Version/s | 10.10 [ 27530 ] |
Assignee | Oleksandr Byelkin [ sanja ] | Sergei Golubchik [ serg ]
Status | Open [ 1 ] | In Progress [ 3 ]
Summary | Role privileges via intermediate role applied inconsistently | Cached role privileges are not invalidated when needed
Fix Version/s | 10.3.37 [ 28404 ] |
Fix Version/s | 10.4.27 [ 28405 ] |
Fix Version/s | 10.5.18 [ 28421 ] |
Fix Version/s | 10.6.11 [ 28441 ] |
Fix Version/s | 10.7.7 [ 28442 ] |
Fix Version/s | 10.8.6 [ 28443 ] |
Fix Version/s | 10.9.4 [ 28444 ] |
Fix Version/s | 10.3 [ 22126 ] |
Fix Version/s | 10.4 [ 22408 ] |
Fix Version/s | 10.5 [ 23123 ] |
Fix Version/s | 10.6 [ 24028 ] |
Fix Version/s | 10.7 [ 24805 ] |
Fix Version/s | 10.8 [ 26121 ] |
Fix Version/s | 10.9 [ 26905 ] |
Fix Version/s | 10.10 [ 27530 ] |
Resolution | Fixed [ 1 ] |
Status | In Progress [ 3 ] | Closed [ 6 ]
The reason is the intermediate `disconnect con1;`: this computes the privileges that user intern has on the schema crm, and the result is cached. And, apparently, the cache is not invalidated when you grant admin to student.
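The following is an added example, not part of the report or the fix: a DBA-side check for the situation described in the description and the comment above. It reads the stored role graph (which reflects `GRANT admin TO student` immediately) so it can be compared with what a fresh `intern` session is actually allowed to do, and applies the FLUSH PRIVILEGES workaround on servers running an affected version. It assumes the role, user and schema names from the report (admin, student, intern@localhost, crm).

```sql
-- Added example (not from the issue). Run as a privileged account on the server.
-- Names (admin, student, intern, crm) are taken from the report's test scripts.

-- 1. The role graph as stored in the privilege tables: intern -> student -> admin.
--    mysql.roles_mapping is read directly, so it shows the role-to-role grant
--    even while the cached per-schema privileges still lack it.
SELECT User, Host, Role, Admin_option
  FROM mysql.roles_mapping
 WHERE Role IN ('admin', 'student') OR User = 'intern'
 ORDER BY Role, User;

-- 2. Effective grants as the server reports them for the role and for the user.
SHOW GRANTS FOR student;            -- expected to include: GRANT admin TO student
SHOW GRANTS FOR intern@localhost;   -- expected to include: GRANT student TO intern@localhost

-- 3. Workaround from the report for the affected versions: after changing role
--    membership, invalidate the cached schema-level privileges.
FLUSH PRIVILEGES;

-- 4. Verification, executed in a NEW connection as intern@localhost
--    (the cache is server-side, so an existing session is not the test).
--    CURRENT_ROLE() should be 'student' and CREATE on crm should now succeed.
SELECT CURRENT_USER(), CURRENT_ROLE();
USE crm;
CREATE TABLE t1 (a INT);
DROP TABLE t1;
```

If step 4 still fails with ER_TABLEACCESS_DENIED_ERROR after the flush, the server is not showing this issue but a different grant problem, and step 1 is the place to start comparing.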