MariaDB Server / MDEV-29851

Cached role privileges are not invalidated when needed

Details

    Description

      There appears to be an inconsistency in when privileges of a role are applied indirectly via another role and when the user connects to the server.

      For instance - role1->user, role2->role1; user connects and has role2 privileges:

      create role admin;
      create role student;
      create database crm;
      grant create on crm.* to admin;
      grant select on crm.* to student;
      create user intern@localhost;
      grant student to intern@localhost;
      set default role student for intern@localhost;
      grant admin to student;
       
      connect (con1, localhost, intern,,);
      use crm;
      create table t1 (a int);
      disconnect con1;
       
      # cleanup
      connection default;
      drop user intern@localhost;
      drop role student;
      drop role admin;
      drop database crm;
      flush privileges;
      

      However - role1->user; user connects; role2->role1; user connects but does not have role2 privileges. FLUSH PRIVILEGES is needed before user has role2 capabilities:

      create role admin;
      create role student;
      create database crm;
      grant create on crm.* to admin;
      grant select on crm.* to student;
      create user intern@localhost;
      grant student to intern@localhost;
      set default role student for intern@localhost;
       
      connect (con1, localhost, intern,,);
      use crm;
      disconnect con1;
       
      connection default;
      grant admin to student;
       
      connect (con1, localhost, intern,,);
      use crm;
      --error ER_TABLEACCESS_DENIED_ERROR
      create table t1 (a int);
      disconnect con1;
       
      connection default;
      flush privileges;
       
      connect (con1, localhost, intern,,);
      use crm;
      create table t1 (a int);
      disconnect con1;
       
      # cleanup
      connection default;
      drop user intern@localhost;
      drop role student;
      drop role admin;
      drop database crm;
      flush privileges;
      

      Why this is the case is not clear to me.
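
      A simplified model of the behaviour the two test cases above show, added here as an illustration and not part of the original report or of MariaDB's code. It assumes that effective per-database role privileges are memoised on first lookup and that a role-to-role grant leaves that memo in place unless `invalidate_on_role_grant` is set; `AclModel`, its methods and `scenario` are hypothetical names.

```python
# Simplified model (assumption, not MariaDB internals): the effective database
# privileges of a role are computed by walking the role graph, then memoised.
class AclModel:
    def __init__(self, invalidate_on_role_grant):
        self.invalidate_on_role_grant = invalidate_on_role_grant
        self.db_privs = {}    # (role, db) -> privileges granted directly
        self.role_edges = {}  # grantee role -> roles granted to it
        self.cache = {}       # (role, db) -> memoised effective privileges

    def grant_priv(self, priv, db, role):
        self.db_privs.setdefault((role, db), set()).add(priv)
        self.cache.clear()    # assumed: direct grants always invalidate

    def grant_role(self, granted, grantee):
        self.role_edges.setdefault(grantee, set()).add(granted)
        if self.invalidate_on_role_grant:
            self.cache.clear()  # the invalidation the issue title says is missing

    def flush_privileges(self):
        self.cache.clear()

    def effective(self, role, db):
        key = (role, db)
        if key not in self.cache:
            privs, seen, todo = set(), set(), [role]
            while todo:       # walk roles granted to roles, cycle-safe
                r = todo.pop()
                if r in seen:
                    continue
                seen.add(r)
                privs |= self.db_privs.get((r, db), set())
                todo.extend(self.role_edges.get(r, ()))
            self.cache[key] = frozenset(privs)
        return self.cache[key]

def scenario(invalidate_on_role_grant, connect_before_grant):
    """Return (can CREATE before flush, can CREATE after flush) for intern's default role."""
    acl = AclModel(invalidate_on_role_grant)
    acl.grant_priv("CREATE", "crm", "admin")
    acl.grant_priv("SELECT", "crm", "student")
    if connect_before_grant:
        acl.effective("student", "crm")  # first session runs "use crm" and fills the cache
    acl.grant_role("admin", "student")
    before_flush = "CREATE" in acl.effective("student", "crm")
    acl.flush_privileges()
    after_flush = "CREATE" in acl.effective("student", "crm")
    return before_flush, after_flush
```

      `scenario(False, False)` corresponds to the first test case, `scenario(False, True)` to the second, and `scenario(True, True)` to the second with the cache cleared on the role grant.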

          Activity

            angelique.sklavounos Angelique Sklavounos (Inactive) created issue -
            angelique.sklavounos Angelique Sklavounos (Inactive) made changes -
            Field | Original Value | New Value
            Fix Version/s | | 10.3 [ 22126 ]
            Fix Version/s | | 10.4 [ 22408 ]
            Fix Version/s | | 10.5 [ 23123 ]
            Fix Version/s | | 10.6 [ 24028 ]
            Fix Version/s | | 10.7 [ 24805 ]
            Fix Version/s | | 10.8 [ 26121 ]
            Fix Version/s | | 10.9 [ 26905 ]
            Fix Version/s | | 10.10 [ 27530 ]
            elenst Elena Stepanova made changes -
            serg Sergei Golubchik made changes -
            Assignee | Oleksandr Byelkin [ sanja ] | Sergei Golubchik [ serg ]
            serg Sergei Golubchik made changes -
            Status | Open [ 1 ] | In Progress [ 3 ]
            serg Sergei Golubchik made changes -
            Summary | Role privileges via intermediate role applied inconsistently | Cached role privileges are not invalidated when needed
            serg Sergei Golubchik made changes -
            Fix Version/s | | 10.3.37 [ 28404 ]
            Fix Version/s | | 10.4.27 [ 28405 ]
            Fix Version/s | | 10.5.18 [ 28421 ]
            Fix Version/s | | 10.6.11 [ 28441 ]
            Fix Version/s | | 10.7.7 [ 28442 ]
            Fix Version/s | | 10.8.6 [ 28443 ]
            Fix Version/s | | 10.9.4 [ 28444 ]
            Fix Version/s | 10.3 [ 22126 ] |
            Fix Version/s | 10.4 [ 22408 ] |
            Fix Version/s | 10.5 [ 23123 ] |
            Fix Version/s | 10.6 [ 24028 ] |
            Fix Version/s | 10.7 [ 24805 ] |
            Fix Version/s | 10.8 [ 26121 ] |
            Fix Version/s | 10.9 [ 26905 ] |
            Fix Version/s | 10.10 [ 27530 ] |
            Resolution | | Fixed [ 1 ]
            Status | In Progress [ 3 ] | Closed [ 6 ]

            People

              Assignee: serg Sergei Golubchik
              Reporter: angelique.sklavounos Angelique Sklavounos (Inactive)