[MDEV-34838] SELECT Grant restricts visibility to referential_constraints table - Jira

Details

Type: Bug
Status: Closed (View Workflow)
Priority: Minor
Resolution: Not a Bug
Affects Version/s: 10.11.8
Fix Version/s: N/A
Component/s: Authentication and Privilege System, Information Schema
Labels:
- regression
Environment:
Debian Ubuntu 22.04

Description

After upgrading from 10.3.34 to 10.11.8, a SELECT Granted user is no more able to read rows from the referential_constraints table.

I needed to change the GRANT from :

CREATE USER 'readonly'@'%' IDENTIFIED BY 'readonly';

GRANT SELECT ON *.* TO 'readonly'@'%';

FLUSH PRIVILEGES;

To :

CREATE USER 'readonly'@'%' IDENTIFIED BY 'readonly';

GRANT USAGE ON *.* TO `readonly`@`%`;

GRANT SELECT, REFERENCES, CREATE TEMPORARY TABLES, LOCK TABLES, SHOW VIEW ON `some_db`.* TO `readonly`@`%`;

FLUSH PRIVILEGES;

With SELECT GRANT, this query returns empty set :

SELECT * FROM `REFERENTIAL_CONSTRAINTS

With the new GRANT, the same query returns the expected results.

Maybe this is a new feature, but I could not find any reference of this change in the changelogs.

Attachments

Issue Links

is caused by

MDEV-32500 Information schema leaks table names and structure to unauthorized users

Closed

Activity

Ascending order - Click to sort in descending order

Kevin NGUYEN created issue - 2024-08-29 17:40

Kevin NGUYEN made changes - 2024-08-29 17:41

Field	Original Value	New Value
Description	After upgrading from 10.3.34 to 10.11.8, a SELECT Granted user is no more able to read rows from the referential_constraints table. I needed to change the GRANT from : {{CREATE USER 'readonly'@'%' IDENTIFIED BY 'readonly'; GRANT SELECT ON . TO 'readonly'@'%'; FLUSH PRIVILEGES;}} To : {{CREATE USER 'readonly'@'%' IDENTIFIED BY 'readonly'; GRANT USAGE ON . TO `readonly`@`%`; GRANT SELECT, REFERENCES, CREATE TEMPORARY TABLES, LOCK TABLES, SHOW VIEW ON `some_db`.* TO `readonly`@`%`; FLUSH PRIVILEGES;}} With SELECT GRANT, this query returns empty set : {{SELECT * FROM `REFERENTIAL_CONSTRAINTS}} With new GRANST, the same query returns the expected results. Maybe this is a new feature, but I cound not find any reference of this change in the changelogs.	After upgrading from 10.3.34 to 10.11.8, a SELECT Granted user is no more able to read rows from the referential_constraints table. I needed to change the GRANT from : {{CREATE USER 'readonly'@'%' IDENTIFIED BY 'readonly'; GRANT SELECT ON . TO 'readonly'@'%'; FLUSH PRIVILEGES;}} To : {{CREATE USER 'readonly'@'%' IDENTIFIED BY 'readonly'; GRANT USAGE ON . TO `readonly`@`%`; GRANT SELECT, REFERENCES, CREATE TEMPORARY TABLES, LOCK TABLES, SHOW VIEW ON `some_db`.* TO `readonly`@`%`; FLUSH PRIVILEGES;}} With SELECT GRANT, this query returns empty set : {{SELECT * FROM `REFERENTIAL_CONSTRAINTS}} With the new GRANT, the same query returns the expected results. Maybe this is a new feature, but I cound not find any reference of this change in the changelogs.

Sergei Golubchik made changes - 2024-08-30 13:51

Description

After upgrading from 10.3.34 to 10.11.8, a SELECT Granted user is no more able to read rows from the referential_constraints table.

I needed to change the GRANT from :

{{CREATE USER 'readonly'@'%' IDENTIFIED BY 'readonly';
GRANT SELECT ON *.* TO 'readonly'@'%';
FLUSH PRIVILEGES;}}

To :

{{CREATE USER 'readonly'@'%' IDENTIFIED BY 'readonly';
GRANT USAGE ON *.* TO `readonly`@`%`;
GRANT SELECT, REFERENCES, CREATE TEMPORARY TABLES, LOCK TABLES, SHOW VIEW ON `some_db`.* TO `readonly`@`%`;
FLUSH PRIVILEGES;}}

With SELECT GRANT, this query returns empty set :
{{SELECT * FROM `REFERENTIAL_CONSTRAINTS}}

With the new GRANT, the same query returns the expected results.

Maybe this is a new feature, but I cound not find any reference of this change in the changelogs.

After upgrading from 10.3.34 to 10.11.8, a SELECT Granted user is no more able to read rows from the referential_constraints table.

I needed to change the GRANT from :

{code:sql}CREATE USER 'readonly'@'%' IDENTIFIED BY 'readonly';
GRANT SELECT ON *.* TO 'readonly'@'%';
FLUSH PRIVILEGES;{code}

To :

{code:sql}CREATE USER 'readonly'@'%' IDENTIFIED BY 'readonly';
GRANT USAGE ON *.* TO `readonly`@`%`;
GRANT SELECT, REFERENCES, CREATE TEMPORARY TABLES, LOCK TABLES, SHOW VIEW ON `some_db`.* TO `readonly`@`%`;
FLUSH PRIVILEGES;{code}

With SELECT GRANT, this query returns empty set :
{code:sql}SELECT * FROM `REFERENTIAL_CONSTRAINTS{code}

With the new GRANT, the same query returns the expected results.

Maybe this is a new feature, but I could not find any reference of this change in the changelogs.

Sergei Golubchik made changes - 2024-08-30 13:53

Link

This issue is caused by ~~MDEV-32500~~ [ ~~MDEV-32500~~ ]

Sergei Golubchik made changes - 2024-08-30 13:57

Component/s		Authentication and Privilege System [ 13101 ]
Fix Version/s		N/A [ 14700 ]
Assignee		Sergei Golubchik [ serg ]
Resolution		Not a Bug [ 6 ]
Status	Open [ 1 ]	Closed [ 6 ]

People

Assignee:: Sergei Golubchik

Reporter:: Kevin NGUYEN

Votes:: 0 Vote for this issue

Watchers:: 2 Start watching this issue

Dates

Created:: 2024-08-29 17:40

Updated:: 2024-08-30 13:57

Resolved:: 2024-08-30 13:57

Git Integration

Error rendering 'com.xiplink.jira.git.jira_git_plugin:git-issue-webpanel'. Please contact your Jira administrators.

MariaDB Server

Details

Description

Attachments

Issue Links

Activity

People

Dates

Git Integration