  1. MariaDB Server
  2. MDEV-36401

Access denied errors produced by SET SESSION AUTHORIZATION not reflected in status values

Details

    Description

      Unlike a failed COM_CHANGE_USER which causes ER_ACCESS_DENIED_ERROR, a failed SET SESSION AUTHORIZATION command causes ER_ACCESS_DENIED_CHANGE_USER_ERROR. Maybe that's the reason why it isn't included in the Access_denied_errors status counter, and I don't see any other counters which would be used for it.

      create user foo@localhost;
      flush global status;
       
      --connect (con1,localhost,foo,,)
      show global status like 'access_denied_errors';
      --echo # Running change_user bar
      --error ER_ACCESS_DENIED_ERROR
      --change_user bar
      show global status like 'access_denied_errors';
      --error ER_ACCESS_DENIED_CHANGE_USER_ERROR
      SET SESSION AUTHORIZATION bar@localhost;
      show global status like 'access_denied_errors';
      --disconnect con1
       
      --connection default
      drop user foo@localhost;
      

      d4c600f804af677ac3177497b3770dbd67c448f7

      Access_denied_errors	0
      # Running change_user bar
      ERROR 28000: Access denied for user 'bar'@'localhost' (using password: NO)
      show global status like 'access_denied_errors';
      Variable_name	Value
      Access_denied_errors	1
      SET SESSION AUTHORIZATION bar@localhost;
      ERROR 28000: Access denied trying to change to user 'bar'@'localhost'
      show global status like 'access_denied_errors';
      Variable_name	Value
      Access_denied_errors	1
      

      Also, errors upon COM_CHANGE_USER are logged in the error log as warnings

      [Warning] Access denied for user 'bar'@'localhost' (using password: NO)
      

      but errors upon SET SESSION AUTHORIZATION are not. I'm not sure whether they are necessarily needed in the error log, but they should probably be reflected in the status.

            People

              serg Sergei Golubchik
              elenst Elena Stepanova
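
As an added example (not part of the original report and not MariaDB's own test code): a Python check that reads an mtr-style result transcript and lists the access-denied errors that were not followed by an increase in Access_denied_errors. The transcript is constructed from the output quoted in the description, and the function name `uncounted_denials` is hypothetical.

```python
import re

# Constructed transcript, mirroring the result output quoted in the report.
TRANSCRIPT = """\
show global status like 'access_denied_errors';
Variable_name\tValue
Access_denied_errors\t0
# Running change_user bar
ERROR 28000: Access denied for user 'bar'@'localhost' (using password: NO)
show global status like 'access_denied_errors';
Variable_name\tValue
Access_denied_errors\t1
SET SESSION AUTHORIZATION bar@localhost;
ERROR 28000: Access denied trying to change to user 'bar'@'localhost'
show global status like 'access_denied_errors';
Variable_name\tValue
Access_denied_errors\t1
"""

COUNTER = re.compile(r"^Access_denied_errors\s+(\d+)$")
DENIED = re.compile(r"^ERROR 28000: (Access denied.*)$")


def uncounted_denials(transcript):
    """Return access-denied messages not matched by a counter increase.

    Assumes no other session touches the global counter between readings.
    """
    last = None    # previous counter reading
    pending = []   # denials seen since that reading
    missed = []
    for raw in transcript.splitlines():
        line = raw.strip()
        denied = DENIED.match(line)
        if denied:
            pending.append(denied.group(1))
            continue
        reading = COUNTER.match(line)
        if not reading:
            continue
        value = int(reading.group(1))
        # Judge only when there is a baseline and the counter was not reset.
        if last is not None and value >= last:
            missed.extend(pending[value - last:])
        last, pending = value, []
    return missed


if __name__ == "__main__":
    for message in uncounted_denials(TRANSCRIPT):
        print("not counted:", message)
```

Monitoring that alerts only on Access_denied_errors would see the first denial in this transcript and miss the second.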