MariaDB Server / MDEV-36430

User cannot SET SESSION AUTHORIZATION into its current_user if the host is a wildcard

Details

    Description

      Probably it's intended and is just a note for documentation and/or an addition to the MTR test case.

      create user u@'%';
      --connect (con1,127.0.0.1,u,,)
      select user(), current_user();
      --error ER_ACCESS_DENIED_CHANGE_USER_ERROR
      set session authorization u@'%';
      set session authorization u@'localhost';
      --disconnect con1
      --connection default
      drop user u@'%';
      

      283183cf22d4a74d7b0dd959be9898b7cfa7d930

      connect  con1,127.0.0.1,u,,;
      select user(), current_user();
      user()	current_user()
      u@localhost	u@%
      set session authorization u@'%';
      ERROR 28000: Access denied trying to change to user 'u'@'%'
      set session authorization u@'localhost';
      

      So, even though the user account is u@'%' and there is no account u@<hostname>, for SET SESSION AUTHORIZATION into itself the user needs to use the latter.

      A user with SET USER privilege in this situation can authorize into any u@<whatever>, including but not limited to u@'%'. But once it's authorized into any u@<whatever> and it has become the value which the USER() function returns, it has to be used for further authorization.

      create user u@'%';
      connect  con1,127.0.0.1,root,,;
      set session authorization u@'%';
      select user(), current_user();
      user()	current_user()
      u@%	u@%
      set session authorization u@'xxx';
      ERROR 28000: Access denied trying to change to user 'u'@'xxx'
      set session authorization u@'%';
      disconnect con1;
      connect  con1,127.0.0.1,root,,;
      set session authorization u@'xxx';
      select user(), current_user();
      user()	current_user()
      u@xxx	u@%
      set session authorization u@'%';
      ERROR 28000: Access denied trying to change to user 'u'@'%'
      set session authorization u@'xxx';
      disconnect con1;
      

          Activity

            serg Sergei Golubchik added a comment - It's a documentation issue. SET SESSION AUTHORIZATION takes a new value of the USER() as an argument, not new value of the CURRENT_USER(). The new CURRENT_USER() value is determined using the usual account matching rules. If a user has no SET USER privilege, he can only change the account to himself, that is, he must specify his current USER() value in SET SESSION AUTHORIZATION.

            People

              greenman Ian Gilfillan
              elenst Elena Stepanova