[MDEV-36431] User identified via proxy cannot do SET SESSION AUTHORIZATION into itself - Jira

Details

Type: Bug
Status: Open (View Workflow)
Priority: Minor
Resolution: Unresolved
Affects Version/s: N/A
Fix Version/s: 12.0
Component/s: Authentication and Privilege System, Documentation
Labels:
None

Description

Probably also a note for documentation.

If a user logged into the database via PAM and proxy account, and doesn't have the SET USER privilege, it cannot do SET SESSION AUTHORIZATION into itself, because it cannot use the actual database account from the CURRENT_USER() value (MDEV-36430), it cannot use the @@proxy_user value because it has the empty user name and it is not allowed in SET SESSION AUTHORIZATION (MDEV-36415), and it cannot use the USER() value because this account doesn't exist.

283183cf22d4a74d7b0dd959be9898b7cfa7d930
MariaDB [(none)]> show grants;
+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
\| Grants for admin@% \|
+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
\| GRANT USAGE ON . TO `admin`@`%` IDENTIFIED BY PASSWORD '*FAB0955B2CE7AE2DAFEE46C36501AFC5E65D445D' \|
\| GRANT SELECT, INSERT, UPDATE, DELETE, CREATE, DROP, REFERENCES, INDEX, ALTER, CREATE TEMPORARY TABLES, LOCK TABLES, CREATE VIEW, SHOW VIEW, CREATE ROUTINE, EVENT, TRIGGER, DELETE HISTORY, SHOW CREATE ROUTINE ON `test`.* TO PUBLIC \|
\| GRANT SELECT, INSERT, UPDATE, DELETE, CREATE, DROP, REFERENCES, INDEX, ALTER, CREATE TEMPORARY TABLES, LOCK TABLES, CREATE VIEW, SHOW VIEW, CREATE ROUTINE, EVENT, TRIGGER, DELETE HISTORY, SHOW CREATE ROUTINE ON `test\_%`.* TO PUBLIC \|
+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
3 rows in set (0.001 sec)

MariaDB [(none)]> select user(), current_user(), session_user(), @@proxy_user, @@external_user;
+------------------+----------------+----------------+--------------+-----------------+
\| user() \| current_user() \| session_user() \| @@proxy_user \| @@external_user \|
+------------------+----------------+----------------+--------------+-----------------+
\| elenst@localhost \| admin@% \| admin@% \| ''@'%' \| NULL \|
+------------------+----------------+----------------+--------------+-----------------+
1 row in set (0.001 sec)

MariaDB [(none)]> set session authorization elenst@localhost;
ERROR 1873 (28000): Access denied trying to change to user 'elenst'@'localhost'
MariaDB [(none)]> set session authorization admin@'%';
ERROR 1873 (28000): Access denied trying to change to user 'admin'@'%'
MariaDB [(none)]> set session authorization ''@'%';
ERROR 1449 (HY000): The user ''@'%' does not exist

Attachments

Issue Links

is caused by

MDEV-20299 SET SESSION AUTHORIZATION

Closed

Activity

There are no comments yet on this issue.

People

Assignee:: Ian Gilfillan

Reporter:: Elena Stepanova

Votes:: 0 Vote for this issue

Watchers:: 2 Start watching this issue

Dates

Created:: 2025-03-28 22:31

Updated:: 2025-03-28 22:31

Git Integration

Error rendering 'com.xiplink.jira.git.jira_git_plugin:git-issue-webpanel'. Please contact your Jira administrators.

MariaDB Server