[MDEV-39610] Privileges from wildcard host account applied to host-specific account - Jira

XML

Word

Printable

Details

Type: Bug
Status: Closed (View Workflow)
Priority: Major
Resolution: Fixed
Affects Version/s: 11.8.5
Fix Version/s: N/A
Component/s: Documentation
Labels:
None

Bug Category:
Notable changes
Release Note Summary:

Hide
Corrected documentation regarding privilege merging for host-specific and wildcard accounts. MariaDB intentionally applies privileges from both a specific host account (e.g., 'user'@'192.168.1.5') and a wildcard account (e.g., 'user'@'%') when a user connects. The manual previously incorrectly stated that only the specific account's privileges would apply.

Show
Corrected documentation regarding privilege merging for host-specific and wildcard accounts. MariaDB intentionally applies privileges from both a specific host account (e.g., 'user'@'192.168.1.5') and a wildcard account (e.g., 'user'@'%') when a user connects. The manual previously incorrectly stated that only the specific account's privileges would apply.

Description

The observed behaviour appears to contradict the documentation here:

https://mariadb.com/docs/server/reference/sql-statements/account-management-sql-statements/create-user#user-name-component

The documentation states:

Once connected, you only have the privileges granted to the account that matched, not all accounts that could have matched. For example, consider the following commands:

CREATE USER 'joffrey'@'192.168.0.3';

CREATE USER 'joffrey'@'%';

GRANT SELECT ON test.t1 TO 'joffrey'@'192.168.0.3';

GRANT SELECT ON test.t2 TO 'joffrey'@'%';

If you connect as joffrey from 192.168.0.3, you will have the SELECT privilege on the table test.t1 but not on the table test.t2. If you connect as joffrey from any other IP address, you will have the SELECT privilege on the table test.t2, but not on the table test.t1

However, in my testing, the user is able to query test.t2 successfully.

CREATE USER 'joffrey'@'192.168.1.5' IDENTIFIED BY 'x';

CREATE USER 'joffrey'@'%' IDENTIFIED BY 'y';

GRANT SELECT ON test.t1 TO 'joffrey'@'192.168.1.5';

GRANT SELECT ON test.t2 TO 'joffrey'@'%';

After login with 'joffrey'@'192.168.1.5'

mariadb --protocol=TCP -ujoffrey -h192.168.1.5 -px

MariaDB [(none)]> SHOW GRANTS FOR CURRENT_USER;

+------------------------------------------------------------------------------------------------------------------+

| Grants for joffrey@192.168.1.5                                                                                   |

+------------------------------------------------------------------------------------------------------------------+

| GRANT USAGE ON *.* TO `joffrey`@`192.168.1.5` IDENTIFIED BY PASSWORD '*B69027D44F6E5EDC07F1AEAD1477967B16F28227' |

| GRANT SELECT ON `test`.`t1` TO `joffrey`@`192.168.1.5`                                                           |

+------------------------------------------------------------------------------------------------------------------+

2 rows in set (0.000 sec)

Despite the above grants, the following query succeeds:

MariaDB [(none)]> SELECT * FROM test.t2;

+-----+------+

| tid | name |

+-----+------+

|   1 | aa   |

+-----+------+

1 row in set (0.000 sec)

Attachments

Activity

People

Assignee:: Julien Fritsch

Reporter:: Koustuv Chatterjee

Votes:: 0 Vote for this issue

Watchers:: 5 Start watching this issue

Dates

Created:: 2026-05-14 21:03

Updated:: 2026-06-09 08:21

Resolved:: 2026-05-26 07:56

Git Integration

Error rendering 'com.xiplink.jira.git.jira_git_plugin:git-issue-webpanel'. Please contact your Jira administrators.