Details
-
Bug
-
Status: Closed (View Workflow)
-
Critical
-
Resolution: Fixed
-
13.1
-
None
-
Not for Release Notes
Description
MDEV-14443 CS 13.1.0 e5dffa6a4f3a8df4f5d60192f1f81c65bea19b73 (Debug, Clang 18.1.3-11) Build 22/06/2026
worker[01] Using MTR_BUILD_THREAD 300, with reserved ports 19000..19029
CREATE DATABASE d1;
CREATE TABLE d1.t1 (a INT);
INSERT INTO d1.t1 VALUES (1);
CREATE ROLE r;
GRANT SELECT ON d1.* TO r;
DENY SELECT ON d1.t1 TO r;
CREATE USER u@localhost;
GRANT r TO u@localhost;
SET DEFAULT ROLE r FOR u@localhost;
# BEFORE reload: role DENY correctly enforced
connect p, localhost, u,, d1;
SELECT * FROM d1.t1;
ERROR 42000: SELECT command denied to user 'u'@'localhost' for table `d1`.`t1`
connection default;
disconnect p;
# reload privileges
FLUSH PRIVILEGES;
# AFTER reload: BUG -- role DENY dropped, t1 readable (bypass). The SELECT must still be ER_TABLEACCESS_DENIED_ERROR.
connect p, localhost, u,, d1;
SELECT * FROM d1.t1;
a
1
connection default;
disconnect p;
DROP USER u@localhost;
DROP ROLE r;
DROP DATABASE d1;
main.mytest [ pass ] 20
MTR test
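# Reproduction (mysqltest / MTR script): a table-level DENY attached to a role
# stops being enforced after FLUSH PRIVILEGES, so a user whose only access comes
# from that role can read a table the role was explicitly denied.
#
# The script is written to PASS on an affected build: the second SELECT has no
# --error expectation, so a pass means the bypass was observed.

CREATE DATABASE d1;
CREATE TABLE d1.t1 (a INT);
INSERT INTO d1.t1 VALUES (1);

# Role r gets database-wide SELECT on d1, with a narrower DENY carving out d1.t1.
CREATE ROLE r;
GRANT SELECT ON d1.* TO r;
DENY SELECT ON d1.t1 TO r;

# u receives no direct privileges in this script; its access comes from r,
# which is made the default role so it is active right after connecting.
CREATE USER u@localhost;
GRANT r TO u@localhost;
SET DEFAULT ROLE r FOR u@localhost;

--echo # BEFORE reload: role DENY correctly enforced
connect (p, localhost, u,, d1);
# Baseline: the DENY on d1.t1 overrides the database-level GRANT.
--error ER_TABLEACCESS_DENIED_ERROR
SELECT * FROM d1.t1;
connection default;
disconnect p;

--echo # reload privileges
FLUSH PRIVILEGES;

--echo # AFTER reload: BUG -- role DENY dropped, t1 readable (bypass). The SELECT must still be ER_TABLEACCESS_DENIED_ERROR.
# A fresh connection is opened so the privilege check runs against the reloaded state.
connect (p, localhost, u,, d1);
# No --error is expected here on purpose: on an affected build the row is returned.
# For a regression test on a fixed build, precede this SELECT with
# `--error ER_TABLEACCESS_DENIED_ERROR`, mirroring the BEFORE-reload check.
SELECT * FROM d1.t1;
connection default;
disconnect p;

# NOTE(review): only FLUSH PRIVILEGES is exercised. Other events that reload the
# privilege tables (e.g. a server restart) are presumably affected the same way --
# confirm and cover them in the regression test. Only a role-level table DENY under
# a database-level GRANT is covered; a DENY placed directly on a user is not
# exercised here.

# Cleanup so the test leaves no accounts, roles or schemas behind.
DROP USER u@localhost;
DROP ROLE r;
DROP DATABASE d1;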
Attachments
Issue Links
- is caused by
-
MDEV-14443 DENY clause for access control a.k.a. "negative grants"
-
- In Testing
-