Details
-
Bug
-
Status: Closed
-
Critical
-
Resolution: Not a Bug
-
13.1
-
None
-
Not for Release Notes
Description
|
MDEV-14443 CS 13.1.0 e5dffa6a4f3a8df4f5d60192f1f81c65bea19b73 (Optimized, Clang 18.1.3-11) Build 22/06/2026 |
CREATE DATABASE d1;
|
CREATE TABLE d1.t1 (a INT, b INT);
|
CREATE USER u@localhost;
|
GRANT SELECT, INSERT ON d1.* TO u@localhost;
|
DENY SELECT ON d1.t1 TO u@localhost;
|
DENY INSERT (b) ON d1.t1 TO u@localhost;
|
FLUSH PRIVILEGES;
|
# SHOW GRANTS DOES reflect the denies :
|
SHOW GRANTS FOR u@localhost;
|
Grants for u@localhost
|
GRANT USAGE ON *.* TO `u`@`localhost`
|
GRANT SELECT, INSERT ON `d1`.* TO `u`@`localhost`
|
DENY SELECT, INSERT (`b`) ON `d1`.`t1` TO `u`@`localhost`
|
# information_schema.SCHEMA_PRIVILEGES: shows the db grants, no deny:
|
SELECT TABLE_SCHEMA, PRIVILEGE_TYPE
|
FROM information_schema.SCHEMA_PRIVILEGES
|
WHERE GRANTEE="'u'@'localhost'" ORDER BY PRIVILEGE_TYPE;
|
TABLE_SCHEMA PRIVILEGE_TYPE
|
d1 INSERT
|
d1 SELECT
|
# information_schema.TABLE_PRIVILEGES: EMPTY -- the table-level DENY on d1.t1 is invisible
|
SELECT TABLE_NAME, PRIVILEGE_TYPE
|
FROM information_schema.TABLE_PRIVILEGES
|
WHERE GRANTEE="'u'@'localhost'";
|
TABLE_NAME PRIVILEGE_TYPE
|
# information_schema.COLUMN_PRIVILEGES: EMPTY -- the column-level DENY is invisible too:
|
SELECT TABLE_NAME, COLUMN_NAME, PRIVILEGE_TYPE
|
FROM information_schema.COLUMN_PRIVILEGES
|
WHERE GRANTEE="'u'@'localhost'";
|
TABLE_NAME COLUMN_NAME PRIVILEGE_TYPE
|
# SELECT on d1.t1 is denied:
|
connect p, localhost, u,, d1;
|
SELECT * FROM d1.t1;
|
ERROR 42000: SELECT command denied to user 'u'@'localhost' for table `d1`.`t1`
|
connection default;
|
disconnect p;
|
DROP USER u@localhost;
|
DROP DATABASE d1;
|
MTR Test
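# MDEV-14443 follow-up: DENY entries are listed by SHOW GRANTS but are not
# reflected in information_schema.SCHEMA_PRIVILEGES / TABLE_PRIVILEGES /
# COLUMN_PRIVILEGES, which carry positive grants only.
# Security note: an audit that enumerates privileges from information_schema
# alone sees "SELECT, INSERT ON d1.*" for u@localhost and never learns that
# d1.t1 is denied -- SHOW GRANTS is the view to use for effective privileges.

CREATE DATABASE d1;
CREATE TABLE d1.t1 (a INT, b INT);
CREATE USER u@localhost;
GRANT SELECT, INSERT ON d1.* TO u@localhost;
# Table-level deny overrides the db-level SELECT grant for d1.t1 only;
# the second deny removes INSERT on column b of the same table.
DENY SELECT ON d1.t1 TO u@localhost;
DENY INSERT (b) ON d1.t1 TO u@localhost;
FLUSH PRIVILEGES;

--echo # SHOW GRANTS DOES reflect the denies :
SHOW GRANTS FOR u@localhost;

--echo # information_schema.SCHEMA_PRIVILEGES: shows the db grants, no deny:
SELECT TABLE_SCHEMA, PRIVILEGE_TYPE
FROM information_schema.SCHEMA_PRIVILEGES
WHERE GRANTEE="'u'@'localhost'" ORDER BY PRIVILEGE_TYPE;

--echo # information_schema.TABLE_PRIVILEGES: EMPTY -- the table-level DENY on d1.t1 is invisible
# ORDER BY (as on the SCHEMA_PRIVILEGES query above) keeps the recorded
# result deterministic should rows ever appear here.
SELECT TABLE_NAME, PRIVILEGE_TYPE
FROM information_schema.TABLE_PRIVILEGES
WHERE GRANTEE="'u'@'localhost'" ORDER BY TABLE_NAME, PRIVILEGE_TYPE;

--echo # information_schema.COLUMN_PRIVILEGES: EMPTY -- the column-level DENY is invisible too:
SELECT TABLE_NAME, COLUMN_NAME, PRIVILEGE_TYPE
FROM information_schema.COLUMN_PRIVILEGES
WHERE GRANTEE="'u'@'localhost'" ORDER BY TABLE_NAME, COLUMN_NAME, PRIVILEGE_TYPE;

--echo # SELECT on d1.t1 is denied:
connect (p, localhost, u,, d1);
--error ER_TABLEACCESS_DENIED_ERROR
SELECT * FROM d1.t1;
# NOTE(review): only the table-level deny is exercised; enforcement of the
# column-level DENY INSERT (b) is not checked by this test.
connection default;
disconnect p;

DROP USER u@localhost;
DROP DATABASE d1;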
Issue Links
- is caused by
-
MDEV-14443 DENY clause for access control a.k.a. "negative grants"
-
- In Testing
-