[MDEV-4397] Roles - Jira

Details

Type: Task
Status: Closed (View Workflow)
Priority: Major
Resolution: Fixed
Fix Version/s: 10.0.5
Component/s: None
Labels:
- gsoc13

Description

Roles

As (or close to) defined in the SQL:2003 standard.

New statements

CREATE ROLE role

DROP ROLE role

GRANT role TO { user | user }

REVOKE role FROM {user | role }

SET ROLE { role_name | NONE }

According to the standard, role and user names live in the same namespace. But in MariaDB a user name has a mandatory @host part (even if it's @%). And we probably wouldn't want it for roles. So, practically, we will have users and roles in different name spaces, with a little ambiguity, when a user name is specified without a @host part, where allowed. Alternatively, we can specify that a role name cannot match the first part of any user name. May be it'll be less confusing this way.

Only one role can be set to a user at any specific point in any given session. In other words, CURRENT_ROLE (see below) can never return a list.

Privileges

One needs CREATE USER privilege to create or drop a role. Or an appropriate (insert or delete) privilege on the mysql database.

One needs a role to be granted to himself WITH ADMIN OPTION to be able to grant or revoke it further. A creator of a role gets it automatically granted to himself WITH ADMIN CURRENT_USER. Alternatively, one can use WITH ADMIN CURRENT_ROLE or (with SUPER privilege) WITH ADMIN arbitrary_definer.

Existing statements need to work with roles

REVOKE privilege FROM { user | role }

GRANT privilege TO { user | role }

SHOW GRANTS FOR { user | role }

New functions

CURRENT_ROLE

CURRENT_ROLE()

If there is no current role, the function returns NULL, not "NONE".

Informational tables

INFORMATION_SCHEMA.APPLICABLE_ROLES

INFORMATION_SCHEMA.ENABLED_ROLES

there are more tables in the INFORMATION_SCHEMA that are relevant for roles. They are not part of this task.

DEFINER=CURRENT_ROLE

Everywhere where one can write DEFINER=xxx, we should allow xxx to be a role name. And additionally we'll support DEFINER=CURRENT_ROLE.

Reserved role names

The role name of PUBLIC is reserved. There can be no role with this name. But this name can be used in GRANT and REVOKE statements as a grantee.Privileges granted to PUBLIC are always available to everyone. Implementing it is not part of this task.

The role name of NONE is reserved too.

Default role (not part of this task)

Syntax variants (which ones we'll do?):

CREATE USER xxx DEFAULT ROLE yyy;

ALTER USER xxx DEFAULT ROLE yyy;

SET DEFAULT ROLE yyy;

SET DEFAULT ROLE yyy [ FOR xxx ];

When a default role is set, the server implicitly runs SET ROLE yyy for every new connection (or after a COM_CHANGE_USER for a user xxx.

Attachments

Issue Links

blocks

MDEV-5164 Testing Roles

Closed

causes

MDEV-24345 WITH ADMIN OPTION privilege is missing from SHOW PRIVILEGES

Closed

duplicates

MDEV-14444 Support Role based access control for MariaDB privilege system

Closed

relates to

MDEV-5166 10.0-roles does not build with BUILD/compile-pentium-debug-max-no-ndb

Closed

MDEV-5170 Assertion `(&(&acl_cache->lock)->m_mutex)->count > 0 && pthread_equal(pthread_self(), (&(&acl_cache->lock)->m_mutex)->thread)' fails after restarting server with a pre-created role grants

Closed

MDEV-5172 safe_mutex: Trying to lock mutex when the mutex was already locked on using a role and I_S role tables

Closed

MDEV-5175 Revoking a role does not revoke corresponding grants from open sessions

Closed

MDEV-5211 Rename role

Open

MDEV-5212 Role support for Audit Plugin API

Open

MDEV-5215 Granted to PUBLIC

Closed

MDEV-5221 User auto-creation does not work upon GRANT <role>

Closed

MDEV-5223 Server crashes on REVOKE ... from CURRENT_ROLE

Closed

MDEV-5225 Server crashes on CREATE USER|ROLE CURRENT_ROLE or DROP ROLE CURRENT_ROLE

Closed

MDEV-5227 Resolve the ambiguity between user and role names as mentioned in MDEV-4397

Closed

MDEV-5228 Incorrect message test on a failed attempt to revoke grants from a role

Open

MDEV-5232 SET ROLE checks privileges differently from check_access()

Closed

MDEV-5237 Minor inconsistency between current_role and I_S.enabled_roles

Closed

MDEV-5238 Server crashes in find_role_grant_pair on SHOW GRANTS for an anonymous user

Closed

MDEV-5668 Assertion `granted_role->is_role()' fails on granting role with empty name

Closed

MDEV-5669 Possible inconsistencies or lack of documentation in role privilege grants and propogation

Closed

MDEV-5771 Privileges acquired via roles depend on the order of granting

Closed

MDEV-5772 Granting multiple roles in single statement does not work

Open

MDEV-5210 Default role

Closed

MDEV-5213 Roles: OOM checks

Open

(19 relates to)

Activity

Ascending order - Click to sort in descending order

Sergei Golubchik created issue - 2013-04-15 19:19

Mark Callaghan added a comment - 2013-04-17 21:34

Implemented something like this long ago in the Google patch. Will be great to see an officially supported version of it – https://code.google.com/p/google-mysql-tools/wiki/MysqlRoles

Mark Callaghan added a comment - 2013-04-17 21:34 Implemented something like this long ago in the Google patch. Will be great to see an officially supported version of it – https://code.google.com/p/google-mysql-tools/wiki/MysqlRoles

Sergei Golubchik made changes - 2013-05-01 19:57

Field	Original Value	New Value
Labels		gsoc13

Sergei Golubchik made changes - 2013-09-23 21:48

Fix Version/s

10.0.5 [ 13201 ]

Sergei Golubchik made changes - 2013-09-23 21:48

Assignee

Sergey Vojtovich [ svoj ]

Sergei Golubchik added a comment - 2013-09-23 21:50 - edited

lp:~maria-captains/maria/10.0-serg

Sergei Golubchik added a comment - 2013-09-23 21:50 - edited lp:~maria-captains/maria/10.0-serg

Sergei Golubchik made changes - 2013-09-26 10:57

Description

h2.Roles
As (or close to) defined in the SQL:2003 standard.

h3. New statements
{noformat}
CREATE ROLE [ IF NOT EXISTS ] role
DROP ROLE [ IF EXISTS ] role
GRANT role TO { user | user }
REVOKE role FROM {user | role }
SET ROLE { role_name | NONE }
{noformat}

According to the standard, role and user names live in the same namespace. But in MariaDB a user name has a mandatory {{@host}} part (even if it's {{@%}}). And we probably wouldn't want it for roles. So, practically, we will have users and roles in _different_ name spaces, with a little ambiguity, when a user name is specified without a {{@host}} part, where allowed. Alternatively, we can specify that a role name cannot match the first part of any user name. May be it'll be less confusing this way.

Only one role can be set to a user at any specific point in any given session. In other words, {{CURRENT_ROLE}} (see below) can never return a list.

h3. Privileges

One needs {{CREATE USER}} privilege to create or drop a role. Or an appropriate (insert or delete) privilege on the {{mysql}} database. Alternatively, we may want to introduce {{CREATE ROLE}} privilege.

One needs a role to be granted to himself to be able to grant or revoke it futher (assuming one has {{GRANT OPTION}}) or to set it.

h3. Existing statements need to work with roles

{noformat}
REVOKE privilege FROM { user | role }
GRANT privilege TO { user | role }
SHOW GRANTS FOR { user | role }
{noformat}

h3. New functions

{noformat}
CURRENT_ROLE
CURRENT_ROLE()
{noformat}

If there is no current role, the function returns {{NULL}}, not {{"NONE"}}.

h3. Informatinal tables

{noformat}
INFORMATION_SCHEMA.APPLICABLE_ROLES
INFORMATION_SCHEMA.ENABLED_ROLES
{noformat}

h3. Reserved role names

The role name of {{PUBLIC}} is reserved. There can be no role with this name. But this name can be used in {{GRANT}} and {{REVOKE}} statements as a grantee.Privileges granted to {{PUBLIC}} are always available to everyone. May be we won't implement it, though.

The role name of {{NONE}} is reserved too.

h2.Roles
As (or close to) defined in the SQL:2003 standard.

h3. New statements
{noformat}
CREATE ROLE role
DROP ROLE role
GRANT role TO { user | user }
REVOKE role FROM {user | role }
SET ROLE { role_name | NONE }
{noformat}

According to the standard, role and user names live in the same namespace. But in MariaDB a user name has a mandatory {{@host}} part (even if it's {{@%}}). And we probably wouldn't want it for roles. So, practically, we will have users and roles in _different_ name spaces, with a little ambiguity, when a user name is specified without a {{@host}} part, where allowed. Alternatively, we can specify that a role name cannot match the first part of any user name. May be it'll be less confusing this way.

Only one role can be set to a user at any specific point in any given session. In other words, {{CURRENT_ROLE}} (see below) can never return a list.

h3. Privileges

One needs {{CREATE USER}} privilege to create or drop a role. Or an appropriate (insert or delete) privilege on the {{mysql}} database. Alternatively, we may want to introduce {{CREATE ROLE}} privilege.

One needs a role to be granted to himself to be able to grant or revoke it futher (assuming one has {{GRANT OPTION}}) or to set it.

h3. Existing statements need to work with roles

{noformat}
REVOKE privilege FROM { user | role }
GRANT privilege TO { user | role }
SHOW GRANTS FOR { user | role }
{noformat}

h3. New functions

{noformat}
CURRENT_ROLE
CURRENT_ROLE()
{noformat}

If there is no current role, the function returns {{NULL}}, not {{"NONE"}}.

h3. Informatinal tables

{noformat}
INFORMATION_SCHEMA.APPLICABLE_ROLES
INFORMATION_SCHEMA.ENABLED_ROLES
{noformat}

h3. Reserved role names

The role name of {{PUBLIC}} is reserved. There can be no role with this name. But this name can be used in {{GRANT}} and {{REVOKE}} statements as a grantee.Privileges granted to {{PUBLIC}} are always available to everyone. May be we won't implement it, though.

The role name of {{NONE}} is reserved too.

Sergei Golubchik made changes - 2013-09-26 11:06

Description

h2.Roles
As (or close to) defined in the SQL:2003 standard.

h3. New statements
{noformat}
CREATE ROLE role
DROP ROLE role
GRANT role TO { user | user }
REVOKE role FROM {user | role }
SET ROLE { role_name | NONE }
{noformat}

According to the standard, role and user names live in the same namespace. But in MariaDB a user name has a mandatory {{@host}} part (even if it's {{@%}}). And we probably wouldn't want it for roles. So, practically, we will have users and roles in _different_ name spaces, with a little ambiguity, when a user name is specified without a {{@host}} part, where allowed. Alternatively, we can specify that a role name cannot match the first part of any user name. May be it'll be less confusing this way.

Only one role can be set to a user at any specific point in any given session. In other words, {{CURRENT_ROLE}} (see below) can never return a list.

h3. Privileges

One needs {{CREATE USER}} privilege to create or drop a role. Or an appropriate (insert or delete) privilege on the {{mysql}} database.

One needs a role to be granted to himself to be able to grant or revoke it further.
{panel:title=Question}
Will we require traditional {{GRANT OPTION}} privilege to grant roles, or we'll go with the standard {{WITH ADMIN OPTION}} (which is an _option_ not a privilege)?
{panel}

h3. Existing statements need to work with roles

{noformat}
REVOKE privilege FROM { user | role }
GRANT privilege TO { user | role }
SHOW GRANTS FOR { user | role }
{noformat}

h3. New functions

{noformat}
CURRENT_ROLE
CURRENT_ROLE()
{noformat}

If there is no current role, the function returns {{NULL}}, not {{"NONE"}}.

h3. Informatinal tables

{noformat}
INFORMATION_SCHEMA.APPLICABLE_ROLES
INFORMATION_SCHEMA.ENABLED_ROLES
{noformat}

h3. Reserved role names

The role name of {{PUBLIC}} is reserved. There can be no role with this name. But this name can be used in {{GRANT}} and {{REVOKE}} statements as a grantee.Privileges granted to {{PUBLIC}} are always available to everyone. May be we won't implement it, though.

The role name of {{NONE}} is reserved too.

Sergei Golubchik made changes - 2013-09-26 11:12

Description

h2.Roles
As (or close to) defined in the SQL:2003 standard.

h3. New statements
{noformat}
CREATE ROLE role
DROP ROLE role
GRANT role TO { user | user }
REVOKE role FROM {user | role }
SET ROLE { role_name | NONE }
{noformat}

According to the standard, role and user names live in the same namespace. But in MariaDB a user name has a mandatory {{@host}} part (even if it's {{@%}}). And we probably wouldn't want it for roles. So, practically, we will have users and roles in _different_ name spaces, with a little ambiguity, when a user name is specified without a {{@host}} part, where allowed. Alternatively, we can specify that a role name cannot match the first part of any user name. May be it'll be less confusing this way.

Only one role can be set to a user at any specific point in any given session. In other words, {{CURRENT_ROLE}} (see below) can never return a list.

h3. Privileges

One needs {{CREATE USER}} privilege to create or drop a role. Or an appropriate (insert or delete) privilege on the {{mysql}} database.

One needs a role to be granted to himself to be able to grant or revoke it further.
{panel:title=Question}
Will we require traditional {{GRANT OPTION}} privilege to grant roles, or we'll go with the standard {{WITH ADMIN OPTION}} (which is an _option_ not a privilege)?
{panel}

h3. Existing statements need to work with roles

{noformat}
REVOKE privilege FROM { user | role }
GRANT privilege TO { user | role }
SHOW GRANTS FOR { user | role }
{noformat}

h3. New functions

{noformat}
CURRENT_ROLE
CURRENT_ROLE()
{noformat}

If there is no current role, the function returns {{NULL}}, not {{"NONE"}}.

h3. Informatinal tables

{noformat}
INFORMATION_SCHEMA.APPLICABLE_ROLES
INFORMATION_SCHEMA.ENABLED_ROLES
{noformat}

h3. Reserved role names

The role name of {{PUBLIC}} is reserved. There can be no role with this name. But this name can be used in {{GRANT}} and {{REVOKE}} statements as a grantee.Privileges granted to {{PUBLIC}} are always available to everyone. May be we won't implement it, though.

The role name of {{NONE}} is reserved too.

h2.Roles
As (or close to) defined in the SQL:2003 standard.

h3. New statements
{noformat}
CREATE ROLE role
DROP ROLE role
GRANT role TO { user | user }
REVOKE role FROM {user | role }
SET ROLE { role_name | NONE }
{noformat}

According to the standard, role and user names live in the same namespace. But in MariaDB a user name has a mandatory {{@host}} part (even if it's {{@%}}). And we probably wouldn't want it for roles. So, practically, we will have users and roles in _different_ name spaces, with a little ambiguity, when a user name is specified without a {{@host}} part, where allowed. Alternatively, we can specify that a role name cannot match the first part of any user name. May be it'll be less confusing this way.

Only one role can be set to a user at any specific point in any given session. In other words, {{CURRENT_ROLE}} (see below) can never return a list.

h3. Privileges

One needs {{CREATE USER}} privilege to create or drop a role. Or an appropriate (insert or delete) privilege on the {{mysql}} database.

One needs a role to be granted to himself to be able to grant or revoke it further.
{panel:title=Question}
Will we require traditional {{GRANT OPTION}} privilege to grant roles, or we'll go with the standard {{WITH ADMIN OPTION}} (which is an _option_ not a privilege)?
{panel}

h3. Existing statements need to work with roles

{noformat}
REVOKE privilege FROM { user | role }
GRANT privilege TO { user | role }
SHOW GRANTS FOR { user | role }
{noformat}

h3. Definer

Where we support {{DEFINER=CURRENT_USER}} we should also support {{DEFINER=CURRENT_ROLE}}.

h3. New functions

{noformat}
CURRENT_ROLE
CURRENT_ROLE()
{noformat}

If there is no current role, the function returns {{NULL}}, not {{"NONE"}}.

h3. Informatinal tables

{noformat}
INFORMATION_SCHEMA.APPLICABLE_ROLES
INFORMATION_SCHEMA.ENABLED_ROLES
{noformat}

h3. Reserved role names

The role name of {{PUBLIC}} is reserved. There can be no role with this name. But this name can be used in {{GRANT}} and {{REVOKE}} statements as a grantee.Privileges granted to {{PUBLIC}} are always available to everyone. May be we won't implement it, though.

The role name of {{NONE}} is reserved too.

Sergei Golubchik made changes - 2013-09-30 10:37

Description

h2.Roles
As (or close to) defined in the SQL:2003 standard.

h3. New statements
{noformat}
CREATE ROLE role
DROP ROLE role
GRANT role TO { user | user }
REVOKE role FROM {user | role }
SET ROLE { role_name | NONE }
{noformat}

According to the standard, role and user names live in the same namespace. But in MariaDB a user name has a mandatory {{@host}} part (even if it's {{@%}}). And we probably wouldn't want it for roles. So, practically, we will have users and roles in _different_ name spaces, with a little ambiguity, when a user name is specified without a {{@host}} part, where allowed. Alternatively, we can specify that a role name cannot match the first part of any user name. May be it'll be less confusing this way.

Only one role can be set to a user at any specific point in any given session. In other words, {{CURRENT_ROLE}} (see below) can never return a list.

h3. Privileges

One needs {{CREATE USER}} privilege to create or drop a role. Or an appropriate (insert or delete) privilege on the {{mysql}} database.

One needs a role to be granted to himself to be able to grant or revoke it further.
{panel:title=Question}
Will we require traditional {{GRANT OPTION}} privilege to grant roles, or we'll go with the standard {{WITH ADMIN OPTION}} (which is an _option_ not a privilege)?
{panel}

h3. Existing statements need to work with roles

{noformat}
REVOKE privilege FROM { user | role }
GRANT privilege TO { user | role }
SHOW GRANTS FOR { user | role }
{noformat}

h3. Definer

Where we support {{DEFINER=CURRENT_USER}} we should also support {{DEFINER=CURRENT_ROLE}}.

h3. New functions

{noformat}
CURRENT_ROLE
CURRENT_ROLE()
{noformat}

If there is no current role, the function returns {{NULL}}, not {{"NONE"}}.

h3. Informatinal tables

{noformat}
INFORMATION_SCHEMA.APPLICABLE_ROLES
INFORMATION_SCHEMA.ENABLED_ROLES
{noformat}

h3. Reserved role names

The role name of {{PUBLIC}} is reserved. There can be no role with this name. But this name can be used in {{GRANT}} and {{REVOKE}} statements as a grantee.Privileges granted to {{PUBLIC}} are always available to everyone. May be we won't implement it, though.

The role name of {{NONE}} is reserved too.

h2.Roles
As (or close to) defined in the SQL:2003 standard.

h3. New statements
{noformat}
CREATE ROLE role
DROP ROLE role
GRANT role TO { user | user }
REVOKE role FROM {user | role }
SET ROLE { role_name | NONE }
{noformat}

According to the standard, role and user names live in the same namespace. But in MariaDB a user name has a mandatory {{@host}} part (even if it's {{@%}}). And we probably wouldn't want it for roles. So, practically, we will have users and roles in _different_ name spaces, with a little ambiguity, when a user name is specified without a {{@host}} part, where allowed. Alternatively, we can specify that a role name cannot match the first part of any user name. May be it'll be less confusing this way.

Only one role can be set to a user at any specific point in any given session. In other words, {{CURRENT_ROLE}} (see below) can never return a list.

h3. Privileges

One needs {{CREATE USER}} privilege to create or drop a role. Or an appropriate (insert or delete) privilege on the {{mysql}} database.

One needs a role to be granted to himself to be able to grant or revoke it further.
{panel:title=Question}
Will we require traditional {{GRANT OPTION}} privilege to grant roles, or we'll go with the standard {{WITH ADMIN}} (which is an _option_ not a privilege)?
{panel}

h3. Existing statements need to work with roles

{noformat}
REVOKE privilege FROM { user | role }
GRANT privilege TO { user | role }
SHOW GRANTS FOR { user | role }
{noformat}

h3. Definer

Where we support {{DEFINER=CURRENT_USER}} we should also support {{DEFINER=CURRENT_ROLE}}.

h3. New functions

{noformat}
CURRENT_ROLE
CURRENT_ROLE()
{noformat}

If there is no current role, the function returns {{NULL}}, not {{"NONE"}}.

h3. Informatinal tables

{noformat}
INFORMATION_SCHEMA.APPLICABLE_ROLES
INFORMATION_SCHEMA.ENABLED_ROLES
{noformat}

h3. Reserved role names

The role name of {{PUBLIC}} is reserved. There can be no role with this name. But this name can be used in {{GRANT}} and {{REVOKE}} statements as a grantee.Privileges granted to {{PUBLIC}} are always available to everyone. May be we won't implement it, though.

The role name of {{NONE}} is reserved too.

Sergei Golubchik made changes - 2013-09-30 10:38

Description

h2.Roles
As (or close to) defined in the SQL:2003 standard.

h3. New statements
{noformat}
CREATE ROLE role
DROP ROLE role
GRANT role TO { user | user }
REVOKE role FROM {user | role }
SET ROLE { role_name | NONE }
{noformat}

According to the standard, role and user names live in the same namespace. But in MariaDB a user name has a mandatory {{@host}} part (even if it's {{@%}}). And we probably wouldn't want it for roles. So, practically, we will have users and roles in _different_ name spaces, with a little ambiguity, when a user name is specified without a {{@host}} part, where allowed. Alternatively, we can specify that a role name cannot match the first part of any user name. May be it'll be less confusing this way.

Only one role can be set to a user at any specific point in any given session. In other words, {{CURRENT_ROLE}} (see below) can never return a list.

h3. Privileges

One needs {{CREATE USER}} privilege to create or drop a role. Or an appropriate (insert or delete) privilege on the {{mysql}} database.

One needs a role to be granted to himself to be able to grant or revoke it further.
{panel:title=Question}
Will we require traditional {{GRANT OPTION}} privilege to grant roles, or we'll go with the standard {{WITH ADMIN}} (which is an _option_ not a privilege)?
{panel}

h3. Existing statements need to work with roles

{noformat}
REVOKE privilege FROM { user | role }
GRANT privilege TO { user | role }
SHOW GRANTS FOR { user | role }
{noformat}

h3. Definer

Where we support {{DEFINER=CURRENT_USER}} we should also support {{DEFINER=CURRENT_ROLE}}.

h3. New functions

{noformat}
CURRENT_ROLE
CURRENT_ROLE()
{noformat}

If there is no current role, the function returns {{NULL}}, not {{"NONE"}}.

h3. Informatinal tables

{noformat}
INFORMATION_SCHEMA.APPLICABLE_ROLES
INFORMATION_SCHEMA.ENABLED_ROLES
{noformat}

h3. Reserved role names

The role name of {{PUBLIC}} is reserved. There can be no role with this name. But this name can be used in {{GRANT}} and {{REVOKE}} statements as a grantee.Privileges granted to {{PUBLIC}} are always available to everyone. May be we won't implement it, though.

The role name of {{NONE}} is reserved too.

h2.Roles
As (or close to) defined in the SQL:2003 standard.

h3. New statements
{noformat}
CREATE ROLE role
DROP ROLE role
GRANT role TO { user | user }
REVOKE role FROM {user | role }
SET ROLE { role_name | NONE }
{noformat}

According to the standard, role and user names live in the same namespace. But in MariaDB a user name has a mandatory {{@host}} part (even if it's {{@%}}). And we probably wouldn't want it for roles. So, practically, we will have users and roles in _different_ name spaces, with a little ambiguity, when a user name is specified without a {{@host}} part, where allowed. Alternatively, we can specify that a role name cannot match the first part of any user name. May be it'll be less confusing this way.

Only one role can be set to a user at any specific point in any given session. In other words, {{CURRENT_ROLE}} (see below) can never return a list.

h3. Privileges

One needs {{CREATE USER}} privilege to create or drop a role. Or an appropriate (insert or delete) privilege on the {{mysql}} database.

One needs a role to be granted to himself to be able to grant or revoke it further.
{panel:title=Question|titleBGColor=#F7D6C1|bgColor=#FFFFCE}
Will we require traditional {{GRANT OPTION}} privilege to grant roles, or we'll go with the standard {{WITH ADMIN}} (which is an _option_ not a privilege)?
{panel}

h3. Existing statements need to work with roles

{noformat}
REVOKE privilege FROM { user | role }
GRANT privilege TO { user | role }
SHOW GRANTS FOR { user | role }
{noformat}

h3. Definer

Where we support {{DEFINER=CURRENT_USER}} we should also support {{DEFINER=CURRENT_ROLE}}.

h3. New functions

{noformat}
CURRENT_ROLE
CURRENT_ROLE()
{noformat}

If there is no current role, the function returns {{NULL}}, not {{"NONE"}}.

h3. Informatinal tables

{noformat}
INFORMATION_SCHEMA.APPLICABLE_ROLES
INFORMATION_SCHEMA.ENABLED_ROLES
{noformat}

h3. Reserved role names

The role name of {{PUBLIC}} is reserved. There can be no role with this name. But this name can be used in {{GRANT}} and {{REVOKE}} statements as a grantee.Privileges granted to {{PUBLIC}} are always available to everyone. May be we won't implement it, though.

The role name of {{NONE}} is reserved too.

Sergei Golubchik made changes - 2013-09-30 10:48

Description

h2.Roles
As (or close to) defined in the SQL:2003 standard.

h3. New statements
{noformat}
CREATE ROLE role
DROP ROLE role
GRANT role TO { user | user }
REVOKE role FROM {user | role }
SET ROLE { role_name | NONE }
{noformat}

According to the standard, role and user names live in the same namespace. But in MariaDB a user name has a mandatory {{@host}} part (even if it's {{@%}}). And we probably wouldn't want it for roles. So, practically, we will have users and roles in _different_ name spaces, with a little ambiguity, when a user name is specified without a {{@host}} part, where allowed. Alternatively, we can specify that a role name cannot match the first part of any user name. May be it'll be less confusing this way.

Only one role can be set to a user at any specific point in any given session. In other words, {{CURRENT_ROLE}} (see below) can never return a list.

h3. Privileges

One needs {{CREATE USER}} privilege to create or drop a role. Or an appropriate (insert or delete) privilege on the {{mysql}} database.

One needs a role to be granted to himself to be able to grant or revoke it further.
{panel:title=Question|titleBGColor=#F7D6C1|bgColor=#FFFFCE}
Will we require traditional {{GRANT OPTION}} privilege to grant roles, or we'll go with the standard {{WITH ADMIN}} (which is an _option_ not a privilege)?
{panel}

h3. Existing statements need to work with roles

{noformat}
REVOKE privilege FROM { user | role }
GRANT privilege TO { user | role }
SHOW GRANTS FOR { user | role }
{noformat}

h3. Definer

Where we support {{DEFINER=CURRENT_USER}} we should also support {{DEFINER=CURRENT_ROLE}}.

h3. New functions

{noformat}
CURRENT_ROLE
CURRENT_ROLE()
{noformat}

If there is no current role, the function returns {{NULL}}, not {{"NONE"}}.

h3. Informatinal tables

{noformat}
INFORMATION_SCHEMA.APPLICABLE_ROLES
INFORMATION_SCHEMA.ENABLED_ROLES
{noformat}

h3. Reserved role names

The role name of {{PUBLIC}} is reserved. There can be no role with this name. But this name can be used in {{GRANT}} and {{REVOKE}} statements as a grantee.Privileges granted to {{PUBLIC}} are always available to everyone. May be we won't implement it, though.

The role name of {{NONE}} is reserved too.

h2.Roles
As (or close to) defined in the SQL:2003 standard.

h3. New statements
{noformat}
CREATE ROLE role
DROP ROLE role
GRANT role TO { user | user }
REVOKE role FROM {user | role }
SET ROLE { role_name | NONE }
{noformat}

According to the standard, role and user names live in the same namespace. But in MariaDB a user name has a mandatory {{@host}} part (even if it's {{@%}}). And we probably wouldn't want it for roles. So, practically, we will have users and roles in _different_ name spaces, with a little ambiguity, when a user name is specified without a {{@host}} part, where allowed. Alternatively, we can specify that a role name cannot match the first part of any user name. May be it'll be less confusing this way.

Only one role can be set to a user at any specific point in any given session. In other words, {{CURRENT_ROLE}} (see below) can never return a list.

h3. Privileges

One needs {{CREATE USER}} privilege to create or drop a role. Or an appropriate (insert or delete) privilege on the {{mysql}} database.

One needs a role to be granted to himself to be able to grant or revoke it further.
{panel:title=Question|titleBGColor=#F7D6C1|bgColor=#FFFFCE}
Will we require traditional {{GRANT OPTION}} privilege to grant roles, or we'll go with the standard {{WITH ADMIN}} (which is an _option_ not a privilege)?
{panel}

h3. Existing statements need to work with roles

{noformat}
REVOKE privilege FROM { user | role }
GRANT privilege TO { user | role }
SHOW GRANTS FOR { user | role }
{noformat}

h3. Definer

Where we support {{DEFINER=CURRENT_USER}} we should also support {{DEFINER=CURRENT_ROLE}}.

h3. New functions

{noformat}
CURRENT_ROLE
CURRENT_ROLE()
{noformat}

If there is no current role, the function returns {{NULL}}, not {{"NONE"}}.

h3. Informatinal tables

{noformat}
INFORMATION_SCHEMA.APPLICABLE_ROLES
INFORMATION_SCHEMA.ENABLED_ROLES
{noformat}

h3. Reserved role names

The role name of {{PUBLIC}} is reserved. There can be no role with this name. But this name can be used in {{GRANT}} and {{REVOKE}} statements as a grantee.Privileges granted to {{PUBLIC}} are always available to everyone. May be we won't implement it, though.

The role name of {{NONE}} is reserved too.

h3. Default role (optional)

Syntax variants (which ones we'll do?):

{noformat}
CREATE USER xxx DEFAULT ROLE yyy;
ALTER USER xxx DEFAULT ROLE yyy;
SET DEFAULT ROLE yyy;
SET DEFAULT ROLE yyy [ FOR xxx ];
{noformat}

When a default role is set, the server implicitly runs {{SET ROLE yyy}} for every new connection (or after a {{COM_CHANGE_USER}} for a user {{xxx}}.

h3. DEFINER=CURRENT_ROLE

Everywhere where one can write {{DEFINER=xxx}}, we should allow {{xxx}} to be a role name. And additionally we'll support {{DEFINER=CURRENT_ROLE}}.

Sergey Vojtovich made changes - 2013-10-03 12:09

Assignee

Sergey Vojtovich [ svoj ]

Sergei Golubchik [ serg ]

Sergei Golubchik made changes - 2013-10-05 16:51

Status

Open [ 1 ]

In Progress [ 3 ]

Sergei Golubchik made changes - 2013-10-05 16:52

Description

h2.Roles
As (or close to) defined in the SQL:2003 standard.

h3. New statements
{noformat}
CREATE ROLE role
DROP ROLE role
GRANT role TO { user | user }
REVOKE role FROM {user | role }
SET ROLE { role_name | NONE }
{noformat}

According to the standard, role and user names live in the same namespace. But in MariaDB a user name has a mandatory {{@host}} part (even if it's {{@%}}). And we probably wouldn't want it for roles. So, practically, we will have users and roles in _different_ name spaces, with a little ambiguity, when a user name is specified without a {{@host}} part, where allowed. Alternatively, we can specify that a role name cannot match the first part of any user name. May be it'll be less confusing this way.

Only one role can be set to a user at any specific point in any given session. In other words, {{CURRENT_ROLE}} (see below) can never return a list.

h3. Privileges

One needs {{CREATE USER}} privilege to create or drop a role. Or an appropriate (insert or delete) privilege on the {{mysql}} database.

One needs a role to be granted to himself to be able to grant or revoke it further.
{panel:title=Question|titleBGColor=#F7D6C1|bgColor=#FFFFCE}
Will we require traditional {{GRANT OPTION}} privilege to grant roles, or we'll go with the standard {{WITH ADMIN}} (which is an _option_ not a privilege)?
{panel}

h3. Existing statements need to work with roles

{noformat}
REVOKE privilege FROM { user | role }
GRANT privilege TO { user | role }
SHOW GRANTS FOR { user | role }
{noformat}

h3. Definer

Where we support {{DEFINER=CURRENT_USER}} we should also support {{DEFINER=CURRENT_ROLE}}.

h3. New functions

{noformat}
CURRENT_ROLE
CURRENT_ROLE()
{noformat}

If there is no current role, the function returns {{NULL}}, not {{"NONE"}}.

h3. Informatinal tables

{noformat}
INFORMATION_SCHEMA.APPLICABLE_ROLES
INFORMATION_SCHEMA.ENABLED_ROLES
{noformat}

h3. Reserved role names

The role name of {{PUBLIC}} is reserved. There can be no role with this name. But this name can be used in {{GRANT}} and {{REVOKE}} statements as a grantee.Privileges granted to {{PUBLIC}} are always available to everyone. May be we won't implement it, though.

The role name of {{NONE}} is reserved too.

h3. Default role (optional)

Syntax variants (which ones we'll do?):

{noformat}
CREATE USER xxx DEFAULT ROLE yyy;
ALTER USER xxx DEFAULT ROLE yyy;
SET DEFAULT ROLE yyy;
SET DEFAULT ROLE yyy [ FOR xxx ];
{noformat}

When a default role is set, the server implicitly runs {{SET ROLE yyy}} for every new connection (or after a {{COM_CHANGE_USER}} for a user {{xxx}}.

h3. DEFINER=CURRENT_ROLE

Everywhere where one can write {{DEFINER=xxx}}, we should allow {{xxx}} to be a role name. And additionally we'll support {{DEFINER=CURRENT_ROLE}}.

h2.Roles
As (or close to) defined in the SQL:2003 standard.

h3. New statements
{noformat}
CREATE ROLE role
DROP ROLE role
GRANT role TO { user | user }
REVOKE role FROM {user | role }
SET ROLE { role_name | NONE }
{noformat}

According to the standard, role and user names live in the same namespace. But in MariaDB a user name has a mandatory {{@host}} part (even if it's {{@%}}). And we probably wouldn't want it for roles. So, practically, we will have users and roles in _different_ name spaces, with a little ambiguity, when a user name is specified without a {{@host}} part, where allowed. Alternatively, we can specify that a role name cannot match the first part of any user name. May be it'll be less confusing this way.

Only one role can be set to a user at any specific point in any given session. In other words, {{CURRENT_ROLE}} (see below) can never return a list.

h3. Privileges

One needs {{CREATE USER}} privilege to create or drop a role. Or an appropriate (insert or delete) privilege on the {{mysql}} database.

One needs a role to be granted to himself to be able to grant or revoke it further.
{panel:title=Question|titleBGColor=#F7D6C1|bgColor=#FFFFCE}
Will we require traditional {{GRANT OPTION}} privilege to grant roles, or we'll go with the standard {{WITH ADMIN}} (which is an _option_ not a privilege)?
{panel}

h3. Existing statements need to work with roles

{noformat}
REVOKE privilege FROM { user | role }
GRANT privilege TO { user | role }
SHOW GRANTS FOR { user | role }
{noformat}

h3. New functions

{noformat}
CURRENT_ROLE
CURRENT_ROLE()
{noformat}

If there is no current role, the function returns {{NULL}}, not {{"NONE"}}.

h3. Informatinal tables

{noformat}
INFORMATION_SCHEMA.APPLICABLE_ROLES
INFORMATION_SCHEMA.ENABLED_ROLES
{noformat}

h3. Reserved role names

The role name of {{PUBLIC}} is reserved. There can be no role with this name. But this name can be used in {{GRANT}} and {{REVOKE}} statements as a grantee.Privileges granted to {{PUBLIC}} are always available to everyone. May be we won't implement it, though.

The role name of {{NONE}} is reserved too.

h3. Default role (optional)

Syntax variants (which ones we'll do?):

{noformat}
CREATE USER xxx DEFAULT ROLE yyy;
ALTER USER xxx DEFAULT ROLE yyy;
SET DEFAULT ROLE yyy;
SET DEFAULT ROLE yyy [ FOR xxx ];
{noformat}

When a default role is set, the server implicitly runs {{SET ROLE yyy}} for every new connection (or after a {{COM_CHANGE_USER}} for a user {{xxx}}.

h3. DEFINER=CURRENT_ROLE

Everywhere where one can write {{DEFINER=xxx}}, we should allow {{xxx}} to be a role name. And additionally we'll support {{DEFINER=CURRENT_ROLE}}.

Sergei Golubchik made changes - 2013-10-15 06:10

Description

h2.Roles
As (or close to) defined in the SQL:2003 standard.

h3. New statements
{noformat}
CREATE ROLE role
DROP ROLE role
GRANT role TO { user | user }
REVOKE role FROM {user | role }
SET ROLE { role_name | NONE }
{noformat}

According to the standard, role and user names live in the same namespace. But in MariaDB a user name has a mandatory {{@host}} part (even if it's {{@%}}). And we probably wouldn't want it for roles. So, practically, we will have users and roles in _different_ name spaces, with a little ambiguity, when a user name is specified without a {{@host}} part, where allowed. Alternatively, we can specify that a role name cannot match the first part of any user name. May be it'll be less confusing this way.

Only one role can be set to a user at any specific point in any given session. In other words, {{CURRENT_ROLE}} (see below) can never return a list.

h3. Privileges

One needs {{CREATE USER}} privilege to create or drop a role. Or an appropriate (insert or delete) privilege on the {{mysql}} database.

One needs a role to be granted to himself to be able to grant or revoke it further.
{panel:title=Question|titleBGColor=#F7D6C1|bgColor=#FFFFCE}
Will we require traditional {{GRANT OPTION}} privilege to grant roles, or we'll go with the standard {{WITH ADMIN}} (which is an _option_ not a privilege)?
{panel}

h3. Existing statements need to work with roles

{noformat}
REVOKE privilege FROM { user | role }
GRANT privilege TO { user | role }
SHOW GRANTS FOR { user | role }
{noformat}

h3. New functions

{noformat}
CURRENT_ROLE
CURRENT_ROLE()
{noformat}

If there is no current role, the function returns {{NULL}}, not {{"NONE"}}.

h3. Informatinal tables

{noformat}
INFORMATION_SCHEMA.APPLICABLE_ROLES
INFORMATION_SCHEMA.ENABLED_ROLES
{noformat}

h3. Reserved role names

The role name of {{PUBLIC}} is reserved. There can be no role with this name. But this name can be used in {{GRANT}} and {{REVOKE}} statements as a grantee.Privileges granted to {{PUBLIC}} are always available to everyone. May be we won't implement it, though.

The role name of {{NONE}} is reserved too.

h3. Default role (optional)

Syntax variants (which ones we'll do?):

{noformat}
CREATE USER xxx DEFAULT ROLE yyy;
ALTER USER xxx DEFAULT ROLE yyy;
SET DEFAULT ROLE yyy;
SET DEFAULT ROLE yyy [ FOR xxx ];
{noformat}

When a default role is set, the server implicitly runs {{SET ROLE yyy}} for every new connection (or after a {{COM_CHANGE_USER}} for a user {{xxx}}.

h3. DEFINER=CURRENT_ROLE

Everywhere where one can write {{DEFINER=xxx}}, we should allow {{xxx}} to be a role name. And additionally we'll support {{DEFINER=CURRENT_ROLE}}.

h2.Roles
As (or close to) defined in the SQL:2003 standard.

h3. New statements
{noformat}
CREATE ROLE role
DROP ROLE role
GRANT role TO { user | user }
REVOKE role FROM {user | role }
SET ROLE { role_name | NONE }
{noformat}

According to the standard, role and user names live in the same namespace. But in MariaDB a user name has a mandatory {{@host}} part (even if it's {{@%}}). And we probably wouldn't want it for roles. So, practically, we will have users and roles in _different_ name spaces, with a little ambiguity, when a user name is specified without a {{@host}} part, where allowed. Alternatively, we can specify that a role name cannot match the first part of any user name. May be it'll be less confusing this way.

Only one role can be set to a user at any specific point in any given session. In other words, {{CURRENT_ROLE}} (see below) can never return a list.

h3. Privileges

One needs {{CREATE USER}} privilege to create or drop a role. Or an appropriate (insert or delete) privilege on the {{mysql}} database.

One needs a role to be granted to himself {{WITH ADMIN OPTION}} to be able to grant or revoke it further. A creator or a role gets it automatically granted to himself {{WITH ADMIN CURRENT_USER}}. Alternatively, one can use {{WITH ADMIN CURRENT_ROLE}} or (with {{SUPER}} privilege) {{WITH ADMIN arbitrary_definer}}.

h3. Existing statements need to work with roles

{noformat}
REVOKE privilege FROM { user | role }
GRANT privilege TO { user | role }
SHOW GRANTS FOR { user | role }
{noformat}

h3. New functions

{noformat}
CURRENT_ROLE
CURRENT_ROLE()
{noformat}

If there is no current role, the function returns {{NULL}}, not {{"NONE"}}.

h3. Informatinal tables

{noformat}
INFORMATION_SCHEMA.APPLICABLE_ROLES
INFORMATION_SCHEMA.ENABLED_ROLES
{noformat}

h3. Reserved role names

The role name of {{PUBLIC}} is reserved. There can be no role with this name. But this name can be used in {{GRANT}} and {{REVOKE}} statements as a grantee.Privileges granted to {{PUBLIC}} are always available to everyone. May be we won't implement it, though.

The role name of {{NONE}} is reserved too.

h3. Default role (optional)

Syntax variants (which ones we'll do?):

{noformat}
CREATE USER xxx DEFAULT ROLE yyy;
ALTER USER xxx DEFAULT ROLE yyy;
SET DEFAULT ROLE yyy;
SET DEFAULT ROLE yyy [ FOR xxx ];
{noformat}

When a default role is set, the server implicitly runs {{SET ROLE yyy}} for every new connection (or after a {{COM_CHANGE_USER}} for a user {{xxx}}.

h3. DEFINER=CURRENT_ROLE

Everywhere where one can write {{DEFINER=xxx}}, we should allow {{xxx}} to be a role name. And additionally we'll support {{DEFINER=CURRENT_ROLE}}.

Sergei Golubchik made changes - 2013-10-15 06:11

Description

h2.Roles
As (or close to) defined in the SQL:2003 standard.

h3. New statements
{noformat}
CREATE ROLE role
DROP ROLE role
GRANT role TO { user | user }
REVOKE role FROM {user | role }
SET ROLE { role_name | NONE }
{noformat}

According to the standard, role and user names live in the same namespace. But in MariaDB a user name has a mandatory {{@host}} part (even if it's {{@%}}). And we probably wouldn't want it for roles. So, practically, we will have users and roles in _different_ name spaces, with a little ambiguity, when a user name is specified without a {{@host}} part, where allowed. Alternatively, we can specify that a role name cannot match the first part of any user name. May be it'll be less confusing this way.

Only one role can be set to a user at any specific point in any given session. In other words, {{CURRENT_ROLE}} (see below) can never return a list.

h3. Privileges

One needs {{CREATE USER}} privilege to create or drop a role. Or an appropriate (insert or delete) privilege on the {{mysql}} database.

One needs a role to be granted to himself {{WITH ADMIN OPTION}} to be able to grant or revoke it further. A creator or a role gets it automatically granted to himself {{WITH ADMIN CURRENT_USER}}. Alternatively, one can use {{WITH ADMIN CURRENT_ROLE}} or (with {{SUPER}} privilege) {{WITH ADMIN arbitrary_definer}}.

h3. Existing statements need to work with roles

{noformat}
REVOKE privilege FROM { user | role }
GRANT privilege TO { user | role }
SHOW GRANTS FOR { user | role }
{noformat}

h3. New functions

{noformat}
CURRENT_ROLE
CURRENT_ROLE()
{noformat}

If there is no current role, the function returns {{NULL}}, not {{"NONE"}}.

h3. Informatinal tables

{noformat}
INFORMATION_SCHEMA.APPLICABLE_ROLES
INFORMATION_SCHEMA.ENABLED_ROLES
{noformat}

h3. Reserved role names

The role name of {{PUBLIC}} is reserved. There can be no role with this name. But this name can be used in {{GRANT}} and {{REVOKE}} statements as a grantee.Privileges granted to {{PUBLIC}} are always available to everyone. May be we won't implement it, though.

The role name of {{NONE}} is reserved too.

h3. Default role (optional)

Syntax variants (which ones we'll do?):

{noformat}
CREATE USER xxx DEFAULT ROLE yyy;
ALTER USER xxx DEFAULT ROLE yyy;
SET DEFAULT ROLE yyy;
SET DEFAULT ROLE yyy [ FOR xxx ];
{noformat}

When a default role is set, the server implicitly runs {{SET ROLE yyy}} for every new connection (or after a {{COM_CHANGE_USER}} for a user {{xxx}}.

h3. DEFINER=CURRENT_ROLE

Everywhere where one can write {{DEFINER=xxx}}, we should allow {{xxx}} to be a role name. And additionally we'll support {{DEFINER=CURRENT_ROLE}}.

h2.Roles
As (or close to) defined in the SQL:2003 standard.

h3. New statements
{noformat}
CREATE ROLE role
DROP ROLE role
GRANT role TO { user | user }
REVOKE role FROM {user | role }
SET ROLE { role_name | NONE }
{noformat}

According to the standard, role and user names live in the same namespace. But in MariaDB a user name has a mandatory {{@host}} part (even if it's {{@%}}). And we probably wouldn't want it for roles. So, practically, we will have users and roles in _different_ name spaces, with a little ambiguity, when a user name is specified without a {{@host}} part, where allowed. Alternatively, we can specify that a role name cannot match the first part of any user name. May be it'll be less confusing this way.

Only one role can be set to a user at any specific point in any given session. In other words, {{CURRENT_ROLE}} (see below) can never return a list.

h3. Privileges

One needs {{CREATE USER}} privilege to create or drop a role. Or an appropriate (insert or delete) privilege on the {{mysql}} database.

One needs a role to be granted to himself {{WITH ADMIN OPTION}} to be able to grant or revoke it further. A creator of a role gets it automatically granted to himself {{WITH ADMIN CURRENT_USER}}. Alternatively, one can use {{WITH ADMIN CURRENT_ROLE}} or (with {{SUPER}} privilege) {{WITH ADMIN arbitrary_definer}}.

h3. Existing statements need to work with roles

{noformat}
REVOKE privilege FROM { user | role }
GRANT privilege TO { user | role }
SHOW GRANTS FOR { user | role }
{noformat}

h3. New functions

{noformat}
CURRENT_ROLE
CURRENT_ROLE()
{noformat}

If there is no current role, the function returns {{NULL}}, not {{"NONE"}}.

h3. Informatinal tables

{noformat}
INFORMATION_SCHEMA.APPLICABLE_ROLES
INFORMATION_SCHEMA.ENABLED_ROLES
{noformat}

h3. Reserved role names

The role name of {{PUBLIC}} is reserved. There can be no role with this name. But this name can be used in {{GRANT}} and {{REVOKE}} statements as a grantee.Privileges granted to {{PUBLIC}} are always available to everyone. May be we won't implement it, though.

The role name of {{NONE}} is reserved too.

h3. Default role (optional)

Syntax variants (which ones we'll do?):

{noformat}
CREATE USER xxx DEFAULT ROLE yyy;
ALTER USER xxx DEFAULT ROLE yyy;
SET DEFAULT ROLE yyy;
SET DEFAULT ROLE yyy [ FOR xxx ];
{noformat}

When a default role is set, the server implicitly runs {{SET ROLE yyy}} for every new connection (or after a {{COM_CHANGE_USER}} for a user {{xxx}}.

h3. DEFINER=CURRENT_ROLE

Everywhere where one can write {{DEFINER=xxx}}, we should allow {{xxx}} to be a role name. And additionally we'll support {{DEFINER=CURRENT_ROLE}}.

Sergei Golubchik made changes - 2013-10-19 05:50

Description

h2.Roles
As (or close to) defined in the SQL:2003 standard.

h3. New statements
{noformat}
CREATE ROLE role
DROP ROLE role
GRANT role TO { user | user }
REVOKE role FROM {user | role }
SET ROLE { role_name | NONE }
{noformat}

According to the standard, role and user names live in the same namespace. But in MariaDB a user name has a mandatory {{@host}} part (even if it's {{@%}}). And we probably wouldn't want it for roles. So, practically, we will have users and roles in _different_ name spaces, with a little ambiguity, when a user name is specified without a {{@host}} part, where allowed. Alternatively, we can specify that a role name cannot match the first part of any user name. May be it'll be less confusing this way.

Only one role can be set to a user at any specific point in any given session. In other words, {{CURRENT_ROLE}} (see below) can never return a list.

h3. Privileges

One needs {{CREATE USER}} privilege to create or drop a role. Or an appropriate (insert or delete) privilege on the {{mysql}} database.

One needs a role to be granted to himself {{WITH ADMIN OPTION}} to be able to grant or revoke it further. A creator of a role gets it automatically granted to himself {{WITH ADMIN CURRENT_USER}}. Alternatively, one can use {{WITH ADMIN CURRENT_ROLE}} or (with {{SUPER}} privilege) {{WITH ADMIN arbitrary_definer}}.

h3. Existing statements need to work with roles

{noformat}
REVOKE privilege FROM { user | role }
GRANT privilege TO { user | role }
SHOW GRANTS FOR { user | role }
{noformat}

h3. New functions

{noformat}
CURRENT_ROLE
CURRENT_ROLE()
{noformat}

If there is no current role, the function returns {{NULL}}, not {{"NONE"}}.

h3. Informatinal tables

{noformat}
INFORMATION_SCHEMA.APPLICABLE_ROLES
INFORMATION_SCHEMA.ENABLED_ROLES
{noformat}

h3. Reserved role names

The role name of {{PUBLIC}} is reserved. There can be no role with this name. But this name can be used in {{GRANT}} and {{REVOKE}} statements as a grantee.Privileges granted to {{PUBLIC}} are always available to everyone. May be we won't implement it, though.

The role name of {{NONE}} is reserved too.

h3. Default role (optional)

Syntax variants (which ones we'll do?):

{noformat}
CREATE USER xxx DEFAULT ROLE yyy;
ALTER USER xxx DEFAULT ROLE yyy;
SET DEFAULT ROLE yyy;
SET DEFAULT ROLE yyy [ FOR xxx ];
{noformat}

When a default role is set, the server implicitly runs {{SET ROLE yyy}} for every new connection (or after a {{COM_CHANGE_USER}} for a user {{xxx}}.

h3. DEFINER=CURRENT_ROLE

Everywhere where one can write {{DEFINER=xxx}}, we should allow {{xxx}} to be a role name. And additionally we'll support {{DEFINER=CURRENT_ROLE}}.

h2.Roles
As (or close to) defined in the SQL:2003 standard.

h3. New statements
{noformat}
CREATE ROLE role
DROP ROLE role
GRANT role TO { user | user }
REVOKE role FROM {user | role }
SET ROLE { role_name | NONE }
{noformat}

According to the standard, role and user names live in the same namespace. But in MariaDB a user name has a mandatory {{@host}} part (even if it's {{@%}}). And we probably wouldn't want it for roles. So, practically, we will have users and roles in _different_ name spaces, with a little ambiguity, when a user name is specified without a {{@host}} part, where allowed. Alternatively, we can specify that a role name cannot match the first part of any user name. May be it'll be less confusing this way.

Only one role can be set to a user at any specific point in any given session. In other words, {{CURRENT_ROLE}} (see below) can never return a list.

h3. Privileges

One needs {{CREATE USER}} privilege to create or drop a role. Or an appropriate (insert or delete) privilege on the {{mysql}} database.

One needs a role to be granted to himself {{WITH ADMIN OPTION}} to be able to grant or revoke it further. A creator of a role gets it automatically granted to himself {{WITH ADMIN CURRENT_USER}}. Alternatively, one can use {{WITH ADMIN CURRENT_ROLE}} or (with {{SUPER}} privilege) {{WITH ADMIN arbitrary_definer}}.

h3. Existing statements need to work with roles

{noformat}
REVOKE privilege FROM { user | role }
GRANT privilege TO { user | role }
SHOW GRANTS FOR { user | role }
{noformat}

h3. New functions

{noformat}
CURRENT_ROLE
CURRENT_ROLE()
{noformat}

If there is no current role, the function returns {{NULL}}, not {{"NONE"}}.

h3. Informational tables

{noformat}
INFORMATION_SCHEMA.APPLICABLE_ROLES
INFORMATION_SCHEMA.ENABLED_ROLES
{noformat}

there are more tables in the {{INFORMATION_SCHEMA}} that are relevant for roles. They are not part of this task.

h3. DEFINER=CURRENT_ROLE

Everywhere where one can write {{DEFINER=xxx}}, we should allow {{xxx}} to be a role name. And additionally we'll support {{DEFINER=CURRENT_ROLE}}.

h3. Reserved role names

The role name of {{PUBLIC}} is reserved. There can be no role with this name. But this name can be used in {{GRANT}} and {{REVOKE}} statements as a grantee.Privileges granted to {{PUBLIC}} are always available to everyone. Implementing it is not part of this task.

The role name of {{NONE}} is reserved too.

h3. Default role (not part of this task)

Syntax variants (which ones we'll do?):

{noformat}
CREATE USER xxx DEFAULT ROLE yyy;
ALTER USER xxx DEFAULT ROLE yyy;
SET DEFAULT ROLE yyy;
SET DEFAULT ROLE yyy [ FOR xxx ];
{noformat}

When a default role is set, the server implicitly runs {{SET ROLE yyy}} for every new connection (or after a {{COM_CHANGE_USER}} for a user {{xxx}}.

Sergei Golubchik made changes - 2013-10-21 17:55

Link

This issue blocks ~~MDEV-5164~~ [ ~~MDEV-5164~~ ]

Elena Stepanova made changes - 2013-10-21 21:22

Link

This issue relates to ~~MDEV-5166~~ [ ~~MDEV-5166~~ ]

Elena Stepanova made changes - 2013-10-22 19:10

Link

This issue relates to ~~MDEV-5170~~ [ ~~MDEV-5170~~ ]

Elena Stepanova made changes - 2013-10-23 01:43

Link

This issue relates to ~~MDEV-5172~~ [ ~~MDEV-5172~~ ]

Elena Stepanova made changes - 2013-10-23 12:41

Link

This issue relates to ~~MDEV-5175~~ [ ~~MDEV-5175~~ ]

Sergei Golubchik made changes - 2013-10-29 17:49

Resolution		Fixed [ 1 ]
Status	In Progress [ 3 ]	Closed [ 6 ]

Sergei Golubchik made changes - 2013-10-30 16:00

Link

This issue blocks ~~MDEV-5210~~ [ ~~MDEV-5210~~ ]

Sergei Golubchik made changes - 2013-10-30 16:01

Link

This issue blocks ~~MDEV-5210~~ [ ~~MDEV-5210~~ ]

Sergei Golubchik made changes - 2013-10-30 16:01

Link

This issue relates to ~~MDEV-5210~~ [ ~~MDEV-5210~~ ]

Sergei Golubchik made changes - 2013-10-30 16:02

Link

This issue relates to MDEV-5211 [ MDEV-5211 ]

Sergei Golubchik made changes - 2013-10-30 16:03

Link

This issue relates to MDEV-5212 [ MDEV-5212 ]

Sergei Golubchik made changes - 2013-10-30 16:06

Link

This issue relates to MDEV-5213 [ MDEV-5213 ]

Sergei Golubchik made changes - 2013-10-30 16:20

Link

This issue relates to ~~MDEV-5215~~ [ ~~MDEV-5215~~ ]

Elena Stepanova made changes - 2013-11-01 14:43

Link

This issue relates to ~~MDEV-5221~~ [ ~~MDEV-5221~~ ]

Elena Stepanova made changes - 2013-11-01 16:46

Link

This issue relates to ~~MDEV-5223~~ [ ~~MDEV-5223~~ ]

Elena Stepanova made changes - 2013-11-01 17:28

Link

This issue relates to ~~MDEV-5225~~ [ ~~MDEV-5225~~ ]

Elena Stepanova made changes - 2013-11-02 16:12

Link

This issue relates to ~~MDEV-5227~~ [ ~~MDEV-5227~~ ]

Elena Stepanova made changes - 2013-11-02 16:46

Link

This issue relates to MDEV-5228 [ MDEV-5228 ]

Sergei Golubchik made changes - 2013-11-04 14:11

Link

This issue relates to ~~MDEV-5232~~ [ ~~MDEV-5232~~ ]

Elena Stepanova made changes - 2013-11-04 18:46

Link

This issue relates to ~~MDEV-5237~~ [ ~~MDEV-5237~~ ]

Elena Stepanova made changes - 2013-11-04 19:16

Link

This issue relates to ~~MDEV-5238~~ [ ~~MDEV-5238~~ ]

Elena Stepanova made changes - 2014-02-13 00:21

Link

This issue relates to ~~MDEV-5668~~ [ ~~MDEV-5668~~ ]

Elena Stepanova made changes - 2014-02-13 11:32

Link

This issue relates to ~~MDEV-5669~~ [ ~~MDEV-5669~~ ]

Elena Stepanova made changes - 2014-03-01 20:50

Link

This issue relates to ~~MDEV-5771~~ [ ~~MDEV-5771~~ ]

Elena Stepanova made changes - 2014-03-01 20:52

Link

This issue relates to MDEV-5772 [ MDEV-5772 ]

Sergei Golubchik made changes - 2014-06-13 15:06

Workflow

defaullt [ 27002 ]

MariaDB v2 [ 44504 ]

Rasmus Johansson (Inactive) made changes - 2015-05-18 17:51

Workflow

MariaDB v2 [ 44504 ]

MariaDB v3 [ 66022 ]

Sergei Golubchik made changes - 2018-02-07 09:52

Link

This issue duplicates ~~MDEV-14444~~ [ ~~MDEV-14444~~ ]

Geoff Montee (Inactive) made changes - 2020-12-03 20:43

Link

This issue causes ~~MDEV-24345~~ [ ~~MDEV-24345~~ ]

Sergei Golubchik made changes - 2021-12-06 21:22

Workflow

MariaDB v3 [ 66022 ]

MariaDB v4 [ 132102 ]

People

Assignee:: Sergei Golubchik

Reporter:: Sergei Golubchik

Votes:: 0 Vote for this issue

Watchers:: 5 Start watching this issue

Dates

Created:: 2013-04-15 19:19

Updated:: 2020-12-03 20:43

Resolved:: 2013-10-29 17:49

Git Integration

Error rendering 'com.xiplink.jira.git.jira_git_plugin:git-issue-webpanel'. Please contact your Jira administrators.

MariaDB Server

Details

Description

Roles

New statements

Privileges

Existing statements need to work with roles

New functions

Informational tables

DEFINER=CURRENT_ROLE

Reserved role names

Default role (not part of this task)

Attachments

Issue Links

Activity

People

Dates

Git Integration