MariaDB Server

MDEV-5175: Revoking a role does not revoke corresponding grants from open sessions


    Details

    • Type: Bug
    • Status: Closed (View Workflow)
    • Priority: Major
    • Resolution: Won't Fix
    • Affects Version/s: None
    • Fix Version/s: 10.0.5
    • Component/s: None
    • Labels: None

      Description

      If a session has set a role X, revoking this role X from the user does not revoke the grants it provided.
      I am not 100% sure whether it's design or oversight, but I suspect the latter because a) revoking the grants from the role does revoke them from an open session; b) dropping the role also revokes the grants from an open session. However, it's obviously not practical to modify a role this way if you only want to deny it for a particular user, and do it immediately.

      Test case:

      --enable_connect_log
       
      create database db1;
       
      create user user1@localhost;
      create role role1;
      grant role1 to user1@localhost;
      grant all on db1.* to role1;
       
      --connect (con1,localhost,user1,,)
      set role role1;
      show grants;
      create table db1.t1 (i int);
       
      --connection default
      revoke role1 from user1@localhost;
       
      --connection con1
      show grants;
      drop table db1.t1;

      Output:

      create database db1;
      create user user1@localhost;
      create role role1;
      grant role1 to user1@localhost;
      grant all on db1.* to role1;
      connect  con1,localhost,user1,,;
      set role role1;
      show grants;
      Grants for user1@localhost
      GRANT role1 TO 'user1'@'localhost'
      GRANT USAGE ON *.* TO 'user1'@'localhost'
      GRANT USAGE ON *.* TO 'role1'
      GRANT ALL PRIVILEGES ON `db1`.* TO 'role1'
      create table db1.t1 (i int);
      connection default;
      revoke role1 from user1@localhost;
      connection con1;
      show grants;
      Grants for user1@localhost
      GRANT USAGE ON *.* TO 'user1'@'localhost'
      GRANT USAGE ON *.* TO 'role1'
      GRANT ALL PRIVILEGES ON `db1`.* TO 'role1'
      drop table db1.t1;

      revision-id: sergii@pisem.net-20131020232702-db6ekuk4lz0itg1b
      revno: 3892
      branch-nick: 10.0-serg
      BUILD/compile-pentium-debug-max-no-ndb
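      The administrator-side workaround implied by the report, as an added example that is not part of this issue or of MariaDB's own test suite: revoke the role, then terminate the affected user's open connections so that no session keeps the role's privileges. It assumes the report's names (user1@localhost, role1, db1) and relies on information_schema.PROCESSLIST and KILL CONNECTION, which require the privileges to inspect and kill other users' connections.

```sql
-- Added example (not from the MDEV-5175 report): make a role revocation
-- take effect immediately by terminating the affected user's sessions.
-- Assumes the report's names: user1@localhost, role1, db1.

-- 1. Revoke the role. As the report shows, a session that has already run
--    SET ROLE role1 keeps role1's privileges until it disconnects.
REVOKE role1 FROM user1@localhost;

-- 2. Find the open connections belonging to user1@localhost.
--    HOST carries a port suffix for TCP clients, hence the LIKE pattern.
SELECT ID, USER, HOST, DB, COMMAND, TIME
  FROM information_schema.PROCESSLIST
 WHERE USER = 'user1' AND HOST LIKE 'localhost%';

-- 3. Generate one KILL CONNECTION statement per connection found ...
SELECT CONCAT('KILL CONNECTION ', ID, ';') AS kill_stmt
  FROM information_schema.PROCESSLIST
 WHERE USER = 'user1' AND HOST LIKE 'localhost%';

-- 4. ... and execute them (the ids are whatever step 3 returned, e.g.):
-- KILL CONNECTION 42;

-- 5. Once user1 reconnects, the role is no longer available:
--    SET ROLE role1 fails and SHOW GRANTS lists only USAGE,
--    matching the second SHOW GRANTS output in the report.

-- Alternatives named in the report: revoking the privileges from the role,
-- or dropping the role, is reflected in open sessions immediately, but
-- either one affects every user holding role1, not only user1.
REVOKE ALL PRIVILEGES ON db1.* FROM role1;
```

      Step 4 is the only part that cannot be a single static statement: KILL takes one connection id, so the ids are read from the PROCESSLIST query and killed one by one. Until that is done, the revocation visible in the mysql.roles_mapping table and the privileges actually enforced in user1's existing session differ, which is exactly the gap the report describes.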

      People

      Assignee: Sergei Golubchik (serg)
      Reporter: Elena Stepanova (elenst)