Details
Bug
Status: Closed
Major
Resolution: Won't Fix
Description
If a session has set a role X, revoking this role X from the user does not revoke the grants it provided.
I am not 100% sure whether it's design or oversight, but I suspect the latter because a) revoking the grants from the role does revoke them from an open session; b) dropping the role also revokes the grants from an open session. However, it's obviously not practical to modify a role this way if you only want to deny it for a particular user, and do it immediately.
Test case:
--enable_connect_log

create database db1;

create user user1@localhost;
create role role1;
grant role1 to user1@localhost;
grant all on db1.* to role1;

--connect (con1,localhost,user1,,)

set role role1;
show grants;

create table db1.t1 (i int);

--connection default

revoke role1 from user1@localhost;

--connection con1

show grants;

drop table db1.t1;
Output:
create database db1;
create user user1@localhost;
create role role1;
grant role1 to user1@localhost;
grant all on db1.* to role1;
connect con1,localhost,user1,,;
set role role1;
show grants;
Grants for user1@localhost
GRANT role1 TO 'user1'@'localhost'
GRANT USAGE ON *.* TO 'user1'@'localhost'
GRANT USAGE ON *.* TO 'role1'
GRANT ALL PRIVILEGES ON `db1`.* TO 'role1'
create table db1.t1 (i int);
connection default;
revoke role1 from user1@localhost;
connection con1;
show grants;
Grants for user1@localhost
GRANT USAGE ON *.* TO 'user1'@'localhost'
GRANT USAGE ON *.* TO 'role1'
GRANT ALL PRIVILEGES ON `db1`.* TO 'role1'
drop table db1.t1;

revision-id: sergii@pisem.net-20131020232702-db6ekuk4lz0itg1b
revno: 3892
branch-nick: 10.0-serg
BUILD/compile-pentium-debug-max-no-ndb
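
Since the report is closed as Won't Fix, one way to make a role revoke take effect immediately for a single user is to end that user's open sessions right after the revoke. The following is an added example, not part of the original report; it reuses the names from the test case and assumes an account that is permitted to revoke roles and to kill other users' connections.

```sql
-- Added example (not from the report). Names match the report's test case.

-- 1. Remove the role mapping. From this point a new SET ROLE role1 by
--    user1@localhost is rejected, but sessions that already activated
--    role1 keep its privileges, as the test output above shows.
REVOKE role1 FROM user1@localhost;

-- 2. List the user's current sessions. PROCESSLIST has no column for a
--    session's active role, so every listed session has to be treated as
--    possibly still running with role1.
SELECT ID, USER, HOST, DB, COMMAND, TIME
  FROM information_schema.PROCESSLIST
 WHERE USER = 'user1';

-- 3. Terminate all of that user's connections (MariaDB KILL USER syntax).
--    The active role lives in the session, so it ends with the connection.
KILL USER user1@localhost;

-- 4. Check from a fresh connection as user1@localhost:
--      SET ROLE role1;      -- now fails, the role is no longer granted
--      SHOW GRANTS;         -- no longer lists role1 or its db1.* grants
```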