Details

    Description

      Implement the standard behavior for

      GRANT xxx TO PUBLIC;
      REVOKE xxx FROM PUBLIC;

      Also, this statement is supposed to work:

      SHOW GRANTS FOR PUBLIC;

      And these should not

      CREATE ROLE PUBLIC;
      DROP ROLE PUBLIC;
      SET ROLE PUBLIC;
      GRANT PUBLIC TO xxx;
      REVOKE PUBLIC FROM xxx;

      Note that

      SHOW GRANTS FOR xxx;

      should not list roles and privileges granted to PUBLIC (unless granted to xxx too), but

      SHOW GRANTS;

      should, arguably, list them.

      Attachments

        Issue Links

          Activity

            No, PUBLIC role isn't sufficient. It can allow everyone to access test db, but it won't allow just anyone to connect. If you want an anonymous user, you need to it with CREATE USER ''@'%'

            serg Sergei Golubchik added a comment - No, PUBLIC role isn't sufficient. It can allow everyone to access test db, but it won't allow just anyone to connect. If you want an anonymous user, you need to it with CREATE USER ''@'%'

            abc294fab44 on bb-10.11-MDEV-5215 okay to push

            angelique.sklavounos Angelique Sklavounos (Inactive) added a comment - abc294fab44 on bb-10.11- MDEV-5215 okay to push
            dlenski Daniel Lenski (Inactive) added a comment - - edited

            serg, we are very confused by the code changes linked to this JIRA (cc tingynia):

            What is/was the goal of these changes?

            In the next release, do you actually intend to require that each individual test files does GRANT ALL ON test.*, or not?

            dlenski Daniel Lenski (Inactive) added a comment - - edited serg , we are very confused by the code changes linked to this JIRA (cc tingynia ): In the commit MDEV-5215 prerequisite: remove test and test_* database hacks in the test suite , you removed the grants from the test database , requiring each individual test to GRANT ALL ON test.* TO mysqltest@localhost . In the subsequent commit Add magic database access to test and test_% and removing the script , you restored the grants in the script … but at the same time you stopped calling the script* from mariadb-test-run.pl : The latter change seemingly renders the former one ineffectual What is/was the goal of these changes? In the next release, do you actually intend to require that each individual test files does GRANT ALL ON test.* , or not?

            Correct, tests have to include GRANT ALL ON test.* as needed. For the majority of the tests it's not needed, as they're run under the root user anyway. Tests that create new users might need to grant all needed privileges explicitly to these new users. There were actually few bugs in tests because newly created users were automatically be able to do something.

            The second commit restores access to test and test_% (using the new PUBLIC feature) — the intention here is to restore the historical behavior for normal usage, in bintar and rpm installations of MariaDB, but not restore it for the test suite.

            serg Sergei Golubchik added a comment - Correct, tests have to include GRANT ALL ON test.* as needed. For the majority of the tests it's not needed, as they're run under the root user anyway. Tests that create new users might need to grant all needed privileges explicitly to these new users. There were actually few bugs in tests because newly created users were automatically be able to do something. The second commit restores access to test and test_% (using the new PUBLIC feature) — the intention here is to restore the historical behavior for normal usage, in bintar and rpm installations of MariaDB, but not restore it for the test suite.

            Tests that create new users might need to grant all needed privileges explicitly to these new users. There were actually few bugs in tests because newly created users were automatically be able to do something.

            Ah, thank you very much for clarifying, serg. Now this totally makes sense! If we need to test the privilege environment of new users, then magically/automatically having certain privilege will get in the way of realistic testing of those privileges.

            Okay, so we can expect that GRANT ALL ON test.* will be needed for non-root users going forward. Thanks!

            dlenski Daniel Lenski (Inactive) added a comment - Tests that create new users might need to grant all needed privileges explicitly to these new users. There were actually few bugs in tests because newly created users were automatically be able to do something. Ah, thank you very much for clarifying, serg . Now this totally makes sense! If we need to test the privilege environment of new users, then magically/automatically having certain privilege will get in the way of realistic testing of those privileges. Okay, so we can expect that GRANT ALL ON test.* will be needed for non-root users going forward. Thanks!

            People

              sanja Oleksandr Byelkin
              serg Sergei Golubchik
              Votes:
              1 Vote for this issue
              Watchers:
              14 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved:

                Git Integration

                  Error rendering 'com.xiplink.jira.git.jira_git_plugin:git-issue-webpanel'. Please contact your Jira administrators.