Uploaded image for project: 'MariaDB Server'
  1. MariaDB Server
  2. MDEV-5227

Resolve the ambiguity between user and role names as mentioned in MDEV-4397

Details

    Description

      MDEV-4397 (Roles) says that there is expected ambiguity between role names and user names, and also mentions a possible solution for that ("we can specify that a role name cannot match the first part of any user name."). It hasn't been done, please consider implementing it or something similar; the way it works now is indeed a bit confusing and somewhat disturbing, e.g.

      create user manager;
      		 
      grant all on db1.* to manager; # grant goes to the user manager@'%'
      		 
      create role manager;
      		 
      grant all on db2.* to manager; # grant goes to the role manager

      etc.

      Attachments

        Issue Links

          relates to

          Task - A task that needs to be done. MDEV-4397 Roles

          • Major - Major loss of function.
          • Closed

          Task - A task that needs to be done. MDEV-5164 Testing Roles

          • Minor - Minor loss of function, or other problem where easy workaround is present.
          • Closed

          Activity

            Ascending order - Click to sort in descending order
            elenst Elena Stepanova added a comment - - edited

            Here is Peter's opinion on the subject, mentioned in his blog (http://ocelot.ca/blog/blog/2014/01/12/roles-review/):

            Here's the third bug: if a user and a role have the same name, GRANT only works on the role. If I say

            CREATE USER u_1;
            CREATE ROLE u_1;
            GRANT INSERT ON . TO u_1;
            SELECT host,user,insert_priv,is_role FROM mysql.user WHERE mysql.user.user='u_1';

            I'd expect that INSERT would be granted to both the user and the role. It's not, it's granted only to the role. Moral: users and roles should not have the same names!

            elenst Elena Stepanova added a comment - - edited Here is Peter's opinion on the subject, mentioned in his blog ( http://ocelot.ca/blog/blog/2014/01/12/roles-review/): Here's the third bug: if a user and a role have the same name, GRANT only works on the role. If I say CREATE USER u_1; CREATE ROLE u_1; GRANT INSERT ON . TO u_1; SELECT host,user,insert_priv,is_role FROM mysql.user WHERE mysql.user.user='u_1'; I'd expect that INSERT would be granted to both the user and the role. It's not, it's granted only to the role. Moral: users and roles should not have the same names!
            serg Sergei Golubchik added a comment -

            there's no user manager, there's a user manager@%. Omitting the host name is a shortcut, which only works if it doesn't create an ambiguity.

            serg Sergei Golubchik added a comment - there's no user manager , there's a user manager@% . Omitting the host name is a shortcut, which only works if it doesn't create an ambiguity.

            People

              Unassigned Unassigned
              elenst Elena Stepanova
              Votes:
              0 Vote for this issue
              Watchers:
              3 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved:

                Git Integration

                  Error rendering 'com.xiplink.jira.git.jira_git_plugin:git-issue-webpanel'. Please contact your Jira administrators.