Uploaded image for project: 'MariaDB Server'
  1. MariaDB Server
  2. MDEV-5232

SET ROLE checks privileges differently from check_access()

Details

    • Bug
    • Status: Closed (View Workflow)
    • Major
    • Resolution: Fixed
    • None
    • 10.0.5
    • None
    • None

    Description

      Test case:

      create user ''@localhost;
      		 
      create user c;
      		 
      grant select on mysql.* to c;
      		 
      create role r1;
      		 
      grant r1 to c;
      		 
      connect (c,localhost,c,,,,,);
      		 
      select user(), current_user();
      		 
      --error ER_TABLEACCESS_DENIED_ERROR
      		 
      select user from mysql.user group by user;
      		 
      set role r1;
      		 
      disconnect c;
      		 
      connection default;
      		 
      drop role r1;
      		 
      drop user c;
      		 
      drop user ''@localhost;

      Note that SELECT fails, while SET ROLE succeeds. Both grants were to c@%.

      Attachments

        Issue Links

          relates to

          Bug - A problem which impairs or prevents the functions of the product. MDEV-5233 inconsistent check_access()

          • Major - Major loss of function.
          • Open

          Task - A task that needs to be done. MDEV-4397 Roles

          • Major - Major loss of function.
          • Closed

          Activity

            Ascending order - Click to sort in descending order
            serg Sergei Golubchik created issue -
            serg Sergei Golubchik made changes -
            Field Original Value New Value
            serg Sergei Golubchik made changes -
            Description Test case:
            {code:sql}
            create user ''@localhost;
            create user c;
            grant select on mysql.* to c;
            create role r1;
            grant r1 to c;
            connect (c,localhost,c,,,,,);
            select user(), current_user();
            --error ER_TABLEACCESS_DENIED_ERROR
            select user from mysql.user group by user;
            set role r1;
            disconnect c;
            connection default;
            drop role r1;
            drop user c;
            drop user ''@localhost;
            {code}             		Test case:
            {code:sql}
            create user ''@localhost;
            create user c;
            grant select on mysql.* to c;
            create role r1;
            grant r1 to c;
            connect (c,localhost,c,,,,,);
            select user(), current_user();
            --error ER_TABLEACCESS_DENIED_ERROR
            select user from mysql.user group by user;
            set role r1;
            disconnect c;
            connection default;
            drop role r1;
            drop user c;
            drop user ''@localhost;
            {code}

            Note that {{SELECT}} fails, while {{SET ROLE}} succeeds. Both grants were to {{c@%}}.
            serg Sergei Golubchik made changes -
            serg Sergei Golubchik made changes -
            Status Open [ 1 ] In Progress [ 3 ]
            serg Sergei Golubchik made changes -
            Resolution Fixed [ 1 ]
            Status In Progress [ 3 ] Closed [ 6 ]
            serg Sergei Golubchik made changes -
            Workflow defaullt [ 29600 ] MariaDB v2 [ 44646 ]
            ratzpo Rasmus Johansson (Inactive) made changes -
            Workflow MariaDB v2 [ 44646 ] MariaDB v3 [ 64008 ]
            serg Sergei Golubchik made changes -
            Workflow MariaDB v3 [ 64008 ] MariaDB v4 [ 147192 ]

            People

              serg Sergei Golubchik
              serg Sergei Golubchik
              Votes:
              0 Vote for this issue
              Watchers:
              1 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved:

                Git Integration

                  Error rendering 'com.xiplink.jira.git.jira_git_plugin:git-issue-webpanel'. Please contact your Jira administrators.