[MDEV-5772] Granting multiple roles in single statement does not work - Jira

Details

Type: Bug
Status: Open (View Workflow)
Priority: Minor
Resolution: Unresolved
Affects Version/s: 10.0.8
Fix Version/s: 10.1(EOL)
Component/s: None
Labels:
- foundation

Description

One can create several roles at once:

MariaDB [test]> create role r1, r2;

Query OK, 0 rows affected (0.01 sec)

One can grant multiple privileges to multiple users at once:

MariaDB [test]> grant SELECT,INSERT on db.* to foo@localhost, bar@localhost;

Query OK, 0 rows affected (0.00 sec)

But one cannot grant multiple roles at once:

MariaDB [test]> grant r1, r2 to foo@localhost;

ERROR 1064 (42000): You have an error in your SQL syntax; check the manual that corresponds to your MariaDB server version for the right syntax to use near ' r2 to foo@localhost' at line 1

SQL standard seems to think that it should work.

Attachments

Issue Links

relates to

MDEV-4397 Roles

Closed

MDEV-5164 Testing Roles

Closed

MDEV-5669 Possible inconsistencies or lack of documentation in role privilege grants and propogation

Closed

Activity

Ascending order - Click to sort in descending order

Vicențiu Ciorbaru added a comment - 2015-03-02 18:23 - edited

I've started working on this and I'm somewhat stuck at the moment with the following grammar extension issue:

I've redefined GRANT grant_role TO .... to
GRANT role_list TO ...
This leads to 7 reduce/reduce conflicts, because:

We define

object_privilege_list as:

object_privilege_list:

      object_privilege

    | object_privilege_list ',' object_privilege

role_list as:

role_list:

      grant_role

    | role_list ',' grant_role

Within these two rules we allow for keywords such as EVENT, EXECUTE, FILE, PROCESS, RELOAD, SHUTDOWN.

Technically, the two grant statements should be unambigous:

GRANT EVENT, EXECUTE ON .....

GRANT EVENT, EXECUTE TO .....

These 2 statements are different. The first one refers to object privileges, while the other one refers to role grants. Bison finds these to be ambiguous because it needs to make a decision on which rule (object_privilege_list or role_list) to use, when it encounters the ',' (comma) token.
The decision would be clear, if the parser would look for the TO or ON keyword, but the lookahead token only looks forward one step.

Possible solutions:
Do not allow EVENT, EXECUTE, FILE, etc. as role names. (It will break people's existing databases on update).
Redefine both rules to account for this overlap. The downside to this approach is that it requires a pretty big amount of changes.

Vicențiu Ciorbaru added a comment - 2015-03-02 18:23 - edited I've started working on this and I'm somewhat stuck at the moment with the following grammar extension issue: I've redefined GRANT grant_role TO .... to GRANT role_list TO ... This leads to 7 reduce/reduce conflicts, because: We define object_privilege_list as: object_privilege_list: object_privilege | object_privilege_list ',' object_privilege role_list as: role_list: grant_role | role_list ',' grant_role Within these two rules we allow for keywords such as EVENT, EXECUTE, FILE, PROCESS, RELOAD, SHUTDOWN. Technically, the two grant statements should be unambigous: GRANT EVENT, EXECUTE ON ..... GRANT EVENT, EXECUTE TO ..... These 2 statements are different. The first one refers to object privileges, while the other one refers to role grants. Bison finds these to be ambiguous because it needs to make a decision on which rule (object_privilege_list or role_list) to use, when it encounters the ',' (comma) token. The decision would be clear, if the parser would look for the TO or ON keyword, but the lookahead token only looks forward one step. Possible solutions: Do not allow EVENT, EXECUTE, FILE, etc. as role names. (It will break people's existing databases on update). Redefine both rules to account for this overlap. The downside to this approach is that it requires a pretty big amount of changes.

Sergei Golubchik added a comment - 2015-03-02 21:52

I wouldn't like the first solution. The second is straightforward, but requires a notable amount of changes. Like, create one rule that accepts a list of identifiers or privileges. Create a structure that can accumulate that list and at the end — when you see ON or TO — decide how to parse it. There are details, like having a column list forces the structure to be interpreted as a list of privileges, etc. One would need to remember positions in the list for every word t be able to do correct error messages. All in all not while not complex, but still a big change.

Taking into account that this is a minor task, I'd postpone it.

Sergei Golubchik added a comment - 2015-03-02 21:52 I wouldn't like the first solution. The second is straightforward, but requires a notable amount of changes. Like, create one rule that accepts a list of identifiers or privileges. Create a structure that can accumulate that list and at the end — when you see ON or TO — decide how to parse it. There are details, like having a column list forces the structure to be interpreted as a list of privileges, etc. One would need to remember positions in the list for every word t be able to do correct error messages. All in all not while not complex, but still a big change. Taking into account that this is a minor task, I'd postpone it.

Vicențiu Ciorbaru added a comment - 2015-03-02 22:12

I agree that the first option is rather undesirable. I thought that there might be a simpler implementation but I guess there isn't one. I'll keep it as a back burner.

Vicențiu Ciorbaru added a comment - 2015-03-02 22:12 I agree that the first option is rather undesirable. I thought that there might be a simpler implementation but I guess there isn't one. I'll keep it as a back burner.

People

Assignee:: Vicențiu Ciorbaru

Reporter:: Elena Stepanova

Votes:: 0 Vote for this issue

Watchers:: 5 Start watching this issue

Dates

Created:: 2014-03-01 20:52

Updated:: 2025-02-06 07:19

Git Integration

Error rendering 'com.xiplink.jira.git.jira_git_plugin:git-issue-webpanel'. Please contact your Jira administrators.

MariaDB Server