  1. MariaDB Server
  2. MDEV-5999

MySQL Bug#12766319 - 61865: RENAME USER DOES NOT WORK CORRECTLY - REQUIRES FLUSH PRIVILEGES

Details

    • 10.0.29, 10.0.30

    Description

      revno: 3690.1.180
      committer: gopal.shankar@oracle.com
      branch nick: mysql-flushpriv2
      timestamp: Thu 2012-03-29 00:20:54 +0530
      message:
        Bug#12766319 - 61865: RENAME USER DOES NOT WORK CORRECTLY -
                              REQUIRES FLUSH PRIVILEGES
       
        PROBLEM:
          RENAME USER does not work as expected when from_user contains just
        IP and to_user contains IP/MASK. Attempt to connect to MySQL using
        renamed user fails. Attempts to connect succeed only after command
        FLUSH PRIVILEGES.
       
        ANALYSIS:
          MySQL maintains access control list for users in global DYNAMIC ARRAY
        'acl_users'. This list is updated by acl_reload(), which loads 'acl_users'
        from mysql.user table.
       
          For faster search we maintain HASH acl_check_hosts, which contains
        user details with hostnames without any wild cards. All the users whose
        host name contains wild cards are stored in DYNAMIC_ARRAY acl_wild_hosts.
       
          ADD/DROP/RENAME user basically updates 'acl_users' along with mysql.user.
        At the end of these operations init_check_hosts() is called to update
        acl_check_hosts and acl_wild_cards based on 'acl_users'.
       
          During RENAME, when it updates 'acl_users' in handle_grant_struct(),
        hostname is copied into 'acl_users' list updating only ACL_USER->hostname
        but it does not update ACL_USER->host->ip, ACL_USER->host->ip_mask. This
        is the root cause for this bug.
       
          FLUSH PRIVILEGES command invokes acl_reload(). This function updates all
        members of ACL_USER->host (including ip and ip_mask). Hence attempts to connect
        to MySQL succeed thereafter.
       
        FIX:
          Make changes to handle_grant_struct() to properly update ACL_USER->host->ip,
        ACL_USER->host->ip_mask. This is done using existing update_hostname().
       
        Note:
          In addition to the fix described above, the code related to acl_host_and_ip is
        modified. The new code helps avoid doing similar mistakes, of updating
        hostname, without updating ip_mask. These changes also improve the related code.
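
The stale-cache failure described in the commit message above, as an added C example that is not code from MySQL or MariaDB: a simplified model in which a host entry caches `ip` and `ip_mask` next to its hostname text. All names (`host_entry`, `set_host`, `rename_hostname_only`, `host_matches`) and the sample addresses are hypothetical, and the matching rule is an assumption made for illustration.

```c
#include <stdio.h>
#include <string.h>
/* Simplified model of a cached ACL host entry (hypothetical names). */
struct host_entry { char hostname[64]; unsigned long ip, ip_mask; };

/* Parse dotted-quad text that must end at `end`; returns 1 on success. */
static int parse_ip(const char *s, char end, unsigned long *out) {
    unsigned a, b, c, d; int n = 0;
    if (sscanf(s, "%u.%u.%u.%u%n", &a, &b, &c, &d, &n) != 4 || s[n] != end ||
        a > 255 || b > 255 || c > 255 || d > 255) return 0;
    *out = ((unsigned long)a << 24) | (b << 16) | (c << 8) | d;
    return 1;
}

/* Complete update: hostname text and the derived ip/ip_mask change together. */
static void set_host(struct host_entry *h, const char *name) {
    const char *slash = strchr(name, '/');
    snprintf(h->hostname, sizeof h->hostname, "%s", name);
    if (slash && parse_ip(name, '/', &h->ip) &&
        parse_ip(slash + 1, '\0', &h->ip_mask)) return;
    h->ip = h->ip_mask = 0;                      /* not a masked IP */
}

/* Incomplete update, as the commit message describes: text only. */
static void rename_hostname_only(struct host_entry *h, const char *name) {
    snprintf(h->hostname, sizeof h->hostname, "%s", name);
}

/* Connection check: masked compare when a mask is cached, else exact text. */
static int host_matches(const struct host_entry *h, const char *client_ip) {
    unsigned long ip;
    if (h->ip_mask && parse_ip(client_ip, '\0', &ip))
        return (ip & h->ip_mask) == h->ip;
    return strcmp(h->hostname, client_ip) == 0;
}

/* Rename a plain-IP entry to IP/MASK, then test a client inside the subnet. */
static int login_after_rename(int complete_update) {
    struct host_entry h;
    set_host(&h, "192.168.1.7");                 /* constructed sample values */
    if (complete_update) set_host(&h, "192.168.1.0/255.255.255.0");
    else rename_hostname_only(&h, "192.168.1.0/255.255.255.0");
    return host_matches(&h, "192.168.1.42");
}

int main(void) {
    printf("text-only: %d, complete: %d\n", login_after_rename(0), login_after_rename(1));
    return 0;
}
```

With the text-only rename the cached mask stays 0, so the client address is compared against the literal `IP/MASK` string and is rejected until the entry is rebuilt from scratch.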

            People

              serg Sergei Golubchik
              svoj Sergey Vojtovich