Details
-
Bug
-
Status: Closed (View Workflow)
-
Minor
-
Resolution: Not a Bug
-
10.0.11-galera
-
None
-
None
-
None
Description
When granting privileges on a set of databases using wildcards including '\_' with 'grant option' to a user this user may create new databases according to the pattern but cannot grant privileges to other users.
Excerpt from http://dev.mysql.com/doc/refman/5.5/en/grant.html:
The “” and “%” wildcards are permitted when specifying database names in GRANT statements that grant privileges at the global or database levels. This means, for example, that if you want to use a “” character as part of a database name, you should specify it as “_” in the GRANT statement, to prevent the user from being able to access additional databases matching the wildcard pattern; for example, GRANT ... ON `foo_bar`.* TO
So when executing as root/admin user
grant all on `%\_bar` to user with grant option |
I would expect the user to be able to create a database foo_bar (which works just fine) and then be able to grant privileges to other users. Instead an access denied error is reported ERROR 1044 (42000): Access denied for user 'user'@'%' to database 'foo_bar'
When I change the db pattern to '%_bar', granting privileges works as expected.
Logged in as admin user:
grant all on `%_bar` to user with grant option |
Logged in as 'user'
MariaDB [none]> create database foo_bar; |
Query OK, 1 row affected (0.00 sec)
|
MariaDB [none]> grant all on foo_bar.* to otheruser; |
Query OK, 0 rows affected (0.00 sec) |
After this 'otheruser' can work with database foo_bar. However, this workaround will allow 'user' to create databases such as 'abar' which is not intended.