MariaDB Server / MDEV-9580

SHOW GRANTS FOR <current_user> fails

Details

    • 10.0.25

    Description

      If <user> does not have SELECT privilege on the `mysql` database and <user> is the current user, the "SHOW GRANTS FOR <user>" (without hostname specified) statement fails with:

      1044: Access denied for user '<user>'@'%' to database 'mysql'

      This can be reproduced with the following test:

      CREATE USER test;
      connect (conn_1, localhost, test,,);
      SHOW GRANTS FOR test;

      This worked in 10.0.12, and seems to have been broken as part of the fix for MDEV-6625.

        Activity

          elenst Elena Stepanova added a comment -

          I'm not sure it's a bug. It was ambiguous before, and much more so now when we also have roles (but the problem with roles has already been filed as MDEV-5227). It would be much cleaner if it always required to specify full name (or no name at all).

          Anyway, I'm assigning it to serg to decide if it needs to be fixed.

          jeremycole Jeremy Cole added a comment -

          Elena,

          The syntax is ambiguous in terms of meaning, but documented. This syntax has existed since the beginning of time; it can't be arbitrarily broken in a minor version upgrade in a supposedly stable release. While it's fine to argue about whether the syntax looks good or not (and I agree that it doesn't, really), it has existed since forever, it previously worked, and should not be broken in this way.

          Regards,

          Jeremy

          serg Sergei Golubchik added a comment -

          This is a bug.

          SHOW GRANTS FOR test

          should resolve the ambiguity of test like other commands do, for example

          GRANT SELECT ON *.* TO test

          davidgow David Gow added a comment -

          Thanks Sergei, resolving the ambiguity in the same way as GRANT would fix our tests.

          FWIW, we're currently working around this issue with the attached patch: 0001-Hacky-fix-for-MDEV-9580-SHOW-GRANTS-should-work-for-.patch.
          This works for our use case (which doesn't use roles), but hasn't been tested more widely. At the very least, it changes a few of the reported errors when using "SHOW GRANTS FOR CURRENT_ROLE()".

          All the best,
          — David

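A regression test in the same mysqltest form as the reproduction in the description, added here as an example; it is not part of the issue, the attached patch, or the MariaDB test suite. It extends the reported case with the other ways of naming the current account and with a negative control, so that a fix resolving the bare name the way GRANT does is also checked for not exposing another account's grants. The account `other` is a constructed name, and the test assumes the login as `test` is matched to 'test'@'%' (no more specific account row exists).

```sql
# Constructed mysqltest case. Account names are sample values.
# A bare name in CREATE USER is stored with host '%'.
CREATE USER test;
CREATE USER other;

# Neither account is given any privilege on the mysql database.
connect (conn_1, localhost, test,,);

# Forms that name no account, or name it through CURRENT_USER:
# these return the session's own grants.
SHOW GRANTS;
SHOW GRANTS FOR CURRENT_USER;
SHOW GRANTS FOR CURRENT_USER();

# The current account, fully qualified.
SHOW GRANTS FOR 'test'@'%';

# The form from the report. With the host defaulted to '%', as GRANT
# resolves it, this is the same account as the statement above and is
# expected to return the same rows instead of error 1044.
SHOW GRANTS FOR test;

# Negative control: a different account's grants still require SELECT
# on the mysql database, so this lookup must keep failing with 1044.
--error ER_DBACCESS_DENIED_ERROR
SHOW GRANTS FOR other;

# The same lookup from the default (privileged) connection succeeds,
# which shows the denial above comes from the privilege check and not
# from a missing account.
connection default;
SHOW GRANTS FOR other;

# Clean up.
disconnect conn_1;
DROP USER test;
DROP USER other;
```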

          People

            serg Sergei Golubchik
            davidgow David Gow