[MDEV-10366] Dropped user's sessions are not killed automatically Created: 2016-07-12  Updated: 2016-07-15  Resolved: 2016-07-15

Status: Closed
Project: MariaDB Server
Component/s: Authentication and Privilege System
Affects Version/s: 10.1.13
Fix Version/s: N/A

Type: Bug Priority: Minor
Reporter: Robin Peiremans Assignee: Unassigned
Resolution: Not a Bug Votes: 0
Labels: None


 Description   

MariaDB allows you to drop a user while that user has active sessions. When the user is dropped, it can continue querying like nothing ever happened, even after flushing privileges:

--user is logged in and can query tables
 
MariaDB [mysql]> select count(*) from user;
 
+----------+
 
| count(*) |
 
+----------+
 
|       25 |
 
+----------+
 
1 row in set (0.00 sec)
 
 
 
--user is then dropped by an admin
 
MariaDB [mysql]> drop user user_to_be_dropped@localhost;
 
Query OK, 0 rows affected (0.00 sec)
 
 
 
--user can continue querying
 
MariaDB [mysql]> select count(*) from user;
 
+----------+
 
| count(*) |
 
+----------+
 
|       24 |
 
+----------+
 
1 row in set (0.00 sec)
 
 
 
--Even after flushing privileges
 
MariaDB [mysql]> flush privileges;
 
Query OK, 0 rows affected (0.00 sec)
 
 
 
MariaDB [mysql]> select count(*) from user;
 
+----------+
 
| count(*) |
 
+----------+
 
|       24 |
 
+----------+
 
1 row in set (0.00 sec)

I would expect user_to_be_dropped@localhost to get an error when running another query after the flush privileges.

Is the above expected behaviour (meaning my expectations are wrong) or is this an actual bug?

 Comments   
Comment by Elena Stepanova [ 2016-07-15 ]

Yes, the above is the expected and documented behavior, both in MariaDB and MySQL:
https://mariadb.com/kb/en/mariadb/drop-user/

Note that, if you specify an account that is currently connected, it will not be deleted until the connection is closed. The connection will not be automatically closed.

http://dev.mysql.com/doc/refman/5.7/en/drop-user.html

Important
DROP USER does not automatically close any open user sessions. Rather, in the event that a user with an open session is dropped, the statement does not take effect until that user's session is closed. Once the session is closed, the user is dropped, and that user's next attempt to log in will fail. This is by design.

Generated at Thu Feb 08 07:41:41 UTC 2024 using Jira 8.20.16#820016-sha1:9d11dbea5f4be3d4cc21f03a88dd11d8c8687422.