[MDEV-24528] Nesting roles is allowed but not supported, and causes incorrect privilege reporting with "show grants;". Created: 2021-01-05  Updated: 2021-05-03  Resolved: 2021-01-05

Status: Closed
Project: MariaDB Server
Component/s: Authentication and Privilege System
Affects Version/s: 10.5.8
Fix Version/s: N/A

Type: Bug Priority: Major
Reporter: Juan Assignee: Sergei Golubchik
Resolution: Not a Bug Votes: 0
Labels: None


Description

Nesting of privileges should either be supported or disallowed.

Currently it is possible to grant role R1 to role R2, and then grant role R2 to user U1, and even though show grants for role R2 shows all the grants from role R1, these are not carried to user U1, so strictly speaking the server shows the role assigned to the user as having privileges the user does not get:

MariaDB [(none)]> create role adm;
Query OK, 0 rows affected (0.012 sec)
 
MariaDB [(none)]> grant all on *.* to adm with grant option;
Query OK, 0 rows affected (0.009 sec)
 
MariaDB [(none)]> create role interm;
Query OK, 0 rows affected (0.020 sec)
 
MariaDB [(none)]> grant adm to interm;
Query OK, 0 rows affected (0.007 sec)
 
MariaDB [(none)]> show grants for interm;
+--------------------------------------+
| Grants for interm                    |
+--------------------------------------+
| GRANT `adm` TO `interm`              |
| GRANT USAGE ON *.* TO `interm`       |
| GRANT ALL PRIVILEGES ON *.* TO `adm` |
+--------------------------------------+
3 rows in set (0.001 sec)
 
MariaDB [(none)]> grant usage on *.* to 'test'@'%' identified by 'test';
Query OK, 0 rows affected (0.020 sec)
 
MariaDB [(none)]> grant interm to 'test'@'%';
Query OK, 0 rows affected (0.008 sec)
 
MariaDB [(none)]> show grants for 'test'@'%';
+-----------------------------------------------------------------------------------------------------+
| Grants for test@%                                                                                   |
+-----------------------------------------------------------------------------------------------------+
| GRANT `interm` TO `test`@`%`                                                                        |
| GRANT USAGE ON *.* TO `test`@`%` IDENTIFIED BY PASSWORD '*94BDCEBE19083CE2A1F959FD02F964C7AF4CFC29' |
+-----------------------------------------------------------------------------------------------------+
2 rows in set (0.000 sec)
 
MariaDB [(none)]> exit
Bye
~# mysql -h 127.0.0.1 -u test -ptest
Welcome to the MariaDB monitor.  Commands end with ; or \g.
Your MariaDB connection id is 9
Server version: 10.5.8-5-MariaDB-enterprise MariaDB Enterprise Server
 
Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.
 
Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
 
MariaDB [(none)]> use test;
ERROR 1044 (42000): Access denied for user 'test'@'%' to database 'test'
MariaDB [(none)]>

Comments
Comment by Sergei Golubchik [ 2021-01-05 ]

you need to do SET ROLE to be able to use role's privileges
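The activation step described in the comment above, as an added example that is not part of the ticket or of the MariaDB project's own code: it repeats the ticket's setup, activates the nested role with SET ROLE so that the inherited ALL PRIVILEGES grant actually applies, and adds an administrator-side query that lists role-to-role grants, since a role that looks harmless in its own grant list can carry full privileges through another role once activated. Role and user names are those from the ticket; the password is a placeholder, and the filter on mysql.roles_mapping (empty Host for a role granted to a role) is an assumption about that table's layout.

```sql
-- Added example, not from the ticket. Names follow the ticket; the
-- password is a placeholder.

-- Setup as in the ticket: adm has everything, interm inherits adm,
-- and the user only receives interm.
CREATE ROLE adm;
GRANT ALL ON *.* TO adm WITH GRANT OPTION;
CREATE ROLE interm;
GRANT adm TO interm;                           -- nested role grant
CREATE USER 'test'@'%' IDENTIFIED BY 'test';   -- placeholder credentials
GRANT interm TO 'test'@'%';

-- Optional: make the role active automatically at login instead of
-- requiring an explicit SET ROLE in every session.
-- SET DEFAULT ROLE interm FOR 'test'@'%';

-- In a session opened as 'test'@'%':
SELECT CURRENT_ROLE();          -- NULL: no role active, only USAGE applies
SHOW DATABASES;                 -- only information_schema is visible
SET ROLE interm;                -- activate the granted role
SELECT CURRENT_ROLE();          -- 'interm'
SHOW DATABASES;                 -- all databases: adm's ALL PRIVILEGES now apply
SET ROLE NONE;                  -- back to the user's own (USAGE-only) privileges

-- Administrator-side audit: surface every role that is granted to another
-- role, so nested chains are visible without walking SHOW GRANTS by hand.
-- Assumption: in mysql.roles_mapping a role-to-role grant is stored with an
-- empty Host and the grantee role in User.
SELECT User AS grantee_role, Role AS granted_role, Admin_option
FROM mysql.roles_mapping
WHERE Host = '';
```

The two SHOW DATABASES calls are the quickest observable check: before SET ROLE the session has nothing beyond USAGE, exactly as the ticket's `use test` failure shows, and after it the privileges inherited through adm are in effect. The audit query is the part worth keeping in a regular review, because `SHOW GRANTS FOR` a user lists only the role name, not what that role inherits.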

Comment by Juan [ 2021-01-05 ]

serg Thanks for the clarification.

Generated at Thu Feb 08 09:30:40 UTC 2024 using Jira 8.20.16#820016-sha1:9d11dbea5f4be3d4cc21f03a88dd11d8c8687422.