[MDEV-28544] Appending SELECT privilege not applied on show columns and show index Created: 2022-05-11  Updated: 2022-06-09  Resolved: 2022-05-12

Status: Closed
Project: MariaDB Server
Component/s: Authentication and Privilege System, Data Definition - Create Table, Server
Affects Version/s: 10.2, 10.3, 10.4, 10.5, 10.6, 10.7, 10.8, 10.9
Fix Version/s: N/A

Type: Bug Priority: Major
Reporter: Anel Husakovic Assignee: Anel Husakovic
Resolution: Not a Bug Votes: 0
Labels: None

Issue Links:
Relates
relates to MDEV-28455 CREATE TEMPORARY TABLES privilege is ... Closed

 Description   

When a user is created without the SELECT privilege and the SELECT privilege is granted afterwards, nothing changes:

create database db;
create user foo@localhost;
grant create on db.* to foo@localhost;
 
--connect (con1,localhost,foo,,db)
create table t (a int, key(a));
show create table t;
--error ER_TABLEACCESS_DENIED_ERROR
show columns in t;
--error ER_TABLEACCESS_DENIED_ERROR
show index in t;
 
# Give the user select privilege
--connection default
grant select on db.* to foo@localhost;
 
--connection con1
show grants for current_user;
Grants for foo@localhost
GRANT USAGE ON *.* TO `foo`@`localhost`
GRANT SELECT, CREATE ON `db`.* TO `foo`@`localhost`
 
# This should be visible but is not - bug! still ER_TABLEACCESS_DENIED_ERROR
show columns in t;
8: query 'show columns in t' failed: ER_TABLEACCESS_DENIED_ERROR (1142): SELECT command denied to user 'foo'@'localhost' for table 't'
 
# This should be visible but is not - bug! still ER_TABLEACCESS_DENIED_ERROR
show index in t;
 
# Cleanup
--disconnect con1
--connection default
drop database db;
drop user foo@localhost;

However, if we create a new user that has just the SELECT privilege, it works:

--connection default
create user bar@localhost;
grant select on db.* to bar@localhost;
show grants for bar@localhost;
Grants for bar@localhost
GRANT USAGE ON *.* TO `bar`@`localhost`
GRANT SELECT ON `db`.* TO `bar`@`localhost`
 
--connect (con2,localhost,bar,,db)
show index in t;
Table	Non_unique	Key_name	Seq_in_index	Column_name	Collation	Cardinality	Sub_part	Packed	Null	Index_type	Comment	Index_comment	Ignored
t	1	a	1	a	A	NULL	NULL	NULL	YES	BTREE			NO
show columns in t;
Field	Type	Null	Key	Default	Extra
a	int(11)	YES	MUL	NULL	



 Comments   
Comment by Anel Husakovic [ 2022-05-12 ]

It seems that this behavior is by design. Changes of privileges in current sessions don't take place immediately. One needs to close the sessions at least.
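
The resolution above, written out as an added mysqltest case (not part of the original report or of the MariaDB test suite): the same account is checked from the session opened before the grant and from a session opened after it. The connection name con1_new is an assumption, and the script assumes it starts on the default (root) connection under mysql-test-run.

```sql
# Added example in mysqltest format, not from the original report.
# Assumption: started by mysql-test-run on the default (root) connection.
create database db;
create user foo@localhost;
grant create on db.* to foo@localhost;

# Session opened BEFORE the SELECT grant.
--connect (con1,localhost,foo,,db)
create table t (a int, key(a));

--connection default
grant select on db.* to foo@localhost;

# con1 predates the grant, so the new SELECT privilege is not applied
# to it and both statements are still denied.
--connection con1
--error ER_TABLEACCESS_DENIED_ERROR
show columns in t;
--error ER_TABLEACCESS_DENIED_ERROR
show index in t;

# Close the old session and open a new one for the same account
# (con1_new is a hypothetical connection name): both statements succeed.
--disconnect con1
--connect (con1_new,localhost,foo,,db)
show columns in t;
show index in t;

# Cleanup
--disconnect con1_new
--connection default
drop database db;
drop user foo@localhost;
```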
