[MDEV-29458] Role grant commands do not propagate all grants
Created: 2022-09-03  Updated: 2022-09-20  Resolved: 2022-09-14

Status: Closed
Project: MariaDB Server
Component/s: Authentication and Privilege System
Affects Version/s: 10.3, 10.4, 10.5, 10.6, 10.7, 10.8, 10.9
Fix Version/s: 10.3.37, 10.4.27, 10.5.18, 10.6.11, 10.7.7, 10.8.6, 10.9.4

Type: Bug
Priority: Critical
Reporter: Vicențiu Ciorbaru
Assignee: Vicențiu Ciorbaru
Resolution: Fixed
Votes: 0
Labels: roles

Issue Links:
Blocks
blocks MDEV-14443 DENY clause for access control a.k.a.... Stalled
Relates
relates to MDEV-29509 execute granted indirectly (via roles... Closed

 Description   

The following test case shows that grant order matters (when it shouldn't!) with regard to roles.

The issue is reproducible in 10.3 and onwards.

create role r1, r2;
create user foo;
 
create database some_db;
create table some_db.t1 (a int, b int, secret int);
 
grant r2 to r1;
grant r1 to foo;
 
grant select on *.* to r2;
grant insert on *.* to r1;
# flush privileges; # Adding flush privileges causes the second select to work as expected.
 
--connect (con1, localhost, foo,,)
--error ER_TABLEACCESS_DENIED_ERROR
select * from some_db.t1;
set role r1;
# This command should receive the select rights from r2 and thus be allowed
select * from some_db.t1;
disconnect con1;
 
connection default;
drop database some_db;
 
drop role r1, r2;
drop user foo;
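
An added example, not part of the report or of MariaDB's code: a small Python model of the expected semantics (after SET ROLE, the privileges are the union over every role reachable from the active one), used to enumerate all 24 orderings of the four GRANT statements from the test case with the expected result for each. It goes beyond the single ordering in the report; the function names and tuple layout are assumptions made for illustration, and the caller is assumed to pass a role the account may activate.

```python
from itertools import permutations

# Constructed from the report's test case: (grantee, SQL text, kind, granted item).
GRANTS = [
    ("r1", "grant r2 to r1;", "role", "r2"),
    ("foo", "grant r1 to foo;", "role", "r1"),
    ("r2", "grant select on *.* to r2;", "priv", "SELECT"),
    ("r1", "grant insert on *.* to r1;", "priv", "INSERT"),
]

def expected_privs(grants, account, active_role=None):
    """Expected global privileges (a model, not server code): the account's
    own grants plus, after SET ROLE, those of the active role and of every
    role reachable from it. Without an active role, role grants are inert."""
    edges, privs = {}, {}
    for grantee, _sql, kind, item in grants:
        (edges if kind == "role" else privs).setdefault(grantee, set()).add(item)
    result = set(privs.get(account, ()))
    if active_role is None:
        return result
    seen, stack = set(), [active_role]
    while stack:                      # iterative walk of the role graph
        role = stack.pop()
        if role in seen:              # guard against revisiting a role
            continue
        seen.add(role)
        result |= privs.get(role, set())
        stack.extend(edges.get(role, ()))
    return result

def ordering_cases(grants=GRANTS, account="foo", role="r1"):
    """Yield (GRANT statements in one order, expected privileges after
    SET ROLE) for every ordering of the grants."""
    for order in permutations(grants):
        yield [g[1] for g in order], expected_privs(order, account, role)

if __name__ == "__main__":
    for statements, privs in ordering_cases():
        print(" ".join(statements), "=> expect", sorted(privs))
```

Each emitted statement list can replace the four grant lines in the test case above; the second select is expected to succeed for every ordering.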



 Comments   
Comment by Vicențiu Ciorbaru [ 2022-09-05 ]

Hi Sergei!

While working on negative grants, I identified this bug.

https://github.com/MariaDB/server/pull/2256

Please review a fix for this.
Vicențiu
