[MDEV-29845] ALTER USER <role> pretends to succeed but has no effect Created: 2022-10-21  Updated: 2023-11-28

Status: Open
Project: MariaDB Server
Component/s: Authentication and Privilege System
Affects Version/s: 10.4, 10.5, 10.6, 10.7, 10.8, 10.9, 10.10
Fix Version/s: 10.4, 10.5, 10.6

Type: Bug Priority: Major
Reporter: Elena Stepanova Assignee: Rucha Deodhar
Resolution: Unresolved Votes: 0
Labels: None


 Description   

Set affected versions to 10.4 because I haven't found a variant of ALTER applicable to 10.3 which would reveal the same; but I didn't try all of them.

create user `user_acc`;
 
create role `role_rec`;
 
 
 
select user, priv from mysql.global_priv where user in ('user_acc','role_rec');
 
alter user `user_acc` account lock;
 
alter user `role_rec` account lock;
 
select user, priv from mysql.global_priv where user in ('user_acc','role_rec');
 
 
 
alter user `user_acc` with max_user_connections 10;
 
alter user `role_rec` with max_user_connections 10;
 
 
 
# Cleanup
 
drop user `user_acc`;
 
drop role `role_rec`;

In the above, alter ... account lock succeeds both for the user account and for the role; but for the user account it actually adds the lock to the JSON, while for the role nothing happens:

10.4 291872ec

 
select user, priv from mysql.global_priv where user in ('user_acc','role_rec');
 
user	priv
 
user_acc	{"access":0,"plugin":"mysql_native_password","authentication_string":"","password_last_changed":1666352599}
 
role_rec	{"access":0,"is_role":true}
 
alter user `user_acc` account lock;
 
alter user `role_rec` account lock;
 
select user, priv from mysql.global_priv where user in ('user_acc','role_rec');
 
user	priv
 
user_acc	{"access":0,"plugin":"mysql_native_password","authentication_string":"","password_last_changed":1666352599,"account_locked":true}
 
role_rec	{"access":0,"is_role":true}

However, it is not so for every ALTER USER operation. The next one, setting the limit, succeeds for the user but fails for the role:

alter user `user_acc` with max_user_connections 10;
 
alter user `role_rec` with max_user_connections 10;
 
bug.t2                                   [ fail ]
 
        Test ended at 2022-10-21 14:43:19
 
 
 
CURRENT_TEST: bug.t2
 
mysqltest: At line 10: query 'alter user `role_rec` with max_user_connections 10' failed: 1396: Operation ALTER USER failed for 'role_rec'

I suppose the same should happen for any operation which is not really applicable to roles.

PUBLIC introduced in MDEV-5215 is also affected.

 Comments   
Comment by Oleksandr Byelkin [ 2023-09-26 ]

yes, se have the error "Can't find any matching row in the user table" somewhere lost when execute alter user `role_rec` with max_user_connections 10;

Generated at Thu Feb 08 10:11:43 UTC 2024 using Jira 8.20.16#820016-sha1:9d11dbea5f4be3d4cc21f03a88dd11d8c8687422.