[MDEV-30190] Password check plugin prevents changing grants for CURRENT_USER Created: 2022-12-09  Updated: 2023-11-28

Status: Open
Project: MariaDB Server
Component/s: Authentication and Privilege System
Affects Version/s: 10.4, 10.5, 10.6, 10.7, 10.8, 10.9, 10.10, 10.11
Fix Version/s: 10.4, 10.5, 10.6

Type: Bug Priority: Major
Reporter: Elena Stepanova Assignee: Sergei Golubchik
Resolution: Unresolved Votes: 0
Labels: None


 Description    

grant all on db1.* to current_user;
 
revoke all on db1.* from current_user;
 
install soname 'simple_password_check';
 
grant all on db1.* to current_user;
 
select current_user;
 
grant all on db1.* to root@localhost;
 
show grants;

10.4 0174a9ff

 
install soname 'simple_password_check';
 
grant all on db1.* to current_user;
 
mysqltest: At line 4: query 'grant all on db1.* to current_user' failed: 1819: Your password does not satisfy the current policy requirements (simple_password_check)
 
select current_user;
 
current_user
 
root@localhost
 
grant all on db1.* to root@localhost;
 
show grants;
 
Grants for root@localhost
 
GRANT ALL PRIVILEGES ON *.* TO `root`@`localhost` WITH GRANT OPTION
 
GRANT ALL PRIVILEGES ON `db1`.* TO `root`@`localhost`
 
GRANT PROXY ON ''@'%' TO 'root'@'localhost' WITH GRANT OPTION

So, the password check doesn't allow to change grants for the CURRENT_USER. It would be somewhat understandable if it weren't only for CURRENT_USER. If a user is specified by a name, it works.

Reproducible on 10.4+.
Generated at Thu Feb 08 10:14:22 UTC 2024 using Jira 8.20.16#820016-sha1:9d11dbea5f4be3d4cc21f03a88dd11d8c8687422.