[MDEV-4397] Roles Created: 2013-04-15  Updated: 2020-12-03  Resolved: 2013-10-29

Status: Closed
Project: MariaDB Server
Component/s: None
Fix Version/s: 10.0.5

Type: Task Priority: Major
Reporter: Sergei Golubchik Assignee: Sergei Golubchik
Resolution: Fixed Votes: 0
Labels: gsoc13

Issue Links:
Blocks
blocks MDEV-5164 Testing Roles Closed
Duplicate
duplicates MDEV-14444 Support Role based access control for... Closed
Problem/Incident
causes MDEV-24345 WITH ADMIN OPTION privilege is missin... Closed
Relates
relates to MDEV-5166 10.0-roles does not build with BUILD/... Closed
relates to MDEV-5170 Assertion `(&(&acl_cache->lock)->m_mu... Closed
relates to MDEV-5172 safe_mutex: Trying to lock mutex when... Closed
relates to MDEV-5175 Revoking a role does not revoke corre... Closed
relates to MDEV-5211 Rename role Open
relates to MDEV-5212 Role support for Audit Plugin API Open
relates to MDEV-5215 Granted to PUBLIC Closed
relates to MDEV-5221 User auto-creation does not work upon... Closed
relates to MDEV-5223 Server crashes on REVOKE ... from CUR... Closed
relates to MDEV-5225 Server crashes on CREATE USER|ROLE CU... Closed
relates to MDEV-5227 Resolve the ambiguity between user an... Open
relates to MDEV-5228 Incorrect message test on a failed at... Open
relates to MDEV-5232 SET ROLE checks privileges differentl... Closed
relates to MDEV-5237 Minor inconsistency between current_r... Closed
relates to MDEV-5238 Server crashes in find_role_grant_pai... Closed
relates to MDEV-5668 Assertion `granted_role->is_role()' f... Closed
relates to MDEV-5669 Possible inconsistencies or lack of d... Closed
relates to MDEV-5771 Privileges acquired via roles depend ... Closed
relates to MDEV-5772 Granting multiple roles in single sta... Open
relates to MDEV-5210 Default role Closed
relates to MDEV-5213 Roles: OOM checks Open

 Description   

Roles

As (or close to) defined in the SQL:2003 standard.

New statements

CREATE ROLE role
 
DROP ROLE role
 
GRANT role TO { user | user }
 
REVOKE role FROM {user | role }
 
SET ROLE { role_name | NONE }

According to the standard, role and user names live in the same namespace. But in MariaDB a user name has a mandatory @host part (even if it's @%). And we probably wouldn't want it for roles. So, practically, we will have users and roles in different name spaces, with a little ambiguity, when a user name is specified without a @host part, where allowed. Alternatively, we can specify that a role name cannot match the first part of any user name. May be it'll be less confusing this way.

Only one role can be set to a user at any specific point in any given session. In other words, CURRENT_ROLE (see below) can never return a list.

Privileges

One needs CREATE USER privilege to create or drop a role. Or an appropriate (insert or delete) privilege on the mysql database.

One needs a role to be granted to himself WITH ADMIN OPTION to be able to grant or revoke it further. A creator of a role gets it automatically granted to himself WITH ADMIN CURRENT_USER. Alternatively, one can use WITH ADMIN CURRENT_ROLE or (with SUPER privilege) WITH ADMIN arbitrary_definer.

Existing statements need to work with roles

REVOKE privilege FROM { user | role }
 
GRANT privilege TO { user | role }
 
SHOW GRANTS FOR { user | role }

New functions

CURRENT_ROLE
 
CURRENT_ROLE()

If there is no current role, the function returns NULL, not "NONE".

Informational tables

INFORMATION_SCHEMA.APPLICABLE_ROLES
 
INFORMATION_SCHEMA.ENABLED_ROLES

there are more tables in the INFORMATION_SCHEMA that are relevant for roles. They are not part of this task.

DEFINER=CURRENT_ROLE

Everywhere where one can write DEFINER=xxx, we should allow xxx to be a role name. And additionally we'll support DEFINER=CURRENT_ROLE.

Reserved role names

The role name of PUBLIC is reserved. There can be no role with this name. But this name can be used in GRANT and REVOKE statements as a grantee.Privileges granted to PUBLIC are always available to everyone. Implementing it is not part of this task.

The role name of NONE is reserved too.

Default role (not part of this task)

Syntax variants (which ones we'll do?):

CREATE USER xxx DEFAULT ROLE yyy;
 
ALTER USER xxx DEFAULT ROLE yyy;
 
SET DEFAULT ROLE yyy;
 
SET DEFAULT ROLE yyy [ FOR xxx ];

When a default role is set, the server implicitly runs SET ROLE yyy for every new connection (or after a COM_CHANGE_USER for a user xxx.

 Comments   
Comment by Mark Callaghan [ 2013-04-17 ]

Implemented something like this long ago in the Google patch. Will be great to see an officially supported version of it – https://code.google.com/p/google-mysql-tools/wiki/MysqlRoles

Comment by Sergei Golubchik [ 2013-09-23 ]

lp:~maria-captains/maria/10.0-serg

Generated at Thu Feb 08 06:56:07 UTC 2024 using Jira 8.20.16#820016-sha1:9d11dbea5f4be3d4cc21f03a88dd11d8c8687422.