[MDEV-8288] Deleting users can break unrelated databases Created: 2015-06-09  Updated: 2018-11-22  Resolved: 2015-06-09

Status: Closed
Project: MariaDB Server
Component/s: Views
Affects Version/s: 5.5.41
Fix Version/s: N/A

Type: Bug Priority: Major
Reporter: Martin Häcker Assignee: Sergei Golubchik
Resolution: Not a Bug Votes: 1
Labels: None
Environment:

Linux * 3.10.0-123.20.1.el7.x86_64 #1 SMP Thu Jan 29 18:05:33 UTC 2015 x86_64 x86_64 x86_64 GNU/Linux


 Description   

Deleting a user can break unrelated databases.

The problem, as far as I understand it is that deleting a user, causes all views (and possible other constructs) that he created not to be queryable anymore. Even worse, recreating that user doesn't solve the whole problem, because he has to have enough access rights to actually see the views he created to allow other users to query them.

This seems very arbitrary and unrelated and is highly surprising. I vote to either:

  • disable this 'feature' outright (the user who initially created a view / database / table) should not need to stick around (imagine him changing companies, I want to get rid of him!) and the ability of another user to query a construct should not depend on another user being able to see / query it.
  • Deprecate it, that is start by adding an option to disable it, and then switch that option to be default on in some future release

Some example error messages that we saw:
SQL Fehler (1449): The user specified as a definer (´$foo´@´%´) does not exist
1356: View '$bar' references invalid table(s) or column(s) or function(s) or definer/invoker of view lack rights to use them

 Comments   
Comment by Sergei Golubchik [ 2015-06-09 ]

The user, who created the view doesn't need to stick around. But the user whose privileges the view uses — he does.

In this case the view was created with explicit instructions „use the access rights of the user foo@%“. It's not surprising when this user foo@% is deleted the view stops working. There is nothing we can do in this case, MariaDB is doing exactly what you told it to.

Alternatives are:

  • create the view with SQL SECURITY INVOKER, meaning the view will use access rights of whoever uses it.
  • create the view with the explicit definer, like CREATE DEFINER=bar@% VIEW ....
  • use roles. Grant privileges to roles, not to users. e.g. create a role developer, grant needed privileges to it, grant this role to your users. Create views with DEFINER=CURRENT_ROLE.
Comment by Martin Häcker [ 2015-06-09 ]

Many thanks for your comment Sergei, does that mean that the default for view creation is that it uses the access rights of the 'DEFINER'? (Because I couldn't find any definitions of this property in our code).

If so, then probably the real bug is that the default behavior is really unintuitive and should be 'SQL SECURITY INVOKER' instead.

If that is the case, you guys should probably get together with Oracle and start deprecating that default.

Comment by Ben [ 2018-11-12 ]

@Sergei Golubchik the problem here is that the error message is a little bit misleading. If I create a view as user 'x', then dump that database and import it to another mariadb installation, no user is able to use that view, that is FAI and ok. If I try to use that view as root user I'll get a correct error message that user 'x' does not exist and the view could not be used. But if I want to access this view as user 'y', even if user 'y' has all privileges, I just get the error message 'you don't have the permissions to access this view'. This is really missleading and I don't know a reason for not showing the same error message as for the root user.

Comment by Sergei Golubchik [ 2018-11-14 ]

The general answer is — to not disclose the information to the user 'y' that this user has no right to see. This is why, for example, during login both incorrect password and incorrect user name say "access denied" and not "the password is incorrect" and "no such user".

In your particular case it is a question of privileges, still. There is no check in the code anywhere to do something differently for the 'root' user, the name 'root' is not special. The server looks at the SUPER privilege, because it's the privilege that allows to specify a definer, so it's the privilege that allows to see it too.

Comment by Ben [ 2018-11-15 ]

serg how will hiding the reason for the denial improve security? In case of a login it makes sense but not when the creator of a view does not exist.

My case has nothing to do with privileges. The user who created the view does not exist on the target system and the view could be used by every user if the creator would exist. So the error message that a user who wants to access this view does not have enough privileges, is not correct. There is no good reason to hide the correct error message from a user who has enough privileges to use this view.

Comment by Sergei Golubchik [ 2018-11-19 ]

every user has privileges to use the view, but not every user has privileges to specify the definer. Only users with the SUPER privilege can do that. That's why the detailed definer-related information is only shown to users with the SUPER privilege, not to every user with a SELECT privilege.

Comment by Ben [ 2018-11-19 ]

'every user has privileges to use the view, but not every user has privileges to specify the definer.' But if the creator does not exist anymore the error message says that each user who access the view, does not have enough privileges to access the view. This is wrong and should be changed.

I think a simple error message like "The view is not accessible" or "The view is in an inconsistent state, please inform an administrator" would have more useful information for an user.

Even better would be a warning for administrators while they import the data. if the creator of a view is not existent and the usage of the view requires the creator, the import script could show a warning.

Generated at Thu Feb 08 07:26:01 UTC 2024 using Jira 8.20.16#820016-sha1:9d11dbea5f4be3d4cc21f03a88dd11d8c8687422.