[MDEV-9580] SHOW GRANTS FOR <current_user> fails Created: 2016-02-18  Updated: 2016-04-24  Resolved: 2016-04-24

Status: Closed
Project: MariaDB Server
Component/s: Authentication and Privilege System
Affects Version/s: 10.0.23
Fix Version/s: 10.0.25, 10.1.14

Type: Bug Priority: Major
Reporter: David Gow Assignee: Sergei Golubchik
Resolution: Fixed Votes: 0
Labels: None
Environment:

Ubuntu 14.04.1 LTS x86_64, 10.0.23 built from source


Attachments: File 0001-Hacky-fix-for-MDEV-9580-SHOW-GRANTS-should-work-for-.patch    
Sprint: 10.0.25

 Description   

If <user> does not have SELECT privilege on the `mysql` database and <user> is the current user, the "SHOW GRANTS FOR <user>" (without hostname specified) statement fails with:

1044: Access denied for user '<user>'@'%' to database 'mysql'

This can be reproduced with the following test:

CREATE USER test;
connect (conn_1, localhost, test,,);
SHOW GRANTS FOR test;

This worked in 10.0.12, and seems to have been broken as part of the fix for MDEV-6625.



 Comments   
Comment by Elena Stepanova [ 2016-02-18 ]

I'm not sure it's a bug. It was ambiguous before, and much more so now when we also have roles (but the problem with roles has already been filed as MDEV-5227). It would be much cleaner if it always required specifying the full name (or no name at all).

Anyway, I'm assigning it to serg to decide if it needs to be fixed.

Comment by Jeremy Cole [ 2016-02-18 ]

Elena,

The syntax is ambiguous in terms of meaning, but documented. This syntax has existed since the beginning of time; it can't be arbitrarily broken in a minor version upgrade in a supposedly stable release. While it's fine to argue about whether the syntax looks good or not (and I agree that it doesn't, really), it has existed since forever, it previously worked, and should not be broken in this way.

Regards,

Jeremy

Comment by Sergei Golubchik [ 2016-02-22 ]

This is a bug.

SHOW GRANTS FOR test

should resolve the ambiguity of test like other commands do, for example

GRANT SELECT ON *.* TO test

Comment by David Gow [ 2016-02-23 ]

Thanks Sergei, resolving the ambiguity in the same way as GRANT would fix our tests.

FWIW, we're currently working around this issue with the attached patch: 0001-Hacky-fix-for-MDEV-9580-SHOW-GRANTS-should-work-for-.patch.
This works for our use case (which doesn't use roles), but hasn't been tested more widely. At the very least, it changes a few of the reported errors when using "SHOW GRANTS FOR CURRENT_ROLE()".

All the best,
— David
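
A regression test for the behaviour agreed in this thread, as an added example that is not part of the original report, the comments or the attached patch. It extends the reporter's mysqltest reproducer with the other spellings of the session's own account and a negative control; the account `other` is hypothetical, and `ER_DBACCESS_DENIED_ERROR` is the symbolic name of error 1044 quoted in the description.

```sql
# Constructed mysqltest case (not from the MariaDB test suite).
# Assumption: `other` is a hypothetical second account used as a negative control.
CREATE USER test;
CREATE USER other;

connect (conn_1, localhost, test,,);

# The session's own account, in every spelling, must be readable
# without the SELECT privilege on the mysql database.
SHOW GRANTS;
SHOW GRANTS FOR CURRENT_USER;
# Bare name: should resolve the way GRANT ... TO test does.
SHOW GRANTS FOR test;
SHOW GRANTS FOR test@'%';

# Negative control: reading another account's grants must still
# require SELECT on the mysql database and fail with error 1044.
--error ER_DBACCESS_DENIED_ERROR
SHOW GRANTS FOR other;

# Clean up from the default (privileged) connection.
connection default;
disconnect conn_1;
DROP USER test;
DROP USER other;
```

The negative control guards against a fix that relaxes the privilege check for every account instead of only for the caller's own.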
