executor/simple: prohibit setting a resource group to a role (#54525) (…

…#54551) close #54417, ref #54434
pingcap · Jul 15, 2024 · ae394c6 · ae394c6
1 parent 8737e7d
commit ae394c6
Show file tree

Hide file tree

Showing 7 changed files with 48 additions and 0 deletions.
diff --git a/errors.toml b/errors.toml
@@ -2856,6 +2856,11 @@ error = '''
 Resource control feature is disabled. Run `SET GLOBAL tidb_enable_resource_control='on'` to enable the feature
 '''
 
+["schema:8257"]
+error = '''
+Cannot set resource group for a role
+'''
+
 ["server:1040"]
 error = '''
 Too many connections

diff --git a/pkg/errno/errcode.go b/pkg/errno/errcode.go
@@ -1145,6 +1145,7 @@ const (
 	ErrResourceGroupQueryRunawayInterrupted   = 8253
 	ErrResourceGroupQueryRunawayQuarantine    = 8254
 	ErrResourceGroupInvalidBackgroundTaskName = 8255
+	ErrResourceGroupInvalidForRole            = 8257
 
 	// TiKV/PD/TiFlash errors.
 	ErrPDServerTimeout           = 9001

diff --git a/pkg/errno/errname.go b/pkg/errno/errname.go
@@ -1138,6 +1138,7 @@ var MySQLErrName = map[uint16]*mysql.ErrMessage{
 	ErrOptOnCacheTable:                 mysql.Message("'%s' is unsupported on cache tables.", nil),
 	ErrResourceGroupExists:             mysql.Message("Resource group '%-.192s' already exists", nil),
 	ErrResourceGroupNotExists:          mysql.Message("Unknown resource group '%-.192s'", nil),
+	ErrResourceGroupInvalidForRole:     mysql.Message("Cannot set resource group for a role", nil),
 
 	ErrColumnInChange:                         mysql.Message("column %s id %d does not exist, this column may have been updated by other DDL ran in parallel", nil),
 	ErrResourceGroupSupportDisabled:           mysql.Message("Resource control feature is disabled. Run `SET GLOBAL tidb_enable_resource_control='on'` to enable the feature", nil),

diff --git a/pkg/executor/simple.go b/pkg/executor/simple.go
@@ -1081,6 +1081,9 @@ func (e *SimpleExec) executeCreateUser(ctx context.Context, s *ast.CreateUserStm
 		if !variable.EnableResourceControl.Load() {
 			return infoschema.ErrResourceGroupSupportDisabled
 		}
+		if s.IsCreateRole {
+			return infoschema.ErrResourceGroupInvalidForRole
+		}
 
 		resourceGroupName := strings.ToLower(s.ResourceGroupNameOption.Value)
 
@@ -1270,6 +1273,26 @@ func (e *SimpleExec) executeCreateUser(ctx context.Context, s *ast.CreateUserStm
 	return domain.GetDomain(e.Ctx()).NotifyUpdatePrivilege()
 }
 
+func isRole(ctx context.Context, sqlExecutor sqlexec.SQLExecutor, name, host string) (bool, error) {
+	sql := new(strings.Builder)
+	sqlescape.MustFormatSQL(sql, `SELECT 1 FROM %n.%n WHERE User=%? AND Host=%? AND Account_locked="Y" AND Password_expired="Y";`,
+		mysql.SystemDB, mysql.UserTable, name, strings.ToLower(host))
+	recordSet, err := sqlExecutor.ExecuteInternal(ctx, sql.String())
+	if err != nil {
+		return false, err
+	}
+	defer func() {
+		if closeErr := recordSet.Close(); closeErr != nil {
+			err = closeErr
+		}
+	}()
+	rows, err := sqlexec.DrainRecordSet(ctx, recordSet, 1)
+	if err != nil {
+		return false, err
+	}
+	return len(rows) > 0, nil
+}
+
 func getUserPasswordLimit(ctx context.Context, sqlExecutor sqlexec.SQLExecutor, name string, host string, plOptions *passwordOrLockOptionsInfo) (pRI *passwordReuseInfo, err error) {
 	res := &passwordReuseInfo{notSpecified, notSpecified}
 	sql := new(strings.Builder)
@@ -1892,6 +1915,13 @@ func (e *SimpleExec) executeAlterUser(ctx context.Context, s *ast.AlterUserStmt)
 			if !variable.EnableResourceControl.Load() {
 				return infoschema.ErrResourceGroupSupportDisabled
 			}
+			is, err := isRole(ctx, sqlExecutor, spec.User.Username, spec.User.Hostname)
+			if err != nil {
+				return err
+			}
+			if is {
+				return infoschema.ErrResourceGroupInvalidForRole
+			}
 
 			// check if specified resource group exists
 			resourceGroupName := strings.ToLower(s.ResourceGroupNameOption.Value)

diff --git a/pkg/infoschema/error.go b/pkg/infoschema/error.go
@@ -38,6 +38,8 @@ var (
 	ErrResourceGroupNotExists = dbterror.ClassSchema.NewStd(mysql.ErrResourceGroupNotExists)
 	// ErrResourceGroupInvalidBackgroundTaskName return for unknown resource group background task name.
 	ErrResourceGroupInvalidBackgroundTaskName = dbterror.ClassExecutor.NewStd(mysql.ErrResourceGroupInvalidBackgroundTaskName)
+	// ErrResourceGroupInvalidForRole return for invalid resource group for role.
+	ErrResourceGroupInvalidForRole = dbterror.ClassSchema.NewStd(mysql.ErrResourceGroupInvalidForRole)
 	// ErrReservedSyntax for internal syntax.
 	ErrReservedSyntax = dbterror.ClassSchema.NewStd(mysql.ErrReservedSyntax)
 	// ErrTableExists returns for table already exists.

diff --git a/tests/integrationtest/r/executor/simple.result b/tests/integrationtest/r/executor/simple.result
@@ -319,6 +319,10 @@ ALTER USER `user1` RESOURCE GROUP `rg1`;
 SELECT CURRENT_RESOURCE_GROUP();
 CURRENT_RESOURCE_GROUP()
 default
+create role role_for_resource_group;
+alter user role_for_resource_group resource group rg1;
+Error 8257 (HY000): Cannot set resource group for a role
+drop role role_for_resource_group;
 SELECT CURRENT_RESOURCE_GROUP();
 CURRENT_RESOURCE_GROUP()
 rg1

diff --git a/tests/integrationtest/t/executor/simple.test b/tests/integrationtest/t/executor/simple.test
@@ -379,6 +379,11 @@ create user user1;
 ALTER USER `user1` RESOURCE GROUP `rg1`;
 SELECT CURRENT_RESOURCE_GROUP();
 
+create role role_for_resource_group;
+-- error 8257
+alter user role_for_resource_group resource group rg1;
+drop role role_for_resource_group;
+
 connect(conn1, localhost, user1,,);
 SELECT CURRENT_RESOURCE_GROUP();