
privilege: fix RequestVerificationWithUser use of default roles #24442

Merged
merged 9 commits into from
May 10, 2021
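--- a/privilege/privileges/privileges.go
+++ b/privilege/privileges/privileges.go
@@ -140,7 +140,8 @@ func (p *UserPrivileges) RequestVerificationWithUser(db, table, column string, p
 }
 
 mysqlPriv := p.Handle.Get()
-return mysqlPriv.RequestVerification(nil, user.Username, user.Hostname, db, table, column, priv)
+roles := mysqlPriv.getDefaultRoles(user.Username, user.Hostname)
+return mysqlPriv.RequestVerification(roles, user.Username, user.Hostname, db, table, column, priv)
 }
 
 // GetEncodedPassword implements the Manager interface.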
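Review bot: The new `roles := mysqlPriv.getDefaultRoles(...)` line changes which role set an access decision is made with, and nothing in the hunk records why default roles, rather than the calling session's active roles, are the right set; a one-line why-comment above it would keep the next reader from "fixing" it back to the session roles. Something like `// This path verifies privileges on behalf of another user (e.g. a SQL SECURITY DEFINER view's definer), so use that user's default roles (SET DEFAULT ROLE), not the current session's active roles.` The doc comment on RequestVerificationWithUser should state the same contract, since callers now get a different answer for users whose granted roles are not default. Both lookups use the same `mysqlPriv` snapshot from `p.Handle.Get()`, so the roles and the grant tables are consistent with each other, which is worth keeping if this is ever refactored. The function's signature and the preceding `}` belong to code outside the hunk, so any nil check on `user` there cannot be confirmed from this view.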
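--- a/privilege/privileges/privileges_test.go
+++ b/privilege/privileges/privileges_test.go
@@ -1393,3 +1393,31 @@ func (s *testPrivilegeSuite) TestSecurityEnhancedModeStatusVars(c *C) {
 AuthHostname: "%",
 }, nil, nil)
 }
+
+// TestViewDefiner tests that default roles are correctly applied in the algorithm definer
+// See: https://github.com/pingcap/tidb/issues/24414
+func (s *testPrivilegeSuite) TestViewDefiner(c *C) {
+tk := testkit.NewTestKit(c, s.store)
+tk.MustExec("CREATE DATABASE issue24414")
+tk.MustExec("USE issue24414")
+tk.MustExec(`create table table1(
+col1 int,
+col2 int,
+col3 int
+)`)
+tk.MustExec(`insert into table1 values (1,1,1),(2,2,2)`)
+tk.MustExec(`CREATE ROLE 'ACL-mobius-admin'`)
+tk.MustExec(`CREATE USER 'mobius-admin'`)
+tk.MustExec(`CREATE USER 'mobius-admin-no-role'`)
+tk.MustExec(`GRANT Select,Insert,Update,Delete,Create,Drop,Alter,Index,Create View,Show View ON issue24414.* TO 'ACL-mobius-admin'@'%'`)
+tk.MustExec(`GRANT Select,Insert,Update,Delete,Create,Drop,Alter,Index,Create View,Show View ON issue24414.* TO 'mobius-admin-no-role'@'%'`)
+tk.MustExec(`GRANT 'ACL-mobius-admin'@'%' to 'mobius-admin'@'%'`)
+tk.MustExec(`SET DEFAULT ROLE ALL TO 'mobius-admin'`)
+// create tables
+tk.MustExec(`CREATE ALGORITHM = UNDEFINED DEFINER = 'mobius-admin'@'127.0.0.1' SQL SECURITY DEFINER VIEW test_view (col1 , col2 , col3) AS SELECT * from table1`)
+tk.MustExec(`CREATE ALGORITHM = UNDEFINED DEFINER = 'mobius-admin-no-role'@'127.0.0.1' SQL SECURITY DEFINER VIEW test_view2 (col1 , col2 , col3) AS SELECT * from table1`)
+
+// all examples should work
+tk.MustExec("select * from test_view")
+tk.MustExec("select * from test_view2")
+}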
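Review bot: TestViewDefiner only exercises the positive path (both `select * from test_view` calls must succeed), so it would also pass if RequestVerificationWithUser granted every request; a privilege regression test needs a case that is expected to be denied. The natural negative case for this fix is a definer that has the role granted but not set as default, whose SQL SECURITY DEFINER view should then be unreadable, since the fix consults default roles only. This assumes the test session runs as a superuser that may create views on behalf of other definers, which the existing CREATE VIEW statements already rely on; if TiDB does not enforce definer privileges at select time the assertion form would need to change. The comment `// create tables` above the CREATE VIEW lines is misleading and should read `// create views`, and the test leaves database issue24414 behind, so a `DROP DATABASE issue24414` at the end would keep later tests in the suite isolated.
```go
	// … unchanged: database, table, role and user setup …
	tk.MustExec(`CREATE USER 'mobius-admin-no-default'`)
	tk.MustExec(`GRANT 'ACL-mobius-admin'@'%' to 'mobius-admin-no-default'@'%'`)
	// … unchanged: test_view / test_view2 creation and the positive selects …
	tk.MustExec(`CREATE ALGORITHM = UNDEFINED DEFINER = 'mobius-admin-no-default'@'127.0.0.1' SQL SECURITY DEFINER VIEW test_view3 (col1 , col2 , col3) AS SELECT * from table1`)
	// role granted but never made default: the definer holds no active privilege on table1
	_, err := tk.Exec("select * from test_view3")
	c.Assert(err, NotNil)
	tk.MustExec("DROP DATABASE issue24414")
```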