Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

privilege: fix RequestVerificationWithUser use of default roles (#24442) #24532

Merged
merged 4 commits into from
Aug 12, 2021
Merged

privilege: fix RequestVerificationWithUser use of default roles (#24442) #24532

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
4 commits
Select commit Hold shift + click to select a range
d3f794d
cherry pick #24442 to release-5.0
morgo May 10, 2021
477f76c
Fix merge
morgo May 10, 2021
b05018f
Merge branch 'release-5.0' into release-5.0-b8cad01bef30
morgo May 12, 2021
8164b01
Merge branch 'release-5.0' into release-5.0-b8cad01bef30
ti-chi-bot Aug 12, 2021
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
3 changes: 2 additions & 1 deletion privilege/privileges/privileges.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -99,7 +99,8 @@ func (p *UserPrivileges) RequestVerificationWithUser(db, table, column string, p
}

mysqlPriv := p.Handle.Get()
return mysqlPriv.RequestVerification(nil, user.Username, user.Hostname, db, table, column, priv)
roles := mysqlPriv.getDefaultRoles(user.Username, user.Hostname)
return mysqlPriv.RequestVerification(roles, user.Username, user.Hostname, db, table, column, priv)
}

// GetEncodedPassword implements the Manager interface.
Expand Down
28 changes: 28 additions & 0 deletions privilege/privileges/privileges_test.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -1257,3 +1257,31 @@ func newSession(c *C, store kv.Storage, dbName string) session.Session {
mustExec(c, se, "use "+dbName)
return se
}

// TestViewDefiner tests that default roles are correctly applied in the algorithm definer
// See: https://github.com/pingcap/tidb/issues/24414
func (s *testPrivilegeSuite) TestViewDefiner(c *C) {
tk := testkit.NewTestKit(c, s.store)
tk.MustExec("CREATE DATABASE issue24414")
tk.MustExec("USE issue24414")
tk.MustExec(`create table table1(
col1 int,
col2 int,
col3 int
)`)
tk.MustExec(`insert into table1 values (1,1,1),(2,2,2)`)
tk.MustExec(`CREATE ROLE 'ACL-mobius-admin'`)
tk.MustExec(`CREATE USER 'mobius-admin'`)
tk.MustExec(`CREATE USER 'mobius-admin-no-role'`)
tk.MustExec(`GRANT Select,Insert,Update,Delete,Create,Drop,Alter,Index,Create View,Show View ON issue24414.* TO 'ACL-mobius-admin'@'%'`)
tk.MustExec(`GRANT Select,Insert,Update,Delete,Create,Drop,Alter,Index,Create View,Show View ON issue24414.* TO 'mobius-admin-no-role'@'%'`)
tk.MustExec(`GRANT 'ACL-mobius-admin'@'%' to 'mobius-admin'@'%'`)
tk.MustExec(`SET DEFAULT ROLE ALL TO 'mobius-admin'`)
// create tables
tk.MustExec(`CREATE ALGORITHM = UNDEFINED DEFINER = 'mobius-admin'@'127.0.0.1' SQL SECURITY DEFINER VIEW test_view (col1 , col2 , col3) AS SELECT * from table1`)
tk.MustExec(`CREATE ALGORITHM = UNDEFINED DEFINER = 'mobius-admin-no-role'@'127.0.0.1' SQL SECURITY DEFINER VIEW test_view2 (col1 , col2 , col3) AS SELECT * from table1`)

// all examples should work
tk.MustExec("select * from test_view")
tk.MustExec("select * from test_view2")
}