Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

domain: run FLUSH PRIVILEGES synchronous on GRANT #8886

Merged
merged 2 commits into from
Dec 31, 2018
Merged
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
6 changes: 6 additions & 0 deletions domain/domain.go
Original file line number Diff line number Diff line change
Expand Up @@ -43,6 +43,7 @@ import (
"github.com/pingcap/tidb/sessionctx/variable"
"github.com/pingcap/tidb/statistics"
"github.com/pingcap/tidb/util"
"github.com/pingcap/tidb/util/sqlexec"
log "github.com/sirupsen/logrus"
"google.golang.org/grpc"
"google.golang.org/grpc/keepalive"
Expand Down Expand Up @@ -957,6 +958,11 @@ func (do *Domain) NotifyUpdatePrivilege(ctx sessionctx.Context) {
log.Warn("notify update privilege failed:", err)
}
}
// update locally
_, _, err := ctx.(sqlexec.RestrictedSQLExecutor).ExecRestrictedSQL(ctx, `FLUSH PRIVILEGES`)
if err != nil {
log.Errorf("Unable to update privileges: %s", err)
}
}

func recoverInDomain(funcName string, quit bool) {
Expand Down
29 changes: 2 additions & 27 deletions privilege/privileges/privileges_test.go
Original file line number Diff line number Diff line change
Expand Up @@ -104,45 +104,38 @@ func (s *testPrivilegeSuite) TearDownTest(c *C) {
func (s *testPrivilegeSuite) TestCheckDBPrivilege(c *C) {
rootSe := newSession(c, s.store, s.dbName)
mustExec(c, rootSe, `CREATE USER 'testcheck'@'localhost';`)
mustExec(c, rootSe, `FLUSH PRIVILEGES;`)

se := newSession(c, s.store, s.dbName)
c.Assert(se.Auth(&auth.UserIdentity{Username: "testcheck", Hostname: "localhost"}, nil, nil), IsTrue)
pc := privilege.GetPrivilegeManager(se)
c.Assert(pc.RequestVerification("test", "", "", mysql.SelectPriv), IsFalse)

mustExec(c, rootSe, `GRANT SELECT ON *.* TO 'testcheck'@'localhost';`)
mustExec(c, rootSe, `FLUSH PRIVILEGES;`)
c.Assert(pc.RequestVerification("test", "", "", mysql.SelectPriv), IsTrue)
c.Assert(pc.RequestVerification("test", "", "", mysql.UpdatePriv), IsFalse)

mustExec(c, rootSe, `GRANT Update ON test.* TO 'testcheck'@'localhost';`)
mustExec(c, rootSe, `FLUSH PRIVILEGES;`)
c.Assert(pc.RequestVerification("test", "", "", mysql.UpdatePriv), IsTrue)
}

func (s *testPrivilegeSuite) TestCheckTablePrivilege(c *C) {
rootSe := newSession(c, s.store, s.dbName)
mustExec(c, rootSe, `CREATE USER 'test1'@'localhost';`)
mustExec(c, rootSe, `FLUSH PRIVILEGES;`)

se := newSession(c, s.store, s.dbName)
c.Assert(se.Auth(&auth.UserIdentity{Username: "test1", Hostname: "localhost"}, nil, nil), IsTrue)
pc := privilege.GetPrivilegeManager(se)
c.Assert(pc.RequestVerification("test", "test", "", mysql.SelectPriv), IsFalse)

mustExec(c, rootSe, `GRANT SELECT ON *.* TO 'test1'@'localhost';`)
mustExec(c, rootSe, `FLUSH PRIVILEGES;`)
c.Assert(pc.RequestVerification("test", "test", "", mysql.SelectPriv), IsTrue)
c.Assert(pc.RequestVerification("test", "test", "", mysql.UpdatePriv), IsFalse)

mustExec(c, rootSe, `GRANT Update ON test.* TO 'test1'@'localhost';`)
mustExec(c, rootSe, `FLUSH PRIVILEGES;`)
c.Assert(pc.RequestVerification("test", "test", "", mysql.UpdatePriv), IsTrue)
c.Assert(pc.RequestVerification("test", "test", "", mysql.IndexPriv), IsFalse)

mustExec(c, rootSe, `GRANT Index ON test.test TO 'test1'@'localhost';`)
mustExec(c, rootSe, `FLUSH PRIVILEGES;`)
c.Assert(pc.RequestVerification("test", "test", "", mysql.IndexPriv), IsTrue)
}

Expand All @@ -151,7 +144,6 @@ func (s *testPrivilegeSuite) TestShowGrants(c *C) {
ctx, _ := se.(sessionctx.Context)
mustExec(c, se, `CREATE USER 'show'@'localhost' identified by '123';`)
mustExec(c, se, `GRANT Index ON *.* TO 'show'@'localhost';`)
mustExec(c, se, `FLUSH PRIVILEGES;`)
pc := privilege.GetPrivilegeManager(se)

gs, err := pc.ShowGrants(se, &auth.UserIdentity{Username: "show", Hostname: "localhost"})
Expand All @@ -160,31 +152,27 @@ func (s *testPrivilegeSuite) TestShowGrants(c *C) {
c.Assert(gs[0], Equals, `GRANT Index ON *.* TO 'show'@'localhost'`)

mustExec(c, se, `GRANT Select ON *.* TO 'show'@'localhost';`)
mustExec(c, se, `FLUSH PRIVILEGES;`)
gs, err = pc.ShowGrants(se, &auth.UserIdentity{Username: "show", Hostname: "localhost"})
c.Assert(err, IsNil)
c.Assert(gs, HasLen, 1)
c.Assert(gs[0], Equals, `GRANT Select,Index ON *.* TO 'show'@'localhost'`)

// The order of privs is the same with AllGlobalPrivs
mustExec(c, se, `GRANT Update ON *.* TO 'show'@'localhost';`)
mustExec(c, se, `FLUSH PRIVILEGES;`)
gs, err = pc.ShowGrants(se, &auth.UserIdentity{Username: "show", Hostname: "localhost"})
c.Assert(err, IsNil)
c.Assert(gs, HasLen, 1)
c.Assert(gs[0], Equals, `GRANT Select,Update,Index ON *.* TO 'show'@'localhost'`)

// All privileges
mustExec(c, se, `GRANT ALL ON *.* TO 'show'@'localhost';`)
mustExec(c, se, `FLUSH PRIVILEGES;`)
gs, err = pc.ShowGrants(se, &auth.UserIdentity{Username: "show", Hostname: "localhost"})
c.Assert(err, IsNil)
c.Assert(gs, HasLen, 1)
c.Assert(gs[0], Equals, `GRANT ALL PRIVILEGES ON *.* TO 'show'@'localhost'`)

// Add db scope privileges
mustExec(c, se, `GRANT Select ON test.* TO 'show'@'localhost';`)
mustExec(c, se, `FLUSH PRIVILEGES;`)
gs, err = pc.ShowGrants(se, &auth.UserIdentity{Username: "show", Hostname: "localhost"})
c.Assert(err, IsNil)
c.Assert(gs, HasLen, 2)
Expand All @@ -193,7 +181,6 @@ func (s *testPrivilegeSuite) TestShowGrants(c *C) {
c.Assert(testutil.CompareUnorderedStringSlice(gs, expected), IsTrue)

mustExec(c, se, `GRANT Index ON test1.* TO 'show'@'localhost';`)
mustExec(c, se, `FLUSH PRIVILEGES;`)
gs, err = pc.ShowGrants(se, &auth.UserIdentity{Username: "show", Hostname: "localhost"})
c.Assert(err, IsNil)
c.Assert(gs, HasLen, 3)
Expand All @@ -203,7 +190,6 @@ func (s *testPrivilegeSuite) TestShowGrants(c *C) {
c.Assert(testutil.CompareUnorderedStringSlice(gs, expected), IsTrue)

mustExec(c, se, `GRANT ALL ON test1.* TO 'show'@'localhost';`)
mustExec(c, se, `FLUSH PRIVILEGES;`)
gs, err = pc.ShowGrants(se, &auth.UserIdentity{Username: "show", Hostname: "localhost"})
c.Assert(err, IsNil)
c.Assert(gs, HasLen, 3)
Expand All @@ -214,7 +200,6 @@ func (s *testPrivilegeSuite) TestShowGrants(c *C) {

// Add table scope privileges
mustExec(c, se, `GRANT Update ON test.test TO 'show'@'localhost';`)
mustExec(c, se, `FLUSH PRIVILEGES;`)
gs, err = pc.ShowGrants(se, &auth.UserIdentity{Username: "show", Hostname: "localhost"})
c.Assert(err, IsNil)
c.Assert(gs, HasLen, 4)
Expand All @@ -229,7 +214,6 @@ func (s *testPrivilegeSuite) TestShowGrants(c *C) {
mustExec(c, se, `REVOKE Select on test.* FROM 'show'@'localhost'`)
mustExec(c, se, `REVOKE ALL ON test1.* FROM 'show'@'localhost'`)
mustExec(c, se, `REVOKE UPDATE on test.test FROM 'show'@'localhost'`)
mustExec(c, se, `FLUSH PRIVILEGES;`)
gs, err = pc.ShowGrants(se, &auth.UserIdentity{Username: "show", Hostname: "localhost"})
c.Assert(err, IsNil)
c.Assert(gs, HasLen, 1)
Expand All @@ -239,7 +223,6 @@ func (s *testPrivilegeSuite) TestShowGrants(c *C) {
// Which we need privileges to do so!
ctx.GetSessionVars().User = &auth.UserIdentity{Username: "root", Hostname: "localhost"}
mustExec(c, se, `DROP USER 'show'@'localhost'`)
mustExec(c, se, `FLUSH PRIVILEGES;`)

// This should now return an error
gs, err = pc.ShowGrants(se, &auth.UserIdentity{Username: "show", Hostname: "localhost"})
Expand All @@ -257,7 +240,6 @@ func (s *testPrivilegeSuite) TestDropTablePriv(c *C) {
c.Assert(se.Auth(&auth.UserIdentity{Username: "root", Hostname: "localhost"}, nil, nil), IsTrue)
mustExec(c, se, `CREATE USER 'drop'@'localhost';`)
mustExec(c, se, `GRANT Select ON test.todrop TO 'drop'@'localhost';`)
mustExec(c, se, `FLUSH PRIVILEGES;`)

// ctx.GetSessionVars().User = "drop@localhost"
c.Assert(se.Auth(&auth.UserIdentity{Username: "drop", Hostname: "localhost"}, nil, nil), IsTrue)
Expand All @@ -268,7 +250,6 @@ func (s *testPrivilegeSuite) TestDropTablePriv(c *C) {
se = newSession(c, s.store, s.dbName)
ctx.GetSessionVars().User = &auth.UserIdentity{Username: "root", Hostname: "localhost"}
mustExec(c, se, `GRANT Drop ON test.todrop TO 'drop'@'localhost';`)
mustExec(c, se, `FLUSH PRIVILEGES;`)

se = newSession(c, s.store, s.dbName)
ctx.GetSessionVars().User = &auth.UserIdentity{Username: "drop", Hostname: "localhost"}
Expand All @@ -283,16 +264,15 @@ func (s *testPrivilegeSuite) TestSetPasswdStmt(c *C) {
mustExec(c, se, "CREATE USER 'superuser'")
mustExec(c, se, "CREATE USER 'nobodyuser'")
mustExec(c, se, "GRANT ALL ON *.* TO 'superuser'")
mustExec(c, se, "FLUSH PRIVILEGES")

c.Assert(se.Auth(&auth.UserIdentity{Username: "superuser", Hostname: "localhost", AuthUsername: "superuser", AuthHostname: "%"}, nil, nil), IsTrue)
mustExec(c, se, "SET PASSWORD for 'nobodyuser' = 'newpassword'")
mustExec(c, se, "SET PASSWORD for 'nobodyuser' = ''")

// low privileged user trying to set password for other user (fails)
c.Assert(se.Auth(&auth.UserIdentity{Username: "nobodyuser", Hostname: "localhost", AuthUsername: "nobodyuser", AuthHostname: "%"}, nil, nil), IsTrue)
_, err := se.Execute(context.Background(), "SET PASSWORD for 'superuser' = 'newpassword'")
c.Assert(err, NotNil)

}

func (s *testPrivilegeSuite) TestCheckAuthenticate(c *C) {
Expand All @@ -302,7 +282,7 @@ func (s *testPrivilegeSuite) TestCheckAuthenticate(c *C) {
mustExec(c, se, `CREATE USER 'u2'@'localhost' identified by 'abc';`)
mustExec(c, se, `CREATE USER '[email protected]'@'localhost';`)
mustExec(c, se, `CREATE USER u4@localhost;`)
mustExec(c, se, `FLUSH PRIVILEGES;`)

c.Assert(se.Auth(&auth.UserIdentity{Username: "u1", Hostname: "localhost"}, nil, nil), IsTrue)
c.Assert(se.Auth(&auth.UserIdentity{Username: "u2", Hostname: "localhost"}, nil, nil), IsFalse)
salt := []byte{85, 92, 45, 22, 58, 79, 107, 6, 122, 125, 58, 80, 12, 90, 103, 32, 90, 10, 74, 82}
Expand All @@ -316,7 +296,6 @@ func (s *testPrivilegeSuite) TestCheckAuthenticate(c *C) {
mustExec(c, se1, "drop user 'u2'@'localhost'")
mustExec(c, se1, "drop user '[email protected]'@'localhost'")
mustExec(c, se1, "drop user u4@localhost")
mustExec(c, se1, `FLUSH PRIVILEGES;`)

c.Assert(se.Auth(&auth.UserIdentity{Username: "u1", Hostname: "localhost"}, nil, nil), IsFalse)
c.Assert(se.Auth(&auth.UserIdentity{Username: "u2", Hostname: "localhost"}, nil, nil), IsFalse)
Expand All @@ -331,7 +310,6 @@ func (s *testPrivilegeSuite) TestUseDb(c *C) {
mustExec(c, se, "CREATE USER 'usesuper'")
mustExec(c, se, "CREATE USER 'usenobody'")
mustExec(c, se, "GRANT ALL ON *.* TO 'usesuper'")
mustExec(c, se, "FLUSH PRIVILEGES")
c.Assert(se.Auth(&auth.UserIdentity{Username: "usesuper", Hostname: "localhost", AuthUsername: "usesuper", AuthHostname: "%"}, nil, nil), IsTrue)
mustExec(c, se, "use mysql")
// low privileged user
Expand All @@ -342,7 +320,6 @@ func (s *testPrivilegeSuite) TestUseDb(c *C) {
// try again after privilege granted
c.Assert(se.Auth(&auth.UserIdentity{Username: "usesuper", Hostname: "localhost", AuthUsername: "usesuper", AuthHostname: "%"}, nil, nil), IsTrue)
mustExec(c, se, "GRANT SELECT ON mysql.* TO 'usenobody'")
mustExec(c, se, "FLUSH PRIVILEGES")
c.Assert(se.Auth(&auth.UserIdentity{Username: "usenobody", Hostname: "localhost", AuthUsername: "usenobody", AuthHostname: "%"}, nil, nil), IsTrue)
_, err = se.Execute(context.Background(), "use mysql")
c.Assert(err, IsNil)
Expand Down Expand Up @@ -391,7 +368,6 @@ func (s *testPrivilegeSuite) TestInformationSchema(c *C) {
// This test tests no privilege check for INFORMATION_SCHEMA database.
se := newSession(c, s.store, s.dbName)
mustExec(c, se, `CREATE USER 'u1'@'localhost';`)
mustExec(c, se, `FLUSH PRIVILEGES;`)
c.Assert(se.Auth(&auth.UserIdentity{Username: "u1", Hostname: "localhost"}, nil, nil), IsTrue)
mustExec(c, se, `select * from information_schema.tables`)
mustExec(c, se, `select * from information_schema.key_column_usage`)
Expand All @@ -401,7 +377,6 @@ func (s *testPrivilegeSuite) TestAdminCommand(c *C) {
se := newSession(c, s.store, s.dbName)
c.Assert(se.Auth(&auth.UserIdentity{Username: "root", Hostname: "localhost"}, nil, nil), IsTrue)
mustExec(c, se, `CREATE USER 'test_admin'@'localhost';`)
mustExec(c, se, `FLUSH PRIVILEGES;`)
mustExec(c, se, `CREATE TABLE t(a int)`)

c.Assert(se.Auth(&auth.UserIdentity{Username: "test_admin", Hostname: "localhost"}, nil, nil), IsTrue)
Expand Down