Extended component_masking_functions.dictionary_operations

'component_masking_functions.dictionary_operations' extended with more checks for the case when 'mysql.session'@'localhost' system user does not have enough privileges to access 'mysql.masking_dictionaries' table. Also fixed checks for non-existing 'mysql.masking_dictionaries' table.
percona · Jan 14, 2025 · bea9437 · bea9437
1 parent aafce7c
commit bea9437
Show file tree

Hide file tree

Showing 2 changed files with 48 additions and 10 deletions.
diff --git a/mysql-test/suite/component_masking_functions/r/dictionary_operations.result b/mysql-test/suite/component_masking_functions/r/dictionary_operations.result
@@ -55,12 +55,14 @@ SELECT gen_blocklist('Berlin', 'de_cities', NULL);
 ERROR HY000: gen_blocklist<string> UDF failed; argument 3 cannot be null
 #
 # checking the case when there is no mysql.masking_dictionaries table
-SELECT gen_blocklist('Berlin', 'de_cities', 'us_cities');
-ERROR HY000: Error in command service backend interface, because of : "SELECT command denied to user 'mysql.session'@'localhost' for table 'masking_dictionaries'"
+GRANT CREATE, SELECT, INSERT, UPDATE, DELETE ON mysql.masking_dictionaries TO 'mysql.session'@'localhost';
 SELECT gen_dictionary('us_cities');
-ERROR HY000: Error in command service backend interface, because of : "SELECT command denied to user 'mysql.session'@'localhost' for table 'masking_dictionaries'"
+ERROR HY000: Error in command service backend interface, because of : "Table 'mysql.masking_dictionaries' doesn't exist"
 SELECT masking_dictionaries_flush();
-ERROR HY000: Error in command service backend interface, because of : "SELECT command denied to user 'mysql.session'@'localhost' for table 'masking_dictionaries'"
+ERROR HY000: Error in command service backend interface, because of : "Table 'mysql.masking_dictionaries' doesn't exist"
+SELECT masking_dictionary_term_add('single_dict', 'entry');
+ERROR HY000: Error in command service backend interface, because of : "Table 'mysql.masking_dictionaries' doesn't exist"
+REVOKE CREATE, SELECT, INSERT, UPDATE, DELETE ON mysql.masking_dictionaries FROM 'mysql.session'@'localhost';
 #
 # NULL for NULL checks
 include/assert.inc [gen_blocklist() for the NULL primary argument should return NULL]
@@ -86,13 +88,22 @@ ERROR HY000: Can't initialize function 'masking_dictionary_term_remove'; Functio
 SELECT masking_dictionary_remove('single_dict');
 ERROR HY000: Can't initialize function 'masking_dictionary_remove'; Function requires MASKING_DICTIONARIES_ADMIN privilege
 #
-# checking the case when mysql.masking_dictionaries is empty
+# checking the case when 'mysql.session'@'localhost' has insufficient privileges
 CREATE TABLE mysql.masking_dictionaries(
 Dictionary VARCHAR(256) NOT NULL,
 Term VARCHAR(256) NOT NULL,
 UNIQUE INDEX dictionary_term_idx (Dictionary, Term)
 ) ENGINE = InnoDB DEFAULT CHARSET=utf8mb4;
-GRANT SELECT, INSERT, UPDATE, DELETE ON mysql.masking_dictionaries TO 'mysql.session'@'localhost';
+SELECT gen_dictionary('us_cities');
+ERROR HY000: Error in command service backend interface, because of : "SELECT command denied to user 'mysql.session'@'localhost' for table 'masking_dictionaries'"
+SELECT masking_dictionaries_flush();
+ERROR HY000: Error in command service backend interface, because of : "SELECT command denied to user 'mysql.session'@'localhost' for table 'masking_dictionaries'"
+GRANT SELECT ON mysql.masking_dictionaries TO 'mysql.session'@'localhost';
+SELECT masking_dictionary_term_add('single_dict', 'entry');
+ERROR HY000: Error in command service backend interface, because of : "INSERT command denied to user 'mysql.session'@'localhost' for table 'masking_dictionaries'"
+#
+# checking the case when mysql.masking_dictionaries is empty
+GRANT INSERT, UPDATE, DELETE ON mysql.masking_dictionaries TO 'mysql.session'@'localhost';
 include/assert.inc [gen_dictionary on an empty table must return NULL]
 SET @check_expression_result = gen_blocklist('Berlin', 'de_cities', 'us_cities');
 include/assert.inc [the result of evaluating 'gen_blocklist('Berlin', 'de_cities', 'us_cities')' must be equal to 'Berlin']

diff --git a/mysql-test/suite/component_masking_functions/t/dictionary_operations.test b/mysql-test/suite/component_masking_functions/t/dictionary_operations.test
@@ -77,15 +77,23 @@ SELECT gen_blocklist('Berlin', 'de_cities', NULL);
 
 --echo #
 --echo # checking the case when there is no mysql.masking_dictionaries table
---error ER_COMMAND_SERVICE_BACKEND_FAILED
-SELECT gen_blocklist('Berlin', 'de_cities', 'us_cities');
+--connection default
+# here CREATE is needed to grant privileges to a not-yet-existing table
+GRANT CREATE, SELECT, INSERT, UPDATE, DELETE ON mysql.masking_dictionaries TO 'mysql.session'@'localhost';
+--connection con_unpriv
 
 --error ER_COMMAND_SERVICE_BACKEND_FAILED
 SELECT gen_dictionary('us_cities');
 
 --connection con_priv
 --error ER_COMMAND_SERVICE_BACKEND_FAILED
 SELECT masking_dictionaries_flush();
+
+--error ER_COMMAND_SERVICE_BACKEND_FAILED
+SELECT masking_dictionary_term_add('single_dict', 'entry');
+
+--connection default
+REVOKE CREATE, SELECT, INSERT, UPDATE, DELETE ON mysql.masking_dictionaries FROM 'mysql.session'@'localhost';
 --connection con_unpriv
 
 
@@ -131,14 +139,33 @@ SELECT masking_dictionary_term_remove('single_dict', 'entry');
 SELECT masking_dictionary_remove('single_dict');
 
 --echo #
---echo # checking the case when mysql.masking_dictionaries is empty
+--echo # checking the case when 'mysql.session'@'localhost' has insufficient privileges
 --connection default
 CREATE TABLE mysql.masking_dictionaries(
     Dictionary VARCHAR(256) NOT NULL,
     Term VARCHAR(256) NOT NULL,
     UNIQUE INDEX dictionary_term_idx (Dictionary, Term)
 ) ENGINE = InnoDB DEFAULT CHARSET=utf8mb4;
-GRANT SELECT, INSERT, UPDATE, DELETE ON mysql.masking_dictionaries TO 'mysql.session'@'localhost';
+
+--error ER_COMMAND_SERVICE_BACKEND_FAILED
+SELECT gen_dictionary('us_cities');
+
+--connection con_priv
+--error ER_COMMAND_SERVICE_BACKEND_FAILED
+SELECT masking_dictionaries_flush();
+
+--connection default
+GRANT SELECT ON mysql.masking_dictionaries TO 'mysql.session'@'localhost';
+--connection con_priv
+
+--error ER_COMMAND_SERVICE_BACKEND_FAILED
+SELECT masking_dictionary_term_add('single_dict', 'entry');
+
+
+--echo #
+--echo # checking the case when mysql.masking_dictionaries is empty
+--connection default
+GRANT INSERT, UPDATE, DELETE ON mysql.masking_dictionaries TO 'mysql.session'@'localhost';
 --connection con_unpriv
 
 --let $assert_cond = gen_dictionary("us_cities") IS NULL