Skip to content

Commit

Permalink
privileges: refine infoschema privilege check (#13006)
Browse files Browse the repository at this point in the history
  • Loading branch information
lysu authored and sre-bot committed Oct 30, 2019
1 parent bfd4b2f commit 02b7634
Show file tree
Hide file tree
Showing 2 changed files with 11 additions and 0 deletions.
5 changes: 5 additions & 0 deletions privilege/privileges/privileges.go
Original file line number Diff line number Diff line change
Expand Up @@ -51,6 +51,11 @@ func (p *UserPrivileges) RequestVerification(activeRoles []*auth.RoleIdentity, d
// Skip check for INFORMATION_SCHEMA database.
// See https://dev.mysql.com/doc/refman/5.7/en/information-schema.html
if strings.EqualFold(db, "INFORMATION_SCHEMA") {
switch priv {
case mysql.CreatePriv, mysql.AlterPriv, mysql.DropPriv, mysql.IndexPriv, mysql.CreateViewPriv,
mysql.InsertPriv, mysql.UpdatePriv, mysql.DeletePriv:
return false
}
return true
}

Expand Down
6 changes: 6 additions & 0 deletions privilege/privileges/privileges_test.go
Original file line number Diff line number Diff line change
Expand Up @@ -643,6 +643,12 @@ func (s *testPrivilegeSuite) TestInformationSchema(c *C) {
c.Assert(se.Auth(&auth.UserIdentity{Username: "u1", Hostname: "localhost"}, nil, nil), IsTrue)
mustExec(c, se, `select * from information_schema.tables`)
mustExec(c, se, `select * from information_schema.key_column_usage`)
_, err := se.Execute(context.Background(), "create table information_schema.t(a int)")
c.Assert(strings.Contains(err.Error(), "denied to user"), IsTrue)
_, err = se.Execute(context.Background(), "drop table information_schema.tables")
c.Assert(strings.Contains(err.Error(), "denied to user"), IsTrue)
_, err = se.Execute(context.Background(), "update information_schema.tables set table_name = 'tst' where table_name = 'mysql'")
c.Assert(strings.Contains(err.Error(), "privilege check fail"), IsTrue)
}

func (s *testPrivilegeSuite) TestAdminCommand(c *C) {
Expand Down

0 comments on commit 02b7634

Please sign in to comment.