Skip to content

Commit

Permalink
fix merge
Browse files Browse the repository at this point in the history
  • Loading branch information
morgo committed May 10, 2021
1 parent 0e0aaaa commit 7514eed
Showing 1 changed file with 0 additions and 156 deletions.
156 changes: 0 additions & 156 deletions privilege/privileges/privileges_test.go
Original file line number Diff line number Diff line change
Expand Up @@ -1178,161 +1178,6 @@ func newSession(c *C, store kv.Storage, dbName string) session.Session {
mustExec(c, se, "use "+dbName)
return se
}
<<<<<<< HEAD
=======

func (s *testPrivilegeSuite) TestDynamicPrivs(c *C) {
rootSe := newSession(c, s.store, s.dbName)
mustExec(c, rootSe, "CREATE USER notsuper")
mustExec(c, rootSe, "CREATE USER otheruser")
mustExec(c, rootSe, "CREATE ROLE anyrolename")
mustExec(c, rootSe, "SET tidb_enable_dynamic_privileges=1")

se := newSession(c, s.store, s.dbName)
c.Assert(se.Auth(&auth.UserIdentity{Username: "notsuper", Hostname: "%"}, nil, nil), IsTrue)
mustExec(c, se, "SET tidb_enable_dynamic_privileges=1")

// test SYSTEM_VARIABLES_ADMIN
_, err := se.ExecuteInternal(context.Background(), "SET GLOBAL wait_timeout = 86400")
c.Assert(err.Error(), Equals, "[planner:1227]Access denied; you need (at least one of) the SUPER or SYSTEM_VARIABLES_ADMIN privilege(s) for this operation")
mustExec(c, rootSe, "GRANT SYSTEM_VARIABLES_admin ON *.* TO notsuper")
mustExec(c, se, "SET GLOBAL wait_timeout = 86400")

// test ROLE_ADMIN
_, err = se.ExecuteInternal(context.Background(), "GRANT anyrolename TO otheruser")
c.Assert(err.Error(), Equals, "[planner:1227]Access denied; you need (at least one of) the SUPER or ROLE_ADMIN privilege(s) for this operation")
mustExec(c, rootSe, "GRANT ROLE_ADMIN ON *.* TO notsuper")
mustExec(c, se, "GRANT anyrolename TO otheruser")

// revoke SYSTEM_VARIABLES_ADMIN, confirm it is dropped
mustExec(c, rootSe, "REVOKE SYSTEM_VARIABLES_AdmIn ON *.* FROM notsuper")
_, err = se.ExecuteInternal(context.Background(), "SET GLOBAL wait_timeout = 86000")
c.Assert(err.Error(), Equals, "[planner:1227]Access denied; you need (at least one of) the SUPER or SYSTEM_VARIABLES_ADMIN privilege(s) for this operation")

// grant super, confirm that it is also a substitute for SYSTEM_VARIABLES_ADMIN
mustExec(c, rootSe, "GRANT SUPER ON *.* TO notsuper")
mustExec(c, se, "SET GLOBAL wait_timeout = 86400")

// revoke SUPER, assign SYSTEM_VARIABLES_ADMIN to anyrolename.
// confirm that a dynamic privilege can be inherited from a role.
mustExec(c, rootSe, "REVOKE SUPER ON *.* FROM notsuper")
mustExec(c, rootSe, "GRANT SYSTEM_VARIABLES_AdmIn ON *.* TO anyrolename")
mustExec(c, rootSe, "GRANT anyrolename TO notsuper")

// It's not a default role, this should initially fail:
_, err = se.ExecuteInternal(context.Background(), "SET GLOBAL wait_timeout = 86400")
c.Assert(err.Error(), Equals, "[planner:1227]Access denied; you need (at least one of) the SUPER or SYSTEM_VARIABLES_ADMIN privilege(s) for this operation")
mustExec(c, se, "SET ROLE anyrolename")
mustExec(c, se, "SET GLOBAL wait_timeout = 87000")
}

func (s *testPrivilegeSuite) TestDynamicGrantOption(c *C) {
rootSe := newSession(c, s.store, s.dbName)
mustExec(c, rootSe, "CREATE USER varuser1")
mustExec(c, rootSe, "CREATE USER varuser2")
mustExec(c, rootSe, "CREATE USER varuser3")
mustExec(c, rootSe, "SET tidb_enable_dynamic_privileges=1")

mustExec(c, rootSe, "GRANT SYSTEM_VARIABLES_ADMIN ON *.* TO varuser1")
mustExec(c, rootSe, "GRANT SYSTEM_VARIABLES_ADMIN ON *.* TO varuser2 WITH GRANT OPTION")

se1 := newSession(c, s.store, s.dbName)
mustExec(c, se1, "SET tidb_enable_dynamic_privileges=1")

c.Assert(se1.Auth(&auth.UserIdentity{Username: "varuser1", Hostname: "%"}, nil, nil), IsTrue)
_, err := se1.ExecuteInternal(context.Background(), "GRANT SYSTEM_VARIABLES_ADMIN ON *.* TO varuser3")
c.Assert(err.Error(), Equals, "[planner:1227]Access denied; you need (at least one of) the GRANT OPTION privilege(s) for this operation")

se2 := newSession(c, s.store, s.dbName)
mustExec(c, se2, "SET tidb_enable_dynamic_privileges=1")

c.Assert(se2.Auth(&auth.UserIdentity{Username: "varuser2", Hostname: "%"}, nil, nil), IsTrue)
mustExec(c, se2, "GRANT SYSTEM_VARIABLES_ADMIN ON *.* TO varuser3")
}

func (s *testPrivilegeSuite) TestSecurityEnhancedModeRestrictedTables(c *C) {
// This provides an integration test of the tests in util/security/security_test.go
cloudAdminSe := newSession(c, s.store, s.dbName)
mustExec(c, cloudAdminSe, "CREATE USER cloudadmin")
mustExec(c, cloudAdminSe, "SET tidb_enable_dynamic_privileges=1")
mustExec(c, cloudAdminSe, "GRANT RESTRICTED_TABLES_ADMIN, SELECT ON *.* to cloudadmin")
mustExec(c, cloudAdminSe, "GRANT CREATE ON mysql.* to cloudadmin")
mustExec(c, cloudAdminSe, "CREATE USER uroot")
mustExec(c, cloudAdminSe, "GRANT ALL ON *.* to uroot WITH GRANT OPTION") // A "MySQL" all powerful user.
c.Assert(cloudAdminSe.Auth(&auth.UserIdentity{Username: "cloudadmin", Hostname: "%"}, nil, nil), IsTrue)
urootSe := newSession(c, s.store, s.dbName)
mustExec(c, urootSe, "SET tidb_enable_dynamic_privileges=1")
c.Assert(urootSe.Auth(&auth.UserIdentity{Username: "uroot", Hostname: "%"}, nil, nil), IsTrue)

sem.Enable()
defer sem.Disable()

_, err := urootSe.ExecuteInternal(context.Background(), "use metrics_schema")
c.Assert(err.Error(), Equals, "[executor:1044]Access denied for user 'uroot'@'%' to database 'metrics_schema'")

_, err = urootSe.ExecuteInternal(context.Background(), "SELECT * FROM metrics_schema.uptime")
c.Assert(err.Error(), Equals, "[planner:1142]SELECT command denied to user 'uroot'@'%' for table 'uptime'")

_, err = urootSe.ExecuteInternal(context.Background(), "CREATE TABLE mysql.abcd (a int)")
c.Assert(err.Error(), Equals, "[planner:1142]CREATE command denied to user 'uroot'@'%' for table 'abcd'")

mustExec(c, cloudAdminSe, "USE metrics_schema")
mustExec(c, cloudAdminSe, "SELECT * FROM metrics_schema.uptime")
mustExec(c, cloudAdminSe, "CREATE TABLE mysql.abcd (a int)")
}

func (s *testPrivilegeSuite) TestSecurityEnhancedModeInfoschema(c *C) {
tk := testkit.NewTestKit(c, s.store)
tk.MustExec("CREATE USER uroot1, uroot2, uroot3")
tk.MustExec("GRANT SUPER ON *.* to uroot1 WITH GRANT OPTION") // super not process
tk.MustExec("SET tidb_enable_dynamic_privileges=1")
tk.MustExec("GRANT SUPER, PROCESS, RESTRICTED_TABLES_ADMIN ON *.* to uroot2 WITH GRANT OPTION")
tk.Se.Auth(&auth.UserIdentity{
Username: "uroot1",
Hostname: "localhost",
AuthUsername: "uroot",
AuthHostname: "%",
}, nil, nil)

sem.Enable()
defer sem.Disable()

// Even though we have super, we still can't read protected information from tidb_servers_info, cluster_* tables
tk.MustQuery(`SELECT COUNT(*) FROM information_schema.tidb_servers_info WHERE ip IS NOT NULL`).Check(testkit.Rows("0"))
tk.MustQuery(`SELECT COUNT(*) FROM information_schema.cluster_info WHERE status_address IS NOT NULL`).Check(testkit.Rows("0"))
// 36 = a UUID. Normally it is an IP address.
tk.MustQuery(`SELECT COUNT(*) FROM information_schema.CLUSTER_STATEMENTS_SUMMARY WHERE length(instance) != 36`).Check(testkit.Rows("0"))

// That is unless we have the RESTRICTED_TABLES_ADMIN privilege
tk.Se.Auth(&auth.UserIdentity{
Username: "uroot2",
Hostname: "localhost",
AuthUsername: "uroot",
AuthHostname: "%",
}, nil, nil)

// flip from is NOT NULL etc
tk.MustQuery(`SELECT COUNT(*) FROM information_schema.tidb_servers_info WHERE ip IS NULL`).Check(testkit.Rows("0"))
tk.MustQuery(`SELECT COUNT(*) FROM information_schema.cluster_info WHERE status_address IS NULL`).Check(testkit.Rows("0"))
tk.MustQuery(`SELECT COUNT(*) FROM information_schema.CLUSTER_STATEMENTS_SUMMARY WHERE length(instance) = 36`).Check(testkit.Rows("0"))
}

func (s *testPrivilegeSuite) TestSecurityEnhancedModeStatusVars(c *C) {
// Without TiKV the status var list does not include tidb_gc_leader_desc
// So we can only test that the dynamic privilege is grantable.
// We will have to use an integration test to run SHOW STATUS LIKE 'tidb_gc_leader_desc'
// and verify if it appears.
tk := testkit.NewTestKit(c, s.store)
tk.MustExec("CREATE USER unostatus, ustatus")
tk.MustExec("SET tidb_enable_dynamic_privileges=1")
tk.MustExec("GRANT RESTRICTED_STATUS_ADMIN ON *.* to ustatus")
tk.Se.Auth(&auth.UserIdentity{
Username: "unostatus",
Hostname: "localhost",
AuthUsername: "uroot",
AuthHostname: "%",
}, nil, nil)
}

// TestViewDefiner tests that default roles are correctly applied in the algorithm definer
// See: https://github.com/pingcap/tidb/issues/24414
Expand Down Expand Up @@ -1361,4 +1206,3 @@ func (s *testPrivilegeSuite) TestViewDefiner(c *C) {
tk.MustExec("select * from test_view")
tk.MustExec("select * from test_view2")
}
>>>>>>> b8cad01be... privilege: fix RequestVerificationWithUser use of default roles (#24442)

0 comments on commit 7514eed

Please sign in to comment.