Skip to content

Commit

Permalink
executor,privilege: fix "show grants" result for RBAC (#10571) (#10684)
Browse files Browse the repository at this point in the history
  • Loading branch information
tiancaiamao authored and zz-jason committed Jun 4, 2019
1 parent bff7dac commit aed9b01
Show file tree
Hide file tree
Showing 4 changed files with 30 additions and 8 deletions.
7 changes: 6 additions & 1 deletion executor/builder.go
Original file line number Diff line number Diff line change
Expand Up @@ -550,7 +550,12 @@ func (b *executorBuilder) buildShow(v *plannercore.Show) Executor {
is: b.is,
}
if e.Tp == ast.ShowGrants && e.User == nil {
e.User = e.ctx.GetSessionVars().User
// The input is a "show grants" statement, fulfill the user and roles field.
// Note: "show grants" result are different from "show grants for current_user",
// The former determine privileges with roles, while the later doesn't.
vars := e.ctx.GetSessionVars()
e.User = vars.User
e.Roles = vars.ActiveRoles
}
if e.Tp == ast.ShowMasterStatus {
// show master status need start ts.
Expand Down
15 changes: 15 additions & 0 deletions executor/show_test.go
Original file line number Diff line number Diff line change
Expand Up @@ -157,6 +157,21 @@ func (s *testSuite2) TestIssue3641(c *C) {
c.Assert(err.Error(), Equals, plannercore.ErrNoDB.Error())
}

func (s *testSuite2) TestIssue10549(c *C) {
tk := testkit.NewTestKit(c, s.store)
tk.MustExec("CREATE DATABASE newdb;")
tk.MustExec("CREATE ROLE 'app_developer';")
tk.MustExec("GRANT ALL ON newdb.* TO 'app_developer';")
tk.MustExec("CREATE USER 'dev';")
tk.MustExec("GRANT 'app_developer' TO 'dev';")
tk.MustExec("SET DEFAULT ROLE app_developer TO 'dev';")

c.Assert(tk.Se.Auth(&auth.UserIdentity{Username: "dev", Hostname: "localhost", AuthUsername: "dev", AuthHostname: "localhost"}, nil, nil), IsTrue)
tk.MustQuery("SHOW DATABASES;").Check(testkit.Rows("INFORMATION_SCHEMA", "newdb"))
tk.MustQuery("SHOW GRANTS;").Check(testkit.Rows("GRANT USAGE ON *.* TO 'dev'@'%'", "GRANT ALL PRIVILEGES ON newdb.* TO 'dev'@'%'", "GRANT 'app_developer'@'%' TO 'dev'@'%'"))
tk.MustQuery("SHOW GRANTS FOR CURRENT_USER").Check(testkit.Rows("GRANT USAGE ON *.* TO 'dev'@'%'", "GRANT 'app_developer'@'%' TO 'dev'@'%'"))
}

// TestShow2 is moved from session_test
func (s *testSuite2) TestShow2(c *C) {
tk := testkit.NewTestKit(c, s.store)
Expand Down
15 changes: 9 additions & 6 deletions executor/simple.go
Original file line number Diff line number Diff line change
Expand Up @@ -221,17 +221,20 @@ func (e *SimpleExec) setDefaultRoleAll(s *ast.SetDefaultRoleStmt) error {
return nil
}

func (e *SimpleExec) executeSetDefaultRole(s *ast.SetDefaultRoleStmt) error {
func (e *SimpleExec) executeSetDefaultRole(s *ast.SetDefaultRoleStmt) (err error) {
switch s.SetRoleOpt {
case ast.SetRoleAll:
return e.setDefaultRoleAll(s)
err = e.setDefaultRoleAll(s)
case ast.SetRoleNone:
return e.setDefaultRoleNone(s)
err = e.setDefaultRoleNone(s)
case ast.SetRoleRegular:
return e.setDefaultRoleRegular(s)
err = e.setDefaultRoleRegular(s)
}
err := domain.GetDomain(e.ctx).PrivilegeHandle().Update(e.ctx.(sessionctx.Context))
return err
if err != nil {
return
}
domain.GetDomain(e.ctx).NotifyUpdatePrivilege(e.ctx)
return
}

func (e *SimpleExec) setRoleRegular(s *ast.SetRoleStmt) error {
Expand Down
1 change: 0 additions & 1 deletion privilege/privileges/privileges_test.go
Original file line number Diff line number Diff line change
Expand Up @@ -494,7 +494,6 @@ func (s *testPrivilegeSuite) TestUseDB(c *C) {
mustExec(c, se, `CREATE USER 'dev'@'localhost'`)
mustExec(c, se, `GRANT 'app_developer' TO 'dev'@'localhost'`)
mustExec(c, se, `SET DEFAULT ROLE 'app_developer' TO 'dev'@'localhost'`)
mustExec(c, se, `FLUSH PRIVILEGES`)
c.Assert(se.Auth(&auth.UserIdentity{Username: "dev", Hostname: "localhost", AuthUsername: "dev", AuthHostname: "localhost"}, nil, nil), IsTrue)
_, err = se.Execute(context.Background(), "use app_db")
c.Assert(err, IsNil)
Expand Down

0 comments on commit aed9b01

Please sign in to comment.