privilege: fix privilege check of GRANT ROLE (#13896) (#13932)
sre-bot authored Dec 6, 2019
1 parent 0201879 commit cfbe06a
Showing 2 changed files with 29 additions and 3 deletions.
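--- a/executor/simple_test.go
+++ b/executor/simple_test.go
@@ -179,6 +179,31 @@ func (s *testSuite3) TestRole(c *C) {
 tk.MustExec(dropRoleSQL)
 }
 
+func (s *testSuite3) TestRoleAdmin(c *C) {
+tk := testkit.NewTestKit(c, s.store)
+tk.MustExec("CREATE USER 'testRoleAdmin';")
+tk.MustExec("CREATE ROLE 'targetRole';")
+
+// Create a new session.
+se, err := session.CreateSession4Test(s.store)
+c.Check(err, IsNil)
+defer se.Close()
+c.Assert(se.Auth(&auth.UserIdentity{Username: "testRoleAdmin", Hostname: "localhost"}, nil, nil), IsTrue)
+
+ctx := context.Background()
+_, err = se.Execute(ctx, "GRANT `targetRole` TO `testRoleAdmin`;")
+c.Assert(err, NotNil)
+
+tk.MustExec("GRANT SUPER ON *.* TO `testRoleAdmin`;")
+_, err = se.Execute(ctx, "GRANT `targetRole` TO `testRoleAdmin`;")
+c.Assert(err, IsNil)
+_, err = se.Execute(ctx, "REVOKE `targetRole` FROM `testRoleAdmin`;")
+c.Assert(err, IsNil)
+
+tk.MustExec("DROP USER 'testRoleAdmin';")
+tk.MustExec("DROP ROLE 'targetRole';")
+}
+
 func (s *testSuite3) TestDefaultRole(c *C) {
 tk := testkit.NewTestKit(c, s.store)
 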
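Review bot: The negative case in TestRoleAdmin only asserts `c.Assert(err, NotNil)` after the first GRANT of targetRole, so any failure (a parse error, a missing role) would satisfy it, not just the privilege denial this commit is about. Pinning the error kind, for example `c.Assert(terror.ErrorEqual(err, core.ErrSpecificAccessDenied), IsTrue)` if those packages are importable in this test file, would make the test fail when the access check regresses. The REVOKE statement is only exercised after SUPER has been granted, so a matching rejected-REVOKE assertion before `GRANT SUPER ON *.*` would cover the RevokeRoleStmt branch as well. Separately, `c.Check(err, IsNil)` after CreateSession4Test lets the test run on to `defer se.Close()` with a session that may be nil; `c.Assert(err, IsNil)` would stop it there.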
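--- a/planner/core/planbuilder.go
+++ b/planner/core/planbuilder.go
@@ -1361,12 +1361,13 @@ func (b *PlanBuilder) buildSimple(node ast.StmtNode) (Plan, error) {
 case *ast.GrantStmt:
 b.visitInfo = collectVisitInfoFromGrantStmt(b.ctx, b.visitInfo, raw)
 case *ast.GrantRoleStmt:
-err := ErrSpecificAccessDenied.GenWithStackByArgs("GRANT ROLE")
-b.visitInfo = appendVisitInfo(b.visitInfo, mysql.GrantPriv, "", "", "", err)
+err := ErrSpecificAccessDenied.GenWithStackByArgs("SUPER")
+b.visitInfo = appendVisitInfo(b.visitInfo, mysql.SuperPriv, "", "", "", err)
 case *ast.RevokeStmt:
 b.visitInfo = appendVisitInfo(b.visitInfo, mysql.SuperPriv, "", "", "", nil)
 case *ast.RevokeRoleStmt:
-b.visitInfo = appendVisitInfo(b.visitInfo, mysql.SuperPriv, "", "", "", nil)
+err := ErrSpecificAccessDenied.GenWithStackByArgs("SUPER")
+b.visitInfo = appendVisitInfo(b.visitInfo, mysql.SuperPriv, "", "", "", err)
 case *ast.KillStmt:
 // If you have the SUPER privilege, you can kill all threads and statements.
 // Otherwise, you can kill only your own threads and statements.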
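Review bot: The GrantRoleStmt and RevokeRoleStmt branches now gate on `mysql.SuperPriv` with no comment saying why, unlike the KillStmt branch just below them, so the intended privilege model for role administration is not recorded where the check lives. A one-line comment on each branch, such as `// Granting or revoking a role is restricted to SUPER holders.`, would make the requirement explicit for the next change to this switch. The RevokeStmt branch between them still passes `nil` as the error, so its denial presumably surfaces differently from the two role branches; if that is not deliberate, it could take the same `ErrSpecificAccessDenied.GenWithStackByArgs("SUPER")`. buildSimple starts and ends outside this hunk.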
