Thanks for the active developments! I'm testing the permission behaviors of TiDB database for production use and found the issue that users can also get the names of tables that are not allowed. Please let me know if it's the expected result or not.
1. Minimal reproduce step (Required)
```
# 1. prepare
# mysql -h 127.0.0.1 -u root -P 4000
MySQL [(none)]> CREATE DATABASE secret;
MySQL [(none)]> CREATE TABLE `secret`.`secret_table` (id int);
MySQL [(none)]> CREATE USER test_user IDENTIFIED BY 'pass'; -- *doesn't have the privilege to access `secret`.`secret_table`*
# 2. check whether the user can get the name of the unpermitted table or not
# mysql -h 127.0.0.1 -u test_user -P 4000 -ppass
# The table must be invisible to the user. The following result is OK.
MySQL [(none)]> SELECT * FROM `INFORMATION_SCHEMA`.`TABLES` WHERE TABLE_SCHEMA = 'secret';
Empty set (0.09 sec)
# But, the user can see the table name using `INFORMATION_SCHEMA`.`TIKV_REGION_STATUS`.
MySQL [(none)]> SELECT * FROM `INFORMATION_SCHEMA`.`TIKV_REGION_STATUS` WHERE DB_NAME = 'secret';
+-----------+--------------------------------------+---------+----------+---------+--------------+----------+----------+------------+----------------+---------------+---------------+------------+------------------+------------------+-------------------------+---------------------------+
| REGION_ID | START_KEY                            | END_KEY | TABLE_ID | DB_NAME | TABLE_NAME   | IS_INDEX | INDEX_ID | INDEX_NAME | EPOCH_CONF_VER | EPOCH_VERSION | WRITTEN_BYTES | READ_BYTES | APPROXIMATE_SIZE | APPROXIMATE_KEYS | REPLICATIONSTATUS_STATE | REPLICATIONSTATUS_STATEID |
+-----------+--------------------------------------+---------+----------+---------+--------------+----------+----------+------------+----------------+---------------+---------------+------------+------------------+------------------+-------------------------+---------------------------+
|     15001 | 748000000000000EFFA900000000000000F8 |         |     3753 | secret  | secret_table |        0 |     NULL | NULL       |              5 |          1587 |             0 |          0 |                1 |                0 | NULL                    |                      NULL |
+-----------+--------------------------------------+---------+----------+---------+--------------+----------+----------+------------+----------------+---------------+---------------+------------+------------------+------------------+-------------------------+---------------------------+
1 row in set (0.05 sec)
```
2. What did you expect to see? (Required)
My expectation was it returns the empty set.
```
MySQL [(none)]> SELECT * FROM `INFORMATION_SCHEMA`.`TIKV_REGION_STATUS` WHERE DB_NAME = 'secret';
Empty set (0.09 sec)
```
I expected that TiDB adapts MySQL's following behavior even if the user accesses the tables in INFORMATION_SCHEMA which are only supported in TiDB.
> For most INFORMATION_SCHEMA tables, each MySQL user has the right to access them, but can see only the rows in the tables that correspond to objects for which the user has the proper access privileges.
Since I haven't checked the other tables in INFORMATION_SCHEMA yet, there might be the same issues.
3. What did you see instead (Required)
4. What is your TiDB version? (Required)
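
A regression check for the behaviour reported above, added here as an example (it is not part of the original issue or of TiDB's own tests): run as the low-privileged test account, it lists every table name that is exposed through `TIKV_REGION_STATUS` but hidden from the same account in `INFORMATION_SCHEMA`.`TABLES`. It uses only the columns shown in the report plus the standard `TABLES` columns, and assumes `TABLES` is privilege-filtered, as the report's first query shows.

```sql
-- Added example, not from the original report.
-- Connect as the account under test (test_user in the reproduction above),
-- not as root: the comparison is only meaningful for a restricted account.
SELECT DISTINCT
       r.DB_NAME,
       r.TABLE_NAME
FROM   `INFORMATION_SCHEMA`.`TIKV_REGION_STATUS` AS r
LEFT JOIN `INFORMATION_SCHEMA`.`TABLES` AS t
       -- LOWER() on both sides so a case difference between the two
       -- metadata tables is not reported as a mismatch
       ON  LOWER(t.TABLE_SCHEMA) = LOWER(r.DB_NAME)
       AND LOWER(t.TABLE_NAME)   = LOWER(r.TABLE_NAME)
WHERE  r.TABLE_NAME IS NOT NULL   -- skip regions that are not mapped to a table
  AND  t.TABLE_NAME IS NULL       -- no matching row in the privilege-filtered view
ORDER BY r.DB_NAME, r.TABLE_NAME;
```

Any row returned is a table whose name the account can read through region metadata without holding a privilege on it; the same join can be pointed at another TiDB-specific `INFORMATION_SCHEMA` table that carries schema and table name columns.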