Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

executor: fix privilege check for 'show create user current_user()' (#11142) #11229

Merged
merged 4 commits into from
Jul 15, 2019
Merged

executor: fix privilege check for 'show create user current_user()' (#11142) #11229

Show file tree
Hide file tree
Changes from 1 commit
Commits
Show all changes
4 commits
Select commit Hold shift + click to select a range
b34a8fd
executor: fix privilege check for 'show create user current_user()' (…
tiancaiamao Jul 9, 2019
61d20d2
Merge branch 'release-3.0' into cherry-11142-show-create-privilege
Jul 12, 2019
6e1a491
Merge branch 'release-3.0' into cherry-11142-show-create-privilege
Jul 15, 2019
6b1efd6
Merge branch 'release-3.0' into cherry-11142-show-create-privilege
zz-jason Jul 15, 2019
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
24 changes: 19 additions & 5 deletions executor/show.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -62,7 +62,7 @@ type ShowExec struct {
Column *ast.ColumnName // Used for `desc table column`.
Flag int // Some flag parsed from sql, such as FULL.
Full bool
User *auth.UserIdentity // Used for show grants.
User *auth.UserIdentity // Used by show grants, show create user.
Roles []*auth.RoleIdentity // Used for show grants.
IfNotExists bool // Used for `show create database if not exists`

Expand Down Expand Up @@ -941,8 +941,23 @@ func (e *ShowExec) fetchShowCreateUser() error {
if checker == nil {
return errors.New("miss privilege checker")
}

userName, hostName := e.User.Username, e.User.Hostname
sessVars := e.ctx.GetSessionVars()
if e.User.CurrentUser {
userName = sessVars.User.AuthUsername
hostName = sessVars.User.AuthHostname
} else {
// Show create user requires the SELECT privilege on mysql.user.
// Ref https://dev.mysql.com/doc/refman/5.7/en/show-create-user.html
activeRoles := sessVars.ActiveRoles
if !checker.RequestVerification(activeRoles, mysql.SystemDB, mysql.UserTable, "", mysql.SelectPriv) {
return e.tableAccessDenied("SELECT", mysql.UserTable)
}
}

sql := fmt.Sprintf(`SELECT * FROM %s.%s WHERE User='%s' AND Host='%s';`,
mysql.SystemDB, mysql.UserTable, e.User.Username, e.User.Hostname)
mysql.SystemDB, mysql.UserTable, userName, hostName)
rows, _, err := e.ctx.(sqlexec.RestrictedSQLExecutor).ExecRestrictedSQL(e.ctx, sql)
if err != nil {
return errors.Trace(err)
Expand All @@ -951,9 +966,8 @@ func (e *ShowExec) fetchShowCreateUser() error {
return ErrCannotUser.GenWithStackByArgs("SHOW CREATE USER",
fmt.Sprintf("'%s'@'%s'", e.User.Username, e.User.Hostname))
}
showStr := fmt.Sprintf("CREATE USER '%s'@'%s' IDENTIFIED WITH 'mysql_native_password' AS '%s' %s",
e.User.Username, e.User.Hostname, checker.GetEncodedPassword(e.User.Username, e.User.Hostname),
"REQUIRE NONE PASSWORD EXPIRE DEFAULT ACCOUNT UNLOCK")
showStr := fmt.Sprintf("CREATE USER '%s'@'%s' IDENTIFIED WITH 'mysql_native_password' AS '%s' REQUIRE NONE PASSWORD EXPIRE DEFAULT ACCOUNT UNLOCK",
e.User.Username, e.User.Hostname, checker.GetEncodedPassword(e.User.Username, e.User.Hostname))
e.appendRow([]interface{}{showStr})
return nil
}
Expand Down
23 changes: 22 additions & 1 deletion executor/show_test.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -278,7 +278,7 @@ func (s *testSuite2) TestShow2(c *C) {
tk.MustQuery("show grants for current_user").Check(testkit.Rows(`GRANT ALL PRIVILEGES ON *.* TO 'root'@'%'`))
}

func (s *testSuite2) TestShow3(c *C) {
func (s *testSuite2) TestShowCreateUser(c *C) {
tk := testkit.NewTestKit(c, s.store)
// Create a new user.
tk.MustExec(`CREATE USER 'test_show_create_user'@'%' IDENTIFIED BY 'root';`)
Expand All @@ -296,6 +296,27 @@ func (s *testSuite2) TestShow3(c *C) {
// Case: a user that doesn't exist
err = tk.QueryToErr("show create user 'aaa'@'localhost';")
c.Assert(err.Error(), Equals, executor.ErrCannotUser.GenWithStackByArgs("SHOW CREATE USER", "'aaa'@'localhost'").Error())

tk.Se.Auth(&auth.UserIdentity{Username: "root", Hostname: "127.0.0.1", AuthUsername: "root", AuthHostname: "%"}, nil, nil)
rows := tk.MustQuery("show create user current_user")
rows.Check(testkit.Rows("CREATE USER 'root'@'127.0.0.1' IDENTIFIED WITH 'mysql_native_password' AS '' REQUIRE NONE PASSWORD EXPIRE DEFAULT ACCOUNT UNLOCK"))

rows = tk.MustQuery("show create user current_user()")
rows.Check(testkit.Rows("CREATE USER 'root'@'127.0.0.1' IDENTIFIED WITH 'mysql_native_password' AS '' REQUIRE NONE PASSWORD EXPIRE DEFAULT ACCOUNT UNLOCK"))

tk.MustExec("create user 'check_priv'")

// "show create user" for other user requires the SELECT privilege on mysql database.
tk1 := testkit.NewTestKit(c, s.store)
tk1.MustExec("use mysql")
succ := tk1.Se.Auth(&auth.UserIdentity{Username: "check_priv", Hostname: "127.0.0.1", AuthUsername: "test_show", AuthHostname: "asdf"}, nil, nil)
c.Assert(succ, IsTrue)
err = tk1.QueryToErr("show create user 'root'@'%'")
c.Assert(err, NotNil)

// "show create user" for current user doesn't check privileges.
rows = tk1.MustQuery("show create user current_user")
rows.Check(testkit.Rows("CREATE USER 'check_priv'@'127.0.0.1' IDENTIFIED WITH 'mysql_native_password' AS '' REQUIRE NONE PASSWORD EXPIRE DEFAULT ACCOUNT UNLOCK"))
}

func (s *testSuite2) TestUnprivilegedShow(c *C) {
Expand Down