Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

privilege: fix RequestVerificationWithUser use of default roles #24442

Merged
merged 9 commits into from
May 10, 2021
Merged

privilege: fix RequestVerificationWithUser use of default roles #24442

merged 9 commits into from
May 10, 2021

Conversation

morgo
Copy link
Contributor

@morgo morgo commented May 6, 2021

What problem does this PR solve?

Issue Number: close #24414

Problem Summary:

Views support a feature to run in the security of the DEFINER. This is useful because it allows column level / row level security to effectively be supported, when TiDB supports neither.

However, the implementation was buggy because RequestVerificationWithUser in the privilege API did not consider default roles for that user correctly. In this fix it now does.

What is changed and how it works?

What's Changed:

Bug fix only.

Related changes

  • Need to cherry-pick to the release branch

Check List

Tests

  • Integration test

Side effects

  • None

Release note

  • SQL Views now consider the default roles associated with the SQL DEFINER correctrly.

@ti-chi-bot ti-chi-bot added the size/M Denotes a PR that changes 30-99 lines, ignoring generated files. label May 6, 2021
@morgo morgo requested a review from bb7133 May 6, 2021 16:10
@bb7133
Copy link
Member

bb7133 commented May 7, 2021

/lgtm

@ti-chi-bot ti-chi-bot added the status/LGT1 Indicates that a PR has LGTM 1. label May 7, 2021
@bb7133
Copy link
Member

bb7133 commented May 7, 2021

PTAL @djshow832

@morgo morgo requested a review from a team May 10, 2021 00:21
@ti-chi-bot
Copy link
Member

[REVIEW NOTIFICATION]

This pull request has been approved by:

  • bb7133
  • wjhuang2016

To complete the pull request process, please ask the reviewers in the list to review by filling /cc @reviewer in the comment.
After your PR has acquired the required number of LGTMs, you can assign this pull request to the committer in the list by filling /assign @committer in the comment to help you merge this pull request.

The full list of commands accepted by this bot can be found here.

Reviewer can indicate their review by writing /lgtm in a comment.
Reviewer can cancel approval by writing /lgtm cancel in a comment.

@ti-chi-bot ti-chi-bot added status/LGT2 Indicates that a PR has LGTM 2. and removed status/LGT1 Indicates that a PR has LGTM 1. labels May 10, 2021
@bb7133
Copy link
Member

bb7133 commented May 10, 2021

/lgtm

@xhebox
Copy link
Contributor

xhebox commented May 10, 2021

/merge

@ti-chi-bot
Copy link
Member

This pull request has been accepted and is ready to merge.

Commit hash: e684d26

@ti-chi-bot ti-chi-bot added the status/can-merge Indicates a PR has been approved by a committer. label May 10, 2021
@ti-chi-bot
Copy link
Member

/run-all-tests

This bot automatically retries jobs that failed on can merge PRs (send feedback to hi-rustin).

Silence the bot with the /merge cancel comment for consistent failures.

@ti-chi-bot
Copy link
Member

/run-all-tests

This bot automatically retries jobs that failed on can merge PRs (send feedback to hi-rustin).

Silence the bot with the /merge cancel comment for consistent failures.

@ti-chi-bot
Copy link
Member

/run-all-tests

This bot automatically retries jobs that failed on can merge PRs (send feedback to hi-rustin).

Silence the bot with the /merge cancel comment for consistent failures.

@ti-chi-bot ti-chi-bot merged commit b8cad01 into pingcap:master May 10, 2021
ti-srebot pushed a commit to ti-srebot/tidb that referenced this pull request May 10, 2021
@morgo @ti-srebot
cherry pick pingcap#24442 to release-4.0
0e0aaaa 
Signed-off-by: ti-srebot <ti-srebot@pingcap.com>
@ti-srebot ti-srebot mentioned this pull request May 10, 2021
Merged
@ti-srebot
Copy link
Contributor

cherry pick to release-4.0 in PR #24531

ti-srebot pushed a commit to ti-srebot/tidb that referenced this pull request May 10, 2021
@morgo @ti-srebot
cherry pick pingcap#24442 to release-5.0
d3f794d 
Signed-off-by: ti-srebot <ti-srebot@pingcap.com>
@ti-srebot ti-srebot mentioned this pull request May 10, 2021
Merged
@ti-srebot
Copy link
Contributor

cherry pick to release-5.0 in PR #24532

ti-chi-bot pushed a commit that referenced this pull request May 12, 2021
@ti-srebot
privilege: fix RequestVerificationWithUser use of default roles (#24442
e25d1d0 
…) (#24531)
@morgo morgo deleted the fix-issue-24414 branch May 31, 2021 20:55
ti-chi-bot pushed a commit that referenced this pull request Aug 12, 2021
@ti-srebot
privilege: fix RequestVerificationWithUser use of default roles (#24442
8a51f59 
…) (#24532)
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@bb7133 bb7133 bb7133 left review comments

@wjhuang2016 wjhuang2016 wjhuang2016 approved these changes

Assignees
No one assigned
Labels
needs-cherry-pick-release-5.0 sig/sql-infra SIG: SQL Infra size/M Denotes a PR that changes 30-99 lines, ignoring generated files. status/can-merge Indicates a PR has been approved by a committer. status/LGT2 Indicates that a PR has LGTM 2.
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Role-base User Created Non-retrievable View
6 participants
@morgo @bb7133 @ti-chi-bot @xhebox @ti-srebot @wjhuang2016