Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

privilege,planner/core: add dynamic privilege RESOURCE_GROUP_ADMIN for resource group operation | tidb-test=pr/2068 #40632

Merged
merged 6 commits into from
Jan 17, 2023
Merged
Show file tree
Hide file tree
Changes from 5 commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
1 change: 1 addition & 0 deletions executor/executor_test.go
Original file line number Diff line number Diff line change
Expand Up @@ -280,6 +280,7 @@ func TestShow(t *testing.T) {
"RESTRICTED_USER_ADMIN Server Admin ",
"RESTRICTED_CONNECTION_ADMIN Server Admin ",
"RESTRICTED_REPLICA_WRITER_ADMIN Server Admin ",
"RESOURCE_GROUP_ADMIN Server Admin ",
))
require.Len(t, tk.MustQuery("show table status").Rows(), 1)
}
Expand Down
3 changes: 3 additions & 0 deletions planner/core/planbuilder.go
Original file line number Diff line number Diff line change
Expand Up @@ -4755,6 +4755,9 @@ func (b *PlanBuilder) buildDDL(ctx context.Context, node ast.DDLNode) (Plan, err
case *ast.DropPlacementPolicyStmt, *ast.CreatePlacementPolicyStmt, *ast.AlterPlacementPolicyStmt:
err := ErrSpecificAccessDenied.GenWithStackByArgs("SUPER or PLACEMENT_ADMIN")
b.visitInfo = appendDynamicVisitInfo(b.visitInfo, "PLACEMENT_ADMIN", false, err)
case *ast.CreateResourceGroupStmt, *ast.DropResourceGroupStmt, *ast.AlterResourceGroupStmt:
err := ErrSpecificAccessDenied.GenWithStackByArgs("SUPER or RESOURCE_GROUP_ADMIN")
b.visitInfo = appendDynamicVisitInfo(b.visitInfo, "RESOURCE_GROUP_ADMIN", false, err)
}
p := &DDL{Statement: node}
return p, nil
Expand Down
1 change: 1 addition & 0 deletions privilege/privileges/privileges.go
Original file line number Diff line number Diff line change
Expand Up @@ -62,6 +62,7 @@ var dynamicPrivs = []string{
"RESTRICTED_USER_ADMIN", // User can not have their access revoked by SUPER users.
"RESTRICTED_CONNECTION_ADMIN", // Can not be killed by PROCESS/CONNECTION_ADMIN privilege
"RESTRICTED_REPLICA_WRITER_ADMIN", // Can write to the sever even when tidb_restriced_read_only is turned on.
"RESOURCE_GROUP_ADMIN", // Create/Drop/Alter RESOURCE GROUP
}
var dynamicPrivLock sync.Mutex
var defaultTokenLife = 15 * time.Minute
Expand Down
40 changes: 40 additions & 0 deletions privilege/privileges/privileges_test.go
Original file line number Diff line number Diff line change
Expand Up @@ -2571,6 +2571,46 @@ func TestPlacementPolicyStmt(t *testing.T) {
tk.MustExec(dropStmt)
}

func TestResourceGroupAdminDynamicPriv(t *testing.T) {
store := createStoreAndPrepareDB(t)

tk1 := testkit.NewTestKit(t, store)
// tk1 is the root user, create a new user for test.
tk1.Session().Auth(&auth.UserIdentity{
Username: "root",
Hostname: "localhost",
}, nil, nil)
tk1.MustExec("CREATE USER resource_group_user")
tk1.MustExec("set @@global.tidb_enable_resource_control = 1")

// tk2 is the new user.
tk2 := testkit.NewTestKit(t, store)
tk2.Session().Auth(&auth.UserIdentity{
Username: "resource_group_user",
Hostname: "localhost",
}, nil, nil)
err := tk2.ExecToErr("CREATE RESOURCE GROUP test RRU_PER_SEC = 666")
require.EqualError(t, err, "[planner:1227]Access denied; you need (at least one of) the SUPER or RESOURCE_GROUP_ADMIN privilege(s) for this operation")

// grant the RESOURCE_GROUP_ADMIN dynamic privilege to the user.
tk1.MustExec("GRANT RESOURCE_GROUP_ADMIN ON *.* TO resource_group_user")
tk1.MustQuery("SHOW GRANTS FOR resource_group_user").Check(testkit.Rows(
`GRANT USAGE ON *.* TO 'resource_group_user'@'%'`,
`GRANT RESOURCE_GROUP_ADMIN ON *.* TO 'resource_group_user'@'%'`))

tk2.MustExec("CREATE RESOURCE GROUP test RRU_PER_SEC = 666")
tk2.MustExec("CREATE RESOURCE GROUP test2 WRU_PER_SEC = 999")

tk2.MustExec("ALTER RESOURCE GROUP test2 WRU_PER_SEC = 1000")
tk2.MustExec("DROP RESOURCE GROUP test2")

tk1.MustExec("REVOKE RESOURCE_GROUP_ADMIN ON *.* FROM resource_group_user")
err = tk2.ExecToErr("ALTER RESOURCE GROUP test RRU_PER_SEC = 667")
require.EqualError(t, err, "[planner:1227]Access denied; you need (at least one of) the SUPER or RESOURCE_GROUP_ADMIN privilege(s) for this operation")
err = tk2.ExecToErr("DROP RESOURCE GROUP test")
require.EqualError(t, err, "[planner:1227]Access denied; you need (at least one of) the SUPER or RESOURCE_GROUP_ADMIN privilege(s) for this operation")
}

func TestDBNameCaseSensitivityInTableLevel(t *testing.T) {
store := createStoreAndPrepareDB(t)
tk := testkit.NewTestKit(t, store)
Expand Down