domain, privilege: backport pingcap#8886 to release-2.1 (pingcap#8948)
morgo authored and ngaut committed Jan 8, 2019
1 parent ae225de commit 936b988
Showing 2 changed files with 6 additions and 22 deletions.
6 changes: 6 additions & 0 deletions domain/domain.go
Expand Up @@ -41,6 +41,7 @@ import (
"github.com/pingcap/tidb/sessionctx/variable"
"github.com/pingcap/tidb/statistics"
"github.com/pingcap/tidb/util"
"github.com/pingcap/tidb/util/sqlexec"
log "github.com/sirupsen/logrus"
"golang.org/x/net/context"
"google.golang.org/grpc"
Expand Down Expand Up @@ -955,6 +956,11 @@ func (do *Domain) NotifyUpdatePrivilege(ctx sessionctx.Context) {
log.Warn("notify update privilege failed:", err)
}
}
// update locally
_, _, err := ctx.(sqlexec.RestrictedSQLExecutor).ExecRestrictedSQL(ctx, `FLUSH PRIVILEGES`)
if err != nil {
log.Errorf("Unable to update privileges: %s", err)
}
}

func recoverInDomain(funcName string, quit bool) {
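Review bot: The unchecked assertion `ctx.(sqlexec.RestrictedSQLExecutor)` in the added "update locally" block panics if NotifyUpdatePrivilege is ever given a sessionctx.Context that does not implement that interface, such as a mock or internal context. The comma-ok form avoids this: `exec, ok := ctx.(sqlexec.RestrictedSQLExecutor)`, then log and return when `!ok`. A failed reload is also only logged, so after a REVOKE this node may keep authorizing against the older, broader privilege cache while the statement appears to have succeeded. Because the function returns nothing, a comment should at least record that, e.g. `// On failure the local privilege cache stays stale until something else reloads it.` The function body starts outside the hunk, so how the notification branch above interacts with this call is not visible here.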
22 changes: 0 additions & 22 deletions privilege/privileges/privileges_test.go
Expand Up @@ -103,53 +103,45 @@ func (s *testPrivilegeSuite) TearDownTest(c *C) {
func (s *testPrivilegeSuite) TestCheckDBPrivilege(c *C) {
rootSe := newSession(c, s.store, s.dbName)
mustExec(c, rootSe, `CREATE USER 'testcheck'@'localhost';`)
mustExec(c, rootSe, `FLUSH PRIVILEGES;`)

se := newSession(c, s.store, s.dbName)
c.Assert(se.Auth(&auth.UserIdentity{Username: "testcheck", Hostname: "localhost"}, nil, nil), IsTrue)
pc := privilege.GetPrivilegeManager(se)
c.Assert(pc.RequestVerification("test", "", "", mysql.SelectPriv), IsFalse)

mustExec(c, rootSe, `GRANT SELECT ON *.* TO 'testcheck'@'localhost';`)
mustExec(c, rootSe, `FLUSH PRIVILEGES;`)
c.Assert(pc.RequestVerification("test", "", "", mysql.SelectPriv), IsTrue)
c.Assert(pc.RequestVerification("test", "", "", mysql.UpdatePriv), IsFalse)

mustExec(c, rootSe, `GRANT Update ON test.* TO 'testcheck'@'localhost';`)
mustExec(c, rootSe, `FLUSH PRIVILEGES;`)
c.Assert(pc.RequestVerification("test", "", "", mysql.UpdatePriv), IsTrue)
}

func (s *testPrivilegeSuite) TestCheckTablePrivilege(c *C) {
rootSe := newSession(c, s.store, s.dbName)
mustExec(c, rootSe, `CREATE USER 'test1'@'localhost';`)
mustExec(c, rootSe, `FLUSH PRIVILEGES;`)

se := newSession(c, s.store, s.dbName)
c.Assert(se.Auth(&auth.UserIdentity{Username: "test1", Hostname: "localhost"}, nil, nil), IsTrue)
pc := privilege.GetPrivilegeManager(se)
c.Assert(pc.RequestVerification("test", "test", "", mysql.SelectPriv), IsFalse)

mustExec(c, rootSe, `GRANT SELECT ON *.* TO 'test1'@'localhost';`)
mustExec(c, rootSe, `FLUSH PRIVILEGES;`)
c.Assert(pc.RequestVerification("test", "test", "", mysql.SelectPriv), IsTrue)
c.Assert(pc.RequestVerification("test", "test", "", mysql.UpdatePriv), IsFalse)

mustExec(c, rootSe, `GRANT Update ON test.* TO 'test1'@'localhost';`)
mustExec(c, rootSe, `FLUSH PRIVILEGES;`)
c.Assert(pc.RequestVerification("test", "test", "", mysql.UpdatePriv), IsTrue)
c.Assert(pc.RequestVerification("test", "test", "", mysql.IndexPriv), IsFalse)

mustExec(c, rootSe, `GRANT Index ON test.test TO 'test1'@'localhost';`)
mustExec(c, rootSe, `FLUSH PRIVILEGES;`)
c.Assert(pc.RequestVerification("test", "test", "", mysql.IndexPriv), IsTrue)
}

func (s *testPrivilegeSuite) TestShowGrants(c *C) {
se := newSession(c, s.store, s.dbName)
mustExec(c, se, `CREATE USER 'show'@'localhost' identified by '123';`)
mustExec(c, se, `GRANT Index ON *.* TO 'show'@'localhost';`)
mustExec(c, se, `FLUSH PRIVILEGES;`)
pc := privilege.GetPrivilegeManager(se)

gs, err := pc.ShowGrants(se, &auth.UserIdentity{Username: "show", Hostname: "localhost"})
Expand All @@ -158,31 +150,27 @@ func (s *testPrivilegeSuite) TestShowGrants(c *C) {
c.Assert(gs[0], Equals, `GRANT Index ON *.* TO 'show'@'localhost'`)

mustExec(c, se, `GRANT Select ON *.* TO 'show'@'localhost';`)
mustExec(c, se, `FLUSH PRIVILEGES;`)
gs, err = pc.ShowGrants(se, &auth.UserIdentity{Username: "show", Hostname: "localhost"})
c.Assert(err, IsNil)
c.Assert(gs, HasLen, 1)
c.Assert(gs[0], Equals, `GRANT Select,Index ON *.* TO 'show'@'localhost'`)

// The order of privs is the same with AllGlobalPrivs
mustExec(c, se, `GRANT Update ON *.* TO 'show'@'localhost';`)
mustExec(c, se, `FLUSH PRIVILEGES;`)
gs, err = pc.ShowGrants(se, &auth.UserIdentity{Username: "show", Hostname: "localhost"})
c.Assert(err, IsNil)
c.Assert(gs, HasLen, 1)
c.Assert(gs[0], Equals, `GRANT Select,Update,Index ON *.* TO 'show'@'localhost'`)

// All privileges
mustExec(c, se, `GRANT ALL ON *.* TO 'show'@'localhost';`)
mustExec(c, se, `FLUSH PRIVILEGES;`)
gs, err = pc.ShowGrants(se, &auth.UserIdentity{Username: "show", Hostname: "localhost"})
c.Assert(err, IsNil)
c.Assert(gs, HasLen, 1)
c.Assert(gs[0], Equals, `GRANT ALL PRIVILEGES ON *.* TO 'show'@'localhost'`)

// Add db scope privileges
mustExec(c, se, `GRANT Select ON test.* TO 'show'@'localhost';`)
mustExec(c, se, `FLUSH PRIVILEGES;`)
gs, err = pc.ShowGrants(se, &auth.UserIdentity{Username: "show", Hostname: "localhost"})
c.Assert(err, IsNil)
c.Assert(gs, HasLen, 2)
Expand All @@ -191,7 +179,6 @@ func (s *testPrivilegeSuite) TestShowGrants(c *C) {
c.Assert(testutil.CompareUnorderedStringSlice(gs, expected), IsTrue)

mustExec(c, se, `GRANT Index ON test1.* TO 'show'@'localhost';`)
mustExec(c, se, `FLUSH PRIVILEGES;`)
gs, err = pc.ShowGrants(se, &auth.UserIdentity{Username: "show", Hostname: "localhost"})
c.Assert(err, IsNil)
c.Assert(gs, HasLen, 3)
Expand All @@ -201,7 +188,6 @@ func (s *testPrivilegeSuite) TestShowGrants(c *C) {
c.Assert(testutil.CompareUnorderedStringSlice(gs, expected), IsTrue)

mustExec(c, se, `GRANT ALL ON test1.* TO 'show'@'localhost';`)
mustExec(c, se, `FLUSH PRIVILEGES;`)
gs, err = pc.ShowGrants(se, &auth.UserIdentity{Username: "show", Hostname: "localhost"})
c.Assert(err, IsNil)
c.Assert(gs, HasLen, 3)
Expand All @@ -212,7 +198,6 @@ func (s *testPrivilegeSuite) TestShowGrants(c *C) {

// Add table scope privileges
mustExec(c, se, `GRANT Update ON test.test TO 'show'@'localhost';`)
mustExec(c, se, `FLUSH PRIVILEGES;`)
gs, err = pc.ShowGrants(se, &auth.UserIdentity{Username: "show", Hostname: "localhost"})
c.Assert(err, IsNil)
c.Assert(gs, HasLen, 4)
Expand All @@ -228,7 +213,6 @@ func (s *testPrivilegeSuite) TestShowGrants(c *C) {
mustExec(c, se, "TRUNCATE TABLE mysql.tables_priv")
mustExec(c, se, `GRANT ALL PRIVILEGES ON `+"`"+`te%`+"`"+`.* TO 'show'@'localhost'`)
mustExec(c, se, `REVOKE ALL PRIVILEGES ON `+"`"+`te%`+"`"+`.* FROM 'show'@'localhost'`)
mustExec(c, se, `FLUSH PRIVILEGES;`)
gs, err = pc.ShowGrants(se, &auth.UserIdentity{Username: "show", Hostname: "localhost"})
c.Assert(err, IsNil)
// It should not be "GRANT ON `te%`.* to 'show'@'localhost'"
Expand All @@ -243,7 +227,6 @@ func (s *testPrivilegeSuite) TestDropTablePriv(c *C) {
c.Assert(se.Auth(&auth.UserIdentity{Username: "root", Hostname: "localhost"}, nil, nil), IsTrue)
mustExec(c, se, `CREATE USER 'drop'@'localhost';`)
mustExec(c, se, `GRANT Select ON test.todrop TO 'drop'@'localhost';`)
mustExec(c, se, `FLUSH PRIVILEGES;`)

// ctx.GetSessionVars().User = "drop@localhost"
c.Assert(se.Auth(&auth.UserIdentity{Username: "drop", Hostname: "localhost"}, nil, nil), IsTrue)
Expand All @@ -254,7 +237,6 @@ func (s *testPrivilegeSuite) TestDropTablePriv(c *C) {
se = newSession(c, s.store, s.dbName)
ctx.GetSessionVars().User = &auth.UserIdentity{Username: "root", Hostname: "localhost"}
mustExec(c, se, `GRANT Drop ON test.todrop TO 'drop'@'localhost';`)
mustExec(c, se, `FLUSH PRIVILEGES;`)

se = newSession(c, s.store, s.dbName)
ctx.GetSessionVars().User = &auth.UserIdentity{Username: "drop", Hostname: "localhost"}
Expand All @@ -268,7 +250,6 @@ func (s *testPrivilegeSuite) TestCheckAuthenticate(c *C) {
mustExec(c, se, `CREATE USER 'u2'@'localhost' identified by 'abc';`)
mustExec(c, se, `CREATE USER 'u3@example.com'@'localhost';`)
mustExec(c, se, `CREATE USER u4@localhost;`)
mustExec(c, se, `FLUSH PRIVILEGES;`)
c.Assert(se.Auth(&auth.UserIdentity{Username: "u1", Hostname: "localhost"}, nil, nil), IsTrue)
c.Assert(se.Auth(&auth.UserIdentity{Username: "u2", Hostname: "localhost"}, nil, nil), IsFalse)
salt := []byte{85, 92, 45, 22, 58, 79, 107, 6, 122, 125, 58, 80, 12, 90, 103, 32, 90, 10, 74, 82}
Expand All @@ -282,7 +263,6 @@ func (s *testPrivilegeSuite) TestCheckAuthenticate(c *C) {
mustExec(c, se1, "drop user 'u2'@'localhost'")
mustExec(c, se1, "drop user 'u3@example.com'@'localhost'")
mustExec(c, se1, "drop user u4@localhost")
mustExec(c, se1, `FLUSH PRIVILEGES;`)

c.Assert(se.Auth(&auth.UserIdentity{Username: "u1", Hostname: "localhost"}, nil, nil), IsFalse)
c.Assert(se.Auth(&auth.UserIdentity{Username: "u2", Hostname: "localhost"}, nil, nil), IsFalse)
Expand All @@ -295,7 +275,6 @@ func (s *testPrivilegeSuite) TestInformationSchema(c *C) {
// This test tests no privilege check for INFORMATION_SCHEMA database.
se := newSession(c, s.store, s.dbName)
mustExec(c, se, `CREATE USER 'u1'@'localhost';`)
mustExec(c, se, `FLUSH PRIVILEGES;`)
c.Assert(se.Auth(&auth.UserIdentity{Username: "u1", Hostname: "localhost"}, nil, nil), IsTrue)
mustExec(c, se, `select * from information_schema.tables`)
mustExec(c, se, `select * from information_schema.key_column_usage`)
Expand All @@ -305,7 +284,6 @@ func (s *testPrivilegeSuite) TestAdminCommand(c *C) {
se := newSession(c, s.store, s.dbName)
c.Assert(se.Auth(&auth.UserIdentity{Username: "root", Hostname: "localhost"}, nil, nil), IsTrue)
mustExec(c, se, `CREATE USER 'test_admin'@'localhost';`)
mustExec(c, se, `FLUSH PRIVILEGES;`)
mustExec(c, se, `CREATE TABLE t(a int)`)

c.Assert(se.Auth(&auth.UserIdentity{Username: "test_admin", Hostname: "localhost"}, nil, nil), IsTrue)