1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
|
#
# This file tests how privilege are propagated through a complex role graph.
# Here's a graph
#
# role1 ->- role2 -->- role4 -->- role6 ->- role8
# \ / \
# \->- role5 ->-/ \->- role9 ->- role10 ->- foo@localhost
# / \ /
# role3 ->-/ \->- role7 ->-/
#
# privilege checks verify that grants/revokes are propagated correctly
# from the role1 to role10. additionally debug status variables verify
# that propagation doesn't do unnecessary work (only touches the
# smallest possible number of nodes and doesn't merge privileges that
# didn't change)
#
source include/not_embedded.inc;
create user foo@localhost;
grant select on test.* to foo@localhost;
create role role1;
create role role2;
create role role3;
create role role4;
create role role5;
create role role6;
create role role7;
create role role8;
create role role9;
create role role10;
grant role1 to role2;
grant role2 to role4;
grant role2 to role5;
grant role3 to role5;
grant role4 to role6;
grant role5 to role6;
grant role5 to role7;
grant role6 to role8;
grant role6 to role9;
grant role7 to role9;
grant role9 to role10;
grant role10 to foo@localhost;
# try to create a cycle
--error ER_CANNOT_GRANT_ROLE
grant role10 to role2;
connect (foo, localhost, foo);
--sorted_result
show grants;
--sorted_result
select * from information_schema.applicable_roles;
show status like 'debug%';
#
# global privileges
#
connection default;
grant select on *.* to role1;
show status like 'debug%';
connection foo;
--error ER_TABLEACCESS_DENIED_ERROR
select count(*) from mysql.roles_mapping;
set role role10;
select count(*) from mysql.roles_mapping;
--sorted_result
show grants;
--sorted_result
select * from information_schema.enabled_roles;
connection default;
revoke select on *.* from role1;
show status like 'debug%';
connection foo;
# global privileges are cached in the THD, changes don't take effect immediately
select count(*) from mysql.roles_mapping;
set role none;
set role role10;
--error ER_TABLEACCESS_DENIED_ERROR
select count(*) from mysql.roles_mapping;
set role none;
#
# database privileges
#
connection default;
grant select on mysql.* to role1;
show status like 'debug%';
connection foo;
--error ER_TABLEACCESS_DENIED_ERROR
select count(*) from mysql.roles_mapping;
set role role10;
select count(*) from mysql.roles_mapping;
--sorted_result
show grants;
connection default;
revoke select on mysql.* from role1;
show status like 'debug%';
connection foo;
--error ER_TABLEACCESS_DENIED_ERROR
select count(*) from mysql.roles_mapping;
set role none;
#
# table privileges
#
connection default;
grant select on mysql.roles_mapping to role1;
show status like 'debug%';
connection foo;
--error ER_TABLEACCESS_DENIED_ERROR
select count(*) from mysql.roles_mapping;
set role role10;
select count(*) from mysql.roles_mapping;
--sorted_result
show grants;
connection default;
revoke select on mysql.roles_mapping from role1;
show status like 'debug%';
connection foo;
--error ER_TABLEACCESS_DENIED_ERROR
select count(*) from mysql.roles_mapping;
set role none;
#
# column privileges
#
connection default;
grant select(User) on mysql.roles_mapping to role1;
show status like 'debug%';
connection foo;
--error ER_TABLEACCESS_DENIED_ERROR
select count(*) from mysql.roles_mapping;
set role role10;
--error ER_COLUMNACCESS_DENIED_ERROR
select count(concat(User,Host,Role)) from mysql.roles_mapping;
select count(concat(User)) from mysql.roles_mapping;
--sorted_result
show grants;
connection default;
grant select(Host) on mysql.roles_mapping to role3;
show status like 'debug%';
connection foo;
--error ER_COLUMNACCESS_DENIED_ERROR
select count(concat(User,Host,Role)) from mysql.roles_mapping;
select count(concat(User,Host)) from mysql.roles_mapping;
--sorted_result
show grants;
connection default;
revoke select(User) on mysql.roles_mapping from role1;
show status like 'debug%';
connection foo;
--error ER_COLUMNACCESS_DENIED_ERROR
select count(concat(User,Host)) from mysql.roles_mapping;
select count(concat(Host)) from mysql.roles_mapping;
connection default;
revoke select(Host) on mysql.roles_mapping from role3;
show status like 'debug%';
connection foo;
--error ER_TABLEACCESS_DENIED_ERROR
select count(concat(Host)) from mysql.roles_mapping;
set role none;
#
# routine privileges
#
connection default;
create procedure pr1() select "pr1";
create function fn1() returns char(10) return "fn1";
grant execute on procedure test.pr1 to role1;
show status like 'debug%';
connection foo;
--error ER_PROCACCESS_DENIED_ERROR
call pr1();
set role role10;
call pr1();
--error ER_PROCACCESS_DENIED_ERROR
select fn1();
connection default;
grant execute on function test.fn1 to role5;
show status like 'debug%';
connection foo;
select fn1();
connection default;
revoke execute on procedure test.pr1 from role1;
show status like 'debug%';
connection foo;
--error ER_PROCACCESS_DENIED_ERROR
call pr1();
select fn1();
connection default;
revoke execute on function test.fn1 from role5;
show status like 'debug%';
connection foo;
--error ER_PROCACCESS_DENIED_ERROR
select fn1();
set role none;
connection default;
drop procedure pr1;
drop function fn1;
#
# test shortcuts
#
grant select on mysql.roles_mapping to role3;
show status like 'debug%';
# this grant only propagates to roles role2 and role4,
# and tries to propagate to role5, discovering that it already has it
grant select on mysql.roles_mapping to role1;
show status like 'debug%';
# this only tries to propagate to role5 and exits early
revoke select on mysql.roles_mapping from role3;
show status like 'debug%';
# propagates to all 8 roles, normally
revoke select on mysql.roles_mapping from role1;
show status like 'debug%';
grant select on mysql.* to role1;
show status like 'debug%';
# only entries for `test` are merged, not for `mysql`
grant select on test.* to role1;
show status like 'debug%';
revoke select on mysql.* from role1;
show status like 'debug%';
revoke select on test.* from role1;
show status like 'debug%';
#
# cleanup
#
connection default;
drop user foo@localhost;
drop role role1;
drop role role2;
drop role role3;
drop role role4;
drop role role5;
drop role role6;
drop role role7;
drop role role8;
drop role role9;
drop role role10;
|