diff options
Diffstat (limited to 'mysql-test/suite/roles/role_grant_propagate.test')
-rw-r--r-- | mysql-test/suite/roles/role_grant_propagate.test | 212 |
1 files changed, 212 insertions, 0 deletions
diff --git a/mysql-test/suite/roles/role_grant_propagate.test b/mysql-test/suite/roles/role_grant_propagate.test new file mode 100644 index 00000000..02d451f0 --- /dev/null +++ b/mysql-test/suite/roles/role_grant_propagate.test @@ -0,0 +1,212 @@ +--source include/not_embedded.inc + +--echo # +--echo # MDEV-29458 Role grant commands do not propagate all grants +--echo # + +create user foo; +create database some_db; +create table some_db.t1 (a int, b int, secret int); + +delimiter //; +CREATE PROCEDURE some_db.p1 (OUT param1 INT) + BEGIN + SELECT COUNT(*) INTO param1 FROM some_db.t1; + END; +// +delimiter ;// + +delimiter //; +CREATE FUNCTION some_db.f1 (param1 INT) RETURNS INT + BEGIN + DECLARE c INT; + SET c = 100; + RETURN param1 + c; + END; +// +delimiter ;// + +--echo # +--echo # These roles will form a two level hierarchy. +--echo # The "select" role will have the select privilege, while +--echo # the active role will inherit the select role. +--echo # +--echo # The active role will be granted a different privilege but on the same +--echo # level (global, database, table, proc respectively) *after* the 'select' +--echo # role has been granted its select privilege. +--echo # + +create role r_select_global; +create role r_active_global; + +create role r_select_database; +create role r_active_database; + +create role r_select_table; +create role r_active_table; + +create role r_select_column; +create role r_active_column; + +create role r_execute_proc; +create role r_active_proc; + +create role r_execute_func; +create role r_active_func; + +grant r_select_global to r_active_global; +grant r_select_database to r_active_database; +grant r_select_table to r_active_table; +grant r_select_column to r_active_column; +grant r_execute_proc to r_active_proc; +grant r_execute_func to r_active_func; + +--echo # +--echo # These 3 roles form a chain, where only the upper level has select +--echo # privileges and the middle level will receive a grant for the same level +--echo # privilege, but different kind (for example select on upper and insert +--echo # on middle). +--echo # +--echo # The lower level should inherit both rights. +--echo # +create role upper_level; +create role middle_level; +create role lower_level; + +grant upper_level to middle_level; +grant middle_level to lower_level; + +grant r_active_global to foo; +grant r_active_database to foo; +grant r_active_table to foo; +grant r_active_column to foo; +grant r_active_proc to foo; +grant r_active_func to foo; +grant lower_level to foo; + +grant select on *.* to r_select_global; +grant select on some_db.* to r_select_database; +grant select on some_db.t1 to r_select_table; +grant select(a) on some_db.t1 to r_select_column; +grant select on *.* to upper_level; + +grant execute on procedure some_db.p1 to r_execute_proc; +grant execute on function some_db.f1 to r_execute_func; + + +--echo # +--echo # Granting a privilege different than select on the corresponding level. +--echo # This tests that the base role correctly inherits its granted roles +--echo # privileges. +--echo # +grant insert on *.* to r_active_global; +grant insert on some_db.* to r_active_database; +grant insert on some_db.t1 to r_active_table; +grant insert(a) on some_db.t1 to r_active_column; +grant insert on *.* to middle_level; + +grant alter routine on procedure some_db.p1 to r_active_proc; +grant alter routine on function some_db.f1 to r_active_func; + +--connect (con1, localhost, foo,,) +--error ER_TABLEACCESS_DENIED_ERROR +select * from some_db.t1; + +--echo # +--echo # Before MDEV-29458 fix, all these commands would return +--echo # ER_TABLEACCESS_DENIED_ERROR +--echo # +set role r_active_global; +select * from some_db.t1; +set role r_active_database; +select * from some_db.t1; +set role r_active_table; +select * from some_db.t1; +set role r_active_column; +select a from some_db.t1; +set role lower_level; +select * from some_db.t1; + +set role r_active_proc; +set @var=100; +call some_db.p1(@var); + +set role r_active_func; +select some_db.f1(10); + +disconnect con1; + +--echo # +--echo # Cleanup. +--echo # +connection default; + +drop database some_db; +drop role r_select_global, r_select_database, r_select_table, r_select_column; +drop role r_active_global, r_active_database, r_active_table, r_active_column; +drop role r_execute_proc, r_execute_func; +drop role r_active_proc, r_active_func; +drop role upper_level, middle_level, lower_level; +drop user foo; + +--echo # +--echo # Test that dropping of roles clears the intermediate generated +--echo # (such as an `acl_dbs` element with 0 init_access, but with access != 0) +--echo # datastructures. +--echo # +create role test_role1; +create role test_role2; + +grant test_role2 to test_role1; +grant select on mysql.* to test_role2; +grant select on mysql.user to test_role2; +grant select(user) on mysql.user to test_role2; +drop role test_role1, test_role2; + +create role test_role1; +drop role test_role1; + +--echo # +--echo # MDEV-29851 Cached role privileges are not invalidated when needed +--echo # +create role admin; +create role student; +create database crm; +grant create on crm.* to admin; +grant select on crm.* to student; +create user intern@localhost; +grant student to intern@localhost; +set default role student for intern@localhost; + +connect con1, localhost, intern; +use crm; +disconnect con1; + +connection default; +grant admin to student; + +connect con1, localhost, intern; +use crm; +create table t1 (a int); +disconnect con1; + +connection default; +drop user intern@localhost; +drop role student; +drop role admin; +drop database crm; + +--echo # +--echo # MDEV-30526 Assertion `rights == merged->cols' failed in update_role_columns +--echo # +create table t1 ( pk int, i int); +create role a; +grant select (i), update (pk) on t1 to a; +revoke update (pk) on t1 from a; +show grants for a; +drop role a; +drop table t1; + +--echo # +--echo # End of 10.3 tests +--echo # |