summaryrefslogtreecommitdiffstats
path: root/mysql-test/suite/perfschema/t/privilege.test
blob: 06e7cdf0cae24088bfec6ecb573f14a6996062ae (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
# Tests for PERFORMANCE_SCHEMA

--source include/not_embedded.inc
--source include/have_perfschema.inc

show grants;

create user 'pfs_user_1'@localhost;
create user 'pfs_user_2'@localhost;
create user 'pfs_user_3'@localhost;
grant SELECT,INSERT,UPDATE,DELETE,DROP,CREATE on test.* to 'pfs_user_1'@localhost;
grant SELECT,INSERT,UPDATE,DELETE,DROP,CREATE on test.* to 'pfs_user_2'@localhost;
grant SELECT,INSERT,UPDATE,DELETE,DROP,CREATE on test.* to 'pfs_user_3'@localhost;
grant ALL on *.* to 'pfs_user_1'@localhost with GRANT OPTION;

# Test denied privileges on performance_schema.*

--error ER_DBACCESS_DENIED_ERROR
grant ALL on performance_schema.* to 'pfs_user_2'@localhost
  with GRANT OPTION;

# will be ER_DBACCESS_DENIED_ERROR once .FRM are removed
grant CREATE on performance_schema.* to 'pfs_user_2'@localhost;

# will be ER_DBACCESS_DENIED_ERROR once .FRM are removed
grant DROP on performance_schema.* to 'pfs_user_2'@localhost;

--error ER_DBACCESS_DENIED_ERROR
grant REFERENCES on performance_schema.* to 'pfs_user_2'@localhost;

--error ER_DBACCESS_DENIED_ERROR
grant INDEX on performance_schema.* to 'pfs_user_2'@localhost;

--error ER_DBACCESS_DENIED_ERROR
grant ALTER on performance_schema.* to 'pfs_user_2'@localhost;

--error ER_DBACCESS_DENIED_ERROR
grant CREATE TEMPORARY TABLES on performance_schema.* to 'pfs_user_2'@localhost;

--error ER_DBACCESS_DENIED_ERROR
grant EXECUTE on performance_schema.* to 'pfs_user_2'@localhost;

--error ER_DBACCESS_DENIED_ERROR
grant CREATE VIEW on performance_schema.* to 'pfs_user_2'@localhost;

--error ER_DBACCESS_DENIED_ERROR
grant SHOW VIEW on performance_schema.* to 'pfs_user_2'@localhost;

--error ER_DBACCESS_DENIED_ERROR
grant CREATE ROUTINE on performance_schema.* to 'pfs_user_2'@localhost;

--error ER_DBACCESS_DENIED_ERROR
grant ALTER ROUTINE on performance_schema.* to 'pfs_user_2'@localhost;

--error ER_DBACCESS_DENIED_ERROR
grant EVENT on performance_schema.* to 'pfs_user_2'@localhost;

--error ER_DBACCESS_DENIED_ERROR
grant TRIGGER on performance_schema.* to 'pfs_user_2'@localhost;

# Test allowed privileges on performance_schema.*

grant SELECT on performance_schema.* to 'pfs_user_2'@localhost;
grant INSERT on performance_schema.* to 'pfs_user_2'@localhost;
grant UPDATE on performance_schema.* to 'pfs_user_2'@localhost;
grant DELETE on performance_schema.* to 'pfs_user_2'@localhost;
grant LOCK TABLES on performance_schema.* to 'pfs_user_2'@localhost;

# Test denied privileges on specific performance_schema tables.
# setup_instrument : example of PFS_updatable_acl
# events_waits_current : example of PFS_truncatable_acl
# file_instances : example of PFS_readonly_acl

--error ER_DBACCESS_DENIED_ERROR
grant ALL on performance_schema.setup_instruments to 'pfs_user_3'@localhost
  with GRANT OPTION;

# will be ER_DBACCESS_DENIED_ERROR once .FRM are removed
grant CREATE on performance_schema.setup_instruments to 'pfs_user_3'@localhost;

# will be ER_DBACCESS_DENIED_ERROR once .FRM are removed
grant DROP on performance_schema.setup_instruments to 'pfs_user_3'@localhost;

--error ER_DBACCESS_DENIED_ERROR
grant REFERENCES on performance_schema.setup_instruments to 'pfs_user_3'@localhost;

--error ER_DBACCESS_DENIED_ERROR
grant INDEX on performance_schema.setup_instruments to 'pfs_user_3'@localhost;

--error ER_DBACCESS_DENIED_ERROR
grant ALTER on performance_schema.setup_instruments to 'pfs_user_3'@localhost;

--error ER_DBACCESS_DENIED_ERROR
grant CREATE VIEW on performance_schema.setup_instruments to 'pfs_user_3'@localhost;

--error ER_DBACCESS_DENIED_ERROR
grant SHOW VIEW on performance_schema.setup_instruments to 'pfs_user_3'@localhost;

--error ER_DBACCESS_DENIED_ERROR
grant TRIGGER on performance_schema.setup_instruments to 'pfs_user_3'@localhost;

--error ER_TABLEACCESS_DENIED_ERROR
grant INSERT on performance_schema.setup_instruments to 'pfs_user_3'@localhost;

--error ER_TABLEACCESS_DENIED_ERROR
grant DELETE on performance_schema.setup_instruments to 'pfs_user_3'@localhost;

grant SELECT on performance_schema.setup_instruments to 'pfs_user_3'@localhost
  with GRANT OPTION;

grant UPDATE on performance_schema.setup_instruments to 'pfs_user_3'@localhost
  with GRANT OPTION;

--error ER_DBACCESS_DENIED_ERROR
grant ALL on performance_schema.events_waits_current to 'pfs_user_3'@localhost
  with GRANT OPTION;

# will be ER_DBACCESS_DENIED_ERROR once .FRM are removed
grant CREATE on performance_schema.events_waits_current to 'pfs_user_3'@localhost;

# will be ER_DBACCESS_DENIED_ERROR once .FRM are removed
grant DROP on performance_schema.events_waits_current to 'pfs_user_3'@localhost;

--error ER_DBACCESS_DENIED_ERROR
grant REFERENCES on performance_schema.events_waits_current to 'pfs_user_3'@localhost;

--error ER_DBACCESS_DENIED_ERROR
grant INDEX on performance_schema.events_waits_current to 'pfs_user_3'@localhost;

--error ER_DBACCESS_DENIED_ERROR
grant ALTER on performance_schema.events_waits_current to 'pfs_user_3'@localhost;

--error ER_DBACCESS_DENIED_ERROR
grant CREATE VIEW on performance_schema.events_waits_current to 'pfs_user_3'@localhost;

--error ER_DBACCESS_DENIED_ERROR
grant SHOW VIEW on performance_schema.events_waits_current to 'pfs_user_3'@localhost;

--error ER_DBACCESS_DENIED_ERROR
grant TRIGGER on performance_schema.events_waits_current to 'pfs_user_3'@localhost;

--error ER_TABLEACCESS_DENIED_ERROR
grant INSERT on performance_schema.events_waits_current to 'pfs_user_3'@localhost;

--error ER_TABLEACCESS_DENIED_ERROR
grant UPDATE on performance_schema.events_waits_current to 'pfs_user_3'@localhost;

--error ER_TABLEACCESS_DENIED_ERROR
grant DELETE on performance_schema.events_waits_current to 'pfs_user_3'@localhost;

grant SELECT on performance_schema.events_waits_current to 'pfs_user_3'@localhost
  with GRANT OPTION;

--error ER_DBACCESS_DENIED_ERROR
grant ALL on performance_schema.file_instances to 'pfs_user_3'@localhost
  with GRANT OPTION;

# will be ER_DBACCESS_DENIED_ERROR once .FRM are removed
grant CREATE on performance_schema.file_instances to 'pfs_user_3'@localhost;

# will be ER_DBACCESS_DENIED_ERROR once .FRM are removed
grant DROP on performance_schema.file_instances to 'pfs_user_3'@localhost;

--error ER_DBACCESS_DENIED_ERROR
grant REFERENCES on performance_schema.file_instances to 'pfs_user_3'@localhost;

--error ER_DBACCESS_DENIED_ERROR
grant INDEX on performance_schema.file_instances to 'pfs_user_3'@localhost;

--error ER_DBACCESS_DENIED_ERROR
grant ALTER on performance_schema.file_instances to 'pfs_user_3'@localhost;

--error ER_DBACCESS_DENIED_ERROR
grant CREATE VIEW on performance_schema.file_instances to 'pfs_user_3'@localhost;

--error ER_DBACCESS_DENIED_ERROR
grant SHOW VIEW on performance_schema.file_instances to 'pfs_user_3'@localhost;

--error ER_DBACCESS_DENIED_ERROR
grant TRIGGER on performance_schema.file_instances to 'pfs_user_3'@localhost;

--error ER_TABLEACCESS_DENIED_ERROR
grant INSERT on performance_schema.file_instances to 'pfs_user_3'@localhost;

--error ER_TABLEACCESS_DENIED_ERROR
grant UPDATE on performance_schema.file_instances to 'pfs_user_3'@localhost;

--error ER_TABLEACCESS_DENIED_ERROR
grant DELETE on performance_schema.file_instances to 'pfs_user_3'@localhost;

grant SELECT on performance_schema.file_instances to 'pfs_user_3'@localhost
  with GRANT OPTION;

# See bug#45354 LOCK TABLES is not a TABLE privilege
grant LOCK TABLES on performance_schema.* to 'pfs_user_3'@localhost
  with GRANT OPTION;

flush privileges;

--source ../include/privilege.inc

connect (con1, localhost, pfs_user_1, , );

--source ../include/privilege.inc

--disconnect con1

connect (con2, localhost, pfs_user_2, , );

--source ../include/privilege.inc

--disconnect con2

connect (con3, localhost, pfs_user_3, , );

--source ../include/privilege.inc

--disconnect con3

--connection default

revoke all privileges, grant option from 'pfs_user_1'@localhost;
revoke all privileges, grant option from 'pfs_user_2'@localhost;
revoke all privileges, grant option from 'pfs_user_3'@localhost;
drop user 'pfs_user_1'@localhost;
drop user 'pfs_user_2'@localhost;
drop user 'pfs_user_3'@localhost;
flush privileges;

--echo # Test cases from WL#4818
--echo # Setup user

CREATE user pfs_user_4;
--connect (pfs_user_4, localhost, pfs_user_4, ,"*NO-ONE*")

--echo #
--echo # WL#4818, NFS4: Normal user does not have access to view data
--echo #                without grants
--echo #

--connection pfs_user_4
--echo # Select as pfs_user_4 should fail without grant

--error ER_TABLEACCESS_DENIED_ERROR
SELECT event_id FROM performance_schema.events_waits_history;

--error ER_TABLEACCESS_DENIED_ERROR
SELECT event_id FROM performance_schema.events_waits_history_long;

--error ER_TABLEACCESS_DENIED_ERROR
SELECT event_id FROM performance_schema.events_waits_current;

--error ER_TABLEACCESS_DENIED_ERROR
SELECT event_name FROM performance_schema.events_waits_summary_by_instance;

--error ER_TABLEACCESS_DENIED_ERROR
SELECT event_name FROM performance_schema.file_summary_by_instance;

--echo #
--echo # WL#4818, NFS3: Normal user does not have access to change what is
--echo #                instrumented without grants
--echo #

--connection pfs_user_4
--echo # User pfs_user_4 should not be allowed to tweak instrumentation without
--echo # explicit grant

--error ER_TABLEACCESS_DENIED_ERROR
UPDATE performance_schema.setup_instruments SET enabled = 'NO', timed = 'YES';

--error ER_TABLEACCESS_DENIED_ERROR
UPDATE performance_schema.setup_instruments SET enabled = 'YES'
WHERE name LIKE 'wait/synch/mutex/%'
   OR name LIKE 'wait/synch/rwlock/%';

--error ER_TABLEACCESS_DENIED_ERROR
UPDATE performance_schema.setup_consumers SET enabled = 'YES';

--error ER_TABLEACCESS_DENIED_ERROR
UPDATE performance_schema.setup_timers SET timer_name = 'TICK';

--error ER_TABLEACCESS_DENIED_ERROR
TRUNCATE TABLE performance_schema.events_waits_history_long;

--error ER_TABLEACCESS_DENIED_ERROR
TRUNCATE TABLE performance_schema.events_waits_history;

--error ER_TABLEACCESS_DENIED_ERROR
TRUNCATE TABLE performance_schema.events_waits_current;

--echo #
--echo # WL#4814, NFS1: Can use grants to give normal user access
--echo #                to turn on and off instrumentation
--echo #

--connection default
--echo # Grant access to change tables with the root account

GRANT UPDATE ON performance_schema.setup_consumers TO pfs_user_4;
GRANT UPDATE, SELECT ON performance_schema.setup_timers TO pfs_user_4;
GRANT UPDATE, SELECT ON performance_schema.setup_instruments TO pfs_user_4;
GRANT DROP ON performance_schema.events_waits_current TO pfs_user_4;
GRANT DROP ON performance_schema.events_waits_history TO pfs_user_4;
GRANT DROP ON performance_schema.events_waits_history_long TO pfs_user_4;

--connection pfs_user_4
--echo # User pfs_user_4 should now be allowed to tweak instrumentation

UPDATE performance_schema.setup_instruments SET enabled = 'NO', timed = 'YES';

UPDATE performance_schema.setup_instruments SET enabled = 'YES'
WHERE name LIKE 'wait/synch/mutex/%'
   OR name LIKE 'wait/synch/rwlock/%';

UPDATE performance_schema.setup_consumers SET enabled = 'YES';

# We do not touch "wait", to avoid restoring it at the end of the test,
# as its default value initialized at server startup is ambiguous:
# it can be CYCLE or NANOSECOND depending on platform

UPDATE performance_schema.setup_timers SET timer_name = 'TICK' WHERE name <> "wait";

TRUNCATE TABLE performance_schema.events_waits_history_long;
TRUNCATE TABLE performance_schema.events_waits_history;
TRUNCATE TABLE performance_schema.events_waits_current;

--echo # Clean up
--disconnect pfs_user_4
--source include/wait_until_disconnected.inc
--connection default
REVOKE ALL PRIVILEGES, GRANT OPTION FROM pfs_user_4;
DROP USER pfs_user_4;
flush privileges;
UPDATE performance_schema.setup_instruments SET enabled = 'YES', timed = 'YES';
UPDATE performance_schema.setup_consumers SET enabled = 'YES';

# Restore the default values for the timers that we changed.
# Note, we did not touch "wait", see above.
UPDATE performance_schema.setup_timers SET timer_name = 'MICROSECOND' where name="idle";
UPDATE performance_schema.setup_timers SET timer_name = 'NANOSECOND'  where name="stage";
UPDATE performance_schema.setup_timers SET timer_name = 'NANOSECOND'  where name="statement";

--echo #
--echo # WL#2284: Increase the length of a user name
--echo #

CREATE USER 'user_name_len_22_01234'@localhost;

--error ER_DBACCESS_DENIED_ERROR
GRANT ALL ON performance_schema.* TO 'user_name_len_22_01234'@localhost with GRANT OPTION;

REVOKE ALL PRIVILEGES, GRANT OPTION FROM 'user_name_len_22_01234'@localhost;
DROP USER 'user_name_len_22_01234'@localhost;