MDEV-33554 Upgrade from 11.2 to 11.3 changes root's privileges
Let ALL PRIVILEGES always mean ALL PRIVILEGES across all upgrades, no matter what new privileges were added in later versions.
parent
ec3d9dafe4
commit
53a359cf0d
@ -46,7 +46,7 @@ insert mysql.global_priv values ('bar', 'foo7', '{"access":274877906943,"version
|
||||
flush privileges;
|
||||
show grants for foo7@bar;
|
||||
Grants for foo7@bar
|
||||
GRANT SELECT, INSERT, UPDATE, DELETE, CREATE, DROP, RELOAD, SHUTDOWN, PROCESS, FILE, REFERENCES, INDEX, ALTER, SHOW DATABASES, SUPER, CREATE TEMPORARY TABLES, LOCK TABLES, EXECUTE, REPLICATION SLAVE, BINLOG MONITOR, CREATE VIEW, SHOW VIEW, CREATE ROUTINE, ALTER ROUTINE, CREATE USER, EVENT, TRIGGER, CREATE TABLESPACE, DELETE HISTORY, SET USER, FEDERATED ADMIN, CONNECTION ADMIN, READ_ONLY ADMIN, REPLICATION SLAVE ADMIN, REPLICATION MASTER ADMIN, BINLOG ADMIN, BINLOG REPLAY, SLAVE MONITOR ON *.* TO `foo7`@`bar` WITH GRANT OPTION
|
||||
GRANT ALL PRIVILEGES ON *.* TO `foo7`@`bar` WITH GRANT OPTION
|
||||
show grants for foo8@bar;
|
||||
Grants for foo8@bar
|
||||
GRANT SELECT, INSERT, UPDATE, DELETE, CREATE, DROP, RELOAD, SHUTDOWN, PROCESS, FILE, REFERENCES, INDEX, ALTER, SHOW DATABASES, SUPER, CREATE TEMPORARY TABLES, LOCK TABLES, EXECUTE, REPLICATION SLAVE, BINLOG MONITOR, CREATE VIEW, SHOW VIEW, CREATE ROUTINE, ALTER ROUTINE, CREATE USER, EVENT, TRIGGER, CREATE TABLESPACE, DELETE HISTORY, SET USER, FEDERATED ADMIN, CONNECTION ADMIN, READ_ONLY ADMIN, REPLICATION SLAVE ADMIN, REPLICATION MASTER ADMIN, BINLOG ADMIN, BINLOG REPLAY, SLAVE MONITOR ON *.* TO `foo8`@`bar` WITH GRANT OPTION
|
||||
|
@ -1906,7 +1906,7 @@ SET DEFAULT ROLE aRole;
|
||||
SHOW GRANTS;
|
||||
Grants for root@localhost
|
||||
GRANT `aRole` TO `root`@`localhost` WITH ADMIN OPTION
|
||||
GRANT SELECT, INSERT, UPDATE, DELETE, CREATE, DROP, RELOAD, SHUTDOWN, PROCESS, FILE, REFERENCES, INDEX, ALTER, SHOW DATABASES, SUPER, CREATE TEMPORARY TABLES, LOCK TABLES, EXECUTE, REPLICATION SLAVE, BINLOG MONITOR, CREATE VIEW, SHOW VIEW, CREATE ROUTINE, ALTER ROUTINE, CREATE USER, EVENT, TRIGGER, CREATE TABLESPACE, DELETE HISTORY, SET USER, FEDERATED ADMIN, CONNECTION ADMIN, READ_ONLY ADMIN, REPLICATION SLAVE ADMIN, REPLICATION MASTER ADMIN, BINLOG ADMIN, BINLOG REPLAY, SLAVE MONITOR ON *.* TO `root`@`localhost` WITH GRANT OPTION
|
||||
GRANT ALL PRIVILEGES ON *.* TO `root`@`localhost` WITH GRANT OPTION
|
||||
GRANT PROXY ON ''@'%' TO 'root'@'localhost' WITH GRANT OPTION
|
||||
GRANT USAGE ON *.* TO `aRole`
|
||||
SET DEFAULT ROLE `aRole` FOR `root`@`localhost`
|
||||
@ -1914,7 +1914,7 @@ SET DEFAULT ROLE NONE;
|
||||
SHOW GRANTS;
|
||||
Grants for root@localhost
|
||||
GRANT `aRole` TO `root`@`localhost` WITH ADMIN OPTION
|
||||
GRANT SELECT, INSERT, UPDATE, DELETE, CREATE, DROP, RELOAD, SHUTDOWN, PROCESS, FILE, REFERENCES, INDEX, ALTER, SHOW DATABASES, SUPER, CREATE TEMPORARY TABLES, LOCK TABLES, EXECUTE, REPLICATION SLAVE, BINLOG MONITOR, CREATE VIEW, SHOW VIEW, CREATE ROUTINE, ALTER ROUTINE, CREATE USER, EVENT, TRIGGER, CREATE TABLESPACE, DELETE HISTORY, SET USER, FEDERATED ADMIN, CONNECTION ADMIN, READ_ONLY ADMIN, REPLICATION SLAVE ADMIN, REPLICATION MASTER ADMIN, BINLOG ADMIN, BINLOG REPLAY, SLAVE MONITOR ON *.* TO `root`@`localhost` WITH GRANT OPTION
|
||||
GRANT ALL PRIVILEGES ON *.* TO `root`@`localhost` WITH GRANT OPTION
|
||||
GRANT PROXY ON ''@'%' TO 'root'@'localhost' WITH GRANT OPTION
|
||||
GRANT USAGE ON *.* TO `aRole`
|
||||
DROP ROLE `aRole`;
|
||||
@ -2135,7 +2135,7 @@ SET GLOBAL alter_algorithm=DEFAULT;
|
||||
SHOW GLOBAL VARIABLES LIKE 'alter_algorithm';
|
||||
Variable_name Value
|
||||
alter_algorithm DEFAULT
|
||||
End of 10.3 tests
|
||||
# End of 10.3 tests
|
||||
# switching from mysql.global_priv to mysql.user
|
||||
drop view mysql.user_bak;
|
||||
create user 'user3'@'localhost' identified with mysql_native_password as password('a_password');
|
||||
@ -2588,3 +2588,29 @@ mysql.user has data
|
||||
SELECT COUNT(*) > 0 AS `mysql.user has data` FROM mysql.user;
|
||||
mysql.user has data
|
||||
1
|
||||
# End of 10.5 tests
|
||||
#
|
||||
# MDEV-33554 Upgrade from 11.2 to 11.3 changes root's privileges
|
||||
#
|
||||
alter table mysql.db drop column show_create_routine_priv;
|
||||
flush privileges;
|
||||
create user foo@bar;
|
||||
grant all privileges on mysql.* to foo@bar;
|
||||
show grants for foo@bar;
|
||||
Grants for foo@bar
|
||||
GRANT USAGE ON *.* TO `foo`@`bar`
|
||||
GRANT ALL PRIVILEGES ON `mysql`.* TO `foo`@`bar`
|
||||
flush privileges;
|
||||
show grants for foo@bar;
|
||||
Grants for foo@bar
|
||||
GRANT USAGE ON *.* TO `foo`@`bar`
|
||||
GRANT ALL PRIVILEGES ON `mysql`.* TO `foo`@`bar`
|
||||
select show_create_routine_priv from mysql.db where user='foo';
|
||||
show_create_routine_priv
|
||||
Y
|
||||
show grants for foo@bar;
|
||||
Grants for foo@bar
|
||||
GRANT USAGE ON *.* TO `foo`@`bar`
|
||||
GRANT ALL PRIVILEGES ON `mysql`.* TO `foo`@`bar`
|
||||
drop user foo@bar;
|
||||
# End of 11.3 tests
|
||||
|
@ -418,7 +418,7 @@ SET GLOBAL alter_algorithm=DEFAULT;
|
||||
SHOW GLOBAL VARIABLES LIKE 'alter_algorithm';
|
||||
--remove_file $MYSQLD_DATADIR/mariadb_upgrade_info
|
||||
|
||||
--echo End of 10.3 tests
|
||||
--echo # End of 10.3 tests
|
||||
|
||||
--source include/switch_to_mysql_user.inc
|
||||
drop view mysql.user_bak;
|
||||
@ -561,3 +561,25 @@ call mtr.add_suppression("Column count of mysql.proc is wrong. Expected 21, foun
|
||||
|
||||
--let $old_version= 10.4
|
||||
--source include/load_dump_and_upgrade.inc
|
||||
|
||||
--echo # End of 10.5 tests
|
||||
|
||||
--echo #
|
||||
--echo # MDEV-33554 Upgrade from 11.2 to 11.3 changes root's privileges
|
||||
--echo #
|
||||
alter table mysql.db drop column show_create_routine_priv;
|
||||
flush privileges;
|
||||
create user foo@bar;
|
||||
grant all privileges on mysql.* to foo@bar;
|
||||
show grants for foo@bar;
|
||||
flush privileges;
|
||||
show grants for foo@bar;
|
||||
|
||||
--exec $MYSQL_UPGRADE --force --silent 2>&1
|
||||
--remove_file $MYSQLD_DATADIR/mariadb_upgrade_info
|
||||
|
||||
select show_create_routine_priv from mysql.db where user='foo';
|
||||
show grants for foo@bar;
|
||||
drop user foo@bar;
|
||||
|
||||
--echo # End of 11.3 tests
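Review bot: The MDEV-33554 case added at the end of this test has no negative check: it only shows that `foo@bar`, who holds every database privilege, ends up with `show_create_routine_priv` = Y. Nothing asserts that a row missing one of those privileges is still N after `$MYSQL_UPGRADE`, which is the check that would catch the upgrade UPDATE or the load-time inference becoming too permissive. I would add a second account, created and dropped like foo, with `grant all privileges on mysql.* to baz@bar;` followed by `revoke drop on mysql.* from baz@bar;` before the upgrade. Its `show_create_routine_priv` would then be selected next to foo's afterwards.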
|
||||
|
@ -8,7 +8,7 @@ CREATE USER user_all@localhost;
|
||||
GRANT ALL PRIVILEGES ON *.* TO user_all@localhost WITH GRANT OPTION;
|
||||
SHOW GRANTS FOR user_all@localhost;
|
||||
Grants for user_all@localhost
|
||||
GRANT SELECT, INSERT, UPDATE, DELETE, CREATE, DROP, RELOAD, SHUTDOWN, PROCESS, FILE, REFERENCES, INDEX, ALTER, SHOW DATABASES, SUPER, CREATE TEMPORARY TABLES, LOCK TABLES, EXECUTE, REPLICATION SLAVE, BINLOG MONITOR, CREATE VIEW, SHOW VIEW, CREATE ROUTINE, ALTER ROUTINE, CREATE USER, EVENT, TRIGGER, CREATE TABLESPACE, DELETE HISTORY, SET USER, FEDERATED ADMIN, CONNECTION ADMIN, READ_ONLY ADMIN, REPLICATION SLAVE ADMIN, REPLICATION MASTER ADMIN, BINLOG ADMIN, BINLOG REPLAY, SLAVE MONITOR ON *.* TO `user_all`@`localhost` WITH GRANT OPTION
|
||||
GRANT ALL PRIVILEGES ON *.* TO `user_all`@`localhost` WITH GRANT OPTION
|
||||
CREATE USER user_super@localhost;
|
||||
GRANT SUPER ON *.* TO user_super@localhost;
|
||||
SHOW GRANTS FOR user_super@localhost;
|
||||
@ -56,7 +56,7 @@ FLUSH PRIVILEGES;
|
||||
#
|
||||
SHOW GRANTS FOR user_all@localhost;
|
||||
Grants for user_all@localhost
|
||||
GRANT SELECT, INSERT, UPDATE, DELETE, CREATE, DROP, RELOAD, SHUTDOWN, PROCESS, FILE, REFERENCES, INDEX, ALTER, SHOW DATABASES, SUPER, CREATE TEMPORARY TABLES, LOCK TABLES, EXECUTE, REPLICATION SLAVE, BINLOG MONITOR, CREATE VIEW, SHOW VIEW, CREATE ROUTINE, ALTER ROUTINE, CREATE USER, EVENT, TRIGGER, CREATE TABLESPACE, DELETE HISTORY, SET USER, FEDERATED ADMIN, CONNECTION ADMIN, READ_ONLY ADMIN, REPLICATION SLAVE ADMIN, REPLICATION MASTER ADMIN, BINLOG ADMIN, BINLOG REPLAY, SLAVE MONITOR ON *.* TO `user_all`@`localhost` WITH GRANT OPTION
|
||||
GRANT ALL PRIVILEGES ON *.* TO `user_all`@`localhost` WITH GRANT OPTION
|
||||
#
|
||||
# Should automatically get all new 10.5.2 priveleges that were splitted from SUPER
|
||||
#
|
||||
|
@ -90,11 +90,11 @@ host='localhost' and user='good_version_id_100400';
|
||||
FLUSH PRIVILEGES;
|
||||
SHOW GRANTS FOR good_version_id_100400@localhost;
|
||||
Grants for good_version_id_100400@localhost
|
||||
GRANT SELECT, INSERT, UPDATE, DELETE, CREATE, DROP, RELOAD, SHUTDOWN, PROCESS, FILE, REFERENCES, INDEX, ALTER, SHOW DATABASES, SUPER, CREATE TEMPORARY TABLES, LOCK TABLES, EXECUTE, REPLICATION SLAVE, BINLOG MONITOR, CREATE VIEW, SHOW VIEW, CREATE ROUTINE, ALTER ROUTINE, CREATE USER, EVENT, TRIGGER, CREATE TABLESPACE, DELETE HISTORY, SET USER, FEDERATED ADMIN, CONNECTION ADMIN, READ_ONLY ADMIN, REPLICATION SLAVE ADMIN, REPLICATION MASTER ADMIN, BINLOG ADMIN, BINLOG REPLAY, SLAVE MONITOR ON *.* TO `good_version_id_100400`@`localhost` WITH GRANT OPTION
|
||||
GRANT ALL PRIVILEGES ON *.* TO `good_version_id_100400`@`localhost` WITH GRANT OPTION
|
||||
GRANT REPLICATION MASTER ADMIN ON *.* TO good_version_id_100400@localhost;
|
||||
SHOW GRANTS FOR good_version_id_100400@localhost;
|
||||
Grants for good_version_id_100400@localhost
|
||||
GRANT SELECT, INSERT, UPDATE, DELETE, CREATE, DROP, RELOAD, SHUTDOWN, PROCESS, FILE, REFERENCES, INDEX, ALTER, SHOW DATABASES, SUPER, CREATE TEMPORARY TABLES, LOCK TABLES, EXECUTE, REPLICATION SLAVE, BINLOG MONITOR, CREATE VIEW, SHOW VIEW, CREATE ROUTINE, ALTER ROUTINE, CREATE USER, EVENT, TRIGGER, CREATE TABLESPACE, DELETE HISTORY, SET USER, FEDERATED ADMIN, CONNECTION ADMIN, READ_ONLY ADMIN, REPLICATION SLAVE ADMIN, REPLICATION MASTER ADMIN, BINLOG ADMIN, BINLOG REPLAY, SLAVE MONITOR ON *.* TO `good_version_id_100400`@`localhost` WITH GRANT OPTION
|
||||
GRANT ALL PRIVILEGES ON *.* TO `good_version_id_100400`@`localhost` WITH GRANT OPTION
|
||||
DROP USER good_version_id_100400@localhost;
|
||||
CREATE USER good_version_id_100500@localhost;
|
||||
GRANT SUPER ON *.* to good_version_id_100500@localhost;
|
||||
|
@ -705,6 +705,9 @@ ALTER TABLE db change Truncate_versioning_priv Delete_history_priv enum('N','Y')
|
||||
SET @had_user_delete_history_priv := 0;
|
||||
SELECT @had_user_delete_history_priv :=1 FROM user WHERE Delete_history_priv IS NOT NULL;
|
||||
|
||||
SET @had_show_create_routine := 0;
|
||||
SELECT @had_show_create_routine:=1 FROM db WHERE Show_create_routine_priv IS NOT NULL;
|
||||
|
||||
ALTER TABLE user add Delete_history_priv enum('N','Y') COLLATE utf8mb3_general_ci NOT NULL DEFAULT 'N' after Create_tablespace_priv;
|
||||
ALTER TABLE user modify Delete_history_priv enum('N','Y') COLLATE utf8mb3_general_ci NOT NULL DEFAULT 'N';
|
||||
ALTER TABLE db add Delete_history_priv enum('N','Y') COLLATE utf8mb3_general_ci NOT NULL DEFAULT 'N' after Trigger_priv;
|
||||
@ -715,6 +718,15 @@ UPDATE user SET Delete_history_priv = Super_priv WHERE @had_user_delete_history_
|
||||
ALTER TABLE db ADD Show_create_routine_priv enum('N','Y') COLLATE utf8mb3_general_ci NOT NULL DEFAULT 'N' AFTER Delete_history_priv;
|
||||
ALTER TABLE db MODIFY Show_create_routine_priv enum('N','Y') COLLATE utf8mb3_general_ci NOT NULL DEFAULT 'N';
|
||||
|
||||
UPDATE db SET Show_create_routine_priv='Y' WHERE @had_show_create_routine=0
|
||||
AND Drop_priv='Y' AND Index_priv='Y' AND Alter_priv='Y'
|
||||
AND Event_priv='Y' AND Select_priv='Y' AND Insert_priv='Y'
|
||||
AND Update_priv='Y' AND Delete_priv='Y' AND Create_priv='Y'
|
||||
AND Execute_priv='Y' AND Trigger_priv='Y' AND Show_view_priv='Y'
|
||||
AND References_priv='Y' AND Lock_tables_priv='Y' AND Create_view_priv='Y'
|
||||
AND Alter_routine_priv='Y' AND Create_routine_priv='Y'
|
||||
AND Delete_history_priv='Y' AND Create_tmp_table_priv='Y';
|
||||
|
||||
ALTER TABLE user ADD plugin char(64) CHARACTER SET latin1 DEFAULT '' NOT NULL AFTER max_user_connections,
|
||||
ADD authentication_string TEXT NOT NULL AFTER plugin;
|
||||
ALTER TABLE user CHANGE auth_string authentication_string TEXT NOT NULL;
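Review bot: The new `UPDATE db SET Show_create_routine_priv='Y'` widens stored privileges during upgrade but has no comment saying why it does so or when it is meant to fire. It is gated on `@had_show_create_routine=0`, which stays 0 only when the probing SELECT above it returns no row, presumably because the column is missing and the error is ignored, as with the `@had_user_delete_history_priv` probe; that reliance deserves a sentence. A row that was granted each of the listed privileges one by one cannot be told apart from ALL PRIVILEGES and will gain the new privilege too, which matters to anyone auditing grants after an upgrade. I would add above the UPDATE: `-- MDEV-33554: a db row holding every pre-11.3 privilege is treated as ALL PRIVILEGES and gets the new one; skipped if the column already existed`.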
|
||||
|
@ -128,7 +128,7 @@ constexpr privilege_t ALL_KNOWN_ACL_100508= ALL_KNOWN_BITS(LAST_100508_ACL);
|
||||
constexpr privilege_t ALL_KNOWN_ACL_100509= ALL_KNOWN_ACL_100508;
|
||||
|
||||
// A combination of all bits defined in 11.3.0
|
||||
constexpr privilege_t ALL_KNOWN_ACL_110300= ALL_KNOWN_BITS(LAST_110300_ACL);;
|
||||
constexpr privilege_t ALL_KNOWN_ACL_110300= ALL_KNOWN_BITS(LAST_110300_ACL);
|
||||
|
||||
// A combination of all bits defined as of the current version
|
||||
constexpr privilege_t ALL_KNOWN_ACL= ALL_KNOWN_BITS(LAST_CURRENT_ACL);
|
||||
|
@ -1071,6 +1071,9 @@ class User_table_tabular: public User_table
|
||||
if (access & REPL_SLAVE_ACL)
|
||||
access|= SLAVE_MONITOR_ACL;
|
||||
|
||||
if ((access & ALL_KNOWN_ACL_100304) == ALL_KNOWN_ACL_100304)
|
||||
access|= SHOW_CREATE_ROUTINE_ACL;
|
||||
|
||||
return access & GLOBAL_ACLS;
|
||||
}
|
||||
|
||||
@ -1584,6 +1587,11 @@ class User_table_json: public User_table
|
||||
print_warning_bad_access(version_id, mask, orig_access);
|
||||
return NO_ACL;
|
||||
}
|
||||
|
||||
// ALL PRIVILEGES always means ALL PRIVILEGES
|
||||
if ((orig_access & mask) == mask)
|
||||
access= ALL_KNOWN_ACL;
|
||||
|
||||
return access & ALL_KNOWN_ACL;
|
||||
}
|
||||
|
||||
@ -2785,6 +2793,9 @@ static bool acl_load(THD *thd, const Grant_tables& tables)
|
||||
db.access|=REFERENCES_ACL | INDEX_ACL | ALTER_ACL;
|
||||
}
|
||||
#endif
|
||||
if (db_table.num_fields() <= 23)
|
||||
if ((db.access | SHOW_CREATE_ROUTINE_ACL | GRANT_ACL) == DB_ACLS)
|
||||
db.access|= SHOW_CREATE_ROUTINE_ACL;
|
||||
acl_dbs.push(db);
|
||||
}
|
||||
end_read_record(&read_record_info);
|
||||
@ -5039,6 +5050,9 @@ static int replace_db_table(TABLE *table, const char *db,
|
||||
}
|
||||
rights=get_access(table,3);
|
||||
rights=fix_rights_for_db(rights);
|
||||
if (table->s->fields <= 23)
|
||||
if ((rights | SHOW_CREATE_ROUTINE_ACL | GRANT_ACL) == DB_ACLS)
|
||||
rights|= SHOW_CREATE_ROUTINE_ACL;
|
||||
|
||||
if (old_row_exists)
|
||||
{
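Review bot: In the `User_table_json` hunk, the new test `(orig_access & mask) == mask` fires only when the stored bitmap has every bit of `mask` set. If `mask` also covers the GRANT OPTION bit (its definition is not on this page), an account given `GRANT ALL PRIVILEGES ON *.*` without `WITH GRANT OPTION` never matches and still misses privileges added later; the `ALL_KNOWN_ACL_100304` comparison in `User_table_tabular` looks the same. The database-level checks added in `acl_load` and `replace_db_table` do tolerate the missing bit by OR-ing `GRANT_ACL` into the comparison, and every global account in the updated expected output carries WITH GRANT OPTION, so this case appears untested. Any fix must keep the account's original grant bit rather than assign `ALL_KNOWN_ACL` wholesale, otherwise loading the row would hand out GRANT OPTION. The comment could also state what is compared, e.g. `// every privilege known to the version that wrote this row is set: treat as ALL PRIVILEGES`; the enclosing functions start outside the hunks.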
|
||||
|