From 0abbd0ca07b88ff90a1240db430b84d70b4f0cf6 Mon Sep 17 00:00:00 2001 From: Morgan Tocker Date: Tue, 2 Feb 2021 22:11:28 -0700 Subject: [PATCH 1/2] cherry pick #22523 to release-3.0 Signed-off-by: ti-srebot --- privilege/privileges/cache.go | 67 +++++++++- privilege/privileges/privileges_test.go | 164 +++++++++++++++++++----- 2 files changed, 192 insertions(+), 39 deletions(-) diff --git a/privilege/privileges/cache.go b/privilege/privileges/cache.go index ad283912425c5..a29bf6b3676ba 100644 --- a/privilege/privileges/cache.go +++ b/privilege/privileges/cache.go @@ -47,6 +47,23 @@ var ( const globalDBVisible = mysql.CreatePriv | mysql.SelectPriv | mysql.InsertPriv | mysql.UpdatePriv | mysql.DeletePriv | mysql.ShowDBPriv | mysql.DropPriv | mysql.AlterPriv | mysql.IndexPriv | mysql.CreateViewPriv | mysql.ShowViewPriv | mysql.GrantPriv | mysql.TriggerPriv | mysql.ReferencesPriv | mysql.ExecutePriv +const ( + sqlLoadRoleGraph = "SELECT HIGH_PRIORITY FROM_USER, FROM_HOST, TO_USER, TO_HOST FROM mysql.role_edges" + sqlLoadGlobalPrivTable = "SELECT HIGH_PRIORITY Host,User,Priv FROM mysql.global_priv" + sqlLoadDBTable = "SELECT HIGH_PRIORITY Host,DB,User,Select_priv,Insert_priv,Update_priv,Delete_priv,Create_priv,Drop_priv,Grant_priv,Index_priv,Alter_priv,Execute_priv,Create_view_priv,Show_view_priv FROM mysql.db ORDER BY host, db, user" + sqlLoadTablePrivTable = "SELECT HIGH_PRIORITY Host,DB,User,Table_name,Grantor,Timestamp,Table_priv,Column_priv FROM mysql.tables_priv" + sqlLoadColumnsPrivTable = "SELECT HIGH_PRIORITY Host,DB,User,Table_name,Column_name,Timestamp,Column_priv FROM mysql.columns_priv" + sqlLoadDefaultRoles = "SELECT HIGH_PRIORITY HOST, USER, DEFAULT_ROLE_HOST, DEFAULT_ROLE_USER FROM mysql.default_roles" + // list of privileges from mysql.Priv2UserCol + sqlLoadUserTable = `SELECT HIGH_PRIORITY Host,User,authentication_string, + Create_priv, Select_priv, Insert_priv, Update_priv, Delete_priv, Show_db_priv, Super_priv, + Create_user_priv,Create_tablespace_priv,Trigger_priv,Drop_priv,Process_priv,Grant_priv, + References_priv,Alter_priv,Execute_priv,Index_priv,Create_view_priv,Show_view_priv, + Create_role_priv,Drop_role_priv,Create_tmp_table_priv,Lock_tables_priv,Create_routine_priv, + Alter_routine_priv,Event_priv,Shutdown_priv,Reload_priv,File_priv,Config_priv,Repl_client_priv,Repl_slave_priv, + account_locked FROM mysql.user` +) + func computePrivMask(privs []mysql.PrivilegeType) mysql.PrivilegeType { var mask mysql.PrivilegeType for _, p := range privs { @@ -322,7 +339,7 @@ func noSuchTable(err error) bool { // LoadRoleGraph loads the mysql.role_edges table from database. func (p *MySQLPrivilege) LoadRoleGraph(ctx sessionctx.Context) error { p.RoleGraph = make(map[string]roleGraphEdgesTable) - err := p.loadTable(ctx, "select FROM_USER, FROM_HOST, TO_USER, TO_HOST from mysql.role_edges;", p.decodeRoleEdgesTable) + err := p.loadTable(ctx, sqlLoadRoleGraph, p.decodeRoleEdgesTable) if err != nil { return errors.Trace(err) } @@ -331,12 +348,16 @@ func (p *MySQLPrivilege) LoadRoleGraph(ctx sessionctx.Context) error { // LoadUserTable loads the mysql.user table from database. func (p *MySQLPrivilege) LoadUserTable(ctx sessionctx.Context) error { +<<<<<<< HEAD userPrivCols := make([]string, 0, len(mysql.Priv2UserCol)) for _, v := range mysql.Priv2UserCol { userPrivCols = append(userPrivCols, v) } query := fmt.Sprintf("select HIGH_PRIORITY Host,User,Password,%s,account_locked from mysql.user;", strings.Join(userPrivCols, ", ")) err := p.loadTable(ctx, query, p.decodeUserTableRow) +======= + err := p.loadTable(ctx, sqlLoadUserTable, p.decodeUserTableRow) +>>>>>>> 26086b297... privilege: remove any string concat (#22523) if err != nil { return errors.Trace(err) } @@ -433,39 +454,71 @@ func (p MySQLPrivilege) SortUserTable() { // LoadGlobalPrivTable loads the mysql.global_priv table from database. func (p *MySQLPrivilege) LoadGlobalPrivTable(ctx sessionctx.Context) error { - return p.loadTable(ctx, "select HIGH_PRIORITY Host,User,Priv from mysql.global_priv", p.decodeGlobalPrivTableRow) + return p.loadTable(ctx, sqlLoadGlobalPrivTable, p.decodeGlobalPrivTableRow) } // LoadDBTable loads the mysql.db table from database. func (p *MySQLPrivilege) LoadDBTable(ctx sessionctx.Context) error { +<<<<<<< HEAD return p.loadTable(ctx, "select HIGH_PRIORITY Host,DB,User,Select_priv,Insert_priv,Update_priv,Delete_priv,Create_priv,Drop_priv,Grant_priv,Index_priv,Alter_priv,Execute_priv,Create_view_priv,Show_view_priv from mysql.db order by host, db, user;", p.decodeDBTableRow) +======= + err := p.loadTable(ctx, sqlLoadDBTable, p.decodeDBTableRow) + if err != nil { + return err + } + p.buildDBMap() + return nil +} + +func (p *MySQLPrivilege) buildDBMap() { + dbMap := make(map[string][]dbRecord, len(p.DB)) + for _, record := range p.DB { + dbMap[record.User] = append(dbMap[record.User], record) + } + p.DBMap = dbMap +>>>>>>> 26086b297... privilege: remove any string concat (#22523) } // LoadTablesPrivTable loads the mysql.tables_priv table from database. func (p *MySQLPrivilege) LoadTablesPrivTable(ctx sessionctx.Context) error { +<<<<<<< HEAD return p.loadTable(ctx, "select HIGH_PRIORITY Host,DB,User,Table_name,Grantor,Timestamp,Table_priv,Column_priv from mysql.tables_priv", p.decodeTablesPrivTableRow) +======= + err := p.loadTable(ctx, sqlLoadTablePrivTable, p.decodeTablesPrivTableRow) + if err != nil { + return err + } + p.buildTablesPrivMap() + return nil +} + +func (p *MySQLPrivilege) buildTablesPrivMap() { + tablesPrivMap := make(map[string][]tablesPrivRecord, len(p.TablesPriv)) + for _, record := range p.TablesPriv { + tablesPrivMap[record.User] = append(tablesPrivMap[record.User], record) + } + p.TablesPrivMap = tablesPrivMap +>>>>>>> 26086b297... privilege: remove any string concat (#22523) } // LoadColumnsPrivTable loads the mysql.columns_priv table from database. func (p *MySQLPrivilege) LoadColumnsPrivTable(ctx sessionctx.Context) error { - return p.loadTable(ctx, "select HIGH_PRIORITY Host,DB,User,Table_name,Column_name,Timestamp,Column_priv from mysql.columns_priv", p.decodeColumnsPrivTableRow) + return p.loadTable(ctx, sqlLoadColumnsPrivTable, p.decodeColumnsPrivTableRow) } // LoadDefaultRoles loads the mysql.columns_priv table from database. func (p *MySQLPrivilege) LoadDefaultRoles(ctx sessionctx.Context) error { - return p.loadTable(ctx, "select HOST, USER, DEFAULT_ROLE_HOST, DEFAULT_ROLE_USER from mysql.default_roles", p.decodeDefaultRoleTableRow) + return p.loadTable(ctx, sqlLoadDefaultRoles, p.decodeDefaultRoleTableRow) } func (p *MySQLPrivilege) loadTable(sctx sessionctx.Context, sql string, decodeTableRow func(chunk.Row, []*ast.ResultField) error) error { ctx := context.Background() - tmp, err := sctx.(sqlexec.SQLExecutor).Execute(ctx, sql) + rs, err := sctx.(sqlexec.SQLExecutor).ExecuteInternal(ctx, sql) if err != nil { return errors.Trace(err) } - rs := tmp[0] defer terror.Call(rs.Close) - fs := rs.Fields() req := rs.NewChunk() for { diff --git a/privilege/privileges/privileges_test.go b/privilege/privileges/privileges_test.go index 957842d230b93..a01967cd9cf0b 100644 --- a/privilege/privileges/privileges_test.go +++ b/privilege/privileges/privileges_test.go @@ -148,9 +148,9 @@ func (s *testPrivilegeSuite) TestCheckPointGetDBPrivilege(c *C) { se := newSession(c, s.store, s.dbName) c.Assert(se.Auth(&auth.UserIdentity{Username: "tester", Hostname: "localhost"}, nil, nil), IsTrue) mustExec(c, se, `use test;`) - _, err := se.Execute(context.Background(), `select * from test2.t where id = 1`) + _, err := se.ExecuteInternal(context.Background(), `select * from test2.t where id = 1`) c.Assert(terror.ErrorEqual(err, core.ErrTableaccessDenied), IsTrue) - _, err = se.Execute(context.Background(), "update test2.t set v = 2 where id = 1") + _, err = se.ExecuteInternal(context.Background(), "update test2.t set v = 2 where id = 1") c.Assert(terror.ErrorEqual(err, core.ErrTableaccessDenied), IsTrue) } @@ -397,7 +397,7 @@ func (s *testPrivilegeSuite) TestDropTablePriv(c *C) { // ctx.GetSessionVars().User = "drop@localhost" c.Assert(se.Auth(&auth.UserIdentity{Username: "drop", Hostname: "localhost"}, nil, nil), IsTrue) mustExec(c, se, `SELECT * FROM todrop;`) - _, err := se.Execute(context.Background(), "DROP TABLE todrop;") + _, err := se.ExecuteInternal(context.Background(), "DROP TABLE todrop;") c.Assert(err, NotNil) se = newSession(c, s.store, s.dbName) @@ -424,7 +424,7 @@ func (s *testPrivilegeSuite) TestSetPasswdStmt(c *C) { // low privileged user trying to set password for other user (fails) c.Assert(se.Auth(&auth.UserIdentity{Username: "nobodyuser", Hostname: "localhost", AuthUsername: "nobodyuser", AuthHostname: "%"}, nil, nil), IsTrue) - _, err := se.Execute(context.Background(), "SET PASSWORD for 'superuser' = 'newpassword'") + _, err := se.ExecuteInternal(context.Background(), "SET PASSWORD for 'superuser' = 'newpassword'") c.Assert(err, NotNil) } @@ -447,7 +447,7 @@ func (s *testPrivilegeSuite) TestSelectViewSecurity(c *C) { ctx.GetSessionVars().User = &auth.UserIdentity{Username: "root", Hostname: "localhost"} mustExec(c, se, "SELECT * FROM test.selectviewsecurity") mustExec(c, se, `REVOKE Select ON test.viewsecurity FROM 'selectusr'@'localhost';`) - _, err := se.Execute(context.Background(), "select * from test.selectviewsecurity") + _, err := se.ExecuteInternal(context.Background(), "select * from test.selectviewsecurity") c.Assert(err.Error(), Equals, core.ErrViewInvalid.GenWithStackByArgs("test", "selectviewsecurity").Error()) } @@ -466,7 +466,7 @@ func (s *testPrivilegeSuite) TestRoleAdminSecurity(c *C) { mustExec(c, se, `create role r_test1@localhost`) c.Assert(se.Auth(&auth.UserIdentity{Username: "ar2", Hostname: "localhost"}, nil, nil), IsTrue) - _, err := se.Execute(context.Background(), `create role r_test2@localhost`) + _, err := se.ExecuteInternal(context.Background(), `create role r_test2@localhost`) c.Assert(terror.ErrorEqual(err, core.ErrSpecificAccessDenied), IsTrue) } @@ -736,7 +736,7 @@ func (s *testPrivilegeSuite) TestUseDB(c *C) { mustExec(c, se, "GRANT ALL ON *.* TO 'usesuper'") //without grant option c.Assert(se.Auth(&auth.UserIdentity{Username: "usesuper", Hostname: "localhost", AuthUsername: "usesuper", AuthHostname: "%"}, nil, nil), IsTrue) - _, e := se.Execute(context.Background(), "GRANT SELECT ON mysql.* TO 'usenobody'") + _, e := se.ExecuteInternal(context.Background(), "GRANT SELECT ON mysql.* TO 'usenobody'") c.Assert(e, NotNil) //with grant option se = newSession(c, s.store, s.dbName) @@ -746,14 +746,14 @@ func (s *testPrivilegeSuite) TestUseDB(c *C) { mustExec(c, se, "use mysql") // low privileged user c.Assert(se.Auth(&auth.UserIdentity{Username: "usenobody", Hostname: "localhost", AuthUsername: "usenobody", AuthHostname: "%"}, nil, nil), IsTrue) - _, err := se.Execute(context.Background(), "use mysql") + _, err := se.ExecuteInternal(context.Background(), "use mysql") c.Assert(err, NotNil) // try again after privilege granted c.Assert(se.Auth(&auth.UserIdentity{Username: "usesuper", Hostname: "localhost", AuthUsername: "usesuper", AuthHostname: "%"}, nil, nil), IsTrue) mustExec(c, se, "GRANT SELECT ON mysql.* TO 'usenobody'") c.Assert(se.Auth(&auth.UserIdentity{Username: "usenobody", Hostname: "localhost", AuthUsername: "usenobody", AuthHostname: "%"}, nil, nil), IsTrue) - _, err = se.Execute(context.Background(), "use mysql") + _, err = se.ExecuteInternal(context.Background(), "use mysql") c.Assert(err, IsNil) // test `use db` for role. @@ -765,9 +765,9 @@ func (s *testPrivilegeSuite) TestUseDB(c *C) { mustExec(c, se, `GRANT 'app_developer' TO 'dev'@'localhost'`) mustExec(c, se, `SET DEFAULT ROLE 'app_developer' TO 'dev'@'localhost'`) c.Assert(se.Auth(&auth.UserIdentity{Username: "dev", Hostname: "localhost", AuthUsername: "dev", AuthHostname: "localhost"}, nil, nil), IsTrue) - _, err = se.Execute(context.Background(), "use app_db") + _, err = se.ExecuteInternal(context.Background(), "use app_db") c.Assert(err, IsNil) - _, err = se.Execute(context.Background(), "use mysql") + _, err = se.ExecuteInternal(context.Background(), "use mysql") c.Assert(err, NotNil) } @@ -779,7 +779,7 @@ func (s *testPrivilegeSuite) TestRevokePrivileges(c *C) { mustExec(c, se, "GRANT ALL ON mysql.* TO 'withoutgrant'") // Without grant option c.Assert(se.Auth(&auth.UserIdentity{Username: "hasgrant", Hostname: "localhost", AuthUsername: "hasgrant", AuthHostname: "%"}, nil, nil), IsTrue) - _, e := se.Execute(context.Background(), "REVOKE SELECT ON mysql.* FROM 'withoutgrant'") + _, e := se.ExecuteInternal(context.Background(), "REVOKE SELECT ON mysql.* FROM 'withoutgrant'") c.Assert(e, NotNil) // With grant option se = newSession(c, s.store, s.dbName) @@ -799,7 +799,7 @@ func (s *testPrivilegeSuite) TestSetGlobal(c *C) { mustExec(c, se, `set global innodb_commit_concurrency=16`) c.Assert(se.Auth(&auth.UserIdentity{Username: "setglobal_b", Hostname: "localhost"}, nil, nil), IsTrue) - _, err := se.Execute(context.Background(), `set global innodb_commit_concurrency=16`) + _, err := se.ExecuteInternal(context.Background(), `set global innodb_commit_concurrency=16`) c.Assert(terror.ErrorEqual(err, core.ErrSpecificAccessDenied), IsTrue) } @@ -810,9 +810,9 @@ func (s *testPrivilegeSuite) TestCreateDropUser(c *C) { // should fail c.Assert(se.Auth(&auth.UserIdentity{Username: "tcd1", Hostname: "localhost", AuthUsername: "tcd1", AuthHostname: "%"}, nil, nil), IsTrue) - _, err := se.Execute(context.Background(), `CREATE USER acdc`) + _, err := se.ExecuteInternal(context.Background(), `CREATE USER acdc`) c.Assert(terror.ErrorEqual(err, core.ErrSpecificAccessDenied), IsTrue) - _, err = se.Execute(context.Background(), `DROP USER tcd2`) + _, err = se.ExecuteInternal(context.Background(), `DROP USER tcd2`) c.Assert(terror.ErrorEqual(err, core.ErrSpecificAccessDenied), IsTrue) // should pass @@ -828,6 +828,27 @@ func (s *testPrivilegeSuite) TestCreateDropUser(c *C) { mustExec(c, se, `DROP USER tcd3`) } +<<<<<<< HEAD +======= +func (s *testPrivilegeSuite) TestConfigPrivilege(c *C) { + se := newSession(c, s.store, s.dbName) + mustExec(c, se, `DROP USER IF EXISTS tcd1`) + mustExec(c, se, `CREATE USER tcd1`) + mustExec(c, se, `GRANT ALL ON *.* to tcd1`) + mustExec(c, se, `DROP USER IF EXISTS tcd2`) + mustExec(c, se, `CREATE USER tcd2`) + mustExec(c, se, `GRANT ALL ON *.* to tcd2`) + mustExec(c, se, `REVOKE CONFIG ON *.* FROM tcd2`) + + c.Assert(se.Auth(&auth.UserIdentity{Username: "tcd1", Hostname: "localhost", AuthHostname: "tcd1", AuthUsername: "%"}, nil, nil), IsTrue) + mustExec(c, se, `SET CONFIG TIKV testkey="testval"`) + c.Assert(se.Auth(&auth.UserIdentity{Username: "tcd2", Hostname: "localhost", AuthHostname: "tcd2", AuthUsername: "%"}, nil, nil), IsTrue) + _, err := se.ExecuteInternal(context.Background(), `SET CONFIG TIKV testkey="testval"`) + c.Assert(err, ErrorMatches, ".*you need \\(at least one of\\) the CONFIG privilege\\(s\\) for this operation") + mustExec(c, se, `DROP USER tcd1, tcd2`) +} + +>>>>>>> 26086b297... privilege: remove any string concat (#22523) func (s *testPrivilegeSuite) TestShowCreateTable(c *C) { se := newSession(c, s.store, s.dbName) mustExec(c, se, `CREATE USER tsct1, tsct2`) @@ -835,7 +856,7 @@ func (s *testPrivilegeSuite) TestShowCreateTable(c *C) { // should fail c.Assert(se.Auth(&auth.UserIdentity{Username: "tsct1", Hostname: "localhost", AuthUsername: "tsct1", AuthHostname: "%"}, nil, nil), IsTrue) - _, err := se.Execute(context.Background(), `SHOW CREATE TABLE mysql.user`) + _, err := se.ExecuteInternal(context.Background(), `SHOW CREATE TABLE mysql.user`) c.Assert(terror.ErrorEqual(err, core.ErrTableaccessDenied), IsTrue) // should pass @@ -858,25 +879,25 @@ func (s *testPrivilegeSuite) TestAnalyzeTable(c *C) { mustExec(c, se, "analyze table mysql.user") // low privileged user c.Assert(se.Auth(&auth.UserIdentity{Username: "anobody", Hostname: "localhost", AuthUsername: "anobody", AuthHostname: "%"}, nil, nil), IsTrue) - _, err := se.Execute(context.Background(), "analyze table t1") + _, err := se.ExecuteInternal(context.Background(), "analyze table t1") c.Assert(terror.ErrorEqual(err, core.ErrTableaccessDenied), IsTrue) c.Assert(err.Error(), Equals, "[planner:1142]INSERT command denied to user 'anobody'@'%' for table 't1'") - _, err = se.Execute(context.Background(), "select * from t1") + _, err = se.ExecuteInternal(context.Background(), "select * from t1") c.Assert(err.Error(), Equals, "[planner:1142]SELECT command denied to user 'anobody'@'%' for table 't1'") // try again after SELECT privilege granted c.Assert(se.Auth(&auth.UserIdentity{Username: "asuper", Hostname: "localhost", AuthUsername: "asuper", AuthHostname: "%"}, nil, nil), IsTrue) mustExec(c, se, "GRANT SELECT ON atest.* TO 'anobody'") c.Assert(se.Auth(&auth.UserIdentity{Username: "anobody", Hostname: "localhost", AuthUsername: "anobody", AuthHostname: "%"}, nil, nil), IsTrue) - _, err = se.Execute(context.Background(), "analyze table t1") + _, err = se.ExecuteInternal(context.Background(), "analyze table t1") c.Assert(terror.ErrorEqual(err, core.ErrTableaccessDenied), IsTrue) c.Assert(err.Error(), Equals, "[planner:1142]INSERT command denied to user 'anobody'@'%' for table 't1'") // Add INSERT privilege and it should work. c.Assert(se.Auth(&auth.UserIdentity{Username: "asuper", Hostname: "localhost", AuthUsername: "asuper", AuthHostname: "%"}, nil, nil), IsTrue) mustExec(c, se, "GRANT INSERT ON atest.* TO 'anobody'") c.Assert(se.Auth(&auth.UserIdentity{Username: "anobody", Hostname: "localhost", AuthUsername: "anobody", AuthHostname: "%"}, nil, nil), IsTrue) - _, err = se.Execute(context.Background(), "analyze table t1") + _, err = se.ExecuteInternal(context.Background(), "analyze table t1") c.Assert(err, IsNil) } @@ -888,21 +909,43 @@ func (s *testPrivilegeSuite) TestSystemSchema(c *C) { c.Assert(se.Auth(&auth.UserIdentity{Username: "u1", Hostname: "localhost"}, nil, nil), IsTrue) mustExec(c, se, `select * from information_schema.tables`) mustExec(c, se, `select * from information_schema.key_column_usage`) - _, err := se.Execute(context.Background(), "create table information_schema.t(a int)") + _, err := se.ExecuteInternal(context.Background(), "create table information_schema.t(a int)") c.Assert(strings.Contains(err.Error(), "denied to user"), IsTrue) - _, err = se.Execute(context.Background(), "drop table information_schema.tables") + _, err = se.ExecuteInternal(context.Background(), "drop table information_schema.tables") c.Assert(strings.Contains(err.Error(), "denied to user"), IsTrue) - _, err = se.Execute(context.Background(), "update information_schema.tables set table_name = 'tst' where table_name = 'mysql'") + _, err = se.ExecuteInternal(context.Background(), "update information_schema.tables set table_name = 'tst' where table_name = 'mysql'") c.Assert(strings.Contains(err.Error(), "privilege check fail"), IsTrue) // Test performance_schema. mustExec(c, se, `select * from performance_schema.events_statements_summary_by_digest`) - _, err = se.Execute(context.Background(), "drop table performance_schema.events_statements_summary_by_digest") + _, err = se.ExecuteInternal(context.Background(), "drop table performance_schema.events_statements_summary_by_digest") c.Assert(strings.Contains(err.Error(), "denied to user"), IsTrue) +<<<<<<< HEAD _, err = se.Execute(context.Background(), "update performance_schema.events_statements_summary_by_digest set table_names = 'tst'") +======= + _, err = se.ExecuteInternal(context.Background(), "update performance_schema.events_statements_summary_by_digest set schema_name = 'tst'") +>>>>>>> 26086b297... privilege: remove any string concat (#22523) + c.Assert(strings.Contains(err.Error(), "privilege check fail"), IsTrue) + _, err = se.ExecuteInternal(context.Background(), "delete from performance_schema.events_statements_summary_by_digest") + c.Assert(strings.Contains(err.Error(), "privilege check fail"), IsTrue) +<<<<<<< HEAD +======= + _, err = se.ExecuteInternal(context.Background(), "create table performance_schema.t(a int)") + c.Assert(err, NotNil) + c.Assert(strings.Contains(err.Error(), "CREATE command denied"), IsTrue, Commentf(err.Error())) + + // Test metric_schema. + mustExec(c, se, `select * from metrics_schema.tidb_query_duration`) + _, err = se.ExecuteInternal(context.Background(), "drop table metrics_schema.tidb_query_duration") + c.Assert(strings.Contains(err.Error(), "denied to user"), IsTrue) + _, err = se.ExecuteInternal(context.Background(), "update metrics_schema.tidb_query_duration set instance = 'tst'") c.Assert(strings.Contains(err.Error(), "privilege check fail"), IsTrue) - _, err = se.Execute(context.Background(), "delete from performance_schema.events_statements_summary_by_digest") + _, err = se.ExecuteInternal(context.Background(), "delete from metrics_schema.tidb_query_duration") c.Assert(strings.Contains(err.Error(), "privilege check fail"), IsTrue) + _, err = se.ExecuteInternal(context.Background(), "create table metric_schema.t(a int)") + c.Assert(err, NotNil) + c.Assert(strings.Contains(err.Error(), "CREATE command denied"), IsTrue, Commentf(err.Error())) +>>>>>>> 26086b297... privilege: remove any string concat (#22523) } func (s *testPrivilegeSuite) TestAdminCommand(c *C) { @@ -912,16 +955,61 @@ func (s *testPrivilegeSuite) TestAdminCommand(c *C) { mustExec(c, se, `CREATE TABLE t(a int)`) c.Assert(se.Auth(&auth.UserIdentity{Username: "test_admin", Hostname: "localhost"}, nil, nil), IsTrue) - _, err := se.Execute(context.Background(), "ADMIN SHOW DDL JOBS") + _, err := se.ExecuteInternal(context.Background(), "ADMIN SHOW DDL JOBS") c.Assert(strings.Contains(err.Error(), "privilege check fail"), IsTrue) - _, err = se.Execute(context.Background(), "ADMIN CHECK TABLE t") + _, err = se.ExecuteInternal(context.Background(), "ADMIN CHECK TABLE t") c.Assert(strings.Contains(err.Error(), "privilege check fail"), IsTrue) c.Assert(se.Auth(&auth.UserIdentity{Username: "root", Hostname: "localhost"}, nil, nil), IsTrue) - _, err = se.Execute(context.Background(), "ADMIN SHOW DDL JOBS") + _, err = se.ExecuteInternal(context.Background(), "ADMIN SHOW DDL JOBS") c.Assert(err, IsNil) } +<<<<<<< HEAD +======= +func (s *testPrivilegeSuite) TestTableNotExistNoPermissions(c *C) { + se := newSession(c, s.store, s.dbName) + c.Assert(se.Auth(&auth.UserIdentity{Username: "root", Hostname: "localhost"}, nil, nil), IsTrue) + mustExec(c, se, `CREATE USER 'testnotexist'@'localhost';`) + mustExec(c, se, `CREATE DATABASE dbexists`) + mustExec(c, se, `CREATE TABLE dbexists.t1 (a int)`) + + c.Assert(se.Auth(&auth.UserIdentity{Username: "testnotexist", Hostname: "localhost"}, nil, nil), IsTrue) + + tests := []struct { + stmt string + stmtType string + }{ + { + "SELECT * FROM %s.%s", + "SELECT", + }, + { + "SHOW CREATE TABLE %s.%s", + "SHOW", + }, + { + "DELETE FROM %s.%s", + "DELETE", + }, + } + + for _, t := range tests { + + _, err1 := se.ExecuteInternal(context.Background(), fmt.Sprintf(t.stmt, "dbexists", "t1")) + _, err2 := se.ExecuteInternal(context.Background(), fmt.Sprintf(t.stmt, "dbnotexists", "t1")) + + // Check the error is the same whether table exists or not. + c.Assert(terror.ErrorEqual(err1, err2), IsTrue) + + // Check it is permission denied, not not found. + c.Assert(err2.Error(), Equals, fmt.Sprintf("[planner:1142]%s command denied to user 'testnotexist'@'localhost' for table 't1'", t.stmtType)) + + } + +} + +>>>>>>> 26086b297... privilege: remove any string concat (#22523) func (s *testPrivilegeSuite) TestLoadDataPrivilege(c *C) { // Create file. path := "/tmp/load_data_priv.csv" @@ -942,15 +1030,27 @@ func (s *testPrivilegeSuite) TestLoadDataPrivilege(c *C) { mustExec(c, se, `CREATE TABLE t_load(a int)`) mustExec(c, se, `GRANT SELECT on *.* to 'test_load'@'localhost'`) c.Assert(se.Auth(&auth.UserIdentity{Username: "test_load", Hostname: "localhost"}, nil, nil), IsTrue) - _, err = se.Execute(context.Background(), "LOAD DATA LOCAL INFILE '/tmp/load_data_priv.csv' INTO TABLE t_load") + _, err = se.ExecuteInternal(context.Background(), "LOAD DATA LOCAL INFILE '/tmp/load_data_priv.csv' INTO TABLE t_load") c.Assert(strings.Contains(err.Error(), "INSERT command denied to user 'test_load'@'localhost' for table 't_load'"), IsTrue) c.Assert(se.Auth(&auth.UserIdentity{Username: "root", Hostname: "localhost"}, nil, nil), IsTrue) mustExec(c, se, `GRANT INSERT on *.* to 'test_load'@'localhost'`) c.Assert(se.Auth(&auth.UserIdentity{Username: "test_load", Hostname: "localhost"}, nil, nil), IsTrue) - _, err = se.Execute(context.Background(), "LOAD DATA LOCAL INFILE '/tmp/load_data_priv.csv' INTO TABLE t_load") + _, err = se.ExecuteInternal(context.Background(), "LOAD DATA LOCAL INFILE '/tmp/load_data_priv.csv' INTO TABLE t_load") c.Assert(err, IsNil) } +<<<<<<< HEAD +======= +func (s *testPrivilegeSuite) TestSelectIntoNoPremissions(c *C) { + se := newSession(c, s.store, s.dbName) + mustExec(c, se, `CREATE USER 'nofile'@'localhost';`) + c.Assert(se.Auth(&auth.UserIdentity{Username: "nofile", Hostname: "localhost"}, nil, nil), IsTrue) + _, err := se.ExecuteInternal(context.Background(), `select 1 into outfile '/tmp/doesntmatter-no-permissions'`) + message := "Access denied; you need (at least one of) the FILE privilege(s) for this operation" + c.Assert(strings.Contains(err.Error(), message), IsTrue) +} + +>>>>>>> 26086b297... privilege: remove any string concat (#22523) func (s *testPrivilegeSuite) TestGetEncodedPassword(c *C) { se := newSession(c, s.store, s.dbName) mustExec(c, se, `CREATE USER 'test_encode_u'@'localhost' identified by 'root';`) @@ -969,7 +1069,7 @@ func (s *testPrivilegeSuite) TestAuthHost(c *C) { mustExec(c, se, "GRANT SELECT ON *.* TO 'test_auth_host'@'192.168.%';") c.Assert(se.Auth(&auth.UserIdentity{Username: "test_auth_host", Hostname: "192.168.0.10"}, nil, nil), IsTrue) - _, err := se.Execute(context.Background(), "create user test_auth_host_a") + _, err := se.ExecuteInternal(context.Background(), "create user test_auth_host_a") c.Assert(err, NotNil) mustExec(c, rootSe, "DROP USER 'test_auth_host'@'192.168.%';") @@ -1024,7 +1124,7 @@ func (s *testPrivilegeSuite) TestUserTableConsistency(c *C) { tk.MustQuery(buf.String()).Check(testkit.Rows(res.String())) } func mustExec(c *C, se session.Session, sql string) { - _, err := se.Execute(context.Background(), sql) + _, err := se.ExecuteInternal(context.Background(), sql) c.Assert(err, IsNil) } From 37d1191cc385999b920f80abceee76333f2650dc Mon Sep 17 00:00:00 2001 From: Morgan Tocker Date: Wed, 3 Feb 2021 14:08:47 -0700 Subject: [PATCH 2/2] Fix conflicts --- privilege/privileges/cache.go | 62 ++------- privilege/privileges/privileges_test.go | 164 +++++------------------- 2 files changed, 41 insertions(+), 185 deletions(-) diff --git a/privilege/privileges/cache.go b/privilege/privileges/cache.go index a29bf6b3676ba..2b2cd85dec10d 100644 --- a/privilege/privileges/cache.go +++ b/privilege/privileges/cache.go @@ -17,12 +17,13 @@ import ( "context" "encoding/json" "fmt" - "go.uber.org/zap" "sort" "strings" "sync/atomic" "time" + "go.uber.org/zap" + "github.com/pingcap/errors" "github.com/pingcap/parser/ast" "github.com/pingcap/parser/auth" @@ -55,13 +56,11 @@ const ( sqlLoadColumnsPrivTable = "SELECT HIGH_PRIORITY Host,DB,User,Table_name,Column_name,Timestamp,Column_priv FROM mysql.columns_priv" sqlLoadDefaultRoles = "SELECT HIGH_PRIORITY HOST, USER, DEFAULT_ROLE_HOST, DEFAULT_ROLE_USER FROM mysql.default_roles" // list of privileges from mysql.Priv2UserCol - sqlLoadUserTable = `SELECT HIGH_PRIORITY Host,User,authentication_string, - Create_priv, Select_priv, Insert_priv, Update_priv, Delete_priv, Show_db_priv, Super_priv, - Create_user_priv,Create_tablespace_priv,Trigger_priv,Drop_priv,Process_priv,Grant_priv, - References_priv,Alter_priv,Execute_priv,Index_priv,Create_view_priv,Show_view_priv, - Create_role_priv,Drop_role_priv,Create_tmp_table_priv,Lock_tables_priv,Create_routine_priv, - Alter_routine_priv,Event_priv,Shutdown_priv,Reload_priv,File_priv,Config_priv,Repl_client_priv,Repl_slave_priv, - account_locked FROM mysql.user` + sqlLoadUserTable = `SELECT HIGH_PRIORITY Host,User,Password,Create_priv,Select_priv,Insert_priv,Update_priv,Delete_priv, + Show_db_priv,Super_priv,Create_user_priv,Create_tablespace_priv,Trigger_priv,Drop_priv,Process_priv,Grant_priv,References_priv, + Alter_priv,Execute_priv,Index_priv,Create_view_priv,Show_view_priv,Create_role_priv,Drop_role_priv,Create_tmp_table_priv, + Lock_tables_priv,Create_routine_priv,Alter_routine_priv,Event_priv,Shutdown_priv,Reload_priv,File_priv,Config_priv, + Repl_client_priv,Repl_slave_priv account_locked FROM mysql.user` ) func computePrivMask(privs []mysql.PrivilegeType) mysql.PrivilegeType { @@ -348,16 +347,7 @@ func (p *MySQLPrivilege) LoadRoleGraph(ctx sessionctx.Context) error { // LoadUserTable loads the mysql.user table from database. func (p *MySQLPrivilege) LoadUserTable(ctx sessionctx.Context) error { -<<<<<<< HEAD - userPrivCols := make([]string, 0, len(mysql.Priv2UserCol)) - for _, v := range mysql.Priv2UserCol { - userPrivCols = append(userPrivCols, v) - } - query := fmt.Sprintf("select HIGH_PRIORITY Host,User,Password,%s,account_locked from mysql.user;", strings.Join(userPrivCols, ", ")) - err := p.loadTable(ctx, query, p.decodeUserTableRow) -======= err := p.loadTable(ctx, sqlLoadUserTable, p.decodeUserTableRow) ->>>>>>> 26086b297... privilege: remove any string concat (#22523) if err != nil { return errors.Trace(err) } @@ -459,46 +449,12 @@ func (p *MySQLPrivilege) LoadGlobalPrivTable(ctx sessionctx.Context) error { // LoadDBTable loads the mysql.db table from database. func (p *MySQLPrivilege) LoadDBTable(ctx sessionctx.Context) error { -<<<<<<< HEAD - return p.loadTable(ctx, "select HIGH_PRIORITY Host,DB,User,Select_priv,Insert_priv,Update_priv,Delete_priv,Create_priv,Drop_priv,Grant_priv,Index_priv,Alter_priv,Execute_priv,Create_view_priv,Show_view_priv from mysql.db order by host, db, user;", p.decodeDBTableRow) -======= - err := p.loadTable(ctx, sqlLoadDBTable, p.decodeDBTableRow) - if err != nil { - return err - } - p.buildDBMap() - return nil -} - -func (p *MySQLPrivilege) buildDBMap() { - dbMap := make(map[string][]dbRecord, len(p.DB)) - for _, record := range p.DB { - dbMap[record.User] = append(dbMap[record.User], record) - } - p.DBMap = dbMap ->>>>>>> 26086b297... privilege: remove any string concat (#22523) + return p.loadTable(ctx, sqlLoadDBTable, p.decodeDBTableRow) } // LoadTablesPrivTable loads the mysql.tables_priv table from database. func (p *MySQLPrivilege) LoadTablesPrivTable(ctx sessionctx.Context) error { -<<<<<<< HEAD - return p.loadTable(ctx, "select HIGH_PRIORITY Host,DB,User,Table_name,Grantor,Timestamp,Table_priv,Column_priv from mysql.tables_priv", p.decodeTablesPrivTableRow) -======= - err := p.loadTable(ctx, sqlLoadTablePrivTable, p.decodeTablesPrivTableRow) - if err != nil { - return err - } - p.buildTablesPrivMap() - return nil -} - -func (p *MySQLPrivilege) buildTablesPrivMap() { - tablesPrivMap := make(map[string][]tablesPrivRecord, len(p.TablesPriv)) - for _, record := range p.TablesPriv { - tablesPrivMap[record.User] = append(tablesPrivMap[record.User], record) - } - p.TablesPrivMap = tablesPrivMap ->>>>>>> 26086b297... privilege: remove any string concat (#22523) + return p.loadTable(ctx, sqlLoadTablePrivTable, p.decodeTablesPrivTableRow) } // LoadColumnsPrivTable loads the mysql.columns_priv table from database. diff --git a/privilege/privileges/privileges_test.go b/privilege/privileges/privileges_test.go index a01967cd9cf0b..957842d230b93 100644 --- a/privilege/privileges/privileges_test.go +++ b/privilege/privileges/privileges_test.go @@ -148,9 +148,9 @@ func (s *testPrivilegeSuite) TestCheckPointGetDBPrivilege(c *C) { se := newSession(c, s.store, s.dbName) c.Assert(se.Auth(&auth.UserIdentity{Username: "tester", Hostname: "localhost"}, nil, nil), IsTrue) mustExec(c, se, `use test;`) - _, err := se.ExecuteInternal(context.Background(), `select * from test2.t where id = 1`) + _, err := se.Execute(context.Background(), `select * from test2.t where id = 1`) c.Assert(terror.ErrorEqual(err, core.ErrTableaccessDenied), IsTrue) - _, err = se.ExecuteInternal(context.Background(), "update test2.t set v = 2 where id = 1") + _, err = se.Execute(context.Background(), "update test2.t set v = 2 where id = 1") c.Assert(terror.ErrorEqual(err, core.ErrTableaccessDenied), IsTrue) } @@ -397,7 +397,7 @@ func (s *testPrivilegeSuite) TestDropTablePriv(c *C) { // ctx.GetSessionVars().User = "drop@localhost" c.Assert(se.Auth(&auth.UserIdentity{Username: "drop", Hostname: "localhost"}, nil, nil), IsTrue) mustExec(c, se, `SELECT * FROM todrop;`) - _, err := se.ExecuteInternal(context.Background(), "DROP TABLE todrop;") + _, err := se.Execute(context.Background(), "DROP TABLE todrop;") c.Assert(err, NotNil) se = newSession(c, s.store, s.dbName) @@ -424,7 +424,7 @@ func (s *testPrivilegeSuite) TestSetPasswdStmt(c *C) { // low privileged user trying to set password for other user (fails) c.Assert(se.Auth(&auth.UserIdentity{Username: "nobodyuser", Hostname: "localhost", AuthUsername: "nobodyuser", AuthHostname: "%"}, nil, nil), IsTrue) - _, err := se.ExecuteInternal(context.Background(), "SET PASSWORD for 'superuser' = 'newpassword'") + _, err := se.Execute(context.Background(), "SET PASSWORD for 'superuser' = 'newpassword'") c.Assert(err, NotNil) } @@ -447,7 +447,7 @@ func (s *testPrivilegeSuite) TestSelectViewSecurity(c *C) { ctx.GetSessionVars().User = &auth.UserIdentity{Username: "root", Hostname: "localhost"} mustExec(c, se, "SELECT * FROM test.selectviewsecurity") mustExec(c, se, `REVOKE Select ON test.viewsecurity FROM 'selectusr'@'localhost';`) - _, err := se.ExecuteInternal(context.Background(), "select * from test.selectviewsecurity") + _, err := se.Execute(context.Background(), "select * from test.selectviewsecurity") c.Assert(err.Error(), Equals, core.ErrViewInvalid.GenWithStackByArgs("test", "selectviewsecurity").Error()) } @@ -466,7 +466,7 @@ func (s *testPrivilegeSuite) TestRoleAdminSecurity(c *C) { mustExec(c, se, `create role r_test1@localhost`) c.Assert(se.Auth(&auth.UserIdentity{Username: "ar2", Hostname: "localhost"}, nil, nil), IsTrue) - _, err := se.ExecuteInternal(context.Background(), `create role r_test2@localhost`) + _, err := se.Execute(context.Background(), `create role r_test2@localhost`) c.Assert(terror.ErrorEqual(err, core.ErrSpecificAccessDenied), IsTrue) } @@ -736,7 +736,7 @@ func (s *testPrivilegeSuite) TestUseDB(c *C) { mustExec(c, se, "GRANT ALL ON *.* TO 'usesuper'") //without grant option c.Assert(se.Auth(&auth.UserIdentity{Username: "usesuper", Hostname: "localhost", AuthUsername: "usesuper", AuthHostname: "%"}, nil, nil), IsTrue) - _, e := se.ExecuteInternal(context.Background(), "GRANT SELECT ON mysql.* TO 'usenobody'") + _, e := se.Execute(context.Background(), "GRANT SELECT ON mysql.* TO 'usenobody'") c.Assert(e, NotNil) //with grant option se = newSession(c, s.store, s.dbName) @@ -746,14 +746,14 @@ func (s *testPrivilegeSuite) TestUseDB(c *C) { mustExec(c, se, "use mysql") // low privileged user c.Assert(se.Auth(&auth.UserIdentity{Username: "usenobody", Hostname: "localhost", AuthUsername: "usenobody", AuthHostname: "%"}, nil, nil), IsTrue) - _, err := se.ExecuteInternal(context.Background(), "use mysql") + _, err := se.Execute(context.Background(), "use mysql") c.Assert(err, NotNil) // try again after privilege granted c.Assert(se.Auth(&auth.UserIdentity{Username: "usesuper", Hostname: "localhost", AuthUsername: "usesuper", AuthHostname: "%"}, nil, nil), IsTrue) mustExec(c, se, "GRANT SELECT ON mysql.* TO 'usenobody'") c.Assert(se.Auth(&auth.UserIdentity{Username: "usenobody", Hostname: "localhost", AuthUsername: "usenobody", AuthHostname: "%"}, nil, nil), IsTrue) - _, err = se.ExecuteInternal(context.Background(), "use mysql") + _, err = se.Execute(context.Background(), "use mysql") c.Assert(err, IsNil) // test `use db` for role. @@ -765,9 +765,9 @@ func (s *testPrivilegeSuite) TestUseDB(c *C) { mustExec(c, se, `GRANT 'app_developer' TO 'dev'@'localhost'`) mustExec(c, se, `SET DEFAULT ROLE 'app_developer' TO 'dev'@'localhost'`) c.Assert(se.Auth(&auth.UserIdentity{Username: "dev", Hostname: "localhost", AuthUsername: "dev", AuthHostname: "localhost"}, nil, nil), IsTrue) - _, err = se.ExecuteInternal(context.Background(), "use app_db") + _, err = se.Execute(context.Background(), "use app_db") c.Assert(err, IsNil) - _, err = se.ExecuteInternal(context.Background(), "use mysql") + _, err = se.Execute(context.Background(), "use mysql") c.Assert(err, NotNil) } @@ -779,7 +779,7 @@ func (s *testPrivilegeSuite) TestRevokePrivileges(c *C) { mustExec(c, se, "GRANT ALL ON mysql.* TO 'withoutgrant'") // Without grant option c.Assert(se.Auth(&auth.UserIdentity{Username: "hasgrant", Hostname: "localhost", AuthUsername: "hasgrant", AuthHostname: "%"}, nil, nil), IsTrue) - _, e := se.ExecuteInternal(context.Background(), "REVOKE SELECT ON mysql.* FROM 'withoutgrant'") + _, e := se.Execute(context.Background(), "REVOKE SELECT ON mysql.* FROM 'withoutgrant'") c.Assert(e, NotNil) // With grant option se = newSession(c, s.store, s.dbName) @@ -799,7 +799,7 @@ func (s *testPrivilegeSuite) TestSetGlobal(c *C) { mustExec(c, se, `set global innodb_commit_concurrency=16`) c.Assert(se.Auth(&auth.UserIdentity{Username: "setglobal_b", Hostname: "localhost"}, nil, nil), IsTrue) - _, err := se.ExecuteInternal(context.Background(), `set global innodb_commit_concurrency=16`) + _, err := se.Execute(context.Background(), `set global innodb_commit_concurrency=16`) c.Assert(terror.ErrorEqual(err, core.ErrSpecificAccessDenied), IsTrue) } @@ -810,9 +810,9 @@ func (s *testPrivilegeSuite) TestCreateDropUser(c *C) { // should fail c.Assert(se.Auth(&auth.UserIdentity{Username: "tcd1", Hostname: "localhost", AuthUsername: "tcd1", AuthHostname: "%"}, nil, nil), IsTrue) - _, err := se.ExecuteInternal(context.Background(), `CREATE USER acdc`) + _, err := se.Execute(context.Background(), `CREATE USER acdc`) c.Assert(terror.ErrorEqual(err, core.ErrSpecificAccessDenied), IsTrue) - _, err = se.ExecuteInternal(context.Background(), `DROP USER tcd2`) + _, err = se.Execute(context.Background(), `DROP USER tcd2`) c.Assert(terror.ErrorEqual(err, core.ErrSpecificAccessDenied), IsTrue) // should pass @@ -828,27 +828,6 @@ func (s *testPrivilegeSuite) TestCreateDropUser(c *C) { mustExec(c, se, `DROP USER tcd3`) } -<<<<<<< HEAD -======= -func (s *testPrivilegeSuite) TestConfigPrivilege(c *C) { - se := newSession(c, s.store, s.dbName) - mustExec(c, se, `DROP USER IF EXISTS tcd1`) - mustExec(c, se, `CREATE USER tcd1`) - mustExec(c, se, `GRANT ALL ON *.* to tcd1`) - mustExec(c, se, `DROP USER IF EXISTS tcd2`) - mustExec(c, se, `CREATE USER tcd2`) - mustExec(c, se, `GRANT ALL ON *.* to tcd2`) - mustExec(c, se, `REVOKE CONFIG ON *.* FROM tcd2`) - - c.Assert(se.Auth(&auth.UserIdentity{Username: "tcd1", Hostname: "localhost", AuthHostname: "tcd1", AuthUsername: "%"}, nil, nil), IsTrue) - mustExec(c, se, `SET CONFIG TIKV testkey="testval"`) - c.Assert(se.Auth(&auth.UserIdentity{Username: "tcd2", Hostname: "localhost", AuthHostname: "tcd2", AuthUsername: "%"}, nil, nil), IsTrue) - _, err := se.ExecuteInternal(context.Background(), `SET CONFIG TIKV testkey="testval"`) - c.Assert(err, ErrorMatches, ".*you need \\(at least one of\\) the CONFIG privilege\\(s\\) for this operation") - mustExec(c, se, `DROP USER tcd1, tcd2`) -} - ->>>>>>> 26086b297... privilege: remove any string concat (#22523) func (s *testPrivilegeSuite) TestShowCreateTable(c *C) { se := newSession(c, s.store, s.dbName) mustExec(c, se, `CREATE USER tsct1, tsct2`) @@ -856,7 +835,7 @@ func (s *testPrivilegeSuite) TestShowCreateTable(c *C) { // should fail c.Assert(se.Auth(&auth.UserIdentity{Username: "tsct1", Hostname: "localhost", AuthUsername: "tsct1", AuthHostname: "%"}, nil, nil), IsTrue) - _, err := se.ExecuteInternal(context.Background(), `SHOW CREATE TABLE mysql.user`) + _, err := se.Execute(context.Background(), `SHOW CREATE TABLE mysql.user`) c.Assert(terror.ErrorEqual(err, core.ErrTableaccessDenied), IsTrue) // should pass @@ -879,25 +858,25 @@ func (s *testPrivilegeSuite) TestAnalyzeTable(c *C) { mustExec(c, se, "analyze table mysql.user") // low privileged user c.Assert(se.Auth(&auth.UserIdentity{Username: "anobody", Hostname: "localhost", AuthUsername: "anobody", AuthHostname: "%"}, nil, nil), IsTrue) - _, err := se.ExecuteInternal(context.Background(), "analyze table t1") + _, err := se.Execute(context.Background(), "analyze table t1") c.Assert(terror.ErrorEqual(err, core.ErrTableaccessDenied), IsTrue) c.Assert(err.Error(), Equals, "[planner:1142]INSERT command denied to user 'anobody'@'%' for table 't1'") - _, err = se.ExecuteInternal(context.Background(), "select * from t1") + _, err = se.Execute(context.Background(), "select * from t1") c.Assert(err.Error(), Equals, "[planner:1142]SELECT command denied to user 'anobody'@'%' for table 't1'") // try again after SELECT privilege granted c.Assert(se.Auth(&auth.UserIdentity{Username: "asuper", Hostname: "localhost", AuthUsername: "asuper", AuthHostname: "%"}, nil, nil), IsTrue) mustExec(c, se, "GRANT SELECT ON atest.* TO 'anobody'") c.Assert(se.Auth(&auth.UserIdentity{Username: "anobody", Hostname: "localhost", AuthUsername: "anobody", AuthHostname: "%"}, nil, nil), IsTrue) - _, err = se.ExecuteInternal(context.Background(), "analyze table t1") + _, err = se.Execute(context.Background(), "analyze table t1") c.Assert(terror.ErrorEqual(err, core.ErrTableaccessDenied), IsTrue) c.Assert(err.Error(), Equals, "[planner:1142]INSERT command denied to user 'anobody'@'%' for table 't1'") // Add INSERT privilege and it should work. c.Assert(se.Auth(&auth.UserIdentity{Username: "asuper", Hostname: "localhost", AuthUsername: "asuper", AuthHostname: "%"}, nil, nil), IsTrue) mustExec(c, se, "GRANT INSERT ON atest.* TO 'anobody'") c.Assert(se.Auth(&auth.UserIdentity{Username: "anobody", Hostname: "localhost", AuthUsername: "anobody", AuthHostname: "%"}, nil, nil), IsTrue) - _, err = se.ExecuteInternal(context.Background(), "analyze table t1") + _, err = se.Execute(context.Background(), "analyze table t1") c.Assert(err, IsNil) } @@ -909,43 +888,21 @@ func (s *testPrivilegeSuite) TestSystemSchema(c *C) { c.Assert(se.Auth(&auth.UserIdentity{Username: "u1", Hostname: "localhost"}, nil, nil), IsTrue) mustExec(c, se, `select * from information_schema.tables`) mustExec(c, se, `select * from information_schema.key_column_usage`) - _, err := se.ExecuteInternal(context.Background(), "create table information_schema.t(a int)") + _, err := se.Execute(context.Background(), "create table information_schema.t(a int)") c.Assert(strings.Contains(err.Error(), "denied to user"), IsTrue) - _, err = se.ExecuteInternal(context.Background(), "drop table information_schema.tables") + _, err = se.Execute(context.Background(), "drop table information_schema.tables") c.Assert(strings.Contains(err.Error(), "denied to user"), IsTrue) - _, err = se.ExecuteInternal(context.Background(), "update information_schema.tables set table_name = 'tst' where table_name = 'mysql'") + _, err = se.Execute(context.Background(), "update information_schema.tables set table_name = 'tst' where table_name = 'mysql'") c.Assert(strings.Contains(err.Error(), "privilege check fail"), IsTrue) // Test performance_schema. mustExec(c, se, `select * from performance_schema.events_statements_summary_by_digest`) - _, err = se.ExecuteInternal(context.Background(), "drop table performance_schema.events_statements_summary_by_digest") + _, err = se.Execute(context.Background(), "drop table performance_schema.events_statements_summary_by_digest") c.Assert(strings.Contains(err.Error(), "denied to user"), IsTrue) -<<<<<<< HEAD _, err = se.Execute(context.Background(), "update performance_schema.events_statements_summary_by_digest set table_names = 'tst'") -======= - _, err = se.ExecuteInternal(context.Background(), "update performance_schema.events_statements_summary_by_digest set schema_name = 'tst'") ->>>>>>> 26086b297... privilege: remove any string concat (#22523) - c.Assert(strings.Contains(err.Error(), "privilege check fail"), IsTrue) - _, err = se.ExecuteInternal(context.Background(), "delete from performance_schema.events_statements_summary_by_digest") - c.Assert(strings.Contains(err.Error(), "privilege check fail"), IsTrue) -<<<<<<< HEAD -======= - _, err = se.ExecuteInternal(context.Background(), "create table performance_schema.t(a int)") - c.Assert(err, NotNil) - c.Assert(strings.Contains(err.Error(), "CREATE command denied"), IsTrue, Commentf(err.Error())) - - // Test metric_schema. - mustExec(c, se, `select * from metrics_schema.tidb_query_duration`) - _, err = se.ExecuteInternal(context.Background(), "drop table metrics_schema.tidb_query_duration") - c.Assert(strings.Contains(err.Error(), "denied to user"), IsTrue) - _, err = se.ExecuteInternal(context.Background(), "update metrics_schema.tidb_query_duration set instance = 'tst'") c.Assert(strings.Contains(err.Error(), "privilege check fail"), IsTrue) - _, err = se.ExecuteInternal(context.Background(), "delete from metrics_schema.tidb_query_duration") + _, err = se.Execute(context.Background(), "delete from performance_schema.events_statements_summary_by_digest") c.Assert(strings.Contains(err.Error(), "privilege check fail"), IsTrue) - _, err = se.ExecuteInternal(context.Background(), "create table metric_schema.t(a int)") - c.Assert(err, NotNil) - c.Assert(strings.Contains(err.Error(), "CREATE command denied"), IsTrue, Commentf(err.Error())) ->>>>>>> 26086b297... privilege: remove any string concat (#22523) } func (s *testPrivilegeSuite) TestAdminCommand(c *C) { @@ -955,61 +912,16 @@ func (s *testPrivilegeSuite) TestAdminCommand(c *C) { mustExec(c, se, `CREATE TABLE t(a int)`) c.Assert(se.Auth(&auth.UserIdentity{Username: "test_admin", Hostname: "localhost"}, nil, nil), IsTrue) - _, err := se.ExecuteInternal(context.Background(), "ADMIN SHOW DDL JOBS") + _, err := se.Execute(context.Background(), "ADMIN SHOW DDL JOBS") c.Assert(strings.Contains(err.Error(), "privilege check fail"), IsTrue) - _, err = se.ExecuteInternal(context.Background(), "ADMIN CHECK TABLE t") + _, err = se.Execute(context.Background(), "ADMIN CHECK TABLE t") c.Assert(strings.Contains(err.Error(), "privilege check fail"), IsTrue) c.Assert(se.Auth(&auth.UserIdentity{Username: "root", Hostname: "localhost"}, nil, nil), IsTrue) - _, err = se.ExecuteInternal(context.Background(), "ADMIN SHOW DDL JOBS") + _, err = se.Execute(context.Background(), "ADMIN SHOW DDL JOBS") c.Assert(err, IsNil) } -<<<<<<< HEAD -======= -func (s *testPrivilegeSuite) TestTableNotExistNoPermissions(c *C) { - se := newSession(c, s.store, s.dbName) - c.Assert(se.Auth(&auth.UserIdentity{Username: "root", Hostname: "localhost"}, nil, nil), IsTrue) - mustExec(c, se, `CREATE USER 'testnotexist'@'localhost';`) - mustExec(c, se, `CREATE DATABASE dbexists`) - mustExec(c, se, `CREATE TABLE dbexists.t1 (a int)`) - - c.Assert(se.Auth(&auth.UserIdentity{Username: "testnotexist", Hostname: "localhost"}, nil, nil), IsTrue) - - tests := []struct { - stmt string - stmtType string - }{ - { - "SELECT * FROM %s.%s", - "SELECT", - }, - { - "SHOW CREATE TABLE %s.%s", - "SHOW", - }, - { - "DELETE FROM %s.%s", - "DELETE", - }, - } - - for _, t := range tests { - - _, err1 := se.ExecuteInternal(context.Background(), fmt.Sprintf(t.stmt, "dbexists", "t1")) - _, err2 := se.ExecuteInternal(context.Background(), fmt.Sprintf(t.stmt, "dbnotexists", "t1")) - - // Check the error is the same whether table exists or not. - c.Assert(terror.ErrorEqual(err1, err2), IsTrue) - - // Check it is permission denied, not not found. - c.Assert(err2.Error(), Equals, fmt.Sprintf("[planner:1142]%s command denied to user 'testnotexist'@'localhost' for table 't1'", t.stmtType)) - - } - -} - ->>>>>>> 26086b297... privilege: remove any string concat (#22523) func (s *testPrivilegeSuite) TestLoadDataPrivilege(c *C) { // Create file. path := "/tmp/load_data_priv.csv" @@ -1030,27 +942,15 @@ func (s *testPrivilegeSuite) TestLoadDataPrivilege(c *C) { mustExec(c, se, `CREATE TABLE t_load(a int)`) mustExec(c, se, `GRANT SELECT on *.* to 'test_load'@'localhost'`) c.Assert(se.Auth(&auth.UserIdentity{Username: "test_load", Hostname: "localhost"}, nil, nil), IsTrue) - _, err = se.ExecuteInternal(context.Background(), "LOAD DATA LOCAL INFILE '/tmp/load_data_priv.csv' INTO TABLE t_load") + _, err = se.Execute(context.Background(), "LOAD DATA LOCAL INFILE '/tmp/load_data_priv.csv' INTO TABLE t_load") c.Assert(strings.Contains(err.Error(), "INSERT command denied to user 'test_load'@'localhost' for table 't_load'"), IsTrue) c.Assert(se.Auth(&auth.UserIdentity{Username: "root", Hostname: "localhost"}, nil, nil), IsTrue) mustExec(c, se, `GRANT INSERT on *.* to 'test_load'@'localhost'`) c.Assert(se.Auth(&auth.UserIdentity{Username: "test_load", Hostname: "localhost"}, nil, nil), IsTrue) - _, err = se.ExecuteInternal(context.Background(), "LOAD DATA LOCAL INFILE '/tmp/load_data_priv.csv' INTO TABLE t_load") + _, err = se.Execute(context.Background(), "LOAD DATA LOCAL INFILE '/tmp/load_data_priv.csv' INTO TABLE t_load") c.Assert(err, IsNil) } -<<<<<<< HEAD -======= -func (s *testPrivilegeSuite) TestSelectIntoNoPremissions(c *C) { - se := newSession(c, s.store, s.dbName) - mustExec(c, se, `CREATE USER 'nofile'@'localhost';`) - c.Assert(se.Auth(&auth.UserIdentity{Username: "nofile", Hostname: "localhost"}, nil, nil), IsTrue) - _, err := se.ExecuteInternal(context.Background(), `select 1 into outfile '/tmp/doesntmatter-no-permissions'`) - message := "Access denied; you need (at least one of) the FILE privilege(s) for this operation" - c.Assert(strings.Contains(err.Error(), message), IsTrue) -} - ->>>>>>> 26086b297... privilege: remove any string concat (#22523) func (s *testPrivilegeSuite) TestGetEncodedPassword(c *C) { se := newSession(c, s.store, s.dbName) mustExec(c, se, `CREATE USER 'test_encode_u'@'localhost' identified by 'root';`) @@ -1069,7 +969,7 @@ func (s *testPrivilegeSuite) TestAuthHost(c *C) { mustExec(c, se, "GRANT SELECT ON *.* TO 'test_auth_host'@'192.168.%';") c.Assert(se.Auth(&auth.UserIdentity{Username: "test_auth_host", Hostname: "192.168.0.10"}, nil, nil), IsTrue) - _, err := se.ExecuteInternal(context.Background(), "create user test_auth_host_a") + _, err := se.Execute(context.Background(), "create user test_auth_host_a") c.Assert(err, NotNil) mustExec(c, rootSe, "DROP USER 'test_auth_host'@'192.168.%';") @@ -1124,7 +1024,7 @@ func (s *testPrivilegeSuite) TestUserTableConsistency(c *C) { tk.MustQuery(buf.String()).Check(testkit.Rows(res.String())) } func mustExec(c *C, se session.Session, sql string) { - _, err := se.ExecuteInternal(context.Background(), sql) + _, err := se.Execute(context.Background(), sql) c.Assert(err, IsNil) }