1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
|
# suite/funcs_1/t/is_schema_privileges.test
#
# Check the layout of information_schema.schema_privileges and the impact of
# CREATE/ALTER/DROP TABLE/VIEW/SCHEMA ... on it.
#
# Note:
# This test is not intended
# - to show information about the all time existing schemas
# information_schema and mysql
# - for checking storage engine properties
# Therefore please do not alter $engine_type and $other_engine_type.
#
# Author:
# 2008-01-23 mleich WL#4203 Reorganize and fix the data dictionary tests of
# testsuite funcs_1
# Create this script based on older scripts and new code.
#
# This test cannot be used for the embedded server because we check here
# privileges.
--source include/not_embedded.inc
let $engine_type = MEMORY;
let $other_engine_type = MyISAM;
let $is_table = SCHEMA_PRIVILEGES;
# The table INFORMATION_SCHEMA.SCHEMA_PRIVILEGES must exist
eval SHOW TABLES FROM information_schema LIKE '$is_table';
--echo #######################################################################
--echo # Testcase 3.2.1.1: INFORMATION_SCHEMA tables can be queried via SELECT
--echo #######################################################################
# Ensure that every INFORMATION_SCHEMA table can be queried with a SELECT
# statement, just as if it were an ordinary user-defined table.
#
--source suite/funcs_1/datadict/is_table_query.inc
--echo #########################################################################
--echo # Testcase 3.2.15.1: INFORMATION_SCHEMA.SCHEMA_PRIVILEGES layout
--echo #########################################################################
# Ensure that the INFORMATION_SCHEMA.SCHEMA_PRIVILEGES table has the following
# columns, in the following order:
#
# GRANTEE (shows a user to whom a schema privilege has been granted),
# TABLE_CATALOG (always shows NULL),
# TABLE_SCHEMA (shows the name of the database, or schema, on which the
# privilege has been granted),
# PRIVILEGE_TYPE (shows the granted privilege),
# IS_GRANTABLE (shows whether the privilege was granted WITH GRANT OPTION)
#
--source suite/funcs_1/datadict/datadict_bug_12777.inc
eval DESCRIBE information_schema.$is_table;
--source suite/funcs_1/datadict/datadict_bug_12777.inc
eval SHOW CREATE TABLE information_schema.$is_table;
--source suite/funcs_1/datadict/datadict_bug_12777.inc
eval SHOW COLUMNS FROM information_schema.$is_table;
# Note: Retrieval of information within information_schema.columns
# about information_schema.schema_privileges is in is_columns_is.test.
# Show that TABLE_CATALOG is always NULL.
SELECT GRANTEE, TABLE_CATALOG, TABLE_SCHEMA, PRIVILEGE_TYPE
FROM information_schema.schema_privileges WHERE table_catalog IS NOT NULL;
--echo ###############################################################################
--echo # Testcase 3.2.15.2-3.2.15.4 INFORMATION_SCHEMA.SCHEMA_PRIVILEGES accessibility
--echo ###############################################################################
# 3.2.15.2 Ensure that the table shows the relevant information on every
# schema-level privilege which has been granted to the current user
# or to PUBLIC, or has been granted by the current user.
# FIXME: Why is "or has been granted by the current user" invisible?
# 3.2.15.3 Ensure that the table does not show any information on any
# schema-level privileges which have been granted to users
# other than the current user or to PUBLIC, or that have been
# granted by any user other than the current user.
# 3.2.15.4 Ensure that the table does not show any information on any
# privileges that are not schema-level privileges for the
# current user.
#
# Note: Check of content within information_schema.schema_privileges about the
# databases information_schema, mysql and test is in
# is_schema_privileges_is_mysql_test.
#
--disable_warnings
DROP DATABASE IF EXISTS db_datadict_1;
DROP DATABASE IF EXISTS db_datadict_2;
DROP DATABASE IF EXISTS db_datadict_3;
--enable_warnings
CREATE DATABASE db_datadict_1;
CREATE DATABASE db_datadict_2;
CREATE DATABASE db_datadict_3;
eval
CREATE TABLE db_datadict_2.t1(f1 INT, f2 INT, f3 INT)
ENGINE = $engine_type;
--error 0,ER_CANNOT_USER
DROP USER 'testuser1'@'localhost';
CREATE USER 'testuser1'@'localhost';
--error 0,ER_CANNOT_USER
DROP USER 'testuser2'@'localhost';
CREATE USER 'testuser2'@'localhost';
GRANT INSERT ON db_datadict_1.* TO 'testuser1'@'localhost';
GRANT INSERT ON db_datadict_2.t1 TO 'testuser1'@'localhost';
GRANT SELECT ON db_datadict_4.* TO 'testuser1'@'localhost' WITH GRANT OPTION;
GRANT SELECT ON db_datadict_3.* TO 'testuser2'@'localhost';
GRANT SELECT ON db_datadict_1.* TO 'testuser2'@'localhost';
let $my_select = SELECT * FROM information_schema.schema_privileges
WHERE table_schema LIKE 'db_datadict%'
ORDER BY grantee,table_schema,privilege_type;
let $show_testuser1 = SHOW GRANTS FOR 'testuser1'@'localhost';
let $show_testuser2 = SHOW GRANTS FOR 'testuser2'@'localhost';
--replace_result $MASTER_MYPORT MYSQL_PORT $MASTER_MYSOCK MYSQL_SOCK
connect (testuser1, localhost, testuser1, ,"*NO-ONE*");
GRANT SELECT ON db_datadict_4.* TO 'testuser2'@'localhost';
--echo # Root granted INSERT db_datadict_1 to me -> visible
--echo # Root granted SELECT db_datadict_1 to testuser2 -> invisible
--echo # Root granted INSERT db_datadict_2.t1 (no schema-level priv!)
--echo # but not db_datadict_2 to me -> invisible
--echo # Root granted SELECT db_datadict_3. to testuser2 but not to me -> invisible
--echo # Root granted SELECT db_datadict_4. to me -> visible
--echo # I granted SELECT db_datadict_4. to testuser2 -> invisible (reality), visible(requirement)
--echo # FIXME
eval $my_select;
eval $show_testuser1;
--error ER_DBACCESS_DENIED_ERROR
eval $show_testuser2;
--replace_result $MASTER_MYPORT MYSQL_PORT $MASTER_MYSOCK MYSQL_SOCK
connect (testuser2, localhost, testuser2, ,"*NO-ONE*");
--echo # Root granted SELECT db_datadict_1 to me -> visible
--echo # Root granted INSERT db_datadict_1 to testuser1 -> invisible
--echo # Root granted INSERT db_datadict_2.t1 but not db_datadict_1 to testuser1 -> invisible
--echo # Root granted SELECT db_datadict_3. to me -> visible
--echo # testuser1 granted SELECT db_datadict_4. to me -> visible
eval $my_select;
--error ER_DBACCESS_DENIED_ERROR
eval $show_testuser1;
eval $show_testuser2;
connection default;
disconnect testuser1;
disconnect testuser2;
eval $my_select;
eval $show_testuser1;
eval $show_testuser2;
# Cleanup
DROP USER 'testuser1'@'localhost';
DROP USER 'testuser2'@'localhost';
DROP DATABASE db_datadict_1;
DROP DATABASE db_datadict_2;
DROP DATABASE db_datadict_3;
--echo ################################################################################
--echo # 3.2.1.13+3.2.1.14+3.2.1.15: INFORMATION_SCHEMA.SCHEMA_PRIVILEGES modifications
--echo ################################################################################
# 3.2.1.13: Ensure that the creation of any new database object (e.g. table or
# column) automatically inserts all relevant information on that
# object into every appropriate INFORMATION_SCHEMA table.
# 3.2.1.14: Ensure that the alteration of any existing database object
# automatically updates all relevant information on that object in
# every appropriate INFORMATION_SCHEMA table.
# 3.2.1.15: Ensure that the dropping of any existing database object
# automatically deletes all relevant information on that object from
# every appropriate INFORMATION_SCHEMA table.
#
# Note (mleich):
# The MySQL privilege system allows to GRANT objects before they exist.
# (Exception: Grant privileges for columns of not existing tables/views.)
# There is also no migration of privileges if objects (tables, views, columns)
# are moved to other databases (tables only), renamed or dropped.
#
--disable_warnings
DROP DATABASE IF EXISTS db_datadict;
--enable_warnings
CREATE DATABASE db_datadict;
--error 0,ER_CANNOT_USER
DROP USER 'the_user'@'localhost';
--error 0,ER_CANNOT_USER
DROP USER 'testuser1'@'localhost';
CREATE USER 'testuser1'@'localhost';
GRANT SELECT ON test.* TO 'testuser1'@'localhost';
let $my_select = SELECT * FROM information_schema.schema_privileges
WHERE table_schema = 'db_datadict'
ORDER BY grantee,table_schema,privilege_type;
############ Check grant SCHEMA
eval $my_select;
--replace_result $MASTER_MYPORT MYSQL_PORT $MASTER_MYSOCK MYSQL_SOCK
connect (testuser1, localhost, testuser1, , test);
eval $my_select;
connection default;
GRANT UPDATE ON db_datadict.* TO 'testuser1'@'localhost';
eval $my_select;
eval $my_select;
############ Check RENAME SCHEMA
# Implement this if RENAME SCHEMA is again available.
# Note(mleich): I expect that RENAME has no impact on the result sets, because
# the schema_name is not migrated.
# connection default;
# RENAME SCHEMA db_datadict TO db_datadictx;
# eval $my_select;
# eval $my_select;
# RENAME SCHEMA db_datadictx TO db_datadict;
############ Check extend PRIVILEGES (affects PRIVILEGE_TYPE) on SCHEMA
connection default;
GRANT SELECT ON db_datadict.* TO 'testuser1'@'localhost';
eval $my_select;
eval $my_select;
############ Check extend PRIVILEGES (affects IS_GRANTABLE) on SCHEMA
--echo # Switch to connection default
connection default;
GRANT SELECT ON db_datadict.* TO 'testuser1'@'localhost' WITH GRANT OPTION;
eval $my_select;
eval $my_select;
############ Check DROP SCHEMA
# No impact, because there is no "maintenance" of privileges.
connection default;
DROP SCHEMA db_datadict;
eval $my_select;
eval $my_select;
############ Check REVOKE PRIVILEGE
connection default;
REVOKE UPDATE ON db_datadict.* FROM 'testuser1'@'localhost';
eval $my_select;
eval $my_select;
############ Check RENAME USER
connection default;
RENAME USER 'testuser1'@'localhost' TO 'the_user'@'localhost';
eval $my_select;
eval $my_select;
disconnect testuser1;
--replace_result $MASTER_MYPORT MYSQL_PORT $MASTER_MYSOCK MYSQL_SOCK
connect (the_user, localhost, the_user, , test);
eval $my_select;
disconnect the_user;
############ Check DROP USER
connection default;
eval $my_select;
DROP USER 'the_user'@'localhost';
eval $my_select;
--echo ########################################################################
--echo # Testcases 3.2.1.3-3.2.1.5 + 3.2.1.8-3.2.1.12: INSERT/UPDATE/DELETE and
--echo # DDL on INFORMATION_SCHEMA table are not supported
--echo ########################################################################
# 3.2.1.3: Ensure that no user may execute an INSERT statement on any
# INFORMATION_SCHEMA table.
# 3.2.1.4: Ensure that no user may execute an UPDATE statement on any
# INFORMATION_SCHEMA table.
# 3.2.1.5: Ensure that no user may execute a DELETE statement on any
# INFORMATION_SCHEMA table.
# 3.2.1.8: Ensure that no user may create an index on an INFORMATION_SCHEMA table.
# 3.2.1.9: Ensure that no user may alter the definition of an
# INFORMATION_SCHEMA table.
# 3.2.1.10: Ensure that no user may drop an INFORMATION_SCHEMA table.
# 3.2.1.11: Ensure that no user may move an INFORMATION_SCHEMA table to any
# other database.
# 3.2.1.12: Ensure that no user may directly add to, alter, or delete any data
# in an INFORMATION_SCHEMA table.
#
--disable_warnings
DROP DATABASE IF EXISTS db_datadict;
--enable_warnings
CREATE DATABASE db_datadict;
--replace_result $engine_type <engine_type>
eval
CREATE TABLE db_datadict.t1 (f1 BIGINT, f2 BIGINT)
ENGINE = $engine_type;
--error 0,ER_CANNOT_USER
DROP USER 'testuser1'@'localhost';
CREATE USER 'testuser1'@'localhost';
GRANT SELECT ON db_datadict.* TO 'testuser1'@'localhost';
--error ER_DBACCESS_DENIED_ERROR
INSERT INTO information_schema.schema_privileges
SELECT * FROM information_schema.schema_privileges;
--error ER_DBACCESS_DENIED_ERROR
UPDATE information_schema.schema_privileges SET table_schema = 'test'
WHERE table_name = 't1';
--error ER_DBACCESS_DENIED_ERROR
DELETE FROM information_schema.schema_privileges
WHERE table_schema = 'db_datadict';
--error ER_DBACCESS_DENIED_ERROR
TRUNCATE information_schema.schema_privileges;
--error ER_DBACCESS_DENIED_ERROR
CREATE INDEX my_idx_on_tables
ON information_schema.schema_privileges(table_schema);
--error ER_DBACCESS_DENIED_ERROR
ALTER TABLE information_schema.schema_privileges ADD f1 INT;
--error ER_DBACCESS_DENIED_ERROR
DROP TABLE information_schema.schema_privileges;
--error ER_DBACCESS_DENIED_ERROR
ALTER TABLE information_schema.schema_privileges
RENAME db_datadict.schema_privileges;
--error ER_DBACCESS_DENIED_ERROR
ALTER TABLE information_schema.schema_privileges
RENAME information_schema.xschema_privileges;
# Cleanup
DROP DATABASE db_datadict;
DROP USER 'testuser1'@'localhost';
|
