1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
|
# suite/funcs_1/t/is_user_privileges.test
#
# Check the layout of information_schema.user_privileges, permissions and
# the impact of CREATE/ALTER/DROP SCHEMA on it.
#
# Note:
# This test is not intended
# - to show information about the all time existing tables
# within the databases information_schema and mysql
# - for checking storage engine properties
# Therefore please do not alter $engine_type and $other_engine_type.
#
# Author:
# 2008-01-23 mleich WL#4203 Reorganize and fix the data dictionary tests of
# testsuite funcs_1
# Create this script based on older scripts and new code.
#
# This test cannot be used for the embedded server because we check here
# privileges.
--source include/not_embedded.inc
let $engine_type = MEMORY;
let $other_engine_type = MyISAM;
let $is_table = USER_PRIVILEGES;
let $REGEX_VERSION_ID=/$mysql_get_server_version/VERSION_ID/;
let $REGEX_PASSWORD_LAST_CHANGED=/password_last_changed": [0-9]*/password_last_changed": #/;
let $REGEX_GLOBAL_PRIV=$REGEX_PASSWORD_LAST_CHANGED $REGEX_VERSION_ID;
# The table INFORMATION_SCHEMA.USER_PRIVILEGES must exist
eval SHOW TABLES FROM information_schema LIKE '$is_table';
--echo #######################################################################
--echo # Testcase 3.2.1.1: INFORMATION_SCHEMA tables can be queried via SELECT
--echo #######################################################################
# Ensure that every INFORMATION_SCHEMA table can be queried with a SELECT
# statement, just as if it were an ordinary user-defined table.
#
--source suite/funcs_1/datadict/is_table_query.inc
--echo #########################################################################
--echo # Testcase 3.2.16.1: INFORMATION_SCHEMA.USER_PRIVILEGES layout
--echo #########################################################################
# Ensure that the INFORMATION_SCHEMA.USER_PRIVILEGES table has the following columns,
# in the following order:
#
# GRANTEE (shows a user to whom a user privilege has been granted),
# TABLE_CATALOG (always shows NULL),
# PRIVILEGE_TYPE (shows the granted privilege),
# IS_GRANTABLE (shows whether the privilege was granted WITH GRANT OPTION).
#
--source suite/funcs_1/datadict/datadict_bug_12777.inc
eval DESCRIBE information_schema.$is_table;
--source suite/funcs_1/datadict/datadict_bug_12777.inc
eval SHOW CREATE TABLE information_schema.$is_table;
--source suite/funcs_1/datadict/datadict_bug_12777.inc
eval SHOW COLUMNS FROM information_schema.$is_table;
# Note: Retrieval of information within information_schema.columns about
# information_schema.user_privileges is in is_columns_is.test.
# Show that TABLE_CATALOG is always 'def'.
SELECT grantee, table_catalog, privilege_type
FROM information_schema.user_privileges
WHERE table_catalog IS NULL OR table_catalog <> 'def';
--echo ##########################################################################
--echo # Testcases 3.2.16.2+3.2.16.3+3.2.16.4: INFORMATION_SCHEMA.USER_PRIVILEGES
--echo # accessible information
--echo ##########################################################################
# 3.2.16.2: Ensure that the table shows the relevant information on every user
# privilege which has been granted to the current user or to PUBLIC,
# or has been granted by the current user.
# 3.2.16.3: Ensure that the table does not show any information on any user
# privileges which have been granted to users other than the current
# user or have been granted by any user other than the current user.
# 3.2.16.4: Ensure that the table does not show any information on any
# privileges that are not user privileges for the current user.
#
CREATE DATABASE db_datadict;
--error 0,ER_CANNOT_USER
DROP USER 'testuser1'@'localhost';
CREATE USER 'testuser1'@'localhost';
--error 0,ER_CANNOT_USER
DROP USER 'testuser2'@'localhost';
CREATE USER 'testuser2'@'localhost';
--error 0,ER_CANNOT_USER
DROP USER 'testuser3'@'localhost';
CREATE USER 'testuser3'@'localhost';
GRANT SELECT ON db_datadict.* TO 'testuser1'@'localhost';
GRANT SELECT ON mysql.global_priv TO 'testuser1'@'localhost';
GRANT INSERT ON *.* TO 'testuser2'@'localhost';
GRANT UPDATE ON *.* TO 'testuser2'@'localhost';
let $my_select1= SELECT * FROM information_schema.user_privileges
WHERE grantee LIKE '''testuser%'''
ORDER BY grantee, table_catalog, privilege_type;
let $my_select2= SELECT host,user,json_detailed(priv) FROM mysql.global_priv
WHERE user LIKE 'testuser%' ORDER BY host, user;
let $my_show= SHOW GRANTS;
--vertical_results
eval $my_select1;
--replace_regex $REGEX_GLOBAL_PRIV
eval $my_select2;
--horizontal_results
--echo #
--echo # Add GRANT OPTION db_datadict.* to testuser1;
GRANT UPDATE ON db_datadict.* TO 'testuser1'@'localhost' WITH GRANT OPTION;
--vertical_results
eval $my_select1;
--replace_regex $REGEX_GLOBAL_PRIV
eval $my_select2;
--horizontal_results
--replace_result $MASTER_MYPORT MYSQL_PORT $MASTER_MYSOCK MYSQL_SOCK
connect (testuser1, localhost, testuser1, , db_datadict);
--vertical_results
eval $my_select1;
--replace_regex $REGEX_GLOBAL_PRIV
eval $my_select2;
--horizontal_results
eval $my_show;
--echo
--echo # Now add SELECT on *.* to testuser1;
connection default;
GRANT SELECT ON *.* TO 'testuser1'@'localhost';
--echo #
--echo # Here <SELECT NO> is shown correctly for testuser1;
--vertical_results
eval $my_select1;
--replace_regex $REGEX_GLOBAL_PRIV
eval $my_select2;
--horizontal_results
GRANT SELECT ON *.* TO 'testuser1'@'localhost' WITH GRANT OPTION;
--echo #
--echo # Here <SELECT YES> is shown correctly for testuser1;
--vertical_results
eval $my_select1;
--replace_regex $REGEX_GLOBAL_PRIV
eval $my_select2;
--horizontal_results
# check that this appears
connection testuser1;
--vertical_results
eval $my_select1;
--replace_regex $REGEX_GLOBAL_PRIV
eval $my_select2;
--horizontal_results
eval $my_show;
--replace_result $MASTER_MYPORT MYSQL_PORT $MASTER_MYSOCK MYSQL_SOCK
connect (testuser2, localhost, testuser2, , db_datadict);
--vertical_results
eval $my_select1;
--error ER_TABLEACCESS_DENIED_ERROR
eval $my_select2;
--horizontal_results
eval $my_show;
--replace_result $MASTER_MYPORT MYSQL_PORT $MASTER_MYSOCK MYSQL_SOCK
connect (testuser3, localhost, testuser3, ,"*NO-ONE*");
--vertical_results
eval $my_select1;
--error ER_TABLEACCESS_DENIED_ERROR
eval $my_select2;
--horizontal_results
eval $my_show;
--echo
--echo # Revoke privileges from testuser1;
connection default;
REVOKE ALL PRIVILEGES, GRANT OPTION FROM 'testuser1'@'localhost';
--vertical_results
eval $my_select1;
--replace_regex $REGEX_GLOBAL_PRIV
eval $my_select2;
--horizontal_results
# check for changes
connection testuser1;
--vertical_results
eval $my_select1;
--error ER_TABLEACCESS_DENIED_ERROR
eval $my_select2;
--horizontal_results
eval $my_show;
# OK, testuser1 has no privs here
--error ER_TABLEACCESS_DENIED_ERROR
CREATE TABLE db_datadict.tb_55 ( c1 TEXT );
--vertical_results
eval $my_select1;
--error ER_TABLEACCESS_DENIED_ERROR
eval $my_select2;
--horizontal_results
eval $my_show;
# OK, testuser1 has no privs here
--error ER_TABLEACCESS_DENIED_ERROR
CREATE TABLE db_datadict.tb_66 ( c1 TEXT );
--echo
--echo # Add ALL on db_datadict.* (and select on mysql.global_priv) to testuser1;
connection default;
GRANT ALL ON db_datadict.* TO 'testuser1'@'localhost' WITH GRANT OPTION;
GRANT SELECT ON mysql.global_priv TO 'testuser1'@'localhost';
--vertical_results
eval $my_select1;
--replace_regex $REGEX_GLOBAL_PRIV
eval $my_select2;
--horizontal_results
connection testuser1;
--vertical_results
eval $my_select1;
--replace_regex $REGEX_GLOBAL_PRIV
eval $my_select2;
--horizontal_results
eval $my_show;
# OK, testuser1 has no privs here
--error ER_TABLEACCESS_DENIED_ERROR
CREATE TABLE db_datadict.tb_56 ( c1 TEXT );
# using 'USE' lets the server read the privileges new, so now the CREATE works
USE db_datadict;
--vertical_results
eval $my_select1;
--replace_regex $REGEX_GLOBAL_PRIV
eval $my_select2;
--horizontal_results
eval $my_show;
--replace_result $other_engine_type <other_engine_type>
eval
CREATE TABLE tb_57 ( c1 TEXT )
ENGINE = $other_engine_type;
--echo
--echo # Revoke privileges from testuser1;
connection default;
REVOKE ALL PRIVILEGES, GRANT OPTION FROM 'testuser1'@'localhost';
--vertical_results
eval $my_select1;
--replace_regex $REGEX_GLOBAL_PRIV
eval $my_select2;
--horizontal_results
# check for changes
connection testuser1;
--vertical_results
eval $my_select1;
--error ER_TABLEACCESS_DENIED_ERROR
eval $my_select2;
--horizontal_results
eval $my_show;
# WORKS, as the existing old privileges are used!
--replace_result $other_engine_type <other_engine_type>
eval
CREATE TABLE db_datadict.tb_58 ( c1 TEXT )
ENGINE = $other_engine_type;
# existing privileges are "read" new when USE is called, user has no privileges
--error ER_DBACCESS_DENIED_ERROR
USE db_datadict;
#FIXME 3.2.16: check that it is correct that this now 'works': --error ER_TABLEACCESS_DENIED_ERROR
--replace_result $other_engine_type <other_engine_type>
eval
CREATE TABLE db_datadict.tb_59 ( c1 TEXT )
ENGINE = $other_engine_type;
# Cleanup
connection default;
disconnect testuser1;
disconnect testuser2;
disconnect testuser3;
DROP USER 'testuser1'@'localhost';
DROP USER 'testuser2'@'localhost';
DROP USER 'testuser3'@'localhost';
DROP DATABASE IF EXISTS db_datadict;
--echo ########################################################################################
--echo # Testcases 3.2.1.13+3.2.1.14+3.2.1.15: INFORMATION_SCHEMA.USER_PRIVILEGES modifications
--echo ########################################################################################
# 3.2.1.13: Ensure that the creation of any new database object (e.g. table or
# column) automatically inserts all relevant information on that
# object into every appropriate INFORMATION_SCHEMA table.
# 3.2.1.14: Ensure that the alteration of any existing database object
# automatically updates all relevant information on that object in
# every appropriate INFORMATION_SCHEMA table.
# 3.2.1.15: Ensure that the dropping of any existing database object
# automatically deletes all relevant information on that object from
# every appropriate INFORMATION_SCHEMA table.
#
let $my_select = SELECT * FROM information_schema.user_privileges
WHERE grantee = '''testuser1''@''localhost''';
let $my_show = SHOW GRANTS FOR 'testuser1'@'localhost';
--vertical_results
eval $my_select;
--horizontal_results
--error ER_NONEXISTING_GRANT
eval $my_show;
--error 0,ER_CANNOT_USER
DROP USER 'testuser1'@'localhost';
CREATE USER 'testuser1'@'localhost';
--vertical_results
eval $my_select;
--horizontal_results
eval $my_show;
GRANT SELECT, FILE ON *.* TO 'testuser1'@'localhost';
--vertical_results
eval $my_select;
--horizontal_results
eval $my_show;
DROP USER 'testuser1'@'localhost';
--vertical_results
eval $my_select;
--horizontal_results
--error ER_NONEXISTING_GRANT
eval $my_show;
--echo ########################################################################
--echo # Testcases 3.2.1.3-3.2.1.5 + 3.2.1.8-3.2.1.12: INSERT/UPDATE/DELETE and
--echo # DDL on INFORMATION_SCHEMA tables are not supported
--echo ########################################################################
# 3.2.1.3: Ensure that no user may execute an INSERT statement on any
# INFORMATION_SCHEMA table.
# 3.2.1.4: Ensure that no user may execute an UPDATE statement on any
# INFORMATION_SCHEMA table.
# 3.2.1.5: Ensure that no user may execute a DELETE statement on any
# INFORMATION_SCHEMA table.
# 3.2.1.8: Ensure that no user may create an index on an
# INFORMATION_SCHEMA table.
# 3.2.1.9: Ensure that no user may alter the definition of an
# INFORMATION_SCHEMA table.
# 3.2.1.10: Ensure that no user may drop an INFORMATION_SCHEMA table.
# 3.2.1.11: Ensure that no user may move an INFORMATION_SCHEMA table to any
# other database.
# 3.2.1.12: Ensure that no user may directly add to, alter, or delete any data
# in an INFORMATION_SCHEMA table.
#
--error 0,ER_CANNOT_USER
DROP USER 'testuser1'@'localhost';
CREATE USER 'testuser1'@'localhost';
--error ER_DBACCESS_DENIED_ERROR
INSERT INTO information_schema.user_privileges
SELECT * FROM information_schema.user_privileges;
--error ER_DBACCESS_DENIED_ERROR
UPDATE information_schema.user_privileges
SET PRIVILEGE_TYPE = 'gaming';
--error ER_DBACCESS_DENIED_ERROR
DELETE FROM information_schema.user_privileges
WHERE grantee = '''testuser1''@''localhost''';
--error ER_DBACCESS_DENIED_ERROR
TRUNCATE information_schema.user_privileges;
--error ER_DBACCESS_DENIED_ERROR
CREATE INDEX i1 ON information_schema.user_privileges(grantee);
--error ER_DBACCESS_DENIED_ERROR
ALTER TABLE information_schema.user_privileges ADD f1 INT;
--error ER_DBACCESS_DENIED_ERROR
DROP TABLE information_schema.user_privileges;
--error ER_DBACCESS_DENIED_ERROR
ALTER TABLE information_schema.user_privileges
RENAME db_datadict.user_privileges;
--error ER_DBACCESS_DENIED_ERROR
ALTER TABLE information_schema.user_privileges
RENAME information_schema.xuser_privileges;
# Cleanup
DROP USER 'testuser1'@'localhost';
|
