File: grant.test

package info (click to toggle)
mariadb 1%3A11.8.3-1
  • links: PTS, VCS
  • area: main
  • in suites: sid
  • size: 772,520 kB
  • sloc: ansic: 2,414,714; cpp: 1,791,394; asm: 381,336; perl: 62,905; sh: 49,647; pascal: 40,897; java: 39,363; python: 20,791; yacc: 20,432; sql: 17,907; xml: 12,344; ruby: 8,544; cs: 6,542; makefile: 6,145; ada: 1,879; lex: 1,193; javascript: 996; objc: 80; tcl: 73; awk: 46; php: 22
file content (226 lines) | stat: -rw-r--r-- 6,114 bytes parent folder | download 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
 
#
# Test some grants with sequences
# Note that replication.test also does some grant testing
#

# Grant tests not performed with embedded server
-- source include/not_embedded.inc


SET @@SQL_MODE = REPLACE(@@SQL_MODE, 'NO_AUTO_CREATE_USER', '');
create database mysqltest_1;
use mysqltest_1;
grant all on mysqltest_1.* to 'normal'@'%';
grant select on mysqltest_1.* to 'read_only'@'%';
grant select,insert on mysqltest_1.* to 'read_write'@'%';
grant select,insert,alter on mysqltest_1.* to 'alter'@'%';
grant alter on mysqltest_1.* to only_alter@'%';

connect(normal,localhost,normal,,mysqltest_1);
connect(read_only,localhost,read_only,,mysqltest_1);
connect(read_write,localhost,read_write,,mysqltest_1);
connect(alter,localhost,alter,,mysqltest_1);
connect(only_alter, localhost, only_alter,,mysqltest_1);

--disable_ps2_protocol
connection normal;
create sequence s1;
select next value for s1;
alter sequence s1 restart= 11;
select * from s1;

connection read_only;
--error ER_TABLEACCESS_DENIED_ERROR
select next value for s1;
--error ER_TABLEACCESS_DENIED_ERROR
alter sequence s1 restart= 11;
select * from s1;

connection read_write;
select next value for s1;
--error ER_TABLEACCESS_DENIED_ERROR
alter sequence s1 restart= 11;
select * from s1;

connection alter;
select next value for s1;
alter sequence s1 restart= 11;
select * from s1;

connection only_alter;
--error ER_TABLEACCESS_DENIED_ERROR
select next value for s1;
alter sequence s1 restart= 11;
--error ER_TABLEACCESS_DENIED_ERROR
select * from s1;
--enable_ps2_protocol

#
# Cleanup
#

connection default;
drop user 'normal'@'%';
drop user 'read_only'@'%';
drop user 'read_write'@'%';
drop user 'alter'@'%';
drop user 'only_alter'@'%';
drop sequence s1;

--echo #
--echo # MDEV-36413  User without any privileges to a sequence can read from
--echo # it and modify it via column default
--echo #

create sequence s1;
create sequence s2;
select * from s2;
create table t2 (a int not null default(nextval(s1)));
insert into t2 values();

create user u;
grant create, insert, select, drop on mysqltest_1.t1 to u;
grant insert, select on mysqltest_1.s1 to u;
grant select on mysqltest_1.t2 to u;

--connect(con1,localhost,u,,mysqltest_1)
--error ER_TABLEACCESS_DENIED_ERROR
select nextval(s2);
--error ER_TABLEACCESS_DENIED_ERROR
show create sequence s2;

create table t1 (a int not null default(nextval(s1)));
drop table t1;
create table t1 (a int not null default(nextval(s1))) select a from t2;
insert into t1 values();
select * from t1;
drop table t1;
create table t1 (a int not null default(nextval(s1))) select a from (select t2.a from t2,t2 as t3 where t2.a=t3.a) as t4;
drop table t1;
--error ER_TABLEACCESS_DENIED_ERROR
create table t1 (a int not null default(nextval(s2)));
--error ER_TABLEACCESS_DENIED_ERROR
create table t1 (a int not null default(nextval(s1)),
                 b int not null default(nextval(s2)));
--disconnect con1
--connection default
drop user u;

# ALTER for table with DEFAULT NEXTVAL(seq) column needs INSERT/SELECT on seq
# just like CREATE does in the example above
create user u_alter;
create table t1 (id int);
grant alter on t1 to u_alter;
--connect(con_alter,localhost,u_alter,,mysqltest_1)
--error ER_TABLEACCESS_DENIED_ERROR
alter table t1 modify id int default nextval(s1);
--connection default
grant insert, select on s1 to u_alter;
--connection con_alter
alter table t1 modify id int default nextval(s1);
--disconnect con_alter
--connection default
drop user u_alter;
drop database mysqltest_1;

--echo #
--echo # MDEV-36870 Spurious unrelated permission error when selecting from table with default that uses nextval(sequence)
--echo #

# various tests for permission checking on sequences
create database db1;
use db1;
create sequence s1 cache 0;
create table t1 (id int unsigned default (10+nextval(s1)));
insert t1 values ();

create table t2 (id int unsigned default nextval(s1), b int default(default(id)));
insert t2 values ();

# INSERT affects prelocking, but is never actually executed
delimiter |;
create function f1(x int) returns int sql security invoker
begin
  select id+x into x from t1;
  return x;
  insert t1 values ();
end|
delimiter ;|

create user u1@localhost;
grant select on db1.* to u1@localhost;
grant execute on db1.* to u1@localhost;
grant all privileges on test.* to u1@localhost;

use test;
create table t3 (id int unsigned default (20+nextval(db1.s1)), b int);
insert t3 values ();

create sequence s2 cache 0;
create table t4 (id int unsigned default (10+nextval(s2)), b int);
insert t4 values ();

connect u1,localhost,u1,,db1;

# table already in the cache. must be re-fixed
# SELECT * - no error
select * from t1;

# not in cache
connection default;
flush tables;
connection u1;
# SELECT * - no error
select * from t1;

# SELECT DEFAULT() - error
--error ER_TABLEACCESS_DENIED_ERROR
select default(id) from t1;

# default(default(nextval))
select * from t2;

# SELECT but table has TL_WRITE because of prelocking
select f1(100);

# opening the table for I_S
select column_name, data_type, column_default from information_schema.columns where table_schema='db1' and table_name='t1';

use test;
# insert
--error ER_TABLEACCESS_DENIED_ERROR
insert t3 values ();
insert t4 values ();
#insert select
--error ER_TABLEACCESS_DENIED_ERROR
insert t3 (b) select 5;
insert t4 (b) select 5;
#update
--error ER_TABLEACCESS_DENIED_ERROR
update t3 set id=default;
update t4 set id=default;

# PS UPDATE with ? = DEFAULT
prepare stmt from "update t3 set id=?";
--error ER_TABLEACCESS_DENIED_ERROR
execute stmt using default;
prepare stmt from "update t4 set id=?";
execute stmt using default;
deallocate prepare stmt;

# SELECT * in a subquery, like INSERT t3 VALUES ((SELECT * FROM t1));
#   with sequences both on t3 and t1
insert t4 (b) values ((select * from db1.t1));
--error ER_TABLEACCESS_DENIED_ERROR
insert t4 (b) values ((select default(id) from db1.t1));

connection default;
disconnect u1;
--disable_ps2_protocol
select nextval(db1.s1) as 'must be 5';
--enable_ps2_protocol
drop user u1@localhost;
drop database db1;
drop table t3, t4, s2;

--echo # End of 10.6 tests