File: roles-admin.result

package info (click to toggle)
mysql-8.0 8.0.43-3
  • links: PTS, VCS
  • area: main
  • in suites: sid
  • size: 1,273,924 kB
  • sloc: cpp: 4,684,605; ansic: 412,450; pascal: 108,398; java: 83,641; perl: 30,221; cs: 27,067; sql: 26,594; sh: 24,181; python: 21,816; yacc: 17,169; php: 11,522; xml: 7,388; javascript: 7,076; makefile: 2,194; lex: 1,075; awk: 670; asm: 520; objc: 183; ruby: 97; lisp: 86
file content (286 lines) | stat: -rw-r--r-- 12,041 bytes parent folder | download 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
 
CREATE ROLE r1;
CREATE ROLE `admin-db1`;
CREATE ROLE `admin-db2`;
CREATE ROLE `admin-db1t1`;
CREATE ROLE `admin-db2t1`;
CREATE ROLE `app-updater`;
CREATE USER `app-middleware-db1`@`localhost` IDENTIFIED BY 'foo';
CREATE USER `app-middleware-db2`@`localhost` IDENTIFIED BY 'foo';
CREATE USER `app`@`localhost` IDENTIFIED BY 'foo';
GRANT `admin-db1` TO `app-middleware-db1`@`localhost`;
GRANT `admin-db2` TO `app-middleware-db2`@`localhost`;
GRANT `app-updater` TO `app-middleware-db1`@`localhost`;
CREATE DATABASE db1;
CREATE DATABASE db2;
CREATE TABLE db1.t1 (c1 INT, c2 INT, c3 INT);
CREATE TABLE db1.t2 (c1 INT, c2 INT, c3 INT);
CREATE TABLE db2.t1 (c1 INT, c2 INT, c3 INT);
CREATE TABLE db2.t2 (c1 INT, c2 INT, c3 INT);
++ admin-db1 can manage db2.t1 and admin-db2 can manage db1.t1
GRANT `admin-db2t1` TO `admin-db1`;
GRANT `admin-db1t1` TO `admin-db2`;
++ admin-db1 can promote anyone with the admin-db1t1 rights.
GRANT `admin-db1t1` TO `admin-db1` WITH ADMIN OPTION;
GRANT SELECT, UPDATE, CREATE, DROP, INSERT, DELETE ON db1.* TO `admin-db1`;
GRANT SELECT, UPDATE, CREATE, DROP, INSERT, DELETE ON db2.* TO `admin-db2`;
GRANT SELECT, UPDATE, CREATE, DROP, INSERT, DELETE ON db1.t1 TO `admin-db1t1`;
GRANT SELECT, UPDATE, CREATE, DROP, INSERT, DELETE ON db2.t1 TO `admin-db2t1`;
SET ROLE `admin-db1`;
SHOW GRANTS;
Grants for app-middleware-db1@localhost
GRANT USAGE ON *.* TO `app-middleware-db1`@`localhost`
GRANT SELECT, INSERT, UPDATE, DELETE, CREATE, DROP ON `db1`.* TO `app-middleware-db1`@`localhost`
GRANT SELECT, INSERT, UPDATE, DELETE, CREATE, DROP ON `db1`.`t1` TO `app-middleware-db1`@`localhost`
GRANT SELECT, INSERT, UPDATE, DELETE, CREATE, DROP ON `db2`.`t1` TO `app-middleware-db1`@`localhost`
GRANT `admin-db1`@`%`,`app-updater`@`%` TO `app-middleware-db1`@`localhost`
GRANT `admin-db1t1`@`%` TO `app-middleware-db1`@`localhost` WITH ADMIN OPTION
++ Positive test
INSERT INTO db1.t1 VALUES (1,2,3);
INSERT INTO db1.t2 VALUES (1,2,3);
INSERT INTO db2.t1 VALUES (1,2,3);
SELECT * FROM db1.t1;
c1	c2	c3
1	2	3
SELECT * FROM db1.t2;
c1	c2	c3
1	2	3
SELECT * FROM db2.t1;
c1	c2	c3
1	2	3
GRANT `admin-db1t1` TO `app`@`localhost`;
GRANT r1 TO `app-middleware-db1`@`localhost` WITH ADMIN OPTION;
++ Connected as app-middleware-db1
SET ROLE `admin-db1`;
GRANT `admin-db1t1` TO `app`@`localhost`;
++ r1 and inherited role admin-db1t1 should be WITH ADMIN OPTION
SHOW GRANTS FOR CURRENT_USER() USING `admin-db1`;
Grants for app-middleware-db1@localhost
GRANT USAGE ON *.* TO `app-middleware-db1`@`localhost`
GRANT SELECT, INSERT, UPDATE, DELETE, CREATE, DROP ON `db1`.* TO `app-middleware-db1`@`localhost`
GRANT SELECT, INSERT, UPDATE, DELETE, CREATE, DROP ON `db1`.`t1` TO `app-middleware-db1`@`localhost`
GRANT SELECT, INSERT, UPDATE, DELETE, CREATE, DROP ON `db2`.`t1` TO `app-middleware-db1`@`localhost`
GRANT `admin-db1`@`%`,`app-updater`@`%` TO `app-middleware-db1`@`localhost`
GRANT `admin-db1t1`@`%`,`r1`@`%` TO `app-middleware-db1`@`localhost` WITH ADMIN OPTION
++ Negative test
INSERT INTO db2.t2 VALUES (1,2,3);
ERROR 42000: INSERT command denied to user 'app-middleware-db1'@'localhost' for table 't2'
SELECT * FROM db2.t2;
ERROR 42000: SELECT command denied to user 'app-middleware-db1'@'localhost' for table 't2'
GRANT `admin-db2t1` TO `app`@`localhost`;
ERROR 42000: Access denied; you need (at least one of) the WITH ADMIN, ROLE_ADMIN, SUPER privilege(s) for this operation
++ Connected as root
++ Granting WITH ADMIN OPTION role WITH ADMIN OPTION privileges
++ app@localhost has admin-db1t1 granted.
++ Connected as app@localhost
SHOW GRANTS FOR CURRENT_USER();
Grants for app@localhost
GRANT USAGE ON *.* TO `app`@`localhost`
GRANT `admin-db1t1`@`%` TO `app`@`localhost`
++ Positive test ; setting a granted role.
SET ROLE `admin-db1t1`;
SELECT CURRENT_USER(), CURRENT_ROLE();
CURRENT_USER()	CURRENT_ROLE()
app@localhost	`admin-db1t1`@`%`
++ Negative tests ; Attempt to grant the granted role to 3rd party
++ app@localhost did not inherit the ability to grant WITH ADMIN OPTION
GRANT `admin-db1t1` TO `app-middleware-db2`@`localhost`;
ERROR 42000: Access denied; you need (at least one of) the WITH ADMIN, ROLE_ADMIN, SUPER privilege(s) for this operation
# only count nodes and edges as the sorting order is depending on platform
SELECT ExtractValue(ROLES_GRAPHML(),'count(//node)') as num_nodes;
num_nodes
13
SELECT ExtractValue(ROLES_GRAPHML(),'count(//edge)') as num_edges;
num_edges
8
++ Now grant admin-db1t1 to app@localhost WITH ADMIN OPTION
++ Positive test
++ Connected as app-middleware-db1@localhost
GRANT `admin-db1t1` TO `app`@`localhost` WITH ADMIN OPTION;
++ Connected as app@localhost
++ app@localhost should now be able to grant admin-db1t1 to app-middleware
SET ROLE ALL;
SELECT CURRENT_USER(), CURRENT_ROLE();
CURRENT_USER()	CURRENT_ROLE()
app@localhost	`admin-db1t1`@`%`
GRANT `admin-db1t1` TO `app-middleware-db2`@`localhost`;
++ Revoking roles require WITH ADMIN too
++ Positive tests
REVOKE `admin-db1t1` FROM `app-middleware-db2`@`localhost`;
++ Restorning grant for negative test
GRANT `admin-db1t1` TO `app-middleware-db2`@`localhost`;
++ Connected as app-middleware-db1@localhost
++ Remove WITH ADMIN grants by removing and re-granting role
REVOKE `admin-db1t1` FROM `app`@`localhost`;
GRANT `admin-db1t1` TO `app`@`localhost`;
++ Connected as app@localhost
++ Negative tests
REVOKE `admin-db1t1` FROM `app-middleware-db2`@`localhost`;
ERROR 42000: Access denied; you need (at least one of) the WITH ADMIN, ROLE_ADMIN, SUPER privilege(s) for this operation
++ Connected as app-middleware-db1@localhost
++ Positive test
SELECT CURRENT_USER(), CURRENT_ROLE();
CURRENT_USER()	CURRENT_ROLE()
app-middleware-db1@localhost	`admin-db1`@`%`
SHOW GRANTS;
Grants for app-middleware-db1@localhost
GRANT USAGE ON *.* TO `app-middleware-db1`@`localhost`
GRANT SELECT, INSERT, UPDATE, DELETE, CREATE, DROP ON `db1`.* TO `app-middleware-db1`@`localhost`
GRANT SELECT, INSERT, UPDATE, DELETE, CREATE, DROP ON `db1`.`t1` TO `app-middleware-db1`@`localhost`
GRANT SELECT, INSERT, UPDATE, DELETE, CREATE, DROP ON `db2`.`t1` TO `app-middleware-db1`@`localhost`
GRANT `admin-db1`@`%`,`app-updater`@`%` TO `app-middleware-db1`@`localhost`
GRANT `admin-db1t1`@`%`,`r1`@`%` TO `app-middleware-db1`@`localhost` WITH ADMIN OPTION
++ User stil has WITH ADMIN and can revoke from `app-middleware-db2`@`localhost`
REVOKE `admin-db1t1` FROM `app-middleware-db2`@`localhost`;
DROP DATABASE db1;
DROP DATABASE db2;
DROP ROLE r1;
DROP ROLE `admin-db1`;
DROP ROLE `admin-db2`;
DROP ROLE `admin-db1t1`;
DROP ROLE `admin-db2t1`;
DROP ROLE `app-updater`;
DROP USER `app-middleware-db1`@`localhost`;
DROP USER `app-middleware-db2`@`localhost`;
DROP USER `app`@`localhost`;
+++++++++++++++++++++++++++++
++ WITH GRANT OPTION tests ++
+++++++++++++++++++++++++++++
CREATE USER u1@localhost IDENTIFIED BY 'foo';
CREATE USER u2@localhost IDENTIFIED BY 'foo';
CREATE ROLE r1;
CREATE DATABASE db1;
GRANT CREATE ON db1.* TO r1 WITH GRANT OPTION;
GRANT r1 TO u1@localhost;
++ Connected as u1@localhost
SET ROLE ALL;
GRANT CREATE ON db1.* TO u2@localhost;
SET ROLE NONE;
GRANT CREATE ON db1.* TO u2@localhost;
ERROR 42000: Access denied for user 'u1'@'localhost' to database 'db1'
++ Connected as root
DROP USER u1@localhost, u2@localhost;
DROP ROLE r1;
DROP DATABASE db1;
SELECT user,host FROM mysql.user;
user	host
mysql.infoschema	localhost
mysql.session	localhost
mysql.sys	localhost
root	localhost
#############################################
CREATE USER u1@localhost IDENTIFIED BY 'foo';
CREATE USER u2@localhost IDENTIFIED BY 'foo';
CREATE ROLE r1, r2;
use test;
GRANT CREATE ON test.* TO r1;
GRANT DROP ON test.* TO r2;
GRANT r1 TO u1@localhost WITH ADMIN OPTION;
GRANT r2 TO u1@localhost;
++ Connected as u1@localhost
SET ROLE ALL;
SHOW GRANTS;
Grants for u1@localhost
GRANT USAGE ON *.* TO `u1`@`localhost`
GRANT CREATE, DROP ON `test`.* TO `u1`@`localhost`
GRANT `r2`@`%` TO `u1`@`localhost`
GRANT `r1`@`%` TO `u1`@`localhost` WITH ADMIN OPTION
GRANT r1 TO u2@localhost WITH ADMIN OPTION;
GRANT r2 TO u2@localhost WITH ADMIN OPTION;
ERROR 42000: Access denied; you need (at least one of) the WITH ADMIN, ROLE_ADMIN, SUPER privilege(s) for this operation
++ Connected as root
#############################################################
++ Dynamic privilege ROLE_ADMIN grants the ability
++ to grant any role to anyone (but not grant any privileges)
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
CREATE USER u3@localhost IDENTIFIED BY 'foo';
CREATE ROLE role_admin, arbitrary_role;
GRANT ROLE_ADMIN ON *.* TO role_admin;
GRANT role_admin TO u3@localhost;
++ Connected as u3@localhost
SET ROLE role_admin;
GRANT arbitrary_role TO u1@localhost;
Granting a role not granted will also work.
GRANT r1 TO u1@localhost;
GRANT r1 TO u3@localhost;
But you can't grant any privileges
GRANT SELECT ON *.* TO r1;
ERROR 28000: Access denied for user 'u3'@'localhost' (using password: YES)
GRANT SELECT ON *.* TO u3@localhost;
ERROR 28000: Access denied for user 'u3'@'localhost' (using password: YES)
++ Connected as root
DROP USER u1@localhost, u2@localhost, u3@localhost;
DROP ROLE r1,r2,role_admin,arbitrary_role;
#############################################################
++ Check that WITH ADMIN properties are persistent
#############################################################
CREATE USER `u1`@`%` IDENTIFIED BY 'foo';
CREATE USER `u2`@`%` IDENTIFIED BY 'foo';
CREATE ROLE r1, r2, r3;
GRANT r2 TO r1;
GRANT r3 TO r2;
GRANT r2 TO u1;
GRANT r3 TO u2;
SET ROLE all;
GRANT r1 TO u2;
ERROR 42000: Access denied; you need (at least one of) the WITH ADMIN, ROLE_ADMIN, SUPER privilege(s) for this operation
GRANT r2 TO u2;
ERROR 42000: Access denied; you need (at least one of) the WITH ADMIN, ROLE_ADMIN, SUPER privilege(s) for this operation
GRANT r3 TO u2;
ERROR 42000: Access denied; you need (at least one of) the WITH ADMIN, ROLE_ADMIN, SUPER privilege(s) for this operation
GRANT r3 TO r2 WITH ADMIN OPTION;
SELECT * FROM mysql.role_edges;
FROM_HOST	FROM_USER	TO_HOST	TO_USER	WITH_ADMIN_OPTION
%	r2	%	r1	N
%	r2	%	u1	N
%	r3	%	r2	Y
%	r3	%	u2	N
SET ROLE all;
SHOW GRANTS;
Grants for u1@%
GRANT USAGE ON *.* TO `u1`@`%`
GRANT `r2`@`%` TO `u1`@`%`
GRANT `r3`@`%` TO `u1`@`%` WITH ADMIN OPTION
## We got WITH ADMIN on r3 through the stickiness of the edge property WITH ADMIN which arrived from r2->u1
GRANT r3 to u2;
## r1 is not granted to u2, and hence we cannot modify it, nor grant it to anyone else.
GRANT r1 TO u2;
ERROR 42000: Access denied; you need (at least one of) the WITH ADMIN, ROLE_ADMIN, SUPER privilege(s) for this operation
GRANT r1 TO u1;
ERROR 42000: Access denied; you need (at least one of) the WITH ADMIN, ROLE_ADMIN, SUPER privilege(s) for this operation
## r2 is indirectly granted to u2 but we don't have WITH ADMIN on this relation.
GRANT r2 TO u2;
ERROR 42000: Access denied; you need (at least one of) the WITH ADMIN, ROLE_ADMIN, SUPER privilege(s) for this operation
## (r3,u2) has been propagated as an effective WITH ADMIN privilege when r1 was activated.
GRANT r3 TO u2;
## Since we didn't grant the (r3,u2) relation to our current user we can't set it as active.
SET ROLE r3;
ERROR HY000: `r3`@`%` is not granted to `u1`@`%`
# but if we grant it explicitly to form the persistent relation(r3,u1) we can use it.
GRANT r3 TO u1 WITH ADMIN OPTION;
SET ROLE r3;
# Let's see if this stick after we flush the caches.
FLUSH PRIVILEGES;
SET ROLE r3;
GRANT r3 TO u2;
GRANT r3 TO u2 WITH ADMIN OPTION;
## The principle is that we don't remove privileges when we issue a GRANT - only elevate.
## As a result (r3,u2) should be WITH ADMIN
SELECT * FROM mysql.role_edges;
FROM_HOST	FROM_USER	TO_HOST	TO_USER	WITH_ADMIN_OPTION
%	r2	%	r1	N
%	r2	%	u1	N
%	r3	%	r2	Y
%	r3	%	u1	Y
%	r3	%	u2	Y
## But if we try to reverse this, then nothing should happen.
GRANT r3 TO u2;
## And (r3,u2) should still be WITH ADMIN.
SELECT * FROM mysql.role_edges;
FROM_HOST	FROM_USER	TO_HOST	TO_USER	WITH_ADMIN_OPTION
%	r2	%	r1	N
%	r2	%	u1	N
%	r3	%	r2	Y
%	r3	%	u1	Y
%	r3	%	u2	Y
DROP ROLE r1,r2,r3;
DROP USER u1,u2;