Hi Vicentiu, I have now run the test with the embedded MySQL server and it passes. Maybe the embedded server does not support advanced grant features such as roles; I don't know.
Thanks sachin On Thu, Apr 26, 2018 at 5:39 PM, Vicențiu Ciorbaru <cvicen...@gmail.com> wrote: > Hi Sachin! > > Did you run this test on embedded server? Usually grant related tests > require some form of not_embedded.inc include. (check roles suite for > examples) > > Vicentiu > > On Thu, 26 Apr 2018 at 00:20 sachin <sachin.set...@mariadb.com> wrote: > >> revision-id: 326db1a2aaa9b275a1a21a863e8cd2d9fa1b1d5f >> (mariadb-10.3.6-46-g326db1a) >> parent(s): 9477a2a9ba17c0db362e2bb39d5048e369096f39 >> author: Sachin Setiya >> committer: Sachin Setiya >> timestamp: 2018-04-26 12:47:25 +0530 >> message: >> >> Mdev-14853 Grant does not work correctly when table contains... >> SYSTEM_INVISIBLE or COMPLETELY_INVISIBLE >> >> This commit does multiple things to solve this mdev >> 1st add field into the parameter of check_column_grant_in_table_ref, so >> that >> we can find out field invisibility. >> 2nd If field->invisible >= INVISIBLE_SYSTEM skip access check and simple >> grant access. >> >> --- >> mysql-test/main/invisible_field_grant.result | 111 >> +++++++++++++++++++++++++++ >> mysql-test/main/invisible_field_grant.test | 77 +++++++++++++++++++ >> sql/sp_rcontext.cc | 9 ++- >> sql/sql_acl.cc | 11 ++- >> sql/sql_acl.h | 2 +- >> sql/sql_base.cc | 4 +- >> 6 files changed, 206 insertions(+), 8 deletions(-) >> >> diff --git a/mysql-test/main/invisible_field_grant.result >> b/mysql-test/main/invisible_field_grant.result >> new file mode 100644 >> index 0000000..c3ccbb1 >> --- /dev/null >> +++ b/mysql-test/main/invisible_field_grant.result 
>> @@ -0,0 +1,111 @@ >> +set @old_debug= @@debug_dbug; >> +create user user_1; >> +show grants for user_1; >> +Grants for user_1@% >> +GRANT USAGE ON *.* TO 'user_1'@'%' >> +# create user >> +create database d; >> +use d; >> + >> +#System_Invisible >> +set debug_dbug= "+d,test_pseudo_invisible"; >> +create table t1(a int); >> +set debug_dbug=@old_debug; >> +insert into t1 values(1); >> +select a,invisible from t1; >> +a invisible >> +1 9 >> +grant insert(a) on t1 to user_1; >> +grant update(a) on t1 to user_1; >> +grant select(a) on t1 to user_1; >> +grant delete on t1 to user_1; >> +connect con1, localhost, user_1,,test; >> +connection con1; >> +select user(); >> +user() >> +user_1@localhost >> +use d; >> +select * from t1; >> +a >> +1 >> +insert into t1 values(2); >> +select * from t1; >> +a >> +1 >> +2 >> +insert into t1(a) values(3); >> +select * from t1; >> +a >> +1 >> +2 >> +3 >> +select invisible,a from t1; >> +invisible a >> +9 1 >> +9 2 >> +9 3 >> +delete from t1 where a =1; >> +update t1 set a=1 where a=3; >> +select * from t1; >> +a >> +2 >> +1 >> +disconnect con1; >> + >> +#Cleanup >> +connection default; >> +drop table t1; >> +REVOKE ALL PRIVILEGES, GRANT OPTION FROM user_1; >> + >> +#Completely Invisible >> +set debug_dbug= "+d,test_completely_invisible"; >> +create table t1(a int); >> +insert into t1 values(1); >> +select a,invisible from t1; >> +a invisible >> +1 9 >> +set debug_dbug=@old_debug; >> +grant insert(a) on t1 to user_1; >> +grant update(a) on t1 to user_1; >> +grant select(a) on t1 to user_1; >> +grant delete on t1 to user_1; >> +connect con1, localhost, user_1,,test; >> +connection con1; >> +select user(); >> +user() >> +user_1@localhost >> +use d; >> +select * from t1; >> +a >> +1 >> +insert into t1 values(2); >> +select * from t1; >> +a >> +1 >> +2 >> +insert into t1(a) values(3); >> +select * from t1; >> +a >> +1 >> +2 >> +3 >> +select invisible,a from t1; >> +ERROR 42S22: Unknown column 'invisible' in 'field list' >> +delete from t1 
where a =1; >> +update t1 set a=1 where a=3; >> +select * from t1; >> +a >> +2 >> +1 >> +disconnect con1; >> + >> +#Final Cleanup >> +connection default; >> +set debug_dbug= "+d,test_completely_invisible"; >> +select a,invisible from t1; >> +a invisible >> +2 9 >> +1 9 >> +drop user user_1; >> +drop database d; >> +set @old_debug= @@debug_dbug; >> diff --git a/mysql-test/main/invisible_field_grant.test >> b/mysql-test/main/invisible_field_grant.test >> new file mode 100644 >> index 0000000..0d627e5 >> --- /dev/null >> +++ b/mysql-test/main/invisible_field_grant.test 
>> @@ -0,0 +1,77 @@ >> +--source include/have_debug.inc >> +##TEST for invisible coloumn level 2 >> +set @old_debug= @@debug_dbug; >> +create user user_1; >> +show grants for user_1; >> +--echo # create user >> +create database d; >> +use d; >> + >> +--echo >> +--echo #System_Invisible >> +set debug_dbug= "+d,test_pseudo_invisible"; >> +create table t1(a int); >> +set debug_dbug=@old_debug; >> +insert into t1 values(1); >> +select a,invisible from t1; >> +grant insert(a) on t1 to user_1; >> +grant update(a) on t1 to user_1; >> +grant select(a) on t1 to user_1; >> +grant delete on t1 to user_1; >> +connect (con1, localhost, user_1,,test); >> +connection con1; >> +select user(); >> +use d; >> +select * from t1; >> +insert into t1 values(2); >> +select * from t1; >> +insert into t1(a) values(3); >> +select * from t1; >> +select invisible,a from t1; >> +delete from t1 where a =1; >> +update t1 set a=1 where a=3; >> +select * from t1; >> +disconnect con1; >> +--source include/wait_until_disconnected.inc >> + >> +--echo >> +--echo #Cleanup >> +--connection default >> +drop table t1; >> +REVOKE ALL PRIVILEGES, GRANT OPTION FROM user_1; >> + >> +--echo >> +--echo #Completely Invisible >> +set debug_dbug= "+d,test_completely_invisible"; >> +create table t1(a int); >> +insert into t1 values(1); >> +select a,invisible from t1; >> +set debug_dbug=@old_debug; >> +grant insert(a) on t1 to user_1; >> +grant update(a) on t1 to user_1; >> +grant select(a) on t1 to user_1; >> +grant delete on t1 to user_1; >> +connect (con1, localhost, user_1,,test); >> +connection con1; >> +select user(); >> +use d; >> +select * from t1; >> +insert into t1 values(2); >> +select * from t1; >> +insert into t1(a) values(3); >> +select * from t1; >> +--error ER_BAD_FIELD_ERROR >> +select invisible,a from t1; >> +delete from t1 where a =1; >> +update t1 set a=1 where a=3; >> +select * from t1; >> +disconnect con1; >> +--source include/wait_until_disconnected.inc >> +--echo >> +--echo #Final Cleanup >> 
+connection default; >> +set debug_dbug= "+d,test_completely_invisible"; >> +select a,invisible from t1; >> +drop user user_1; >> +drop database d; >> +set @old_debug= @@debug_dbug; >> diff --git a/sql/sp_rcontext.cc b/sql/sp_rcontext.cc >> index 2e9ae23..dc103fa 100644 >> --- a/sql/sp_rcontext.cc >> +++ b/sql/sp_rcontext.cc >> @@ -196,11 +196,12 @@ bool sp_rcontext::init_var_table(THD *thd, >> */ >> static inline bool >> check_column_grant_for_type_ref(THD *thd, TABLE_LIST *table_list, >> - const char *str, size_t length) >> + const char *str, size_t length, >> + Field *fld) >> { >> #ifndef NO_EMBEDDED_ACCESS_CHECKS >> table_list->table->grant.want_privilege= SELECT_ACL; >> - return check_column_grant_in_table_ref(thd, table_list, str, length); >> + return check_column_grant_in_table_ref(thd, table_list, str, length, >> fld); >> #else >> return false; >> #endif >> @@ -238,7 +239,7 @@ bool Qualified_column_ident::resolve_type_ref(THD >> *thd, Column_definition *def) >> { >> if (!(rc= check_column_grant_for_type_ref(thd, table_list, >> m_column.str, >> - m_column.length))) >> + m_column.length, src))) >> { >> *def= Column_definition(thd, src, NULL/*No defaults,no >> constraints*/); >> def->flags&= (uint) ~NOT_NULL_FLAG; >> @@ -302,7 +303,7 @@ bool Table_ident::resolve_table_rowtype_ref(THD *thd, >> LEX_CSTRING tmp= src[0]->field_name; >> Spvar_definition *def; >> if ((rc= check_column_grant_for_type_ref(thd, table_list, >> - tmp.str, tmp.length)) || >> + tmp.str, >> tmp.length,src[0])) || >> (rc= !(src[0]->field_name.str= thd->strmake(tmp.str, >> tmp.length))) || >> (rc= !(def= new (thd->mem_root) Spvar_definition(thd, *src)))) >> break; >> diff --git a/sql/sql_acl.cc b/sql/sql_acl.cc >> index de4e201..1c154a1 100644 >> --- a/sql/sql_acl.cc >> +++ b/sql/sql_acl.cc 
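Review bot: The last statement of invisible_field_grant.test, `set @old_debug= @@debug_dbug;`, saves the current value a second time instead of restoring it, so the `+d,test_completely_invisible` keyword set in the Final Cleanup step is never cleared; it should read `set debug_dbug= @old_debug;`. The test also contains only statements that are expected to succeed for user_1, apart from the `ER_BAD_FIELD_ERROR` lookup. A case where user_1 is denied, for example a second visible column with no grant, would show that skipping the check for invisible columns leaves the checks on ordinary columns intact. The header comment `##TEST for invisible coloumn level 2` misspells `column`.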
>> @@ -7775,6 +7775,8 @@ bool check_grant_column(THD *thd, GRANT_INFO *grant, >> table_ref table reference where to check the field >> name name of field to check >> length length of name >> + fld use fld object to check invisibility when it is >> + not 0, not_found_field, view_ref_found >> >> DESCRIPTION >> Check the access rights to a column depending on the type of table >> @@ -7789,13 +7791,17 @@ bool check_grant_column(THD *thd, GRANT_INFO >> *grant, >> */ >> >> bool check_column_grant_in_table_ref(THD *thd, TABLE_LIST * table_ref, >> - const char *name, size_t length) >> + const char *name, size_t length, >> + Field *fld) >> { >> GRANT_INFO *grant; >> const char *db_name; >> const char *table_name; >> Security_context *sctx= table_ref->security_ctx ? >> table_ref->security_ctx : thd->security_ctx; >> + if (fld && fld != not_found_field && fld != view_ref_found >> + && fld->invisible >= INVISIBLE_SYSTEM) >> + return false; >> >> if (table_ref->view || table_ref->field_translation) >> { >> @@ -7871,6 +7877,9 @@ bool check_grant_all_columns(THD *thd, ulong >> want_access_arg, >> >> for (; !fields->end_of_fields(); fields->next()) >> { >> + if (fields->field() && >> + fields->field()->invisible >= INVISIBLE_SYSTEM) >> + continue; >> LEX_CSTRING *field_name= fields->name(); >> >> if (table_name != fields->get_table_name()) >> diff --git a/sql/sql_acl.h b/sql/sql_acl.h >> index a608ef0..6da7d4d 100644 >> --- a/sql/sql_acl.h >> +++ b/sql/sql_acl.h >> @@ -239,7 +239,7 @@ bool check_grant_column (THD *thd, GRANT_INFO *grant, >> const char *db_name, const char *table_name, >> const char *name, size_t length, >> Security_context *sctx); >> bool check_column_grant_in_table_ref(THD *thd, TABLE_LIST * table_ref, >> - const char *name, size_t length); >> + const char *name, size_t length, >> Field *fld); >> bool check_grant_all_columns(THD *thd, ulong want_access, >> Field_iterator_table_ref *fields); >> bool check_grant_routine(THD *thd, ulong want_access, 
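Review bot: The early return added to check_column_grant_in_table_ref is unconditional for any field with `invisible >= INVISIBLE_SYSTEM` and sits ahead of the `if (table_ref->view || table_ref->field_translation)` branch, so no grant lookup of any kind runs for such a field, whatever privilege the caller requested. The recorded test shows the consequence: user_1, granted only column privileges on `a` plus table-level delete, runs `select invisible,a from t1` and reads the system-invisible column. If that is the intended policy, the header comment should state it rather than only "use fld object to check invisibility", for example `fld  field being checked; fields with invisible >= INVISIBLE_SYSTEM are exempt from column grants and always pass`, with the reason given beside the check. The guard excludes `not_found_field` and `view_ref_found` but not `WRONG_GRANT`, which the sql_base.cc call sites assign to the same pointer variables, so it is worth confirming that sentinel can never reach `fld->invisible`. The same skip is added to the loop in check_grant_all_columns; both function bodies continue outside their hunks.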
>> diff --git a/sql/sql_base.cc b/sql/sql_base.cc >> index 0081365..383341c 100644 >> --- a/sql/sql_base.cc >> +++ b/sql/sql_base.cc >> @@ -5880,7 +5880,7 @@ find_field_in_table_ref(THD *thd, TABLE_LIST >> *table_list, >> #ifndef NO_EMBEDDED_ACCESS_CHECKS >> /* Check if there are sufficient access rights to the found field. */ >> if (check_privileges && >> - check_column_grant_in_table_ref(thd, *actual_table, name, >> length)) >> + check_column_grant_in_table_ref(thd, *actual_table, name, >> length, fld)) >> fld= WRONG_GRANT; >> else >> #endif >> @@ -6057,7 +6057,7 @@ find_field_in_tables(THD *thd, Item_ident *item, >> #ifndef NO_EMBEDDED_ACCESS_CHECKS >> /* Check if there are sufficient access rights to the found field. >> */ >> if (found && check_privileges && >> - check_column_grant_in_table_ref(thd, table_ref, name, length)) >> + check_column_grant_in_table_ref(thd, table_ref, name, length, >> found)) >> found= WRONG_GRANT; >> #endif >> } >> _______________________________________________ >> commits mailing list >> comm...@mariadb.org >> https://lists.askmonty.org/cgi-bin/mailman/listinfo/commits > > -- Regards Sachin Setiya Software Engineer at MariaDB