diff --git a/executor/memtable_reader.go b/executor/memtable_reader.go index 30b3f6b3460e1..4d338e0a6e325 100644 --- a/executor/memtable_reader.go +++ b/executor/memtable_reader.go @@ -30,6 +30,7 @@ import ( "github.com/pingcap/kvproto/pkg/diagnosticspb" "github.com/pingcap/log" "github.com/pingcap/parser/model" + "github.com/pingcap/parser/mysql" "github.com/pingcap/parser/terror" "github.com/pingcap/sysutil" "github.com/pingcap/tidb/config" @@ -158,6 +159,9 @@ func fetchClusterConfig(sctx sessionctx.Context, nodeTypes, nodeAddrs set.String rows [][]types.Datum err error } + if !hasPriv(sctx, mysql.ConfigPriv) { + return nil, plannercore.ErrSpecificAccessDenied.GenWithStackByArgs("CONFIG") + } serversInfo, err := infoschema.GetClusterServerInfo(sctx) failpoint.Inject("mockClusterConfigServerInfo", func(val failpoint.Value) { if s := val.(string); len(s) > 0 { diff --git a/privilege/privileges/privileges_test.go b/privilege/privileges/privileges_test.go index 96fe0a9c593fe..3cc81da2a4ab4 100644 --- a/privilege/privileges/privileges_test.go +++ b/privilege/privileges/privileges_test.go @@ -1449,10 +1449,8 @@ func (s *testPrivilegeSuite) TestSecurityEnhancedModeInfoschema(c *C) { tk.MustExec("GRANT SUPER ON *.* to uroot1 WITH GRANT OPTION") // super not process tk.MustExec("GRANT SUPER, PROCESS, RESTRICTED_TABLES_ADMIN ON *.* to uroot2 WITH GRANT OPTION") tk.Se.Auth(&auth.UserIdentity{ - Username: "uroot1", - Hostname: "localhost", - AuthUsername: "uroot", - AuthHostname: "%", + Username: "uroot1", + Hostname: "localhost", }, nil, nil) sem.Enable() @@ -1466,10 +1464,8 @@ func (s *testPrivilegeSuite) TestSecurityEnhancedModeInfoschema(c *C) { // That is unless we have the RESTRICTED_TABLES_ADMIN privilege tk.Se.Auth(&auth.UserIdentity{ - Username: "uroot2", - Hostname: "localhost", - AuthUsername: "uroot", - AuthHostname: "%", + Username: "uroot2", + Hostname: "localhost", }, nil, nil) // flip from is NOT NULL etc @@ -1478,6 +1474,28 @@ func (s *testPrivilegeSuite) TestSecurityEnhancedModeInfoschema(c *C) { tk.MustQuery(`SELECT COUNT(*) FROM information_schema.CLUSTER_STATEMENTS_SUMMARY WHERE length(instance) = 36`).Check(testkit.Rows("0")) } +func (s *testPrivilegeSuite) TestClusterConfigInfoschema(c *C) { + tk := testkit.NewTestKit(c, s.store) + tk.MustExec("CREATE USER ccnobody, ccconfig") + tk.MustExec("GRANT CONFIG ON *.* TO ccconfig") + + // incorrect permissions + tk.Se.Auth(&auth.UserIdentity{ + Username: "ccnobody", + Hostname: "localhost", + }, nil, nil) + + err := tk.QueryToErr("SELECT * FROM information_schema.cluster_config") + c.Assert(err.Error(), Equals, "[planner:1227]Access denied; you need (at least one of) the CONFIG privilege(s) for this operation") + + // With correct permissions + tk.Se.Auth(&auth.UserIdentity{ + Username: "ccconfig", + Hostname: "localhost", + }, nil, nil) + tk.MustQuery("SELECT * FROM information_schema.cluster_config") +} + func (s *testPrivilegeSuite) TestSecurityEnhancedModeStatusVars(c *C) { // Without TiKV the status var list does not include tidb_gc_leader_desc // So we can only test that the dynamic privilege is grantable. @@ -1487,10 +1505,8 @@ func (s *testPrivilegeSuite) TestSecurityEnhancedModeStatusVars(c *C) { tk.MustExec("CREATE USER unostatus, ustatus") tk.MustExec("GRANT RESTRICTED_STATUS_ADMIN ON *.* to ustatus") tk.Se.Auth(&auth.UserIdentity{ - Username: "unostatus", - Hostname: "localhost", - AuthUsername: "uroot", - AuthHostname: "%", + Username: "unostatus", + Hostname: "localhost", }, nil, nil) }