The fix for #27218 was incomplete. It does not account for CURRENT_USER() + USING syntax. It's not commonly used, but we should fix it.
1. Minimal reproduce step (Required)
DROP USER IF EXISTS joe, engineering, notgranted, otherrole, delete_stuff_privilege;
CREATE USER joe;
CREATE ROLE engineering;
CREATE ROLE admins;
CREATE ROLE notgranted;
CREATE ROLE otherrole;
GRANT INSERT ON test.* TO engineering;
GRANT DELETE ON test.* TO admins;
GRANT SELECT on test.* to joe;
GRANT engineering TO joe;
GRANT admins TO joe;
SET DEFAULT ROLE admins TO joe;
GRANT otherrole TO joe;
GRANT UPDATE ON role.* TO otherrole;
GRANT SELECT ON mysql.user TO otherrole;
CREATE ROLE delete_stuff_privilege;
GRANT DELETE ON mysql.user TO delete_stuff_privilege;
GRANT delete_stuff_privilege TO otherrole;
Then run:
# mysql -ujoe
SHOW GRANTS FOR CURRENT_USER() USING notgranted; -- incorrect; should be an error
SHOW GRANTS FOR current_user() USING otherrole; -- incorrect (see below)
SHOW GRANTS FOR joe USING otherrole; -- correct
2. What did you expect to see? (Required)
mysql [localhost:8024] {joe} ((none)) > SHOW GRANTS FOR CURRENT_USER() USING notgranted; -- incorrect; should be an error
ERROR 3530 (HY000): `notgranted`@`%` is not granted to `joe`@`%`
mysql [localhost:8024] {joe} ((none)) > SHOW GRANTS FOR current_user() USING otherrole; -- incorrect (see below)
+-------------------------------------------------------------------+
| Grants for joe@%                                                  |
+-------------------------------------------------------------------+
| GRANT USAGE ON *.* TO `joe`@`%`                                   |
| GRANT UPDATE ON `role`.* TO `joe`@`%`                             |
| GRANT SELECT ON `test`.* TO `joe`@`%`                             |
| GRANT SELECT, DELETE ON `mysql`.`user` TO `joe`@`%`               |
| GRANT `admins`@`%`,`engineering`@`%`,`otherrole`@`%` TO `joe`@`%` |
+-------------------------------------------------------------------+
5 rows in set (0.00 sec)

mysql [localhost:8024] {joe} ((none)) > SHOW GRANTS FOR joe USING otherrole; -- correct
+-------------------------------------------------------------------+
| Grants for joe@%                                                  |
+-------------------------------------------------------------------+
| GRANT USAGE ON *.* TO `joe`@`%`                                   |
| GRANT UPDATE ON `role`.* TO `joe`@`%`                             |
| GRANT SELECT ON `test`.* TO `joe`@`%`                             |
| GRANT SELECT, DELETE ON `mysql`.`user` TO `joe`@`%`               |
| GRANT `admins`@`%`,`engineering`@`%`,`otherrole`@`%` TO `joe`@`%` |
+-------------------------------------------------------------------+
5 rows in set (0.00 sec)
3. What did you see instead (Required)
mysql> SHOW GRANTS FOR CURRENT_USER() USING notgranted; -- incorrect; should be an error
+---------------------------------------------------------------------+
| Grants for joe@127.0.0.1                                            |
+---------------------------------------------------------------------+
| GRANT USAGE ON *.* TO 'joe'@'%'                                     |
| GRANT SELECT,DELETE ON test.* TO 'joe'@'%'                          |
| GRANT 'admins'@'%', 'engineering'@'%', 'otherrole'@'%' TO 'joe'@'%' |
+---------------------------------------------------------------------+
3 rows in set (0.00 sec)

mysql> SHOW GRANTS FOR current_user() USING otherrole; -- incorrect (see below)
+---------------------------------------------------------------------+
| Grants for joe@127.0.0.1                                            |
+---------------------------------------------------------------------+
| GRANT USAGE ON *.* TO 'joe'@'%'                                     |
| GRANT SELECT,DELETE ON test.* TO 'joe'@'%'                          |
| GRANT 'admins'@'%', 'engineering'@'%', 'otherrole'@'%' TO 'joe'@'%' |
+---------------------------------------------------------------------+
3 rows in set (0.00 sec)

mysql> SHOW GRANTS FOR joe USING otherrole; -- correct
+---------------------------------------------------------------------+
| Grants for joe@%                                                    |
+---------------------------------------------------------------------+
| GRANT USAGE ON *.* TO 'joe'@'%'                                     |
| GRANT UPDATE ON role.* TO 'joe'@'%'                                 |
| GRANT SELECT ON test.* TO 'joe'@'%'                                 |
| GRANT DELETE ON mysql.user TO 'joe'@'%'                             |
| GRANT 'admins'@'%', 'engineering'@'%', 'otherrole'@'%' TO 'joe'@'%' |
+---------------------------------------------------------------------+
5 rows in set (0.01 sec)
4. What is your TiDB version? (Required)
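The behaviour this report expects from SHOW GRANTS ... USING, modelled in Go as an added example (not TiDB's code and not part of the original report): CURRENT_USER() is resolved to the session account before the role check, so it takes the same path as the named user, including the "not granted" error and the nested role. The function name `ShowGrants`, the map-based grant tables and the host-less account names are assumptions made for the illustration.

```go
package main

import (
	"fmt"
	"sort"
)

// Constructed model of the reproduce steps: role edges, then direct privileges.
var roleEdges = map[string]map[string]bool{
	"joe":       {"engineering": true, "admins": true, "otherrole": true},
	"otherrole": {"delete_stuff_privilege": true},
}
var direct = map[string][]string{
	"joe":                    {"SELECT ON test.*"},
	"engineering":            {"INSERT ON test.*"},
	"admins":                 {"DELETE ON test.*"},
	"otherrole":              {"UPDATE ON role.*", "SELECT ON mysql.user"},
	"delete_stuff_privilege": {"DELETE ON mysql.user"},
}

// ShowGrants models SHOW GRANTS FOR <forUser> USING <using>. An empty forUser
// stands for CURRENT_USER() and is resolved first, so both forms share one path.
func ShowGrants(sessionUser, forUser string, using []string) ([]string, error) {
	if forUser == "" {
		forUser = sessionUser
	}
	for _, r := range using { // every USING role must be granted to the account
		if !roleEdges[forUser][r] {
			return nil, fmt.Errorf("`%s`@`%%` is not granted to `%s`@`%%`", r, forUser)
		}
	}
	privs, seen := append([]string{}, direct[forUser]...), map[string]bool{}
	// Walk nested roles too (otherrole -> delete_stuff_privilege).
	for queue := append([]string{}, using...); len(queue) > 0; queue = queue[1:] {
		r := queue[0]
		if !seen[r] {
			seen[r] = true
			privs = append(privs, direct[r]...)
			for next := range roleEdges[r] {
				queue = append(queue, next)
			}
		}
	}
	sort.Strings(privs)
	return privs, nil
}

func main() {
	fmt.Println(ShowGrants("joe", "", []string{"otherrole"}))
}
```

Only the roles named in USING are expanded, which is why the default role's DELETE on test.* is absent from the result, as in the expected output above.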