privilege: add privilege check for show stats (#19702) #19759

Merged
merged 9 commits into from
Sep 17, 2020


ti-srebot
Contributor

cherry-pick #19702 to release-3.0


What problem does this PR solve?

Issue Number: close #17782

Problem Summary:
Commands like SHOW STATS_META and SHOW STATS_BUCKETS didn't check privileges before. This will lead to a table information leak; any user could see some table information by using SHOW STATS.

What is changed and how it works?

What's Changed:
Add privilege check for SHOW STATS related commands.

How it Works:
Only users with the SELECT privilege on the mysql database can execute SHOW STATS.

Related changes

  • Need to cherry-pick to the release branch

Check List

Tests

  • Unit test

Side effects

  • Breaking backward compatibility

Release note

  • Add privilege check for SHOW STATS_META, SHOW STATS_BUCKETS.

Signed-off-by: ti-srebot <ti-srebot@pingcap.com>
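
A regression check for the behaviour described above, as an added example that is not part of the pull request or of TiDB's own tests. The database, table and account names are constructed, and the denial is described only as "rejected" because the exact error text does not appear on this page.

```sql
-- Constructed names throughout: stats_priv_demo, t, stats_probe.

-- Session A (administrative account): create a table and collect statistics.
CREATE DATABASE IF NOT EXISTS stats_priv_demo;
CREATE TABLE stats_priv_demo.t (id INT PRIMARY KEY, v VARCHAR(16));
INSERT INTO stats_priv_demo.t VALUES (1, 'a'), (2, 'b'), (3, 'c');
ANALYZE TABLE stats_priv_demo.t;   -- so that SHOW STATS_* has rows to return

-- A fresh account with no grants on any schema.
CREATE USER 'stats_probe'@'%' IDENTIFIED BY 'replace-me';
SHOW GRANTS FOR 'stats_probe'@'%'; -- record the baseline

-- Session B (connected as stats_probe), step 1.
-- Without the privilege check these returned statistics rows for a table
-- the account cannot read. With the check, both should be rejected.
SHOW STATS_META    WHERE db_name = 'stats_priv_demo' AND table_name = 't';
SHOW STATS_BUCKETS WHERE db_name = 'stats_priv_demo' AND table_name = 't';

-- Session A: grant SELECT on the target table only.
GRANT SELECT ON stats_priv_demo.t TO 'stats_probe'@'%';

-- Session B, step 2.
-- The PR ties SHOW STATS to SELECT on the mysql database, so a grant on the
-- table itself should not be enough: expect the statement to be rejected.
SHOW STATS_META WHERE db_name = 'stats_priv_demo' AND table_name = 't';

-- Session A: grant the privilege the PR names.
GRANT SELECT ON mysql.* TO 'stats_probe'@'%';

-- Session B, step 3: both statements should now return rows.
SHOW STATS_META    WHERE db_name = 'stats_priv_demo' AND table_name = 't';
SHOW STATS_BUCKETS WHERE db_name = 'stats_priv_demo' AND table_name = 't';

-- Session A: clean up.
DROP USER 'stats_probe'@'%';
DROP DATABASE stats_priv_demo;
```

SELECT on mysql.* also covers the account and grant tables stored in that schema, so it suits DBA or monitoring accounts rather than application users.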
@ti-srebot
Contributor Author

/run-all-tests

@tiancaiamao
Contributor

Please address conflict @imtbkcat

Member

@zz-jason zz-jason left a comment

LGTM

@ti-srebot ti-srebot added the status/LGT1 Indicates that a PR has LGTM 1. label Sep 7, 2020
@zz-jason zz-jason added status/can-merge Indicates a PR has been approved by a committer. and removed status/require-change labels Sep 7, 2020
@ti-srebot
Contributor Author

Your auto merge job has been accepted, waiting for:

  • 19681

@ti-srebot
Contributor Author

/run-all-tests

@ti-srebot
Contributor Author

@ti-srebot merge failed.

@tiancaiamao
Contributor

LGTM

@ti-srebot ti-srebot added status/LGT2 Indicates that a PR has LGTM 2. and removed status/LGT1 Indicates that a PR has LGTM 1. labels Sep 7, 2020
@SunRunAway
Contributor

/merge

@SunRunAway SunRunAway removed their request for review September 8, 2020 11:55
@imtbkcat

imtbkcat commented Sep 9, 2020

/merge

@ti-srebot
Contributor Author

Sorry @imtbkcat, you don't have permission to trigger auto merge event on this branch.

@imtbkcat

imtbkcat commented Sep 9, 2020

/run-unit-test

@ti-srebot
Contributor Author

@ti-srebot, please update your pull request.

@wjhuang2016 wjhuang2016 added this to the 3.0.19 milestone Sep 17, 2020
@coocood
Member

coocood commented Sep 17, 2020

/merge

@ti-srebot
Contributor Author

/run-all-tests

@ti-srebot
Contributor Author

@ti-srebot merge failed.

@wjhuang2016
Member

/run-unit-test

@imtbkcat

/build

@imtbkcat

/run-all-tests

@bb7133 bb7133 merged commit 65f1801 into pingcap:release-3.0 Sep 17, 2020
Labels
component/privilege sig/execution SIG execution status/can-merge Indicates a PR has been approved by a committer. status/LGT2 Indicates that a PR has LGTM 2. type/bugfix This PR fixes a bug. type/3.0-cherry-pick
8 participants