executor, privilege: require CONFIG privilege for is.cluster_config

executor/memtable_reader.go

@@ -30,6 +30,7 @@ import (
 	"github.com/pingcap/kvproto/pkg/diagnosticspb"
 	"github.com/pingcap/log"
 	"github.com/pingcap/parser/model"
+	"github.com/pingcap/parser/mysql"
 	"github.com/pingcap/parser/terror"
 	"github.com/pingcap/sysutil"
 	"github.com/pingcap/tidb/config"
@@ -158,6 +159,9 @@ func fetchClusterConfig(sctx sessionctx.Context, nodeTypes, nodeAddrs set.String
 		rows [][]types.Datum
 		err  error
 	}
+	if !hasPriv(sctx, mysql.ConfigPriv) {
+		return nil, plannercore.ErrSpecificAccessDenied.GenWithStackByArgs("CONFIG")
+	}
 	serversInfo, err := infoschema.GetClusterServerInfo(sctx)
 	failpoint.Inject("mockClusterConfigServerInfo", func(val failpoint.Value) {
 		if s := val.(string); len(s) > 0 {

privilege/privileges/privileges_test.go

@@ -1449,10 +1449,8 @@ func (s *testPrivilegeSuite) TestSecurityEnhancedModeInfoschema(c *C) {
 	tk.MustExec("GRANT SUPER ON *.* to uroot1 WITH GRANT OPTION") // super not process
 	tk.MustExec("GRANT SUPER, PROCESS, RESTRICTED_TABLES_ADMIN ON *.* to uroot2 WITH GRANT OPTION")
 	tk.Se.Auth(&auth.UserIdentity{
-		Username:     "uroot1",
-		Hostname:     "localhost",
-		AuthUsername: "uroot",
-		AuthHostname: "%",
+		Username: "uroot1",
+		Hostname: "localhost",
 	}, nil, nil)
 
 	sem.Enable()
@@ -1466,10 +1464,8 @@ func (s *testPrivilegeSuite) TestSecurityEnhancedModeInfoschema(c *C) {
 
 	// That is unless we have the RESTRICTED_TABLES_ADMIN privilege
 	tk.Se.Auth(&auth.UserIdentity{
-		Username:     "uroot2",
-		Hostname:     "localhost",
-		AuthUsername: "uroot",
-		AuthHostname: "%",
+		Username: "uroot2",
+		Hostname: "localhost",
 	}, nil, nil)
 
 	// flip from is NOT NULL etc
@@ -1478,6 +1474,28 @@ func (s *testPrivilegeSuite) TestSecurityEnhancedModeInfoschema(c *C) {
 	tk.MustQuery(`SELECT COUNT(*) FROM information_schema.CLUSTER_STATEMENTS_SUMMARY WHERE length(instance) = 36`).Check(testkit.Rows("0"))
 }
 
+func (s *testPrivilegeSuite) TestClusterConfigInfoschema(c *C) {
+	tk := testkit.NewTestKit(c, s.store)
+	tk.MustExec("CREATE USER ccnobody, ccconfig")
+	tk.MustExec("GRANT CONFIG ON *.* TO ccconfig")
+
+	// incorrect permissions
+	tk.Se.Auth(&auth.UserIdentity{
+		Username: "ccnobody",
+		Hostname: "localhost",
+	}, nil, nil)
+
+	err := tk.QueryToErr("SELECT * FROM information_schema.cluster_config")
+	c.Assert(err.Error(), Equals, "[planner:1227]Access denied; you need (at least one of) the CONFIG privilege(s) for this operation")
+
+	// With correct permissions
+	tk.Se.Auth(&auth.UserIdentity{
+		Username: "ccconfig",
+		Hostname: "localhost",
+	}, nil, nil)
+	tk.MustQuery("SELECT * FROM information_schema.cluster_config")
+}
+
 func (s *testPrivilegeSuite) TestSecurityEnhancedModeStatusVars(c *C) {
 	// Without TiKV the status var list does not include tidb_gc_leader_desc
 	// So we can only test that the dynamic privilege is grantable.
@@ -1487,10 +1505,8 @@ func (s *testPrivilegeSuite) TestSecurityEnhancedModeStatusVars(c *C) {
 	tk.MustExec("CREATE USER unostatus, ustatus")
 	tk.MustExec("GRANT RESTRICTED_STATUS_ADMIN ON *.* to ustatus")
 	tk.Se.Auth(&auth.UserIdentity{
-		Username:     "unostatus",
-		Hostname:     "localhost",
-		AuthUsername: "uroot",
-		AuthHostname: "%",
+		Username: "unostatus",
+		Hostname: "localhost",
 	}, nil, nil)
 
 }