From 45db3c199ca1e70fc4f52467e25a7662c9da1b86 Mon Sep 17 00:00:00 2001
From: Mattias Jonsson
Date: Tue, 13 Jul 2021 16:14:48 +0200
Subject: [PATCH 1/4] executor, privilege: require CONFIG or Process privilege for is.cluster_*
---
 executor/infoschema_reader.go | 6 ++
 executor/memtable_reader.go | 13 ++++
 privilege/privileges/privileges_test.go | 81 ++++++++++++++++++++++++-
 3 files changed, 97 insertions(+), 3 deletions(-)
diff --git a/executor/infoschema_reader.go b/executor/infoschema_reader.go
index e087ccc757ad0..305207b1791a5 100644
--- a/executor/infoschema_reader.go
+++ b/executor/infoschema_reader.go
@@ -78,6 +78,12 @@ type memtableRetriever struct {
 // retrieve implements the infoschemaRetriever interface
 func (e *memtableRetriever) retrieve(ctx context.Context, sctx sessionctx.Context) ([][]types.Datum, error) {
+ switch e.table.Name.O {
+ case infoschema.TableClusterInfo:
+ if !hasPriv(sctx, mysql.ProcessPriv) {
+ return nil, plannercore.ErrSpecificAccessDenied.GenWithStackByArgs("Process")
+ }
+ }
 if e.retrieved {
 return nil, nil
 }
diff --git a/executor/memtable_reader.go b/executor/memtable_reader.go
index 4d338e0a6e325..0a5c6531182b6 100644
--- a/executor/memtable_reader.go
+++ b/executor/memtable_reader.go
@@ -293,6 +293,16 @@ type clusterServerInfoRetriever struct {
 // retrieve implements the memTableRetriever interface
 func (e *clusterServerInfoRetriever) retrieve(ctx context.Context, sctx sessionctx.Context) ([][]types.Datum, error) {
+ switch e.serverInfoType {
+ case diagnosticspb.ServerInfoType_LoadInfo, diagnosticspb.ServerInfoType_SystemInfo:
+ if !hasPriv(sctx, mysql.ProcessPriv) {
+ return nil, plannercore.ErrSpecificAccessDenied.GenWithStackByArgs("Process")
+ }
+ case diagnosticspb.ServerInfoType_HardwareInfo:
+ if !hasPriv(sctx, mysql.ConfigPriv) {
+ return nil, plannercore.ErrSpecificAccessDenied.GenWithStackByArgs("CONFIG")
+ }
+ }
 if e.extractor.SkipRequest || e.retrieved {
 return nil, nil
 }
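Review bot: The new check in `memtableRetriever.retrieve` (executor/infoschema_reader.go, first hunk) gates only `infoschema.TableClusterInfo`, while the commit subject speaks of is.cluster_* as a whole; if this retriever also serves other cluster tables, which the hunk does not show, they stay readable without the Process privilege. A short comment above the switch would make the intended scope reviewable, for example `// Only CLUSTER_INFO is gated here; other cluster tables are checked in <location to fill in>`. The check also sits ahead of the `e.retrieved` early return, so it is evaluated again on every call, which is harmless but worth a word in the same comment. The function body continues outside the hunk.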
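Review bot: The `switch e.serverInfoType` added to `clusterServerInfoRetriever.retrieve` (executor/memtable_reader.go, hunk at -293) has no `default` branch, so any server-info type other than the three listed falls through to the data path with no privilege check at all. An authorization gate should fail closed on the unknown case, e.g. `default: return nil, plannercore.ErrSpecificAccessDenied.GenWithStackByArgs("Process")`, so that a type added later is denied until someone decides which privilege it needs. The same deny block is written by hand here, in `memtableRetriever.retrieve` and in `clusterLogRetriever.initialize`, each time with the privilege name typed as a string next to the `mysql.*Priv` constant; one small helper that takes both would keep the two together. The function body continues outside the hunk.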
@@ -485,6 +495,9 @@ func (h *logResponseHeap) Pop() interface{} {
 }
 func (e *clusterLogRetriever) initialize(ctx context.Context, sctx sessionctx.Context) ([]chan logStreamResult, error) {
+ if !hasPriv(sctx, mysql.ProcessPriv) {
+ return nil, plannercore.ErrSpecificAccessDenied.GenWithStackByArgs("Process")
+ }
 serversInfo, err := infoschema.GetClusterServerInfo(sctx)
 failpoint.Inject("mockClusterLogServerInfo", func(val failpoint.Value) {
 // erase the error
diff --git a/privilege/privileges/privileges_test.go b/privilege/privileges/privileges_test.go
index 3cc81da2a4ab4..c44e6aef4e765 100644
--- a/privilege/privileges/privileges_test.go
+++ b/privilege/privileges/privileges_test.go
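Review bot: The Process check for cluster_log is placed in `initialize`, not at the top of the retriever's `retrieve` as it is in `clusterServerInfoRetriever`. The caller is outside this hunk, but if it returns early (for example on a skipped request) before calling `initialize`, a user without the privilege gets an empty result instead of error 1227, so the outcome would depend on the query's predicates. The tests in this series only query cluster_log with a time range and a message filter, so that path is not covered. Consider moving the `if !hasPriv(sctx, mysql.ProcessPriv) { … }` block to the first lines of `clusterLogRetriever.retrieve`, or add a comment here stating why `initialize` is always reached. The body of `initialize` continues past the hunk.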
@@ -1476,24 +1476,99 @@ func (s *testPrivilegeSuite) TestSecurityEnhancedModeInfoschema(c *C) {
 func (s *testPrivilegeSuite) TestClusterConfigInfoschema(c *C) {
 tk := testkit.NewTestKit(c, s.store)
- tk.MustExec("CREATE USER ccnobody, ccconfig")
+ tk.MustExec("CREATE USER ccnobody, ccconfig, ccprocess")
 tk.MustExec("GRANT CONFIG ON *.* TO ccconfig")
+ tk.MustExec("GRANT Process ON *.* TO ccprocess")
- // incorrect permissions
+ // Try to read all I_S.CLUSTER_* schemas so they might be cached
+ tk.MustQuery("SELECT * FROM information_schema.cluster_config")
+ tk.MustQuery("SELECT * FROM information_schema.cluster_hardware")
+ tk.MustQuery("SELECT * FROM information_schema.cluster_info")
+ tk.MustQuery("SELECT * FROM information_schema.cluster_load")
+ tk.MustQuery("SELECT * FROM information_schema.cluster_systeminfo")
+ /* Seems to make the test instable :(
+ tk.MustQuery("SELECT * FROM information_schema.cluster_log")
+ tk.MustQuery("SELECT * FROM information_schema.cluster_statements_summary_evicted")
+ tk.MustQuery("SELECT * FROM information_schema.cluster_statements_summary_history")
+ tk.MustQuery("SELECT * FROM information_schema.cluster_statements_summary")
+ tk.MustQuery("SELECT * FROM information_schema.cluster_tidb_trx")
+ tk.MustQuery("SELECT * FROM information_schema.cluster_slow_query")
+ tk.MustQuery("SELECT * FROM information_schema.cluster_deadlocks")
+ tk.MustQuery("SELECT * FROM information_schema.cluster_processlist")
+ */
+
+ // incorrect/no permissions
 tk.Se.Auth(&auth.UserIdentity{
 Username: "ccnobody",
 Hostname: "localhost",
 }, nil, nil)
+ tk.MustQuery("SHOW GRANTS").Check(testkit.Rows("GRANT USAGE ON *.* TO 'ccnobody'@'%'"))
 err := tk.QueryToErr("SELECT * FROM information_schema.cluster_config")
+ c.Assert(err, NotNil)
 c.Assert(err.Error(), Equals, "[planner:1227]Access denied; you need (at least one of) the CONFIG privilege(s) for this operation")
- // With correct permissions
+ err = tk.QueryToErr("SELECT * FROM information_schema.cluster_hardware")
+ c.Assert(err, NotNil)
+ c.Assert(err.Error(), Equals, "[planner:1227]Access denied; you need (at least one of) the CONFIG privilege(s) for this operation")
+
+ err = tk.QueryToErr("SELECT * FROM information_schema.cluster_info")
+ c.Assert(err, NotNil)
+ c.Assert(err.Error(), Equals, "[planner:1227]Access denied; you need (at least one of) the Process privilege(s) for this operation")
+
+ err = tk.QueryToErr("SELECT * FROM information_schema.cluster_load")
+ c.Assert(err, NotNil)
+ c.Assert(err.Error(), Equals, "[planner:1227]Access denied; you need (at least one of) the Process privilege(s) for this operation")
+
+ err = tk.QueryToErr("SELECT * FROM information_schema.cluster_systeminfo")
+ c.Assert(err, NotNil)
+ c.Assert(err.Error(), Equals, "[planner:1227]Access denied; you need (at least one of) the Process privilege(s) for this operation")
+
+ err = tk.QueryToErr("SELECT * FROM information_schema.cluster_log WHERE time BETWEEN '2021-07-13 00:00:00' AND '2021-07-13 02:00:00' AND message like '%'")
+ c.Assert(err, NotNil)
+ c.Assert(err.Error(), Equals, "[planner:1227]Access denied; you need (at least one of) the Process privilege(s) for this operation")
+
+ // With correct/CONFIG permissions
 tk.Se.Auth(&auth.UserIdentity{
 Username: "ccconfig",
 Hostname: "localhost",
 }, nil, nil)
+ tk.MustQuery("SHOW GRANTS").Check(testkit.Rows("GRANT CONFIG ON *.* TO 'ccconfig'@'%'"))
+ // Needs CONFIG privilege
 tk.MustQuery("SELECT * FROM information_schema.cluster_config")
+ tk.MustQuery("SELECT * FROM information_schema.cluster_hardware")
+ // Missing Process privilege
+ err = tk.QueryToErr("SELECT * FROM information_schema.cluster_info")
+ c.Assert(err, NotNil)
+ c.Assert(err.Error(), Equals, "[planner:1227]Access denied; you need (at least one of) the Process privilege(s) for this operation")
+ err = tk.QueryToErr("SELECT * FROM information_schema.cluster_load")
+ c.Assert(err, NotNil)
+ c.Assert(err.Error(), Equals, "[planner:1227]Access denied; you need (at least one of) the Process privilege(s) for this operation")
+ err = tk.QueryToErr("SELECT * FROM information_schema.cluster_systeminfo")
+ c.Assert(err, NotNil)
+ c.Assert(err.Error(), Equals, "[planner:1227]Access denied; you need (at least one of) the Process privilege(s) for this operation")
+ err = tk.QueryToErr("SELECT * FROM information_schema.cluster_log WHERE time BETWEEN '2021-07-13 00:00:00' AND '2021-07-13 02:00:00' AND message like '%'")
+ c.Assert(err, NotNil)
+ c.Assert(err.Error(), Equals, "[planner:1227]Access denied; you need (at least one of) the Process privilege(s) for this operation")
+
+ // With correct/Process permissions
+ tk.Se.Auth(&auth.UserIdentity{
+ Username: "ccprocess",
+ Hostname: "localhost",
+ }, nil, nil)
+ tk.MustQuery("SHOW GRANTS").Check(testkit.Rows("GRANT Process ON *.* TO 'ccprocess'@'%'"))
+ // Needs Process privilege
+ tk.MustQuery("SELECT * FROM information_schema.cluster_info")
+ tk.MustQuery("SELECT * FROM information_schema.cluster_load")
+ tk.MustQuery("SELECT * FROM information_schema.cluster_systeminfo")
+ tk.MustQuery("SELECT * FROM information_schema.cluster_log WHERE time BETWEEN '1970-07-13 00:00:00' AND '1970-07-13 02:00:00' AND message like '%'")
+ // Missing CONFIG privilege
+ err = tk.QueryToErr("SELECT * FROM information_schema.cluster_config")
+ c.Assert(err, NotNil)
+ c.Assert(err.Error(), Equals, "[planner:1227]Access denied; you need (at least one of) the CONFIG privilege(s) for this operation")
+ err = tk.QueryToErr("SELECT * FROM information_schema.cluster_hardware")
+ c.Assert(err, NotNil)
+ c.Assert(err.Error(), Equals, "[planner:1227]Access denied; you need (at least one of) the CONFIG privilege(s) for this operation")
 }
 func (s *testPrivilegeSuite) TestSecurityEnhancedModeStatusVars(c *C) {
From 6b4da1e8e1f8906e9bee91868f4d09062d45c66f Mon Sep 17 00:00:00 2001
From: Mattias Jonsson
Date: Tue, 13 Jul 2021 23:27:28 +0200
Subject: [PATCH 2/4] Cleanup, removed no-needed tests, better formatting And testing different case of table names...
---
 executor/infoschema_reader.go | 7 ++---
 executor/memtable_reader.go | 3 +-
 privilege/privileges/privileges_test.go | 39 +++++++------------------
 3 files changed, 15 insertions(+), 34 deletions(-)
diff --git a/executor/infoschema_reader.go b/executor/infoschema_reader.go
index 305207b1791a5..ce68c51ef8742 100644
--- a/executor/infoschema_reader.go
+++ b/executor/infoschema_reader.go
@@ -78,11 +78,8 @@ type memtableRetriever struct {
 // retrieve implements the infoschemaRetriever interface
 func (e *memtableRetriever) retrieve(ctx context.Context, sctx sessionctx.Context) ([][]types.Datum, error) {
- switch e.table.Name.O {
- case infoschema.TableClusterInfo:
- if !hasPriv(sctx, mysql.ProcessPriv) {
- return nil, plannercore.ErrSpecificAccessDenied.GenWithStackByArgs("Process")
- }
+ if e.table.Name.O == infoschema.TableClusterInfo && !hasPriv(sctx, mysql.ProcessPriv) {
+ return nil, plannercore.ErrSpecificAccessDenied.GenWithStackByArgs("Process")
 }
 if e.retrieved {
 return nil, nil
diff --git a/executor/memtable_reader.go b/executor/memtable_reader.go
index 0a5c6531182b6..f07035d38e1ca 100644
--- a/executor/memtable_reader.go
+++ b/executor/memtable_reader.go
@@ -294,7 +294,8 @@ type clusterServerInfoRetriever struct {
 // retrieve implements the memTableRetriever interface
 func (e *clusterServerInfoRetriever) retrieve(ctx context.Context, sctx sessionctx.Context) ([][]types.Datum, error) {
 switch e.serverInfoType {
- case diagnosticspb.ServerInfoType_LoadInfo, diagnosticspb.ServerInfoType_SystemInfo:
+ case diagnosticspb.ServerInfoType_LoadInfo,
+ diagnosticspb.ServerInfoType_SystemInfo:
 if !hasPriv(sctx, mysql.ProcessPriv) {
 return nil, plannercore.ErrSpecificAccessDenied.GenWithStackByArgs("Process")
 }
diff --git a/privilege/privileges/privileges_test.go b/privilege/privileges/privileges_test.go
index c44e6aef4e765..402e04c5a29ac 100644
--- a/privilege/privileges/privileges_test.go
+++ b/privilege/privileges/privileges_test.go
@@ -1480,23 +1480,6 @@ func (s *testPrivilegeSuite) TestClusterConfigInfoschema(c *C) {
 tk.MustExec("GRANT CONFIG ON *.* TO ccconfig")
 tk.MustExec("GRANT Process ON *.* TO ccprocess")
- // Try to read all I_S.CLUSTER_* schemas so they might be cached
- tk.MustQuery("SELECT * FROM information_schema.cluster_config")
- tk.MustQuery("SELECT * FROM information_schema.cluster_hardware")
- tk.MustQuery("SELECT * FROM information_schema.cluster_info")
- tk.MustQuery("SELECT * FROM information_schema.cluster_load")
- tk.MustQuery("SELECT * FROM information_schema.cluster_systeminfo")
- /* Seems to make the test instable :(
- tk.MustQuery("SELECT * FROM information_schema.cluster_log")
- tk.MustQuery("SELECT * FROM information_schema.cluster_statements_summary_evicted")
- tk.MustQuery("SELECT * FROM information_schema.cluster_statements_summary_history")
- tk.MustQuery("SELECT * FROM information_schema.cluster_statements_summary")
- tk.MustQuery("SELECT * FROM information_schema.cluster_tidb_trx")
- tk.MustQuery("SELECT * FROM information_schema.cluster_slow_query")
- tk.MustQuery("SELECT * FROM information_schema.cluster_deadlocks")
- tk.MustQuery("SELECT * FROM information_schema.cluster_processlist")
- */
-
 // incorrect/no permissions
 tk.Se.Auth(&auth.UserIdentity{
 Username: "ccnobody",
@@ -1536,18 +1519,18 @@ func (s *testPrivilegeSuite) TestClusterConfigInfoschema(c *C) {
 tk.MustQuery("SHOW GRANTS").Check(testkit.Rows("GRANT CONFIG ON *.* TO 'ccconfig'@'%'"))
 // Needs CONFIG privilege
 tk.MustQuery("SELECT * FROM information_schema.cluster_config")
- tk.MustQuery("SELECT * FROM information_schema.cluster_hardware")
+ tk.MustQuery("SELECT * FROM information_schema.cluster_HARDWARE")
 // Missing Process privilege
- err = tk.QueryToErr("SELECT * FROM information_schema.cluster_info")
+ err = tk.QueryToErr("SELECT * FROM information_schema.cluster_INFO")
 c.Assert(err, NotNil)
 c.Assert(err.Error(), Equals, "[planner:1227]Access denied; you need (at least one of) the Process privilege(s) for this operation")
- err = tk.QueryToErr("SELECT * FROM information_schema.cluster_load")
+ err = tk.QueryToErr("SELECT * FROM information_schema.cluster_LOAD")
 c.Assert(err, NotNil)
 c.Assert(err.Error(), Equals, "[planner:1227]Access denied; you need (at least one of) the Process privilege(s) for this operation")
- err = tk.QueryToErr("SELECT * FROM information_schema.cluster_systeminfo")
+ err = tk.QueryToErr("SELECT * FROM information_schema.cluster_SYSTEMINFO")
 c.Assert(err, NotNil)
 c.Assert(err.Error(), Equals, "[planner:1227]Access denied; you need (at least one of) the Process privilege(s) for this operation")
- err = tk.QueryToErr("SELECT * FROM information_schema.cluster_log WHERE time BETWEEN '2021-07-13 00:00:00' AND '2021-07-13 02:00:00' AND message like '%'")
+ err = tk.QueryToErr("SELECT * FROM information_schema.cluster_LOG WHERE time BETWEEN '2021-07-13 00:00:00' AND '2021-07-13 02:00:00' AND message like '%'")
 c.Assert(err, NotNil)
 c.Assert(err.Error(), Equals, "[planner:1227]Access denied; you need (at least one of) the Process privilege(s) for this operation")
@@ -1558,15 +1541,15 @@ func (s *testPrivilegeSuite) TestClusterConfigInfoschema(c *C) {
 }, nil, nil)
 tk.MustQuery("SHOW GRANTS").Check(testkit.Rows("GRANT Process ON *.* TO 'ccprocess'@'%'"))
 // Needs Process privilege
- tk.MustQuery("SELECT * FROM information_schema.cluster_info")
- tk.MustQuery("SELECT * FROM information_schema.cluster_load")
- tk.MustQuery("SELECT * FROM information_schema.cluster_systeminfo")
- tk.MustQuery("SELECT * FROM information_schema.cluster_log WHERE time BETWEEN '1970-07-13 00:00:00' AND '1970-07-13 02:00:00' AND message like '%'")
+ tk.MustQuery("SELECT * FROM information_schema.CLUSTER_info")
+ tk.MustQuery("SELECT * FROM information_schema.CLUSTER_load")
+ tk.MustQuery("SELECT * FROM information_schema.CLUSTER_systeminfo")
+ tk.MustQuery("SELECT * FROM information_schema.CLUSTER_log WHERE time BETWEEN '1970-07-13 00:00:00' AND '1970-07-13 02:00:00' AND message like '%'")
 // Missing CONFIG privilege
- err = tk.QueryToErr("SELECT * FROM information_schema.cluster_config")
+ err = tk.QueryToErr("SELECT * FROM information_schema.CLUSTER_config")
 c.Assert(err, NotNil)
 c.Assert(err.Error(), Equals, "[planner:1227]Access denied; you need (at least one of) the CONFIG privilege(s) for this operation")
- err = tk.QueryToErr("SELECT * FROM information_schema.cluster_hardware")
+ err = tk.QueryToErr("SELECT * FROM information_schema.CLUSTER_hardware")
 c.Assert(err, NotNil)
 c.Assert(err.Error(), Equals, "[planner:1227]Access denied; you need (at least one of) the CONFIG privilege(s) for this operation")
 }
From 1f5f938fa8f8af6c92e6fe35159e45ee31f53728 Mon Sep 17 00:00:00 2001
From: ailinkid <314806019@qq.com>
Date: Thu, 15 Jul 2021 17:35:36 +0800
Subject: [PATCH 3/4] fix telemetry problem
Signed-off-by: ailinkid <314806019@qq.com>
---
 executor/infoschema_reader.go | 19 +++++++++++++++----
 privilege/privileges/privileges_test.go | 4 +++-
 2 files changed, 18 insertions(+), 5 deletions(-)
diff --git a/executor/infoschema_reader.go b/executor/infoschema_reader.go
index ce68c51ef8742..d358b0db6d7b5 100644
--- a/executor/infoschema_reader.go
+++ b/executor/infoschema_reader.go
@@ -1021,10 +1021,21 @@ func (e *memtableRetriever) dataForTiKVStoreStatus(ctx sessionctx.Context) (err
 }
 func hasPriv(ctx sessionctx.Context, priv mysql.PrivilegeType) bool {
- if pm := privilege.GetPrivilegeManager(ctx); pm != nil {
- return pm.RequestVerification(ctx.GetSessionVars().ActiveRoles, "", "", "", priv)
- }
- return false
+ pm := privilege.GetPrivilegeManager(ctx)
+ if pm == nil {
+ // internal session created with createSession doesn't has the PrivilegeManager. For most experienced cases before,
+ // we use it like this:
+ // ```
+ // checker := privilege.GetPrivilegeManager(ctx)
+ // if checker != nil && !checker.RequestVerification(ctx.GetSessionVars().ActiveRoles, schema.Name.L, table.Name.L, "", mysql.AllPrivMask) {
+ // continue
+ // }
+ // do something.
+ // ```
+ // So once the privilege manager is nil, it's a signature of internal sql, so just passing the checker through.
+ return true
+ }
+ return pm.RequestVerification(ctx.GetSessionVars().ActiveRoles, "", "", "", priv)
 }
 func (e *memtableRetriever) setDataForTableDataLockWaits(ctx sessionctx.Context) error {
diff --git a/privilege/privileges/privileges_test.go b/privilege/privileges/privileges_test.go
index 402e04c5a29ac..c6a51665a54db 100644
--- a/privilege/privileges/privileges_test.go
+++ b/privilege/privileges/privileges_test.go
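Review bot: `hasPriv` now returns `true` when `privilege.GetPrivilegeManager(ctx)` is nil, which turns the helper from fail-closed to fail-open: every caller, including the new Process and CONFIG gates on the cluster tables, grants access to any session that has no privilege manager bound. The added comment infers "internal SQL" from the nil manager, but nothing in the hunk verifies that, so a session that reaches this code without a manager for any other reason is treated as fully privileged. I would tie the nil case to an explicit internal-session signal and deny otherwise, e.g. replace `return true` with `return ctx.GetSessionVars().InRestrictedSQL`, provided that flag is set on the telemetry path, which is not visible here. Callers of `hasPriv` that predate this series are outside the hunk and inherit the new default. The test change in this commit does not exercise the nil-manager path.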
@@ -1458,7 +1458,9 @@ func (s *testPrivilegeSuite) TestSecurityEnhancedModeInfoschema(c *C) {
 // Even though we have super, we still can't read protected information from tidb_servers_info, cluster_* tables
 tk.MustQuery(`SELECT COUNT(*) FROM information_schema.tidb_servers_info WHERE ip IS NOT NULL`).Check(testkit.Rows("0"))
- tk.MustQuery(`SELECT COUNT(*) FROM information_schema.cluster_info WHERE status_address IS NOT NULL`).Check(testkit.Rows("0"))
+ err := tk.QueryToErr(`SELECT COUNT(*) FROM information_schema.cluster_info WHERE status_address IS NOT NULL`)
+ c.Assert(err, NotNil)
+ c.Assert(err.Error(), Equals, "[planner:1227]Access denied; you need (at least one of) the Process privilege(s) for this operation")
 // 36 = a UUID. Normally it is an IP address.
 tk.MustQuery(`SELECT COUNT(*) FROM information_schema.CLUSTER_STATEMENTS_SUMMARY WHERE length(instance) != 36`).Check(testkit.Rows("0"))
From b1b06e9cd5f93940be0e71590ccbb848c24c4025 Mon Sep 17 00:00:00 2001
From: Mattias Jonsson
Date: Thu, 15 Jul 2021 11:58:21 +0200
Subject: [PATCH 4/4] Changed Process priv literal to PROCESS
---
 executor/infoschema_reader.go | 2 +-
 executor/memtable_reader.go | 4 ++--
 privilege/privileges/privileges_test.go | 18 +++++++++---------
 3 files changed, 12 insertions(+), 12 deletions(-)
diff --git a/executor/infoschema_reader.go b/executor/infoschema_reader.go
index ce594cac4d076..c381f934af211 100644
--- a/executor/infoschema_reader.go
+++ b/executor/infoschema_reader.go
@@ -79,7 +79,7 @@ type memtableRetriever struct {
 // retrieve implements the infoschemaRetriever interface
 func (e *memtableRetriever) retrieve(ctx context.Context, sctx sessionctx.Context) ([][]types.Datum, error) {
 if e.table.Name.O == infoschema.TableClusterInfo && !hasPriv(sctx, mysql.ProcessPriv) {
- return nil, plannercore.ErrSpecificAccessDenied.GenWithStackByArgs("Process")
+ return nil, plannercore.ErrSpecificAccessDenied.GenWithStackByArgs("PROCESS")
 }
 if e.retrieved {
 return nil, nil
diff --git a/executor/memtable_reader.go b/executor/memtable_reader.go
index f07035d38e1ca..6fa43f9fe120d 100644
--- a/executor/memtable_reader.go
+++ b/executor/memtable_reader.go
@@ -297,7 +297,7 @@ func (e *clusterServerInfoRetriever) retrieve(ctx context.Context, sctx sessionc
 case diagnosticspb.ServerInfoType_LoadInfo,
 diagnosticspb.ServerInfoType_SystemInfo:
 if !hasPriv(sctx, mysql.ProcessPriv) {
- return nil, plannercore.ErrSpecificAccessDenied.GenWithStackByArgs("Process")
+ return nil, plannercore.ErrSpecificAccessDenied.GenWithStackByArgs("PROCESS")
 }
 case diagnosticspb.ServerInfoType_HardwareInfo:
 if !hasPriv(sctx, mysql.ConfigPriv) {
@@ -497,7 +497,7 @@ func (h *logResponseHeap) Pop() interface{} {
 func (e *clusterLogRetriever) initialize(ctx context.Context, sctx sessionctx.Context) ([]chan logStreamResult, error) {
 if !hasPriv(sctx, mysql.ProcessPriv) {
- return nil, plannercore.ErrSpecificAccessDenied.GenWithStackByArgs("Process")
+ return nil, plannercore.ErrSpecificAccessDenied.GenWithStackByArgs("PROCESS")
 }
 serversInfo, err := infoschema.GetClusterServerInfo(sctx)
 failpoint.Inject("mockClusterLogServerInfo", func(val failpoint.Value) {
diff --git a/privilege/privileges/privileges_test.go b/privilege/privileges/privileges_test.go
index c6a51665a54db..f4fa0cc8c8349 100644
--- a/privilege/privileges/privileges_test.go
+++ b/privilege/privileges/privileges_test.go
@@ -1460,7 +1460,7 @@ func (s *testPrivilegeSuite) TestSecurityEnhancedModeInfoschema(c *C) {
 tk.MustQuery(`SELECT COUNT(*) FROM information_schema.tidb_servers_info WHERE ip IS NOT NULL`).Check(testkit.Rows("0"))
 err := tk.QueryToErr(`SELECT COUNT(*) FROM information_schema.cluster_info WHERE status_address IS NOT NULL`)
 c.Assert(err, NotNil)
- c.Assert(err.Error(), Equals, "[planner:1227]Access denied; you need (at least one of) the Process privilege(s) for this operation")
+ c.Assert(err.Error(), Equals, "[planner:1227]Access denied; you need (at least one of) the PROCESS privilege(s) for this operation")
 // 36 = a UUID. Normally it is an IP address.
 tk.MustQuery(`SELECT COUNT(*) FROM information_schema.CLUSTER_STATEMENTS_SUMMARY WHERE length(instance) != 36`).Check(testkit.Rows("0"))
@@ -1499,19 +1499,19 @@ func (s *testPrivilegeSuite) TestClusterConfigInfoschema(c *C) {
 err = tk.QueryToErr("SELECT * FROM information_schema.cluster_info")
 c.Assert(err, NotNil)
- c.Assert(err.Error(), Equals, "[planner:1227]Access denied; you need (at least one of) the Process privilege(s) for this operation")
+ c.Assert(err.Error(), Equals, "[planner:1227]Access denied; you need (at least one of) the PROCESS privilege(s) for this operation")
 err = tk.QueryToErr("SELECT * FROM information_schema.cluster_load")
 c.Assert(err, NotNil)
- c.Assert(err.Error(), Equals, "[planner:1227]Access denied; you need (at least one of) the Process privilege(s) for this operation")
+ c.Assert(err.Error(), Equals, "[planner:1227]Access denied; you need (at least one of) the PROCESS privilege(s) for this operation")
 err = tk.QueryToErr("SELECT * FROM information_schema.cluster_systeminfo")
 c.Assert(err, NotNil)
- c.Assert(err.Error(), Equals, "[planner:1227]Access denied; you need (at least one of) the Process privilege(s) for this operation")
+ c.Assert(err.Error(), Equals, "[planner:1227]Access denied; you need (at least one of) the PROCESS privilege(s) for this operation")
 err = tk.QueryToErr("SELECT * FROM information_schema.cluster_log WHERE time BETWEEN '2021-07-13 00:00:00' AND '2021-07-13 02:00:00' AND message like '%'")
 c.Assert(err, NotNil)
- c.Assert(err.Error(), Equals, "[planner:1227]Access denied; you need (at least one of) the Process privilege(s) for this operation")
+ c.Assert(err.Error(), Equals, "[planner:1227]Access denied; you need (at least one of) the PROCESS privilege(s) for this operation")
 // With correct/CONFIG permissions
 tk.Se.Auth(&auth.UserIdentity{
@@ -1525,16 +1525,16 @@ func (s *testPrivilegeSuite) TestClusterConfigInfoschema(c *C) {
 // Missing Process privilege
 err = tk.QueryToErr("SELECT * FROM information_schema.cluster_INFO")
 c.Assert(err, NotNil)
- c.Assert(err.Error(), Equals, "[planner:1227]Access denied; you need (at least one of) the Process privilege(s) for this operation")
+ c.Assert(err.Error(), Equals, "[planner:1227]Access denied; you need (at least one of) the PROCESS privilege(s) for this operation")
 err = tk.QueryToErr("SELECT * FROM information_schema.cluster_LOAD")
 c.Assert(err, NotNil)
- c.Assert(err.Error(), Equals, "[planner:1227]Access denied; you need (at least one of) the Process privilege(s) for this operation")
+ c.Assert(err.Error(), Equals, "[planner:1227]Access denied; you need (at least one of) the PROCESS privilege(s) for this operation")
 err = tk.QueryToErr("SELECT * FROM information_schema.cluster_SYSTEMINFO")
 c.Assert(err, NotNil)
- c.Assert(err.Error(), Equals, "[planner:1227]Access denied; you need (at least one of) the Process privilege(s) for this operation")
+ c.Assert(err.Error(), Equals, "[planner:1227]Access denied; you need (at least one of) the PROCESS privilege(s) for this operation")
 err = tk.QueryToErr("SELECT * FROM information_schema.cluster_LOG WHERE time BETWEEN '2021-07-13 00:00:00' AND '2021-07-13 02:00:00' AND message like '%'")
 c.Assert(err, NotNil)
- c.Assert(err.Error(), Equals, "[planner:1227]Access denied; you need (at least one of) the Process privilege(s) for this operation")
+ c.Assert(err.Error(), Equals, "[planner:1227]Access denied; you need (at least one of) the PROCESS privilege(s) for this operation")
 // With correct/Process permissions
 tk.Se.Auth(&auth.UserIdentity{