diff --git a/privilege/privileges/privileges_test.go b/privilege/privileges/privileges_test.go index c0abca2290ec1..ffeb97e155f6d 100644 --- a/privilege/privileges/privileges_test.go +++ b/privilege/privileges/privileges_test.go @@ -1178,161 +1178,6 @@ func newSession(c *C, store kv.Storage, dbName string) session.Session { mustExec(c, se, "use "+dbName) return se } -<<<<<<< HEAD -======= - -func (s *testPrivilegeSuite) TestDynamicPrivs(c *C) { - rootSe := newSession(c, s.store, s.dbName) - mustExec(c, rootSe, "CREATE USER notsuper") - mustExec(c, rootSe, "CREATE USER otheruser") - mustExec(c, rootSe, "CREATE ROLE anyrolename") - mustExec(c, rootSe, "SET tidb_enable_dynamic_privileges=1") - - se := newSession(c, s.store, s.dbName) - c.Assert(se.Auth(&auth.UserIdentity{Username: "notsuper", Hostname: "%"}, nil, nil), IsTrue) - mustExec(c, se, "SET tidb_enable_dynamic_privileges=1") - - // test SYSTEM_VARIABLES_ADMIN - _, err := se.ExecuteInternal(context.Background(), "SET GLOBAL wait_timeout = 86400") - c.Assert(err.Error(), Equals, "[planner:1227]Access denied; you need (at least one of) the SUPER or SYSTEM_VARIABLES_ADMIN privilege(s) for this operation") - mustExec(c, rootSe, "GRANT SYSTEM_VARIABLES_admin ON *.* TO notsuper") - mustExec(c, se, "SET GLOBAL wait_timeout = 86400") - - // test ROLE_ADMIN - _, err = se.ExecuteInternal(context.Background(), "GRANT anyrolename TO otheruser") - c.Assert(err.Error(), Equals, "[planner:1227]Access denied; you need (at least one of) the SUPER or ROLE_ADMIN privilege(s) for this operation") - mustExec(c, rootSe, "GRANT ROLE_ADMIN ON *.* TO notsuper") - mustExec(c, se, "GRANT anyrolename TO otheruser") - - // revoke SYSTEM_VARIABLES_ADMIN, confirm it is dropped - mustExec(c, rootSe, "REVOKE SYSTEM_VARIABLES_AdmIn ON *.* FROM notsuper") - _, err = se.ExecuteInternal(context.Background(), "SET GLOBAL wait_timeout = 86000") - c.Assert(err.Error(), Equals, "[planner:1227]Access denied; you need (at least one of) the SUPER or SYSTEM_VARIABLES_ADMIN privilege(s) for this operation") - - // grant super, confirm that it is also a substitute for SYSTEM_VARIABLES_ADMIN - mustExec(c, rootSe, "GRANT SUPER ON *.* TO notsuper") - mustExec(c, se, "SET GLOBAL wait_timeout = 86400") - - // revoke SUPER, assign SYSTEM_VARIABLES_ADMIN to anyrolename. - // confirm that a dynamic privilege can be inherited from a role. - mustExec(c, rootSe, "REVOKE SUPER ON *.* FROM notsuper") - mustExec(c, rootSe, "GRANT SYSTEM_VARIABLES_AdmIn ON *.* TO anyrolename") - mustExec(c, rootSe, "GRANT anyrolename TO notsuper") - - // It's not a default role, this should initially fail: - _, err = se.ExecuteInternal(context.Background(), "SET GLOBAL wait_timeout = 86400") - c.Assert(err.Error(), Equals, "[planner:1227]Access denied; you need (at least one of) the SUPER or SYSTEM_VARIABLES_ADMIN privilege(s) for this operation") - mustExec(c, se, "SET ROLE anyrolename") - mustExec(c, se, "SET GLOBAL wait_timeout = 87000") -} - -func (s *testPrivilegeSuite) TestDynamicGrantOption(c *C) { - rootSe := newSession(c, s.store, s.dbName) - mustExec(c, rootSe, "CREATE USER varuser1") - mustExec(c, rootSe, "CREATE USER varuser2") - mustExec(c, rootSe, "CREATE USER varuser3") - mustExec(c, rootSe, "SET tidb_enable_dynamic_privileges=1") - - mustExec(c, rootSe, "GRANT SYSTEM_VARIABLES_ADMIN ON *.* TO varuser1") - mustExec(c, rootSe, "GRANT SYSTEM_VARIABLES_ADMIN ON *.* TO varuser2 WITH GRANT OPTION") - - se1 := newSession(c, s.store, s.dbName) - mustExec(c, se1, "SET tidb_enable_dynamic_privileges=1") - - c.Assert(se1.Auth(&auth.UserIdentity{Username: "varuser1", Hostname: "%"}, nil, nil), IsTrue) - _, err := se1.ExecuteInternal(context.Background(), "GRANT SYSTEM_VARIABLES_ADMIN ON *.* TO varuser3") - c.Assert(err.Error(), Equals, "[planner:1227]Access denied; you need (at least one of) the GRANT OPTION privilege(s) for this operation") - - se2 := newSession(c, s.store, s.dbName) - mustExec(c, se2, "SET tidb_enable_dynamic_privileges=1") - - c.Assert(se2.Auth(&auth.UserIdentity{Username: "varuser2", Hostname: "%"}, nil, nil), IsTrue) - mustExec(c, se2, "GRANT SYSTEM_VARIABLES_ADMIN ON *.* TO varuser3") -} - -func (s *testPrivilegeSuite) TestSecurityEnhancedModeRestrictedTables(c *C) { - // This provides an integration test of the tests in util/security/security_test.go - cloudAdminSe := newSession(c, s.store, s.dbName) - mustExec(c, cloudAdminSe, "CREATE USER cloudadmin") - mustExec(c, cloudAdminSe, "SET tidb_enable_dynamic_privileges=1") - mustExec(c, cloudAdminSe, "GRANT RESTRICTED_TABLES_ADMIN, SELECT ON *.* to cloudadmin") - mustExec(c, cloudAdminSe, "GRANT CREATE ON mysql.* to cloudadmin") - mustExec(c, cloudAdminSe, "CREATE USER uroot") - mustExec(c, cloudAdminSe, "GRANT ALL ON *.* to uroot WITH GRANT OPTION") // A "MySQL" all powerful user. - c.Assert(cloudAdminSe.Auth(&auth.UserIdentity{Username: "cloudadmin", Hostname: "%"}, nil, nil), IsTrue) - urootSe := newSession(c, s.store, s.dbName) - mustExec(c, urootSe, "SET tidb_enable_dynamic_privileges=1") - c.Assert(urootSe.Auth(&auth.UserIdentity{Username: "uroot", Hostname: "%"}, nil, nil), IsTrue) - - sem.Enable() - defer sem.Disable() - - _, err := urootSe.ExecuteInternal(context.Background(), "use metrics_schema") - c.Assert(err.Error(), Equals, "[executor:1044]Access denied for user 'uroot'@'%' to database 'metrics_schema'") - - _, err = urootSe.ExecuteInternal(context.Background(), "SELECT * FROM metrics_schema.uptime") - c.Assert(err.Error(), Equals, "[planner:1142]SELECT command denied to user 'uroot'@'%' for table 'uptime'") - - _, err = urootSe.ExecuteInternal(context.Background(), "CREATE TABLE mysql.abcd (a int)") - c.Assert(err.Error(), Equals, "[planner:1142]CREATE command denied to user 'uroot'@'%' for table 'abcd'") - - mustExec(c, cloudAdminSe, "USE metrics_schema") - mustExec(c, cloudAdminSe, "SELECT * FROM metrics_schema.uptime") - mustExec(c, cloudAdminSe, "CREATE TABLE mysql.abcd (a int)") -} - -func (s *testPrivilegeSuite) TestSecurityEnhancedModeInfoschema(c *C) { - tk := testkit.NewTestKit(c, s.store) - tk.MustExec("CREATE USER uroot1, uroot2, uroot3") - tk.MustExec("GRANT SUPER ON *.* to uroot1 WITH GRANT OPTION") // super not process - tk.MustExec("SET tidb_enable_dynamic_privileges=1") - tk.MustExec("GRANT SUPER, PROCESS, RESTRICTED_TABLES_ADMIN ON *.* to uroot2 WITH GRANT OPTION") - tk.Se.Auth(&auth.UserIdentity{ - Username: "uroot1", - Hostname: "localhost", - AuthUsername: "uroot", - AuthHostname: "%", - }, nil, nil) - - sem.Enable() - defer sem.Disable() - - // Even though we have super, we still can't read protected information from tidb_servers_info, cluster_* tables - tk.MustQuery(`SELECT COUNT(*) FROM information_schema.tidb_servers_info WHERE ip IS NOT NULL`).Check(testkit.Rows("0")) - tk.MustQuery(`SELECT COUNT(*) FROM information_schema.cluster_info WHERE status_address IS NOT NULL`).Check(testkit.Rows("0")) - // 36 = a UUID. Normally it is an IP address. - tk.MustQuery(`SELECT COUNT(*) FROM information_schema.CLUSTER_STATEMENTS_SUMMARY WHERE length(instance) != 36`).Check(testkit.Rows("0")) - - // That is unless we have the RESTRICTED_TABLES_ADMIN privilege - tk.Se.Auth(&auth.UserIdentity{ - Username: "uroot2", - Hostname: "localhost", - AuthUsername: "uroot", - AuthHostname: "%", - }, nil, nil) - - // flip from is NOT NULL etc - tk.MustQuery(`SELECT COUNT(*) FROM information_schema.tidb_servers_info WHERE ip IS NULL`).Check(testkit.Rows("0")) - tk.MustQuery(`SELECT COUNT(*) FROM information_schema.cluster_info WHERE status_address IS NULL`).Check(testkit.Rows("0")) - tk.MustQuery(`SELECT COUNT(*) FROM information_schema.CLUSTER_STATEMENTS_SUMMARY WHERE length(instance) = 36`).Check(testkit.Rows("0")) -} - -func (s *testPrivilegeSuite) TestSecurityEnhancedModeStatusVars(c *C) { - // Without TiKV the status var list does not include tidb_gc_leader_desc - // So we can only test that the dynamic privilege is grantable. - // We will have to use an integration test to run SHOW STATUS LIKE 'tidb_gc_leader_desc' - // and verify if it appears. - tk := testkit.NewTestKit(c, s.store) - tk.MustExec("CREATE USER unostatus, ustatus") - tk.MustExec("SET tidb_enable_dynamic_privileges=1") - tk.MustExec("GRANT RESTRICTED_STATUS_ADMIN ON *.* to ustatus") - tk.Se.Auth(&auth.UserIdentity{ - Username: "unostatus", - Hostname: "localhost", - AuthUsername: "uroot", - AuthHostname: "%", - }, nil, nil) -} // TestViewDefiner tests that default roles are correctly applied in the algorithm definer // See: https://github.com/pingcap/tidb/issues/24414 @@ -1361,4 +1206,3 @@ func (s *testPrivilegeSuite) TestViewDefiner(c *C) { tk.MustExec("select * from test_view") tk.MustExec("select * from test_view2") } ->>>>>>> b8cad01be... privilege: fix RequestVerificationWithUser use of default roles (#24442)