privilege: fix user change after show grants and add user existed c…

…heck for `show grants` (#19568) (#19587) Signed-off-by: ti-srebot <ti-srebot@pingcap.com>
pingcap · Sep 3, 2020 · d0eaee9 · d0eaee9
1 parent 11a9b55
commit d0eaee9
Show file tree

Hide file tree

Showing 3 changed files with 36 additions and 4 deletions.
diff --git a/executor/builder.go b/executor/builder.go
@@ -27,6 +27,7 @@ import (
 	"github.com/cznic/sortutil"
 	"github.com/pingcap/errors"
 	"github.com/pingcap/parser/ast"
+	"github.com/pingcap/parser/auth"
 	"github.com/pingcap/parser/model"
 	"github.com/pingcap/parser/mysql"
 	"github.com/pingcap/tidb/distsql"
@@ -599,9 +600,7 @@ func (b *executorBuilder) buildShow(v *plannercore.Show) Executor {
 		// Note: "show grants" result are different from "show grants for current_user",
 		// The former determine privileges with roles, while the later doesn't.
 		vars := e.ctx.GetSessionVars()
-		e.User = vars.User
-		e.User.Hostname = vars.User.AuthHostname
-		e.User.Username = vars.User.AuthUsername
+		e.User = &auth.UserIdentity{Username: vars.User.AuthUsername, Hostname: vars.User.AuthHostname}
 		e.Roles = vars.ActiveRoles
 	}
 	if e.Tp == ast.ShowMasterStatus {

diff --git a/executor/show_test.go b/executor/show_test.go
@@ -22,6 +22,7 @@ import (
 	"github.com/pingcap/parser/auth"
 	"github.com/pingcap/parser/model"
 	"github.com/pingcap/parser/mysql"
+	"github.com/pingcap/parser/terror"
 	"github.com/pingcap/tidb/domain"
 	"github.com/pingcap/tidb/executor"
 	plannercore "github.com/pingcap/tidb/planner/core"
@@ -159,6 +160,28 @@ func (s *testSuite2) TestShowGrantsPrivilege(c *C) {
 	tk2.MustQuery("show grants")
 }
 
+func (s *testSuite2) TestIssue18878(c *C) {
+	errNonexistingGrant := terror.ClassPrivilege.New(mysql.ErrNonexistingGrant, mysql.MySQLErrName[mysql.ErrNonexistingGrant])
+	tk := testkit.NewTestKit(c, s.store)
+	se, err := session.CreateSession4Test(s.store)
+	c.Assert(err, IsNil)
+	c.Assert(se.Auth(&auth.UserIdentity{Username: "root", Hostname: "127.0.0.1", AuthHostname: "%"}, nil, nil), IsTrue)
+	tk.Se = se
+	tk.MustQuery("select user()").Check(testkit.Rows("root@127.0.0.1"))
+	tk.MustQuery("show grants")
+	tk.MustQuery("select user()").Check(testkit.Rows("root@127.0.0.1"))
+	err = tk.QueryToErr("show grants for root@127.0.0.1")
+	c.Assert(err.Error(), Equals, errNonexistingGrant.FastGenByArgs("root", "127.0.0.1").Error())
+	err = tk.QueryToErr("show grants for root@localhost")
+	c.Assert(err.Error(), Equals, errNonexistingGrant.FastGenByArgs("root", "localhost").Error())
+	err = tk.QueryToErr("show grants for root@1.1.1.1")
+	c.Assert(err.Error(), Equals, errNonexistingGrant.FastGenByArgs("root", "1.1.1.1").Error())
+	tk.MustExec("create user `show_grants`@`127.0.%`")
+	err = tk.QueryToErr("show grants for `show_grants`@`127.0.0.1`")
+	c.Assert(err.Error(), Equals, errNonexistingGrant.FastGenByArgs("show_grants", "127.0.0.1").Error())
+	tk.MustQuery("show grants for `show_grants`@`127.0.%`")
+}
+
 func (s *testSuite2) TestIssue3641(c *C) {
 	tk := testkit.NewTestKit(c, s.store)
 	_, err := tk.Exec("show tables;")

diff --git a/privilege/privileges/cache.go b/privilege/privileges/cache.go
@@ -897,7 +897,17 @@ func (p *MySQLPrivilege) showGrants(user, host string, roles []*auth.RoleIdentit
 	allRoles := p.FindAllRole(roles)
 	// Show global grants.
 	var currentPriv mysql.PrivilegeType
-	var hasGrantOptionPriv bool = false
+	var hasGrantOptionPriv, userExists = false, false
+	// Check whether user exists.
+	for _, record := range p.User {
+		if host == record.Host {
+			userExists = true
+			break
+		}
+	}
+	if !userExists {
+		return gs
+	}
 	var g string
 	for _, record := range p.User {
 		if record.User == user && record.Host == host {