Skip to content
Closed
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
7 changes: 6 additions & 1 deletion pkg/executor/show.go
Original file line number Diff line number Diff line change
Expand Up @@ -1748,7 +1748,7 @@ func (e *ShowExec) fetchShowCreateUser(ctx context.Context) error {
`SELECT plugin, Account_locked, user_attributes->>'$.metadata', Token_issuer,
Password_reuse_history, Password_reuse_time, Password_expired, Password_lifetime,
user_attributes->>'$.Password_locking.failed_login_attempts',
user_attributes->>'$.Password_locking.password_lock_time_days'
user_attributes->>'$.Password_locking.password_lock_time_days', authentication_string
FROM %n.%n WHERE User=%? AND Host=%?`,
mysql.SystemDB, mysql.UserTable, userName, strings.ToLower(hostName))
if err != nil {
Expand Down Expand Up @@ -1823,6 +1823,8 @@ func (e *ShowExec) fetchShowCreateUser(ctx context.Context) error {
passwordLockTimeDays = " PASSWORD_LOCK_TIME " + passwordLockTimeDays
}
}
authData := rows[0].GetString(10)

rows, _, err = exec.ExecRestrictedSQL(ctx, nil, `SELECT Priv FROM %n.%n WHERE User=%? AND Host=%?`, mysql.SystemDB, mysql.GlobalPrivTable, userName, hostName)
if err != nil {
return errors.Trace(err)
Expand All @@ -1839,7 +1841,10 @@ func (e *ShowExec) fetchShowCreateUser(ctx context.Context) error {
require = privValue.RequireStr()
}

<<<<<<< HEAD
authData := checker.GetEncodedPassword(e.User.Username, e.User.Hostname)
=======
>>>>>>> c8ba4e3ace2 (*: avoid some unnecessary call of ensureActiveUser() (#57388))
authStr := ""
if !(authplugin == mysql.AuthSocket && authData == "") {
authStr = fmt.Sprintf(" AS '%s'", authData)
Expand Down
22 changes: 22 additions & 0 deletions pkg/executor/simple.go
Original file line number Diff line number Diff line change
Expand Up @@ -1762,15 +1762,26 @@ func (e *SimpleExec) executeAlterUser(ctx context.Context, s *ast.AlterUserStmt)
if !(hasCreateUserPriv || hasSystemSchemaPriv) {
return plannererrors.ErrSpecificAccessDenied.GenWithStackByArgs("CREATE USER")
}
<<<<<<< HEAD
if checker.RequestDynamicVerificationWithUser("SYSTEM_USER", false, spec.User) && !(hasSystemUserPriv || hasRestrictedUserPriv) {
return plannererrors.ErrSpecificAccessDenied.GenWithStackByArgs("SYSTEM_USER or SUPER")
}
if sem.IsEnabled() && checker.RequestDynamicVerificationWithUser("RESTRICTED_USER_ADMIN", false, spec.User) && !hasRestrictedUserPriv {
=======
if !(hasSystemUserPriv || hasRestrictedUserPriv) && checker.RequestDynamicVerificationWithUser(ctx, "SYSTEM_USER", false, spec.User) {
return plannererrors.ErrSpecificAccessDenied.GenWithStackByArgs("SYSTEM_USER or SUPER")
}
if sem.IsEnabled() && !hasRestrictedUserPriv && checker.RequestDynamicVerificationWithUser(ctx, "RESTRICTED_USER_ADMIN", false, spec.User) {
>>>>>>> c8ba4e3ace2 (*: avoid some unnecessary call of ensureActiveUser() (#57388))
return plannererrors.ErrSpecificAccessDenied.GenWithStackByArgs("RESTRICTED_USER_ADMIN")
}
}

<<<<<<< HEAD
exists, err := userExistsInternal(ctx, sqlExecutor, spec.User.Username, spec.User.Hostname)
=======
exists, currentAuthPlugin, err := userExistsInternal(ctx, sqlExecutor, spec.User.Username, spec.User.Hostname)
>>>>>>> c8ba4e3ace2 (*: avoid some unnecessary call of ensureActiveUser() (#57388))
if err != nil {
return err
}
Expand Down Expand Up @@ -2287,7 +2298,11 @@ func (e *SimpleExec) executeDropUser(ctx context.Context, s *ast.DropUserStmt) e
// Because in TiDB SUPER can be used as a substitute for any dynamic privilege, this effectively means that
// any user with SUPER requires a user with SUPER to be able to DROP the user.
// We also allow RESTRICTED_USER_ADMIN to count for simplicity.
<<<<<<< HEAD
if checker.RequestDynamicVerificationWithUser("SYSTEM_USER", false, user) && !(hasSystemUserPriv || hasRestrictedUserPriv) {
=======
if !(hasSystemUserPriv || hasRestrictedUserPriv) && checker.RequestDynamicVerificationWithUser(ctx, "SYSTEM_USER", false, user) {
>>>>>>> c8ba4e3ace2 (*: avoid some unnecessary call of ensureActiveUser() (#57388))
if _, err := sqlExecutor.ExecuteInternal(internalCtx, "rollback"); err != nil {
return err
}
Expand Down Expand Up @@ -2487,7 +2502,11 @@ func (e *SimpleExec) executeSetPwd(ctx context.Context, s *ast.SetPwdStmt) error
return exeerrors.ErrDBaccessDenied.GenWithStackByArgs(currUser.Username, currUser.Hostname, "mysql")
}
}
<<<<<<< HEAD
exists, err := userExistsInternal(ctx, sqlExecutor, u, h)
=======
exists, authplugin, err := userExistsInternal(ctx, sqlExecutor, u, h)
>>>>>>> c8ba4e3ace2 (*: avoid some unnecessary call of ensureActiveUser() (#57388))
if err != nil {
return err
}
Expand All @@ -2502,10 +2521,13 @@ func (e *SimpleExec) executeSetPwd(ctx context.Context, s *ast.SetPwdStmt) error
disableSandboxMode = true
}

<<<<<<< HEAD
authplugin, err := privilege.GetPrivilegeManager(e.Ctx()).GetAuthPlugin(u, h)
if err != nil {
return err
}
=======
>>>>>>> c8ba4e3ace2 (*: avoid some unnecessary call of ensureActiveUser() (#57388))
if e.isValidatePasswordEnabled() {
if err := pwdValidator.ValidatePassword(e.Ctx().GetSessionVars(), s.Password); err != nil {
return err
Expand Down
2 changes: 1 addition & 1 deletion pkg/extension/auth_test.go
Original file line number Diff line number Diff line change
Expand Up @@ -235,7 +235,7 @@ func TestAuthPlugin(t *testing.T) {
// Should authenticate using plugin impl.
p.AssertNumberOfCalls(t, "AuthenticateUser", 2)
p.AssertCalled(t, "ValidateAuthString", "encodedpassword")
p.AssertNumberOfCalls(t, "ValidateAuthString", 4)
p.AssertNumberOfCalls(t, "ValidateAuthString", 3)

// Change password should work using ALTER USER statement.
tk.MustExec("alter user 'u2'@'localhost' identified with 'authentication_test_plugin' by 'anotherrawpassword'")
Expand Down
3 changes: 3 additions & 0 deletions pkg/privilege/privilege.go
Original file line number Diff line number Diff line change
Expand Up @@ -46,9 +46,12 @@ type Manager interface {
// ShowGrants shows granted privileges for user.
ShowGrants(ctx sessionctx.Context, user *auth.UserIdentity, roles []*auth.RoleIdentity) ([]string, error)

<<<<<<< HEAD
// GetEncodedPassword shows the encoded password for user.
GetEncodedPassword(user, host string) string

=======
>>>>>>> c8ba4e3ace2 (*: avoid some unnecessary call of ensureActiveUser() (#57388))
// RequestVerification verifies user privilege for the request.
// If table is "", only check global/db scope privileges.
// If table is not "", check global/db/table scope privileges.
Expand Down
3 changes: 3 additions & 0 deletions pkg/privilege/privileges/privileges.go
Original file line number Diff line number Diff line change
Expand Up @@ -313,6 +313,7 @@ func (p *UserPrivileges) isValidHash(record *UserRecord) bool {
return false
}

<<<<<<< HEAD
// GetEncodedPassword implements the Manager interface.
func (p *UserPrivileges) GetEncodedPassword(user, host string) string {
mysqlPriv := p.Handle.Get()
Expand All @@ -328,6 +329,8 @@ func (p *UserPrivileges) GetEncodedPassword(user, host string) string {
return ""
}

=======
>>>>>>> c8ba4e3ace2 (*: avoid some unnecessary call of ensureActiveUser() (#57388))
// GetAuthPluginForConnection gets the authentication plugin used in connection establishment.
func (p *UserPrivileges) GetAuthPluginForConnection(user, host string) (string, error) {
if SkipWithGrant {
Expand Down
41 changes: 41 additions & 0 deletions pkg/privilege/privileges/privileges_test.go
Original file line number Diff line number Diff line change
Expand Up @@ -2091,7 +2091,12 @@ func TestNilHandleInConnectionVerification(t *testing.T) {

func testShowGrantsSQLMode(t *testing.T, tk *testkit.TestKit, expected []string) {
pc := privilege.GetPrivilegeManager(tk.Session())
<<<<<<< HEAD
gs, err := pc.ShowGrants(tk.Session(), &auth.UserIdentity{Username: "show_sql_mode", Hostname: "localhost"}, nil)
=======
pc.MatchIdentity(context.Background(), "show_sql_mode", "localhost", false)
gs, err := pc.ShowGrants(context.Background(), tk.Session(), &auth.UserIdentity{Username: "show_sql_mode", Hostname: "localhost"}, nil)
>>>>>>> c8ba4e3ace2 (*: avoid some unnecessary call of ensureActiveUser() (#57388))
require.NoError(t, err)
require.Len(t, gs, 2)
require.True(t, testutil.CompareUnorderedStringSlice(gs, expected), fmt.Sprintf("gs: %v, expected: %v", gs, expected))
Expand All @@ -2116,3 +2121,39 @@ func TestShowGrantsSQLMode(t *testing.T) {
"GRANT SELECT ON \"test\".* TO 'show_sql_mode'@'localhost'",
})
}
<<<<<<< HEAD
=======

func TestEnsureActiveUserCoverage(t *testing.T) {
store := createStoreAndPrepareDB(t)
tk := testkit.NewTestKit(t, store)
tk.MustExec("create user 'test'")
tk.Session().Auth(&auth.UserIdentity{Username: "root", Hostname: "localhost"}, nil, nil, nil)

cases := []struct {
sql string
visited bool
}{
{"drop user if exists 'test1'", false},
{"alter user test identified by 'test1'", false},
{"set password for test = 'test2'", false},
{"show create user test", false},
{"create user test1", false},
{"show grants", true},
{"show grants for 'test'@'%'", true},
}

for ith, c := range cases {
var visited bool
ctx := context.WithValue(context.Background(), "mock", &visited)
rs, err := tk.ExecWithContext(ctx, c.sql)
require.NoError(t, err)

comment := fmt.Sprintf("testcase %d failed", ith)
if rs != nil {
tk.ResultSetToResultWithCtx(ctx, rs, comment)
}
require.Equal(t, c.visited, visited, comment)
}
}
>>>>>>> c8ba4e3ace2 (*: avoid some unnecessary call of ensureActiveUser() (#57388))
3 changes: 3 additions & 0 deletions tests/integrationtest/r/executor/simple.result
Original file line number Diff line number Diff line change
Expand Up @@ -153,6 +153,9 @@ create user test_all;
set default role all to test_all;
drop user if exists 'testflush'@'localhost';
CREATE USER 'testflush'@'localhost' IDENTIFIED BY '';
SHOW GRANTS FOR 'testflush'@'localhost';
Grants for testflush@localhost
GRANT USAGE ON *.* TO 'testflush'@'localhost'
UPDATE mysql.User SET Select_priv='Y' WHERE User="testflush" and Host="localhost";
SELECT authentication_string FROM mysql.User WHERE User="testflush" and Host="localhost";
Error 1142 (42000): SELECT command denied to user 'testflush'@'localhost' for table 'user'
Expand Down
47 changes: 47 additions & 0 deletions tests/integrationtest/t/executor/simple.test
Original file line number Diff line number Diff line change
Expand Up @@ -165,6 +165,7 @@ disconnect conn1;
# TestFlushPrivileges
drop user if exists 'testflush'@'localhost';
CREATE USER 'testflush'@'localhost' IDENTIFIED BY '';
SHOW GRANTS FOR 'testflush'@'localhost';
UPDATE mysql.User SET Select_priv='Y' WHERE User="testflush" and Host="localhost";
connect (conn1, localhost, testflush,,);
--error 1142
Expand Down Expand Up @@ -487,3 +488,49 @@ rollback;
select * from auto_new;

set autocommit = default;
<<<<<<< HEAD
=======

# TestDefaultAuthPluginForCreateUser

connection default;

--error 1231
set global default_authentication_plugin = 'invalid_auth_plugin';
--error 1231
set global default_authentication_plugin = 'auth_socket';

set global default_authentication_plugin = 'tidb_sm3_password';
create user default_sm3_user;
show create user default_sm3_user;
select plugin from mysql.user where user = 'default_sm3_user';

set global default_authentication_plugin = 'caching_sha2_password';
create user default_sha2_user;
create user native_plugin_user identified with 'mysql_native_password';
create role default_sha2_role;
show create user default_sha2_user;
select plugin from mysql.user where user = 'default_sha2_user';
show create user native_plugin_user;
select plugin from mysql.user where user = 'native_plugin_user';
show create user default_sha2_role;
select plugin from mysql.user where user = 'default_sha2_role';

alter user default_sha2_user identified with 'tidb_sm3_password';
show create user default_sha2_user;
select plugin from mysql.user where user = 'default_sha2_user';

alter user default_sha2_user identified with 'authentication_ldap_simple';
show create user default_sha2_user;
select plugin from mysql.user where user = 'default_sha2_user';

alter user default_sha2_user identified with 'authentication_ldap_sasl';
show create user default_sha2_user;
select plugin from mysql.user where user = 'default_sha2_user';

drop user default_sm3_user;
drop user default_sha2_user;
drop user native_plugin_user;
drop user default_sha2_role;
set global default_authentication_plugin = default;
>>>>>>> c8ba4e3ace2 (*: avoid some unnecessary call of ensureActiveUser() (#57388))