diff --git a/executor/builder.go b/executor/builder.go
index e04a51245b824..2b5de81ee15e7 100644
--- a/executor/builder.go
+++ b/executor/builder.go
@@ -550,7 +550,12 @@ func (b *executorBuilder) buildShow(v *plannercore.Show) Executor {
 is: b.is,
 }
 if e.Tp == ast.ShowGrants && e.User == nil {
- e.User = e.ctx.GetSessionVars().User
+ // The input is a "show grants" statement, fulfill the user and roles field.
+ // Note: "show grants" result are different from "show grants for current_user",
+ // The former determine privileges with roles, while the later doesn't.
+ vars := e.ctx.GetSessionVars()
+ e.User = vars.User
+ e.Roles = vars.ActiveRoles
 }
 if e.Tp == ast.ShowMasterStatus {
 // show master status need start ts.
diff --git a/executor/show_test.go b/executor/show_test.go
index 0e3ce9a481991..64218826245e8 100644
--- a/executor/show_test.go
+++ b/executor/show_test.go
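Review bot: The comment added above `vars := e.ctx.GetSessionVars()` in the builder.go hunk is hard to parse and leaves out the fact a privilege reviewer needs: plain SHOW GRANTS now reports privileges inherited through the session's active roles. I would reword it to `// Plain SHOW GRANTS: fill in the current user and the session's active roles.` followed by `// Unlike SHOW GRANTS FOR CURRENT_USER, the result then includes privileges inherited through those roles.` The expected rows in the show_test.go hunk suggest the inherited privilege is printed as `GRANT ALL PRIVILEGES ON newdb.* TO 'dev'@'%'`, which reads like a direct grant, so the comment should say that as well. `e.Roles` also takes the session's `ActiveRoles` value directly; if that is a slice, it is worth confirming that neither side mutates it afterwards. buildShow starts and ends outside the hunk.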
@@ -157,6 +157,21 @@ func (s *testSuite2) TestIssue3641(c *C) {
 c.Assert(err.Error(), Equals, plannercore.ErrNoDB.Error())
 }
 
+func (s *testSuite2) TestIssue10549(c *C) {
+ tk := testkit.NewTestKit(c, s.store)
+ tk.MustExec("CREATE DATABASE newdb;")
+ tk.MustExec("CREATE ROLE 'app_developer';")
+ tk.MustExec("GRANT ALL ON newdb.* TO 'app_developer';")
+ tk.MustExec("CREATE USER 'dev';")
+ tk.MustExec("GRANT 'app_developer' TO 'dev';")
+ tk.MustExec("SET DEFAULT ROLE app_developer TO 'dev';")
+
+ c.Assert(tk.Se.Auth(&auth.UserIdentity{Username: "dev", Hostname: "localhost", AuthUsername: "dev", AuthHostname: "localhost"}, nil, nil), IsTrue)
+ tk.MustQuery("SHOW DATABASES;").Check(testkit.Rows("INFORMATION_SCHEMA", "newdb"))
+ tk.MustQuery("SHOW GRANTS;").Check(testkit.Rows("GRANT USAGE ON *.* TO 'dev'@'%'", "GRANT ALL PRIVILEGES ON newdb.* TO 'dev'@'%'", "GRANT 'app_developer'@'%' TO 'dev'@'%'"))
+ tk.MustQuery("SHOW GRANTS FOR CURRENT_USER").Check(testkit.Rows("GRANT USAGE ON *.* TO 'dev'@'%'", "GRANT 'app_developer'@'%' TO 'dev'@'%'"))
+}
+
 // TestShow2 is moved from session_test
 func (s *testSuite2) TestShow2(c *C) {
 tk := testkit.NewTestKit(c, s.store)
diff --git a/executor/simple.go b/executor/simple.go
index 4ee51342d3838..87d76ba8bdf0b 100644
--- a/executor/simple.go
+++ b/executor/simple.go
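Review bot: TestIssue10549 only covers the state where the default role is active; nothing checks that the role-derived row disappears from plain SHOW GRANTS once the role is deactivated, which is the direction that matters when the output is used to review privileges. After the last assertion I would add `tk.MustExec("SET ROLE NONE")` and `tk.MustQuery("SHOW GRANTS;").Check(testkit.Rows("GRANT USAGE ON *.* TO 'dev'@'%'", "GRANT 'app_developer'@'%' TO 'dev'@'%'"))`, assuming SET ROLE NONE is accepted here and clears the active roles. The test also leaves `newdb`, the role and the user behind in `s.store`; if that store is shared across the suite, dropping them at the end would keep other tests' SHOW DATABASES and grant expectations stable.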
@@ -221,17 +221,20 @@ func (e *SimpleExec) setDefaultRoleAll(s *ast.SetDefaultRoleStmt) error {
 return nil
 }
 
-func (e *SimpleExec) executeSetDefaultRole(s *ast.SetDefaultRoleStmt) error {
+func (e *SimpleExec) executeSetDefaultRole(s *ast.SetDefaultRoleStmt) (err error) {
 switch s.SetRoleOpt {
 case ast.SetRoleAll:
- return e.setDefaultRoleAll(s)
+ err = e.setDefaultRoleAll(s)
 case ast.SetRoleNone:
- return e.setDefaultRoleNone(s)
+ err = e.setDefaultRoleNone(s)
 case ast.SetRoleRegular:
- return e.setDefaultRoleRegular(s)
+ err = e.setDefaultRoleRegular(s)
 }
- err := domain.GetDomain(e.ctx).PrivilegeHandle().Update(e.ctx.(sessionctx.Context))
- return err
+ if err != nil {
+ return
+ }
+ domain.GetDomain(e.ctx).NotifyUpdatePrivilege(e.ctx)
+ return
 }
 
 func (e *SimpleExec) setRoleRegular(s *ast.SetRoleStmt) error {
diff --git a/privilege/privileges/privileges_test.go b/privilege/privileges/privileges_test.go
index 3a9e1b09b9cf3..b75dbeeac589c 100644
--- a/privilege/privileges/privileges_test.go
+++ b/privilege/privileges/privileges_test.go
@@ -494,7 +494,6 @@ func (s *testPrivilegeSuite) TestUseDB(c *C) {
 mustExec(c, se, `CREATE USER 'dev'@'localhost'`)
 mustExec(c, se, `GRANT 'app_developer' TO 'dev'@'localhost'`)
 mustExec(c, se, `SET DEFAULT ROLE 'app_developer' TO 'dev'@'localhost'`)
- mustExec(c, se, `FLUSH PRIVILEGES`)
 c.Assert(se.Auth(&auth.UserIdentity{Username: "dev", Hostname: "localhost", AuthUsername: "dev", AuthHostname: "localhost"}, nil, nil), IsTrue)
 _, err = se.Execute(context.Background(), "use app_db")
 c.Assert(err, IsNil)
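Review bot: The `switch s.SetRoleOpt` in executeSetDefaultRole (simple.go hunk) has no `default` arm, so an option value other than the three listed leaves `err` nil and the function still calls `NotifyUpdatePrivilege` and reports success without having changed anything. I would add a `default:` arm that returns an error naming the unsupported option, and replace the two naked `return`s with `return err` and `return nil`, which makes the named result unnecessary. `NotifyUpdatePrivilege(e.ctx)` is also called as a bare statement; its body is not in this diff, but if the reload can fail, the statement succeeds while the node keeps stale default-role data, so a comment stating whether that is intended would help.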