Merge lp:~ansharyan015/drizzle/trunk-bug-931917 into lp:drizzle

Proposed by Anshu Kumar
Status: Merged
Merged at revision: 2538
Proposed branch: lp:~ansharyan015/drizzle/trunk-bug-931917
Merge into: lp:drizzle
Diff against target: 385 lines (+250/-36)
8 files modified
plugin/regex_policy/docs/index.rst (+14/-18)
plugin/regex_policy/module.cc (+1/-1)
plugin/regex_policy/policy.h (+6/-6)
plugin/regex_policy/tests/r/basic_deprecated.result (+72/-0)
plugin/regex_policy/tests/t/basic.policy (+11/-11)
plugin/regex_policy/tests/t/basic_deprecated-master.opt (+1/-0)
plugin/regex_policy/tests/t/basic_deprecated.policy (+15/-0)
plugin/regex_policy/tests/t/basic_deprecated.test (+130/-0)
To merge this branch: bzr merge lp:~ansharyan015/drizzle/trunk-bug-931917
Reviewer Review Type Date Requested Status
Henrik Ingo Approve
Review via email: mp+100298@code.launchpad.net

Description of the change

Changed the regex plugin to support ALLOW/DENY policies. ACCEPT/REJECT can still be used, but their use is deprecated. Corresponding changes were made to the docs, and test cases were added.

Henrik Ingo (hingo) wrote :

I've reviewed this prior to merge proposal, see the linked bug for discussion. If you have any other comments, please continue review here.

review: Approve
Brian Aker (brianaker) wrote :

> I've reviewed this prior to merge proposal, see the linked bug for discussion.
> If you have any other comments, please continue review here.

So should this go to 7.1 or 7.2?

Vijay Samuel (vjsamuel) wrote :

7.2
On Apr 1, 2012 6:09 AM, "Brian Aker" <email address hidden> wrote:

> > I've reviewed this prior to merge proposal, see the linked bug for
> discussion.
> > If you have any other comments, please continue review here.
>
> So should this go to 7.1 or 7.2?
> --
>
> https://code.launchpad.net/~ansharyan015/drizzle/trunk-bug-931917/+merge/100298
> Your team Drizzle Trunk is subscribed to branch lp:drizzle.
>

Henrik Ingo (hingo) wrote :

7.2. (We could actually backport it to 7.1 at a later time but not now.)

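--- a/plugin/regex_policy/docs/index.rst
+++ b/plugin/regex_policy/docs/index.rst
@@ -64,30 +64,26 @@
 The general line format of a regex policy file is::
 
 USER_PATTERN SCHEMA_OBJECT_PATTERN POLICY
+ In Drizzle 7 and Drizzle 7.1 the POLICY values supported were 'ACCEPT' and 'DENY'. Beginning with Drizzle 7.2.0, the values used should be 'ALLOW' and 'DENY'. Although 'ACCEPT' and 'REJECT' are also supported for backward compatibility, but their use is deprecated.
 
 For example::
 
 # This is a comment line and should be skipped
- .+ schema=DATA_DICTIONARY ACCEPT
- .+ schema=INFORMATION_SCHEMA ACCEPT
- .+ schema=data_dictionary ACCEPT
- .+ schema=information_schema ACCEPT
- root table=.+ ACCEPT
- root schema=.+ ACCEPT
- root process=.+ ACCEPT
- user1 schema=user1 ACCEPT
- user2 schema=user2 ACCEPT
- user1 process=user1 ACCEPT
- user2 process=user2 ACCEPT
+ .+ schema=DATA_DICTIONARY ALLOW
+ .+ schema=INFORMATION_SCHEMA ALLOW
+ .+ schema=data_dictionary ALLOW
+ .+ schema=information_schema ALLOW
+ root table=.+ ALLOW
+ root schema=.+ ALLOW
+ root process=.+ ALLOW
+ user1 schema=user1 ALLOW
+ user2 schema=user2 ALLOW
+ user1 process=user1 ALLOW
+ user2 process=user2 ALLOW
 # Default to denying everything
 .+ schema=.+ DENY
 .+ process=.+ DENY
 
-Examples
---------
-
-Sorry, there are no examples for this plugin.
-
 .. _regex_policy_authors:
 
 Authors
@@ -100,7 +96,7 @@
 Version
 -------
 
-This documentation applies to **regex_policy 1.0**.
+This documentation applies to **regex_policy 2.0**.
 
 To see which version of the plugin a Drizzle server is running, execute:
 
@@ -111,6 +107,6 @@
 Changelog
 ---------
 
-v1.0
+v2.0
 ^^^^
 * First release.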
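--- a/plugin/regex_policy/module.cc
+++ b/plugin/regex_policy/module.cc
@@ -361,7 +361,7 @@
 {
 DRIZZLE_VERSION_ID,
 "regex_policy",
- "1.0",
+ "2.0",
 "Clint Byrum",
 N_("Authorization using a regex-matched policy file"),
 PLUGIN_LICENSE_GPL,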
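--- a/plugin/regex_policy/policy.h
+++ b/plugin/regex_policy/policy.h
@@ -46,9 +46,9 @@
 
 static const char *comment_regex = "^[[:space:]]*#.*$";
 static const char *empty_regex = "^[[:space:]]*$";
-static const char *table_match_regex = "^([^ ]+) table\\=([^ ]+) (ACCEPT|DENY)$";
-static const char *process_match_regex = "^([^ ]+) process\\=([^ ]+) (ACCEPT|DENY)$";
-static const char *schema_match_regex = "^([^ ]+) schema\\=([^ ]+) (ACCEPT|DENY)$";
+static const char *table_match_regex = "^([^ ]+) table\\=([^ ]+) (ACCEPT|REJECT|ALLOW|DENY)$";
+static const char *process_match_regex = "^([^ ]+) process\\=([^ ]+) (ACCEPT|REJECT|ALLOW|DENY)$";
+static const char *schema_match_regex = "^([^ ]+) schema\\=([^ ]+) (ACCEPT|REJECT|ALLOW|DENY)$";
 /* These correspond to the parenthesis above and must stay in sync */
 static const int MATCH_REGEX_USER_POS= 1;
 static const int MATCH_REGEX_OBJECT_POS= 2;
@@ -75,11 +75,11 @@
 user_re(u),
 object_re(obj)
 {
- if (act == "ACCEPT")
+ if ((act == "ACCEPT")||(act == "ALLOW"))
 {
 action = POLICY_ACCEPT;
 }
- else if (act == "DENY")
+ else if ((act == "REJECT")||(act == "DENY"))
 {
 action = POLICY_DENY;
 }
@@ -101,7 +101,7 @@
 }
 const char *getAction() const
 {
- return action == POLICY_ACCEPT ? "ACCEPT" : "DENY";
+ return action == POLICY_ACCEPT ? "ALLOW" : "DENY";
 }
 };
 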
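Review bot: The removed regexes in the first hunk accepted only `ACCEPT|DENY`, so `REJECT` was never a valid keyword in earlier releases; introducing it in the same change that declares it deprecated widens the policy vocabulary with no compatibility benefit, and it could be dropped from the three regexes and from the constructor branch, leaving `else if (act == "DENY")`. The constructor hunk also parses the deprecated spelling silently: `if ((act == "ACCEPT")||(act == "ALLOW"))` gives an operator no signal that the file still uses ACCEPT, so a warning through the plugin's existing error reporting when the `ACCEPT` comparison matches would make the deprecation visible in the server log. For an authorization plugin, keeping the set of recognised decision words minimal also reduces the chance that a rule is misread when the file is audited. The rest of the Policy constructor lies outside the hunk.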
118=== added file 'plugin/regex_policy/tests/r/basic_deprecated.result'
119--- plugin/regex_policy/tests/r/basic_deprecated.result 1970-01-01 00:00:00 +0000
120+++ plugin/regex_policy/tests/r/basic_deprecated.result 2012-03-31 16:16:21 +0000
121@@ -0,0 +1,72 @@
122+create schema user1;
123+create schema user2;
124+SELECT SCHEMA_NAME FROM DATA_DICTIONARY.SCHEMAS ORDER BY SCHEMA_NAME;
125+SCHEMA_NAME
126+DATA_DICTIONARY
127+INFORMATION_SCHEMA
128+mysql
129+test
130+user1
131+user2
132+use user2;
133+create table t1 (kill_id int);
134+insert into t1 values(connection_id());
135+SELECT * from user1.dont_exist;
136+ERROR 42S02: Unknown table 'user1.dont_exist'
137+SELECT SCHEMA_NAME FROM DATA_DICTIONARY.SCHEMAS ORDER BY SCHEMA_NAME;
138+SCHEMA_NAME
139+DATA_DICTIONARY
140+INFORMATION_SCHEMA
141+user1
142+SELECT * from user2.dont_exist;
143+ERROR 42000: Access denied for user 'user1' to schema 'user2'
144+create schema authorize_fail;
145+ERROR 42000: Access denied for user 'user1' to schema 'authorize_fail'
146+drop schema user2;
147+ERROR 42000: Access denied for user 'user1' to schema 'user2'
148+create table t1 (kill_id int);
149+insert into t1 values(connection_id());
150+SELECT USERNAME, DB FROM DATA_DICTIONARY.PROCESSLIST ORDER BY USERNAME, DB;
151+USERNAME DB
152+user1 user1
153+user1 user1
154+select IF(((@id := kill_id) - kill_id), "NO", "YES") from t1;
155+IF(((@id := kill_id) - kill_id), "NO", "YES")
156+YES
157+kill @id;
158+select IF(((@id := kill_id) - kill_id), "NO", "YES") from t1;
159+IF(((@id := kill_id) - kill_id), "NO", "YES")
160+YES
161+select @id != connection_id();
162+@id != connection_id()
163+1
164+update t1 set kill_id = connection_id();
165+SELECT USERNAME, DB FROM DATA_DICTIONARY.PROCESSLIST ORDER BY USERNAME, DB;
166+USERNAME DB
167+user2 user2
168+select IF(((@id := kill_id) - kill_id), "NO", "YES") from t1;
169+IF(((@id := kill_id) - kill_id), "NO", "YES")
170+YES
171+kill @id;
172+ERROR HY000: Unknown session id: #
173+SELECT USERNAME, DB FROM DATA_DICTIONARY.PROCESSLIST ORDER BY USERNAME, DB;
174+USERNAME DB
175+root user2
176+user1 user1
177+user1 user1
178+user2 user2
179+use user1;
180+select IF(((@id := kill_id) - kill_id), "NO", "YES") from t1;
181+IF(((@id := kill_id) - kill_id), "NO", "YES")
182+YES
183+kill @id;
184+select IF(((@id := kill_id) - kill_id), "NO", "YES") from t1;
185+IF(((@id := kill_id) - kill_id), "NO", "YES")
186+YES
187+select @id != connection_id();
188+@id != connection_id()
189+1
190+connect(localhost,authz,,authz_no,MASTER_PORT,);
191+ERROR 42000: Access denied for user 'authz' to schema 'authz_no'
192+drop schema user1;
193+drop schema user2;
194
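--- a/plugin/regex_policy/tests/t/basic.policy
+++ b/plugin/regex_policy/tests/t/basic.policy
@@ -1,15 +1,15 @@
 # This is a comment line and should be skipped
-.+ schema=DATA_DICTIONARY ACCEPT
-.+ schema=INFORMATION_SCHEMA ACCEPT
-.+ schema=data_dictionary ACCEPT
-.+ schema=information_schema ACCEPT
-root table=.+ ACCEPT
-root schema=.+ ACCEPT
-root process=.+ ACCEPT
-user1 schema=user1 ACCEPT
-user2 schema=user2 ACCEPT
-user1 process=user1 ACCEPT
-user2 process=user2 ACCEPT
+.+ schema=DATA_DICTIONARY ALLOW
+.+ schema=INFORMATION_SCHEMA ALLOW
+.+ schema=data_dictionary ALLOW
+.+ schema=information_schema ALLOW
+root table=.+ ALLOW
+root schema=.+ ALLOW
+root process=.+ ALLOW
+user1 schema=user1 ALLOW
+user2 schema=user2 ALLOW
+user1 process=user1 ALLOW
+user2 process=user2 ALLOW
 # Default to denying everything
 .+ schema=.+ DENY
 .+ process=.+ DENY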
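--- a/plugin/regex_policy/tests/t/basic_deprecated-master.opt
+++ b/plugin/regex_policy/tests/t/basic_deprecated-master.opt
@@ -0,0 +1,1 @@
+--plugin-add=regex_policy --regex-policy.policy=$TOP_SRCDIR/plugin/regex_policy/tests/t/basic_deprecated.policy --verbose=INSPECT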
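--- a/plugin/regex_policy/tests/t/basic_deprecated.policy
+++ b/plugin/regex_policy/tests/t/basic_deprecated.policy
@@ -0,0 +1,15 @@
+# This is a comment line and should be skipped
+.+ schema=DATA_DICTIONARY ACCEPT
+.+ schema=INFORMATION_SCHEMA ACCEPT
+.+ schema=data_dictionary ACCEPT
+.+ schema=information_schema ACCEPT
+root table=.+ ACCEPT
+root schema=.+ ACCEPT
+root process=.+ ACCEPT
+user1 schema=user1 ACCEPT
+user2 schema=user2 ACCEPT
+user1 process=user1 ACCEPT
+user2 process=user2 ACCEPT
+# Default to denying everything
+.+ schema=.+ REJECT
+.+ process=.+ REJECT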
252=== added file 'plugin/regex_policy/tests/t/basic_deprecated.test'
253--- plugin/regex_policy/tests/t/basic_deprecated.test 1970-01-01 00:00:00 +0000
254+++ plugin/regex_policy/tests/t/basic_deprecated.test 2012-03-31 16:16:21 +0000
255@@ -0,0 +1,130 @@
256+# Check for error if no parameter provided
257+create schema user1;
258+create schema user2;
259+SELECT SCHEMA_NAME FROM DATA_DICTIONARY.SCHEMAS ORDER BY SCHEMA_NAME;
260+
261+# Set up a table to be able to test not being able to kill other people
262+use user2;
263+create table t1 (kill_id int);
264+insert into t1 values(connection_id());
265+
266+# Test that we get a normal don't exist error for things that don't exist
267+--error ER_TABLE_UNKNOWN
268+SELECT * from user1.dont_exist;
269+
270+# Connect as user1 - should only see information_schema, user1 and
271+# data_dictionary
272+# Also tests that we are able to read data_dictionary, without which fail
273+# would happen
274+--replace_result $MASTER_MYSOCK MASTER_SOCKET $MASTER_MYPORT MASTER_PORT
275+connect (should_succeed,localhost,user1,,user1,,);
276+connection should_succeed;
277+SELECT SCHEMA_NAME FROM DATA_DICTIONARY.SCHEMAS ORDER BY SCHEMA_NAME;
278+
279+# Test that we get blocked on not being allowed to see user2 at all before
280+# we get blocked on the table not existing
281+--replace_result $MASTER_MYSOCK MASTER_SOCKET $MASTER_MYPORT MASTER_PORT
282+--replace_regex /@'.*?'/@'LOCALHOST'/
283+--error ER_DBACCESS_DENIED_ERROR
284+SELECT * from user2.dont_exist;
285+
286+# Test that we can't create a schema that isn't named the same as we are
287+--replace_result $MASTER_MYSOCK MASTER_SOCKET $MASTER_MYPORT MASTER_PORT
288+--replace_regex /@'.*?'/@'LOCALHOST'/
289+--error ER_DBACCESS_DENIED_ERROR
290+create schema authorize_fail;
291+
292+# Test that we can't drop a schema that isn't named the same as we are
293+--replace_result $MASTER_MYSOCK MASTER_SOCKET $MASTER_MYPORT MASTER_PORT
294+--replace_regex /@'.*?'/@'LOCALHOST'/
295+--error ER_DBACCESS_DENIED_ERROR
296+drop schema user2;
297+
298+# Set up a table to test that we can kill other versions of us
299+create table t1 (kill_id int);
300+insert into t1 values(connection_id());
301+
302+--replace_result $MASTER_MYSOCK MASTER_SOCKET $MASTER_MYPORT MASTER_PORT
303+connect (con1,localhost,user1,,user1,);
304+--replace_result $MASTER_MYSOCK MASTER_SOCKET $MASTER_MYPORT MASTER_PORT
305+connect (con2,localhost,user2,,user2,);
306+connection con1;
307+
308+# Check that we don't see other people's connections
309+SELECT USERNAME, DB FROM DATA_DICTIONARY.PROCESSLIST ORDER BY USERNAME, DB;
310+
311+# Check that we can kill a process that is owned by our user
312+--disable_reconnect
313+select IF(((@id := kill_id) - kill_id), "NO", "YES") from t1;
314+kill @id;
315+
316+connection should_succeed;
317+--sleep 2
318+
319+--disable_query_log
320+--disable_result_log
321+# One of the following statements should fail
322+--error EE_OK,EE_BADCLOSE,EE_UNKNOWN_CHARSET,EE_CANT_SYMLINK
323+select 1;
324+--error EE_OK,EE_BADCLOSE,EE_UNKNOWN_CHARSET,EE_CANT_SYMLINK
325+select 1;
326+--enable_query_log
327+--enable_result_log
328+--enable_reconnect
329+
330+select IF(((@id := kill_id) - kill_id), "NO", "YES") from t1;
331+select @id != connection_id();
332+
333+# Set the table to our current id now
334+update t1 set kill_id = connection_id();
335+
336+# Test that we cannot kill a process owned by someone else
337+connection con2;
338+SELECT USERNAME, DB FROM DATA_DICTIONARY.PROCESSLIST ORDER BY USERNAME, DB;
339+select IF(((@id := kill_id) - kill_id), "NO", "YES") from t1;
340+
341+--replace_regex /Unknown session id: [0-9]+/Unknown session id: #/
342+--error ER_NO_SUCH_THREAD
343+kill @id;
344+
345+# Test that root can see everybody
346+connection default;
347+SELECT USERNAME, DB FROM DATA_DICTIONARY.PROCESSLIST ORDER BY USERNAME, DB;
348+
349+# Test that root can kill someone else
350+use user1;
351+--disable_reconnect
352+select IF(((@id := kill_id) - kill_id), "NO", "YES") from t1;
353+kill @id;
354+
355+connection should_succeed;
356+--sleep 2
357+
358+--disable_query_log
359+--disable_result_log
360+# One of the following statements should fail
361+--error EE_OK,EE_BADCLOSE,EE_UNKNOWN_CHARSET,EE_CANT_SYMLINK
362+select 1;
363+--error EE_OK,EE_BADCLOSE,EE_UNKNOWN_CHARSET,EE_CANT_SYMLINK
364+select 1;
365+--enable_query_log
366+--enable_result_log
367+--enable_reconnect
368+
369+select IF(((@id := kill_id) - kill_id), "NO", "YES") from t1;
370+select @id != connection_id();
371+
372+
373+# Test failing initial connection
374+--replace_result $MASTER_MYSOCK MASTER_SOCKET $MASTER_MYPORT MASTER_PORT
375+--replace_regex /@'.*?'/@'LOCALHOST'/
376+--error ER_DBACCESS_DENIED_ERROR
377+connect (should_fail,localhost,authz,,authz_no,,);
378+
379+# Clean up after ourselves
380+connection default;
381+drop schema user1;
382+drop schema user2;
383+disconnect con1;
384+disconnect con2;
385+disconnect should_succeed;
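Review bot: The header comment on the first added line, `# Check for error if no parameter provided`, does not describe what follows (schema creation and per-user access checks), so it reads as a leftover from the test this file was presumably copied from; replacing it with `# Exercise the deprecated ACCEPT/REJECT policy keywords via basic_deprecated.policy` would tell a reader what this test covers beyond basic.test. The two `--sleep 2` waits after the `kill` statements make the expected result timing-dependent, which tends to show up as intermittent failures on loaded CI hosts; a bounded poll of the process list would be more robust than a fixed delay. Apart from the policy file it loads, the file appears to be a verbatim copy of the existing basic test, so any future fix to one will need to be mirrored in the other.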
