Merge lp:~ansharyan015/drizzle/trunk-bug-931917 into lp:drizzle

Proposed by Anshu Kumar
Status: Merged
Merged at revision: 2538
Proposed branch: lp:~ansharyan015/drizzle/trunk-bug-931917
Merge into: lp:drizzle
Diff against target: 385 lines (+250/-36)
8 files modified
plugin/regex_policy/docs/index.rst (+14/-18)
plugin/regex_policy/module.cc (+1/-1)
plugin/regex_policy/policy.h (+6/-6)
plugin/regex_policy/tests/r/basic_deprecated.result (+72/-0)
plugin/regex_policy/tests/t/basic.policy (+11/-11)
plugin/regex_policy/tests/t/basic_deprecated-master.opt (+1/-0)
plugin/regex_policy/tests/t/basic_deprecated.policy (+15/-0)
plugin/regex_policy/tests/t/basic_deprecated.test (+130/-0)
To merge this branch: bzr merge lp:~ansharyan015/drizzle/trunk-bug-931917
Reviewer Review Type Date Requested Status
Henrik Ingo Approve
Review via email: mp+100298@code.launchpad.net

Description of the change

Changed the regex_policy plugin to support ALLOW/DENY policy actions. ACCEPT/REJECT can still be used, but their use is deprecated. Corresponding changes were made in the docs, and test cases were added.

Revision history for this message
Henrik Ingo (hingo) wrote :

I've reviewed this prior to merge proposal, see the linked bug for discussion. If you have any other comments, please continue review here.

review: Approve
Revision history for this message
Brian Aker (brianaker) wrote :

> I've reviewed this prior to merge proposal, see the linked bug for discussion.
> If you have any other comments, please continue review here.

So should this go to 7.1 or 7.2?

Revision history for this message
Vijay Samuel (vjsamuel) wrote :

7.2
On Apr 1, 2012 6:09 AM, "Brian Aker" <email address hidden> wrote:

> > I've reviewed this prior to merge proposal, see the linked bug for
> discussion.
> > If you have any other comments, please continue review here.
>
> So should this go to 7.1 or 7.2?
> --
>
> https://code.launchpad.net/~ansharyan015/drizzle/trunk-bug-931917/+merge/100298
> Your team Drizzle Trunk is subscribed to branch lp:drizzle.
>

Revision history for this message
Henrik Ingo (hingo) wrote :

7.2. (We could actually backport it to 7.1 at a later time but not now.)

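--- a/plugin/regex_policy/docs/index.rst
+++ b/plugin/regex_policy/docs/index.rst
@@ -64,30 +64,26 @@
 The general line format of a regex policy file is::
 
  USER_PATTERN SCHEMA_OBJECT_PATTERN POLICY
+ In Drizzle 7 and Drizzle 7.1 the POLICY values supported were 'ACCEPT' and 'DENY'. Beginning with Drizzle 7.2.0, the values used should be 'ALLOW' and 'DENY'. Although 'ACCEPT' and 'REJECT' are also supported for backward compatibility, but their use is deprecated.
 
 For example::
 
  # This is a comment line and should be skipped
- .+ schema=DATA_DICTIONARY ACCEPT
- .+ schema=INFORMATION_SCHEMA ACCEPT
- .+ schema=data_dictionary ACCEPT
- .+ schema=information_schema ACCEPT
- root table=.+ ACCEPT
- root schema=.+ ACCEPT
- root process=.+ ACCEPT
- user1 schema=user1 ACCEPT
- user2 schema=user2 ACCEPT
- user1 process=user1 ACCEPT
- user2 process=user2 ACCEPT
+ .+ schema=DATA_DICTIONARY ALLOW
+ .+ schema=INFORMATION_SCHEMA ALLOW
+ .+ schema=data_dictionary ALLOW
+ .+ schema=information_schema ALLOW
+ root table=.+ ALLOW
+ root schema=.+ ALLOW
+ root process=.+ ALLOW
+ user1 schema=user1 ALLOW
+ user2 schema=user2 ALLOW
+ user1 process=user1 ALLOW
+ user2 process=user2 ALLOW
  # Default to denying everything
  .+ schema=.+ DENY
  .+ process=.+ DENY
 
-Examples
---------
-
-Sorry, there are no examples for this plugin.
-
 .. _regex_policy_authors:
 
 Authors
@@ -100,7 +96,7 @@
 Version
 -------
 
-This documentation applies to **regex_policy 1.0**.
+This documentation applies to **regex_policy 2.0**.
 
 To see which version of the plugin a Drizzle server is running, execute:
 
@@ -111,6 +107,6 @@
 Changelog
 ---------
 
-v1.0
+v2.0
 ^^^^
 * First release.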
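--- a/plugin/regex_policy/module.cc
+++ b/plugin/regex_policy/module.cc
@@ -361,7 +361,7 @@
 {
  DRIZZLE_VERSION_ID,
  "regex_policy",
- "1.0",
+ "2.0",
  "Clint Byrum",
  N_("Authorization using a regex-matched policy file"),
  PLUGIN_LICENSE_GPL,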
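--- a/plugin/regex_policy/policy.h
+++ b/plugin/regex_policy/policy.h
@@ -46,9 +46,9 @@
 
 static const char *comment_regex = "^[[:space:]]*#.*$";
 static const char *empty_regex = "^[[:space:]]*$";
-static const char *table_match_regex = "^([^ ]+) table\\=([^ ]+) (ACCEPT|DENY)$";
-static const char *process_match_regex = "^([^ ]+) process\\=([^ ]+) (ACCEPT|DENY)$";
-static const char *schema_match_regex = "^([^ ]+) schema\\=([^ ]+) (ACCEPT|DENY)$";
+static const char *table_match_regex = "^([^ ]+) table\\=([^ ]+) (ACCEPT|REJECT|ALLOW|DENY)$";
+static const char *process_match_regex = "^([^ ]+) process\\=([^ ]+) (ACCEPT|REJECT|ALLOW|DENY)$";
+static const char *schema_match_regex = "^([^ ]+) schema\\=([^ ]+) (ACCEPT|REJECT|ALLOW|DENY)$";
 /* These correspond to the parenthesis above and must stay in sync */
 static const int MATCH_REGEX_USER_POS= 1;
 static const int MATCH_REGEX_OBJECT_POS= 2;
@@ -75,11 +75,11 @@
  user_re(u),
  object_re(obj)
  {
- if (act == "ACCEPT")
+ if ((act == "ACCEPT")||(act == "ALLOW"))
  {
  action = POLICY_ACCEPT;
  }
- else if (act == "DENY")
+ else if ((act == "REJECT")||(act == "DENY"))
  {
  action = POLICY_DENY;
  }
@@ -101,7 +101,7 @@
  }
  const char *getAction() const
  {
- return action == POLICY_ACCEPT ? "ACCEPT" : "DENY";
+ return action == POLICY_ACCEPT ? "ALLOW" : "DENY";
  }
 };
 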
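Review bot: The constructor branch at line 78 maps the deprecated tokens ACCEPT and REJECT silently, so an operator gets no signal in the error log that a policy file relies on syntax the proposal declares deprecated, and nothing will flag such files before a later release drops the tokens from the match regexes at lines 49–51; a warning emitted through the plugin's existing error-message facility when the ACCEPT or REJECT comparison is the one that matches would close that gap. The index.rst hunk says Drizzle 7 and 7.1 supported only ACCEPT and DENY, so REJECT at lines 49–51 and 82 is a new alias rather than backward compatibility and the comment above the regexes should say so, e.g. `/* ACCEPT/REJECT are deprecated aliases of ALLOW/DENY; warn when seen */`. What happens to a line that matches none of the regexes, and the constructor's final else branch, lie outside the hunk, so the fail-closed behaviour for an unrecognised token cannot be confirmed from here. Style: `(act == "ACCEPT")||(act == "ALLOW")` wraps each comparison in parentheses and omits spaces around `||`, unlike the surrounding code; `act == "ACCEPT" || act == "ALLOW"` reads as the rest of the file does.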
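--- a/plugin/regex_policy/tests/r/basic_deprecated.result
+++ b/plugin/regex_policy/tests/r/basic_deprecated.result
@@ -0,0 +1,72 @@
+create schema user1;
+create schema user2;
+SELECT SCHEMA_NAME FROM DATA_DICTIONARY.SCHEMAS ORDER BY SCHEMA_NAME;
+SCHEMA_NAME
+DATA_DICTIONARY
+INFORMATION_SCHEMA
+mysql
+test
+user1
+user2
+use user2;
+create table t1 (kill_id int);
+insert into t1 values(connection_id());
+SELECT * from user1.dont_exist;
+ERROR 42S02: Unknown table 'user1.dont_exist'
+SELECT SCHEMA_NAME FROM DATA_DICTIONARY.SCHEMAS ORDER BY SCHEMA_NAME;
+SCHEMA_NAME
+DATA_DICTIONARY
+INFORMATION_SCHEMA
+user1
+SELECT * from user2.dont_exist;
+ERROR 42000: Access denied for user 'user1' to schema 'user2'
+create schema authorize_fail;
+ERROR 42000: Access denied for user 'user1' to schema 'authorize_fail'
+drop schema user2;
+ERROR 42000: Access denied for user 'user1' to schema 'user2'
+create table t1 (kill_id int);
+insert into t1 values(connection_id());
+SELECT USERNAME, DB FROM DATA_DICTIONARY.PROCESSLIST ORDER BY USERNAME, DB;
+USERNAME DB
+user1 user1
+user1 user1
+select IF(((@id := kill_id) - kill_id), "NO", "YES") from t1;
+IF(((@id := kill_id) - kill_id), "NO", "YES")
+YES
+kill @id;
+select IF(((@id := kill_id) - kill_id), "NO", "YES") from t1;
+IF(((@id := kill_id) - kill_id), "NO", "YES")
+YES
+select @id != connection_id();
+@id != connection_id()
+1
+update t1 set kill_id = connection_id();
+SELECT USERNAME, DB FROM DATA_DICTIONARY.PROCESSLIST ORDER BY USERNAME, DB;
+USERNAME DB
+user2 user2
+select IF(((@id := kill_id) - kill_id), "NO", "YES") from t1;
+IF(((@id := kill_id) - kill_id), "NO", "YES")
+YES
+kill @id;
+ERROR HY000: Unknown session id: #
+SELECT USERNAME, DB FROM DATA_DICTIONARY.PROCESSLIST ORDER BY USERNAME, DB;
+USERNAME DB
+root user2
+user1 user1
+user1 user1
+user2 user2
+use user1;
+select IF(((@id := kill_id) - kill_id), "NO", "YES") from t1;
+IF(((@id := kill_id) - kill_id), "NO", "YES")
+YES
+kill @id;
+select IF(((@id := kill_id) - kill_id), "NO", "YES") from t1;
+IF(((@id := kill_id) - kill_id), "NO", "YES")
+YES
+select @id != connection_id();
+@id != connection_id()
+1
+connect(localhost,authz,,authz_no,MASTER_PORT,);
+ERROR 42000: Access denied for user 'authz' to schema 'authz_no'
+drop schema user1;
+drop schema user2;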
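--- a/plugin/regex_policy/tests/t/basic.policy
+++ b/plugin/regex_policy/tests/t/basic.policy
@@ -1,15 +1,15 @@
 # This is a comment line and should be skipped
-.+ schema=DATA_DICTIONARY ACCEPT
-.+ schema=INFORMATION_SCHEMA ACCEPT
-.+ schema=data_dictionary ACCEPT
-.+ schema=information_schema ACCEPT
-root table=.+ ACCEPT
-root schema=.+ ACCEPT
-root process=.+ ACCEPT
-user1 schema=user1 ACCEPT
-user2 schema=user2 ACCEPT
-user1 process=user1 ACCEPT
-user2 process=user2 ACCEPT
+.+ schema=DATA_DICTIONARY ALLOW
+.+ schema=INFORMATION_SCHEMA ALLOW
+.+ schema=data_dictionary ALLOW
+.+ schema=information_schema ALLOW
+root table=.+ ALLOW
+root schema=.+ ALLOW
+root process=.+ ALLOW
+user1 schema=user1 ALLOW
+user2 schema=user2 ALLOW
+user1 process=user1 ALLOW
+user2 process=user2 ALLOW
 # Default to denying everything
 .+ schema=.+ DENY
 .+ process=.+ DENY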
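--- a/plugin/regex_policy/tests/t/basic_deprecated-master.opt
+++ b/plugin/regex_policy/tests/t/basic_deprecated-master.opt
@@ -0,0 +1,1 @@
+--plugin-add=regex_policy --regex-policy.policy=$TOP_SRCDIR/plugin/regex_policy/tests/t/basic_deprecated.policy --verbose=INSPECT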
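--- a/plugin/regex_policy/tests/t/basic_deprecated.policy
+++ b/plugin/regex_policy/tests/t/basic_deprecated.policy
@@ -0,0 +1,15 @@
+# This is a comment line and should be skipped
+.+ schema=DATA_DICTIONARY ACCEPT
+.+ schema=INFORMATION_SCHEMA ACCEPT
+.+ schema=data_dictionary ACCEPT
+.+ schema=information_schema ACCEPT
+root table=.+ ACCEPT
+root schema=.+ ACCEPT
+root process=.+ ACCEPT
+user1 schema=user1 ACCEPT
+user2 schema=user2 ACCEPT
+user1 process=user1 ACCEPT
+user2 process=user2 ACCEPT
+# Default to denying everything
+.+ schema=.+ REJECT
+.+ process=.+ REJECT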
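Review bot: This file does not exercise the legacy format it is named for: the index.rst hunk states that Drizzle 7 and 7.1 accepted only 'ACCEPT' and 'DENY', yet lines 14–15 pair ACCEPT with `REJECT`, a token those releases did not recognise, so an unmodified pre-7.2 ACCEPT/DENY policy file is covered by neither this file nor basic.policy. Keeping the default-deny lines as `.+ schema=.+ DENY` and `.+ process=.+ DENY` would test the real legacy file, and the REJECT alias can be covered by one additional deny line if it is intended to stay. A leading comment such as `# Legacy Drizzle 7.1 syntax: ACCEPT is a deprecated alias of ALLOW` would also tell the next reader why this file deliberately differs from basic.policy.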
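--- a/plugin/regex_policy/tests/t/basic_deprecated.test
+++ b/plugin/regex_policy/tests/t/basic_deprecated.test
@@ -0,0 +1,130 @@
+# Check for error if no parameter provided
+create schema user1;
+create schema user2;
+SELECT SCHEMA_NAME FROM DATA_DICTIONARY.SCHEMAS ORDER BY SCHEMA_NAME;
+
+# Set up a table to be able to test not being able to kill other people
+use user2;
+create table t1 (kill_id int);
+insert into t1 values(connection_id());
+
+# Test that we get a normal don't exist error for things that don't exist
+--error ER_TABLE_UNKNOWN
+SELECT * from user1.dont_exist;
+
+# Connect as user1 - should only see information_schema, user1 and
+# data_dictionary
+# Also tests that we are able to read data_dictionary, without which fail
+# would happen
+--replace_result $MASTER_MYSOCK MASTER_SOCKET $MASTER_MYPORT MASTER_PORT
+connect (should_succeed,localhost,user1,,user1,,);
+connection should_succeed;
+SELECT SCHEMA_NAME FROM DATA_DICTIONARY.SCHEMAS ORDER BY SCHEMA_NAME;
+
+# Test that we get blocked on not being allowed to see user2 at all before
+# we get blocked on the table not existing
+--replace_result $MASTER_MYSOCK MASTER_SOCKET $MASTER_MYPORT MASTER_PORT
+--replace_regex /@'.*?'/@'LOCALHOST'/
+--error ER_DBACCESS_DENIED_ERROR
+SELECT * from user2.dont_exist;
+
+# Test that we can't create a schema that isn't named the same as we are
+--replace_result $MASTER_MYSOCK MASTER_SOCKET $MASTER_MYPORT MASTER_PORT
+--replace_regex /@'.*?'/@'LOCALHOST'/
+--error ER_DBACCESS_DENIED_ERROR
+create schema authorize_fail;
+
+# Test that we can't drop a schema that isn't named the same as we are
+--replace_result $MASTER_MYSOCK MASTER_SOCKET $MASTER_MYPORT MASTER_PORT
+--replace_regex /@'.*?'/@'LOCALHOST'/
+--error ER_DBACCESS_DENIED_ERROR
+drop schema user2;
+
+# Set up a table to test that we can kill other versions of us
+create table t1 (kill_id int);
+insert into t1 values(connection_id());
+
+--replace_result $MASTER_MYSOCK MASTER_SOCKET $MASTER_MYPORT MASTER_PORT
+connect (con1,localhost,user1,,user1,);
+--replace_result $MASTER_MYSOCK MASTER_SOCKET $MASTER_MYPORT MASTER_PORT
+connect (con2,localhost,user2,,user2,);
+connection con1;
+
+# Check that we don't see other people's connections
+SELECT USERNAME, DB FROM DATA_DICTIONARY.PROCESSLIST ORDER BY USERNAME, DB;
+
+# Check that we can kill a process that is owned by our user
+--disable_reconnect
+select IF(((@id := kill_id) - kill_id), "NO", "YES") from t1;
+kill @id;
+
+connection should_succeed;
+--sleep 2
+
+--disable_query_log
+--disable_result_log
+# One of the following statements should fail
+--error EE_OK,EE_BADCLOSE,EE_UNKNOWN_CHARSET,EE_CANT_SYMLINK
+select 1;
+--error EE_OK,EE_BADCLOSE,EE_UNKNOWN_CHARSET,EE_CANT_SYMLINK
+select 1;
+--enable_query_log
+--enable_result_log
+--enable_reconnect
+
+select IF(((@id := kill_id) - kill_id), "NO", "YES") from t1;
+select @id != connection_id();
+
+# Set the table to our current id now
+update t1 set kill_id = connection_id();
+
+# Test that we cannot kill a process owned by someone else
+connection con2;
+SELECT USERNAME, DB FROM DATA_DICTIONARY.PROCESSLIST ORDER BY USERNAME, DB;
+select IF(((@id := kill_id) - kill_id), "NO", "YES") from t1;
+
+--replace_regex /Unknown session id: [0-9]+/Unknown session id: #/
+--error ER_NO_SUCH_THREAD
+kill @id;
+
+# Test that root can see everybody
+connection default;
+SELECT USERNAME, DB FROM DATA_DICTIONARY.PROCESSLIST ORDER BY USERNAME, DB;
+
+# Test that root can kill someone else
+use user1;
+--disable_reconnect
+select IF(((@id := kill_id) - kill_id), "NO", "YES") from t1;
+kill @id;
+
+connection should_succeed;
+--sleep 2
+
+--disable_query_log
+--disable_result_log
+# One of the following statements should fail
+--error EE_OK,EE_BADCLOSE,EE_UNKNOWN_CHARSET,EE_CANT_SYMLINK
+select 1;
+--error EE_OK,EE_BADCLOSE,EE_UNKNOWN_CHARSET,EE_CANT_SYMLINK
+select 1;
+--enable_query_log
+--enable_result_log
+--enable_reconnect
+
+select IF(((@id := kill_id) - kill_id), "NO", "YES") from t1;
+select @id != connection_id();
+
+
+# Test failing initial connection
+--replace_result $MASTER_MYSOCK MASTER_SOCKET $MASTER_MYPORT MASTER_PORT
+--replace_regex /@'.*?'/@'LOCALHOST'/
+--error ER_DBACCESS_DENIED_ERROR
+connect (should_fail,localhost,authz,,authz_no,,);
+
+# Clean up after ourselves
+connection default;
+drop schema user1;
+drop schema user2;
+disconnect con1;
+disconnect con2;
+disconnect should_succeed;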
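Review bot: The opening comment at line 1, `# Check for error if no parameter provided`, does not describe what follows (schema creation and the authorization checks) and appears to have been carried over from the existing basic test; a header such as `# Same scenario as basic.test, run against basic_deprecated.policy to prove the deprecated ACCEPT/REJECT tokens behave identically` would state this file's purpose. The rest of the file looks like a verbatim copy of that test, so the two will drift as the plugin changes; if the test runner supports `--source`, the shared statements could live in one file included by both, leaving only the -master.opt to differ. The `--sleep 2` waits at lines 62 and 101 combined with the permissive `--error EE_OK,...` lists make the kill verification timing-dependent, which is inherited from the original but now present twice. Nothing here checks that using the deprecated tokens is reported to the operator, so if a deprecation warning is added to the policy parser this test is the place to assert it appears.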
