Merge lp:~gl-az/percona-server/BT23597_utility-user-access_5.6 into lp:percona-server/5.6

Proposed by George Ormond Lorch III
Status: Merged
Approved by: Alexey Kopytov
Approved revision: no longer in the source branch.
Merged at revision: 418
Proposed branch: lp:~gl-az/percona-server/BT23597_utility-user-access_5.6
Merge into: lp:percona-server/5.6
Diff against target: 262 lines (+86/-21)
8 files modified
Percona-Server/mysql-test/r/mysqld--help-notwin.result (+5/-0)
Percona-Server/mysql-test/r/mysqld--help-win.result (+5/-0)
Percona-Server/mysql-test/r/percona_utility_user.result (+12/-7)
Percona-Server/mysql-test/t/percona_utility_user-master.opt (+1/-1)
Percona-Server/mysql-test/t/percona_utility_user.test (+24/-10)
Percona-Server/sql/mysqld.cc (+9/-0)
Percona-Server/sql/mysqld.h (+1/-0)
Percona-Server/sql/sql_acl.cc (+29/-3)
To merge this branch: bzr merge lp:~gl-az/percona-server/BT23597_utility-user-access_5.6
Reviewer | Review Type | Date Requested | Status
Alexey Kopytov (community) | | | Approve
Laurynas Biveinis (community) | | | Approve
Sergei Glushchenko (community) | g2 | | Approve
Review via email: mp+181176@code.launchpad.net

Description of the change

Merge utility-user-access from 5.5

George Ormond Lorch III (gl-az) wrote :
Sergei Glushchenko (sergei.glushchenko) wrote :

See comments on 5.5 version of MP

review: Needs Fixing (g2)
George Ormond Lorch III (gl-az) wrote :
Sergei Glushchenko (sergei.glushchenko) wrote :

Looks good George, but please create separate blueprint for 5.6 and link this branch to it. Approve.

review: Approve (g2)
George Ormond Lorch III (gl-az) wrote :

Ahh yeah, totally forgot about the duplicate blueprint thing...again.
Will do in just a minute here.

On 8/21/2013 12:46 PM, Sergei Glushchenko wrote:
> Review: Approve g2
>
> Looks good George, but please create separate blueprint for 5.6 and link this branch to it. Approve.

--
George O. Lorch III
Software Engineer, Percona
+1-888-401-3401 x542 US/Arizona (GMT -7)
skype: george.ormond.lorch.iii

Laurynas Biveinis (laurynas-biveinis) wrote :

Same comments as for 5.5 MP.

review: Needs Fixing
George Ormond Lorch III (gl-az) wrote :

See comments, fixes and manual test results in 5.5
http://jenkins.percona.com/view/PS%205.6/job/percona-server-5.6-param/230/

George Ormond Lorch III (gl-az) wrote :
George Ormond Lorch III (gl-az) wrote :

Oops, let's try this again with the right branch in Jenkins
http://jenkins.percona.com/view/PS%205.6/job/percona-server-5.6-param/232/

Alexey Kopytov (akopytov) wrote :

Same comments as in 5.5.

review: Needs Fixing
George Ormond Lorch III (gl-az) wrote :
Laurynas Biveinis (laurynas-biveinis) wrote :

Same concern as with the 5.5 MP.

review: Needs Fixing
George Ormond Lorch III (gl-az) wrote :
Laurynas Biveinis (laurynas-biveinis) wrote :

s/priviliges/privileges/g in the testcase comments. This fix does not need a Jenkins re-run or another MP.

Leaving as Needs Review for Alexey.

review: Approve
Alexey Kopytov (akopytov) :
review: Approve

Preview Diff

=== modified file 'Percona-Server/mysql-test/r/mysqld--help-notwin.result'
--- Percona-Server/mysql-test/r/mysqld--help-notwin.result 2013-08-06 15:16:34 +0000
+++ Percona-Server/mysql-test/r/mysqld--help-notwin.result 2013-08-27 20:56:36 +0000
@@ -1044,6 +1044,10 @@
1044 list of users and recognized as the utility user.1044 list of users and recognized as the utility user.
1045 --utility-user-password=name 1045 --utility-user-password=name
1046 Specifies the password required for the utility user.1046 Specifies the password required for the utility user.
1047 --utility-user-privileges=name
1048 Specifies the privileges that the utility user will have
1049 in a comma delimited list. See the manual for a complete
1050 list of privileges.
1047 --utility-user-schema-access=name 1051 --utility-user-schema-access=name
1048 Specifies the schemas that the utility user has access to1052 Specifies the schemas that the utility user has access to
1049 in a comma delimited list.1053 in a comma delimited list.
@@ -1366,6 +1370,7 @@
1366userstat FALSE1370userstat FALSE
1367utility-user (No default value)1371utility-user (No default value)
1368utility-user-password (No default value)1372utility-user-password (No default value)
1373utility-user-privileges
1369utility-user-schema-access (No default value)1374utility-user-schema-access (No default value)
1370validate-user-plugins TRUE1375validate-user-plugins TRUE
1371verbose TRUE1376verbose TRUE
13721377
=== modified file 'Percona-Server/mysql-test/r/mysqld--help-win.result'
--- Percona-Server/mysql-test/r/mysqld--help-win.result 2013-08-06 15:16:34 +0000
+++ Percona-Server/mysql-test/r/mysqld--help-win.result 2013-08-27 20:56:36 +0000
@@ -1008,6 +1008,10 @@
1008 list of users and recognized as the utility user.1008 list of users and recognized as the utility user.
1009 --utility-user-password=name 1009 --utility-user-password=name
1010 Specifies the password required for the utility user.1010 Specifies the password required for the utility user.
1011 --utility-user-privileges=name
1012 Specifies the privileges that the utility user will have
1013 in a comma delimited list. See the manual for a complete
1014 list of privileges.
1011 --utility-user-schema-access=name 1015 --utility-user-schema-access=name
1012 Specifies the schemas that the utility user has access to1016 Specifies the schemas that the utility user has access to
1013 in a comma delimited list.1017 in a comma delimited list.
@@ -1311,6 +1315,7 @@
1311updatable-views-with-limit YES1315updatable-views-with-limit YES
1312utility-user (No default value)1316utility-user (No default value)
1313utility-user-password (No default value)1317utility-user-password (No default value)
1318utility-user-privileges
1314utility-user-schema-access (No default value)1319utility-user-schema-access (No default value)
1315validate-user-plugins TRUE1320validate-user-plugins TRUE
1316verbose TRUE1321verbose TRUE
13171322
=== modified file 'Percona-Server/mysql-test/r/percona_utility_user.result'
--- Percona-Server/mysql-test/r/percona_utility_user.result 2013-05-06 15:43:51 +0000
+++ Percona-Server/mysql-test/r/percona_utility_user.result 2013-08-27 20:56:36 +0000
@@ -35,8 +35,6 @@
35ERROR HY000: Operation DROP USER failed for 'frank'@'localhost'35ERROR HY000: Operation DROP USER failed for 'frank'@'localhost'
36DROP USER 'frank'@'%';36DROP USER 'frank'@'%';
37ERROR HY000: Operation DROP USER failed for 'frank'@'%'37ERROR HY000: Operation DROP USER failed for 'frank'@'%'
38CREATE DATABASE mysqltest;
39CREATE TABLE mysqltest.t1 (a INT, b INT);
40CREATE USER 'mysqltest_1'@'localhost';38CREATE USER 'mysqltest_1'@'localhost';
41SELECT user FROM mysql.user WHERE user LIKE 'frank';39SELECT user FROM mysql.user WHERE user LIKE 'frank';
42user40user
@@ -49,19 +47,27 @@
49SHOW DATABASES;47SHOW DATABASES;
50Database48Database
51information_schema49information_schema
50mtr
52mysql51mysql
53performance_schema52performance_schema
53test
54CREATE USER 'frankjr'@'localhost' IDENTIFIED BY 'password';54CREATE USER 'frankjr'@'localhost' IDENTIFIED BY 'password';
55GRANT ALL ON mysql.* TO 'frankjr'@'localhost';55GRANT ALL ON mysql.* TO 'frankjr'@'localhost';
56REVOKE ALL PRIVILEGES, GRANT OPTION FROM 'frankjr'@'localhost';56REVOKE ALL PRIVILEGES, GRANT OPTION FROM 'frankjr'@'localhost';
57SET PASSWORD FOR 'frankjr'@'localhost' = PASSWORD('');57SET PASSWORD FOR 'frankjr'@'localhost' = PASSWORD('');
58DROP USER 'frankjr'@'localhost';58DROP USER 'frankjr'@'localhost';
59CREATE DATABASE mysqltest;
60CREATE TABLE mysqltest.t1 (a INT, b INT);
59SHOW TABLES IN mysqltest;61SHOW TABLES IN mysqltest;
60ERROR 42000: Access denied for user 'frank'@'%' to database 'mysqltest'62Tables_in_mysqltest
61CREATE DATABASE foobar;63t1
62ERROR 42000: Access denied for user 'frank'@'%' to database 'foobar'64INSERT INTO mysqltest.t1(a, b) VALUES (1, 1);
65ERROR 42000: INSERT command denied to user 'frank'@'localhost' for table 't1'
66SELECT * FROM mysqltest.t1;
67ERROR 42000: SELECT command denied to user 'frank'@'localhost' for table 't1'
68ALTER TABLE mysqltest.t1 DROP COLUMN b;
69ERROR 42000: ALTER command denied to user 'frank'@'localhost' for table 't1'
63DROP DATABASE mysqltest;70DROP DATABASE mysqltest;
64ERROR 42000: Access denied for user 'frank'@'%' to database 'mysqltest'
65SET PASSWORD FOR 'mysqltest_1'@'localhost' = PASSWORD('newpass');71SET PASSWORD FOR 'mysqltest_1'@'localhost' = PASSWORD('newpass');
66SET @testtemp= @@global.innodb_fast_shutdown;72SET @testtemp= @@global.innodb_fast_shutdown;
67SET @@global.innodb_fast_shutdown= 2;73SET @@global.innodb_fast_shutdown= 2;
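Review bot: the expected output in this hunk shows the privileges from --utility-user-privileges taking effect outside the schemas named in --utility_user_schema_access, and nothing in the help text says so. The .opt file limits schema access to mysql,performance_schema, yet SHOW DATABASES now also lists mtr and test, and CREATE DATABASE mysqltest, SHOW TABLES IN mysqltest and DROP DATABASE mysqltest all succeed as frank. If that is the intended semantics, state it in the option description so operators do not assume the schema list bounds what the granted privileges can reach.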
@@ -74,7 +80,6 @@
740800
75SET @@global.innodb_fast_shutdown= @testtemp;81SET @@global.innodb_fast_shutdown= @testtemp;
76DROP USER 'mysqltest_1'@'localhost';82DROP USER 'mysqltest_1'@'localhost';
77DROP DATABASE mysqltest;
78CREATE USER plug IDENTIFIED WITH 'test_plugin_server' AS 'frank';83CREATE USER plug IDENTIFIED WITH 'test_plugin_server' AS 'frank';
79SELECT plugin,authentication_string FROM mysql.user WHERE User='plug';84SELECT plugin,authentication_string FROM mysql.user WHERE User='plug';
80plugin authentication_string85plugin authentication_string
8186
=== modified file 'Percona-Server/mysql-test/t/percona_utility_user-master.opt'
--- Percona-Server/mysql-test/t/percona_utility_user-master.opt 2013-05-06 15:43:51 +0000
+++ Percona-Server/mysql-test/t/percona_utility_user-master.opt 2013-08-27 20:56:36 +0000
@@ -1,1 +1,1 @@
1--utility_user=frank@% --utility_user_password=password --utility_user_schema_access=mysql,performance_schema $PLUGIN_AUTH_OPT $PLUGIN_AUTH_LOAD1--utility_user=frank@% --utility_user_password=password --utility_user_schema_access=mysql,performance_schema --utility-user-privileges="CREATE,DROP,SHOW DATABASES" $PLUGIN_AUTH_OPT $PLUGIN_AUTH_LOAD
22
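Review bot: the new option on this line is spelled with hyphens (--utility-user-privileges) while the three existing utility user options beside it use underscores (--utility_user=, --utility_user_password=, --utility_user_schema_access=). Use one spelling for all four so the line reads consistently and is easy to grep.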
=== modified file 'Percona-Server/mysql-test/t/percona_utility_user.test'
--- Percona-Server/mysql-test/t/percona_utility_user.test 2013-05-06 15:43:51 +0000
+++ Percona-Server/mysql-test/t/percona_utility_user.test 2013-08-27 20:56:36 +0000
@@ -66,8 +66,6 @@
66--error ER_CANNOT_USER 66--error ER_CANNOT_USER
67DROP USER 'frank'@'%';67DROP USER 'frank'@'%';
6868
69CREATE DATABASE mysqltest;
70CREATE TABLE mysqltest.t1 (a INT, b INT);
71CREATE USER 'mysqltest_1'@'localhost';69CREATE USER 'mysqltest_1'@'localhost';
7270
73connect (frank,localhost,frank,password,mysql);71connect (frank,localhost,frank,password,mysql);
@@ -91,13 +89,28 @@
9189
92DROP USER 'frankjr'@'localhost';90DROP USER 'frankjr'@'localhost';
9391
94--error ER_DBACCESS_DENIED_ERROR92# Allowed because --utility-user-priviliges has CREATE
93CREATE DATABASE mysqltest;
94
95# Allowed because --utility-user-priviliges has CREATE
96CREATE TABLE mysqltest.t1 (a INT, b INT);
97
98# Allowed because --utility-user-priviliges has SHOW DATABASES
95SHOW TABLES IN mysqltest;99SHOW TABLES IN mysqltest;
96100
97--error ER_DBACCESS_DENIED_ERROR101# NOT allowed because --utility-user-priviliges does not have INSERT
98CREATE DATABASE foobar;102--error ER_TABLEACCESS_DENIED_ERROR
99103INSERT INTO mysqltest.t1(a, b) VALUES (1, 1);
100--error ER_DBACCESS_DENIED_ERROR104
105# NOT allowed because --utility-user-priviliges does not have SELECT
106--error ER_TABLEACCESS_DENIED_ERROR
107SELECT * FROM mysqltest.t1;
108
109# NOT allowed because --utility-user-priviliges does not have ALTER
110--error ER_TABLEACCESS_DENIED_ERROR
111ALTER TABLE mysqltest.t1 DROP COLUMN b;
112
113# Allowed because --utility-user-priviliges has DROP
101DROP DATABASE mysqltest;114DROP DATABASE mysqltest;
102115
103SET PASSWORD FOR 'mysqltest_1'@'localhost' = PASSWORD('newpass');116SET PASSWORD FOR 'mysqltest_1'@'localhost' = PASSWORD('newpass');
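Review bot: the default case, a server started without --utility-user-privileges, loses its test coverage in this hunk. Every statement that previously expected ER_DBACCESS_DENIED_ERROR (SHOW TABLES IN mysqltest, CREATE DATABASE foobar, DROP DATABASE mysqltest) is now either expected to succeed or removed, and the .opt file always passes the new option. Add a second test or .opt combination that leaves the option unset and keeps those denial checks, so the "basic access rights" branch in sql_acl.cc stays exercised. The new comments also spell the option "--utility-user-priviliges".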
@@ -110,11 +123,12 @@
110SET @@global.innodb_fast_shutdown= @testtemp;123SET @@global.innodb_fast_shutdown= @testtemp;
111124
112connection default;125connection default;
126disconnect frank;
113127
128#
129# cleanup from above tests
130#
114DROP USER 'mysqltest_1'@'localhost';131DROP USER 'mysqltest_1'@'localhost';
115DROP DATABASE mysqltest;
116
117disconnect frank;
118132
119#133#
120# Try to impersonate a proxied utility_user134# Try to impersonate a proxied utility_user
121135
=== modified file 'Percona-Server/sql/mysqld.cc'
--- Percona-Server/sql/mysqld.cc 2013-08-14 03:57:21 +0000
+++ Percona-Server/sql/mysqld.cc 2013-08-27 20:56:36 +0000
@@ -715,6 +715,10 @@
715char* utility_user_password= NULL;715char* utility_user_password= NULL;
716char* utility_user_schema_access= NULL;716char* utility_user_schema_access= NULL;
717717
718/* Plucking this from sql/sql_acl.cc for an array of privilege names */
719extern TYPELIB utility_user_privileges_typelib;
720ulonglong utility_user_privileges= 0;
721
718/* Thread specific variables */722/* Thread specific variables */
719723
720pthread_key(MEM_ROOT**,THR_MALLOC);724pthread_key(MEM_ROOT**,THR_MALLOC);
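Review bot: the extern TYPELIB utility_user_privileges_typelib declaration at new line 719 lives in mysqld.cc rather than in a header, so the compiler never checks it against the definition in sql_acl.cc. Move the declaration into sql_acl.h and include that here; the "Plucking this from sql/sql_acl.cc" comment can then go.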
@@ -7389,6 +7393,11 @@
7389 "utility user.",7393 "utility user.",
7390 &utility_user_password, 0, 0, GET_STR, REQUIRED_ARG,7394 &utility_user_password, 0, 0, GET_STR, REQUIRED_ARG,
7391 0, 0, 0, 0, 0, 0},7395 0, 0, 0, 0, 0, 0},
7396 {"utility_user_privileges", 0, "Specifies the privileges that the utility "
7397 "user will have in a comma delimited list. See the manual for a complete "
7398 "list of privileges.",
7399 &utility_user_privileges, 0, &utility_user_privileges_typelib,
7400 GET_SET, REQUIRED_ARG, 0, 0, 0, 0, 0, 0},
7392 {"utility_user_schema_access", 0, "Specifies the schemas that the utility "7401 {"utility_user_schema_access", 0, "Specifies the schemas that the utility "
7393 "user has access to in a comma delimited list.",7402 "user has access to in a comma delimited list.",
7394 &utility_user_schema_access, 0, 0, GET_STR, REQUIRED_ARG,7403 &utility_user_schema_access, 0, 0, GET_STR, REQUIRED_ARG,
73957404
=== modified file 'Percona-Server/sql/mysqld.h'
--- Percona-Server/sql/mysqld.h 2013-08-06 15:16:34 +0000
+++ Percona-Server/sql/mysqld.h 2013-08-27 20:56:36 +0000
@@ -312,6 +312,7 @@
312extern char* utility_user;312extern char* utility_user;
313extern char* utility_user_password;313extern char* utility_user_password;
314extern char* utility_user_schema_access;314extern char* utility_user_schema_access;
315extern ulonglong utility_user_privileges;
315316
316/*317/*
317 THR_MALLOC is a key which will be used to set/get MEM_ROOT** for a thread,318 THR_MALLOC is a key which will be used to set/get MEM_ROOT** for a thread,
318319
=== modified file 'Percona-Server/sql/sql_acl.cc'
--- Percona-Server/sql/sql_acl.cc 2013-08-14 03:57:21 +0000
+++ Percona-Server/sql/sql_acl.cc 2013-08-27 20:56:36 +0000
@@ -1749,7 +1749,25 @@
1749 goto cleanup;1749 goto cleanup;
1750 }1750 }
17511751
1752 acl_utility_user.access= 0;1752 DBUG_ASSERT(utility_user_privileges <= UINT_MAX32);
1753 acl_utility_user.access= utility_user_privileges & UINT_MAX32;
1754 if (acl_utility_user.access)
1755 {
1756 char privilege_desc[512];
1757 get_privilege_desc(privilege_desc, array_elements(privilege_desc), acl_utility_user.access);
1758 sql_print_information("Utility user '%s'@'%s' in use with access rights "
1759 "'%s'.",
1760 acl_utility_user.user,
1761 acl_utility_user.host.get_host(),
1762 privilege_desc);
1763 }
1764 else
1765 {
1766 sql_print_information("Utility user '%s'@'%s' in use with basic "
1767 "access rights.",
1768 acl_utility_user.user,
1769 acl_utility_user.host.get_host());
1770 }
17531771
1754 acl_utility_user.ssl_type= SSL_TYPE_NONE;1772 acl_utility_user.ssl_type= SSL_TYPE_NONE;
17551773
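Review bot: the range check at new line 1752 is a DBUG_ASSERT, which is compiled out of release builds, so there the & UINT_MAX32 mask on the next line would silently drop any bits above 32 instead of reporting them. If such a value can be reached, reject it with a startup error or warning; if it cannot, say why in a comment. Logging the granted rights at startup is useful for audit. Minor: the get_privilege_desc() call at new line 1757 runs past 80 columns.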
@@ -6517,13 +6535,21 @@
6517 "ALTER", "SHOW DATABASES", "SUPER", "CREATE TEMPORARY TABLES",6535 "ALTER", "SHOW DATABASES", "SUPER", "CREATE TEMPORARY TABLES",
6518 "LOCK TABLES", "EXECUTE", "REPLICATION SLAVE", "REPLICATION CLIENT",6536 "LOCK TABLES", "EXECUTE", "REPLICATION SLAVE", "REPLICATION CLIENT",
6519 "CREATE VIEW", "SHOW VIEW", "CREATE ROUTINE", "ALTER ROUTINE",6537 "CREATE VIEW", "SHOW VIEW", "CREATE ROUTINE", "ALTER ROUTINE",
6520 "CREATE USER", "EVENT", "TRIGGER", "CREATE TABLESPACE"6538 "CREATE USER", "EVENT", "TRIGGER", "CREATE TABLESPACE", 0
6539};
6540
6541TYPELIB utility_user_privileges_typelib=
6542{
6543 array_elements(command_array) - 1,
6544 "utility_user_privileges_typelib",
6545 command_array,
6546 NULL
6521};6547};
65226548
6523uint command_lengths[]=6549uint command_lengths[]=
6524{6550{
6525 6, 6, 6, 6, 6, 4, 6, 8, 7, 4, 5, 10, 5, 5, 14, 5, 23, 11, 7, 17, 18, 11, 9,6551 6, 6, 6, 6, 6, 4, 6, 8, 7, 4, 5, 10, 5, 5, 14, 5, 23, 11, 7, 17, 18, 11, 9,
6526 14, 13, 11, 5, 7, 176552 14, 13, 11, 5, 7, 17, 0
6527};6553};
65286554
6529#ifndef NO_EMBEDDED_ACCESS_CHECKS6555#ifndef NO_EMBEDDED_ACCESS_CHECKS
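Review bot: appending the 0 terminator to command_array and command_lengths changes what array_elements() returns for both arrays, which is why the typelib count needs array_elements(command_array) - 1. Please confirm that no existing code sizes or iterates these arrays with array_elements(), or adjust it in the same way. The typelib also ties each option bit to the position of its name in command_array, so a comment next to utility_user_privileges_typelib stating that the array order must match the privilege bit values assigned to acl_utility_user.access would protect against a later reorder.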
