check_audit_mask(mysql_global_audit_mask, event_class_mask) is tested in
mysql_audit_general_log() and then assert in mysql_audit_acquire_plugins()
verifies that the condition still holds.
But this code path is not protected by LOCK_audit_mask, so
mysql_global_audit_mask can change its value between the if() and the
assert. That is, the assert is invalid and will fire if the
audit plugin is unloaded concurrently with mysql_audit_general_log().
Nothing bad will happen in this case though, we'll just do a useless
loop over all remaining installed audit plugins.
That is, the fix is simply to remove the assert.
b7928f7...
by
Anel Husakovic <email address hidden>
Add missing comment and remove unnecessary initialization
- Commit c8948b0d0db4 introduced `get_one_variable()` - updating missing argument.
- Remove caller setting of empty string in `rpl_filter`, since underlying functions will do the same
(commit 9584cbe7fcc4 introduced).
MDEV-29509 execute granted indirectly (via roles) doesn't always work
The issue manifests due to a bug in mysql_routine_grant. This was a side
effect of e46eea8660fb which fixed the problem of not giving appropriate error
message (ER_NONEXISTING_PROC_GRANT) when a routine grant existed due to role
inheritance.
When granting a routine privilege, it is possible to have a GRANT_NAME
entry already created from an inherited role, but with its init_privs
set to 0.
In this case we must not create a *new* grant entry, but we must edit
this grant entry to set its init_privs.
Note that this case was already covered by MDEV-29458, however due to a
forgotten "flush privileges;" the actual code path never got hit.
Remove the flush privilege command as it was never intended to be there
in the first place.
MDEV-29458: Role grant commands do not propagate all grants
There was an issue in updating in-memory role data structures when
propagating role grants.
The issue is that changing a particular role's privilege (on any
privilege level, global, database, etc.)
was done such that it overwrote the entire set of bits for that
particular level of privileges.
For example:
grant select on *.* to r1 -> sets the access bits to r1 to select,
regardless of what bits were present for role r1 (inherited from any
other roles).
Before this fix, the rights of role r1 were propagated to any roles r1
was granted to, however the propagated rights did *not* include the
complete rights r1 inherited from its own grants.
For example:
grant r2 to r1;
grant select on *.* to r2;
grant insert on *.* to r1; # This command completely disregards the
                           # select privilege from r2.
In order to correct this, ensure that before rights are propagated
onwards, the current role's rights have been updated from its
grants.
Additionally, the patch exposed a flaw in the DROP ROLE code.
When deleting a role we removed all its previous grants, but what
remained was the actual links of roles granted to the dropped role.
Having these links present when propagating grants meant that we would
have leftover ACL_xxx entries.
Ensure that the links are removed before propagating grants.
MDEV-29465: Inherited columns privs for roles wrongly set mysql.tables_priv column
There was a bug in the ACL internal data structures GRANT_TABLE and
GRANT_COLUMN. The semantics are: GRANT_TABLE::init_cols and
GRANT_COLUMN::init_privs represent the bits that correspond to the
privilege bits stored in the physical tables. The other struct members
GRANT_TABLE::cols and GRANT_COLUMN::privs represent the actual access
bits, as they may be modified through role grants.
The error in logic was mixing the two fields and thus we ended up
storing the logical access bits in the physical tables, instead of the
physical (init_xxx) bits.
This caused subsequent DBUG_ASSERT failures when dropping the involved
roles.
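
A toy model of the behaviour the MDEV-29458 and MDEV-29465 messages above describe, as an added example that is not MariaDB code or part of these commits: direct (persisted) bits are kept apart from effective bits, each role is rebuilt from its own grants before its rights are passed on, and role links are removed on drop. The Acl and Role types and the PRIV_* constants are hypothetical; only the init_privs/privs naming follows the messages.

```cpp
#include <cstdint>
#include <cstdio>
#include <map>
#include <set>
#include <string>
// Toy model, not MariaDB source. All type and constant names are hypothetical.
constexpr uint32_t PRIV_SELECT = 1u << 0, PRIV_INSERT = 1u << 1;
struct Role {
    uint32_t init_privs = 0;        // direct grants: what the grant tables store
    uint32_t privs = 0;             // effective bits: direct plus inherited
    std::set<std::string> granted;  // roles granted to this role
};
struct Acl {
    std::map<std::string, Role> roles;
    // Rebuild a role from its own grants before its rights are passed on.
    uint32_t refresh(const std::string &name, std::set<std::string> &seen) {
        Role &r = roles.at(name);
        if (!seen.insert(name).second) return r.privs;  // already rebuilt in this pass
        uint32_t bits = r.init_privs;
        for (const auto &g : r.granted) bits |= refresh(g, seen);
        return r.privs = bits;
    }
    void refresh_all() {
        std::set<std::string> seen;
        for (auto &kv : roles) refresh(kv.first, seen);
    }
    void grant_role(const std::string &role, const std::string &to) {
        roles[role];                     // make sure the granted role exists
        roles[to].granted.insert(role);
        refresh_all();
    }
    void grant_priv(const std::string &to, uint32_t bits) {
        roles[to].init_privs |= bits;    // merge into direct bits, never overwrite privs
        refresh_all();
    }
    void drop_role(const std::string &name) {
        roles.erase(name);
        for (auto &kv : roles) kv.second.granted.erase(name);  // unlink before propagating
        refresh_all();
    }
    // The value to persist is the direct bits, never the effective ones.
    uint32_t persisted(const std::string &name) const { return roles.at(name).init_privs; }
};
int main() {
    Acl acl;
    acl.grant_role("r2", "r1");
    acl.grant_priv("r2", PRIV_SELECT);
    acl.grant_priv("r1", PRIV_INSERT);
    std::printf("r1 effective=%u persisted=%u\n", acl.roles["r1"].privs, acl.persisted("r1"));
}
```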