Commit 55171821 authored by unknown's avatar unknown
Browse files

Bug#10246 - Parser: bad syntax for GRANT EXECUTE 

  Rename some functions
  more fine-grained sp privileges
  make grant/revoke sp grammar less ambigious


mysql-test/r/sp-security.result:
  change test for new syntax
mysql-test/r/system_mysql_db.result:
  change test for new syntax
mysql-test/t/sp-security.test:
  change test for new syntax
scripts/mysql_create_system_tables.sh:
  now store routine_type for procs_priv
scripts/mysql_fix_privilege_tables.sql:
  now store routine_type for procs_priv
sql/item_func.cc:
  rename of function
sql/mysql_priv.h:
  rename of function
sql/sp_head.cc:
  extra arg for check_some_routine_access
sql/sql_acl.cc:
  rename of function. now handle func/proc acls seperately
sql/sql_acl.h:
  rename of function
sql/sql_parse.cc:
  rename of function
  grants for procs handled distinctly from funcs
sql/sql_show.cc:
  check_some_routine_access extra arg
sql/sql_base.cc:
  fix for build
sql/sql_yacc.yy:
  fix for build
parent 9b07cafe

mysql-test/r/sp-security.result

+24 −24
Original line number Diff line number Diff line
@@ -23,10 +23,10 @@ root@localhost 1 
select db();

db()

db1_secret

grant execute on db1_secret.stamp to user1@'%';

grant execute on db1_secret.db to user1@'%';

grant execute on db1_secret.stamp to ''@'%';

grant execute on db1_secret.db to ''@'%';

grant execute on procedure db1_secret.stamp to user1@'%';

grant execute on function db1_secret.db to user1@'%';

grant execute on procedure db1_secret.stamp to ''@'%';

grant execute on function db1_secret.db to ''@'%';

call db1_secret.stamp(2);

select db1_secret.db();

db1_secret.db()
@@ -105,8 +105,8 @@ select * from t2; 
s1

0

2

grant usage on db2.q to user2@localhost with grant option;

grant execute on db2.q to user1@localhost;

grant usage on procedure db2.q to user2@localhost with grant option;

grant execute on procedure db2.q to user1@localhost;

use db2;

call q();

select * from t2;
@@ -117,9 +117,9 @@ s1 
alter procedure p modifies sql data;

drop procedure p;

alter procedure q modifies sql data;

ERROR 42000: alter procedure command denied to user 'user1'@'localhost' for routine 'db2.q'

ERROR 42000: alter routine command denied to user 'user1'@'localhost' for routine 'db2.q'

drop procedure q;

ERROR 42000: alter procedure command denied to user 'user1'@'localhost' for routine 'db2.q'

ERROR 42000: alter routine command denied to user 'user1'@'localhost' for routine 'db2.q'

use db2;

alter procedure q modifies sql data;

drop procedure q;
@@ -141,52 +141,52 @@ create database sptest; 
create table t1 ( u varchar(64), i int );

create procedure sptest.p1(i int) insert into test.t1 values (user(), i);

grant insert on t1 to usera@localhost;

grant execute on sptest.p1 to usera@localhost;

grant execute on procedure sptest.p1 to usera@localhost;

show grants for usera@localhost;

Grants for usera@localhost

GRANT USAGE ON *.* TO 'usera'@'localhost'

GRANT INSERT ON `test`.`t1` TO 'usera'@'localhost'

GRANT EXECUTE ON `sptest`.`p1` TO 'usera'@'localhost'

grant execute on sptest.p1 to userc@localhost with grant option;

GRANT EXECUTE ON PROCEDURE `sptest`.`p1` TO 'usera'@'localhost'

grant execute on procedure sptest.p1 to userc@localhost with grant option;

show grants for userc@localhost;

Grants for userc@localhost

GRANT USAGE ON *.* TO 'userc'@'localhost'

GRANT EXECUTE ON `sptest`.`p1` TO 'userc'@'localhost' WITH GRANT OPTION

GRANT EXECUTE ON PROCEDURE `sptest`.`p1` TO 'userc'@'localhost' WITH GRANT OPTION

call sptest.p1(1);

grant execute on sptest.p1 to userb@localhost;

grant execute on procedure sptest.p1 to userb@localhost;

ERROR 42000: grant command denied to user 'usera'@'localhost' for routine 'sptest.p1'

drop procedure sptest.p1;

ERROR 42000: alter procedure command denied to user 'usera'@'localhost' for routine 'sptest.p1'

ERROR 42000: alter routine command denied to user 'usera'@'localhost' for routine 'sptest.p1'

call sptest.p1(2);

ERROR 42000: execute command denied to user 'userb'@'localhost' for routine 'sptest.p1'

grant execute on sptest.p1 to userb@localhost;

grant execute on procedure sptest.p1 to userb@localhost;

ERROR 42000: execute command denied to user 'userb'@'localhost' for routine 'sptest.p1'

drop procedure sptest.p1;

ERROR 42000: alter procedure command denied to user 'userb'@'localhost' for routine 'sptest.p1'

ERROR 42000: alter routine command denied to user 'userb'@'localhost' for routine 'sptest.p1'

call sptest.p1(3);

grant execute on sptest.p1 to userb@localhost;

grant execute on procedure sptest.p1 to userb@localhost;

drop procedure sptest.p1;

ERROR 42000: alter procedure command denied to user 'userc'@'localhost' for routine 'sptest.p1'

ERROR 42000: alter routine command denied to user 'userc'@'localhost' for routine 'sptest.p1'

call sptest.p1(4);

grant execute on sptest.p1 to userb@localhost;

grant execute on procedure sptest.p1 to userb@localhost;

ERROR 42000: grant command denied to user 'userb'@'localhost' for routine 'sptest.p1'

drop procedure sptest.p1;

ERROR 42000: alter procedure command denied to user 'userb'@'localhost' for routine 'sptest.p1'

ERROR 42000: alter routine command denied to user 'userb'@'localhost' for routine 'sptest.p1'

select * from t1;

u	i

usera@localhost	1

userc@localhost	3

userb@localhost	4

grant all privileges on sptest.p1 to userc@localhost;

grant all privileges on procedure sptest.p1 to userc@localhost;

show grants for userc@localhost;

Grants for userc@localhost

GRANT USAGE ON *.* TO 'userc'@'localhost'

GRANT EXECUTE, ALTER ROUTINE ON `sptest`.`p1` TO 'userc'@'localhost' WITH GRANT OPTION

GRANT EXECUTE, ALTER ROUTINE ON PROCEDURE `sptest`.`p1` TO 'userc'@'localhost' WITH GRANT OPTION

show grants for userb@localhost;

Grants for userb@localhost

GRANT USAGE ON *.* TO 'userb'@'localhost'

GRANT EXECUTE ON `sptest`.`p1` TO 'userb'@'localhost'

revoke all privileges on sptest.p1 from userb@localhost;

GRANT EXECUTE ON PROCEDURE `sptest`.`p1` TO 'userb'@'localhost'

revoke all privileges on procedure sptest.p1 from userb@localhost;

show grants for userb@localhost;

Grants for userb@localhost

GRANT USAGE ON *.* TO 'userb'@'localhost'

mysql-test/r/system_mysql_db.result

+3 −2
Original line number Diff line number Diff line
@@ -152,10 +152,11 @@ procs_priv CREATE TABLE `procs_priv` ( 
  `Db` char(64) collate utf8_bin NOT NULL default '',

  `User` char(16) collate utf8_bin NOT NULL default '',

  `Routine_name` char(64) collate utf8_bin NOT NULL default '',

  `Routine_type` enum('FUNCTION','PROCEDURE') collate utf8_bin NOT NULL default 'FUNCTION',

  `Grantor` char(77) collate utf8_bin NOT NULL default '',

  `Timestamp` timestamp NOT NULL default CURRENT_TIMESTAMP on update CURRENT_TIMESTAMP,

  `Proc_priv` set('Execute','Alter Routine','Grant') character set utf8 NOT NULL default '',

  PRIMARY KEY  (`Host`,`Db`,`User`,`Routine_name`),

  `Timestamp` timestamp NOT NULL default CURRENT_TIMESTAMP on update CURRENT_TIMESTAMP,

  PRIMARY KEY  (`Host`,`Db`,`User`,`Routine_name`,`Routine_type`),

  KEY `Grantor` (`Grantor`)

) ENGINE=MyISAM DEFAULT CHARSET=utf8 COLLATE=utf8_bin COMMENT='Procedure privileges'

show create table proc;

mysql-test/t/sp-security.test

+14 −14
Original line number Diff line number Diff line
@@ -43,10 +43,10 @@ call stamp(1); 
select * from t1;

select db();



grant execute on db1_secret.stamp to user1@'%';

grant execute on db1_secret.db to user1@'%';

grant execute on db1_secret.stamp to ''@'%';

grant execute on db1_secret.db to ''@'%';

grant execute on procedure db1_secret.stamp to user1@'%';

grant execute on function db1_secret.db to user1@'%';

grant execute on procedure db1_secret.stamp to ''@'%';

grant execute on function db1_secret.db to ''@'%';



connect (con2user1,localhost,user1,,);

connect (con3anon,localhost,anon,,);
@@ -183,10 +183,10 @@ call q(); 
select * from t2;



connection con1root;

grant usage on db2.q to user2@localhost with grant option;

grant usage on procedure db2.q to user2@localhost with grant option;



connection con4user2;

grant execute on db2.q to user1@localhost;

grant execute on procedure db2.q to user1@localhost;



connection con2user1;

use db2;
@@ -245,9 +245,9 @@ create database sptest; 
create table t1 ( u varchar(64), i int );

create procedure sptest.p1(i int) insert into test.t1 values (user(), i);

grant insert on t1 to usera@localhost;

grant execute on sptest.p1 to usera@localhost;

grant execute on procedure sptest.p1 to usera@localhost;

show grants for usera@localhost;

grant execute on sptest.p1 to userc@localhost with grant option;

grant execute on procedure sptest.p1 to userc@localhost with grant option;

show grants for userc@localhost;



connect (con2usera,localhost,usera,,);
@@ -257,7 +257,7 @@ connect (con4userc,localhost,userc,,); 
connection con2usera;

call sptest.p1(1);

--error 1370

grant execute on sptest.p1 to userb@localhost;

grant execute on procedure sptest.p1 to userb@localhost;

--error 1370

drop procedure sptest.p1;
@@ -265,32 +265,32 @@ connection con3userb; 
--error 1370

call sptest.p1(2);

--error 1370

grant execute on sptest.p1 to userb@localhost;

grant execute on procedure sptest.p1 to userb@localhost;

--error 1370

drop procedure sptest.p1;



connection con4userc;

call sptest.p1(3);

grant execute on sptest.p1 to userb@localhost;

grant execute on procedure sptest.p1 to userb@localhost;

--error 1370

drop procedure sptest.p1;



connection con3userb;

call sptest.p1(4);

--error 1370

grant execute on sptest.p1 to userb@localhost;

grant execute on procedure sptest.p1 to userb@localhost;

--error 1370

drop procedure sptest.p1;



connection con1root;

select * from t1;



grant all privileges on sptest.p1 to userc@localhost;

grant all privileges on procedure sptest.p1 to userc@localhost;

show grants for userc@localhost;

show grants for userb@localhost;



connection con4userc;

revoke all privileges on sptest.p1 from userb@localhost;

revoke all privileges on procedure sptest.p1 from userb@localhost;



connection con1root;

show grants for userb@localhost;

scripts/mysql_create_system_tables.sh

+3 −2
Original line number Diff line number Diff line
@@ -255,10 +255,11 @@ then 
  c_pp="$c_pp   Db char(64) binary DEFAULT '' NOT NULL,"

  c_pp="$c_pp   User char(16) binary DEFAULT '' NOT NULL,"

  c_pp="$c_pp   Routine_name char(64) binary DEFAULT '' NOT NULL,"

  c_pp="$c_pp   Routine_type enum('FUNCTION','PROCEDURE') NOT NULL,"

  c_pp="$c_pp   Grantor char(77) DEFAULT '' NOT NULL,"

  c_pp="$c_pp   Timestamp timestamp(14),"

  c_pp="$c_pp   Proc_priv set('Execute','Alter Routine','Grant') COLLATE utf8_general_ci DEFAULT '' NOT NULL,"

  c_pp="$c_pp   PRIMARY KEY (Host,Db,User,Routine_name),"

  c_pp="$c_pp   Timestamp timestamp(14),"

  c_pp="$c_pp   PRIMARY KEY (Host,Db,User,Routine_name,Routine_type),"

  c_pp="$c_pp   KEY Grantor (Grantor)"

  c_pp="$c_pp ) engine=MyISAM"

  c_pp="$c_pp CHARACTER SET utf8 COLLATE utf8_bin"

scripts/mysql_fix_privilege_tables.sql

+7 −2
Original line number Diff line number Diff line
@@ -67,6 +67,10 @@ ALTER TABLE tables_priv 
ALTER TABLE procs_priv ENGINE=MyISAM, CONVERT TO CHARACTER SET utf8 COLLATE utf8_bin;

ALTER TABLE procs_priv

  modify Proc_priv set('Execute','Alter Routine','Grant') COLLATE utf8_general_ci DEFAULT '' NOT NULL;

ALTER TABLE procs_priv

  add Routine_type enum('FUNCTION','PROCEDURE') COLLATE utf8_general_ci NOT NULL AFTER Routine_name;

ALTER TABLE procs_priv

  modify Timestamp timestamp(14) AFTER Proc_priv;



CREATE TABLE IF NOT EXISTS columns_priv (

  Host char(60) DEFAULT '' NOT NULL,
@@ -316,10 +320,11 @@ Host char(60) binary DEFAULT '' NOT NULL, 
Db char(64) binary DEFAULT '' NOT NULL,

User char(16) binary DEFAULT '' NOT NULL,

Routine_name char(64) binary DEFAULT '' NOT NULL,

Routine_type enum('FUNCTION','PROCEDURE') NOT NULL,

Grantor char(77) DEFAULT '' NOT NULL,

Timestamp timestamp(14),

Proc_priv set('Execute','Alter Routine','Grant') COLLATE utf8_general_ci DEFAULT '' NOT NULL,

PRIMARY KEY (Host,Db,User,Routine_name),

Timestamp timestamp(14),

PRIMARY KEY (Host,Db,User,Routine_name,Routine_type),

KEY Grantor (Grantor)

) CHARACTER SET utf8 COLLATE utf8_bin comment='Procedure privileges';