privilege: execute admin command must have Super_priv. (#7486)
winkyao authored Aug 24, 2018
1 parent d9f7ffe commit 01c6bd8
Showing 2 changed files with 22 additions and 0 deletions.
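--- a/plan/planbuilder.go
+++ b/plan/planbuilder.go
@@ -498,6 +498,9 @@ func (b *planBuilder) buildAdmin(as *ast.AdminStmt) (Plan, error) {
 default:
 return nil, ErrUnsupportedType.Gen("Unsupported ast.AdminStmt(%T) for buildAdmin", as)
 }
+
+// Admin command can only be executed by administrator.
+b.visitInfo = appendVisitInfo(b.visitInfo, mysql.SuperPriv, "", "", "")
 return ret, nil
 }
 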
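Review bot: The SUPER requirement is registered only as the last step of buildAdmin, after the switch, so any case that returns directly from inside the switch would hand back a plan without it. Only the default branch is visible here and the function begins outside the hunk, so whether such a return exists cannot be confirmed from this page. Making `b.visitInfo = appendVisitInfo(b.visitInfo, mysql.SuperPriv, "", "", "")` the first statement of the function would keep the check independent of how each case exits. The comment could also name the privilege, for example `// Every ADMIN statement requires the SUPER privilege (empty db/table/column: presumably a global check).`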
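--- a/privilege/privileges/privileges_test.go
+++ b/privilege/privileges/privileges_test.go
@@ -15,6 +15,7 @@ package privileges_test
 
 import (
 "fmt"
+"strings"
 "testing"
 
 . "github.com/pingcap/check"
@@ -301,6 +302,24 @@ func (s *testPrivilegeSuite) TestInformationSchema(c *C) {
 mustExec(c, se, `select * from information_schema.key_column_usage`)
 }
 
+func (s *testPrivilegeSuite) TestAdminCommand(c *C) {
+se := newSession(c, s.store, s.dbName)
+c.Assert(se.Auth(&auth.UserIdentity{Username: "root", Hostname: "localhost"}, nil, nil), IsTrue)
+mustExec(c, se, `CREATE USER 'test_admin'@'localhost';`)
+mustExec(c, se, `FLUSH PRIVILEGES;`)
+mustExec(c, se, `CREATE TABLE t(a int)`)
+
+c.Assert(se.Auth(&auth.UserIdentity{Username: "test_admin", Hostname: "localhost"}, nil, nil), IsTrue)
+_, err := se.Execute(context.Background(), "ADMIN SHOW DDL JOBS")
+c.Assert(strings.Contains(err.Error(), "privilege check fail"), IsTrue)
+_, err = se.Execute(context.Background(), "ADMIN CHECK TABLE t")
+c.Assert(strings.Contains(err.Error(), "privilege check fail"), IsTrue)
+
+c.Assert(se.Auth(&auth.UserIdentity{Username: "root", Hostname: "localhost"}, nil, nil), IsTrue)
+_, err = se.Execute(context.Background(), "ADMIN SHOW DDL JOBS")
+c.Assert(err, IsNil)
+}
+
 func mustExec(c *C, se session.Session, sql string) {
 _, err := se.Execute(context.Background(), sql)
 c.Assert(err, IsNil)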
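Review bot: The two negative assertions in TestAdminCommand call `err.Error()` without first asserting that `err` is non-nil, so if the privilege check ever regresses and the statement succeeds, the test dies with a nil-pointer panic instead of a readable failure. Adding `c.Assert(err, NotNil)` before each `strings.Contains` assertion fixes that. The positive path for root covers only `ADMIN SHOW DDL JOBS`; running `ADMIN CHECK TABLE t` as root too would show that the new requirement does not block a SUPER user on that statement. A further case for a user who holds table-level grants but not SUPER would pin down that ordinary privileges are not sufficient.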
