From 01c6bd820c752d6ee739020fd425caff94b96368 Mon Sep 17 00:00:00 2001
From: winkyao
Date: Fri, 24 Aug 2018 21:54:31 +0800
Subject: [PATCH] privilege: execute admin command must have Super_priv. (#7486)
---
 plan/planbuilder.go | 3 +++
 privilege/privileges/privileges_test.go | 19 +++++++++++++++++++
 2 files changed, 22 insertions(+)
diff --git a/plan/planbuilder.go b/plan/planbuilder.go
index bdacf33edea5f..1508cb535a5b4 100644
--- a/plan/planbuilder.go
+++ b/plan/planbuilder.go
@@ -498,6 +498,9 @@ func (b *planBuilder) buildAdmin(as *ast.AdminStmt) (Plan, error) {
 default:
 return nil, ErrUnsupportedType.Gen("Unsupported ast.AdminStmt(%T) for buildAdmin", as)
 }
+
+ // Admin command can only be executed by administrator.
+ b.visitInfo = appendVisitInfo(b.visitInfo, mysql.SuperPriv, "", "", "")
 return ret, nil
 }
diff --git a/privilege/privileges/privileges_test.go b/privilege/privileges/privileges_test.go
index 8f0389f97dfed..359114f48570a 100644
--- a/privilege/privileges/privileges_test.go
+++ b/privilege/privileges/privileges_test.go
@@ -15,6 +15,7 @@ package privileges_test
 import (
 "fmt"
+ "strings"
 "testing"
 . "github.com/pingcap/check"
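Review bot: In plan/planbuilder.go the SUPER requirement is appended only after the switch, so it is recorded only on paths that fall through to `return ret, nil`. The switch body lies outside this hunk, so it cannot be confirmed here that no case returns a plan directly and skips the check. Making `b.visitInfo = appendVisitInfo(b.visitInfo, mysql.SuperPriv, "", "", "")` the first statement of buildAdmin would make the requirement fail closed for every current and future case. The comment could also name the privilege precisely, e.g. `// Every ADMIN statement requires the SUPER privilege; the empty db/table/column arguments presumably make it a global check.`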
@@ -301,6 +302,24 @@ func (s *testPrivilegeSuite) TestInformationSchema(c *C) {
 mustExec(c, se, `select * from information_schema.key_column_usage`)
 }
+func (s *testPrivilegeSuite) TestAdminCommand(c *C) {
+ se := newSession(c, s.store, s.dbName)
+ c.Assert(se.Auth(&auth.UserIdentity{Username: "root", Hostname: "localhost"}, nil, nil), IsTrue)
+ mustExec(c, se, `CREATE USER 'test_admin'@'localhost';`)
+ mustExec(c, se, `FLUSH PRIVILEGES;`)
+ mustExec(c, se, `CREATE TABLE t(a int)`)
+
+ c.Assert(se.Auth(&auth.UserIdentity{Username: "test_admin", Hostname: "localhost"}, nil, nil), IsTrue)
+ _, err := se.Execute(context.Background(), "ADMIN SHOW DDL JOBS")
+ c.Assert(strings.Contains(err.Error(), "privilege check fail"), IsTrue)
+ _, err = se.Execute(context.Background(), "ADMIN CHECK TABLE t")
+ c.Assert(strings.Contains(err.Error(), "privilege check fail"), IsTrue)
+
+ c.Assert(se.Auth(&auth.UserIdentity{Username: "root", Hostname: "localhost"}, nil, nil), IsTrue)
+ _, err = se.Execute(context.Background(), "ADMIN SHOW DDL JOBS")
+ c.Assert(err, IsNil)
+}
+
 func mustExec(c *C, se session.Session, sql string) {
 _, err := se.Execute(context.Background(), sql)
 c.Assert(err, IsNil)
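Review bot: In TestAdminCommand both denial checks call `err.Error()` without first asserting that `err` is non-nil. If the privilege check regresses and the statement succeeds for `test_admin`, the test panics on a nil error instead of reporting a clear assertion failure. Add `c.Assert(err, NotNil)` before each `strings.Contains(err.Error(), "privilege check fail")` line. The root path is verified only for `ADMIN SHOW DDL JOBS`; a matching `ADMIN CHECK TABLE t` as root would show that the new requirement does not block a privileged user on the second statement either.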