Wildcard grants are not cleaned up correctly #38363

Closed
dveeden opened this issue Oct 10, 2022 · 8 comments · Fixed by #38370
Labels
affects-4.0 This bug affects 4.0.x versions. affects-5.0 This bug affects 5.0.x versions. affects-5.1 This bug affects 5.1.x versions. affects-5.2 This bug affects 5.2.x versions. affects-5.3 This bug affects 5.3.x versions. affects-5.4 This bug affects the 5.4.x(LTS) versions. affects-6.0 affects-6.1 This bug affects the 6.1.x(LTS) versions. affects-6.2 affects-6.3 component/privilege severity/major type/bug The issue is confirmed as a bug.

Comments

@dveeden
Contributor

dveeden commented Oct 10, 2022

Bug Report

  • Create user u1 and grant select access to t%.*.
  • Result: One record in mysql.db with Select_priv set to Y.
  • Revoke select grant on t%.*.
  • Result: Record in mysql.db with all permission fields set to N.
  • Grant select access to tes%.* (anything that's not the exact same prefix)
  • Result: Two records in mysql.db, one with Select_priv set to Y the other with all set to N.
  • Using SHOW GRANTS FOR... to inspect the grants
  • Re-creating the user based on the SHOW GRANTS FOR... output.
  • Now there is only one record in mysql.db with the Select_priv field set to Y.

The result is that:

  • The left-over record in mysql.db with all fields set to N blocks access to tables.
  • This is not visible in the SHOW GRANTS FOR... output.
  • This changes access after re-creating a user based on SHOW GRANTS FOR... output.

sql> select * from mysql.db where user='u1' and host='%'\G
Empty set (0.0037 sec)

sql> CREATE USER 'u1'@'%' IDENTIFIED BY 'u1';
Query OK, 0 rows affected (0.0528 sec)

sql> select * from mysql.db where user='u1' and host='%'\G
Empty set (0.0040 sec)

sql> GRANT SELECT ON `t%`.* TO 'u1'@'%';
Query OK, 0 rows affected (0.0330 sec)

sql> select * from mysql.db where user='u1' and host='%'\G
*************************** 1. row ***************************
                 Host: %
                   DB: t%
                 User: u1
          Select_priv: Y
          Insert_priv: N
          Update_priv: N
          Delete_priv: N
          Create_priv: N
            Drop_priv: N
           Grant_priv: N
      References_priv: N
           Index_priv: N
           Alter_priv: N
Create_tmp_table_priv: N
     Lock_tables_priv: N
     Create_view_priv: N
       Show_view_priv: N
  Create_routine_priv: N
   Alter_routine_priv: N
         Execute_priv: N
           Event_priv: N
         Trigger_priv: N
1 row in set (0.0061 sec)

sql> REVOKE SELECT ON `t%`.* FROM 'u1'@'%';
Query OK, 0 rows affected (0.0362 sec)

sql> select * from mysql.db where user='u1' and host='%'\G
*************************** 1. row ***************************
                 Host: %
                   DB: t%
                 User: u1
          Select_priv: N
          Insert_priv: N
          Update_priv: N
          Delete_priv: N
          Create_priv: N
            Drop_priv: N
           Grant_priv: N
      References_priv: N
           Index_priv: N
           Alter_priv: N
Create_tmp_table_priv: N
     Lock_tables_priv: N
     Create_view_priv: N
       Show_view_priv: N
  Create_routine_priv: N
   Alter_routine_priv: N
         Execute_priv: N
           Event_priv: N
         Trigger_priv: N
1 row in set (0.0059 sec)

sql> GRANT SELECT ON `tes%`.* TO 'u1'@'%';
Query OK, 0 rows affected (0.0364 sec)

sql> select * from mysql.db where user='u1' and host='%'\G
*************************** 1. row ***************************
                 Host: %
                   DB: t%
                 User: u1
          Select_priv: N
          Insert_priv: N
          Update_priv: N
          Delete_priv: N
          Create_priv: N
            Drop_priv: N
           Grant_priv: N
      References_priv: N
           Index_priv: N
           Alter_priv: N
Create_tmp_table_priv: N
     Lock_tables_priv: N
     Create_view_priv: N
       Show_view_priv: N
  Create_routine_priv: N
   Alter_routine_priv: N
         Execute_priv: N
           Event_priv: N
         Trigger_priv: N
*************************** 2. row ***************************
                 Host: %
                   DB: tes%
                 User: u1
          Select_priv: Y
          Insert_priv: N
          Update_priv: N
          Delete_priv: N
          Create_priv: N
            Drop_priv: N
           Grant_priv: N
      References_priv: N
           Index_priv: N
           Alter_priv: N
Create_tmp_table_priv: N
     Lock_tables_priv: N
     Create_view_priv: N
       Show_view_priv: N
  Create_routine_priv: N
   Alter_routine_priv: N
         Execute_priv: N
           Event_priv: N
         Trigger_priv: N
2 rows in set (0.0050 sec)

sql> show grants for 'u1'@'%';
+------------------------------------+
| Grants for u1@%                    |
+------------------------------------+
| GRANT USAGE ON *.* TO 'u1'@'%'     |
| GRANT SELECT ON tes%.* TO 'u1'@'%' |
+------------------------------------+
2 rows in set (0.0009 sec)

sql> drop user 'u1'@'%';
Query OK, 0 rows affected (0.0514 sec)

sql> CREATE USER 'u1'@'%' IDENTIFIED BY 'u1';
Query OK, 0 rows affected (0.0367 sec)

sql> GRANT SELECT ON `tes%`.* TO 'u1'@'%';
Query OK, 0 rows affected (0.0283 sec)

sql> select * from mysql.db where user='u1' and host='%'\G
*************************** 1. row ***************************
                 Host: %
                   DB: tes%
                 User: u1
          Select_priv: Y
          Insert_priv: N
          Update_priv: N
          Delete_priv: N
          Create_priv: N
            Drop_priv: N
           Grant_priv: N
      References_priv: N
           Index_priv: N
           Alter_priv: N
Create_tmp_table_priv: N
     Lock_tables_priv: N
     Create_view_priv: N
       Show_view_priv: N
  Create_routine_priv: N
   Alter_routine_priv: N
         Execute_priv: N
           Event_priv: N
         Trigger_priv: N
1 row in set (0.0053 sec)

This happens with v6.1.1 and v6.3.0

@dveeden dveeden added the type/bug The issue is confirmed as a bug. label Oct 10, 2022
@ti-chi-bot
Member

@dveeden: The label(s) severity/severe cannot be applied, because the repository doesn't have them.

In response to this:

/severity severe


@dveeden
Contributor Author

dveeden commented Oct 10, 2022

/severity major
/component privilege

@ti-chi-bot ti-chi-bot added severity/major component/privilege may-affects-4.0 This bug maybe affects 4.0.x versions. may-affects-5.0 This bug maybe affects 5.0.x versions. may-affects-5.1 This bug maybe affects 5.1.x versions. may-affects-5.2 This bug maybe affects 5.2.x versions. may-affects-5.3 This bug maybe affects 5.3.x versions. may-affects-5.4 This bug maybe affects 5.4.x versions. may-affects-6.0 may-affects-6.1 may-affects-6.2 may-affects-6.3 labels Oct 10, 2022
@dveeden
Contributor Author

dveeden commented Oct 10, 2022

/label affects-6.1
/label affects-6.3
/remove-label may-affects-6.1
/remove-label may-affects-6.3

@ti-chi-bot ti-chi-bot added affects-6.1 This bug affects the 6.1.x(LTS) versions. affects-6.3 and removed may-affects-6.1 may-affects-6.3 labels Oct 10, 2022
@dveeden
Contributor Author

dveeden commented Oct 10, 2022

To compare this with MySQL 8.0.30:

mysql> select * from mysql.db where user='u1' and host='%'\G
Empty set (0.00 sec)

mysql> CREATE USER 'u1'@'%' IDENTIFIED BY 'u1';
Query OK, 0 rows affected (0.01 sec)

mysql> select * from mysql.db where user='u1' and host='%'\G
Empty set (0.00 sec)

mysql> GRANT SELECT ON `t%`.* TO 'u1'@'%';
Query OK, 0 rows affected (0.02 sec)

mysql> select * from mysql.db where user='u1' and host='%'\G
*************************** 1. row ***************************
                 Host: %
                   Db: t%
                 User: u1
          Select_priv: Y
          Insert_priv: N
          Update_priv: N
          Delete_priv: N
          Create_priv: N
            Drop_priv: N
           Grant_priv: N
      References_priv: N
           Index_priv: N
           Alter_priv: N
Create_tmp_table_priv: N
     Lock_tables_priv: N
     Create_view_priv: N
       Show_view_priv: N
  Create_routine_priv: N
   Alter_routine_priv: N
         Execute_priv: N
           Event_priv: N
         Trigger_priv: N
1 row in set (0.00 sec)

mysql> REVOKE SELECT ON `t%`.* FROM 'u1'@'%';
Query OK, 0 rows affected (0.01 sec)

mysql> select * from mysql.db where user='u1' and host='%'\G
Empty set (0.00 sec)

mysql> GRANT SELECT ON `tes%`.* TO 'u1'@'%';
Query OK, 0 rows affected (0.01 sec)

mysql> select * from mysql.db where user='u1' and host='%'\G
*************************** 1. row ***************************
                 Host: %
                   Db: tes%
                 User: u1
          Select_priv: Y
          Insert_priv: N
          Update_priv: N
          Delete_priv: N
          Create_priv: N
            Drop_priv: N
           Grant_priv: N
      References_priv: N
           Index_priv: N
           Alter_priv: N
Create_tmp_table_priv: N
     Lock_tables_priv: N
     Create_view_priv: N
       Show_view_priv: N
  Create_routine_priv: N
   Alter_routine_priv: N
         Execute_priv: N
           Event_priv: N
         Trigger_priv: N
1 row in set (0.00 sec)

mysql> show grants for 'u1'@'%';
+--------------------------------------+
| Grants for u1@%                      |
+--------------------------------------+
| GRANT USAGE ON *.* TO `u1`@`%`       |
| GRANT SELECT ON `tes%`.* TO `u1`@`%` |
+--------------------------------------+
2 rows in set (0.00 sec)
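
An audit query for the left-over rows described in this issue, added here as an example and not part of the original report or the TiDB code base. It lists `mysql.db` rows whose privilege columns are all `N` (which SHOW GRANTS does not display) and then removes the specific row from the reproduction, matching the MySQL 8.0.30 end state shown above. It assumes direct edits to `mysql.db` are acceptable in your environment and that the table has the 19 privilege columns shown in the output.

```sql
-- Added example: detect mysql.db rows that grant nothing.
-- 'Y' NOT IN (...) is true only when every listed column is 'N'.
SELECT Host, DB, User
FROM mysql.db
WHERE 'Y' NOT IN (
        Select_priv, Insert_priv, Update_priv, Delete_priv,
        Create_priv, Drop_priv, Grant_priv, References_priv,
        Index_priv, Alter_priv, Create_tmp_table_priv, Lock_tables_priv,
        Create_view_priv, Show_view_priv, Create_routine_priv,
        Alter_routine_priv, Execute_priv, Event_priv, Trigger_priv)
ORDER BY User, Host, DB;

-- Cleanup for the row from the reproduction ('u1'@'%', DB pattern 't%').
-- Assumption: modifying mysql.db directly is permitted; back up the table first.
-- The all-'N' condition is repeated so a row that gained a privilege in the
-- meantime is never deleted.
DELETE FROM mysql.db
WHERE User = 'u1'
  AND Host = '%'
  AND DB = 't%'
  AND 'Y' NOT IN (
        Select_priv, Insert_priv, Update_priv, Delete_priv,
        Create_priv, Drop_priv, Grant_priv, References_priv,
        Index_priv, Alter_priv, Create_tmp_table_priv, Lock_tables_priv,
        Create_view_priv, Show_view_priv, Create_routine_priv,
        Alter_routine_priv, Execute_priv, Event_priv, Trigger_priv);

-- Reload the in-memory privilege data from the grant tables.
FLUSH PRIVILEGES;

-- Verify: only the 'tes%' row should remain for this account.
SELECT Host, DB, User, Select_priv
FROM mysql.db
WHERE User = 'u1' AND Host = '%';
```

Run the first SELECT on its own across all accounts before deleting anything; each row it returns is a candidate for the same review.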

@ti-chi-bot ti-chi-bot added affects-4.0 This bug affects 4.0.x versions. affects-5.0 This bug affects 5.0.x versions. affects-5.1 This bug affects 5.1.x versions. and removed may-affects-4.0 This bug maybe affects 4.0.x versions. may-affects-5.0 This bug maybe affects 5.0.x versions. may-affects-5.1 This bug maybe affects 5.1.x versions. labels Oct 10, 2022
@ti-chi-bot
Member

@dveeden: These labels are not set on the issue: may-affects-4.0, may-affects-5.0, may-affects-5.1.

In response to this:

/label affects-4.0
/label affects-5.0
/label affects-5.1
/label affects 5.2
/label affects 5.3
/label affects 5.4
/label affects 6.0
/label affects 6.2
/remove-label may-affects-4.0
/remove-label may-affects-5.0
/remove-label may-affects-5.1
/remove-label may-affects 5.2
/remove-label may-affects 5.3
/remove-label may-affects 5.4
/remove-label may-affects 6.0
/remove-label may-affects 6.2


@dveeden
Contributor Author

dveeden commented Oct 10, 2022

/label affects-5.2

@ti-chi-bot ti-chi-bot added affects-5.2 This bug affects 5.2.x versions. and removed may-affects-5.2 This bug maybe affects 5.2.x versions. labels Oct 10, 2022
@dveeden
Contributor Author

dveeden commented Oct 10, 2022

/label affects-5.3
/label affects-5.4
/label affects-6.0
/label affects-6.2
