Fix: grant revoked priv #434
Codecov Report
```diff
@@            Coverage Diff             @@
##             main     #434      +/-   ##
==========================================
- Coverage   77.85%   77.82%   -0.03%
==========================================
  Files          27       27
  Lines        2321     2327       +6
  Branches      560      562       +2
==========================================
+ Hits         1807     1811       +4
- Misses        355      356       +1
- Partials      159      160       +1
```
@rsicart thanks much for the fix! Looking forward to seeing the CI green to review
Easier to debug this way
Thanks for your reviews @laurent-indermuehle @betanummeric ! Indeed I forgot to put my PR in Draft mode, but your comments helped me a lot. Do not hesitate to continue to suggest or commit if you feel it!
@Andersson007 @betanummeric @Jorge-Rodriguez @laurent-indermuehle Pipeline is green but, before removing Draft mode, I'd like to know if that seems normal to you (in my opinion that's expected because of the translation of ALL PRIVILEGES to specific privileges done by mysql server >= 8):
Perhaps we shouldn't revoke anything if 'ALL' in
We could add something like

```python
if 'ALL' in grant_privs or 'ALL PRIVILEGES' in grant_privs:
    revoke_privs = list({'GRANT', 'PROXY'} & set(revoke_privs))
```

This should avoid pointless revocations.
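The guard suggested in the comment above, run on constructed input, as an added example that is not part of the pull request or the collection's code. `plan_privilege_changes` is a hypothetical helper, and computing the grant and revoke lists by plain set difference is an assumed simplification of what the module does.

```python
# Added illustration; plan_privilege_changes is a hypothetical helper, not the
# collection's API. The set-difference step is an assumed simplification.
ALL_ALIASES = {'ALL', 'ALL PRIVILEGES'}
# MySQL's ALL PRIVILEGES does not include GRANT OPTION or PROXY, so these two
# are the only revocations that still matter once ALL is being granted.
NOT_IN_ALL = {'GRANT', 'PROXY'}


def plan_privilege_changes(current, desired, guard=True):
    """Return (grant_privs, revoke_privs) as sorted lists for one db.table."""
    current, desired = set(current), set(desired)
    grant_privs = desired - current
    revoke_privs = current - desired
    # Same condition as the snippet in the comment: ALL is about to be granted,
    # so revoking the individual privileges it covers would be pointless.
    if guard and grant_privs & ALL_ALIASES:
        revoke_privs &= NOT_IN_ALL
    return sorted(grant_privs), sorted(revoke_privs)


# Constructed sample: privileges as a MySQL >= 8 server could report them after
# translating ALL into specific privileges (list shortened), plus GRANT.
CURRENT = ['SELECT', 'INSERT', 'UPDATE', 'DELETE', 'GRANT']

if __name__ == '__main__':
    for desired in (['ALL', 'GRANT'], ['ALL']):
        for guard in (False, True):
            label = 'guard' if guard else 'no guard'
            print(desired, label, plan_privilege_changes(CURRENT, desired, guard))
```

With the guard, a user whose `priv` asks for `ALL` and `GRANT` gets no revocations at all, while `GRANT` is still revoked when the requested privileges no longer include it.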
I added what @betanummeric proposed to avoid useless revocations. It's ready for review, thanks in advance!
Great job! Good usage of Python sets :)
I would prefer multilines "when:" clause in order to be under 80 chars and be more legible. But maybe it's just me.
Also, I think double quotes are unnecessary in assert.that. But again, not a big deal.
Apart from the two missing spaces I requested because they failed the sanity test, it looks good to me. I missed the failed unit tests. I don't know why it doesn't pass.
@rsicart please add a changelog fragment:)
Yes! I remembered that yesterday before sleep... :man-facepalming:
@rsicart thanks for the contribution!
The bug is critical, so does anyone want to release the collection?
I'll release it then, probably today
SUMMARY
Fix: do not revoke GRANT permission when it's already allowed and present in priv parameter.
Partially fixes an accidental behavior which can lock out users having GRANT privileges. If the user is root, you can get locked out of your database.
Does not fix privileges being updated every time.
I suspect that the bug was introduced in #333.
ISSUE TYPE
COMPONENT NAME
mysql_user
ADDITIONAL INFORMATION
See #77 and those comments for more details and how to reproduce the problem: