
privilege,executor: update DBIsVisible() function for RBAC #10261

Merged (3 commits), May 8, 2019

Conversation

tiancaiamao (Contributor):

What problem does this PR solve?

	CREATE DATABASE app_db;
	CREATE ROLE 'app_developer';
	GRANT ALL ON app_db.* TO 'app_developer';
	CREATE USER 'dev'@'localhost';
	GRANT 'app_developer' TO 'dev'@'localhost';
	SET DEFAULT ROLE 'app_developer' TO 'dev'@'localhost';

login as 'dev'@'localhost'

Before:

  mysql> use app_db
  ERROR 1044 (42000): Access denied for user 'dev'@'localhost' to database 'app_db'

After:

  mysql> use app_db;
  Database changed

What is changed and how it works?

`USE DB` checks privileges using the DBIsVisible() function; that function should take roles into consideration.

Check List

Tests

  • Unit test

@tiancaiamao (Contributor, Author):

PTAL @imtbkcat @c4pt0r

@codecov bot commented Apr 26, 2019

Codecov Report

❗ No coverage uploaded for pull request base (master@e56a14b).
The diff coverage is 66.6666%.

@@             Coverage Diff             @@
##             master     #10261   +/-   ##
===========================================
  Coverage          ?   77.3838%           
===========================================
  Files             ?        412           
  Lines             ?      85713           
  Branches          ?          0           
===========================================
  Hits              ?      66328           
  Misses            ?      14352           
  Partials          ?       5033

@tiancaiamao (Contributor, Author):

PTAL @jackysp @lysu

@jackysp (Member) left a comment

LGTM

@jackysp jackysp requested review from imtbkcat and lysu April 29, 2019 02:40
@jackysp commented Apr 29, 2019

/run-all-tests

if SkipWithGrant {
return true
}
mysqlPriv := p.Handle.Get()
return mysqlPriv.DBIsVisible(p.user, p.host, db)
if mysqlPriv.DBIsVisible(p.user, p.host, db) {
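Review bot: replacing `return mysqlPriv.DBIsVisible(p.user, p.host, db)` with `if mysqlPriv.DBIsVisible(p.user, p.host, db) {` makes the fall-through after this block the path that decides visibility for users whose access comes only through roles; that path should expand the active roles transitively (a role granted to another role the user has active), not just check the directly active ones, otherwise a grant held by r_1 and reached through r_2 is still reported as not visible. The `if SkipWithGrant { return true }` short-circuit above keeps every database visible in skip-grant mode, so a test that enables it does not exercise the new branch.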


If r_1 has the privilege and r_2 doesn't, and they have a relationship like r_1 -> r_2 -> user, the user should have the privilege to visit the db.

tiancaiamao (Contributor, Author):

Do you mean the user has role r_2, and r_2 has role r_1?

I think activeRoles contains both r_1 and r_2 ? @imtbkcat


ctx.ActiveRoles just contains r_1; you could use MySQLPrivileges.FindAllRole to get r_1 and r_2.

tiancaiamao (Contributor, Author):

Done.
PTAL @imtbkcat
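
The role-chain case discussed in the thread above (r_1 -> r_2 -> user, resolved with a FindAllRole-style expansion rather than only the directly active roles), as an added example that is not TiDB's code: the types, the role-edge map and the scenario are constructed for illustration, and the "before" behaviour is reproduced by passing no active roles.

```go
package main

import "fmt"

// Principal names a user or role, e.g. {"dev", "localhost"} (constructed model, not TiDB's types).
type Principal struct{ User, Host string }

// Privileges stands in for TiDB's privilege tables (hypothetical): DB-level
// grants per principal, and role edges from a grantee to the roles granted to it.
type Privileges struct {
	DBGrants  map[Principal][]string
	RoleEdges map[Principal][]Principal
}

// FindAllRole expands the active roles transitively, so r_1 -> r_2 -> user
// yields both r_1 and r_2; the seen set terminates role cycles.
func (p *Privileges) FindAllRole(active []Principal) []Principal {
	seen, queue := map[Principal]bool{}, append([]Principal(nil), active...)
	var all []Principal
	for len(queue) > 0 {
		r := queue[0]
		queue = queue[1:]
		if seen[r] {
			continue
		}
		seen[r] = true
		all = append(all, r)
		queue = append(queue, p.RoleEdges[r]...)
	}
	return all
}

// DBIsVisible reports whether db is granted to the user directly or to any active role, including roles reached only via other roles.
func (p *Privileges) DBIsVisible(user Principal, activeRoles []Principal, db string) bool {
	for _, who := range append([]Principal{user}, p.FindAllRole(activeRoles)...) {
		for _, d := range p.DBGrants[who] {
			if d == db {
				return true
			}
		}
	}
	return false
}

func main() {
	// Constructed scenario from the review: GRANT ALL ON app_db.* TO r_1; GRANT r_1 TO r_2; GRANT r_2 TO dev.
	dev, r1, r2 := Principal{"dev", "localhost"}, Principal{"r_1", "%"}, Principal{"r_2", "%"}
	p := &Privileges{DBGrants: map[Principal][]string{r1: {"app_db"}}, RoleEdges: map[Principal][]Principal{r2: {r1}, dev: {r2}}}
	// false (no active role, the old behaviour), then true (r_2 active, r_1 reached transitively).
	fmt.Println(p.DBIsVisible(dev, nil, "app_db"), p.DBIsVisible(dev, []Principal{r2}, "app_db"))
}
```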

@jackysp jackysp added status/all tests passed status/LGT1 Indicates that a PR has LGTM 1. labels Apr 30, 2019
@imtbkcat commented May 8, 2019

/run-all-tests

@imtbkcat left a comment

LGTM

@tiancaiamao tiancaiamao added status/LGT2 Indicates that a PR has LGTM 2. and removed status/LGT1 Indicates that a PR has LGTM 1. labels May 8, 2019
@imtbkcat imtbkcat merged commit 1690912 into pingcap:master May 8, 2019
@tiancaiamao tiancaiamao deleted the db-visible-role branch May 8, 2019 07:24
Labels: component/privilege, status/LGT2 (Indicates that a PR has LGTM 2.)