pingcap · eurekaka · Dec 28, 2018 · Nov 28, 2018 · Nov 28, 2018 · Dec 2, 2018
diff --git a/planner/core/errors.go b/planner/core/errors.go
@@ -49,6 +49,7 @@ const (
 	codeNonUniqTable                 = mysql.ErrNonuniqTable
 	codeWrongNumberOfColumnsInSelect = mysql.ErrWrongNumberOfColumnsInSelect
 	codeWrongValueCountOnRow         = mysql.ErrWrongValueCountOnRow
+	codeErrTableaccessDenied         = mysql.ErrTableaccessDenied
 )
 
 // error definitions.
@@ -83,6 +84,7 @@ var (
 	ErrMixOfGroupFuncAndFields      = terror.ClassOptimizer.New(codeMixOfGroupFuncAndFields, "In aggregated query without GROUP BY, expression #%d of SELECT list contains nonaggregated column '%s'; this is incompatible with sql_mode=only_full_group_by")
 	ErrNonUniqTable                 = terror.ClassOptimizer.New(codeNonUniqTable, mysql.MySQLErrName[mysql.ErrNonuniqTable])
 	ErrWrongValueCountOnRow         = terror.ClassOptimizer.New(mysql.ErrWrongValueCountOnRow, mysql.MySQLErrName[mysql.ErrWrongValueCountOnRow])
+	ErrTableaccessDenied            = terror.ClassOptimizer.New(mysql.ErrTableaccessDenied, mysql.MySQLErrName[mysql.ErrTableaccessDenied])
 )
 
 func init() {
@@ -110,6 +112,7 @@ func init() {
 		codeNonUniqTable:                 mysql.ErrNonuniqTable,
 		codeWrongNumberOfColumnsInSelect: mysql.ErrWrongNumberOfColumnsInSelect,
 		codeWrongValueCountOnRow:         mysql.ErrWrongValueCountOnRow,
+		codeErrTableaccessDenied:         mysql.ErrTableaccessDenied,
 	}
 	terror.ErrClassToMySQLCodes[terror.ClassOptimizer] = mysqlErrCodeMap
 }
diff --git a/planner/core/planbuilder.go b/planner/core/planbuilder.go
@@ -28,6 +28,7 @@ import (
 	"github.com/pingcap/tidb/expression"
 	"github.com/pingcap/tidb/infoschema"
 	"github.com/pingcap/tidb/planner/property"
+	"github.com/pingcap/tidb/privilege"
 	"github.com/pingcap/tidb/sessionctx"
 	"github.com/pingcap/tidb/table"
 	"github.com/pingcap/tidb/types"
@@ -692,8 +693,17 @@ func getPhysicalIDs(tblInfo *model.TableInfo, partitionNames []model.CIStr) ([]i
 }
 
 func (b *PlanBuilder) buildAnalyzeTable(as *ast.AnalyzeTableStmt) (Plan, error) {
+	checker := privilege.GetPrivilegeManager(b.ctx)
 	p := &Analyze{MaxNumBuckets: as.MaxNumBuckets}
 	for _, tbl := range as.TableNames {
+		// MySQL will analyze each table and stop on the first to error without privs
+		user := b.ctx.GetSessionVars().User
+		if checker != nil && user != nil &&
+			!(checker.RequestVerification(tbl.Schema.O, tbl.Name.O, "", mysql.SelectPriv) &&
+				checker.RequestVerification(tbl.Schema.O, tbl.Name.O, "", mysql.InsertPriv)) {
+			return nil, ErrTableaccessDenied.GenWithStackByArgs("SELECT, INSERT",
+				user.AuthUsername, user.AuthHostname, tbl.Name)
+		}
 		idxInfo, colInfo, pkInfo := getColsInfo(tbl)
 		physicalIDs, err := getPhysicalIDs(tbl.TableInfo, as.PartitionNames)
 		if err != nil {

diff --git a/privilege/privileges/privileges_test.go b/privilege/privileges/privileges_test.go
@@ -348,6 +348,43 @@ func (s *testPrivilegeSuite) TestUseDb(c *C) {
 
 }
 
+func (s *testPrivilegeSuite) TestAnalyzeTable(c *C) {
+
+	se := newSession(c, s.store, s.dbName)
+	// high privileged user
+	mustExec(c, se, "CREATE USER 'asuper'")
+	mustExec(c, se, "CREATE USER 'anobody'")
+	mustExec(c, se, "GRANT ALL ON *.* TO 'asuper'")
+	mustExec(c, se, "FLUSH PRIVILEGES")
+	mustExec(c, se, "CREATE DATABASE atest")
+	mustExec(c, se, "use atest")
+	mustExec(c, se, "CREATE TABLE t1 (a int)")
+
+	c.Assert(se.Auth(&auth.UserIdentity{Username: "asuper", Hostname: "localhost", AuthUsername: "asuper", AuthHostname: "%"}, nil, nil), IsTrue)
+	mustExec(c, se, "analyze table mysql.user")
+	// low privileged user
+	c.Assert(se.Auth(&auth.UserIdentity{Username: "anobody", Hostname: "localhost", AuthUsername: "anobody", AuthHostname: "%"}, nil, nil), IsTrue)
+	_, err := se.Execute(context.Background(), "analyze table t1")
+	c.Assert(err, NotNil) // fails
+
+	// try again after SELECT privilege granted
+	c.Assert(se.Auth(&auth.UserIdentity{Username: "asuper", Hostname: "localhost", AuthUsername: "asuper", AuthHostname: "%"}, nil, nil), IsTrue)
+	mustExec(c, se, "GRANT SELECT ON atest.* TO 'anobody'")
+	mustExec(c, se, "FLUSH PRIVILEGES")
+	c.Assert(se.Auth(&auth.UserIdentity{Username: "anobody", Hostname: "localhost", AuthUsername: "anobody", AuthHostname: "%"}, nil, nil), IsTrue)
+	_, err = se.Execute(context.Background(), "analyze table t1")
+	c.Assert(err, NotNil) // stll fails (only select)
+
+	// Add INSERT privilege and it should work.
+	c.Assert(se.Auth(&auth.UserIdentity{Username: "asuper", Hostname: "localhost", AuthUsername: "asuper", AuthHostname: "%"}, nil, nil), IsTrue)
+	mustExec(c, se, "GRANT INSERT ON atest.* TO 'anobody'")
+	mustExec(c, se, "FLUSH PRIVILEGES")
+	c.Assert(se.Auth(&auth.UserIdentity{Username: "anobody", Hostname: "localhost", AuthUsername: "anobody", AuthHostname: "%"}, nil, nil), IsTrue)
+	_, err = se.Execute(context.Background(), "analyze table t1")
+	c.Assert(err, IsNil)
+
+}
+
 func (s *testPrivilegeSuite) TestInformationSchema(c *C) {
 
 	// This test tests no privilege check for INFORMATION_SCHEMA database.