Basic privilege granting and checking #763
Conversation
Hydrocharged
force-pushed
the
daylon/users-4
branch
from
8f34377
to
0dc0d5d
Compare
Hydrocharged
force-pushed
the
daylon/users-5
branch
2 times, most recently
from
e59999b
to
1bd7f36
Compare
| @@ -50,6 +49,7 @@ var OnceBeforeDefault = []Rule{ | |||
| {"validate_read_only_database", validateReadOnlyDatabase}, | |||
| {"validate_read_only_transaction", validateReadOnlyTransaction}, | |||
| {"validate_database_set", validateDatabaseSet}, | |||
| {"check_privileges", checkPrivileges}, // Ensure that checking privileges happens after db & table resolution | |||
There was a problem hiding this comment.
Do unprivileged users have "show tables" access? If not, you might need to do checks on raw names, not sure.
In a lot of auth systems it's considered a security leak to let an unprivileged user probe the namespaces, so resolving tables before checking auth might not be correct.
There was a problem hiding this comment.
Looks like I need to do possibly checks in multiple places. Did a bit more research and testing in MySQL and this is basically how it seems to work:
First we check for a valid user authentication, whether that be password, certificate, etc. Next, gather which databases the user has access to. Everyone has access to information_schema (note about this later), so that's added to the list. If the user has any global static privileges (those in the user table), then they can see all databases and all tables. If not, check which databases they have database-level privileges on (those in the db table, not yet implemented). Any privileges there give you full view of the tables in that database. Last, check the tables_priv table (also not yet implemented), with any privileges there showing their associated table.
So if you have global static privileges, you'll get a "database/table does not exist" error on an invalid database/table. If you only have access to specific databases, then any database (valid or invalid) that you don't have access to will give you an "access denied" error. Same goes for the table level. Also, if you have privileges on a database or table that doesn't exist (GRANT doesn't check for database or table existence, so DBAs can set up users before the rest of the repo), you'll get that "does not exist" error on only those databases/tables.
About information_schema, as everyone has access to it, it actually restricts its output based on the privileges of the connected user. So even though you can fully query it, you don't have access to all of the information it contains. Pretty neat, but also a lot more work.
Also also, I think partial revokes remove entries from that big list of databases and tables, but I didn't test those as they're not coming any time soon.
Hydrocharged
force-pushed
the
daylon/users-5
branch
from
1bd7f36
to
8dbdd57
Compare
This adds an extremely basic implementation of privilege checking, along with the ability to grant a subset of privileges. In addition, connections carry along their authentication information, and direct queries on the engine (through use of the
*sql.Context) also carry auth information for later privilege checking.