privilege: fix privilege check of `CREATE ROLE` and `DROP ROLE` #13940

LGTM
if s.IsDropRole && !checker.RequestVerification(activeRoles, "", "", "", mysql.DropRolePriv) { | ||
return core.ErrSpecificAccessDenied.GenWithStackByArgs("DROP ROLE") | ||
if s.IsDropRole { | ||
if !checker.RequestVerification(activeRoles, "", "", "", mysql.DropRolePriv) && |
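Review bot: the negated condition on the new nested line, `if !checker.RequestVerification(activeRoles, "", "", "", mysql.DropRolePriv) &&`, denies access only when every operand of the `&&` fails, so at first glance it reads as if both privileges were required. A one-line comment above it stating that either DROP ROLE or, per the PR description, CREATE USER is sufficient would remove that ambiguity. Test cases for a user holding only one of the two privileges and for a user holding neither would catch a later edit that flips `&&` to `||`.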
Here is `&&`, that means if a user has the `CreateUser` privilege or `DropRole` privilege, he can execute the drop role operation.
Right, if a user has the CreateUser privilege or DropRole privilege, they can execute the drop role operation.
LGTM
/merge

/run-all-tests

Codecov Report

```diff
@@             Coverage Diff             @@
##             master     #13940   +/-   ##
===========================================
  Coverage   80.2117%   80.2117%
===========================================
  Files           482        482
  Lines        120885     120885
===========================================
  Hits          96964      96964
  Misses        16192      16192
  Partials       7729       7729
```

@imtbkcat merge failed.

/run-unit-test
/run-unit-test

/merge

/run-all-tests

cherry pick to release-3.0 failed

What problem does this PR solve?

In MySQL, a user with the `CREATE USER` privilege can execute `CREATE ROLE xxx` or `DROP ROLE xxx`. But TiDB has a bug in this check.

What is changed and how it works?

Add a check for the `CREATE USER` privilege. If users have the `CREATE USER` privilege, they can `CREATE ROLE` and `DROP ROLE`.

Check List
Tests
Code changes
Side effects
Related changes
Release note
CREATE ROLE