List: Commits
From: Jørgen Løland
Date: July 1 2009 11:59am
Subject: Re: bzr commit into mysql-6.0-backup branch (charles.bell:2832) Bug#39580
Chuck,

STATUS:
-------
Approved, but please reply to the question below

REQUIREMENTS:
-------------
None

OPTIONAL:
---------
1) Modify slightly wrong comment in test
2) Add test for BACKUP DATABASE * for user with rights.

QUESTION:
---------
Q1) What is EXTRA_ACL?

COMMENTARY:
-----------
Thank you for all the hard work in satisfying the reviewers. I know it's 
been a bumpy ride on this bug...


DETAILS:
--------
=== modified file 'sql/sql_acl.h'
--- a/sql/sql_acl.h	2009-06-12 02:01:08 +0000
+++ b/sql/sql_acl.h	2009-06-30 18:31:56 +0000
@@ -52,13 +52,16 @@
    4. acl_init() or whatever - to define behaviour for old privilege tables
    5. sql_yacc.yy - for GRANT/REVOKE to work
  */
-#define EXTRA_ACL	(1L << 29)
-#define NO_ACCESS	(1L << 30)
+#define BACKUP_ACL   (1L << 29)
+#define RESTORE_ACL   (1L << 30)
+#define NO_ACCESS	(1L << 31)
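
Review bot: NO_ACCESS at (1L << 31) now lands in the sign bit wherever long is 32 bits wide (Windows and 32-bit builds), so shifting a signed 1L overflows and the constant can come out negative or sign-extend when widened. Suggest an unsigned literal, (1UL << 31), and confirming that the type holding the privilege mask has room for bit 31. Bit 29 is also reused from EXTRA_ACL for BACKUP_ACL, so any remaining reference to EXTRA_ACL has to be cleaned up together with the places listed in the comment above. Minor: the two new defines are aligned with spaces where the neighbouring lines use a tab.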

Q1) What is EXTRA_ACL?


=== modified file 'mysql-test/suite/backup/r/backup_security.result'
--- a/mysql-test/suite/backup/r/backup_security.result	2009-05-21 
06:25:17 +0000
+++ b/ mysql-test/suite/backup/r/backup_security.result	2009-06-30 
18:31:56 +0000
@@ -1,1 +1,5 @@
  DROP DATABASE IF EXISTS backup_test;
+#
+# Create database and data to test.
+# Create 2 users and grants rights as follows:
+#   bup_no_rights   - denied everything (poor chap)
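
Review bot: The header comment describes bup_no_rights as denied everything, so a failed BACKUP by that user does not show which check rejected it; missing read rights would fail the same way. If it is not already covered further down, add a user that can read backup_test but lacks BACKUP and record the specific error, so the result file proves that the new privilege is what is being enforced. Minor: "Create 2 users and grants rights" should read "grant".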

1) bup_no_rights is granted SELECT privilege on backup_test_alt

+# Connect as user with rights and attempt backup and restore.
+#
+#
+# with_rights: Attempting backup. Should succeed
+#
  BACKUP DATABASE backup_test to 'bup_with_rights.bak';
  backup_id
  #
-no_rights: Attempting restore. Should succeed
+#
+# with_rights: Attempting restore. Should succeed
+#
  RESTORE FROM 'bup_with_rights.bak' OVERWRITE;
  backup_id
  #
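
Review bot: The with_rights section runs both BACKUP and RESTORE as one user holding both privileges, which cannot show that the two are checked independently. Suggest a user granted BACKUP only whose RESTORE FROM ... OVERWRITE is expected to fail, and the reverse case, since OVERWRITE lets a restore replace an existing database and is the more destructive of the two rights.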

2) A test that "BACKUP DATABASE *" works for this user would be nice.



Chuck Bell wrote:
> #At file:///D:/source/bzr/mysql-6.0-bug-39580/ based on
> revid:charles.bell@stripped
> 
>  2832 Chuck Bell	2009-06-30
>       BUG#39580 : BACKUP/RESTORE should not use SUPER
>       
>       The backup system uses a privilege (SUPER) that is much more powerful
>       than what is necessary to allow backup and restore. 
>       
>       This patch changes the requirement of SUPER to two new privileges:
>       
>       BACKUP - required for backup operations
>       RESTORE - required for restore operations
>       
>       These new privileges are set at the database-level thereby giving the
>       ability to grant BACKUP or RESTORE to one or more users for a given
>       database.
>       
>       This patch does not infer any additional rights to the user during
>       the operation. The user must still have sufficient rights to read
>       all objects for backup and create all objects for restore.
>      @ mysql-test/r/events_grant.result
>         New result file as a consequence of adding columns to the mysql tables.
>      @ mysql-test/r/grant.result
>         New result file as a consequence of adding columns to the mysql tables.
>      @ mysql-test/r/lowercase_table_grant.result
>         New result file as a consequence of adding columns to the mysql tables.
>      @ mysql-test/r/ps.result
>         New result file as a consequence of adding columns to the mysql tables.
>      @ mysql-test/r/system_mysql_db.result
>         New result file as a consequence of adding columns to the mysql tables.
>      @ mysql-test/suite/backup/include/backup_check_privileges.inc
>         Include file for checking privilege failures in backup_security test.
>      @ mysql-test/suite/backup/r/backup_db_grants.result
>         New result file as a consequence of adding columns to the mysql tables.
>      @ mysql-test/suite/backup/r/backup_security.result
>         New result file.
>      @ mysql-test/suite/backup/t/backup_security.test
>         Test reworked to explicitly deny all rights for one user and grant only
>         the new privileges to the other and checks the security privileges after
>         the backup operations.
>      @ mysql-test/suite/funcs_1/r/is_column_privileges.result
>         New result file as a consequence of adding columns to the mysql tables.
>      @ mysql-test/suite/funcs_1/r/is_schema_privileges.result
>         New result file as a consequence of adding columns to the mysql tables.
>      @ mysql-test/suite/funcs_1/r/is_schema_privileges_is_mysql_test.result
>         New result file as a consequence of adding columns to the mysql tables.
>      @ mysql-test/suite/funcs_1/r/is_user_privileges.result
>         New result file as a consequence of adding columns to the mysql tables.
>      @ scripts/mysql_system_tables.sql
>         Added new columns to user and db tables in mysql database.
>      @ scripts/mysql_system_tables_data.sql
>         Added new data for the new columns to user and db tables in mysql database.
>      @ scripts/mysql_system_tables_fix.sql
>         Added code to fix the mysql tables.
>      @ sql/backup/backup_info.cc
>         Moved checking for backup because we need the list of
>         databases to check.
>      @ sql/backup/kernel.cc
>         Removed checking for SUPER privilege.
>      @ sql/backup/restore_info.h
>         Moved checking for restore because we need the list of
>         databases to check.
>      @ sql/share/errmsg.txt
>         New error messages.
>      @ sql/sql_acl.cc
>         Added new column definitions for db table.
>      @ sql/sql_acl.h
>         Added new privilege declarations and associations for
>         BACKUP and RESTORE.
>      @ sql/sql_show.cc
>         Added explanation of new columns for show.
>      @ sql/sql_yacc.yy
>         Added parser tags for grant recognition.
> 


-- 
Jørgen Løland