Chuck,
STATUS:
-------
Approved, but please reply to the question below
REQUIREMENTS:
-------------
None
OPTIONAL:
---------
1) Modify slightly wrong comment in test
2) Add test for BACKUP DATABASE * for user with rights.
QUESTION:
---------
Q1) What is EXTRA_ACL?
COMMENTARY:
-----------
Thank you for all the hard work in satisfying the reviewers. I know it's
been a bumpy ride on this bug...
DETAILS:
--------
=== modified file 'sql/sql_acl.h'
--- a/sql/sql_acl.h 2009-06-12 02:01:08 +0000
+++ b/sql/sql_acl.h 2009-06-30 18:31:56 +0000
@@ -52,13 +52,16 @@
4. acl_init() or whatever - to define behaviour for old privilege tables
5. sql_yacc.yy - for GRANT/REVOKE to work
*/
-#define EXTRA_ACL (1L << 29)
-#define NO_ACCESS (1L << 30)
+#define BACKUP_ACL (1L << 29)
+#define RESTORE_ACL (1L << 30)
+#define NO_ACCESS (1L << 31)
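Review bot: NO_ACCESS moves to (1L << 31), which on platforms where long is 32 bits shifts into the sign bit of a signed long, so the constant can come out negative and sign-extend when widened or compared against a larger type. Consider an unsigned suffix for these bit definitions, e.g. (1UL << 31), and confirm that the type holding the privilege bits is unsigned and at least 32 bits wide. Since EXTRA_ACL is removed and bit 29 is reused for BACKUP_ACL, also check that nothing still refers to EXTRA_ACL or depends on the old value of NO_ACCESS.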
Q1) What is EXTRA_ACL?
=== modified file 'mysql-test/suite/backup/r/backup_security.result'
--- a/mysql-test/suite/backup/r/backup_security.result 2009-05-21
06:25:17 +0000
+++ b/ mysql-test/suite/backup/r/backup_security.result 2009-06-30
18:31:56 +0000
@@ -1,1 +1,5 @@
DROP DATABASE IF EXISTS backup_test;
+#
+# Create database and data to test.
+# Create 2 users and grants rights as follows:
+# bup_no_rights - denied everything (poor chap)
1) bup_no_rights is granted SELECT privilege on backup_test_alt
+# Connect as user with rights and attempt backup and restore.
+#
+#
+# with_rights: Attempting backup. Should succeed
+#
BACKUP DATABASE backup_test to 'bup_with_rights.bak';
backup_id
#
-no_rights: Attempting restore. Should succeed
+#
+# with_rights: Attempting restore. Should succeed
+#
RESTORE FROM 'bup_with_rights.bak' OVERWRITE;
backup_id
#
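Review bot: in the lines quoted here both BACKUP DATABASE and RESTORE ... OVERWRITE are run by the same with_rights user, so this part of the result does not show that the two new privileges are checked independently of each other. Consider adding a case where a user holds only one of BACKUP or RESTORE on backup_test and the other operation is expected to fail.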
2) A test that "BACKUP DATABASE *" works for this user would be nice.
Chuck Bell wrote:
> #At file:///D:/source/bzr/mysql-6.0-bug-39580/ based on
> revid:charles.bell@stripped
>
> 2832 Chuck Bell 2009-06-30
> BUG#39580 : BACKUP/RESTORE should not use SUPER
>
> The backup system uses a privilege (SUPER) that is much more powerful
> than what is necessary to allow backup and restore.
>
> This patch changes the requirement of SUPER to two new privileges:
>
> BACKUP - required for backup operations
> RESTORE - required for restore operations
>
> These new privileges are set at the database-level thereby giving the
> ability to grant BACKUP or RESTORE to one or more users for a given
> database.
>
> This patch does not infer any additional rights to the user during
> the operation. The user must still have sufficient rights to read
> all objects for backup and create all objects for restore.
> @ mysql-test/r/events_grant.result
> New result file as a consequence of adding columns to the mysql tables.
> @ mysql-test/r/grant.result
> New result file as a consequence of adding columns to the mysql tables.
> @ mysql-test/r/lowercase_table_grant.result
> New result file as a consequence of adding columns to the mysql tables.
> @ mysql-test/r/ps.result
> New result file as a consequence of adding columns to the mysql tables.
> @ mysql-test/r/system_mysql_db.result
> New result file as a consequence of adding columns to the mysql tables.
> @ mysql-test/suite/backup/include/backup_check_privileges.inc
> Include file for checking privilege failures in backup_security test.
> @ mysql-test/suite/backup/r/backup_db_grants.result
> New result file as a consequence of adding columns to the mysql tables.
> @ mysql-test/suite/backup/r/backup_security.result
> New result file.
> @ mysql-test/suite/backup/t/backup_security.test
> Test reworked to explicitly deny all rights for one user and grant only
> the new privileges to the other and checks the security privileges after
> the backup operations.
> @ mysql-test/suite/funcs_1/r/is_column_privileges.result
> New result file as a consequence of adding columns to the mysql tables.
> @ mysql-test/suite/funcs_1/r/is_schema_privileges.result
> New result file as a consequence of adding columns to the mysql tables.
> @ mysql-test/suite/funcs_1/r/is_schema_privileges_is_mysql_test.result
> New result file as a consequence of adding columns to the mysql tables.
> @ mysql-test/suite/funcs_1/r/is_user_privileges.result
> New result file as a consequence of adding columns to the mysql tables.
> @ scripts/mysql_system_tables.sql
> Added new columns to user and db tables in mysql database.
> @ scripts/mysql_system_tables_data.sql
> Added new data for the new columns to user and db tables in mysql database.
> @ scripts/mysql_system_tables_fix.sql
> Added code to fix the mysql tables.
> @ sql/backup/backup_info.cc
> Moved checking for backup because we need the list of
> databases to check.
> @ sql/backup/kernel.cc
> Removed checking for SUPER privilege.
> @ sql/backup/restore_info.h
> Moved checking for restore because we need the list of
> databases to check.
> @ sql/share/errmsg.txt
> New error messages.
> @ sql/sql_acl.cc
> Added new column definitions for db table.
> @ sql/sql_acl.h
> Added new privilege declarations and associations for
> BACKUP and RESTORE.
> @ sql/sql_show.cc
> Added explanation of new columns for show.
> @ sql/sql_yacc.yy
> Added parser tags for grant recognition.
>
--
Jørgen Løland