From:He Zhenxing Date:March 9 2009 8:29am
Subject:bzr commit into mysql-6.0-bugteam branch (zhenxing.he:3112) Bug#34227
#At file:///media/sdb2/hezx/work/mysql/bzrwork/b34227/6.0-bugteam/

 3112 He Zhenxing	2009-03-09
      BUG#34227 Replication permission error message is misleading
      
      Originally, function check_global_access allowed access if any 
      of the rights were held by the user, but when more than one 
      right was checked, there was no 'any of' or 'one of' before the
      list of rights in the error message to reflect this.
      
      Add a new argument 'all' to check_global_access function, which
      determines whether all of the rights are required or any of them
      is sufficient to grant the access. And add 'any of' before the
      list of rights of the error message if 'all' is FALSE.
      
      If only one right is checked, or multiple rights are checked
      and all are required, then set 'all' to TRUE; If multiple
      rights are checked and any of them is sufficient, set 'all' to
      FALSE.
modified:
  sql/backup/kernel.cc
  sql/debug_sync.cc
  sql/mysql_priv.h
  sql/set_var.cc
  sql/sql_binlog.cc
  sql/sql_parse.cc
  sql/sql_trigger.cc
  storage/innobase/handler/ha_innodb.cc

=== modified file 'sql/backup/kernel.cc'
--- a/sql/backup/kernel.cc	2009-02-16 21:18:45 +0000
+++ b/sql/backup/kernel.cc	2009-03-09 08:29:34 +0000
@@ -494,7 +494,7 @@ int Backup_restore_ctx::prepare(::String
     In case of error, we write only to backup logs, because check_global_access()
     pushes the same error on the error stack.
   */
-  ret= check_global_access(m_thd, SUPER_ACL);
+  ret= check_global_access(m_thd, SUPER_ACL, TRUE);
   if (ret)
     return fatal_error(log_error(ER_SPECIFIC_ACCESS_DENIED_ERROR, "SUPER"));
 

=== modified file 'sql/debug_sync.cc'
--- a/sql/debug_sync.cc	2009-02-13 12:40:13 +0000
+++ b/sql/debug_sync.cc	2009-03-09 08:29:34 +0000
@@ -1452,7 +1452,7 @@ bool sys_var_debug_sync::check(THD *thd,
     global mutexes (e.g. LOCK_open). Waiting there forever would
     stall the whole server.
   */
-  DBUG_RETURN(check_global_access(thd, SUPER_ACL));
+  DBUG_RETURN(check_global_access(thd, SUPER_ACL, TRUE));
 }
 
 

=== modified file 'sql/mysql_priv.h'
--- a/sql/mysql_priv.h	2009-02-24 11:56:59 +0000
+++ b/sql/mysql_priv.h	2009-03-09 08:29:34 +0000
@@ -1151,7 +1151,7 @@ inline bool check_table_access(THD *thd,
 
 #endif /* MYSQL_SERVER */
 #if defined MYSQL_SERVER || defined INNODB_COMPATIBILITY_HOOKS
-bool check_global_access(THD *thd, ulong want_access);
+bool check_global_access(THD *thd, ulong want_access, bool all);
 #endif /* MYSQL_SERVER || INNODB_COMPATIBILITY_HOOKS */
 #ifdef MYSQL_SERVER
 

=== modified file 'sql/set_var.cc'
--- a/sql/set_var.cc	2009-03-05 18:49:37 +0000
+++ b/sql/set_var.cc	2009-03-09 08:29:34 +0000
@@ -3965,7 +3965,7 @@ int set_var::check(THD *thd)
     my_error(err, MYF(0), var->name);
     return -1;
   }
-  if ((type == OPT_GLOBAL && check_global_access(thd, SUPER_ACL)))
+  if ((type == OPT_GLOBAL && check_global_access(thd, SUPER_ACL, TRUE)))
     return 1;
   /* value is a NULL pointer if we are using SET ... = DEFAULT */
   if (!value)
@@ -4010,7 +4010,7 @@ int set_var::light_check(THD *thd)
     my_error(err, MYF(0), var->name);
     return -1;
   }
-  if (type == OPT_GLOBAL && check_global_access(thd, SUPER_ACL))
+  if (type == OPT_GLOBAL && check_global_access(thd, SUPER_ACL, TRUE))
     return 1;
 
   if (value && ((!value->fixed && value->fix_fields(thd, &value)) ||
@@ -4588,7 +4588,7 @@ end_with_read_lock:
 /* even session variable here requires SUPER, because of -#o,file */
 bool sys_var_thd_dbug::check(THD *thd, set_var *var)
 {
-  return check_global_access(thd, SUPER_ACL);
+  return check_global_access(thd, SUPER_ACL, TRUE);
 }
 
 bool sys_var_thd_dbug::update(THD *thd, set_var *var)

=== modified file 'sql/sql_binlog.cc'
--- a/sql/sql_binlog.cc	2009-01-26 16:03:39 +0000
+++ b/sql/sql_binlog.cc	2009-03-09 08:29:34 +0000
@@ -39,7 +39,7 @@ void mysql_client_binlog_statement(THD* 
                             thd->lex->comment.length : 2048),
                      thd->lex->comment.str));
 
-  if (check_global_access(thd, SUPER_ACL))
+  if (check_global_access(thd, SUPER_ACL, TRUE))
     DBUG_VOID_RETURN;
 
   size_t coded_len= thd->lex->comment.length + 1;

=== modified file 'sql/sql_parse.cc'
--- a/sql/sql_parse.cc	2009-03-05 10:26:27 +0000
+++ b/sql/sql_parse.cc	2009-03-09 08:29:34 +0000
@@ -1198,7 +1198,7 @@ bool dispatch_command(enum enum_server_c
 
       status_var_increment(thd->status_var.com_other);
       thd->enable_slow_log= opt_log_slow_admin_statements;
-      if (check_global_access(thd, REPL_SLAVE_ACL))
+      if (check_global_access(thd, REPL_SLAVE_ACL, TRUE))
 	break;
 
       /* TODO: The following has to be changed to an 8 byte integer */
@@ -1225,7 +1225,7 @@ bool dispatch_command(enum enum_server_c
     ulong options= (ulong) (uchar) packet[0];
     if (trans_commit_implicit(thd))
       break;
-    if (check_global_access(thd,RELOAD_ACL))
+    if (check_global_access(thd,RELOAD_ACL, TRUE))
       break;
     general_log_print(thd, command, NullS);
     if (reload_acl_and_cache(thd, options, (TABLE_LIST*) 0, &not_used))
@@ -1239,7 +1239,7 @@ bool dispatch_command(enum enum_server_c
   case COM_SHUTDOWN:
   {
     status_var_increment(thd->status_var.com_other);
-    if (check_global_access(thd,SHUTDOWN_ACL))
+    if (check_global_access(thd,SHUTDOWN_ACL, TRUE))
       break; /* purecov: inspected */
     /*
       If the client is < 4.1.3, it is going to send us no argument; then
@@ -1326,7 +1326,7 @@ bool dispatch_command(enum enum_server_c
   case COM_PROCESS_INFO:
     status_var_increment(thd->status_var.com_stat[SQLCOM_SHOW_PROCESSLIST]);
     if (!thd->security_ctx->priv_user[0] &&
-        check_global_access(thd, PROCESS_ACL))
+        check_global_access(thd, PROCESS_ACL, TRUE))
       break;
     general_log_print(thd, command, NullS);
     mysqld_list_processes(thd,
@@ -1362,7 +1362,7 @@ bool dispatch_command(enum enum_server_c
   }
   case COM_DEBUG:
     status_var_increment(thd->status_var.com_other);
-    if (check_global_access(thd, SUPER_ACL))
+    if (check_global_access(thd, SUPER_ACL, TRUE))
       break;					/* purecov: inspected */
     mysql_print_status();
     general_log_print(thd, command, NullS);
@@ -1743,7 +1743,7 @@ bool sp_process_definer(THD *thd)
     if ((strcmp(lex->definer->user.str, thd->security_ctx->priv_user) ||
          my_strcasecmp(system_charset_info, lex->definer->host.str,
                        thd->security_ctx->priv_host)) &&
-        check_global_access(thd, SUPER_ACL))
+        check_global_access(thd, SUPER_ACL, TRUE))
     {
       my_error(ER_SPECIFIC_ACCESS_DENIED_ERROR, MYF(0), "SUPER");
       DBUG_RETURN(TRUE);
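Review bot: The `my_error(ER_SPECIFIC_ACCESS_DENIED_ERROR, MYF(0), "SUPER")` that follows the failed check looks redundant, because check_global_access() already calls my_error() with the same error code before returning 1 (see its body later in this file, and the comment in the sql/backup/kernel.cc hunk). The same access-denied error therefore appears to be raised twice for one statement, and the second copy bypasses the message format this commit centralises. Dropping the extra call here and the identical one in the sql/sql_trigger.cc hunk would leave a single place that builds the text. sp_process_definer starts and ends outside this hunk, so the surrounding error handling should be confirmed before removing it.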
@@ -2097,7 +2097,7 @@ mysql_execute_command(THD *thd)
 #ifndef EMBEDDED_LIBRARY
   case SQLCOM_PURGE:
   {
-    if (check_global_access(thd, SUPER_ACL))
+    if (check_global_access(thd, SUPER_ACL, TRUE))
       goto error;
     /* PURGE MASTER LOGS TO 'file' */
     res = purge_master_logs(thd, lex->to_log);
@@ -2107,7 +2107,7 @@ mysql_execute_command(THD *thd)
   {
     Item *it;
 
-    if (check_global_access(thd, SUPER_ACL))
+    if (check_global_access(thd, SUPER_ACL, TRUE))
       goto error;
     /* PURGE MASTER LOGS BEFORE 'data' */
     it= (Item *)lex->value_list.head();
@@ -2135,7 +2135,7 @@ mysql_execute_command(THD *thd)
     int num= 0;
     res= 0;
 
-    if (check_global_access(thd, SUPER_ACL))
+    if (check_global_access(thd, SUPER_ACL, TRUE))
       goto error;
 
     /*
@@ -2246,7 +2246,7 @@ mysql_execute_command(THD *thd)
   break;
   case SQLCOM_SHOW_NEW_MASTER:
   {
-    if (check_global_access(thd, REPL_SLAVE_ACL))
+    if (check_global_access(thd, REPL_SLAVE_ACL, TRUE))
       goto error;
     /* This query don't work now. See comment in repl_failsafe.cc */
 #ifndef WORKING_NEW_MASTER
@@ -2261,14 +2261,14 @@ mysql_execute_command(THD *thd)
 #ifdef HAVE_REPLICATION
   case SQLCOM_SHOW_SLAVE_HOSTS:
   {
-    if (check_global_access(thd, REPL_SLAVE_ACL))
+    if (check_global_access(thd, REPL_SLAVE_ACL, TRUE))
       goto error;
     res = show_slave_hosts(thd);
     break;
   }
   case SQLCOM_SHOW_BINLOG_EVENTS:
   {
-    if (check_global_access(thd, REPL_SLAVE_ACL))
+    if (check_global_access(thd, REPL_SLAVE_ACL, TRUE))
       goto error;
     res = mysql_show_binlog_events(thd);
     break;
@@ -2373,7 +2373,7 @@ mysql_execute_command(THD *thd)
 #ifdef HAVE_REPLICATION
   case SQLCOM_CHANGE_MASTER:
   {
-    if (check_global_access(thd, SUPER_ACL))
+    if (check_global_access(thd, SUPER_ACL, TRUE))
       goto error;
     pthread_mutex_lock(&LOCK_active_mi);
     res = change_master(thd,active_mi);
@@ -2383,7 +2383,7 @@ mysql_execute_command(THD *thd)
   case SQLCOM_SHOW_SLAVE_STAT:
   {
     /* Accept one of two privileges */
-    if (check_global_access(thd, SUPER_ACL | REPL_CLIENT_ACL))
+    if (check_global_access(thd, SUPER_ACL | REPL_CLIENT_ACL, FALSE))
       goto error;
     pthread_mutex_lock(&LOCK_active_mi);
     if (active_mi != NULL)
@@ -2402,7 +2402,7 @@ mysql_execute_command(THD *thd)
   case SQLCOM_SHOW_MASTER_STAT:
   {
     /* Accept one of two privileges */
-    if (check_global_access(thd, SUPER_ACL | REPL_CLIENT_ACL))
+    if (check_global_access(thd, SUPER_ACL | REPL_CLIENT_ACL, FALSE))
       goto error;
     res = show_binlog_info(thd);
     break;
@@ -2411,14 +2411,14 @@ mysql_execute_command(THD *thd)
 #endif /* HAVE_REPLICATION */
   case SQLCOM_SHOW_ENGINE_STATUS:
     {
-      if (check_global_access(thd, PROCESS_ACL))
+      if (check_global_access(thd, PROCESS_ACL, TRUE))
         goto error;
       res = ha_show_status(thd, lex->create_info.db_type, HA_ENGINE_STATUS);
       break;
     }
   case SQLCOM_SHOW_ENGINE_MUTEX:
     {
-      if (check_global_access(thd, PROCESS_ACL))
+      if (check_global_access(thd, PROCESS_ACL, TRUE))
         goto error;
       res = ha_show_status(thd, lex->create_info.db_type, HA_ENGINE_MUTEX);
       break;
@@ -2843,7 +2843,7 @@ ddl_blocker_err:
     goto error;
 #else
     {
-      if (check_global_access(thd, SUPER_ACL))
+      if (check_global_access(thd, SUPER_ACL, TRUE))
 	goto error;
       res = show_binlogs(thd);
       break;
@@ -3341,7 +3341,7 @@ ddl_blocker_err:
   break;
   case SQLCOM_SHOW_PROCESSLIST:
     if (!thd->security_ctx->priv_user[0] &&
-        check_global_access(thd,PROCESS_ACL))
+        check_global_access(thd,PROCESS_ACL, TRUE))
       break;
     mysqld_list_processes(thd,
 			  (thd->security_ctx->master_access & PROCESS_ACL ?
@@ -3792,7 +3792,7 @@ ddl_blocker_err:
   case SQLCOM_CREATE_USER:
   {
     if (check_access(thd, INSERT_ACL, "mysql", 0, 1, 1, 0) &&
-        check_global_access(thd,CREATE_USER_ACL))
+        check_global_access(thd,CREATE_USER_ACL, TRUE))
       break;
     /* Conditionally writes to binlog */
     if (!(res= mysql_create_user(thd, lex->users_list)))
@@ -3802,7 +3802,7 @@ ddl_blocker_err:
   case SQLCOM_DROP_USER:
   {
     if (check_access(thd, DELETE_ACL, "mysql", 0, 1, 1, 0) &&
-        check_global_access(thd,CREATE_USER_ACL))
+        check_global_access(thd,CREATE_USER_ACL, TRUE))
       break;
     /* Conditionally writes to binlog */
     if (!(res= mysql_drop_user(thd, lex->users_list)))
@@ -3812,7 +3812,7 @@ ddl_blocker_err:
   case SQLCOM_RENAME_USER:
   {
     if (check_access(thd, UPDATE_ACL, "mysql", 0, 1, 1, 0) &&
-        check_global_access(thd,CREATE_USER_ACL))
+        check_global_access(thd,CREATE_USER_ACL, TRUE))
       break;
     /* Conditionally writes to binlog */
     if (!(res= mysql_rename_user(thd, lex->users_list)))
@@ -3822,7 +3822,7 @@ ddl_blocker_err:
   case SQLCOM_REVOKE_ALL:
   {
     if (check_access(thd, UPDATE_ACL, "mysql", 0, 1, 1, 0) &&
-        check_global_access(thd,CREATE_USER_ACL))
+        check_global_access(thd,CREATE_USER_ACL, TRUE))
       break;
     /* Conditionally writes to binlog */
     if (!(res = mysql_revoke_all(thd, lex->users_list)))
@@ -3940,7 +3940,7 @@ ddl_blocker_err:
   case SQLCOM_FLUSH:
   {
     bool write_to_binlog;
-    if (check_global_access(thd,RELOAD_ACL))
+    if (check_global_access(thd,RELOAD_ACL, TRUE))
       goto error;
 
     /*
@@ -4564,7 +4564,7 @@ create_sp_error:
     res= mysql_xa_recover(thd);
     break;
   case SQLCOM_ALTER_TABLESPACE:
-    if (check_global_access(thd, CREATE_TABLESPACE_ACL))
+    if (check_global_access(thd, CREATE_TABLESPACE_ACL, TRUE))
       break;
     if (!(res= mysql_alter_tablespace(thd, lex->alter_tablespace_info)))
       my_ok(thd);
@@ -4593,7 +4593,7 @@ create_sp_error:
     LEX *lex= thd->lex;
     DBUG_PRINT("info", ("case SQLCOM_CREATE_SERVER"));
 
-    if (check_global_access(thd, SUPER_ACL))
+    if (check_global_access(thd, SUPER_ACL, TRUE))
       break;
 
     if ((error= create_server(thd, &lex->server_options)))
@@ -4612,7 +4612,7 @@ create_sp_error:
     LEX *lex= thd->lex;
     DBUG_PRINT("info", ("case SQLCOM_ALTER_SERVER"));
 
-    if (check_global_access(thd, SUPER_ACL))
+    if (check_global_access(thd, SUPER_ACL, TRUE))
       break;
 
     if ((error= alter_server(thd, &lex->server_options)))
@@ -4631,7 +4631,7 @@ create_sp_error:
     LEX *lex= thd->lex;
     DBUG_PRINT("info", ("case SQLCOM_DROP_SERVER"));
 
-    if (check_global_access(thd, SUPER_ACL))
+    if (check_global_access(thd, SUPER_ACL, TRUE))
       break;
 
     if ((err_code= drop_server(thd, &lex->server_options)))
@@ -5055,7 +5055,7 @@ static bool check_show_access(THD *thd, 
   switch (get_schema_table_idx(table->schema_table)) {
   case SCH_SCHEMATA:
     return (specialflag & SPECIAL_SKIP_SHOW_DB) &&
-      check_global_access(thd, SHOW_DB_ACL);
+      check_global_access(thd, SHOW_DB_ACL, TRUE);
 
   case SCH_TABLE_NAMES:
   case SCH_TABLES:
@@ -5328,13 +5328,14 @@ bool check_some_access(THD *thd, ulong w
   check for global access and give descriptive error message if it fails.
 
   @param thd			Thread handler
-  @param want_access		Use should have any of these global rights
-
-  @warning
-    One gets access right if one has ANY of the rights in want_access.
-    This is useful as one in most cases only need one global right,
-    but in some case we want to check if the user has SUPER or
-    REPL_CLIENT_ACL rights.
+  @param want_access		The global rights user should have
+  @param all                    If TRUE, all of the rights specified by
+                                @a want_access are required, if FALSE, then
+                                any of the rights is sufficient
+
+  @note When there is only one right to check, do not set @a all to
+    FALSE to avoid the unecessary 'any of ' in the error message if
+    check failed.
 
   @retval
     0	ok
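Review bot: The new @note explains `all` only in terms of the error text, but the flag also decides who is let through: with FALSE and an OR'd mask, holding any single right is enough. The removed @warning said this explicitly, and a replacement such as `@warning @a all changes the access decision, not only the message; pass FALSE only where any one of the rights is meant to be sufficient.` would keep that caution for future callers. In the @note, 'unecessary' should read 'unnecessary' and 'if check failed' would read better as 'if the check fails'.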
@@ -5342,13 +5343,26 @@ bool check_some_access(THD *thd, ulong w
     1	Access denied.  In this case an error is sent to the client
 */
 
-bool check_global_access(THD *thd, ulong want_access)
+bool check_global_access(THD *thd, ulong want_access, bool all)
 {
 #ifndef NO_EMBEDDED_ACCESS_CHECKS
   char command[128];
-  if ((thd->security_ctx->master_access & want_access))
-    return 0;
-  get_privilege_desc(command, sizeof(command), want_access);
+  char *pdesc=command;
+  if (!all)
+  {
+    /* any of the rights is sufficient */
+    strmov(pdesc, "any of ");
+    pdesc+= 7;                                  // skip the "any of "
+    if ((thd->security_ctx->master_access & want_access))
+      return 0;
+  }
+  else
+  {
+    /* all rights are required */
+    if (!(~thd->security_ctx->master_access & want_access))
+      return 0;
+  }
+  get_privilege_desc(pdesc, sizeof(pdesc), want_access);
   my_error(ER_SPECIFIC_ACCESS_DENIED_ERROR, MYF(0), command);
   return 1;
 #else
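Review bot: `get_privilege_desc(pdesc, sizeof(pdesc), want_access)` passes the size of a `char *` (4 or 8 bytes) rather than the space left in `command`, so the privilege list is cut to a handful of characters. This cannot overrun the 128-byte buffer, but it truncates exactly the message the commit is meant to fix; "SUPER,REPLICATION CLIENT" for the two FALSE callers will not fit. The length should be the remaining room, `get_privilege_desc(pdesc, sizeof(command) - (pdesc - command), want_access);`. The hard-coded `pdesc+= 7` can also go by using the end pointer strmov() returns, `pdesc= strmov(pdesc, "any of ");`, ideally after the access test so the success path does no string work. The function body continues past the `#else` outside this hunk.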

=== modified file 'sql/sql_trigger.cc'
--- a/sql/sql_trigger.cc	2009-01-16 11:53:32 +0000
+++ b/sql/sql_trigger.cc	2009-03-09 08:29:34 +0000
@@ -621,7 +621,7 @@ bool Table_triggers_list::create_trigger
                      lex->definer->host.str,
                      thd->security_ctx->priv_host)))
   {
-    if (check_global_access(thd, SUPER_ACL))
+    if (check_global_access(thd, SUPER_ACL, TRUE))
     {
       my_error(ER_SPECIFIC_ACCESS_DENIED_ERROR, MYF(0), "SUPER");
       return TRUE;

=== modified file 'storage/innobase/handler/ha_innodb.cc'
--- a/storage/innobase/handler/ha_innodb.cc	2009-03-03 06:05:05 +0000
+++ b/storage/innobase/handler/ha_innodb.cc	2009-03-09 08:29:34 +0000
@@ -4963,7 +4963,7 @@ innodb_check_for_record_too_big_error(
 See http://bugs.mysql.com/32710 for expl. why we choose PROCESS. */
 #define IS_MAGIC_TABLE_AND_USER_DENIED_ACCESS(table_name, thd) \
 	(row_is_magic_monitor_table(table_name) \
-	 && check_global_access(thd, PROCESS_ACL))
+	 && check_global_access(thd, PROCESS_ACL, TRUE))
 
 /*********************************************************************
 Creates a table definition to an InnoDB database. */
