
maria-developers team mailing list archive

Re: PLEASE REVIEW: (MDEV-7574) Security definer views don't work with CONNECT ODBC tables


Hi, Alexander!

On Jul 26, Alexander Barkov wrote:
> > +      if (!table || !table->mdl_ticket || table->mdl_ticket->get_type() == MDL_EXCLUSIVE)
> > +        return check_access(thd, FILE_ACL, db, NULL, NULL, 0, 0);
> > +      if (table->grant.privilege & FILE_ACL)
> > +        return false;
> > +      return true;
> >
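Review bot: the three-way condition on the first `+` line deserves a comment stating why those cases cannot rely on table->grant.privilege (no TABLE_LIST, no MDL ticket, or an exclusive lock as taken by the CREATE TABLE in the p1() test) so that only check_access() can answer there; a reader of the final version will otherwise not see why the grant bits are trusted alone in the remaining case. Also, the trailing `return true` denies without raising an error itself, so it is worth confirming that the caller reports ER_ACCESS_DENIED_ERROR on that path too, which is what the v1_baddefiner test expects.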
> > It passes your test case. In fact, your first fix passes it too :)
> 
> Yeah, I guess my condition that switches between checking
> grant.privilege and doing check_access() was effectively the same.
> But your version looks simpler.
> 
> > This one also passes the additional test I've added - where a user can
> > access the table, but view's definer cannot:
> >
> >    --connection default
> >    CREATE DEFINER=user@localhost SQL SECURITY DEFINER VIEW v1_baddefiner AS SELECT * FROM t1;
> >    --error ER_ACCESS_DENIED_ERROR
> >    SELECT * FROM v1_baddefiner;
> 
> This is a nice idea. Thanks.

Your first patch was

      if (table && table->grant.privilege & FILE_ACL)
        return false;
      return check_access(thd, FILE_ACL, db, NULL, NULL, 0, 0);

that is, it tried both table->grant.privilege and check_access(). We
agreed that it's wrong, but I wanted a test case for it.

> I just tried this:
> 
> # Run this as root:
> DROP TABLE IF EXISTS t1;
> DROP PROCEDURE IF EXISTS p1;
> CREATE PROCEDURE p1() SQL SECURITY DEFINER
>    CREATE TABLE t1 (a INT) ENGINE=CONNECT TABLE_TYPE=fix FILE_NAME='t1.fix';
> 
> # Run this as a user with no FILE_ACL
> CALL p1();
> 
> and it also worked as expected, CALL p1() succeeded.
> 
> The patch is OK. Thanks for the help with this.
> Can you please push this?

Sure. Thanks!
But I'll add your SP test case too.

Regards,
Sergei
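As an added illustration of the two patch versions compared above (a stand-alone model written for this page, not MariaDB's code): the decision logic of the first patch and of the final one, reduced to the inputs they consult, run through the v1_baddefiner view scenario and the CALL p1() procedure scenario. The type names, the FILE_ACL bit value and the assumption about whose security context check_access() answers for (the invoker while a view is read, the definer inside a SQL SECURITY DEFINER procedure) are placeholders and assumptions, chosen so that the model reproduces the test outcomes reported in the thread.

```cpp
// Added example, not MariaDB code: a stand-alone model of the FILE privilege
// check discussed in the thread, reduced to the inputs the two patch versions
// consult. Names and the FILE_ACL bit value are placeholders.
#include <cstdint>
#include <cstdio>

enum class MdlType { Shared, Exclusive };
constexpr uint32_t FILE_ACL = 1u << 0;   // placeholder bit, not the server's value

struct Table {
  bool has_mdl_ticket;   // models table->mdl_ticket != NULL
  MdlType mdl_type;      // models table->mdl_ticket->get_type()
  uint32_t grant_priv;   // models table->grant.privilege (resolved per table,
                         // i.e. the definer's rights for a DEFINER view)
};

// Models check_access(thd, FILE_ACL, ...): true means "denied". It answers for
// whoever thd's current security context is (assumption: the invoker while a
// view is read, the definer inside a SQL SECURITY DEFINER procedure).
static bool check_access_denied(bool ctx_has_file) { return !ctx_has_file; }

// First patch quoted by Sergei: trusts the grant bits when present, otherwise
// falls through to check_access(). Returns true when access is denied.
bool first_patch_denied(const Table* table, bool ctx_has_file) {
  if (table && (table->grant_priv & FILE_ACL))
    return false;
  return check_access_denied(ctx_has_file);
}

// Final patch: with no table, no MDL ticket, or an exclusive lock (CREATE TABLE)
// only check_access() can answer; otherwise the resolved grant bits decide alone.
bool final_patch_denied(const Table* table, bool ctx_has_file) {
  if (!table || !table->has_mdl_ticket || table->mdl_type == MdlType::Exclusive)
    return check_access_denied(ctx_has_file);
  if (table->grant_priv & FILE_ACL)
    return false;
  return true;
}

struct Outcome { bool first_denies; bool final_denies; };

// v1_baddefiner scenario: the invoker holds FILE, the view's definer does not.
// The grant bits resolved for the table are the definer's (no FILE) while
// thd's context is the invoker's (has FILE).
Outcome run_baddefiner_scenario() {
  Table t{true, MdlType::Shared, 0};
  const bool invoker_has_file = true;
  return {first_patch_denied(&t, invoker_has_file),
          final_patch_denied(&t, invoker_has_file)};
}

// CALL p1() scenario: CREATE TABLE takes an exclusive MDL lock, and inside a
// SQL SECURITY DEFINER procedure thd's context is the definer's (root, has FILE).
Outcome run_definer_sp_scenario() {
  Table t{true, MdlType::Exclusive, 0};
  const bool definer_has_file = true;
  return {first_patch_denied(&t, definer_has_file),
          final_patch_denied(&t, definer_has_file)};
}

int main() {
  Outcome v = run_baddefiner_scenario();
  Outcome p = run_definer_sp_scenario();
  std::printf("v1_baddefiner: first patch denies=%d, final patch denies=%d\n",
              v.first_denies, v.final_denies);
  std::printf("CALL p1():     first patch denies=%d, final patch denies=%d\n",
              p.first_denies, p.final_denies);
  return 0;
}
```

The model shows the defect Sergei's added test catches: for the view, the first patch falls through to check_access() and lets the invoker's own FILE privilege authorize access that the definer lacks, while the final patch trusts the resolved grant bits alone and denies. For the procedure, where the table does not exist yet and the lock is exclusive, both versions consult the definer's context and succeed, matching the CALL p1() result.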
