maria-developers team mailing list archive

[Sergei Golubchik <serg@xxxxxxxxxxx>]

Hi, Anel,

On Apr 25, Anel Husakovic wrote:
> revision-id: 585cd1f52e7 (mariadb-10.5.14-10-g585cd1f52e7)
> parent(s): 52b32c60c26
> author: Anel Husakovic
> committer: Anel Husakovic
> timestamp: 2022-02-14 13:59:24 +0100
> message:
> 
> MDEV-26875: Wrong user in SET DEFAULT ROLE error
> 
> - Caused by 7c02e8717de5, where 957cb7b7ba35 introduced the bug.
> 
> Reviewed by:
> 
> diff --git a/sql/sql_acl.cc b/sql/sql_acl.cc
> index c4e66cf5d73..e83bc5635dc 100644
> --- a/sql/sql_acl.cc
> +++ b/sql/sql_acl.cc
> @@ -3277,10 +3277,14 @@ static int check_user_can_set_role(THD *thd, const char *user,
>                                                  check_role_is_granted_callback,
>                                                  NULL) == -1))
>        {
> -        /* Role is not granted but current user can see the role */
> -        my_printf_error(ER_INVALID_ROLE, "User %`s@%`s has not been granted role %`s",
> -                        MYF(0), thd->security_ctx->priv_user,
> -                        thd->security_ctx->priv_host, rolename);
> +        /* If the SET ROLE is applied on the anonymous user, host is null */
> +        if (!host)
> +          my_printf_error(ER_INVALID_ROLE, "User %`s@%`s has not been granted role %`s",
> +                          MYF(0), thd->security_ctx->priv_user, thd->security_ctx->priv_host, rolename);

I don't understand it.
1) what does it mean? why for anonymous user you print priv_user@priv_host ?
2) do you have any tests for that? There are none in the commit

> +        else
> +          /* Role is not granted but current user can see the role */
> +          my_printf_error(ER_INVALID_ROLE, "User %`s@%`s has not been granted role %`s",
> +                          MYF(0), user, host, rolename);
>        }
>        else
>        {

Regards,
Sergei
VP of MariaDB Server Engineering
and security@xxxxxxxxxxx