MDEV-22313: Neither SHOW CREATE USER nor SHOW GRANTS prints a user's default role

an3l · an3l · commit ebc9bbb4865e · 2020-10-24T02:03:42.000+02:00
diff --git a/mysql-test/r/grant5.result b/mysql-test/r/grant5.result
@@ -39,3 +39,35 @@ connection default;
 disconnect u1;
 drop user u1@localhost;
 drop database mysqltest1;
+CREATE ROLE test_role;
+CREATE USER test_user;
+GRANT test_role TO test_user;
+SET DEFAULT ROLE test_role FOR test_user;
+SHOW GRANTS FOR test_user;
+Grants for test_user@%
+GRANT test_role TO 'test_user'@'%'
+GRANT USAGE ON *.* TO 'test_user'@'%'
+SET DEFAULT ROLE test_role FOR 'test_user'@'%'
+SET DEFAULT ROLE NONE for test_user;
+SHOW GRANTS FOR test_user;
+Grants for test_user@%
+GRANT test_role TO 'test_user'@'%'
+GRANT USAGE ON *.* TO 'test_user'@'%'
+SET ROLE test_role;
+SET DEFAULT ROLE test_role;
+SHOW GRANTS;
+Grants for root@localhost
+GRANT test_role TO 'root'@'localhost' WITH ADMIN OPTION
+GRANT ALL PRIVILEGES ON *.* TO 'root'@'localhost' WITH GRANT OPTION
+GRANT PROXY ON ''@'%' TO 'root'@'localhost' WITH GRANT OPTION
+GRANT USAGE ON *.* TO 'test_role'
+SET DEFAULT ROLE test_role FOR 'root'@'localhost'
+SET DEFAULT ROLE NONE;
+SHOW GRANTS;
+Grants for root@localhost
+GRANT test_role TO 'root'@'localhost' WITH ADMIN OPTION
+GRANT ALL PRIVILEGES ON *.* TO 'root'@'localhost' WITH GRANT OPTION
+GRANT PROXY ON ''@'%' TO 'root'@'localhost' WITH GRANT OPTION
+GRANT USAGE ON *.* TO 'test_role'
+DROP USER test_user;
+DROP ROLE test_role;
diff --git a/mysql-test/suite/roles/set_default_role_clear.result b/mysql-test/suite/roles/set_default_role_clear.result
@@ -17,6 +17,7 @@ Grants for test_user@localhost
 GRANT test_role TO 'test_user'@'localhost'
 GRANT USAGE ON *.* TO 'test_user'@'localhost'
 GRANT SELECT ON *.* TO 'test_role'
+SET DEFAULT ROLE test_role FOR 'test_user'@'localhost'
 select user, host, default_role from mysql.user where user='test_user';
 user	host	default_role
 test_user	localhost	test_role
diff --git a/mysql-test/suite/roles/set_default_role_for.result b/mysql-test/suite/roles/set_default_role_for.result
@@ -21,6 +21,7 @@ Grants for user_a@localhost
 GRANT role_a TO 'user_a'@'localhost'
 GRANT USAGE ON *.* TO 'user_a'@'localhost'
 GRANT SELECT ON *.* TO 'role_a'
+SET DEFAULT ROLE role_a FOR 'user_a'@'localhost'
 select user, host, default_role from mysql.user where user like 'user_%';
 user	host	default_role
 user_a	localhost	role_a
@@ -42,6 +43,7 @@ Grants for user_b@localhost
 GRANT role_b TO 'user_b'@'localhost'
 GRANT USAGE ON *.* TO 'user_b'@'localhost'
 GRANT INSERT, UPDATE ON *.* TO 'role_b'
+SET DEFAULT ROLE role_b FOR 'user_b'@'localhost'
 select user, host, default_role from mysql.user where user like 'user_%';
 ERROR 42000: SELECT command denied to user 'user_b'@'localhost' for table 'user'
 insert ignore into mysql.user (user, host) values ('someuser', 'somehost');
diff --git a/mysql-test/suite/roles/set_default_role_invalid.result b/mysql-test/suite/roles/set_default_role_invalid.result
@@ -24,6 +24,7 @@ Grants for test_user@localhost
 GRANT test_role TO 'test_user'@'localhost'
 GRANT USAGE ON *.* TO 'test_user'@'localhost'
 GRANT SELECT ON *.* TO 'test_role'
+SET DEFAULT ROLE test_role FOR 'test_user'@'localhost'
 select user, host, default_role from mysql.user where user='test_user';
 user	host	default_role
 test_user	localhost	test_role
@@ -71,6 +72,7 @@ GRANT r1 TO 'b'@'%'
 GRANT r2 TO 'b'@'%'
 GRANT USAGE ON *.* TO 'b'@'%'
 GRANT SELECT ON `mysql`.* TO 'b'@'%'
+SET DEFAULT ROLE r2 FOR 'b'@'%'
 SET DEFAULT ROLE r1 FOR a;
 ERROR 42000: Access denied for user 'b'@'%' to database 'mysql'
 SELECT CURRENT_ROLE;
@@ -96,6 +98,7 @@ GRANT r1 TO 'b'@'%'
 GRANT r2 TO 'b'@'%'
 GRANT USAGE ON *.* TO 'b'@'%'
 GRANT SELECT, UPDATE ON `mysql`.* TO 'b'@'%'
+SET DEFAULT ROLE r2 FOR 'b'@'%'
 SET DEFAULT ROLE r1 FOR a;
 ERROR OP000: User `a@%` has not been granted role `r1`
 SET DEFAULT ROLE invalid_role;
diff --git a/mysql-test/suite/roles/set_default_role_new_connection.result b/mysql-test/suite/roles/set_default_role_new_connection.result
@@ -23,6 +23,7 @@ Grants for test_user@localhost
 GRANT test_role TO 'test_user'@'localhost'
 GRANT USAGE ON *.* TO 'test_user'@'localhost'
 GRANT SELECT ON *.* TO 'test_role'
+SET DEFAULT ROLE test_role FOR 'test_user'@'localhost'
 select user, host, default_role from mysql.user where user = 'test_user';
 user	host	default_role
 test_user	localhost	test_role
@@ -51,6 +52,7 @@ Grants for test_user@localhost
 GRANT test_role TO 'test_user'@'localhost'
 GRANT USAGE ON *.* TO 'test_user'@'localhost'
 GRANT SELECT ON *.* TO 'test_role'
+SET DEFAULT ROLE test_role FOR 'test_user'@'localhost'
 select user, host, default_role from mysql.user where user = 'test_user';
 user	host	default_role
 test_user	localhost	test_role
diff --git a/mysql-test/t/grant5.test b/mysql-test/t/grant5.test
@@ -52,6 +52,24 @@ disconnect u1;
 drop user u1@localhost;
 drop database mysqltest1;
 
+#
+# MDEV-22313: Neither SHOW CREATE USER nor SHOW GRANTS prints a user's default role
+#
+CREATE ROLE test_role;
+CREATE USER test_user;
+GRANT test_role TO test_user;
+SET DEFAULT ROLE test_role FOR test_user;
+SHOW GRANTS FOR test_user;
+SET DEFAULT ROLE NONE for test_user;
+SHOW GRANTS FOR test_user;
+SET ROLE test_role;
+SET DEFAULT ROLE test_role;
+SHOW GRANTS;
+SET DEFAULT ROLE NONE;
+SHOW GRANTS;
+DROP USER test_user;
+DROP ROLE test_role;
+
 #
 # End of 10.1 tests
 #
diff --git a/sql/sql_acl.cc b/sql/sql_acl.cc
@@ -353,8 +353,9 @@ static void update_hostname(acl_host_and_ip *host, const char *hostname);
 static ulong get_sort(uint count,...);
 static bool show_proxy_grants (THD *, const char *, const char *,
                                char *, size_t);
-static bool show_role_grants(THD *, const char *, const char *,
+static bool show_role_grants(THD *, const char *,
                              ACL_USER_BASE *, char *, size_t);
+static bool show_default_role(THD *, ACL_USER *, char *, size_t);
 static bool show_global_privileges(THD *, ACL_USER_BASE *,
                                    bool, char *, size_t);
 static bool show_database_privileges(THD *, const char *, const char *,
@@ -8531,7 +8532,7 @@ static bool print_grants_for_role(THD *thd, ACL_ROLE * role)
 {
   char buff[1024];
 
-  if (show_role_grants(thd, role->user.str, "", role, buff, sizeof(buff)))
+  if (show_role_grants(thd, "", role, buff, sizeof(buff)))
     return TRUE;
 
   if (show_global_privileges(thd, role, TRUE, buff, sizeof(buff)))
@@ -8746,7 +8747,7 @@ bool mysql_show_grants(THD *thd, LEX_USER *lex_user)
     }
 
     /* Show granted roles to acl_user */
-    if (show_role_grants(thd, username, hostname, acl_user, buff, sizeof(buff)))
+    if (show_role_grants(thd, hostname, acl_user, buff, sizeof(buff)))
       goto end;
 
     /* Add first global access grants */
@@ -8795,6 +8796,14 @@ bool mysql_show_grants(THD *thd, LEX_USER *lex_user)
     }
   }
 
+  if (username)
+  {
+		/* Show default role to acl_user */
+		if (show_default_role(thd, acl_user, buff, sizeof(buff)))
+		  goto end;
+  }
+
+
   error= 0;
 end:
   mysql_mutex_unlock(&acl_cache->lock);
@@ -8821,15 +8830,44 @@ static ROLE_GRANT_PAIR *find_role_grant_pair(const LEX_STRING *u,
     my_hash_search(&acl_roles_mappings, (uchar*)pair_key.ptr(), key_length);
 }
 
-static bool show_role_grants(THD *thd, const char *username,
-                             const char *hostname, ACL_USER_BASE *acl_entry,
+static bool show_default_role(THD *thd, ACL_USER *acl_entry,
+                              char *buff, size_t buffsize)
+{
+  Protocol *protocol= thd->protocol;
+  LEX_STRING def_rolename= acl_entry->default_rolename;
+
+  if (def_rolename.length)
+  {
+    String def_str(buff, buffsize, system_charset_info);
+    def_str.length(0);
+    def_str.append(STRING_WITH_LEN("SET DEFAULT ROLE "));
+    def_str.append(&def_rolename);
+    def_str.append(" FOR '");
+    def_str.append(&acl_entry->user);
+    DBUG_ASSERT(!(acl_entry->flags & IS_ROLE));
+    def_str.append(STRING_WITH_LEN("'@'"));
+    def_str.append(acl_entry->host.hostname, acl_entry->hostname_length,
+                   system_charset_info);
+    def_str.append('\'');
+    protocol->prepare_for_resend();
+    protocol->store(def_str.ptr(),def_str.length(),def_str.charset());
+    if (protocol->write())
+    {
+      return TRUE;
+    }
+  }
+  return FALSE;
+}
+
+static bool show_role_grants(THD *thd, const char *hostname,
+                             ACL_USER_BASE *acl_entry,
                              char *buff, size_t buffsize)
 {
   uint counter;
   Protocol *protocol= thd->protocol;
   LEX_STRING host= {const_cast<char*>(hostname), strlen(hostname)};
 
-  String grant(buff,sizeof(buff),system_charset_info);
+  String grant(buff, buffsize, system_charset_info);
   for (counter= 0; counter < acl_entry->role_grants.elements; counter++)
   {
     grant.length(0);
@@ -8873,7 +8911,7 @@ static bool show_global_privileges(THD *thd, ACL_USER_BASE *acl_entry,
   ulong want_access;
   Protocol *protocol= thd->protocol;
 
-  String global(buff,sizeof(buff),system_charset_info);
+  String global(buff, buffsize, system_charset_info);
   global.length(0);
   global.append(STRING_WITH_LEN("GRANT "));
 
@@ -8952,7 +8990,7 @@ static bool show_database_privileges(THD *thd, const char *username,
         want_access=acl_db->initial_access;
       if (want_access)
       {
-        String db(buff,sizeof(buff),system_charset_info);
+        String db(buff, buffsize, system_charset_info);
         db.length(0);
         db.append(STRING_WITH_LEN("GRANT "));
 
