diff --git a/domain/domain.go b/domain/domain.go
index 9482961a98..c122e17ffb 100644
--- a/domain/domain.go
+++ b/domain/domain.go
@@ -43,6 +43,7 @@ import (
 "github.com/pingcap/tidb/sessionctx/variable"
 "github.com/pingcap/tidb/statistics"
 "github.com/pingcap/tidb/util"
+ "github.com/pingcap/tidb/util/sqlexec"
 log "github.com/sirupsen/logrus"
 "google.golang.org/grpc"
 "google.golang.org/grpc/keepalive"
@@ -957,6 +958,11 @@ func (do *Domain) NotifyUpdatePrivilege(ctx sessionctx.Context) {
 log.Warn("notify update privilege failed:", err)
 }
 }
+ // update locally
+ _, _, err := ctx.(sqlexec.RestrictedSQLExecutor).ExecRestrictedSQL(ctx, `FLUSH PRIVILEGES`)
+ if err != nil {
+ log.Errorf("Unable to update privileges: %s", err)
+ }
 }
 func recoverInDomain(funcName string, quit bool) {
diff --git a/privilege/privileges/privileges_test.go b/privilege/privileges/privileges_test.go
index af3edfbb3d..a827e04124 100644
--- a/privilege/privileges/privileges_test.go
+++ b/privilege/privileges/privileges_test.go
@@ -104,7 +104,6 @@ func (s *testPrivilegeSuite) TearDownTest(c *C) {
 func (s *testPrivilegeSuite) TestCheckDBPrivilege(c *C) {
 rootSe := newSession(c, s.store, s.dbName)
 mustExec(c, rootSe, `CREATE USER 'testcheck'@'localhost';`)
- mustExec(c, rootSe, `FLUSH PRIVILEGES;`)
 se := newSession(c, s.store, s.dbName)
 c.Assert(se.Auth(&auth.UserIdentity{Username: "testcheck", Hostname: "localhost"}, nil, nil), IsTrue)
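Review bot: The type assertion `ctx.(sqlexec.RestrictedSQLExecutor)` added to NotifyUpdatePrivilege in domain/domain.go is unchecked, so a sessionctx.Context that does not implement that interface would panic the caller instead of being logged. Use the comma-ok form, `exec, ok := ctx.(sqlexec.RestrictedSQLExecutor)` followed by `if !ok { log.Error("context cannot run restricted SQL; local privilege cache not refreshed"); return }`. A failed local reload is also only logged and the function returns nothing, so a REVOKE or DROP USER can report success while this node keeps enforcing the old grants; a comment such as `// NOTE: on failure the local privilege cache stays stale until the next reload` would make that visible, and returning the error to the caller is worth considering. The function body starts outside the hunk.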
@@ -112,19 +111,16 @@ func (s *testPrivilegeSuite) TestCheckDBPrivilege(c *C) {
 c.Assert(pc.RequestVerification("test", "", "", mysql.SelectPriv), IsFalse)
 mustExec(c, rootSe, `GRANT SELECT ON *.* TO 'testcheck'@'localhost';`)
- mustExec(c, rootSe, `FLUSH PRIVILEGES;`)
 c.Assert(pc.RequestVerification("test", "", "", mysql.SelectPriv), IsTrue)
 c.Assert(pc.RequestVerification("test", "", "", mysql.UpdatePriv), IsFalse)
 mustExec(c, rootSe, `GRANT Update ON test.* TO 'testcheck'@'localhost';`)
- mustExec(c, rootSe, `FLUSH PRIVILEGES;`)
 c.Assert(pc.RequestVerification("test", "", "", mysql.UpdatePriv), IsTrue)
 }
 func (s *testPrivilegeSuite) TestCheckTablePrivilege(c *C) {
 rootSe := newSession(c, s.store, s.dbName)
 mustExec(c, rootSe, `CREATE USER 'test1'@'localhost';`)
- mustExec(c, rootSe, `FLUSH PRIVILEGES;`)
 se := newSession(c, s.store, s.dbName)
 c.Assert(se.Auth(&auth.UserIdentity{Username: "test1", Hostname: "localhost"}, nil, nil), IsTrue)
@@ -132,17 +128,14 @@ func (s *testPrivilegeSuite) TestCheckTablePrivilege(c *C) {
 c.Assert(pc.RequestVerification("test", "test", "", mysql.SelectPriv), IsFalse)
 mustExec(c, rootSe, `GRANT SELECT ON *.* TO 'test1'@'localhost';`)
- mustExec(c, rootSe, `FLUSH PRIVILEGES;`)
 c.Assert(pc.RequestVerification("test", "test", "", mysql.SelectPriv), IsTrue)
 c.Assert(pc.RequestVerification("test", "test", "", mysql.UpdatePriv), IsFalse)
 mustExec(c, rootSe, `GRANT Update ON test.* TO 'test1'@'localhost';`)
- mustExec(c, rootSe, `FLUSH PRIVILEGES;`)
 c.Assert(pc.RequestVerification("test", "test", "", mysql.UpdatePriv), IsTrue)
 c.Assert(pc.RequestVerification("test", "test", "", mysql.IndexPriv), IsFalse)
 mustExec(c, rootSe, `GRANT Index ON test.test TO 'test1'@'localhost';`)
- mustExec(c, rootSe, `FLUSH PRIVILEGES;`)
 c.Assert(pc.RequestVerification("test", "test", "", mysql.IndexPriv), IsTrue)
 }
@@ -151,7 +144,6 @@ func (s *testPrivilegeSuite) TestShowGrants(c *C) {
 ctx, _ := se.(sessionctx.Context)
 mustExec(c, se, `CREATE USER 'show'@'localhost' identified by '123';`)
 mustExec(c, se, `GRANT Index ON *.* TO 'show'@'localhost';`)
- mustExec(c, se, `FLUSH PRIVILEGES;`)
 pc := privilege.GetPrivilegeManager(se)
 gs, err := pc.ShowGrants(se, &auth.UserIdentity{Username: "show", Hostname: "localhost"})
@@ -160,7 +152,6 @@ func (s *testPrivilegeSuite) TestShowGrants(c *C) {
 c.Assert(gs[0], Equals, `GRANT Index ON *.* TO 'show'@'localhost'`)
 mustExec(c, se, `GRANT Select ON *.* TO 'show'@'localhost';`)
- mustExec(c, se, `FLUSH PRIVILEGES;`)
 gs, err = pc.ShowGrants(se, &auth.UserIdentity{Username: "show", Hostname: "localhost"})
 c.Assert(err, IsNil)
 c.Assert(gs, HasLen, 1)
@@ -168,7 +159,6 @@ func (s *testPrivilegeSuite) TestShowGrants(c *C) {
 // The order of privs is the same with AllGlobalPrivs
 mustExec(c, se, `GRANT Update ON *.* TO 'show'@'localhost';`)
- mustExec(c, se, `FLUSH PRIVILEGES;`)
 gs, err = pc.ShowGrants(se, &auth.UserIdentity{Username: "show", Hostname: "localhost"})
 c.Assert(err, IsNil)
 c.Assert(gs, HasLen, 1)
@@ -176,7 +166,6 @@ func (s *testPrivilegeSuite) TestShowGrants(c *C) {
 // All privileges
 mustExec(c, se, `GRANT ALL ON *.* TO 'show'@'localhost';`)
- mustExec(c, se, `FLUSH PRIVILEGES;`)
 gs, err = pc.ShowGrants(se, &auth.UserIdentity{Username: "show", Hostname: "localhost"})
 c.Assert(err, IsNil)
 c.Assert(gs, HasLen, 1)
@@ -184,7 +173,6 @@ func (s *testPrivilegeSuite) TestShowGrants(c *C) {
 // Add db scope privileges
 mustExec(c, se, `GRANT Select ON test.* TO 'show'@'localhost';`)
- mustExec(c, se, `FLUSH PRIVILEGES;`)
 gs, err = pc.ShowGrants(se, &auth.UserIdentity{Username: "show", Hostname: "localhost"})
 c.Assert(err, IsNil)
 c.Assert(gs, HasLen, 2)
@@ -193,7 +181,6 @@ func (s *testPrivilegeSuite) TestShowGrants(c *C) {
 c.Assert(testutil.CompareUnorderedStringSlice(gs, expected), IsTrue)
 mustExec(c, se, `GRANT Index ON test1.* TO 'show'@'localhost';`)
- mustExec(c, se, `FLUSH PRIVILEGES;`)
 gs, err = pc.ShowGrants(se, &auth.UserIdentity{Username: "show", Hostname: "localhost"})
 c.Assert(err, IsNil)
 c.Assert(gs, HasLen, 3)
@@ -203,7 +190,6 @@ func (s *testPrivilegeSuite) TestShowGrants(c *C) {
 c.Assert(testutil.CompareUnorderedStringSlice(gs, expected), IsTrue)
 mustExec(c, se, `GRANT ALL ON test1.* TO 'show'@'localhost';`)
- mustExec(c, se, `FLUSH PRIVILEGES;`)
 gs, err = pc.ShowGrants(se, &auth.UserIdentity{Username: "show", Hostname: "localhost"})
 c.Assert(err, IsNil)
 c.Assert(gs, HasLen, 3)
@@ -214,7 +200,6 @@ func (s *testPrivilegeSuite) TestShowGrants(c *C) {
 // Add table scope privileges
 mustExec(c, se, `GRANT Update ON test.test TO 'show'@'localhost';`)
- mustExec(c, se, `FLUSH PRIVILEGES;`)
 gs, err = pc.ShowGrants(se, &auth.UserIdentity{Username: "show", Hostname: "localhost"})
 c.Assert(err, IsNil)
 c.Assert(gs, HasLen, 4)
@@ -229,7 +214,6 @@ func (s *testPrivilegeSuite) TestShowGrants(c *C) {
 mustExec(c, se, `REVOKE Select on test.* FROM 'show'@'localhost'`)
 mustExec(c, se, `REVOKE ALL ON test1.* FROM 'show'@'localhost'`)
 mustExec(c, se, `REVOKE UPDATE on test.test FROM 'show'@'localhost'`)
- mustExec(c, se, `FLUSH PRIVILEGES;`)
 gs, err = pc.ShowGrants(se, &auth.UserIdentity{Username: "show", Hostname: "localhost"})
 c.Assert(err, IsNil)
 c.Assert(gs, HasLen, 1)
@@ -239,7 +223,6 @@ func (s *testPrivilegeSuite) TestShowGrants(c *C) {
 // Which we need privileges to do so!
 ctx.GetSessionVars().User = &auth.UserIdentity{Username: "root", Hostname: "localhost"}
 mustExec(c, se, `DROP USER 'show'@'localhost'`)
- mustExec(c, se, `FLUSH PRIVILEGES;`)
 // This should now return an error
 gs, err = pc.ShowGrants(se, &auth.UserIdentity{Username: "show", Hostname: "localhost"})
@@ -257,7 +240,6 @@ func (s *testPrivilegeSuite) TestDropTablePriv(c *C) {
 c.Assert(se.Auth(&auth.UserIdentity{Username: "root", Hostname: "localhost"}, nil, nil), IsTrue)
 mustExec(c, se, `CREATE USER 'drop'@'localhost';`)
 mustExec(c, se, `GRANT Select ON test.todrop TO 'drop'@'localhost';`)
- mustExec(c, se, `FLUSH PRIVILEGES;`)
 // ctx.GetSessionVars().User = "drop@localhost"
 c.Assert(se.Auth(&auth.UserIdentity{Username: "drop", Hostname: "localhost"}, nil, nil), IsTrue)
@@ -268,7 +250,6 @@ func (s *testPrivilegeSuite) TestDropTablePriv(c *C) {
 se = newSession(c, s.store, s.dbName)
 ctx.GetSessionVars().User = &auth.UserIdentity{Username: "root", Hostname: "localhost"}
 mustExec(c, se, `GRANT Drop ON test.todrop TO 'drop'@'localhost';`)
- mustExec(c, se, `FLUSH PRIVILEGES;`)
 se = newSession(c, s.store, s.dbName)
 ctx.GetSessionVars().User = &auth.UserIdentity{Username: "drop", Hostname: "localhost"}
@@ -283,16 +264,15 @@ func (s *testPrivilegeSuite) TestSetPasswdStmt(c *C) {
 mustExec(c, se, "CREATE USER 'superuser'")
 mustExec(c, se, "CREATE USER 'nobodyuser'")
 mustExec(c, se, "GRANT ALL ON *.* TO 'superuser'")
- mustExec(c, se, "FLUSH PRIVILEGES")
 c.Assert(se.Auth(&auth.UserIdentity{Username: "superuser", Hostname: "localhost", AuthUsername: "superuser", AuthHostname: "%"}, nil, nil), IsTrue)
 mustExec(c, se, "SET PASSWORD for 'nobodyuser' = 'newpassword'")
+ mustExec(c, se, "SET PASSWORD for 'nobodyuser' = ''")
 // low privileged user trying to set password for other user (fails)
 c.Assert(se.Auth(&auth.UserIdentity{Username: "nobodyuser", Hostname: "localhost", AuthUsername: "nobodyuser", AuthHostname: "%"}, nil, nil), IsTrue)
 _, err := se.Execute(context.Background(), "SET PASSWORD for 'superuser' = 'newpassword'")
 c.Assert(err, NotNil)
-
 }
 func (s *testPrivilegeSuite) TestCheckAuthenticate(c *C) {
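Review bot: The added `mustExec(c, se, "SET PASSWORD for 'nobodyuser' = ''")` in TestSetPasswdStmt carries no comment, and nothing between the two SET PASSWORD statements asserts that the first one took effect. Presumably the reset is there so that the later `se.Auth(..., nil, nil)` for nobodyuser still succeeds now that password changes become visible without a flush; a comment such as `// reset to an empty password so nobodyuser can authenticate without credentials below` would say so. To pin the behaviour the commit introduces, consider asserting after the first SET PASSWORD that authenticating as nobodyuser with nil credentials returns false, provided a failed Auth leaves the root session usable for the following statement.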
@@ -302,7 +282,7 @@ func (s *testPrivilegeSuite) TestCheckAuthenticate(c *C) {
 mustExec(c, se, `CREATE USER 'u2'@'localhost' identified by 'abc';`)
 mustExec(c, se, `CREATE USER 'u3@example.com'@'localhost';`)
 mustExec(c, se, `CREATE USER u4@localhost;`)
- mustExec(c, se, `FLUSH PRIVILEGES;`)
+
 c.Assert(se.Auth(&auth.UserIdentity{Username: "u1", Hostname: "localhost"}, nil, nil), IsTrue)
 c.Assert(se.Auth(&auth.UserIdentity{Username: "u2", Hostname: "localhost"}, nil, nil), IsFalse)
 salt := []byte{85, 92, 45, 22, 58, 79, 107, 6, 122, 125, 58, 80, 12, 90, 103, 32, 90, 10, 74, 82}
@@ -316,7 +296,6 @@ func (s *testPrivilegeSuite) TestCheckAuthenticate(c *C) {
 mustExec(c, se1, "drop user 'u2'@'localhost'")
 mustExec(c, se1, "drop user 'u3@example.com'@'localhost'")
 mustExec(c, se1, "drop user u4@localhost")
- mustExec(c, se1, `FLUSH PRIVILEGES;`)
 c.Assert(se.Auth(&auth.UserIdentity{Username: "u1", Hostname: "localhost"}, nil, nil), IsFalse)
 c.Assert(se.Auth(&auth.UserIdentity{Username: "u2", Hostname: "localhost"}, nil, nil), IsFalse)
@@ -331,7 +310,6 @@ func (s *testPrivilegeSuite) TestUseDb(c *C) {
 mustExec(c, se, "CREATE USER 'usesuper'")
 mustExec(c, se, "CREATE USER 'usenobody'")
 mustExec(c, se, "GRANT ALL ON *.* TO 'usesuper'")
- mustExec(c, se, "FLUSH PRIVILEGES")
 c.Assert(se.Auth(&auth.UserIdentity{Username: "usesuper", Hostname: "localhost", AuthUsername: "usesuper", AuthHostname: "%"}, nil, nil), IsTrue)
 mustExec(c, se, "use mysql")
 // low privileged user
@@ -342,7 +320,6 @@ func (s *testPrivilegeSuite) TestUseDb(c *C) {
 // try again after privilege granted
 c.Assert(se.Auth(&auth.UserIdentity{Username: "usesuper", Hostname: "localhost", AuthUsername: "usesuper", AuthHostname: "%"}, nil, nil), IsTrue)
 mustExec(c, se, "GRANT SELECT ON mysql.* TO 'usenobody'")
- mustExec(c, se, "FLUSH PRIVILEGES")
 c.Assert(se.Auth(&auth.UserIdentity{Username: "usenobody", Hostname: "localhost", AuthUsername: "usenobody", AuthHostname: "%"}, nil, nil), IsTrue)
 _, err = se.Execute(context.Background(), "use mysql")
 c.Assert(err, IsNil)
@@ -391,7 +368,6 @@ func (s *testPrivilegeSuite) TestInformationSchema(c *C) {
 // This test tests no privilege check for INFORMATION_SCHEMA database.
 se := newSession(c, s.store, s.dbName)
 mustExec(c, se, `CREATE USER 'u1'@'localhost';`)
- mustExec(c, se, `FLUSH PRIVILEGES;`)
 c.Assert(se.Auth(&auth.UserIdentity{Username: "u1", Hostname: "localhost"}, nil, nil), IsTrue)
 mustExec(c, se, `select * from information_schema.tables`)
 mustExec(c, se, `select * from information_schema.key_column_usage`)
@@ -401,7 +377,6 @@ func (s *testPrivilegeSuite) TestAdminCommand(c *C) {
 se := newSession(c, s.store, s.dbName)
 c.Assert(se.Auth(&auth.UserIdentity{Username: "root", Hostname: "localhost"}, nil, nil), IsTrue)
 mustExec(c, se, `CREATE USER 'test_admin'@'localhost';`)
- mustExec(c, se, `FLUSH PRIVILEGES;`)
 mustExec(c, se, `CREATE TABLE t(a int)`)
 c.Assert(se.Auth(&auth.UserIdentity{Username: "test_admin", Hostname: "localhost"}, nil, nil), IsTrue)