fix revoke all bug

2024-06-27 10:16:50 +00:00
parent f7f0f3a842
commit b329b86842
2 changed files with 13 additions and 0 deletions
--- a/src/share/ob_compatibility_security_feature_def.h
+++ b/src/share/ob_compatibility_security_feature_def.h
@ -23,4 +23,7 @@ DEF_COMPAT_CONTROL_FEATURE(MYSQL_SET_VAR_PRIV_ENHANCE, "check privilege for set
 DEF_COMPAT_CONTROL_FEATURE(MYSQL_USER_REVOKE_ALL_ENHANCE, "use create_user to check privilege for revoke all from user",
    MOCK_CLUSTER_VERSION_4_2_4_0, CLUSTER_VERSION_4_3_0_0,
    CLUSTER_VERSION_4_3_2_0)
+DEF_COMPAT_CONTROL_FEATURE(MYSQL_USER_REVOKE_ALL_WITH_PL_PRIV_CHECK, "revoke all on db.* need check pl privilege",
+    MOCK_CLUSTER_VERSION_4_2_4_0, CLUSTER_VERSION_4_3_0_0,
+    CLUSTER_VERSION_4_3_2_0)
 #endif
--- a/src/sql/privilege_check/ob_privilege_check.cpp
+++ b/src/sql/privilege_check/ob_privilege_check.cpp
@ -2044,6 +2044,16 @@ int get_revoke_stmt_need_privs(
      need_priv.priv_set_ = stmt->get_priv_set() | OB_PRIV_GRANT;
      need_priv.priv_level_ = stmt->get_grant_level();
      need_priv.obj_type_ = stmt->get_object_type();
+      bool check_revoke_all_with_pl_priv = false;
+      if (OB_FAIL(ObPrivilegeCheck::get_priv_need_check(session_priv,
+                          ObCompatFeatureType::MYSQL_USER_REVOKE_ALL_WITH_PL_PRIV_CHECK, check_revoke_all_with_pl_priv))) {
+        LOG_WARN("failed to get priv need check", K(ret));
+      } else if (check_revoke_all_with_pl_priv) {
+        //do nothing
+      } else {
+        need_priv.priv_set_ &= ~(OB_PRIV_EXECUTE | OB_PRIV_ALTER_ROUTINE | OB_PRIV_CREATE_ROUTINE);
+      }
+
      ADD_NEED_PRIV(need_priv);
      #define DEF_COLUM_NEED_PRIV(priv_prefix, priv_type) \
        ObNeedPriv priv_prefix##_need_priv;  \