Fix priv bugs

2024-02-09 07:52:50 +00:00 · 2024-02-09 07:52:50 +00:00 · f786b4c646
commit f786b4c646
parent 0551b579db
3 changed files with 20 additions and 1 deletions
--- a/src/observer/virtual_table/ob_show_grants.cpp
+++ b/src/observer/virtual_table/ob_show_grants.cpp
@ -767,7 +767,7 @@ int ObShowGrants::has_show_grants_priv(uint64_t show_user_id) const
    //FIXME@xiyu: schema_cache: master aad alloc, which is no need as we use arena for priv
    ObArenaAllocator alloc;
    ObStmtNeedPrivs stmt_need_privs(alloc);
-    ObNeedPriv need_priv("mysql", "", OB_PRIV_DB_LEVEL, OB_PRIV_SELECT, false);
+    ObNeedPriv need_priv("mysql", "user", OB_PRIV_TABLE_LEVEL, OB_PRIV_SELECT, false);
    if (OB_FAIL(stmt_need_privs.need_privs_.init(1))) {
      SERVER_LOG(WARN, "fail to init need_privs", K(ret));
    } else if (OB_FAIL(stmt_need_privs.need_privs_.push_back(need_priv))) {
--- a/src/sql/privilege_check/ob_privilege_check.cpp
+++ b/src/sql/privilege_check/ob_privilege_check.cpp
@ -1491,6 +1491,8 @@ int get_revoke_stmt_need_privs(
                                         stmt->get_database_name(),
                                         stmt->get_table_name()))) {
      LOG_WARN("Can not grant information_schema database", K(ret));
+    } else if (lib::is_mysql_mode() && stmt->get_revoke_all()) {
+      //check privs at resolver
    } else {
      need_priv.db_ = stmt->get_database_name();
      need_priv.table_ = stmt->get_table_name();
--- a/src/sql/resolver/dcl/ob_revoke_resolver.cpp
+++ b/src/sql/resolver/dcl/ob_revoke_resolver.cpp
@ -321,6 +321,23 @@ int ObRevokeResolver::resolve_mysql(const ParseNode &parse_tree)
          users_node = node->children_[0];
          revoke_stmt->set_revoke_all(true);
          revoke_stmt->set_grant_level(OB_PRIV_USER_LEVEL);
+          if (OB_SUCC(ret)) {
+            ObSessionPrivInfo session_priv;
+            ObArenaAllocator alloc;
+            ObStmtNeedPrivs stmt_need_privs(alloc);
+            ObNeedPriv need_priv("mysql", "", OB_PRIV_DB_LEVEL, OB_PRIV_UPDATE, false);
+            OZ (stmt_need_privs.need_privs_.init(1));
+            OZ (stmt_need_privs.need_privs_.push_back(need_priv));
+            //check CREATE USER or UPDATE privilege on mysql
+            params_.session_info_->get_session_priv_info(session_priv);
+            if (OB_SUCC(ret) && OB_FAIL(schema_checker_->check_priv(session_priv, stmt_need_privs))) {
+              stmt_need_privs.need_privs_.at(0) =
+                  ObNeedPriv("", "", OB_PRIV_USER_LEVEL, OB_PRIV_CREATE_USER, false);
+              if (OB_FAIL(schema_checker_->check_priv(session_priv, stmt_need_privs))) {
+                LOG_WARN("no priv", K(ret));
+              }
+            }
+          }
        }
        //resolve privileges
        if (OB_SUCC(ret) && (NULL != privs_node)) {