# WL#12637 Distribute ACL changes in MySQL Cluster --source include/have_ndb.inc connection default; --echo Connected to server1 as root # # Create test tables. These are not in database "test" due to the customary # "GRANT ALL ON test.* to '%'@'localhost'" in effect there. # CREATE DATABASE auth_test_db; USE auth_test_db; CREATE TABLE t1 (i int primary key not null) engine = ndb; CREATE TABLE t2 (i int primary key not null) engine = ndb; CREATE TABLE t3 (i int primary key not null) engine = ndb; INSERT INTO t1 VALUES(1); INSERT INTO t2 VALUES(1),(2); INSERT INTO t3 VALUES(1),(2),(3); # # Create local users # CREATE USER local_u1@a, local_u2@a, local_u3@a, local_u4@a, local_u5@a; CREATE ROLE L1, L2, L3; # Subsequent comments refer to specific grants by line number # # Create distributed users, start at line 30 # CREATE USER ndb_u1@a; CREATE USER ndb_u2@a IDENTIFIED BY 'Helsinki'; CREATE USER ndb_u3@a, ndb_u4@a, ndb_u5@a, ndb_u6@a; CREATE USER ndb_u7@a IDENTIFIED BY 'pass7'; CREATE ROLE R1, R2, R3; GRANT NDB_STORED_USER ON *.* to ndb_u1@a; GRANT NDB_STORED_USER ON *.* to ndb_u2@a, ndb_u3@a, ndb_u4@a; GRANT ALL ON *.* TO ndb_u5@a; # Grant NDB_STORED_USER via ALL GRANT NDB_STORED_USER ON *.* to ndb_u6@a, ndb_u7@a; GRANT NDB_STORED_USER ON *.* TO R1, R2, R3; # # GRANT statements start at line 45 # GRANT SELECT, INSERT, DELETE ON auth_test_db.t2 to R2; GRANT R3 to ndb_u3@a; GRANT L3 to local_u3@a; GRANT R2 TO ndb_u2@a, local_u2@a; GRANT SELECT,INSERT,DELETE ON auth_test_db.t2 to R3, L3; GRANT SELECT ON auth_test_db.t1 to ndb_u1@a; GRANT SELECT ON auth_test_db.t1 to local_u1@a; GRANT INSERT ON auth_test_db.t1 to local_u2@a; GRANT SELECT,INSERT ON auth_test_db.t1 to ndb_u2@a, ndb_u3@a, local_u3@a; GRANT ALL ON auth_test_db.* to ndb_u4@a; GRANT UPDATE ON auth_test_db.t2 to ndb_u2@a; # # ALTER USER statements start at line 60 # ALTER USER ndb_u5@a IDENTIFIED BY 'pass5'; # NDB ONLY ALTER USER local_u5@a IDENTIFIED BY 'pass5'; # LOCAL ONLY ALTER USER ndb_u4@a IDENTIFIED BY 'pass4', local_u4@a IDENTIFIED BY 'pass4'; # # SET DEFAULT ROLE statements start at line 70 # ALTER USER ndb_u3@a DEFAULT ROLE R3; ALTER USER local_u3@a DEFAULT ROLE L3; SET DEFAULT ROLE R2 TO ndb_u2@a, local_u2@a; # # SET PASSWORD statements start at line 80 # SET PASSWORD FOR local_u3@a = 'Trondheim'; # LOCAL ONLY SET PASSWORD FOR ndb_u3@a = 'Uppsala'; # NDB ONLY # # REVOKE statements start at line 90 # REVOKE INSERT ON auth_test_db.t1 FROM local_u3@a; REVOKE INSERT ON t1 FROM ndb_u3@a; REVOKE SELECT ON auth_test_db.t1 FROM ndb_u2@a, local_u2@a; REVOKE ALL, GRANT OPTION FROM ndb_u1@a, local_u1@a; REVOKE NDB_STORED_USER ON *.* FROM ndb_u6@a; # # DROP statements start at line 100 # DROP ROLE R1; # NDB ONLY DROP ROLE L1; # LOCAL ONLY DROP ROLE R2, L2; # NDB+LOCAL DROP USER ndb_u1@a, ndb_u7@a; # # RENAME USER # RENAME USER ndb_u3@a TO bob@a, ndb_u2@a TO Monty@localhost, bob@a TO ndb_u2@a; RENAME USER ndb_u2@a TO David@localhost; RENAME USER ndb_u4@a TO ndb_u4@localhost; RENAME USER local_u2@a TO local_u2@localhost; RENAME USER ndb_u5@a TO ndb_u5@localhost, local_u5@a TO local_u5@localhost; # # GRANT and REVOKE to an NDB_STORED_USER on an InnoDB table (which exists # only on the mysqld1, not mysqld2). # CREATE TABLE ib_table (pk INT PRIMARY KEY, a INT) engine = innodb; INSERT INTO ib_table VALUES(0,0),(1,1),(2,2); GRANT SELECT ON ib_table TO R3; REVOKE SELECT ON ib_table FROM R3; # # GRANT and REVOKE on a table that does not exist on the local server # --error ER_NO_SUCH_TABLE GRANT SELECT ON nonexistent_table TO R3; --error ER_NONEXISTING_TABLE_GRANT REVOKE SELECT ON nonexistent_table FROM R3; # # ========= Test connections from the other server in the cluster ======== # # Monty (formerly ndb_u2) has password 'Helsinki', has NDB_STORED_USER, # has INSERT on auth_test_db.t1 (granted at line 53), but SELECT was revoked # (line 117). Monty has UPDATE on auth_test_db.t2 (granted at 79), and once # had DELETE on t2 by way of R2 (line 48), but no longer has this because # R2 was dropped (line 102). # connect (CU2,127.0.0.1,Monty,Helsinki,auth_test_db,$MASTER_MYPORT1,); connection CU2; --error ER_TABLEACCESS_DENIED_ERROR DELETE FROM t2 where i=3; --error ER_TABLEACCESS_DENIED_ERROR SELECT * FROM t1; INSERT INTO t1 values (2); # David (formerly ndb_u3) has password 'Uppsala', has NDB_STORED_USER, # has role R3 (line 46) and has SELECT,INSERT,DELETE on t2 by way of R3, # and has SELECT on t1 (granted at line 53), but not INSERT (revoked at 91). # connect (CU3,127.0.0.1,David,Uppsala,auth_test_db,$MASTER_MYPORT1,); connection CU3; DELETE FROM t2 where i=3; SELECT * FROM t1 ORDER BY i; --error ER_TABLEACCESS_DENIED_ERROR INSERT INTO t1 values (45); # ndb_u4 has password 'pass4' and all table privileges on auth_test_db.* connect (CU4,127.0.0.1,ndb_u4,pass4,auth_test_db,$MASTER_MYPORT1,); connection CU4; DROP TABLE t1; # ndb_u5 has password 'pass5' and all privileges. connect (CU5,127.0.0.1,ndb_u5,pass5,auth_test_db,$MASTER_MYPORT1,); connection CU5; DROP TABLE t2, t3; # Users that have had NDB_STORED_USER revoked must be dropped on each server, # and ndb_u5 has the privilege to do this (via GRANT ALL at line 37) DROP USER ndb_u1@a, ndb_u6@a; # ======= CLEANUP # ======= connection default; DROP DATABASE auth_test_db; DROP USER local_u1@a, local_u3@a, local_u4@a; DROP USER local_u2@localhost, local_u5@localhost; DROP ROLE L3; DROP USER Monty@localhost, David@localhost; DROP USER ndb_u4@localhost, ndb_u5@localhost; DROP USER ndb_u6@a; DROP ROLE R3;