208 lines
6.1 KiB
Plaintext
208 lines
6.1 KiB
Plaintext
# WL#12637 Distribute ACL changes in MySQL Cluster.
|
|
--source include/have_ndb.inc
|
|
|
|
# The ACL statements here are similar to distributed_grants.test, but mysql
|
|
# server 2 is shut down at the start of this test. When restarted, it applies
|
|
# the whole snapshot stored in ndb_sql_metadata.
|
|
--exec echo "wait" > $MYSQLTEST_VARDIR/tmp/mysqld.2.1.expect
|
|
connect(mysqld2,127.0.0.1,root,,test,$MASTER_MYPORT1);
|
|
connection mysqld2;
|
|
shutdown;
|
|
source include/wait_until_disconnected.inc;
|
|
enable_reconnect;
|
|
connection default;
|
|
--echo Connected to server1 as root
|
|
|
|
# Disable warnings to suppress a "Node unsubscribed" warning that may appear
|
|
# at some unpredictable time after the shutdown of mysqld2
|
|
--disable_warnings ER_GET_ERRMSG
|
|
|
|
#
|
|
# Create test tables. These are not in database "test" due to the customary
|
|
# "GRANT ALL ON test.* to '%'@'localhost'" in effect there.
|
|
#
|
|
CREATE DATABASE auth_test_db;
|
|
USE auth_test_db;
|
|
CREATE TABLE t1 (i int primary key not null) engine = ndb;
|
|
CREATE TABLE t2 (i int primary key not null) engine = ndb;
|
|
CREATE TABLE t3 (i int primary key not null) engine = ndb;
|
|
INSERT INTO t1 VALUES(1);
|
|
INSERT INTO t2 VALUES(1),(2);
|
|
INSERT INTO t3 VALUES(1),(2),(3);
|
|
|
|
# Create users, start at line 30
|
|
#
|
|
CREATE USER local_u1@a, local_u2@a, local_u3@a, local_u4@a, local_u5@a;
|
|
CREATE ROLE L1, L2, L3;
|
|
CREATE USER ndb_u1@a;
|
|
CREATE USER ndb_u2@a IDENTIFIED BY 'Helsinki';
|
|
CREATE USER ndb_u3@a, ndb_u4@a, ndb_u5@a, ndb_u6@a;
|
|
CREATE USER ndb_u7@a IDENTIFIED BY 'pass7';
|
|
CREATE ROLE R1, R2, R3;
|
|
GRANT NDB_STORED_USER ON *.* to ndb_u1@a;
|
|
GRANT NDB_STORED_USER ON *.* to ndb_u2@a, ndb_u3@a, ndb_u4@a;
|
|
GRANT ALL ON *.* TO ndb_u5@a; # Grant NDB_STORED_USER via ALL
|
|
GRANT NDB_STORED_USER ON *.* to ndb_u6@a, ndb_u7@a;
|
|
GRANT NDB_STORED_USER ON *.* TO R1, R2, R3;
|
|
|
|
# GRANT statements start at line 45
|
|
#
|
|
GRANT SELECT, INSERT, DELETE ON auth_test_db.t2 to R2;
|
|
GRANT R3 to ndb_u3@a;
|
|
GRANT L3 to local_u3@a;
|
|
GRANT R2 TO ndb_u2@a, local_u2@a;
|
|
GRANT SELECT,INSERT,DELETE ON auth_test_db.t2 to R3, L3;
|
|
GRANT SELECT ON auth_test_db.t1 to ndb_u1@a;
|
|
GRANT SELECT ON auth_test_db.t1 to local_u1@a;
|
|
GRANT INSERT ON auth_test_db.t1 to local_u2@a;
|
|
GRANT SELECT,INSERT ON auth_test_db.t1 to ndb_u2@a, ndb_u3@a, local_u3@a;
|
|
GRANT ALL ON auth_test_db.* to ndb_u4@a;
|
|
GRANT UPDATE ON auth_test_db.t2 to ndb_u2@a;
|
|
|
|
#
|
|
# ALTER USER statements start at line 60
|
|
#
|
|
ALTER USER ndb_u5@a IDENTIFIED BY 'pass5'; # NDB ONLY
|
|
ALTER USER local_u5@a IDENTIFIED BY 'pass5'; # LOCAL ONLY
|
|
ALTER USER ndb_u4@a IDENTIFIED BY 'pass4', local_u4@a IDENTIFIED BY 'pass4';
|
|
|
|
|
|
|
|
|
|
#
|
|
# SET DEFAULT ROLE statements start at line 70
|
|
#
|
|
ALTER USER ndb_u3@a DEFAULT ROLE R3;
|
|
ALTER USER local_u3@a DEFAULT ROLE L3;
|
|
SET DEFAULT ROLE R2 TO ndb_u2@a, local_u2@a;
|
|
|
|
|
|
|
|
|
|
#
|
|
# SET PASSWORD statements start at line 80
|
|
#
|
|
SET PASSWORD FOR local_u3@a = 'Trondheim'; # LOCAL ONLY
|
|
SET PASSWORD FOR ndb_u3@a = 'Uppsala'; # NDB ONLY
|
|
|
|
|
|
|
|
|
|
|
|
#
|
|
# REVOKE statements start at line 90
|
|
#
|
|
REVOKE INSERT ON auth_test_db.t1 FROM local_u3@a;
|
|
REVOKE INSERT ON t1 FROM ndb_u3@a;
|
|
REVOKE SELECT ON auth_test_db.t1 FROM ndb_u2@a, local_u2@a;
|
|
REVOKE ALL, GRANT OPTION FROM ndb_u1@a, local_u1@a;
|
|
REVOKE NDB_STORED_USER ON *.* FROM ndb_u6@a;
|
|
|
|
#
|
|
# DROP statements start at line 100
|
|
#
|
|
DROP ROLE R1; # NDB ONLY
|
|
DROP ROLE L1; # LOCAL ONLY
|
|
DROP ROLE R2, L2; # NDB+LOCAL
|
|
DROP USER ndb_u1@a, ndb_u7@a;
|
|
|
|
|
|
|
|
#
|
|
# RENAME USER
|
|
#
|
|
RENAME USER ndb_u3@a TO bob@a, ndb_u2@a TO Monty@localhost, bob@a TO ndb_u2@a;
|
|
RENAME USER ndb_u2@a TO David@localhost;
|
|
RENAME USER ndb_u4@a TO ndb_u4@localhost;
|
|
RENAME USER local_u2@a TO local_u2@localhost;
|
|
RENAME USER ndb_u5@a TO ndb_u5@localhost, local_u5@a TO local_u5@localhost;
|
|
|
|
|
|
#
|
|
# GRANT and REVOKE to an NDB_STORED_USER on an InnoDB table (which exists
|
|
# only on the mysqld1, not mysqld2).
|
|
#
|
|
CREATE TABLE ib_table (pk INT PRIMARY KEY, a INT) engine = innodb;
|
|
INSERT INTO ib_table VALUES(0,0),(1,1),(2,2);
|
|
GRANT SELECT ON ib_table TO R3;
|
|
REVOKE SELECT ON ib_table FROM R3;
|
|
|
|
|
|
#
|
|
# GRANT and REVOKE on a table that does not exist on the local server
|
|
#
|
|
--error ER_NO_SUCH_TABLE
|
|
GRANT SELECT ON nonexistent_table TO R3;
|
|
--error ER_NONEXISTING_TABLE_GRANT
|
|
REVOKE SELECT ON nonexistent_table FROM R3;
|
|
|
|
|
|
#
|
|
# ========= Restart server2, then test connecting to it ========
|
|
#
|
|
|
|
connection mysqld2;
|
|
--exec echo "restart" > $MYSQLTEST_VARDIR/tmp/mysqld.2.1.expect
|
|
--source include/wait_until_connected_again.inc
|
|
|
|
|
|
# Monty (formerly ndb_u2) has password 'Helsinki', has NDB_STORED_USER,
|
|
# has INSERT on auth_test_db.t1 (granted at line 53), but SELECT was revoked
|
|
# (line 117). Monty has UPDATE on auth_test_db.t2 (granted at 79), and once
|
|
# had DELETE on t2 by way of R2 (line 48), but no longer has this because
|
|
# R2 was dropped (line 102).
|
|
#
|
|
connect (CU2,127.0.0.1,Monty,Helsinki,auth_test_db,$MASTER_MYPORT1,);
|
|
connection CU2;
|
|
--error ER_TABLEACCESS_DENIED_ERROR
|
|
DELETE FROM t2 where i=3;
|
|
--error ER_TABLEACCESS_DENIED_ERROR
|
|
SELECT * FROM t1;
|
|
INSERT INTO t1 values (2);
|
|
|
|
|
|
# David (formerly ndb_u3) has password 'Uppsala', has NDB_STORED_USER,
|
|
# has role R3 (line 46) and has SELECT,INSERT,DELETE on t2 by way of R3,
|
|
# and has SELECT on t1 (granted at line 53), but not INSERT (revoked at 91).
|
|
#
|
|
connect (CU3,127.0.0.1,David,Uppsala,auth_test_db,$MASTER_MYPORT1,);
|
|
connection CU3;
|
|
DELETE FROM t2 where i=3;
|
|
SELECT * FROM t1 ORDER BY i;
|
|
--error ER_TABLEACCESS_DENIED_ERROR
|
|
INSERT INTO t1 values (45);
|
|
|
|
|
|
# ndb_u4 has password 'pass4' and all table privileges on auth_test_db.*
|
|
connect (CU4,127.0.0.1,ndb_u4,pass4,auth_test_db,$MASTER_MYPORT1,);
|
|
connection CU4;
|
|
DROP TABLE t1;
|
|
|
|
# ndb_u5 has password 'pass5' and all privileges.
|
|
connect (CU5,127.0.0.1,ndb_u5,pass5,auth_test_db,$MASTER_MYPORT1,);
|
|
connection CU5;
|
|
DROP TABLE t2, t3;
|
|
|
|
|
|
|
|
# ======= CLEANUP
|
|
# =======
|
|
--enable_warnings
|
|
connection default;
|
|
|
|
DROP DATABASE auth_test_db;
|
|
|
|
DROP USER local_u1@a, local_u3@a, local_u4@a;
|
|
DROP USER local_u2@localhost, local_u5@localhost;
|
|
DROP ROLE L3;
|
|
|
|
DROP USER Monty@localhost, David@localhost;
|
|
DROP USER ndb_u4@localhost, ndb_u5@localhost;
|
|
DROP USER ndb_u6@a;
|
|
DROP ROLE R3;
|
|
|
|
# Sometimes check_testcase runs before the cleanup has finished on mysqld2.
|
|
# Connect once more to mysqld2. The connection will have to acquire a
|
|
# read lock on the ACL cache, hopefully allowing cleanup to finish there.
|
|
connect(mysqld2b,127.0.0.1,root,,test,$MASTER_MYPORT1);
|