Bug#24447771: ACL_INIT() RETURNS TRUE ON 5.7 DATA DIRECTORY

harinvadodaria · dahlerlend · commit e4b07ce10ee0 · 2016-08-18T14:46:18.000+02:00
Description: If MySQL server is started with 5.7 data
             directory, we fail in acl_init() because
             role_edges and default_roles tables are
             missing. Fixed this issue by moving roles
             initialization to a separate function and
             print a warning on server log in case
             required tables are missing.
diff --git a/mysql-test/r/roles-upgrade.result b/mysql-test/r/roles-upgrade.result
@@ -0,0 +1,122 @@
+Run mysql_upgrade once
+mysql.column_stats                                 OK
+mysql.columns_priv                                 OK
+mysql.component                                    OK
+mysql.db                                           OK
+mysql.default_roles                                OK
+mysql.engine_cost                                  OK
+mysql.func                                         OK
+mysql.general_log                                  OK
+mysql.gtid_executed                                OK
+mysql.help_category                                OK
+mysql.help_keyword                                 OK
+mysql.help_relation                                OK
+mysql.help_topic                                   OK
+mysql.innodb_index_stats                           OK
+mysql.innodb_table_stats                           OK
+mysql.plugin                                       OK
+mysql.procs_priv                                   OK
+mysql.proxies_priv                                 OK
+mysql.role_edges                                   OK
+mysql.server_cost                                  OK
+mysql.servers                                      OK
+mysql.slave_master_info                            OK
+mysql.slave_relay_log_info                         OK
+mysql.slave_worker_info                            OK
+mysql.slow_log                                     OK
+mysql.tables_priv                                  OK
+mysql.time_zone                                    OK
+mysql.time_zone_leap_second                        OK
+mysql.time_zone_name                               OK
+mysql.time_zone_transition                         OK
+mysql.time_zone_transition_type                    OK
+mysql.user                                         OK
+mtr.global_suppressions                            OK
+mtr.test_suppressions                              OK
+sys.sys_config                                     OK
+#
+# Bug#24447771 ACL_INIT() RETURNS TRUE ON 5.7 DATA DIRECTORY
+#
+CALL mtr.add_suppression("Could not load mysql.role_edges and mysql.default_roles tables. ACL DDLs will not work unless mysql_upgrade is executed.");
+DROP TABLE mysql.role_edges;
+DROP TABLE mysql.default_roles;
+#Restart the server
+# restart
+# let's check for the presense of the warning
+# ACL DDLs should not work
+CREATE USER u1;
+ERROR 42S02: Table 'mysql.role_edges' doesn't exist
+CREATE ROLE r1;
+ERROR 42S02: Table 'mysql.role_edges' doesn't exist
+GRANT SELECT ON *.* TO u1;
+ERROR 42S02: Table 'mysql.role_edges' doesn't exist
+# Run mysql_upgrade
+mysql.column_stats                                 OK
+mysql.columns_priv                                 OK
+mysql.component                                    OK
+mysql.db                                           OK
+mysql.default_roles                                OK
+mysql.engine_cost                                  OK
+mysql.func                                         OK
+mysql.general_log                                  OK
+mysql.gtid_executed                                OK
+mysql.help_category                                OK
+mysql.help_keyword                                 OK
+mysql.help_relation                                OK
+mysql.help_topic                                   OK
+mysql.innodb_index_stats                           OK
+mysql.innodb_table_stats                           OK
+mysql.plugin                                       OK
+mysql.procs_priv                                   OK
+mysql.proxies_priv                                 OK
+mysql.role_edges                                   OK
+mysql.server_cost                                  OK
+mysql.servers                                      OK
+mysql.slave_master_info                            OK
+mysql.slave_relay_log_info                         OK
+mysql.slave_worker_info                            OK
+mysql.slow_log                                     OK
+mysql.tables_priv                                  OK
+mysql.time_zone                                    OK
+mysql.time_zone_leap_second                        OK
+mysql.time_zone_name                               OK
+mysql.time_zone_transition                         OK
+mysql.time_zone_transition_type                    OK
+mysql.user                                         OK
+mtr.global_suppressions                            OK
+mtr.test_suppressions                              OK
+sys.sys_config                                     OK
+SHOW CREATE TABLE mysql.role_edges;
+Table	Create Table
+role_edges	CREATE TABLE `role_edges` (
+  `FROM_HOST` char(60) COLLATE utf8_bin NOT NULL DEFAULT '',
+  `FROM_USER` char(32) COLLATE utf8_bin NOT NULL DEFAULT '',
+  `TO_HOST` char(60) COLLATE utf8_bin NOT NULL DEFAULT '',
+  `TO_USER` char(32) COLLATE utf8_bin NOT NULL DEFAULT '',
+  `WITH_ADMIN_OPTION` enum('N','Y') CHARACTER SET utf8 NOT NULL DEFAULT 'N',
+  PRIMARY KEY (`FROM_HOST`,`FROM_USER`,`TO_HOST`,`TO_USER`)
+) ENGINE=InnoDB DEFAULT CHARSET=utf8 COLLATE=utf8_bin STATS_PERSISTENT=0 COMMENT='Role hierarchy and role grants'
+SHOW CREATE TABLE mysql.default_roles;
+Table	Create Table
+default_roles	CREATE TABLE `default_roles` (
+  `HOST` char(60) COLLATE utf8_bin NOT NULL DEFAULT '',
+  `USER` char(32) COLLATE utf8_bin NOT NULL DEFAULT '',
+  `DEFAULT_ROLE_HOST` char(60) COLLATE utf8_bin NOT NULL DEFAULT '%',
+  `DEFAULT_ROLE_USER` char(32) COLLATE utf8_bin NOT NULL DEFAULT '',
+  PRIMARY KEY (`HOST`,`USER`,`DEFAULT_ROLE_HOST`,`DEFAULT_ROLE_USER`)
+) ENGINE=InnoDB DEFAULT CHARSET=utf8 COLLATE=utf8_bin STATS_PERSISTENT=0 COMMENT='Default roles'
+CREATE USER u1;
+CREATE ROLE r1;
+GRANT SELECT ON *.* TO r1;
+GRANT r1 to u1;
+CREATE TABLE test.t1(c1 int);
+INSERT INTO test.t1 VALUES(1);
+SET ROLE r1;
+SELECT * from t1;
+c1
+1
+DROP TABLE test.t1;
+DROP ROLE r1;
+DROP USER u1;
+
+End of tests
diff --git a/mysql-test/t/roles-upgrade.test b/mysql-test/t/roles-upgrade.test
@@ -0,0 +1,74 @@
+-- source include/no_valgrind_without_big.inc
+-- source include/mysql_upgrade_preparation.inc
+
+#
+# Basic test that we can run mysql_upgrde and that it finds the
+# expected binaries it uses.
+#
+--echo Run mysql_upgrade once
+--exec $MYSQL_UPGRADE --skip-verbose --force 2>&1
+
+# It should have created a file in the MySQL Servers datadir
+let $MYSQLD_DATADIR= `select @@datadir`;
+file_exists $MYSQLD_DATADIR/mysql_upgrade_info;
+
+--echo #
+--echo # Bug#24447771 ACL_INIT() RETURNS TRUE ON 5.7 DATA DIRECTORY
+--echo #
+
+CALL mtr.add_suppression("Could not load mysql.role_edges and mysql.default_roles tables. ACL DDLs will not work unless mysql_upgrade is executed.");
+
+DROP TABLE mysql.role_edges;
+DROP TABLE mysql.default_roles;
+
+--echo #Restart the server
+--source include/restart_mysqld.inc
+
+--echo # let's check for the presense of the warning
+let server_log= $MYSQLTEST_VARDIR/log/mysqld.1.err;
+# $server_log has to be processed by include/search_pattern_in_file.inc which
+# contains Perl code requiring that the environment variable SEARCH_FILE points
+# to this file.
+let SEARCH_FILE= $server_log;
+
+--let SEARCH_PATTERN= Could not load mysql.role_edges and mysql.default_roles tables. ACL DDLs will not work unless mysql_upgrade is executed.
+--source include/search_pattern_in_file.inc
+
+--echo # ACL DDLs should not work
+--error ER_NO_SUCH_TABLE
+CREATE USER u1;
+
+--error ER_NO_SUCH_TABLE
+CREATE ROLE r1;
+
+--error ER_NO_SUCH_TABLE
+GRANT SELECT ON *.* TO u1;
+
+--echo # Run mysql_upgrade
+--exec $MYSQL_UPGRADE --skip-verbose --force 2>&1
+
+SHOW CREATE TABLE mysql.role_edges;
+SHOW CREATE TABLE mysql.default_roles;
+
+CREATE USER u1;
+CREATE ROLE r1;
+GRANT SELECT ON *.* TO r1;
+GRANT r1 to u1;
+CREATE TABLE test.t1(c1 int);
+INSERT INTO test.t1 VALUES(1);
+
+connect(conn_u1, localhost, u1,,);
+SET ROLE r1;
+SELECT * from t1;
+
+connection default;
+disconnect conn_u1;
+DROP TABLE test.t1;
+DROP ROLE r1;
+DROP USER u1;
+
+--source include/mysql_upgrade_cleanup.inc
+
+--echo
+--echo End of tests
+
diff --git a/sql/auth/sql_auth_cache.cc b/sql/auth/sql_auth_cache.cc
@@ -1468,6 +1468,53 @@ validate_user_plugin_records()
 }
 
 
+/**
+  Initialize roles structures from tables.
+
+  This function is called by acl_init and may fail to
+  initialize role structures if role_edges and/or
+  default_roles are not present.
+
+  @param thd [in] Handle to THD
+*/
+
+static
+void roles_init(THD *thd)
+{
+  TABLE_LIST tables[2];
+  tables[0].init_one_table(C_STRING_WITH_LEN("mysql"),
+                           C_STRING_WITH_LEN("role_edges"),
+                           "role_edges", TL_READ, MDL_SHARED_READ_ONLY);
+
+  tables[1].init_one_table(C_STRING_WITH_LEN("mysql"),
+                           C_STRING_WITH_LEN("default_roles"),
+                           "default_roles", TL_READ, MDL_SHARED_READ_ONLY);
+
+  tables[0].next_local=
+    tables[0].next_global= tables + 1;
+  tables[1].next_local=
+    tables[1].next_global= 0;
+  tables[0].open_type=
+  tables[1].open_type= OT_BASE_ONLY;
+
+  bool result= open_and_lock_tables(thd, tables, MYSQL_LOCK_IGNORE_TIMEOUT);
+  if (!result)
+  {
+    check_acl_tables(tables, false);
+    commit_and_close_mysql_tables(thd);
+    result= roles_init_from_tables(thd);
+  }
+
+  if (result)
+  {
+   sql_print_warning("Could not load mysql.role_edges and "
+                     "mysql.default_roles tables. ACL DDLs "
+                     "will not work unless mysql_upgrade is "
+                     "executed.");
+  }
+}
+
+
 /*
   Initialize structures responsible for user/db-level privilege checking and
   load privilege information for them from tables in the 'mysql' database.
@@ -1540,7 +1587,7 @@ my_bool acl_init(bool dont_read_acl_tables)
     by zeros at startup.
   */
   return_val|= acl_reload(thd);
-  return_val|= roles_init_from_tables(thd);
+  roles_init(thd);
   thd->release_resources();
   delete thd;
 
@@ -2160,7 +2207,7 @@ void acl_free(bool end)
 
 bool check_engine_type_for_acl_table(THD *thd)
 {
-  TABLE_LIST tables[8];
+  TABLE_LIST tables[6];
 
   /*
     Open the following ACL tables to check their consistency.
@@ -2193,14 +2240,6 @@ bool check_engine_type_for_acl_table(THD *thd)
                            C_STRING_WITH_LEN("procs_priv"),
                            "procs_priv", TL_READ, MDL_SHARED_READ_ONLY);
 
-  tables[ACL_TABLES::TABLE_ROLE_EDGES].init_one_table(C_STRING_WITH_LEN("mysql"),
-                           C_STRING_WITH_LEN("role_edges"),
-                           "role_edges", TL_READ, MDL_SHARED_READ_ONLY);
-
-  tables[ACL_TABLES::TABLE_DEFAULT_ROLES].init_one_table(C_STRING_WITH_LEN("mysql"),
-                           C_STRING_WITH_LEN("default_roles"),
-                           "default_roles", TL_READ, MDL_SHARED_READ_ONLY);
-
   tables[ACL_TABLES::TABLE_USER].next_local=
     tables[ACL_TABLES::TABLE_USER].next_global= tables + 1;
   tables[ACL_TABLES::TABLE_DB].next_local=
@@ -2212,20 +2251,14 @@ bool check_engine_type_for_acl_table(THD *thd)
   tables[ACL_TABLES::TABLE_PROCS_PRIV].next_local=
     tables[ACL_TABLES::TABLE_PROCS_PRIV].next_global= tables + 5;
   tables[ACL_TABLES::TABLE_PROXIES_PRIV].next_local=
-    tables[ACL_TABLES::TABLE_PROXIES_PRIV].next_global= tables + 6;
-  tables[ACL_TABLES::TABLE_ROLE_EDGES].next_local=
-    tables[ACL_TABLES::TABLE_ROLE_EDGES].next_global= tables + 7;
-  tables[ACL_TABLES::TABLE_DEFAULT_ROLES].next_local=
-    tables[ACL_TABLES::TABLE_DEFAULT_ROLES].next_global= 0;
+    tables[ACL_TABLES::TABLE_PROXIES_PRIV].next_global= 0;
 
   tables[ACL_TABLES::TABLE_USER].open_type=
     tables[ACL_TABLES::TABLE_DB].open_type=
     tables[ACL_TABLES::TABLE_TABLES_PRIV].open_type=
     tables[ACL_TABLES::TABLE_COLUMNS_PRIV].open_type=
     tables[ACL_TABLES::TABLE_PROCS_PRIV].open_type=
-    tables[ACL_TABLES::TABLE_PROXIES_PRIV].open_type=
-    tables[ACL_TABLES::TABLE_ROLE_EDGES].open_type=
-    tables[ACL_TABLES::TABLE_DEFAULT_ROLES].open_type= OT_BASE_ONLY;
+    tables[ACL_TABLES::TABLE_PROXIES_PRIV].open_type= OT_BASE_ONLY;
 
   bool result= open_and_lock_tables(thd, tables, MYSQL_LOCK_IGNORE_TIMEOUT);
   if (!result)
