pingcap · ti-chi-bot · Nov 19, 2021 · Nov 15, 2021 · Nov 15, 2021 · Nov 16, 2021
diff --git a/executor/simple.go b/executor/simple.go
@@ -661,6 +661,12 @@ func (e *SimpleExec) executeRevokeRole(ctx context.Context, s *ast.RevokeRoleStm
 		return errors.Trace(err)
 	}
 	sql := new(strings.Builder)
+	// when an active role of current user is revoked,
+	// it should be removed from activeRoles
+	activeRoles, currentUser := e.ctx.GetSessionVars().ActiveRoles, ""
+	if e.ctx.GetSessionVars().User != nil {
+		currentUser = e.ctx.GetSessionVars().User.Username
+	}
 	for _, user := range s.Users {
 		exists, err := userExists(ctx, e.ctx, user.Username, user.Hostname)
 		if err != nil {
@@ -693,11 +699,29 @@ func (e *SimpleExec) executeRevokeRole(ctx context.Context, s *ast.RevokeRoleStm
 				}
 				return ErrCannotUser.GenWithStackByArgs("REVOKE ROLE", role.String())
 			}
+
+			// delete from activeRoles
+			if currentUser == user.Username {
+				for i := 0; i < len(activeRoles); i++ {
+					if activeRoles[i].Username == role.Username && activeRoles[i].Hostname == role.Hostname {
+						activeRoles = append(activeRoles[:i], activeRoles[i+1:]...)
+						break
+					}
+				}
+			}
 		}
 	}
 	if _, err := sqlExecutor.ExecuteInternal(context.TODO(), "commit"); err != nil {
 		return err
 	}
+	checker := privilege.GetPrivilegeManager(e.ctx)
+	if checker == nil {
+		return errors.New("miss privilege checker")
+	}
+	if ok, roleName := checker.ActiveRoles(e.ctx, activeRoles); !ok {
+		u := e.ctx.GetSessionVars().User
+		return ErrRoleNotGranted.GenWithStackByArgs(roleName, u.String())
+	}
 	return domain.GetDomain(e.ctx).NotifyUpdatePrivilege()
 }
 

diff --git a/executor/simple_test.go b/executor/simple_test.go
@@ -974,3 +974,17 @@ func (s *testSuite3) TestShowGrantsAfterDropRole(c *C) {
 	tk.MustExec("DROP ROLE r29473")
 	tk.MustQuery("SHOW GRANTS").Check(testkit.Rows("GRANT CREATE USER ON *.* TO 'u29473'@'%'"))
 }
+
+func (s *testSuite3) TestDropRoleAfterRevoke(c *C) {
+	// issue 29781
+	tk := testkit.NewTestKit(c, s.store)
+	tk.MustExec("use test;")
+	tk.Se.Auth(&auth.UserIdentity{Username: "root", Hostname: "localhost"}, nil, nil)
+
+	tk.MustExec("create role r1, r2, r3;")
+	defer tk.MustExec("drop role r2, r3;")
+	tk.MustExec("grant r1,r2,r3 to current_user();")
+	tk.MustExec("set role all;")
+	tk.MustExec("revoke r1, r3 from root;")
+	tk.MustExec("drop role r1;")
+}