privilege: limit the privileges in memory schemas #35260
@@ -136,31 +135,15 @@ func (p *UserPrivileges) RequestVerification(activeRoles []*auth.RoleIdentity, d | |||
} | |||
} | |||
|
|||
switch dbLowerName { | |||
case util.InformationSchemaName.L: | |||
if util.IsMemDB(dbLowerName) { |
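Review bot: at `if util.IsMemDB(dbLowerName) {` (last line of the hunk), the condition covers every memory database, while the only case visible in the neighbouring `switch dbLowerName` is `util.InformationSchemaName.L`, so one branch now decides the privilege result for schemas that behaved differently before. Please add a comment above the `if` stating which privileges are still granted on memory schemas and which are always refused, and add a test per memory schema so the behaviour change listed under "Side effects" in the description is pinned down rather than implied.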
This PR also disallows creating views on performance_schema and metrics_schema.
MySQL cannot create views in performance_schema.
mysql> create view performance_schema.v as select * from test.t;
ERROR 1044 (42000): Access denied for user 'root'@'%' to database 'performance_schema'
/merge
This pull request has been accepted and is ready to merge. Commit hash: 8541168
Code Coverage Details: https://codecov.io/github/pingcap/tidb/commit/dae3ffd7b783c3bfc4d6758de7c72e2125d87eae
/run-mysql-test
/unhold
Signed-off-by: ti-srebot <ti-srebot@pingcap.com>
cherry pick to release-4.0 in PR #35329
cherry pick to release-5.0 in PR #35330
cherry pick to release-5.1 in PR #35331
cherry pick to release-5.2 in PR #35332
cherry pick to release-5.3 in PR #35333
cherry pick to release-5.4 in PR #35334
cherry pick to release-6.0 in PR #35335
cherry pick to release-6.1 in PR #35336
TiDB MergeCI notify ✅ Well Done! New fixed [1] after this pr merged.
What problem does this PR solve?
Issue Number: close #35205
Problem Summary:
In the previous implementation, metrics_schema.t isn't one of the metrics tables, so the privilege checker is skipped. However, because the memory databases are not persisted in storage, DDL hangs because of a "database not exists" error.
What is changed and how it works?
This PR disallows users from running CREATE/ALTER/DROP/INSERT/UPDATE/DELETE statements on any tables in memory databases.
Check List
Tests
Side effects
After this PR, the following operations on memory tables are not supported anymore:
information_schema: REFERENCES, EXECUTE, SHOW VIEW, LOCK TABLES.
performance_schema: CREATE, LOCK TABLES.
metrics_schema: CREATE, CREATE VIEW. REFERENCES, EXECUTE, SHOW VIEW, LOCK TABLES.
Documentation
Release note