Uploaded image for project: 'MariaDB Server'
  1. MariaDB Server
  2. MDEV-5227

Resolve the ambiguity between user and role names as mentioned in MDEV-4397

    Details

    • Type: Task
    • Status: Open
    • Priority: Minor
    • Resolution: Unresolved
    • Fix Version/s: 10.0
    • Component/s: None
    • Labels:
      None

      Description

      MDEV-4397 (Roles) says that there is expected ambiguity between role names and user names, and also mentions a possible solution for that ("we can specify that a role name cannot match the first part of any user name."). It hasn't been done, please consider implementing it or something similar; the way it works now is indeed a bit confusing and somewhat disturbing, e.g.

      create user manager;
      grant all on db1.* to manager; # grant goes to the user manager@'%'
      create role manager;
      grant all on db2.* to manager; # grant goes to the role manager
      

      etc.

        Gliffy Diagrams

          Attachments

            Issue Links

              Activity

              Hide
              elenst Elena Stepanova added a comment - - edited

              Here is Peter's opinion on the subject, mentioned in his blog (http://ocelot.ca/blog/blog/2014/01/12/roles-review/):

              Here's the third bug: if a user and a role have the same name, GRANT only works on the role. If I say

              CREATE USER u_1;
              CREATE ROLE u_1;
              GRANT INSERT ON . TO u_1;
              SELECT host,user,insert_priv,is_role FROM mysql.user WHERE mysql.user.user='u_1';

              I'd expect that INSERT would be granted to both the user and the role. It's not, it's granted only to the role. Moral: users and roles should not have the same names!

              Show
              elenst Elena Stepanova added a comment - - edited Here is Peter's opinion on the subject, mentioned in his blog ( http://ocelot.ca/blog/blog/2014/01/12/roles-review/): Here's the third bug: if a user and a role have the same name, GRANT only works on the role. If I say CREATE USER u_1; CREATE ROLE u_1; GRANT INSERT ON . TO u_1; SELECT host,user,insert_priv,is_role FROM mysql.user WHERE mysql.user.user='u_1'; I'd expect that INSERT would be granted to both the user and the role. It's not, it's granted only to the role. Moral: users and roles should not have the same names!

                People

                • Assignee:
                  Unassigned
                  Reporter:
                  elenst Elena Stepanova
                • Votes:
                  0 Vote for this issue
                  Watchers:
                  2 Start watching this issue

                  Dates

                  • Created:
                    Updated: