Uploaded image for project: 'MariaDB Server'
  1. MariaDB Server
  2. MDEV-5227

Resolve the ambiguity between user and role names as mentioned in MDEV-4397

        Details

        • Type: Task
        • Status: Open
        • Priority: Minor
        • Resolution: Unresolved
        • Fix Version/s: 10.0
        • Component/s: None
        • Labels:
          None

          Description

          MDEV-4397 (Roles) says that there is expected ambiguity between role names and user names, and also mentions a possible solution for that ("we can specify that a role name cannot match the first part of any user name."). It hasn't been done, please consider implementing it or something similar; the way it works now is indeed a bit confusing and somewhat disturbing, e.g.

          create user manager;
grant all on db1.* to manager; # grant goes to the user manager@'%'
create role manager;
grant all on db2.* to manager; # grant goes to the role manager

          etc.

            Gliffy Diagrams

              Attachments

                Issue Links

                relates to

                Task - A task that needs to be done. MDEV-5164 Testing Roles

                • Major - Major loss of function.
                • Stalled

                Task - A task that needs to be done. MDEV-4397 Roles

                • Major - Major loss of function.
                • Closed

                  Activity

                  Hide
                  Permalink
                  elenst Elena Stepanova added a comment - - edited

                  Here is Peter's opinion on the subject, mentioned in his blog (http://ocelot.ca/blog/blog/2014/01/12/roles-review/):

                  Here's the third bug: if a user and a role have the same name, GRANT only works on the role. If I say

                  CREATE USER u_1;
                  CREATE ROLE u_1;
                  GRANT INSERT ON . TO u_1;
                  SELECT host,user,insert_priv,is_role FROM mysql.user WHERE mysql.user.user='u_1';

                  I'd expect that INSERT would be granted to both the user and the role. It's not, it's granted only to the role. Moral: users and roles should not have the same names!

                  Show
                  elenst Elena Stepanova added a comment - - edited Here is Peter's opinion on the subject, mentioned in his blog ( http://ocelot.ca/blog/blog/2014/01/12/roles-review/): Here's the third bug: if a user and a role have the same name, GRANT only works on the role. If I say CREATE USER u_1; CREATE ROLE u_1; GRANT INSERT ON . TO u_1; SELECT host,user,insert_priv,is_role FROM mysql.user WHERE mysql.user.user='u_1'; I'd expect that INSERT would be granted to both the user and the role. It's not, it's granted only to the role. Moral: users and roles should not have the same names!

                    People

                    • Assignee:
                      Unassigned
                      Reporter:
                      elenst Elena Stepanova
                    • Votes:
                      0 Vote for this issue
                      Watchers:
                      2 Start watching this issue

                      Dates

                      • Created:
                        Updated: