session: set sql security of tidb_mdl_view to 'invoker' (pingcap#53265
tangenta authored and RidRisR committed May 23, 2024
1 parent 378e37d commit 3891d99
Showing 2 changed files with 19 additions and 1 deletion.
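--- a/pkg/infoschema/test/clustertablestest/cluster_tables_test.go
+++ b/pkg/infoschema/test/clustertablestest/cluster_tables_test.go
@@ -908,6 +908,24 @@ func TestMDLView(t *testing.T) {
 }
 }
 
+func TestMDLViewPrivilege(t *testing.T) {
+store := testkit.CreateMockStore(t)
+tk := testkit.NewTestKit(t, store)
+require.NoError(t, tk.Session().Auth(&auth.UserIdentity{Username: "root", Hostname: "%"}, nil, nil, nil))
+tk.MustQuery("select * from mysql.tidb_mdl_view;").Check(testkit.Rows())
+tk.MustExec("create user 'test'@'%' identified by '';")
+require.NoError(t, tk.Session().Auth(&auth.UserIdentity{Username: "test", Hostname: "%"}, nil, nil, nil))
+_, err := tk.Exec("select * from mysql.tidb_mdl_view;")
+require.ErrorContains(t, err, "view lack rights")
+
+// grant all privileges to test user.
+require.NoError(t, tk.Session().Auth(&auth.UserIdentity{Username: "root", Hostname: "%"}, nil, nil, nil))
+tk.MustExec("grant all privileges on *.* to 'test'@'%';")
+tk.MustExec("flush privileges;")
+require.NoError(t, tk.Session().Auth(&auth.UserIdentity{Username: "test", Hostname: "%"}, nil, nil, nil))
+tk.MustQuery("select * from mysql.tidb_mdl_view;").Check(testkit.Rows())
+}
+
 func TestQuickBinding(t *testing.T) {
 s := new(clusterTablesSuite)
 s.store, s.dom = testkit.CreateMockStoreAndDomain(t)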
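Review bot: TestMDLViewPrivilege checks only the two extremes, a user with no grants and a user with `grant all privileges on *.*`, so it does not pin the boundary that SQL SECURITY INVOKER is meant to enforce. A user who holds SELECT on the view alone should still be refused, because the invoker also needs rights on the tables the view reads; adding `tk.MustExec("grant select on mysql.tidb_mdl_view to 'test'@'%';")` as root and asserting the same `view lack rights` error before the grant-all step would fail if the view ever reverted to definer semantics. The expected error text for that intermediate case is inferred from the existing assertion and should be confirmed. A one-line comment above the function, such as `// TestMDLViewPrivilege checks that mysql.tidb_mdl_view is evaluated with the caller's privileges.`, would also state the intent.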
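--- a/pkg/session/bootstrap.go
+++ b/pkg/session/bootstrap.go
@@ -460,7 +460,7 @@ const (
 lock_name VARCHAR(64) NOT NULL PRIMARY KEY
 );`
 // CreateMDLView is a view about metadata locks.
-CreateMDLView = `CREATE OR REPLACE VIEW mysql.tidb_mdl_view as (
+CreateMDLView = `CREATE OR REPLACE SQL SECURITY INVOKER VIEW mysql.tidb_mdl_view as (
 SELECT tidb_mdl_info.job_id,
 JSON_UNQUOTE(JSON_EXTRACT(cast(cast(job_meta as char) as json), "$.schema_name")) as db_name,
 JSON_UNQUOTE(JSON_EXTRACT(cast(cast(job_meta as char) as json), "$.table_name")) as table_name,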
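Review bot: Changing the `CreateMDLView` constant only takes effect where this statement is executed again, and the section shows no accompanying upgrade step (the diffstat lists this one-line change as the only edit to bootstrap.go), so already-bootstrapped clusters may keep the view with its previous SQL SECURITY setting. It is not visible from this hunk whether `CreateMDLView` is re-run on upgrade; if it is not, a versioned upgrade step that re-executes it is needed for the privilege change to reach existing deployments. The comment above the constant could also record the reason, e.g. `// CreateMDLView is a view about metadata locks. It uses SQL SECURITY INVOKER so that it is evaluated with the caller's privileges.` The `const (` block starts and ends outside the hunk.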
