Default Role Implementation

mysql-test/r/ps.result

@@ -1202,13 +1202,13 @@ SET @aux= "SELECT COUNT(*)
 prepare my_stmt from @aux;
 execute my_stmt;
 COUNT(*)
-44
+45
 execute my_stmt;
 COUNT(*)
-44
+45
 execute my_stmt;
 COUNT(*)
-44
+45
 deallocate prepare my_stmt;
 drop procedure if exists p1|
 drop table if exists t1|

mysql-test/suite/roles/create_and_drop_role_invalid_user_table.result

@@ -1,5 +1,6 @@
 use mysql;
 alter table user drop column is_role;
+alter table user drop column default_role;
 flush privileges;
 create role test_role;
 ERROR HY000: Column count of mysql.user is wrong. Expected 44, found 43. Created with MariaDB MYSQL_VERSION_ID, now running MYSQL_VERSION_ID. Please use mysql_upgrade to fix this error.
@@ -8,6 +9,16 @@ ERROR HY000: Operation DROP ROLE failed for 'test_role'
 alter table user add column is_role enum('N', 'Y') default 'N' not null
 COLLATE utf8_general_ci
 after password_expired;
+create role test_role;
+create user test_user@localhost;
+grant test_role to test_user@localhost;
+set default role test_role for root@localhost;
+ERROR HY000: Column count of mysql.user is wrong. Expected 45, found 44. Created with MariaDB MYSQL_VERSION_ID, now running MYSQL_VERSION_ID. Please use mysql_upgrade to fix this error.
+drop role test_role;
+drop user test_user@localhost;
+alter table user add column default_role char(80) binary default '' not null
+COLLATE utf8_general_ci
+after is_role;
 update user set is_role='N';
 flush privileges;
 create role test_role;

mysql-test/suite/roles/create_and_drop_role_invalid_user_table.test

@@ -4,6 +4,7 @@ connect (mysql, localhost, root,,);
 use mysql;
 
 alter table user drop column is_role;
+alter table user drop column default_role;
 
 flush privileges;
 
@@ -16,11 +17,22 @@ alter table user add column is_role enum('N', 'Y') default 'N' not null
                                                    COLLATE utf8_general_ci
 after password_expired;
 
-update user set is_role='N';
-
-flush privileges;
+# Test default role column
 create role test_role;
+create user test_user@localhost;
+grant test_role to test_user@localhost;
+--replace_regex /10\d\d\d\d/MYSQL_VERSION_ID/
+--error ER_COL_COUNT_DOESNT_MATCH_PLEASE_UPDATE
+set default role test_role for root@localhost;
 drop role test_role;
+drop user test_user@localhost;
 
+alter table user add column default_role char(80) binary default '' not null
+                                                   COLLATE utf8_general_ci
+after is_role;
 
+update user set is_role='N';
 
+flush privileges;
+create role test_role;
+drop role test_role;

mysql-test/suite/roles/set_default_role_clear.result

@@ -0,0 +1,35 @@
+create user test_user@localhost;
+create role test_role;
+grant select on *.* to test_role;
+grant test_role to test_user@localhost;
+show grants;
+Grants for test_user@localhost
+GRANT test_role TO 'test_user'@'localhost'
+GRANT USAGE ON *.* TO 'test_user'@'localhost'
+set default role test_role;
+select user, host, default_role from mysql.user;
+ERROR 42000: SELECT command denied to user 'test_user'@'localhost' for table 'user'
+select user, host, default_role from mysql.user where user='test_user';
+user	host	default_role
+test_user	localhost	test_role
+show grants;
+Grants for test_user@localhost
+GRANT test_role TO 'test_user'@'localhost'
+GRANT USAGE ON *.* TO 'test_user'@'localhost'
+GRANT SELECT ON *.* TO 'test_role'
+select user, host, default_role from mysql.user where user='test_user';
+user	host	default_role
+test_user	localhost	test_role
+set default role NONE;
+select user, host, default_role from mysql.user where user='test_user';
+user	host	default_role
+test_user	localhost	
+set default role invalid_role;
+ERROR OP000: Invalid role specification `invalid_role`.
+select user, host, default_role from mysql.user where user='test_user';
+user	host	default_role
+test_user	localhost	
+select user, host, default_role from mysql.user;
+ERROR 42000: SELECT command denied to user 'test_user'@'localhost' for table 'user'
+drop role test_role;
+drop user test_user@localhost;

mysql-test/suite/roles/set_default_role_clear.test

@@ -0,0 +1,52 @@
+source include/not_embedded.inc;
+
+# This test checks clearing a default role from a user.
+
+# Create a user with no privileges
+create user test_user@localhost;
+
+create role test_role;
+
+grant select on *.* to test_role;
+grant test_role to test_user@localhost;
+
+change_user 'test_user';
+show grants;
+set default role test_role;
+
+# Even though a user has the default role set, without reconnecting, we should
+# not already have the roles privileges.
+--error ER_TABLEACCESS_DENIED_ERROR
+select user, host, default_role from mysql.user;
+
+change_user 'root';
+select user, host, default_role from mysql.user where user='test_user';
+
+change_user 'test_user';
+# This should show that the new test_user has the role's grants enabled.
+show grants;
+select user, host, default_role from mysql.user where user='test_user';
+
+set default role NONE;
+
+# We should still have the role set right now.
+select user, host, default_role from mysql.user where user='test_user';
+
+# Make sure we do not somehow get privileges to set an invalid role
+--error ER_INVALID_ROLE
+set default role invalid_role;
+
+change_user 'root';
+select user, host, default_role from mysql.user where user='test_user';
+
+change_user 'test_user';
+# The user does not have a default role set anymore. Make sure we don't still
+# get the privileges.
+--error ER_TABLEACCESS_DENIED_ERROR
+select user, host, default_role from mysql.user;
+
+change_user 'root';
+
+# Cleanup
+drop role test_role;
+drop user test_user@localhost;

mysql-test/suite/roles/set_default_role_for.result

@@ -0,0 +1,65 @@
+create user user_a@localhost;
+create user user_b@localhost;
+create role role_a;
+create role role_b;
+grant role_a to user_a@localhost;
+grant role_b to user_b@localhost;
+grant role_a to user_a@localhost;
+grant select on *.* to role_a;
+grant role_b to user_b@localhost;
+grant insert, update on *.* to role_b;
+set default role role_a for user_b@localhost;
+ERROR 42000: Access denied for user 'user_a'@'localhost' to database 'mysql'
+set default role role_a for user_a@localhost;
+set default role invalid_role for user_a@localhost;
+ERROR OP000: Invalid role specification `invalid_role`.
+set default role role_b for user_a@localhost;
+ERROR OP000: Invalid role specification `role_b`.
+set default role role_b for user_b@localhost;
+show grants;
+Grants for user_a@localhost
+GRANT role_a TO 'user_a'@'localhost'
+GRANT USAGE ON *.* TO 'user_a'@'localhost'
+GRANT SELECT ON *.* TO 'role_a'
+select user, host, default_role from mysql.user where user like 'user_%';
+user	host	default_role
+user_a	localhost	role_a
+user_b	localhost	role_b
+set default role NONE for current_user;
+select user, host, default_role from mysql.user where user like 'user_%';
+user	host	default_role
+user_a	localhost	
+user_b	localhost	role_b
+set default role current_role for current_user;
+select user, host, default_role from mysql.user where user like 'user_%';
+user	host	default_role
+user_a	localhost	role_a
+user_b	localhost	role_b
+set default role role_b for current_user;
+ERROR OP000: Invalid role specification `role_b`.
+show grants;
+Grants for user_b@localhost
+GRANT role_b TO 'user_b'@'localhost'
+GRANT USAGE ON *.* TO 'user_b'@'localhost'
+GRANT INSERT, UPDATE ON *.* TO 'role_b'
+select user, host, default_role from mysql.user where user like 'user_%';
+ERROR 42000: SELECT command denied to user 'user_b'@'localhost' for table 'user'
+insert into mysql.user (user, host) values ('someuser', 'somehost');
+Warnings:
+Warning	1364	Field 'ssl_cipher' doesn't have a default value
+Warning	1364	Field 'x509_issuer' doesn't have a default value
+Warning	1364	Field 'x509_subject' doesn't have a default value
+Warning	1364	Field 'authentication_string' doesn't have a default value
+set default role NONE for user_a@localhost;
+show grants;
+Grants for user_a@localhost
+GRANT role_a TO 'user_a'@'localhost'
+GRANT USAGE ON *.* TO 'user_a'@'localhost'
+GRANT INSERT, UPDATE ON *.* TO 'role_b'
+select user, host, default_role from mysql.user where user like 'user_%';
+ERROR 42000: SELECT command denied to user 'user_a'@'localhost' for table 'user'
+drop role role_a;
+drop role role_b;
+delete from mysql.user where user = 'someuser' && host = 'somehost';
+drop user user_a@localhost;
+drop user user_b@localhost;

mysql-test/suite/roles/set_default_role_for.test

@@ -0,0 +1,84 @@
+source include/not_embedded.inc;
+
+# This test checks setting a default role to a different user;
+
+
+create user user_a@localhost;
+create user user_b@localhost;
+
+create role role_a;
+create role role_b;
+
+grant role_a to user_a@localhost;
+grant role_b to user_b@localhost;
+
+grant role_a to user_a@localhost;
+grant select on *.* to role_a;
+
+grant role_b to user_b@localhost;
+grant insert, update on *.* to role_b;
+
+change_user 'user_a';
+
+# A user should not be a able to set a default role for someone else,
+# if he hasn't got write access to the database.
+--error ER_DBACCESS_DENIED_ERROR
+set default role role_a for user_b@localhost;
+
+# Should have the same effect as set default role role_a.
+set default role role_a for user_a@localhost;
+
+change_user 'root';
+
+# Not even a 'root' user should be able to set an invalid role for a user.
+--error ER_INVALID_ROLE
+set default role invalid_role for user_a@localhost;
+
+--error ER_INVALID_ROLE
+set default role role_b for user_a@localhost;
+
+# Make sure we can set a default role for a different user than the one that
+# is actually running the command.
+set default role role_b for user_b@localhost;
+
+change_user 'user_a';
+
+show grants;
+select user, host, default_role from mysql.user where user like 'user_%';
+
+set default role NONE for current_user;
+select user, host, default_role from mysql.user where user like 'user_%';
+
+set default role current_role for current_user;
+select user, host, default_role from mysql.user where user like 'user_%';
+
+# Make sure we can't set a default role not granted to us, using current_user
+--error ER_INVALID_ROLE
+set default role role_b for current_user;
+
+change_user 'user_b';
+
+show grants;
+--error ER_TABLEACCESS_DENIED_ERROR
+select user, host, default_role from mysql.user where user like 'user_%';
+
+# Make sure the default role setting worked from root.
+insert into mysql.user (user, host) values ('someuser', 'somehost');
+# Since we have update privileges on the mysql.user table, we should
+# be able to set a default role for a different user.
+set default role NONE for user_a@localhost;
+
+change_user 'user_a';
+
+# There is no default role set any more.
+show grants;
+--error ER_TABLEACCESS_DENIED_ERROR
+select user, host, default_role from mysql.user where user like 'user_%';
+
+change_user 'root';
+
+drop role role_a;
+drop role role_b;
+delete from mysql.user where user = 'someuser' && host = 'somehost';
+drop user user_a@localhost;
+drop user user_b@localhost;

mysql-test/suite/roles/set_default_role_invalid.result

@@ -0,0 +1,40 @@
+create user test_user@localhost;
+create role test_role;
+create role not_granted_role;
+grant select on *.* to test_role;
+grant test_role to test_user@localhost;
+show grants;
+Grants for test_user@localhost
+GRANT test_role TO 'test_user'@'localhost'
+GRANT USAGE ON *.* TO 'test_user'@'localhost'
+select user, host, default_role from mysql.user;
+ERROR 42000: SELECT command denied to user 'test_user'@'localhost' for table 'user'
+set default role invalid_role;
+ERROR OP000: Invalid role specification `invalid_role`.
+set default role not_granted_role;
+ERROR OP000: Invalid role specification `not_granted_role`.
+set default role test_role;
+select user, host, default_role from mysql.user;
+ERROR 42000: SELECT command denied to user 'test_user'@'localhost' for table 'user'
+select user, host, default_role from mysql.user where user='test_user';
+user	host	default_role
+test_user	localhost	test_role
+show grants;
+Grants for test_user@localhost
+GRANT test_role TO 'test_user'@'localhost'
+GRANT USAGE ON *.* TO 'test_user'@'localhost'
+GRANT SELECT ON *.* TO 'test_role'
+select user, host, default_role from mysql.user where user='test_user';
+user	host	default_role
+test_user	localhost	test_role
+set default role invalid_role;
+ERROR OP000: Invalid role specification `invalid_role`.
+select user, host, default_role from mysql.user where user='test_user';
+user	host	default_role
+test_user	localhost	test_role
+revoke test_role from test_user@localhost;
+select user, host, default_role from mysql.user where user='test_user';
+ERROR 42000: SELECT command denied to user 'test_user'@'localhost' for table 'user'
+drop role test_role;
+drop role not_granted_role;
+drop user test_user@localhost;