Bug #43168 | Not possible to backup a view if definer does not exist. | ||
---|---|---|---|
Submitted: | 25 Feb 2009 7:57 | Modified: | 5 Oct 2010 7:36 |
Reporter: | Rafal Somla | Email Updates: | |
Status: | Unsupported | Impact on me: | |
Category: | MySQL Server: Backup | Severity: | S3 (Non-critical) |
Version: | OS: | Any | |
Assigned to: | Rafal Somla | CPU Architecture: | Any |
Tags: | disabled |
[25 Feb 2009 7:57]
Rafal Somla
[16 Apr 2009 13:49]
Rafal Somla
REFINED PROBLEM DESCRIPTION =========================== 1. When a view is added to backup catalogue, its base tables are determined (Backup_info::add_view_deps()) using si_objects obs::get_view_base_views(). 2. The latter function opens the view with open_tables() (si_objects.cc:1520). Function open_tables() signals error if view's definer does not exist. Thus obs::get_view_base_views() fails and BACKUP operation fails. 3. Even if obs::get_view_base_views() would succeed, later a create statement for the view would be obtained by executing SHOW CREATE VIEW statement. 4. For a view with missing definer, SHOW CREATE VIEW reports warning. This is interpreted as an error by obs::get_view_create_statement() and again leads to BACKUP failure. 5. The problem in point 4 could be solved by ignoring warnings from SHOW CREATE VIEW in obs::get_view_create_statement(). 6. Problem in point 2 can be solved by setting table->prelocking_placeholder flag to TRUE before calling open_tables(). This relaxes some checks made by open_tables() and at the same time still enables for listing the base tables. 7. With prelocking_placeholder set to TRUE, open_tables() does not check if underlying tables exist and BACKUP will ignore this fact as well. This is not good because when fixing bug#34902 it was decided that a view with missing base tables should stop BACKUP process. 8. Possible fix for 7 would be to have explicit checks for existence of view's base tables. I.e., open_tables() will succeed, obs::get_view_base_tables/views() would return valid iterator and then we should iterate over base tables/views and signal error if one of them is missing.
[20 Apr 2009 14:39]
Rafal Somla
Additional problem is that it should not be possible to backup a view which is invalid because an underlying view/table was altered (BUG#34867). Disabling checks as suggested in points 5 and 8 above would allow for backup of such broken views and then RESTORE would fail.
[21 Apr 2009 8:58]
Rafal Somla
I don't see an easy fix for this bug. Here are problems I run into when trying to find a solution. 1. BACKUP fails for a view with non-existing definer because si_objects code fails to open such a view, because open_table() function performs access right checks which fail if user does not exist. 2. It is possible to disable checks in open_table() but then other important problems are not detected. For example the fact that base objects of a view are missing (BUG#34902) or that view is invalid because base view has been altered (BUG#34867). But these conditions must be detected by BACKUP command. 3. If open_table() detects an invalid view, it does not inform about the exact problem detected. Instead, a general ER_VIEW_INVALID error is reported. This seems to be by design - even if more detailed cause of the problem is known, it is explicitly hidden (see TABLE_LIST::hide_view_error()) probably for security reasons. Thus it is not possible to distinguish situation when definer is missing form other errors which should not be ignored. 4. Even if open_table() would not hide exact reason of a failed open attempt, there are no explicit checks in the code for the existence of the definer. In this case an error ER_TABLEACCESS_DENIED_ERROR is detected when access rights are checked (in mysql_derived_prepare). The same error could happen in the situation when the definer exists, but does not have enough privileges. Distinguishing these two situations would require adding extra logic to open_table() with difficult to predict consequences for the functioning of the server.
[21 Apr 2009 9:28]
Rafal Somla
Triage, I propose to remove SR60BACKUP tag from this bug and schedule it for later release. Rationale --------- Since I don't see an easy/immediate fix for this bug, I think it should be fixed as a part of a bigger task to implement "bast-effort" backup restore, which is scheduled for 6.1 or later release. Without fixing this bug in beta, the behaviour of BACKUP will be consistent with other similar situations, when an attempt to backup an invalid view is made. Detailed rationale ------------------ This issue is a part of the bigger problem of handling broken dependencies during BACKUP/RESTORE. That is, what should happen if user tries to BACKUP an object with broken dependencies such as: - a view with some base table/view missing (BUG#34902) - an view which is invalid because its base view has been altered (BUG#34867) Also, what should happen if user tries to restore backup image in an environment where some dependencies are not satisfied. The desired solution of this problem is to have "best-effort" backup/restore operations (e.g. WL#4638). That is, even in presence of problems, the operations continue and try to complete as much work as possible. However, "best-effort" is not implemented now and is not planned for beta release of backup (see http://forge.mysql.com/wiki/OnlineBackup). The beta release code stops on the first encountered error. At the same time we try to follow these principles: - BACKUP/RESTORE statements should never crash the server (obviously), but report error instead (this had to be fixed e.g. in BUG#34902 and BUG#34867) - BACKUP should not create image which can not be successfully restored. With respect to the issue reported in this bug, the above principles are satisfied. If view with missing definer exists, BACKUP will report an error and refuse to create a backup image. This is the same as the situation when a view with missing base table or a view with altered base view is backed-up.
[30 Jun 2009 17:58]
Alexander Nozdrin
A piece of the backup_objects_dependency.test is disabled due to this bug.
[10 Nov 2009 18:27]
Omer Barnir
triage: re-triaging and reducing to I4 as it is expected that ot many will have 'broken objects in production systems.
[5 Oct 2010 7:36]
Ingo Strüwing
The feature will not be implemented.