Bug #110997 | Any "SET ROLE" operation results in loss of permission | ||
---|---|---|---|
Submitted: | 11 May 2023 14:51 | Modified: | 7 Aug 2023 23:04 |
Reporter: | Steven Walter | Email Updates: | |
Status: | Closed | Impact on me: | |
Category: | MySQL Server: Security: Privileges | Severity: | S3 (Non-critical) |
Version: | 8.0 | OS: | Any |
Assigned to: | CPU Architecture: | Any |
[11 May 2023 14:51]
Steven Walter
[11 May 2023 15:01]
MySQL Verification Team
Hi Mr. Walter, Thank you for your bug report. Our Manual has this sentence in the section on the roles: " Privileges that the user has been granted directly (rather than through roles) remain unaffected by changes to the active roles. " Are you reporting that this does not hold true in 8.0.33 ?? We are waiting on your feedback.
[11 May 2023 15:05]
Steven Walter
Yes, that is what I'm observing. I believe you should be able to reproduce the same behavior with the steps I documented above.
[11 May 2023 17:18]
MySQL Verification Team
Hi, We reproduced the behaviour. This is now a verified bug.
[12 May 2023 12:57]
MySQL Verification Team
HI, This was double checked and this report is now a fully verified bug. Verified as reported.
[7 Aug 2023 23:04]
Jon Stephens
Documented fix as follows in the MySQL 8.2.0 changelog: For a user with no roles granted to it, any SET ROLE statement caused MySQL to forget any permissions associated directly with that user account until the session ongoing was terminated and a new one started. For example, a SHOW TABLES that succeeded previously was rejected following SET ROLE ALL, SET ROLE NONE, or SET ROLE DEFAULT because the user's privileges were no longer recognized. Closed.
[8 Aug 2023 12:23]
MySQL Verification Team
Thank you, Jon.