| Bug #52142 | Deleting an MEM user doesn't prevent them from using an existing session | | |
|---|---|---|---|
| Submitted: | 17 Mar 2010 14:46 | Modified: | 27 May 2010 13:13 |
| Reporter: | MC Brown | Email Updates: | |
| Status: | Closed | Impact on me: | |
| Category: | MySQL Enterprise Monitor: Web | Severity: | S3 (Non-critical) |
| Version: | 2.2.0.1709 | OS: | Any |
| Assigned to: | Josh Sled | CPU Architecture: | Any |
[17 Mar 2010 14:46]
MC Brown
[27 Apr 2010 9:38]
Sveta Smirnova
Thank you for the report. Verified as described, although this behavior is the same as the server's, so it can be considered not a bug.
[27 Apr 2010 9:39]
Sveta Smirnova
If considered not a bug, it would be good to have it documented in the MEM user manual.
[10 May 2010 16:11]
Kevin Benton
Documented or not, it's a security flaw. User permissions are stored in the server and deleting a user should immediately prevent the user from being able to do anything else whether or not that user has a session open. Not doing that increases security risk. A user with malicious intent that is deleted can still keep on messing things up. The same is true in mysqld - any change to permissions should automatically flush any permissions cache and force any existing sessions to re-establish permissions immediately. kbcmdba
[19 May 2010 19:03]
Enterprise Tools JIRA Robot
Josh Sled writes:
revno: 8081
revision-id: josh.sled@oracle.com-20100519190214-tsc6vx441mo5f92a
parent: josh.sled@oracle.com-20100519180823-ilayr4dvb5vnpj2w
committer: Josh Sled <josh.sled@oracle.com>
branch nick: 2.2
timestamp: Wed 2010-05-19 15:02:14 -0400
message: EM-4194: if the (db) user technically exists but is not active because they have been "deleted", treat that as the user not existing
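An added illustration (not MySQL Enterprise Monitor's own code) of the pre-fix and post-fix checks discussed in this report: a session is honoured only if it still resolves to an active user, so a soft-deleted record is treated as nonexistent, as the commit message specifies. The store layout and the function names are made up for the example.

```python
import secrets

# Constructed example (not MEM code).  Users are soft-deleted: the record stays
# but its "active" flag is cleared, matching the fix's commit message.
USERS = {}       # name -> {"active": bool}
SESSIONS = {}    # session token -> user name

def add_user(name):
    USERS[name] = {"active": True}

def delete_user(name):
    USERS[name]["active"] = False   # soft delete; row still "technically exists"

def lookup_active_user(name):
    """Return the user name only if the record exists AND is active."""
    rec = USERS.get(name)
    return name if rec is not None and rec["active"] else None

def login(name):
    if lookup_active_user(name) is None:
        raise PermissionError("unknown or deleted user")
    token = secrets.token_hex(16)
    SESSIONS[token] = name
    return token

def authorize_before_fix(token):
    # Buggy behaviour: a valid session token is all that is checked, so a user
    # deleted after login keeps working until the session expires on its own.
    return token in SESSIONS

def authorize_after_fix(token):
    # Fixed behaviour: resolve the session to an *active* user on every request.
    # A missing or soft-deleted user is treated as nonexistent and the stale
    # session is dropped immediately.
    name = SESSIONS.get(token)
    if name is None or lookup_active_user(name) is None:
        SESSIONS.pop(token, None)
        return False
    return True

def demo():
    """Log in, delete the user, then authorize with the old token both ways."""
    USERS.clear()
    SESSIONS.clear()
    add_user("alice")
    token = login("alice")
    delete_user("alice")
    return authorize_before_fix(token), authorize_after_fix(token)
```

`demo()` returns `(True, False)`: the old check still accepts the token after the delete, the fixed check rejects it and removes the session.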
[24 May 2010 16:46]
Enterprise Tools JIRA Robot
Andy Bang writes: In build 2.2.1.1721.
[24 May 2010 17:41]
Enterprise Tools JIRA Robot
Marcos Palacios writes: Verified fixed in Monitor build 2.2.1.1721.
[27 May 2010 13:13]
MC Brown
A note has been added to the 2.2.1 changelog: Deleting a user while the user is currently logged in and using &merlin_client; would not prevent the user from continuing to use the &merlin_client;, even though the user no longer existed in the system.