Bug #58799 You cannot revoke using db.* syntax grants given with db.tablename
Submitted: 7 Dec 2010 19:55
Modified: 18 Dec 2010 0:13
Reporter: Federico Sacerdoti
Status: Not a Bug
Category: MySQL Server: Command-line Clients
Severity: S2 (Serious)
Version:
OS: Any
Assigned to:
CPU Architecture: Any
Tags: revoke

[7 Dec 2010 19:55] Federico Sacerdoti
mysql> revoke insert,update,delete on cluster.* from apache@localhost;
 Query OK, 0 rows affected (0.00 sec)

mysql> show grants for apache@localhost;
| GRANT SELECT, INSERT, UPDATE, DELETE ON `cluster`.`vm_disks` TO 'apache'@'localhost'                                       |
| GRANT SELECT, INSERT, UPDATE, DELETE ON `cluster`.`os_attributes` TO 'apache'@'localhost' 

How to repeat:
grant select,update,insert,delete on cluster.boot to apache@localhost;
grant select,update,insert,delete on cluster.bootflags to apache@localhost;

revoke insert,update,delete on cluster.* from apache@localhost;

show grants for apache@localhost;

Suggested fix:
Alter the code to not change the accepted definition of "*".
[7 Dec 2010 19:56] Federico Sacerdoti
MySQL version 5.1.33
[14 Dec 2010 22:20] Sveta Smirnova
Thank you for taking the time to write to us, but this is not a bug. Please double-check the documentation available at http://dev.mysql.com/doc/ and the instructions on how to report a bug at http://bugs.mysql.com/how-to-report.php

You mix database and table privileges here. See http://dev.mysql.com/doc/refman/5.1/en/grant.html#grant-database-privileges and http://dev.mysql.com/doc/refman/5.1/en/grant.html#grant-table-privileges. You cannot revoke a table privilege by revoking a database privilege.
[18 Dec 2010 0:13] Federico Sacerdoti
Thank you Sveta. 

I will not fight this, and this will be my last post on the bug. However, there are no syntactical cues for the user to know which grants affect tables and which affect databases. The behavior of your system is confusing, and as I said, goes against the traditional semantics of the * operator.

I realize you may not be able to fix, but I'd like to lodge my request for database.* to smoothly integrate and understand table privs, leading to an easier to use system. At the moment it seems opaque, querulous, even truculent.
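
The scope distinction discussed in this thread, as an added example (not part of the original report and not MySQL's own code): a Python sketch that classifies SHOW GRANTS rows by scope and emits the per-table REVOKE statements that a REVOKE ... ON cluster.* leaves in place. The helper names and the two rows marked as constructed are assumptions, and column-level privilege lists are assumed absent.

```python
import re

# One SHOW GRANTS row: GRANT <privs> ON <db>.<table> TO '<user>'@'<host>'
GRANT_RE = re.compile(
    r"GRANT\s+(?P<privs>.+?)\s+ON\s+(?P<db>`[^`]+`|\*)\.(?P<tbl>`[^`]+`|\*)"
    r"\s+TO\s+(?P<grantee>'[^']*'@'[^']*')", re.IGNORECASE)

def parse_grants(rows):
    """Classify each grant row as global (*.*), database (db.*) or table (db.tbl)."""
    grants = []
    for row in rows:
        m = GRANT_RE.search(row)
        if not m:
            continue  # table borders, blank lines
        db, tbl = m.group("db"), m.group("tbl")
        scope = "global" if db == "*" else "database" if tbl == "*" else "table"
        privs = {p.strip().upper() for p in m.group("privs").split(",")}
        grants.append({"scope": scope, "db": db.strip("`"), "table": tbl.strip("`"),
                       "privs": privs, "grantee": m.group("grantee")})
    return grants

def table_revokes(rows, db, unwanted):
    """REVOKE statements for table-level grants in db that REVOKE ... ON db.* leaves in place."""
    stmts = []
    for g in parse_grants(rows):
        if g["scope"] != "table" or g["db"] != db:
            continue
        # ALL PRIVILEGES at table scope includes every privilege in `unwanted`
        hit = unwanted if "ALL PRIVILEGES" in g["privs"] else g["privs"] & unwanted
        if hit:
            stmts.append("REVOKE %s ON `%s`.`%s` FROM %s;" % (
                ", ".join(sorted(hit)), g["db"], g["table"], g["grantee"]))
    return stmts

SAMPLE = [
    "| GRANT USAGE ON *.* TO 'apache'@'localhost' |",           # constructed row
    "| GRANT SELECT ON `cluster`.* TO 'apache'@'localhost' |",  # constructed row
    # the two rows below are the SHOW GRANTS output quoted in the report
    "| GRANT SELECT, INSERT, UPDATE, DELETE ON `cluster`.`vm_disks` TO 'apache'@'localhost' |",
    "| GRANT SELECT, INSERT, UPDATE, DELETE ON `cluster`.`os_attributes` TO 'apache'@'localhost'",
]

if __name__ == "__main__":
    for stmt in table_revokes(SAMPLE, "cluster", {"INSERT", "UPDATE", "DELETE"}):
        print(stmt)
```

Running the generated statements and then re-checking SHOW GRANTS confirms that no table-scope write privileges remain for the account.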