Bug #72905 Workbench ignores column-level permissions
Submitted: 6 Jun 2014 21:02
Modified: 27 Aug 2014 3:10
Reporter: Robert Kline
Status: Closed
Category: MySQL Workbench
Severity: S2 (Serious)
Version: 6.1.6
OS: Any
Assigned to:
CPU Architecture: Any

[6 Jun 2014 21:02] Robert Kline
Workbench incorrectly reports that the current user does not have permission to execute a SELECT query which requests values from columns for which the user has been explicitly granted SELECT permission. For example, the following GRANT was issued on the users table:

GRANT SELECT (picture, uid, data, created, access, name, status, login) ON `oce_ebms`.`users` TO 'read_ebms'@'%'

I have confirmed that the GRANT took effect using the mysql command-line client:

mysql> select uid, name from users where name like 'b%';
| uid | name             |
... [ data omitted ] ...
17 rows in set (0.01 sec)

When the same query is submitted from Workbench:

0	21	16:51:37	select uid, name from users where name like 'b%'
 LIMIT 0, 1000	Error Code: 1142
 SELECT command denied to user 'read_ebms'@'xx.xxx.xxx.xxx' [IP address redacted] for table 'users'	

How to repeat:
1. Create a MySQL table with multiple columns.
2. GRANT SELECT for only a subset of the columns to a test user.
3. Log on to the database in Workbench with that account.
4. Submit a SELECT query for the allowed columns.

Suggested fix:
Let MySQL decide which columns an account should see.
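
The reproduction steps above as a runnable script, with a server-side check of what a column-level grant permits. This is an added example, not part of the original report; the schema demo_acl, the account col_reader, its password and the sample rows are constructed for illustration.

```sql
-- Added example; every name and row below is constructed, not taken from the report.

-- Part 1: run as an administrative account.
CREATE DATABASE IF NOT EXISTS demo_acl;
CREATE TABLE demo_acl.users (
  uid    INT UNSIGNED NOT NULL PRIMARY KEY,
  name   VARCHAR(60)  NOT NULL,
  pass   VARCHAR(128) NOT NULL,  -- sensitive: left out of the grant
  mail   VARCHAR(254) NULL,      -- sensitive: left out of the grant
  status TINYINT      NOT NULL DEFAULT 1
);
INSERT INTO demo_acl.users (uid, name, pass, mail, status) VALUES
  (1, 'bob',   'placeholder-hash-1', 'bob@example.test',   1),
  (2, 'carol', 'placeholder-hash-2', 'carol@example.test', 1);

-- Placeholder password: replace before running anywhere real.
CREATE USER 'col_reader'@'localhost' IDENTIFIED BY 'replace-this-password';
GRANT SELECT (uid, name, status) ON demo_acl.users TO 'col_reader'@'localhost';

-- Confirm what the server recorded: one row per granted column, nothing for pass/mail.
SHOW GRANTS FOR 'col_reader'@'localhost';
SELECT grantee, column_name, privilege_type
  FROM information_schema.column_privileges
 WHERE table_schema = 'demo_acl' AND table_name = 'users'
 ORDER BY column_name;

-- Part 2: reconnect as col_reader and run each statement on its own.
SELECT uid, name FROM demo_acl.users WHERE name LIKE 'b%';   -- allowed: granted columns only
SELECT uid, name, status FROM demo_acl.users;                -- allowed: exactly the granted set
SELECT uid, pass FROM demo_acl.users;                        -- denied: pass is not granted
SELECT uid FROM demo_acl.users WHERE mail LIKE '%@example.test';  -- denied: WHERE reads mail
SELECT * FROM demo_acl.users;                                -- denied: * expands to ungranted columns

-- Part 3: clean up, again as an administrative account.
DROP USER 'col_reader'@'localhost';
DROP DATABASE demo_acl;
```

Running Part 2 in the mysql command-line client, as the reporter did, separates what the server enforces from what a client tool reports.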
[6 Jun 2014 21:07] MySQL Verification Team
Please check against the latest release 6.1.6. Thanks.
[7 Jun 2014 15:49] Robert Kline
Same behavior in version build 1642.
[8 Jun 2014 18:15] MySQL Verification Team
Thank you for the bug report.
[25 Jun 2014 23:06] Alfredo Kojima
Posted by developer:
The query was being executed but the check whether the query is editable was failing. A fix to ignore the error while checking whether the query is editable was committed to the repository.
[27 Aug 2014 3:10] Philip Olson
Fixed as of the upcoming MySQL Workbench 6.2.2 release, and here's the changelog entry:

MySQL Workbench incorrectly reported that the current user did not have
permission to execute a SELECT query that requested values from columns
that the user was explicitly granted SELECT permission.

Thank you for the bug report.