| Bug #84244 | Distinguish roles and plain users in mysql.user | ||
|---|---|---|---|
| Submitted: | 17 Dec 2016 11:27 | Modified: | 9 Feb 2017 12:54 |
| Reporter: | Peter Laursen (Basic Quality Contributor) | Email Updates: | |
| Status: | Verified | Impact on me: | |
| Category: | MySQL Server: Security: Privileges | Severity: | S2 (Serious) |
| Version: | 8 | OS: | Any |
| Assigned to: | CPU Architecture: | Any | |
[17 Dec 2016 11:27]
Peter Laursen
[17 Dec 2016 11:40]
Peter Laursen
Another example that confuses the server, as it cannot distinguish roles and plain users: CREATE role someone; CREATE USER someone; -- Error Code: 1396: Operation CREATE USER failed for 'someone'@'%' DROP USER someone; -- success. Erhh??? The role was dropped as shown by SELECT COUNT(*) FROM mysql.user WHERE `host` = '%'; -- returns "0"
[17 Dec 2016 16:04]
Peter Laursen
In my first post please correct It is "Y" for the View and "N" for the Table. >> It is "Y" for the role and "N" for the user.
[18 Dec 2016 9:52]
Peter Laursen
Changin severity.
[19 Dec 2016 12:48]
MySQL Verification Team
Hello Peter, Thank you for the report. Thanks, Umesh
[19 Dec 2016 13:03]
Peter Laursen
Thanks for verification. I simply have a requirement to 1) display a list of users that are not roles 2) display a list of roles that are not plain users 3) identify if a an entry in mysql.user represents a role or a plain user -- and I don't think this is possible now.
[9 Feb 2017 12:54]
Peter Laursen
MariaDB 10.2 got it right:
SHOW COLUMNS FROM mysql.user; -- note the "is_role" column in the result.
FIELD TYPE NULL KEY DEFAULT Extra
---------------------- --------------------------------- ------ ------ -------- --------
HOST CHAR(60) NO PRI
USER CHAR(80) NO PRI
PASSWORD CHAR(41) NO
Select_priv ENUM('N','Y') NO N
Insert_priv ENUM('N','Y') NO N
Update_priv ENUM('N','Y') NO N
Delete_priv ENUM('N','Y') NO N
Create_priv ENUM('N','Y') NO N
Drop_priv ENUM('N','Y') NO N
Reload_priv ENUM('N','Y') NO N
Shutdown_priv ENUM('N','Y') NO N
Process_priv ENUM('N','Y') NO N
File_priv ENUM('N','Y') NO N
Grant_priv ENUM('N','Y') NO N
References_priv ENUM('N','Y') NO N
Index_priv ENUM('N','Y') NO N
Alter_priv ENUM('N','Y') NO N
Show_db_priv ENUM('N','Y') NO N
Super_priv ENUM('N','Y') NO N
Create_tmp_table_priv ENUM('N','Y') NO N
Lock_tables_priv ENUM('N','Y') NO N
Execute_priv ENUM('N','Y') NO N
Repl_slave_priv ENUM('N','Y') NO N
Repl_client_priv ENUM('N','Y') NO N
Create_view_priv ENUM('N','Y') NO N
Show_view_priv ENUM('N','Y') NO N
Create_routine_priv ENUM('N','Y') NO N
Alter_routine_priv ENUM('N','Y') NO N
Create_user_priv ENUM('N','Y') NO N
Event_priv ENUM('N','Y') NO N
Trigger_priv ENUM('N','Y') NO N
Create_tablespace_priv ENUM('N','Y') NO N
ssl_type ENUM('','ANY','X509','SPECIFIED') NO
ssl_cipher BLOB NO (NULL)
x509_issuer BLOB NO (NULL)
x509_subject BLOB NO (NULL)
max_questions INT(11) UNSIGNED NO 0
max_updates INT(11) UNSIGNED NO 0
max_connections INT(11) UNSIGNED NO 0
MAX_USER_CONNECTIONS INT(11) NO 0
PLUGIN CHAR(64) NO
authentication_string TEXT NO (NULL)
password_expired ENUM('N','Y') NO N
is_role ENUM('N','Y') NO N
default_role CHAR(80) NO
max_statement_time DECIMAL(12,6) NO 0.000000
[27 Mar 2017 12:37]
Kristofer Pettersson
Both roles and users are in fact authorization identifiers and share the same namespace per design. A role is functionally a role when it's present in role_edges. Any authorization identifier can be a role and any user can be a role (ie you can authenticate to any authorization identifier unless it's locked or otherwise restricted) There's no artificial restriction embedded in the system to prevent this but you are free to do as you please. As a DBA you might still have a personal intention that a specific authorization identifier must be a role, and then using a name scheme to communicate this intention is in fact not a bad choice. You can for example add a prefix "r_" to those authorization IDs which you intend to be roles and nothing else.
