account who only has USAGE privilege can see information_schema.CLUSTER_CONFIG #26062

Closed
Tracked by #26120
SunRunAway opened this issue Jul 8, 2021 · 3 comments · Fixed by #26071
Labels: security (Everything related with security), severity/major, sig/sql-infra (SIG: SQL Infra), type/bug (The issue is confirmed as a bug.)

SunRunAway commented Jul 8, 2021

Bug Report

Please answer these questions before submitting your issue. Thanks!

1. Minimal reproduce step (Required)

2. What did you expect to see? (Required)

mysql -h127.0.0.1 -uroot -P4000 
create user USAGE_USER;
mysql -h127.0.0.1 -uUSAGE_USER -P4000


mysql> show grants for USAGE_USER;
+----------------------------------------+
| Grants for USAGE_USER@%                |
+----------------------------------------+
| GRANT USAGE ON *.* TO 'USAGE_USER'@'%' |
+----------------------------------------+
1 row in set (0.00 sec)

mysql> select * from information_schema.CLUSTER_CONFIG limit 3;
+------+---------------------+----------------------+----------------+
| TYPE | INSTANCE            | KEY                  | VALUE          |
+------+---------------------+----------------------+----------------+
| tidb | 192.168.189.37:4000 | advertise-address    | 192.168.189.37 |
| tidb | 192.168.189.37:4000 | alter-primary-key    | false          |
| tidb | 192.168.189.37:4000 | binlog.binlog-socket |                |
+------+---------------------+----------------------+----------------+
3 rows in set (0.01 sec)

INFORMATION_SCHEMA and Privileges
For most INFORMATION_SCHEMA tables, each MySQL user has the right to access them, but can see only the rows in the tables that correspond to objects for which the user has the proper access privileges. In some cases (for example, the ROUTINE_DEFINITION column in the INFORMATION_SCHEMA ROUTINES table), users who have insufficient privileges see NULL. Some tables have different privilege requirements; for these, the requirements are mentioned in the applicable table descriptions. For example, InnoDB tables (tables with names that begin with INNODB_) require the PROCESS privilege.

The same privileges apply to selecting information from INFORMATION_SCHEMA and viewing the same information through SHOW statements. In either case, you must have some privilege on an object to see information about it.

3. What did you see instead (Required)

4. What is your TiDB version? (Required)

SunRunAway added the type/bug and security labels on Jul 8, 2021
@SunRunAway

mysql> select current_user();
+----------------+
| current_user() |
+----------------+
| USAGE_USER@%   |
+----------------+
1 row in set (0.01 sec)

mysql> show grants for USAGE_USER;
+----------------------------------------+
| Grants for USAGE_USER@%                |
+----------------------------------------+
| GRANT USAGE ON *.* TO 'USAGE_USER'@'%' |
+----------------------------------------+
1 row in set (0.00 sec)

mysql> select * from information_schema.USER_PRIVILEGES limit 5;
+------------------+---------------+----------------+--------------+
| GRANTEE          | TABLE_CATALOG | PRIVILEGE_TYPE | IS_GRANTABLE |
+------------------+---------------+----------------+--------------+
| 'USAGE_USER'@'%' | def           | USAGE          | NO           |
| 'cloudAdmin'@'%' | def           | Process        | NO           |
| 'cloudAdmin'@'%' | def           | SHUTDOWN       | NO           |
| 'cloudAdmin'@'%' | def           | RELOAD         | NO           |
| 'root'@'%'       | def           | Select         | YES          |
+------------------+---------------+----------------+--------------+
5 rows in set (0.00 sec)
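
An added example, not part of the issue thread or TiDB's code: a Python check that takes mysql-client output like the transcripts above and reports rows a USAGE-only session was shown. The policy it encodes (such a session sees no CLUSTER_CONFIG rows and only its own USER_PRIVILEGES rows) is an assumption based on the MySQL documentation quoted in the issue; the function names are hypothetical.

```python
import re

def parse_mysql_table(text):
    """Parse mysql-client ASCII table output into a list of dict rows."""
    rows = [[c.strip() for c in line.strip().strip("|").split("|")]
            for line in text.splitlines() if line.lstrip().startswith("|")]
    return [dict(zip(rows[0], r)) for r in rows[1:]] if rows else []

def privileges_from_grants(grants_out):
    """Privilege names held, taken from SHOW GRANTS output."""
    privs = set()
    for row in parse_mysql_table(grants_out):
        stmt = next(iter(row.values()))
        m = re.match(r"GRANT\s+(.+?)\s+ON\s", stmt, re.IGNORECASE)
        if m:
            privs.update(p.strip().upper() for p in m.group(1).split(","))
        else:
            privs.add(stmt)  # unparsed (e.g. a role grant): treat as a privilege
    return privs

def unexpected_rows(current_user, grants_out, table_out, owner_col=None):
    """Rows a USAGE-only session should not have been shown (assumed policy)."""
    if privileges_from_grants(grants_out) - {"USAGE"}:
        return []  # account holds real privileges; this check does not apply
    rows = parse_mysql_table(table_out)
    if owner_col is None:  # table has no per-account rows: any row counts
        return rows
    me = current_user.replace("'", "")
    return [r for r in rows if r[owner_col].replace("'", "") != me]

# Sample input trimmed from the transcripts in this issue.
GRANTS = """
| Grants for USAGE_USER@%                |
| GRANT USAGE ON *.* TO 'USAGE_USER'@'%' |
"""
USER_PRIVILEGES = """
| GRANTEE          | TABLE_CATALOG | PRIVILEGE_TYPE | IS_GRANTABLE |
| 'USAGE_USER'@'%' | def           | USAGE          | NO           |
| 'cloudAdmin'@'%' | def           | Process        | NO           |
| 'root'@'%'       | def           | Select         | YES          |
"""
CLUSTER_CONFIG = """
| TYPE | INSTANCE            | KEY               | VALUE          |
| tidb | 192.168.189.37:4000 | advertise-address | 192.168.189.37 |
"""

if __name__ == "__main__":
    print(unexpected_rows("USAGE_USER@%", GRANTS, USER_PRIVILEGES, "GRANTEE"))
    print(unexpected_rows("USAGE_USER@%", GRANTS, CLUSTER_CONFIG))
```
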

morgo self-assigned this on Jul 8, 2021

morgo commented Jul 8, 2021

@SunRunAway I'm going to fork the information_schema.USER_PRIVILEGES to a separate bug report. I have a PR ready for it.

@ti-srebot

Please edit this comment or add a new comment to complete the following information

Not a bug

  1. Remove the 'type/bug' label
  2. Add notes to indicate why it is not a bug

Duplicate bug

  1. Add the 'type/duplicate' label
  2. Add the link to the original bug

Bug

Note: Make Sure that 'component', and 'severity' labels are added
Example for how to fill out the template: #20100

1. Root Cause Analysis (RCA) (optional)

2. Symptom (optional)

3. All Trigger Conditions (optional)

4. Workaround (optional)

5. Affected versions

6. Fixed versions
