Root user lack rights to use tidb_mdl_view #53292

Closed
tangenta opened this issue May 15, 2024 · 3 comments · Fixed by #53265
Labels
affects-8.0 affects-8.1 This bug affects the 8.1.x(LTS) versions. component/ddl This issue is related to DDL of TiDB. report/community The community has encountered this bug. severity/major type/bug The issue is confirmed as a bug. type/regression

Comments

@tangenta
Contributor

tangenta commented May 15, 2024

Bug Report

Please answer these questions before submitting your issue. Thanks!

1. Minimal reproduce step (Required)

```
mysql> select * from mysql.tidb_mdl_view;
ERROR 1356 (HY000): View 'mysql.tidb_mdl_view' references invalid table(s) or column(s) or function(s) or definer/invoker of view lack rights to use them
mysql> select host, user, select_priv, process_priv from mysql.user;
+------+------+-------------+--------------+
| host | user | select_priv | process_priv |
+------+------+-------------+--------------+
| %    | root | Y           | Y            |
+------+------+-------------+--------------+
1 row in set (0.00 sec)
```

2. What did you expect to see? (Required)

No error

3. What did you see instead (Required)

ERROR 1356

4. What is your TiDB version? (Required)

4b91fee

@tangenta
Contributor Author

The problem is that the privilege check on system table mysql fails:

```go
if !pm.RequestVerificationWithUser(v.db, v.table, v.column, v.privilege, tableInfo.View.Definer) {
```

When I check the value of tableInfo.View.Definer, it turns out to be ''@'', which is not maintained by the privilege manager. It will absolutely fail the check.

Since tidb_mdl_view is created during cluster initialization, no user is suitable to be View.Definer. So there is nothing wrong with ''@''.

#48728 changed the definition of tidb_mdl_view. Previously, we joined three system tables from information_schema:

```sql
FROM information_schema.ddl_jobs,
    information_schema.cluster_tidb_trx,
    information_schema.cluster_processlist
```

After #48728, they become:

```sql
FROM mysql.tidb_ddl_job,
    mysql.tidb_mdl_info,
    information_schema.cluster_tidb_trx
```

RequestVerificationWithUser() skips all checks related to information_schema:

```go
// Skip check for INFORMATION_SCHEMA database.
// See https://dev.mysql.com/doc/refman/5.7/en/information-schema.html
if strings.EqualFold(db, "INFORMATION_SCHEMA") {
	return true
}
```

When it is changed to mysql, the problem occurs.
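
A simplified Go model of the check described in the comment above, added here as an illustration and not TiDB's code. `privManager`, the lowercase `requestVerificationWithUser` and `checkView` are hypothetical stand-ins, and any account present in the user map is assumed to hold every privilege.

```go
package main

import (
	"fmt"
	"strings"
)

// UserIdentity mirrors the user@host pair recorded as a view's definer.
type UserIdentity struct{ Username, Hostname string }

// privManager is a hypothetical stand-in for the privilege manager: it only
// knows accounts loaded from mysql.user and, for simplicity, grants a known
// account every privilege.
type privManager struct{ users map[UserIdentity]bool }

// requestVerificationWithUser models the behaviour described in the issue:
// INFORMATION_SCHEMA is always allowed, any other database needs a known user.
func (pm *privManager) requestVerificationWithUser(db string, user UserIdentity) bool {
	if strings.EqualFold(db, "INFORMATION_SCHEMA") {
		return true
	}
	return pm.users[user] // the ''@'' definer is never in this map
}

// checkView returns the underlying tables on which the definer is denied.
func checkView(pm *privManager, definer UserIdentity, tables []string) []string {
	var denied []string
	for _, t := range tables {
		db, _, _ := strings.Cut(t, ".")
		if !pm.requestVerificationWithUser(db, definer) {
			denied = append(denied, t)
		}
	}
	return denied
}

// Table lists of tidb_mdl_view before and after #48728, as quoted in the issue.
var (
	before = []string{"information_schema.ddl_jobs", "information_schema.cluster_tidb_trx", "information_schema.cluster_processlist"}
	after  = []string{"mysql.tidb_ddl_job", "mysql.tidb_mdl_info", "information_schema.cluster_tidb_trx"}
)

func main() {
	pm := &privManager{users: map[UserIdentity]bool{{"root", "%"}: true}}
	bootstrap := UserIdentity{} // definer ''@'' set during cluster initialization
	fmt.Println("before #48728, denied:", checkView(pm, bootstrap, before))
	fmt.Println("after  #48728, denied:", checkView(pm, bootstrap, after))
}
```

With the empty definer, the old table list passes entirely through the INFORMATION_SCHEMA shortcut, while the new list is denied on both `mysql` tables even though root itself holds the privileges.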

@kennedy8312

/type regression

@seiya-annie

/found community

@ti-chi-bot ti-chi-bot bot added the report/community The community has encountered this bug. label Jun 13, 2024
@jebter jebter added the component/ddl This issue is related to DDL of TiDB. label Aug 5, 2024