test: fix user without process privilege can access cluster_tidb_trx #26255

Closed
wants to merge 4 commits into from

AilinKid
Contributor

What problem does this PR solve?

Issue Number: close #26127

What is changed and how it works?

*: What's Changed: add the privilege check when reading the memory table

Check List

Tests

  • Unit test
  • Integration test
  • Manual test (add detailed scripts or steps below)

Documentation

  • Affects user behaviors
  • Contains syntax changes
  • Contains variable changes
  • Contains experimental features
  • Changes MySQL compatibility

Release note

  • test: fix user without process privilege can access cluster_tidb_trx

@ti-chi-bot
Member

[REVIEW NOTIFICATION]

This pull request has not been approved.

To complete the pull request process, please ask the reviewers in the list to review by filling /cc @reviewer in the comment.
After your PR has acquired the required number of LGTMs, you can assign this pull request to the committer in the list by filling /assign @committer in the comment to help you merge this pull request.

The full list of commands accepted by this bot can be found here.

Reviewer can indicate their review by submitting an approval review.
Reviewer can cancel approval by submitting a request changes review.

@ti-chi-bot ti-chi-bot added the size/M Denotes a PR that changes 30-99 lines, ignoring generated files. label Jul 14, 2021
@AilinKid AilinKid requested review from mjonss and djshow832 July 14, 2021 16:45
@github-actions github-actions bot added sig/execution SIG execution sig/sql-infra SIG: SQL Infra labels Jul 14, 2021
Contributor

@mjonss mjonss left a comment

I think you also fixed:
CLUSTER_SYSTEMINFO, CLUSTER_HARDWARE and CLUSTER_LOAD, or is that just from a previous patch?

Review threads on infoschema/tables_test.go: 4 resolved (2 marked outdated).
@youjiali1995 youjiali1995 requested a review from MyonKeminta July 15, 2021 02:35
@MyonKeminta
Contributor

In our design, TIDB_TRX and CLUSTER_TIDB_TRX show all information to users with the PROCESS privilege, but they only show transactions executed by the current user if the user doesn't have the PROCESS privilege. Is this design improper, or did you misunderstand its behavior?

@AilinKid
Contributor Author

AilinKid commented Jul 16, 2021

> In our design, TIDB_TRX and CLUSTER_TIDB_TRX show all information to users with the PROCESS privilege, but they only show transactions executed by the current user if the user doesn't have the PROCESS privilege. Is this design improper, or did you misunderstand its behavior?

Misunderstood before. Maybe the designer sees a user without the PROCESS privilege getting access to this even though it gets an empty result set.

@AilinKid AilinKid closed this Jul 16, 2021
@MyonKeminta
Contributor

This actually referenced the processlist table:

> If you have the PROCESS privilege, you can see all threads, even those belonging to other users. Otherwise (without the PROCESS privilege), nonanonymous users have access to information about their own threads but not threads for other users, and anonymous users have no access to thread information.

It's a problem that this behavior seems to lack test coverage. cc @longfangsong
And I just noticed that the privilege requirements for the system tables are not well explained in our documentation.
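
The row-visibility rule discussed in this thread, as an added Go sketch that is not part of this PR or of TiDB's code. `TrxRow`, `Session` and `VisibleTrx` are hypothetical names, and the rows are constructed sample data.

```go
package main

import "fmt"

// TrxRow is a constructed stand-in for one row of TIDB_TRX / CLUSTER_TIDB_TRX.
type TrxRow struct {
	ID   uint64
	User string // account that started the transaction ("" if unknown)
}

// Session is a hypothetical description of the querying session.
type Session struct {
	User       string // "" models an anonymous user
	HasProcess bool   // true when the PROCESS privilege is granted
}

// VisibleTrx applies the processlist-style rule quoted in the thread:
// PROCESS sees every row, a named user without PROCESS sees only their own
// rows, and an anonymous user without PROCESS sees nothing.
func VisibleTrx(s Session, rows []TrxRow) []TrxRow {
	if s.HasProcess {
		return append([]TrxRow(nil), rows...) // copy so callers cannot alias the source
	}
	out := []TrxRow{}
	if s.User == "" {
		// Checked before the comparison below: otherwise an anonymous
		// session would match rows whose owner is recorded as "".
		return out
	}
	for _, r := range rows {
		if r.User == s.User {
			out = append(out, r)
		}
	}
	return out
}

func main() {
	rows := []TrxRow{{1, "alice"}, {2, "bob"}, {3, "alice"}, {4, ""}} // constructed
	sessions := []Session{{"root", true}, {"alice", false}, {"carol", false}, {"", false}}
	for _, s := range sessions {
		fmt.Printf("user=%q process=%v -> %d rows\n", s.User, s.HasProcess, len(VisibleTrx(s, rows)))
	}
}
```

The query succeeds in every case; a user without PROCESS gets a filtered (possibly empty) result set rather than a privilege error, which is the behavior that prompted the original issue.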

Successfully merging this pull request may close these issues.

Users without process privilege should be unable to query CLUSTER_TIDB_TRX