privilege checker doesn't support wildcard database permissions #7645
Comments
The problem is that A naive, insecure and incomplete fix would be the patch below. But this should give some information about where the problem is. This replaces the diff --git a/dm/pkg/checker/privilege.go b/dm/pkg/checker/privilege.go
index ea97d3d84..04e5e1766 100644
--- a/dm/pkg/checker/privilege.go
+++ b/dm/pkg/checker/privilege.go
@@ -17,6 +17,7 @@ import (
"context"
"database/sql"
"fmt"
+ "regexp"
"strings"
"github.com/pingcap/errors"
@@ -305,9 +306,15 @@ func VerifyPrivileges(
if !ok || privs.needGlobal {
continue
}
- if _, ok := privs.dbs[dbName]; !ok {
+ dbNameRegex, err := regexp.Compile(strings.ReplaceAll(dbName, "%", ".*"))
+ if err != nil {
continue
}
+ for db := range privs.dbs {
+ if dbNameRegex.MatchString(db) {
+ delete(privs.dbs, db)
+ }
+ }
// dumpling could report error if an allow-list table is lack of privilege.
// we only check that SELECT is granted on all columns, otherwise we can't SHOW CREATE TABLE
if privElem.Priv == mysql.SelectPriv && len(privElem.Cols) != 0 { |
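Review bot: In the second hunk, `regexp.Compile(strings.ReplaceAll(dbName, "%", ".*"))` treats the grant's database name as a regular expression without escaping or anchoring it, so the check can pass for databases the grant does not cover. Any regex metacharacter in the name is interpreted, and `MatchString` succeeds on a substring match, so the literal parts need `regexp.QuoteMeta` and the result needs `^`/`$` around it. MySQL's single-character `_` wildcard and the backslash-escaped `\%` / `\_` forms in database-level grants also need handling. Two further points in the same hunk: a compile error is swallowed by `continue` with no log or check result, and after the `for db := range privs.dbs` loop the code falls through to the SELECT column check even when no database matched, where the removed lines would have continued. Consider a small LIKE-style matcher instead of building a regex, and track whether any entry matched before proceeding.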
Can you paste the link that how TiDB handles |
@lance6716: GitHub didn't allow me to assign the following users: liumengya94. Note that only pingcap members with read permissions, repo collaborators and people who have commented on this issue/PR can be assigned. Additionally, issues/PRs can only have 10 assignees at the same time. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
What did you do?
Task:
Source DB privileges:
check-task output:
What did you expect to see?
Permission check to succeed.
What did you see instead?
Versions of the cluster
DM version (run dmctl -V or dm-worker -V or dm-master -V): v6.5.0 master at 9d60d064ef5e681867a60c95cdb2b99c10c0c67c
Upstream MySQL/MariaDB server version: 8.0.31
Downstream TiDB cluster version (execute SELECT tidb_version(); in a MySQL client): v6.1.2
How did you deploy DM: tiup or manually? local binary
current status of DM cluster (execute query-status <task-name> in dmctl) (paste current status of DM cluster here)