Skip to content

MDEV-35743 Role-granted routine privileges lost after FLUSH PRIVILEGES #5306

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
vaintroub wants to merge 1 commit into
base: 10.11
Choose a base branch
from
+68 −2
Open

MDEV-35743 Role-granted routine privileges lost after FLUSH PRIVILEGES #5306

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
29 changes: 29 additions & 0 deletions mysql-test/suite/roles/MDEV-35743.result
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,29 @@
create user supervisor;
create role r_admin;
create role r_limit_mod;
create role r_limit_view;
grant r_limit_mod to r_admin with admin option;
grant r_limit_view to r_admin with admin option;
grant r_limit_view to r_limit_mod;
create or replace function g1(p int) returns int return p+1;
grant execute on function g1 to r_limit_mod;
grant r_admin to supervisor with admin option;
set default role r_admin for supervisor;
connect con, localhost, supervisor;
select g1(1);
g1(1)
2
disconnect con;
connection default;
flush privileges;
connect con, localhost, supervisor;
select g1(2);
g1(2)
3
disconnect con;
connection default;
drop function g1;
drop role r_limit_view;
drop role r_limit_mod;
drop role r_admin;
drop user supervisor;
34 changes: 34 additions & 0 deletions mysql-test/suite/roles/MDEV-35743.test
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,34 @@
# MDEV-35743: FLUSH PRIVILEGES breaks role-based function execution grants
create user supervisor;

create role r_admin;
create role r_limit_mod;
create role r_limit_view;

grant r_limit_mod to r_admin with admin option;
grant r_limit_view to r_admin with admin option;
grant r_limit_view to r_limit_mod;

create or replace function g1(p int) returns int return p+1;

grant execute on function g1 to r_limit_mod;
grant r_admin to supervisor with admin option;
set default role r_admin for supervisor;

--connect con, localhost, supervisor
select g1(1);
--disconnect con
--connection default
Comment on lines +18 to +21

@gemini-code-assist gemini-code-assist Bot Jun 30, 2026

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

high

There is a mismatch between the .test file and the .result file. The .test file uses the -- prefix for connect, disconnect, and connection commands, which prevents them from being logged to the result file. However, the .result file expects these commands to be logged (without the -- prefix). This mismatch will cause the test suite to fail. Please remove the -- prefix and add semicolons to match the .result file.

connect con, localhost, supervisor;
select g1(1);
disconnect con;
connection default;

flush privileges;

--connect con, localhost, supervisor
select g1(2);
--disconnect con
--connection default
Comment on lines +24 to +27

@gemini-code-assist gemini-code-assist Bot Jun 30, 2026

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

high

Similarly to the previous connection block, there is a mismatch here between the .test file and the .result file due to the -- prefix on connect, disconnect, and connection commands. Please remove the -- prefix and add semicolons to ensure the test passes successfully.

connect con, localhost, supervisor;
select g1(2);
disconnect con;
connection default;


# Cleanup
drop function g1;
drop role r_limit_view;
drop role r_limit_mod;
drop role r_admin;
drop user supervisor;
7 changes: 5 additions & 2 deletions sql/sql_acl.cc
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -6359,6 +6359,7 @@ struct PRIVS_TO_MERGE
ALL, GLOBAL, DB, TABLE_COLUMN, PROC, FUNC, PACKAGE_SPEC, PACKAGE_BODY
} what;
const char *db, *name;
bool rebuild_all; // full rebuild (acl_load/FLUSH): merge all roles, no shortcut
};


Expand Down Expand Up @@ -6413,7 +6414,7 @@ static void propagate_role_grants(ACL_ROLE *role,
return;

mysql_mutex_assert_owner(&acl_cache->lock);
PRIVS_TO_MERGE data= { what, db, name };
PRIVS_TO_MERGE data= { what, db, name, false };

/*
Before updating grants to roles that inherit from this role, ensure that
Expand Down Expand Up @@ -7222,6 +7223,8 @@ static int merge_role_privileges(ACL_USER_BASE *,
changed|= merge_role_routine_grant_privileges(grantee,
data->db, data->name, &role_hash,
&package_body_priv_hash);
if (data->rebuild_all)
return 0; // full rebuild: always descend so every counter reaches zero
return !changed; // don't recurse into the subgraph if privs didn't change
}

Expand Down Expand Up @@ -8295,7 +8298,7 @@ static my_bool propagate_role_grants_action(void *role_ptr,
return 0;

mysql_mutex_assert_owner(&acl_cache->lock);
PRIVS_TO_MERGE data= { PRIVS_TO_MERGE::ALL, 0, 0 };
PRIVS_TO_MERGE data= { PRIVS_TO_MERGE::ALL, 0, 0, true };
traverse_role_graph_up(role, &data, NULL, merge_role_privileges);
return 0;
}
Expand Down