1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
|
# suite/funcs_1/t/is_column_privileges.test
#
# Check the layout of information_schema.column_privileges and the impact of
# CREATE/ALTER/DROP TABLE/VIEW/SCHEMA ... on it.
#
# Note:
# This test is not intended
# - to show information about the all time existing tables
# within the databases information_schema and mysql
# - for checking storage engine properties
# Therefore please do not alter $engine_type and $other_engine_type.
#
# Author:
# 2008-01-23 mleich WL#4203 Reorganize and fix the data dictionary tests of
# testsuite funcs_1
# Create this script based on older scripts and new code.
#
# --source suite/funcs_1/datadict/datadict.pre
let $engine_type = MEMORY;
let $other_engine_type = MyISAM;
let $is_table = COLUMN_PRIVILEGES;
# The table INFORMATION_SCHEMA.COLUMN_PRIVILEGES must exist
eval SHOW TABLES FROM information_schema LIKE '$is_table';
--echo #######################################################################
--echo # Testcase 3.2.1.1: INFORMATION_SCHEMA tables can be queried via SELECT
--echo #######################################################################
# Ensure that every INFORMATION_SCHEMA table can be queried with a SELECT
# statement, just as if it were an ordinary user-defined table.
#
--source suite/funcs_1/datadict/is_table_query.inc
--echo #########################################################################
--echo # Testcase 3.2.5.1: INFORMATION_SCHEMA.COLUMN_PRIVILEGES layout
--echo #########################################################################
# Ensure that the INFORMATION_SCHEMA.COLUMN_PRIVILEGES table has the following
# columns, in the following order:
#
# GRANTEE (shows the name of a user who has either granted,
# or been granted a column privilege),
# TABLE_CATALOG (always shows NULL),
# TABLE_SCHEMA (shows the name of the schema, or database, in which the table
# for which a column privilege has been granted resides),
# TABLE_NAME (shows the name of the table),
# COLUMN_NAME (shows the name of the column on which a column privilege has
# been granted),
# PRIVILEGE_TYPE (shows the type of privilege that was granted; must be either
# SELECT, INSERT, UPDATE, or REFERENCES),
# IS_GRANTABLE (shows whether that privilege was granted WITH GRANT OPTION).
#
--source suite/funcs_1/datadict/datadict_bug_12777.inc
eval DESCRIBE information_schema.$is_table;
--source suite/funcs_1/datadict/datadict_bug_12777.inc
eval SHOW CREATE TABLE information_schema.$is_table;
--source suite/funcs_1/datadict/datadict_bug_12777.inc
eval SHOW COLUMNS FROM information_schema.$is_table;
# Note: Retrieval of information within information_schema.columns
# about information_schema.column_privileges is in is_columns_is.test.
# Show that TABLE_CATALOG is always NULL.
SELECT table_catalog, table_schema, table_name, column_name, privilege_type
FROM information_schema.column_privileges WHERE table_catalog IS NOT NULL;
--echo ######################################################################
--echo # Testcase 3.2.5.2+3.2.5.3+3.2.5.4:
--echo # INFORMATION_SCHEMA.COLUMN_PRIVILEGES accessible information
--echo ######################################################################
# 3.2.5.2: Ensure that the table shows the relevant information on every
# column privilege which has been granted to the current user or
# PUBLIC, or which was granted by the current user.
# 3.2.5.3: Ensure that the table does not show any information on any column
# privilege which was granted to any user other than the current user
# or PUBLIC, or which was granted by any user other than
# the current user.
# 3.2.5.4: Ensure that the table does not show any information on any
# privileges that are not column privileges for the current user.
#
# Note: Check of content within information_schema.column_privileges about the
# databases information_schema, mysql and test is in
# is_column_privileges_is_mysql_test.test
#
--disable_warnings
DROP DATABASE IF EXISTS db_datadict;
--enable_warnings
CREATE DATABASE db_datadict;
--replace_result $other_engine_type <other_engine_type>
eval
CREATE TABLE db_datadict.t1 (f1 INT, f2 DECIMAL, f3 TEXT)
ENGINE = $other_engine_type;
USE db_datadict;
--error 0,ER_CANNOT_USER
DROP USER 'testuser1'@'localhost';
CREATE USER 'testuser1'@'localhost';
--error 0,ER_CANNOT_USER
DROP USER 'testuser2'@'localhost';
CREATE USER 'testuser2'@'localhost';
--error 0,ER_CANNOT_USER
DROP USER 'testuser3'@'localhost';
CREATE USER 'testuser3'@'localhost';
GRANT SELECT(f1, f3) ON db_datadict.t1 TO 'testuser1'@'localhost';
GRANT INSERT(f1) ON db_datadict.t1 TO 'testuser1'@'localhost';
GRANT UPDATE(f2) ON db_datadict.t1 TO 'testuser1'@'localhost';
GRANT SELECT(f2) ON db_datadict.t1 TO 'testuser2'@'localhost';
GRANT INSERT, SELECT ON db_datadict.t1 TO 'testuser3'@'localhost';
GRANT SELECT(f3) ON db_datadict.t1 TO 'testuser3'@'localhost';
GRANT INSERT, SELECT ON db_datadict.t1 TO 'testuser3'@'localhost'
WITH GRANT OPTION;
GRANT ALL ON db_datadict.* TO 'testuser3'@'localhost';
let $select= SELECT * FROM information_schema.column_privileges
WHERE grantee LIKE '''testuser%'''
ORDER BY grantee, table_schema,table_name,column_name,privilege_type;
eval $select;
# Note: WITH GRANT OPTION applies to all privileges on this table
# and not to the columns mentioned only.
GRANT UPDATE(f3) ON db_datadict.t1 TO 'testuser1'@'localhost'
WITH GRANT OPTION;
eval $select;
--echo # Establish connection testuser1 (user=testuser1)
--replace_result $MASTER_MYPORT MYSQL_PORT $MASTER_MYSOCK MYSQL_SOCK
connect (testuser1, localhost, testuser1, , db_datadict);
eval $select;
--echo # Establish connection testuser2 (user=testuser2)
--replace_result $MASTER_MYPORT MYSQL_PORT $MASTER_MYSOCK MYSQL_SOCK
connect (testuser2, localhost, testuser2, , db_datadict);
eval $select;
--echo # Establish connection testuser3 (user=testuser3)
--replace_result $MASTER_MYPORT MYSQL_PORT $MASTER_MYSOCK MYSQL_SOCK
connect (testuser3, localhost, testuser3, , db_datadict);
--echo # FIXME: Is it correct that granted TABLES do not occur in COLUMN_PRIVILEGES?
SELECT * FROM information_schema.table_privileges
WHERE grantee LIKE '''testuser%'''
ORDER BY grantee,table_schema,table_name,privilege_type;
SELECT * FROM information_schema.schema_privileges
WHERE grantee LIKE '''testuser%'''
ORDER BY grantee,table_schema,privilege_type;
eval $select;
GRANT SELECT(f1, f3) ON db_datadict.t1 TO 'testuser2'@'localhost';
--echo # FIXME: Is it intended that *my* grants to others are *NOT* shown here?
eval $select;
--echo # Switch to connection testuser2 (user=testuser2)
connection testuser2;
eval $select;
# Cleanup
--echo # Switch to connection default and close connections testuser1,testuser2,testuser3
connection default;
disconnect testuser1;
disconnect testuser2;
disconnect testuser3;
DROP DATABASE db_datadict;
DROP USER 'testuser1'@'localhost';
DROP USER 'testuser2'@'localhost';
DROP USER 'testuser3'@'localhost';
--echo ################################################################################
--echo # 3.2.1.13+3.2.1.14+3.2.1.15: INFORMATION_SCHEMA.COLUMN_PRIVILEGES modifications
--echo ################################################################################
# 3.2.1.13: Ensure that the creation of any new database object (e.g. table or
# column) automatically inserts all relevant information on that
# object into every appropriate INFORMATION_SCHEMA table.
# 3.2.1.14: Ensure that the alteration of any existing database object
# automatically updates all relevant information on that object in
# every appropriate INFORMATION_SCHEMA table.
# 3.2.1.15: Ensure that the dropping of any existing database object
# automatically deletes all relevant information on that object from
# every appropriate INFORMATION_SCHEMA table.
#
# Note (mleich):
# The MySQL privilege system allows to GRANT objects before they exist.
# (Exception: Grant privileges for columns of not existing tables/views.)
# There is also no migration of privileges if objects (tables, views, columns)
# are moved to other databases (tables only), renamed or dropped.
#
--disable_warnings
DROP DATABASE IF EXISTS db_datadict;
--enable_warnings
CREATE DATABASE db_datadict;
--replace_result $engine_type <engine_type>
eval
CREATE TABLE db_datadict.my_table (f1 BIGINT, f2 CHAR(10), f3 DATE)
ENGINE = $engine_type;
--error 0,ER_CANNOT_USER
DROP USER 'testuser1'@'localhost';
CREATE USER 'testuser1'@'localhost';
GRANT ALL ON test.* TO 'testuser1'@'localhost';
let $my_select = SELECT * FROM information_schema.column_privileges
WHERE table_name = 'my_table'
ORDER BY grantee, table_schema,table_name,column_name,privilege_type;
let $my_show = SHOW GRANTS FOR 'testuser1'@'localhost';
eval $my_select;
eval $my_show;
--echo # Establish connection testuser1 (user=testuser1)
--replace_result $MASTER_MYPORT MYSQL_PORT $MASTER_MYSOCK MYSQL_SOCK
connect (testuser1, localhost, testuser1, , test);
eval $my_select;
eval $my_show;
--echo # Switch to connection default
connection default;
GRANT SELECT (f1,f3) ON db_datadict.my_table TO 'testuser1'@'localhost';
eval $my_select;
eval $my_show;
--echo # Switch to connection testuser1
connection testuser1;
eval $my_select;
eval $my_show;
--echo # Switch to connection default
connection default;
ALTER TABLE db_datadict.my_table DROP COLUMN f3;
GRANT UPDATE (f1) ON db_datadict.my_table TO 'testuser1'@'localhost';
eval $my_select;
eval $my_show;
--echo # Switch to connection testuser1
connection testuser1;
eval $my_select;
eval $my_show;
--error ER_BAD_FIELD_ERROR
SELECT f1, f3 FROM db_datadict.my_table;
--echo # Switch to connection default
connection default;
ALTER TABLE db_datadict.my_table CHANGE COLUMN f1 my_col BIGINT;
eval $my_select;
eval $my_show;
--echo # Switch to connection testuser1
connection testuser1;
eval $my_select;
eval $my_show;
--echo # Switch to connection default
connection default;
DROP TABLE db_datadict.my_table;
eval $my_select;
eval $my_show;
--echo # Switch to connection testuser1
connection testuser1;
eval $my_select;
eval $my_show;
--echo # Switch to connection default
connection default;
REVOKE ALL ON db_datadict.my_table FROM 'testuser1'@'localhost';
eval $my_select;
eval $my_show;
--echo # Switch to connection testuser1
connection testuser1;
eval $my_select;
eval $my_show;
--echo # Switch to connection default and close connection testuser1
connection default;
disconnect testuser1;
DROP USER 'testuser1'@'localhost';
DROP DATABASE db_datadict;
--echo ########################################################################
--echo # Testcases 3.2.1.3-3.2.1.5 + 3.2.1.8-3.2.1.12: INSERT/UPDATE/DELETE and
--echo # DDL on INFORMATION_SCHEMA table are not supported
--echo ########################################################################
# 3.2.1.3: Ensure that no user may execute an INSERT statement on any
# INFORMATION_SCHEMA table.
# 3.2.1.4: Ensure that no user may execute an UPDATE statement on any
# INFORMATION_SCHEMA table.
# 3.2.1.5: Ensure that no user may execute a DELETE statement on any
# INFORMATION_SCHEMA table.
# 3.2.1.8: Ensure that no user may create an index on an
# INFORMATION_SCHEMA table.
# 3.2.1.9: Ensure that no user may alter the definition of an
# INFORMATION_SCHEMA table.
# 3.2.1.10: Ensure that no user may drop an INFORMATION_SCHEMA table.
# 3.2.1.11: Ensure that no user may move an INFORMATION_SCHEMA table to any
# other database.
# 3.2.1.12: Ensure that no user may directly add to, alter, or delete any data
# in an INFORMATION_SCHEMA table.
#
--disable_warnings
DROP DATABASE IF EXISTS db_datadict;
--enable_warnings
CREATE DATABASE db_datadict;
--replace_result $engine_type <engine_type>
eval
CREATE TABLE db_datadict.t1 (f1 BIGINT, f2 BIGINT)
ENGINE = $engine_type;
--error 0,ER_CANNOT_USER
DROP USER 'testuser1'@'localhost';
CREATE USER 'testuser1'@'localhost';
GRANT SELECT (f1) ON db_datadict.t1 TO 'testuser1'@'localhost';
--error ER_DBACCESS_DENIED_ERROR
INSERT INTO information_schema.column_privileges
SELECT * FROM information_schema.column_privileges;
--error ER_DBACCESS_DENIED_ERROR
UPDATE information_schema.column_privileges SET table_schema = 'test'
WHERE table_name = 't1';
--error ER_DBACCESS_DENIED_ERROR
DELETE FROM information_schema.column_privileges WHERE table_name = 't1';
--error ER_DBACCESS_DENIED_ERROR
TRUNCATE information_schema.column_privileges;
--error ER_DBACCESS_DENIED_ERROR
CREATE INDEX my_idx_on_tables
ON information_schema.column_privileges(table_schema);
--error ER_DBACCESS_DENIED_ERROR
ALTER TABLE information_schema.column_privileges ADD f1 INT;
--error ER_DBACCESS_DENIED_ERROR
DROP TABLE information_schema.column_privileges;
--error ER_DBACCESS_DENIED_ERROR
ALTER TABLE information_schema.column_privileges
RENAME db_datadict.column_privileges;
--error ER_DBACCESS_DENIED_ERROR
ALTER TABLE information_schema.column_privileges
RENAME information_schema.xcolumn_privileges;
# Cleanup
DROP DATABASE db_datadict;
DROP USER 'testuser1'@'localhost';
|