MDEV-14443 DENY statement

Implements DENY/REVOKE DENY and associated tasks.

Author: vaintroub

libmysqld/lib_sql.cc

@@ -787,7 +787,7 @@ int check_embedded_connection(MYSQL *mysql, const char *db)
   strmake_buf(sctx->priv_user, mysql->user);
   sctx->user= my_strdup(PSI_NOT_INSTRUMENTED, mysql->user, MYF(0));
   sctx->proxy_user[0]= 0;
-  sctx->master_access= GLOBAL_ACLS;       // Full rights
+  sctx->master_access= access_t(GLOBAL_ACLS);       // Full rights
   emb_transfer_connect_attrs(mysql);
 
   /* Change database if necessary */

mysql-test/main/deny_admin.result

@@ -0,0 +1,71 @@
+#
+# Test DENY for global administrative privileges
+#
+CREATE USER user1@localhost;
+CREATE USER user2@localhost;
+# Test RELOAD privilege
+GRANT ALL PRIVILEGES ON *.* TO user1@localhost;
+DENY RELOAD ON *.* TO user1@localhost;
+connect  con1, localhost, user1,,;
+FLUSH TABLES;
+ERROR 42000: Access denied; you need (at least one of) the RELOAD privilege(s) for this operation
+FLUSH LOGS;
+ERROR 42000: Access denied; you need (at least one of) the RELOAD privilege(s) for this operation
+connection default;
+disconnect con1;
+# Test SHUTDOWN privilege
+GRANT ALL PRIVILEGES ON *.* TO user1@localhost;
+DENY SHUTDOWN ON *.* TO user1@localhost;
+connect  con1, localhost, user1,,;
+SHUTDOWN;
+ERROR 42000: Access denied; you need (at least one of) the SHUTDOWN privilege(s) for this operation
+connection default;
+disconnect con1;
+# Test PROCESS privilege
+GRANT ALL PRIVILEGES ON *.* TO user1@localhost;
+DENY PROCESS ON *.* TO user1@localhost;
+connect  con1, localhost, user1,,;
+SELECT COUNT(*) FROM INFORMATION_SCHEMA.PROCESSLIST WHERE USER <> 'user1';
+COUNT(*)
+0
+connection default;
+disconnect con1;
+# Test FILE privilege
+GRANT ALL PRIVILEGES ON *.* TO user1@localhost;
+DENY FILE ON *.* TO user1@localhost;
+connect  con1, localhost, user1,,;
+SELECT 'test' INTO OUTFILE '/tmp/test.txt';
+ERROR 28000: Access denied for user 'user1'@'localhost' (using password: NO)
+connection default;
+disconnect con1;
+# Test combination of DENY on multiple global privileges
+GRANT ALL PRIVILEGES ON *.* TO user2@localhost;
+DENY RELOAD, SHUTDOWN ON *.* TO user2@localhost;
+connect  con2, localhost, user2,,;
+FLUSH TABLES;
+ERROR 42000: Access denied; you need (at least one of) the RELOAD privilege(s) for this operation
+SHUTDOWN;
+ERROR 42000: Access denied; you need (at least one of) the SHUTDOWN privilege(s) for this operation
+connection default;
+disconnect con2;
+# Cleanup
+DROP USER user1@localhost;
+DROP USER user2@localhost;
+#
+# Test CONNECTION ADMIN privilege behaviors with DENY
+#
+CREATE USER user_super@localhost;
+GRANT ALL PRIVILEGES ON *.* TO user_super@localhost;
+DENY CONNECTION ADMIN ON *.* TO user_super@localhost;
+connect  con_super, localhost, user_super,,;
+# Should not be able to kill other connections
+connection default;
+connection con_super;
+KILL ID;
+ERROR HY000: You are not owner of thread ID
+# Should not be able to set global variables
+SET GLOBAL max_connections = 200;
+ERROR 42000: Access denied; you need (at least one of) the CONNECTION ADMIN privilege(s) for this operation
+connection default;
+disconnect con_super;
+DROP USER user_super@localhost;

mysql-test/main/deny_admin.test

@@ -0,0 +1,108 @@
+--source include/not_embedded.inc
+
+--echo #
+--echo # Test DENY for global administrative privileges
+--echo #
+
+CREATE USER user1@localhost;
+CREATE USER user2@localhost;
+
+--echo # Test RELOAD privilege
+GRANT ALL PRIVILEGES ON *.* TO user1@localhost;
+DENY RELOAD ON *.* TO user1@localhost;
+
+connect (con1, localhost, user1,,);
+--error ER_SPECIFIC_ACCESS_DENIED_ERROR
+FLUSH TABLES;
+
+--error ER_SPECIFIC_ACCESS_DENIED_ERROR
+FLUSH LOGS;
+
+connection default;
+disconnect con1;
+
+--echo # Test SHUTDOWN privilege
+GRANT ALL PRIVILEGES ON *.* TO user1@localhost;
+DENY SHUTDOWN ON *.* TO user1@localhost;
+
+connect (con1, localhost, user1,,);
+--error ER_SPECIFIC_ACCESS_DENIED_ERROR
+SHUTDOWN;
+
+connection default;
+disconnect con1;
+
+--echo # Test PROCESS privilege
+GRANT ALL PRIVILEGES ON *.* TO user1@localhost;
+DENY PROCESS ON *.* TO user1@localhost;
+
+let $count_sessions= 1;
+--source include/wait_until_count_sessions.inc
+
+connect (con1, localhost, user1,,);
+SELECT COUNT(*) FROM INFORMATION_SCHEMA.PROCESSLIST WHERE USER <> 'user1';
+
+connection default;
+disconnect con1;
+
+
+--echo # Test FILE privilege
+GRANT ALL PRIVILEGES ON *.* TO user1@localhost;
+DENY FILE ON *.* TO user1@localhost;
+
+connect (con1, localhost, user1,,);
+
+--error ER_ACCESS_DENIED_ERROR
+SELECT 'test' INTO OUTFILE '/tmp/test.txt';
+
+connection default;
+disconnect con1;
+
+--echo # Test combination of DENY on multiple global privileges
+GRANT ALL PRIVILEGES ON *.* TO user2@localhost;
+DENY RELOAD, SHUTDOWN ON *.* TO user2@localhost;
+
+connect (con2, localhost, user2,,);
+--error ER_SPECIFIC_ACCESS_DENIED_ERROR
+FLUSH TABLES;
+
+--error ER_SPECIFIC_ACCESS_DENIED_ERROR
+SHUTDOWN;
+
+connection default;
+disconnect con2;
+
+#--echo # Verify SHOW GRANTS displays DENY correctly
+#SHOW GRANTS FOR user1@localhost;
+#SHOW GRANTS FOR user2@localhost;
+
+--echo # Cleanup
+DROP USER user1@localhost;
+DROP USER user2@localhost;
+
+--echo #
+--echo # Test CONNECTION ADMIN privilege behaviors with DENY
+--echo #
+CREATE USER user_super@localhost;
+GRANT ALL PRIVILEGES ON *.* TO user_super@localhost;
+DENY CONNECTION ADMIN ON *.* TO user_super@localhost;
+
+connect (con_super, localhost, user_super,,);
+
+--echo # Should not be able to kill other connections
+connection default;
+let $default_id = `SELECT CONNECTION_ID()`;
+
+connection con_super;
+--replace_result $default_id ID
+--error ER_KILL_DENIED_ERROR
+eval KILL $default_id;
+
+--echo # Should not be able to set global variables
+--error ER_SPECIFIC_ACCESS_DENIED_ERROR
+SET GLOBAL max_connections = 200;
+
+
+connection default;
+disconnect con_super;
+DROP USER user_super@localhost;

mysql-test/main/deny_column.result

@@ -0,0 +1,145 @@
+#
+# Column-level DENY privilege test
+#
+CREATE DATABASE deny_col_db;
+CREATE TABLE deny_col_db.sensitive_data (
+id INT,
+public_info VARCHAR(50),
+salary DECIMAL(10,2),
+ssn VARCHAR(11),
+address VARCHAR(100)
+);
+INSERT INTO deny_col_db.sensitive_data VALUES
+(1, 'John Doe', 75000.00, '123-45-6789', '123 Main St'),
+(2, 'Jane Smith', 85000.00, '987-65-4321', '456 Oak Ave');
+CREATE USER col_user1@localhost;
+CREATE USER col_user2@localhost;
+#
+# Basic column-level DENY
+#
+GRANT SELECT ON deny_col_db.sensitive_data TO col_user1@localhost;
+DENY SELECT (salary, ssn) ON deny_col_db.sensitive_data TO col_user1@localhost;
+connect  con1, localhost, col_user1,,deny_col_db;
+SELECT id, public_info FROM sensitive_data;
+id	public_info
+1	John Doe
+2	Jane Smith
+SELECT salary FROM sensitive_data;
+ERROR 42000: SELECT command denied to user 'col_user1'@'localhost' for column 'salary' in table 'sensitive_data'
+SELECT ssn FROM sensitive_data;
+ERROR 42000: SELECT command denied to user 'col_user1'@'localhost' for column 'ssn' in table 'sensitive_data'
+SELECT * FROM sensitive_data;
+ERROR 42000: SELECT command denied to user 'col_user1'@'localhost' for column 'salary' in table 'sensitive_data'
+SELECT id, salary FROM sensitive_data;
+ERROR 42000: SELECT command denied to user 'col_user1'@'localhost' for column 'salary' in table 'sensitive_data'
+disconnect con1;
+connection default;
+REVOKE SELECT ON deny_col_db.sensitive_data FROM col_user1@localhost;
+REVOKE DENY SELECT (salary, ssn) ON deny_col_db.sensitive_data FROM col_user1@localhost;
+#
+# Column DENY takes precedence over explicit column GRANT
+#
+GRANT SELECT (salary,id,public_info) ON deny_col_db.sensitive_data TO col_user1@localhost;
+DENY SELECT (salary) ON deny_col_db.sensitive_data TO col_user1@localhost;
+connect  con3, localhost, col_user1,,deny_col_db;
+SELECT id, public_info FROM sensitive_data;
+id	public_info
+1	John Doe
+2	Jane Smith
+SELECT salary FROM sensitive_data;
+ERROR 42000: SELECT command denied to user 'col_user1'@'localhost' for column 'salary' in table 'sensitive_data'
+disconnect con3;
+connection default;
+REVOKE SELECT (salary,id,public_info) ON deny_col_db.sensitive_data FROM col_user1@localhost;
+REVOKE DENY SELECT (salary) ON deny_col_db.sensitive_data FROM col_user1@localhost;
+#
+# REVOKE DENY on a column
+#
+GRANT SELECT (salary) ON deny_col_db.sensitive_data TO col_user1@localhost;
+DENY SELECT (salary,ssn) ON deny_col_db.sensitive_data TO col_user1@localhost;
+REVOKE DENY SELECT (salary) ON deny_col_db.sensitive_data FROM col_user1@localhost;
+connect  con4, localhost, col_user1,,deny_col_db;
+SELECT salary FROM sensitive_data;
+salary
+75000.00
+85000.00
+SELECT ssn FROM sensitive_data;
+ERROR 42000: SELECT command denied to user 'col_user1'@'localhost' for column 'ssn' in table 'sensitive_data'
+disconnect con4;
+connection default;
+REVOKE DENY SELECT (ssn) ON deny_col_db.sensitive_data FROM  col_user1@localhost;
+#
+# Multiple column DENYs
+#
+GRANT SELECT ON deny_col_db.sensitive_data TO col_user2@localhost;
+DENY SELECT (salary, ssn, address) ON deny_col_db.sensitive_data TO col_user2@localhost;
+connect  con5, localhost, col_user2,,deny_col_db;
+SELECT id, public_info FROM sensitive_data;
+id	public_info
+1	John Doe
+2	Jane Smith
+SELECT salary FROM sensitive_data;
+ERROR 42000: SELECT command denied to user 'col_user2'@'localhost' for column 'salary' in table 'sensitive_data'
+SELECT address FROM sensitive_data;
+ERROR 42000: SELECT command denied to user 'col_user2'@'localhost' for column 'address' in table 'sensitive_data'
+SELECT * FROM sensitive_data;
+ERROR 42000: SELECT command denied to user 'col_user2'@'localhost' for column 'salary' in table 'sensitive_data'
+disconnect con5;
+connection default;
+REVOKE DENY SELECT (salary, ssn, address) ON deny_col_db.sensitive_data FROM col_user2@localhost;
+REVOKE SELECT ON deny_col_db.sensitive_data FROM col_user2@localhost;
+#
+# Column DENY with INSERT/UPDATE operations
+#
+CREATE TABLE deny_col_db.audit_log (
+id INT AUTO_INCREMENT PRIMARY KEY,
+action VARCHAR(50),
+modified_by VARCHAR(50),
+timestamp TIMESTAMP DEFAULT CURRENT_TIMESTAMP
+);
+GRANT SELECT, INSERT ON deny_col_db.audit_log TO col_user1@localhost;
+DENY INSERT (modified_by) ON deny_col_db.audit_log TO col_user1@localhost;
+connect  con8, localhost, col_user1,,deny_col_db;
+INSERT INTO audit_log (action) VALUES ('test_action');
+INSERT INTO audit_log (action, modified_by) VALUES ('test', 'hacker');
+ERROR 42000: INSERT command denied to user 'col_user1'@'localhost' for column 'modified_by' in table 'audit_log'
+SELECT * FROM audit_log;
+id	action	modified_by	timestamp
+1	test_action	NULL	TIMESTAMP
+disconnect con8;
+connection default;
+#
+# Column DENY with UPDATE
+#
+GRANT UPDATE ON deny_col_db.sensitive_data TO col_user1@localhost;
+DENY UPDATE (salary) ON deny_col_db.sensitive_data TO col_user1@localhost;
+GRANT SELECT(id,public_info) on deny_col_db.sensitive_data TO col_user1@localhost;
+connect  con9, localhost, col_user1,,deny_col_db;
+UPDATE sensitive_data SET public_info = 'Updated' WHERE id = 1;
+UPDATE sensitive_data SET salary = 100000 WHERE id = 1;
+ERROR 42000: UPDATE command denied to user 'col_user1'@'localhost' for column 'salary' in table 'sensitive_data'
+UPDATE sensitive_data SET public_info = 'X', salary = 90000 WHERE id = 2;
+ERROR 42000: UPDATE command denied to user 'col_user1'@'localhost' for column 'salary' in table 'sensitive_data'
+disconnect con9;
+connection default;
+#
+# Column DENY is case-insensitive
+#
+GRANT SELECT ON deny_col_db.sensitive_data TO col_user1@localhost;
+DENY SELECT (SaLaRy) ON deny_col_db.sensitive_data TO col_user1@localhost;
+connect  con10, localhost, col_user1,,deny_col_db;
+SELECT salary FROM sensitive_data;
+ERROR 42000: SELECT command denied to user 'col_user1'@'localhost' for column 'salary' in table 'sensitive_data'
+disconnect con10;
+connection default;
+REVOKE DENY SELECT (SaLaRy) ON deny_col_db.sensitive_data FROM col_user1@localhost;
+REVOKE SELECT ON deny_col_db.sensitive_data FROM col_user1@localhost;
+#
+# Cleanup
+#
+DROP USER col_user1@localhost;
+DROP USER col_user2@localhost;
+DROP DATABASE deny_col_db;
+#
+# End of column-level DENY tests
+#