planner, privilege: check user priv on SET GLOBAL (#8837)

* planner, privilege: check user priv on SET GLOBAL
pingcap · Jan 5, 2019 · 081a2c5 · 081a2c5
1 parent cfff965
commit 081a2c5
Show file tree

Hide file tree

Showing 2 changed files with 18 additions and 0 deletions.
diff --git a/planner/core/planbuilder.go b/planner/core/planbuilder.go
@@ -248,6 +248,9 @@ func (b *PlanBuilder) buildDo(v *ast.DoStmt) (Plan, error) {
 func (b *PlanBuilder) buildSet(v *ast.SetStmt) (Plan, error) {
 	p := &Set{}
 	for _, vars := range v.Variables {
+		if vars.IsGlobal {
+			b.visitInfo = appendVisitInfo(b.visitInfo, mysql.SuperPriv, "", "", "", nil)
+		}
 		assign := &expression.VarAssignment{
 			Name:     vars.Name,
 			IsGlobal: vars.IsGlobal,

diff --git a/privilege/privileges/privileges_test.go b/privilege/privileges/privileges_test.go
@@ -326,6 +326,21 @@ func (s *testPrivilegeSuite) TestUseDb(c *C) {
 
 }
 
+func (s *testPrivilegeSuite) TestSetGlobal(c *C) {
+	se := newSession(c, s.store, s.dbName)
+	mustExec(c, se, `CREATE USER setglobal_a@localhost`)
+	mustExec(c, se, `CREATE USER setglobal_b@localhost`)
+	mustExec(c, se, `GRANT SUPER ON *.* to setglobal_a@localhost`)
+	mustExec(c, se, `FLUSH PRIVILEGES`)
+
+	c.Assert(se.Auth(&auth.UserIdentity{Username: "setglobal_a", Hostname: "localhost"}, nil, nil), IsTrue)
+	mustExec(c, se, `set global innodb_commit_concurrency=16`)
+
+	c.Assert(se.Auth(&auth.UserIdentity{Username: "setglobal_b", Hostname: "localhost"}, nil, nil), IsTrue)
+	_, err := se.Execute(context.Background(), `set global innodb_commit_concurrency=16`)
+	c.Assert(strings.Contains(err.Error(), "privilege check fail"), IsTrue)
+}
+
 func (s *testPrivilegeSuite) TestAnalyzeTable(c *C) {
 
 	se := newSession(c, s.store, s.dbName)