privilege,planner/core: add dynamic privilege RESOURCE_GROUP_ADMIN for resource group operation | tidb-test=pr/2068 #40632

Merged
merged 6 commits into from
Jan 17, 2023
Merged
Changes from 4 commits
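--- a/executor/executor_test.go
+++ b/executor/executor_test.go
@@ -280,6 +280,7 @@ func TestShow(t *testing.T) {
 "RESTRICTED_USER_ADMIN Server Admin ",
 "RESTRICTED_CONNECTION_ADMIN Server Admin ",
 "RESTRICTED_REPLICA_WRITER_ADMIN Server Admin ",
+"RESOURCE_GROUP_ADMIN Server Admin ",
 ))
 require.Len(t, tk.MustQuery("show table status").Rows(), 1)
 }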
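--- a/planner/core/planbuilder.go
+++ b/planner/core/planbuilder.go
@@ -4755,6 +4755,9 @@ func (b *PlanBuilder) buildDDL(ctx context.Context, node ast.DDLNode) (Plan, err
 case *ast.DropPlacementPolicyStmt, *ast.CreatePlacementPolicyStmt, *ast.AlterPlacementPolicyStmt:
 err := ErrSpecificAccessDenied.GenWithStackByArgs("SUPER or PLACEMENT_ADMIN")
 b.visitInfo = appendDynamicVisitInfo(b.visitInfo, "PLACEMENT_ADMIN", false, err)
+case *ast.CreateResourceGroupStmt, *ast.DropResourceGroupStmt, *ast.AlterResourceGroupStmt:
+err := ErrSpecificAccessDenied.GenWithStackByArgs("SUPER or RESOURCE_GROUP_ADMIN")
+b.visitInfo = appendDynamicVisitInfo(b.visitInfo, "RESOURCE_GROUP_ADMIN", false, err)
 }
 p := &DDL{Statement: node}
 return p, nil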
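Review bot: The new `case` for the three resource-group statements spells the privilege name as a bare string twice (in the `GenWithStackByArgs` message and in the `appendDynamicVisitInfo` call), and it has to stay identical to the `"RESOURCE_GROUP_ADMIN"` entry added to `dynamicPrivs` in privilege/privileges/privileges.go, with nothing on the new lines saying so. I would add a comment above the case such as `// RESOURCE_GROUP_ADMIN must match the name registered in dynamicPrivs; SUPER is also accepted, per the error text.` The `false` argument is presumably the with-grant flag, mirroring the PLACEMENT_ADMIN case above, and would be worth naming in the same comment. Only CREATE/DROP/ALTER RESOURCE GROUP are gated here; whether any other statement that references a resource group needs the same privilege cannot be judged from this hunk. buildDDL starts and ends outside the hunk.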
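--- a/privilege/privileges/privileges.go
+++ b/privilege/privileges/privileges.go
@@ -62,6 +62,7 @@ var dynamicPrivs = []string{
 "RESTRICTED_USER_ADMIN", // User can not have their access revoked by SUPER users.
 "RESTRICTED_CONNECTION_ADMIN", // Can not be killed by PROCESS/CONNECTION_ADMIN privilege
 "RESTRICTED_REPLICA_WRITER_ADMIN", // Can write to the sever even when tidb_restriced_read_only is turned on.
+"RESOURCE_GROUP_ADMIN", // Create/Drop/Alter RESOURCE GROUP
 }
 var dynamicPrivLock sync.Mutex
 var defaultTokenLife = 15 * time.Minute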
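--- a/privilege/privileges/privileges_test.go
+++ b/privilege/privileges/privileges_test.go
@@ -2571,6 +2571,46 @@ func TestPlacementPolicyStmt(t *testing.T) {
 tk.MustExec(dropStmt)
 }
 
+func TestResourceGroupAdminDynamicPriv(t *testing.T) {
+store := createStoreAndPrepareDB(t)
+
+tk1 := testkit.NewTestKit(t, store)
+// tk1 is the root user, create a new user for test.
+tk1.Session().Auth(&auth.UserIdentity{
+Username: "root",
+Hostname: "localhost",
+}, nil, nil)
+tk1.MustExec("CREATE USER resource_group_user")
+tk1.MustExec("set @@global.tidb_enable_resource_control = 1")
+
+// tk2 is the new user.
+tk2 := testkit.NewTestKit(t, store)
+tk2.Session().Auth(&auth.UserIdentity{
+Username: "resource_group_user",
+Hostname: "localhost",
+}, nil, nil)
+err := tk2.ExecToErr("CREATE RESOURCE GROUP test RRU_PER_SEC = 666")
+require.EqualError(t, err, "[planner:1227]Access denied; you need (at least one of) the SUPER or RESOURCE_GROUP_ADMIN privilege(s) for this operation")
+
+// grant the RESOURCE_GROUP_ADMIN dynamic privilege to the user.
+tk1.MustExec("GRANT RESOURCE_GROUP_ADMIN ON *.* TO resource_group_user")
+tk1.MustQuery("SHOW GRANTS FOR resource_group_user").Check(testkit.Rows(
+`GRANT USAGE ON *.* TO 'resource_group_user'@'%'`,
+`GRANT RESOURCE_GROUP_ADMIN ON *.* TO 'resource_group_user'@'%'`))
+
+tk2.MustExec("CREATE RESOURCE GROUP test RRU_PER_SEC = 666")
+tk2.MustExec("CREATE RESOURCE GROUP test2 WRU_PER_SEC = 999")
+
+tk2.MustExec("ALTER RESOURCE GROUP test2 WRU_PER_SEC = 1000")
+tk2.MustExec("DROP RESOURCE GROUP test2")
+
+tk1.MustExec("REVOKE RESOURCE_GROUP_ADMIN ON *.* FROM resource_group_user")
+err = tk2.ExecToErr("ALTER RESOURCE GROUP test RRU_PER_SEC = 667")
+require.EqualError(t, err, "[planner:1227]Access denied; you need (at least one of) the SUPER or RESOURCE_GROUP_ADMIN privilege(s) for this operation")
+err = tk2.ExecToErr("DROP RESOURCE GROUP test")
+require.EqualError(t, err, "[planner:1227]Access denied; you need (at least one of) the SUPER or RESOURCE_GROUP_ADMIN privilege(s) for this operation")
+}
+
 func TestDBNameCaseSensitivityInTableLevel(t *testing.T) {
 store := createStoreAndPrepareDB(t)
 tk := testkit.NewTestKit(t, store)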
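Review bot: TestResourceGroupAdminDynamicPriv asserts the "SUPER or RESOURCE_GROUP_ADMIN" message three times but never exercises the SUPER half: root only does setup, GRANT and REVOKE, and every resource-group statement runs as `resource_group_user`. A third session for a user granted only SUPER, running one `CREATE RESOURCE GROUP`, would pin that path. After the REVOKE only ALTER and DROP are rechecked, so a `tk2.ExecToErr("CREATE RESOURCE GROUP test3 RRU_PER_SEC = 1")` with the same expected error would complete the set (`test3` is a made-up name). The repeated error string could also be a local constant so the three assertions cannot drift apart.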