executor, privilege: fix failure on grant USAGE privilege operation (p…

…ingcap#22748)
HelloMensa · Mar 2, 2021 · 17eca20 · 17eca20
1 parent d57b75e
commit 17eca20
Show file tree

Hide file tree

Showing 3 changed files with 22 additions and 1 deletion.
diff --git a/executor/grant.go b/executor/grant.go
@@ -404,7 +404,7 @@ func (e *GrantExec) grantLevelPriv(priv *ast.PrivElem, user *ast.UserSpec, inter
 
 // grantGlobalLevel manipulates mysql.user table.
 func (e *GrantExec) grantGlobalLevel(priv *ast.PrivElem, user *ast.UserSpec, internalSession sessionctx.Context) error {
-	if priv.Priv == 0 {
+	if priv.Priv == 0 || priv.Priv == mysql.UsagePriv {
 		return nil
 	}
 
@@ -422,6 +422,9 @@ func (e *GrantExec) grantGlobalLevel(priv *ast.PrivElem, user *ast.UserSpec, int
 
 // grantDBLevel manipulates mysql.db table.
 func (e *GrantExec) grantDBLevel(priv *ast.PrivElem, user *ast.UserSpec, internalSession sessionctx.Context) error {
+	if priv.Priv == mysql.UsagePriv {
+		return nil
+	}
 	dbName := e.Level.DBName
 	if len(dbName) == 0 {
 		dbName = e.ctx.GetSessionVars().CurrentDB
@@ -441,6 +444,9 @@ func (e *GrantExec) grantDBLevel(priv *ast.PrivElem, user *ast.UserSpec, interna
 
 // grantTableLevel manipulates mysql.tables_priv table.
 func (e *GrantExec) grantTableLevel(priv *ast.PrivElem, user *ast.UserSpec, internalSession sessionctx.Context) error {
+	if priv.Priv == mysql.UsagePriv {
+		return nil
+	}
 	dbName := e.Level.DBName
 	if len(dbName) == 0 {
 		dbName = e.ctx.GetSessionVars().CurrentDB

diff --git a/executor/grant_test.go b/executor/grant_test.go
@@ -384,3 +384,14 @@ func (s *testSuite3) TestGrantOnNonExistTable(c *C) {
 	_, err = tk.Exec("grant Select,Update on test.xx to 'genius'")
 	c.Assert(err, IsNil)
 }
+
+func (s *testSuite3) TestIssue22721(c *C) {
+	tk := testkit.NewTestKit(c, s.store)
+	tk.MustExec("use test")
+	tk.MustExec("create table if not exists xx (id int)")
+	tk.MustExec("CREATE USER 'sync_ci_data'@'%' IDENTIFIED BY 'sNGNQo12fEHe0n3vU';")
+	tk.MustExec("GRANT USAGE ON *.* TO 'sync_ci_data'@'%';")
+	tk.MustExec("GRANT USAGE ON sync_ci_data.* TO 'sync_ci_data'@'%';")
+	tk.MustExec("GRANT USAGE ON test.* TO 'sync_ci_data'@'%';")
+	tk.MustExec("GRANT USAGE ON test.xx TO 'sync_ci_data'@'%';")
+}
diff --git a/privilege/privileges/cache.go b/privilege/privileges/cache.go
@@ -919,6 +919,10 @@ func (p *MySQLPrivilege) matchColumns(user, host, db, table, column string) *col
 
 // RequestVerification checks whether the user have sufficient privileges to do the operation.
 func (p *MySQLPrivilege) RequestVerification(activeRoles []*auth.RoleIdentity, user, host, db, table, column string, priv mysql.PrivilegeType) bool {
+	if priv == mysql.UsagePriv {
+		return true
+	}
+
 	roleList := p.FindAllRole(activeRoles)
 	roleList = append(roleList, &auth.RoleIdentity{Username: user, Hostname: host})