
privilege: add DDL and DML privilege check for system tables #15095

Merged
crazycs520 merged 6 commits into pingcap:master from djshow832:delete_stmt_summary
Mar 4, 2020

@djshow832
Contributor

What problem does this PR solve?

Add DDL and DML privilege check for system tables in performance_schema and metrics_schema.

What is changed and how it works?

Prevent users from executing ALTER, DROP, INDEX, INSERT, UPDATE, DELETE statements on predefined tables.
Privileges of those tables which are defined in these schemas by users themselves are kept untouched.

Check List

Tests

  • Unit test
  • Manual test (add detailed scripts or steps below)
mysql> delete from events_statements_summary_by_digest;
ERROR 8121 (HY000): privilege check fail

Code changes

  • Has exported function/method change

Side effects

  • Breaking backward compatibility

Related changes

N/A

Release note

  • Forbid users from executing DDL and update/delete/insert on predefined tables in performance_schema and metrics_schema.
  • Compatibility declaration: Executing DDL and update/delete/insert on predefined tables in performance_schema and metrics_schema is no longer allowed.
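
The rule described under "What is changed and how it works?", sketched in Go as an added example; it is not code from this PR or from TiDB. The `Priv` type, the `predefined` map, the `Allowed` function, the `granted` callback and the `example_metric_table` name are assumptions made for illustration.

```go
package main

import (
	"fmt"
	"strings"
)

// Priv is a statement-level privilege (hypothetical type for this example).
type Priv int

const (
	Select Priv = iota
	Insert
	Update
	Delete
	Alter
	Drop
	Index
)

// predefined lists built-in tables per system schema. Only
// events_statements_summary_by_digest appears on the page; the
// metrics_schema entry is a constructed placeholder.
var predefined = map[string]map[string]bool{
	"performance_schema": {"events_statements_summary_by_digest": true},
	"metrics_schema":     {"example_metric_table": true},
}

// Allowed refuses DDL/DML on a predefined system table before grants are
// consulted. Every other request, including one on a user-created table in
// the same schemas, falls through to the normal grant check (granted is an
// assumed callback standing in for it).
func Allowed(db, table string, priv Priv, granted func(db, table string, p Priv) bool) bool {
	db, table = strings.ToLower(db), strings.ToLower(table)
	if predefined[db][table] {
		switch priv {
		case Insert, Update, Delete, Alter, Drop, Index:
			return false
		}
	}
	return granted(db, table, priv)
}

func main() {
	all := func(string, string, Priv) bool { return true } // grants everything
	fmt.Println(Allowed("performance_schema", "events_statements_summary_by_digest", Delete, all))
	fmt.Println(Allowed("performance_schema", "user_made", Delete, all))
}
```

Names are lowercased before the lookup so that a mixed-case spelling of the schema or table cannot sidestep the deny list.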

@codecov

codecov bot commented Mar 3, 2020

Codecov Report

❗ No coverage uploaded for pull request base (master@2be64f6).
The diff coverage is 51.9607%.

@@             Coverage Diff             @@
##             master     #15095   +/-   ##
===========================================
  Coverage          ?   80.6817%           
===========================================
  Files             ?        502           
  Lines             ?     134686           
  Branches          ?          0           
===========================================
  Hits              ?     108667           
  Misses            ?      17616           
  Partials          ?       8403

@djshow832
Contributor Author

/run-all-tests

@djshow832 djshow832 force-pushed the delete_stmt_summary branch from cb5b63c to 5396c94 March 3, 2020 10:16
@djshow832 djshow832 closed this Mar 3, 2020
@djshow832 djshow832 reopened this Mar 3, 2020
Contributor

@AilinKid AilinKid left a comment

Rest LGTM

Contributor

@AilinKid AilinKid left a comment

LGTM

Contributor

@Deardrops Deardrops left a comment

LGTM

@djshow832
Contributor Author

/merge

@djshow832
Contributor Author

/merge

@crazycs520 crazycs520 merged commit 9df0780 into pingcap:master Mar 4, 2020
@djshow832 djshow832 added the compatibility-breaker (Violation of forwards/backwards compatibility in a design-time piece.) and needs-cherry-pick-3.0 labels Mar 10, 2020
@djshow832
Contributor Author

/run-cherry-picker

@sre-bot
Contributor

sre-bot commented Mar 17, 2020

cherry pick to release-3.0 in PR #15417

Labels

compatibility-breaker (Violation of forwards/backwards compatibility in a design-time piece.), component/infoschema, component/privilege

5 participants