'show stats_meta' requires the whole mysql db privilege · pingcap/tidb#27941

(3 comments) (1 reaction) (1 assignee)Go (40,090 stars) (6,186 forks)batch import

help wantedsig/sql-infratype/question

Description

Bug Report

Please answer these questions before submitting your issue. Thanks!

1. Minimal reproduce step (Required)

create a user with mysql.stats_meta table select privilege granted

show stats_meta

2. What did you expect to see? (Required)

I think the user should be able to execute show stats_meta

3. What did you see instead (Required)

privilege check failed, it requires the whole mysql db privilege.

The bug is in planner/core/planbuilder.go, see:

case ast.ShowStatsBuckets, ast.ShowStatsHistograms, ast.ShowStatsMeta, ast.ShowStatsExtended, ast.ShowStatsHealthy, ast.ShowStatsTopN:
		user := b.ctx.GetSessionVars().User
		var err error
		if user != nil {
			err = ErrDBaccessDenied.GenWithStackByArgs(user.AuthUsername, user.AuthHostname, mysql.SystemDB)
		}
		b.visitInfo = appendVisitInfo(b.visitInfo, mysql.SelectPriv, mysql.SystemDB, "", "", err)

4. What is your TiDB version? (Required)

mysql> select tidb_version();
+--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| tidb_version()                                                                                                                                                                                                                                                                                                           |
+--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| Release Version: v5.3.0-alpha-58-g8f642929e
Edition: Community
Git Commit Hash: 8f642929e04cf35c982314c576b71bedf57d9f22
Git Branch: master
UTC Build Time: 2021-09-10 01:17:12
GoVersion: go1.16.7
Race Enabled: false
TiKV Min Version: v3.0.0-60965b006877ca7234adaced7890d7b029ed1306
Check Table Before Drop: false |
+--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
1 row in set (0.00 sec)

Contributor guide

Tech stack: gomysql
Domain: backenddatabasesecurity
Issue type: bug
Difficulty: 3
Estimated time: 1-3 hours
Activity status: stale
Clarity: mostly clear
Prerequisites: Go programmingunderstanding of MySQL privilege system
Newbie friendliness: 45
Research direction: Look at the file planner/core/planbuilder.go, specifically the case statement for 'show stats meta'. The current code grants access only if the user has SELECT privilege on the entire mysql system database. The fix should check for SELECT privilege specifically on the mysql.stats meta table. This is a localized change that can be found in the switch case block around line numbers referenced in the issue. Ensure the new privilege check aligns with existing patterns in the codebase.