set session level `sql_require_primary_key` didn't check privilege · pingcap/tidb#61825

(4 comments) (0 reactions) (0 assignees)Go (40,090 stars) (6,186 forks)batch import

good first issueseverity/moderatesig/sql-infratype/bug

Description

Bug Report

Please answer these questions before submitting your issue. Thanks!

1. Minimal reproduce step (Required)

mysql> CREATE USER 'test'@'%' IDENTIFIED BY '';
Query OK, 0 rows affected (0.027 sec)

$ mysql -u test -h 127.0.0.1 -P 4000
...
mysql> set sql_require_primary_key = 0;
Query OK, 0 rows affected (0.000 sec)

mysql> set global sql_require_primary_key = 0;
ERROR 1227 (42000): Access denied; you need (at least one of) the SUPER or SYSTEM_VARIABLES_ADMIN privilege(s) for this operation

2. What did you expect to see? (Required)

both session and global level should fail. https://dev.mysql.com/doc/refman/8.4/en/server-system-variables.html#sysvar_sql_require_primary_key

3. What did you see instead (Required)

session level has no error

4. What is your TiDB version? (Required)

at least v8.5.2

Contributor guide

Tech stack: gomysql
Domain: databasesecurity
Issue type: bug
Difficulty: 3
Estimated time: 1-3 hours
Activity status: fresh
Clarity: clear
Prerequisites: basic Gofamiliarity with TiDB privilege system
Newbie friendliness: 65
Research direction: Investigate the session level setter for `sql require primary key` in TiDB's codebase. Compare with the global setter that correctly denies the operation. Look in `sessionctx/variable` or `privilege` packages for privilege check functions. The fix likely involves adding a privilege check call in the session setter path.