Chillax-0v0 opened a new issue #13435:
URL: https://github.com/apache/shardingsphere/issues/13435
## Bug Report
Similar to #11550 , but something new.
### Which version of ShardingSphere did you use?
5.0.0-beta
### Which project did you use? ShardingSphere-JDBC or ShardingSphere-Proxy?
ShardingSphere-Proxy
### What Happened?
I use Aliyun RDS. There's a user named 'root', with nearly all privileges
except "Super_priv". Like this:
```
mysql> select * from mysql.user where User='root'\G
*************************** 1. row ***************************
Host: %
User: root
Select_priv: Y
Insert_priv: Y
Update_priv: Y
Delete_priv: Y
Create_priv: Y
Drop_priv: Y
Reload_priv: Y
Shutdown_priv: N
Process_priv: Y
File_priv: N
Grant_priv: Y
References_priv: Y
Index_priv: Y
Alter_priv: Y
Show_db_priv: Y
Super_priv: N
Create_tmp_table_priv: Y
Lock_tables_priv: Y
Execute_priv: Y
Repl_slave_priv: Y
Repl_client_priv: Y
Create_view_priv: Y
Show_view_priv: Y
Create_routine_priv: Y
Alter_routine_priv: Y
Create_user_priv: Y
Event_priv: Y
Trigger_priv: Y
Create_tablespace_priv: N
```
(By the way, I can use "SHOW TABLES" without any errors in this RDS.)
I configure user 'root' in `server.yaml`.
Then I successfully start the ShardingSphere-Proxy. However when I enter
"SHOW TABLES", it returns:
```
ERROR 1999 (C1999): Unknown exception: [SQL checking failed. Error message: .]
```
When I give user 'root' the "Super_priv" like this:
```MYSQL
UPDATE mysql.user SET Super_Priv='Y' WHERE user='root' AND host='%';
```
Everything plays well.
### Reason analyze (If you can)
I find the authority check
[here](https://github.com/apache/shardingsphere/blob/32362a4263a6739116119761a9cc6d7c4498634b/shardingsphere-kernel/shardingsphere-authority/shardingsphere-authority-core/src/main/java/org/apache/shardingsphere/authority/provider/natived/model/privilege/admin/AdministrativePrivileges.java#L43):
```Java
public boolean hasPrivileges(final Collection<PrivilegeType> privileges) {
    return this.privileges.contains(PrivilegeType.SUPER) || this.privileges.containsAll(privileges);
}
```
When I enter "SHOW TABLES", param `privileges` will be a `SingletonList`
with a `null` in it. And `this.privileges.containsAll(privileges)` will
***surely*** be `false`. So if the user does not have super privilege, the
authority check will fail.
Then I find that the param `privileges` is generated
[here](https://github.com/apache/shardingsphere/blob/32362a4263a6739116119761a9cc6d7c4498634b/shardingsphere-kernel/shardingsphere-authority/shardingsphere-authority-core/src/main/java/org/apache/shardingsphere/authority/checker/AuthorityChecker.java#L73):
```Java
return privileges.map(optional -> new SQLCheckResult(optional.hasPrivileges(Collections.singletonList(getPrivilege(sqlStatement))), ""))
        .orElseGet(() -> new SQLCheckResult(false, ""));
```
We can see function `getPrivilege` will return `null` by default:
```Java
private PrivilegeType getPrivilege(final SQLStatement sqlStatement) {
    if (sqlStatement instanceof MySQLShowDatabasesStatement) {
        return PrivilegeType.SHOW_DB;
    }
    if (sqlStatement instanceof DMLStatement) {
        return getDMLPrivilege(sqlStatement);
    }
    if (sqlStatement instanceof DDLStatement) {
        return getDDLPrivilege(sqlStatement);
    }
    // TODO add more Privilege and SQL statement mapping
    return null;
}
```
I think this means "*if we haven't stated which privilege the SQL needs, the
SQL will need no privilege*".
However, `null` will not pass the authority check unless the user has THE super
privilege. I think it's wrong.
### Example codes for reproduce this issue (such as a github link).
The root cause of this problem is:
When you use `a.containsAll(b)`, if there is `null` in `b` but not in `a`,
you will get `false`.
So I think 'null' should be filtered out when checking authority. Like
[this](https://github.com/Chillax-0v0/shardingsphere/commit/e2a5cc6204bb57e1fa59ffd1a1bbeda4ddf97fd4)
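
The `containsAll` behaviour described in the report, as a standalone sketch added here for illustration; it is not code from ShardingSphere or from the linked commit. Assumptions: `PrivilegeType` is reduced to three values, an `EnumSet` stands in for the project's privilege collection, and the class and method names (`NullPrivilegeCheckDemo`, `checkAsReported`, `checkNullFiltered`) are hypothetical.

```java
import java.util.Collection;
import java.util.Collections;
import java.util.EnumSet;
import java.util.Objects;
import java.util.Set;
import java.util.stream.Collectors;

public class NullPrivilegeCheckDemo {

    // Stand-in for the project's PrivilegeType enum (assumption: only three values needed here).
    enum PrivilegeType { SUPER, SELECT, SHOW_DB }

    // Check as quoted in the issue: SUPER short-circuits, otherwise every required entry must be granted.
    static boolean checkAsReported(Set<PrivilegeType> granted, Collection<PrivilegeType> required) {
        return granted.contains(PrivilegeType.SUPER) || granted.containsAll(required);
    }

    // Hypothetical variant following the issue's suggestion: ignore null entries,
    // i.e. statements for which no privilege mapping exists.
    static boolean checkNullFiltered(Set<PrivilegeType> granted, Collection<PrivilegeType> required) {
        Collection<PrivilegeType> mapped = required.stream()
                .filter(Objects::nonNull)
                .collect(Collectors.toList());
        return granted.contains(PrivilegeType.SUPER) || granted.containsAll(mapped);
    }

    public static void main(String[] args) {
        // Constructed accounts: "root" mirrors the RDS user above (many grants, no SUPER).
        Set<PrivilegeType> root = EnumSet.of(PrivilegeType.SELECT, PrivilegeType.SHOW_DB);
        Set<PrivilegeType> superUser = EnumSet.of(PrivilegeType.SUPER);
        Set<PrivilegeType> noGrants = EnumSet.noneOf(PrivilegeType.class);

        // What the checker builds when getPrivilege() has no mapping, e.g. for SHOW TABLES.
        Collection<PrivilegeType> unmapped = Collections.singletonList((PrivilegeType) null);
        Collection<PrivilegeType> select = Collections.singletonList(PrivilegeType.SELECT);

        System.out.println("reported, root, unmapped:      " + checkAsReported(root, unmapped));
        System.out.println("reported, superUser, unmapped: " + checkAsReported(superUser, unmapped));
        System.out.println("filtered, root, unmapped:      " + checkNullFiltered(root, unmapped));
        System.out.println("filtered, noGrants, unmapped:  " + checkNullFiltered(noGrants, unmapped));
        System.out.println("filtered, noGrants, SELECT:    " + checkNullFiltered(noGrants, select));
    }
}
```

With nulls filtered, an unmapped statement is accepted even for an account with no grants, because `containsAll` on an empty collection is always `true`. Statement types that should stay restricted therefore need an explicit mapping in `getPrivilege`.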