check: some privilege should be global-level (#407)

Author: lance6716

go.mod1

@@ -2,26 +2,30 @@ module github.com/pingcap/tidb-tools
 
 require (
 	github.com/BurntSushi/toml v0.3.1
-	github.com/DATA-DOG/go-sqlmock v1.4.1
+	github.com/DATA-DOG/go-sqlmock v1.5.0
 	github.com/Shopify/sarama v1.24.1
 	github.com/go-sql-driver/mysql v1.5.0
 	github.com/golang/protobuf v1.3.4
+	github.com/onsi/ginkgo v1.11.0 // indirect
+	github.com/onsi/gomega v1.8.1 // indirect
 	github.com/pingcap/check v0.0.0-20200212061837-5e12011dc712
 	github.com/pingcap/dm v1.1.0-alpha.0.20200729032940-53a08d777030
-	github.com/pingcap/errors v0.11.5-0.20200917111840-a15ef68f753d
+	github.com/pingcap/errors v0.11.5-0.20201126102027-b0a155152ca3
 	github.com/pingcap/failpoint v0.0.0-20200702092429-9f69995143ce
-	github.com/pingcap/kvproto v0.0.0-20200828054126-d677e6fd224a
-	github.com/pingcap/log v0.0.0-20200828042413-fce0951f1463
-	github.com/pingcap/parser v0.0.0-20200924053142-5d7e8ebf605e
-	github.com/pingcap/tidb v1.1.0-beta.0.20200927065602-486e473a86e9
-	github.com/pingcap/tipb v0.0.0-20200618092958-4fad48b4c8c3
+	github.com/pingcap/kvproto v0.0.0-20201215060142-f3dafca4c7fd
+	github.com/pingcap/log v0.0.0-20201112100606-8f1e84a3abc8
+	github.com/pingcap/parser v0.0.0-20210105063241-09b74e077464
+	github.com/pingcap/tidb v1.1.0-beta.0.20201222032702-32d8cad845d6
+	github.com/pingcap/tipb v0.0.0-20201209065231-aa39b1b86217
 	github.com/siddontang/go v0.0.0-20180604090527-bdc77568d726
-	github.com/tikv/pd v1.1.0-beta.0.20200907085700-5b04bec39b99
-	go.etcd.io/etcd v0.5.0-alpha.5.0.20191023171146-3cf2f69b5738
-	go.uber.org/atomic v1.6.0
+	github.com/syndtr/goleveldb v1.0.1-0.20190625010220-02440ea7a285 // indirect
+	github.com/tikv/pd v1.1.0-beta.0.20201125070607-d4b90eee0c70
+	go.etcd.io/bbolt v1.3.5 // indirect
+	go.etcd.io/etcd v0.5.0-alpha.5.0.20200824191128-ae9734ed278b
+	go.uber.org/atomic v1.7.0
 	go.uber.org/zap v1.16.0
-	golang.org/x/net v0.0.0-20200813134508-3edf25e44fcc
-	google.golang.org/grpc v1.26.0
+	golang.org/x/net v0.0.0-20200904194848-62affa334b73
+	google.golang.org/grpc v1.27.1
 )
 
 replace github.com/golang/lint => golang.org/x/lint v0.0.0-20190930215403-16217165b5de

go.sum1

@@ -22,10 +22,30 @@ import (
 	"github.com/pingcap/errors"
 	"github.com/pingcap/parser"
 	"github.com/pingcap/parser/ast"
+	"github.com/pingcap/parser/mysql"
 	"github.com/pingcap/tidb-tools/pkg/dbutil"
 	_ "github.com/pingcap/tidb/types/parser_driver" // for parser driver
 )
 
+var (
+	dumpPrivileges = map[mysql.PrivilegeType]struct{}{
+		mysql.ReloadPriv: {},
+		mysql.SelectPriv: {},
+	}
+	replicationPrivileges = map[mysql.PrivilegeType]struct{}{
+		mysql.ReplicationClientPriv: {},
+		mysql.ReplicationSlavePriv:  {},
+	}
+
+	// some privileges are only effective on global level. in other words, GRANT ALL ON test.* is not enough for them
+	// https://dev.mysql.com/doc/refman/5.7/en/grant.html#grant-global-privileges
+	privNeedGlobal = map[mysql.PrivilegeType]struct{}{
+		mysql.ReloadPriv:            {},
+		mysql.ReplicationClientPriv: {},
+		mysql.ReplicationSlavePriv:  {},
+	}
+)
+
 /*****************************************************/
 
 // SourceDumpPrivilegeChecker checks dump privileges of source DB.
@@ -55,7 +75,7 @@ func (pc *SourceDumpPrivilegeChecker) Check(ctx context.Context) *Result {
 		return result
 	}
 
-	verifyPrivileges(result, grants, []string{"RELOAD", "SELECT"})
+	verifyPrivileges(result, grants, dumpPrivileges)
 	return result
 }
 
@@ -93,7 +113,7 @@ func (pc *SourceReplicatePrivilegeChecker) Check(ctx context.Context) *Result {
 		return result
 	}
 
-	verifyPrivileges(result, grants, []string{"REPLICATION SLAVE", "REPLICATION CLIENT"})
+	verifyPrivileges(result, grants, replicationPrivileges)
 	return result
 }
 
@@ -102,74 +122,103 @@ func (pc *SourceReplicatePrivilegeChecker) Name() string {
 	return "source db replication privilege checker"
 }
 
-func verifyPrivileges(result *Result, grants []string, expectedGrants []string) {
+// TODO: if we add more privilege in future, we might add special checks (globally granted?) for that new privilege
+func verifyPrivileges(result *Result, grants []string, expectedGrants map[mysql.PrivilegeType]struct{}) {
+	result.State = StateFailure
 	if len(grants) == 0 {
 		result.ErrorMsg = "there is no such grant defined for current user on host '%'"
 		return
 	}
 
-	// TiDB parser does not support parse `IDENTIFIED BY PASSWORD <secret>`,
-	// but it may appear in some cases, ref: https://bugs.mysql.com/bug.php?id=78888.
-	// We do not need the password in grant statement, so we can replace it.
-	firstGrant := strings.Replace(grants[0], "IDENTIFIED BY PASSWORD <secret>", "IDENTIFIED BY PASSWORD 'secret'", 1)
-
-	// support parse `IDENTIFIED BY PASSWORD WITH {GRANT OPTION | resource_option} ...`
-	firstGrant = strings.Replace(firstGrant, "IDENTIFIED BY PASSWORD WITH", "IDENTIFIED BY PASSWORD 'secret' WITH", 1)
-
-	// support parse `IDENTIFIED BY PASSWORD`
-	if strings.HasSuffix(firstGrant, "IDENTIFIED BY PASSWORD") {
-		firstGrant = firstGrant + " 'secret'"
+	var (
+		user       string
+		lackGrants = make(map[mysql.PrivilegeType]struct{}, len(expectedGrants))
+	)
+	for k := range expectedGrants {
+		lackGrants[k] = struct{}{}
 	}
 
-	// Aurora has some privilege failing parsing
-	awsPrivilege := []string{"LOAD FROM S3", "SELECT INTO S3", "INVOKE LAMBDA", "INVOKE SAGEMAKER", "INVOKE COMPREHEND"}
-	for _, p := range awsPrivilege {
-		firstGrant = strings.Replace(firstGrant, p, "", 1)
-		firstGrant = strings.ReplaceAll(firstGrant, ", ,", ",")
-	}
-	firstGrant = strings.ReplaceAll(firstGrant, "GRANT ,", "GRANT ")
-	firstGrant = strings.ReplaceAll(firstGrant, ",  ON", " ON")
+	for i, grant := range grants {
+		// TiDB parser does not support parse `IDENTIFIED BY PASSWORD <secret>`,
+		// but it may appear in some cases, ref: https://bugs.mysql.com/bug.php?id=78888.
+		// We do not need the password in grant statement, so we can replace it.
+		grant := strings.Replace(grant, "IDENTIFIED BY PASSWORD <secret>", "IDENTIFIED BY PASSWORD 'secret'", 1)
 
-	// get username and hostname
-	node, err := parser.New().ParseOneStmt(firstGrant, "", "")
-	if err != nil {
-		result.ErrorMsg = errors.ErrorStack(errors.Annotatef(err, "grants[0] %s, firstGrant after replace %s", grants[0], firstGrant))
-		return
-	}
-	grantStmt, ok := node.(*ast.GrantStmt)
-	if !ok {
-		result.ErrorMsg = fmt.Sprintf("%s is not grant statment", grants[0])
-		return
-	}
+		// support parse `IDENTIFIED BY PASSWORD WITH {GRANT OPTION | resource_option} ...`
+		grant = strings.Replace(grant, "IDENTIFIED BY PASSWORD WITH", "IDENTIFIED BY PASSWORD 'secret' WITH", 1)
 
-	if len(grantStmt.Users) == 0 {
-		result.ErrorMsg = fmt.Sprintf("grant has not user %s", grantStmt.Text())
-		return
-	}
+		// support parse `IDENTIFIED BY PASSWORD`
+		if strings.HasSuffix(grant, "IDENTIFIED BY PASSWORD") {
+			grant = grant + " 'secret'"
+		}
 
-	// TODO: user tidb parser(which not works very well now)
-	lackOfPrivileges := make([]string, 0, len(expectedGrants))
-	for _, expected := range expectedGrants {
-		hasPrivilege := false
-		for _, grant := range grants {
-			if strings.Contains(grant, "ALL PRIVILEGES") {
-				result.State = StateSuccess
+		// get username and hostname
+		node, err := parser.New().ParseOneStmt(grant, "", "")
+		if err != nil {
+			result.ErrorMsg = errors.ErrorStack(errors.Annotatef(err, "grant %s, grant after replace %s", grants[i], grant))
+			return
+		}
+		grantStmt, ok := node.(*ast.GrantStmt)
+		if !ok {
+			switch node.(type) {
+			case *ast.GrantProxyStmt, *ast.GrantRoleStmt:
+				continue
+			default:
+				result.ErrorMsg = fmt.Sprintf("%s is not grant statment", grants[i])
 				return
 			}
-			if strings.Contains(grant, expected) {
-				hasPrivilege = true
-			}
 		}
-		if !hasPrivilege {
-			lackOfPrivileges = append(lackOfPrivileges, expected)
+
+		if len(grantStmt.Users) == 0 {
+			result.ErrorMsg = fmt.Sprintf("grant has no user %s", grantStmt.Text())
+			return
+		} else if user == "" {
+			// show grants will only output grants for requested user
+			user = grantStmt.Users[0].User.Username
+		}
+
+		for _, privElem := range grantStmt.Privs {
+			if privElem.Priv == mysql.AllPriv {
+				if grantStmt.Level.Level == ast.GrantLevelGlobal {
+					result.State = StateSuccess
+					return
+				} else {
+					// REPLICATION CLIENT, REPLICATION SLAVE, RELOAD should be global privileges,
+					// thus a non-global GRANT ALL is not enough
+					for expectedGrant := range lackGrants {
+						if _, ok := privNeedGlobal[expectedGrant]; !ok {
+							delete(lackGrants, expectedGrant)
+						}
+					}
+				}
+			} else {
+				// check every privilege and remove it from expectedGrants
+				if _, ok := lackGrants[privElem.Priv]; ok {
+					if _, ok := privNeedGlobal[privElem.Priv]; ok {
+						if grantStmt.Level.Level == ast.GrantLevelGlobal {
+							delete(lackGrants, privElem.Priv)
+						}
+					} else {
+						// currently, only SELECT privilege goes here. we didn't require SELECT to be granted globally,
+						// dumpling could report error if an allow-list table is lack of privilege.
+						// we only check that SELECT is granted on all columns, otherwise we can't SHOW CREATE TABLE
+						if len(privElem.Cols) == 0 {
+							delete(lackGrants, privElem.Priv)
+						}
+					}
+				}
+			}
 		}
 	}
 
-	user := grantStmt.Users[0]
-	if len(lackOfPrivileges) != 0 {
-		privileges := strings.Join(lackOfPrivileges, ",")
+	if len(lackGrants) != 0 {
+		lackGrantsStr := make([]string, 0, len(lackGrants))
+		for g := range lackGrants {
+			lackGrantsStr = append(lackGrantsStr, mysql.Priv2Str[g])
+		}
+		privileges := strings.Join(lackGrantsStr, ",")
 		result.ErrorMsg = fmt.Sprintf("lack of %s privilege", privileges)
-		result.Instruction = fmt.Sprintf("GRANT %s ON *.* TO '%s'@'%s';", privileges, user.User.Username, "%")
+		result.Instruction = fmt.Sprintf("GRANT %s ON *.* TO '%s'@'%s';", privileges, user, "%")
 		return
 	}
 

pkg/check/privilege.go

@@ -15,11 +15,6 @@ var _ = tc.Suite(&testCheckSuite{})
 type testCheckSuite struct{}
 
 func (t *testCheckSuite) TestVerifyPrivileges(c *tc.C) {
-	var (
-		dumpPrivileges        = []string{"RELOAD", "SELECT"}
-		replicationPrivileges = []string{"REPLICATION SLAVE", "REPLICATION CLIENT"}
-	)
-
 	cases := []struct {
 		grants          []string
 		dumpState       State
@@ -54,7 +49,7 @@ func (t *testCheckSuite) TestVerifyPrivileges(c *tc.C) {
 			grants: []string{ // lack optional privilege
 				"GRANT REPLICATION SLAVE ON *.* TO 'user'@'%'",
 				"GRANT REPLICATION CLIENT ON *.* TO 'user'@'%'",
-				"GRANT EXECUTE ON FUNCTION db1.anomaly_score TO user1@domain-or-ip-address1",
+				"GRANT EXECUTE ON FUNCTION db1.anomaly_score TO 'user1'@'domain-or-ip-address1'",
 			},
 			dumpState:       StateFailure,
 			replcationState: StateSuccess,
@@ -64,7 +59,7 @@ func (t *testCheckSuite) TestVerifyPrivileges(c *tc.C) {
 				"GRANT REPLICATION SLAVE ON *.* TO 'user'@'%'",
 				"GRANT REPLICATION CLIENT ON *.* TO 'user'@'%'",
 				"GRANT RELOAD ON *.* TO 'user'@'%'",
-				"GRANT EXECUTE ON FUNCTION db1.anomaly_score TO user1@domain-or-ip-address1",
+				"GRANT EXECUTE ON FUNCTION db1.anomaly_score TO 'user1'@'domain-or-ip-address1'",
 			},
 			dumpState:       StateFailure,
 			replcationState: StateSuccess,
@@ -84,11 +79,11 @@ func (t *testCheckSuite) TestVerifyPrivileges(c *tc.C) {
 			replcationState: StateSuccess,
 		},
 		{
-			grants: []string{ // lower case not supported yet
+			grants: []string{ // lower case
 				"GRANT all privileges ON *.* TO 'user'@'%'",
 			},
-			dumpState:       StateFailure,
-			replcationState: StateFailure,
+			dumpState:       StateSuccess,
+			replcationState: StateSuccess,
 		},
 		{
 			grants: []string{ // IDENTIFIED BY PASSWORD
@@ -160,6 +155,39 @@ func (t *testCheckSuite) TestVerifyPrivileges(c *tc.C) {
 			dumpState:       StateSuccess,
 			replcationState: StateSuccess,
 		},
+		{
+			grants: []string{ // privilege on db/table level is not enough to execute SHOW MASTER STATUS
+				"GRANT ALL PRIVILEGES ON `medz`.* TO `zhangsan`@`10.8.1.9` WITH GRANT OPTION",
+			},
+			dumpState:       StateFailure,
+			replcationState: StateFailure,
+		},
+		{
+			grants: []string{ // privilege on column level is not enough to execute SHOW CREATE TABLE
+				"GRANT REPLICATION SLAVE, REPLICATION CLIENT, RELOAD ON *.* TO 'user'@'%'",
+				"GRANT SELECT (c) ON `lance`.`t` TO 'user'@'%'",
+			},
+			dumpState:       StateFailure,
+			replcationState: StateSuccess,
+		},
+		{
+			grants: []string{
+				"GRANT RELOAD ON *.* TO `u1`@`localhost`",
+				"GRANT SELECT, INSERT, UPDATE, DELETE ON `db1`.* TO `u1`@`localhost`",
+				"GRANT `r1`@`%`,`r2`@`%` TO `u1`@`localhost`",
+			},
+			dumpState:       StateSuccess,
+			replcationState: StateFailure,
+		},
+		{
+			grants: []string{
+				"GRANT SELECT, INSERT, UPDATE, DELETE, CREATE, DROP, RELOAD, SHUTDOWN, PROCESS, FILE, REFERENCES, INDEX, ALTER, SHOW DATABASES, SUPER, CREATE TEMPORARY TABLES, LOCK TABLES, EXECUTE, REPLICATION SLAVE, REPLICATION CLIENT, CREATE VIEW, SHOW VIEW, CREATE ROUTINE, ALTER ROUTINE, CREATE USER, EVENT, TRIGGER, CREATE TABLESPACE, CREATE ROLE, DROP ROLE ON *.* TO `root`@`localhost` WITH GRANT OPTION",
+				"GRANT APPLICATION_PASSWORD_ADMIN,AUDIT_ADMIN,BACKUP_ADMIN,BINLOG_ADMIN,BINLOG_ENCRYPTION_ADMIN,CLONE_ADMIN,CONNECTION_ADMIN,ENCRYPTION_KEY_ADMIN,GROUP_REPLICATION_ADMIN,INNODB_REDO_LOG_ARCHIVE,PERSIST_RO_VARIABLES_ADMIN,REPLICATION_APPLIER,REPLICATION_SLAVE_ADMIN,RESOURCE_GROUP_ADMIN,RESOURCE_GROUP_USER,ROLE_ADMIN,SERVICE_CONNECTION_ADMIN,SESSION_VARIABLES_ADMIN,SET_USER_ID,SYSTEM_USER,SYSTEM_VARIABLES_ADMIN,TABLE_ENCRYPTION_ADMIN,XA_RECOVER_ADMIN ON *.* TO `root`@`localhost` WITH GRANT OPTION",
+				"GRANT PROXY ON ''@'' TO 'root'@'localhost' WITH GRANT OPTION",
+			},
+			dumpState:       StateSuccess,
+			replcationState: StateSuccess,
+		},
 	}
 
 	for _, cs := range cases {