Privilege re-grant: cascading revocation of object privileges fails

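[Environment] Test environment
[OB or other component] OB
[Version] 4.3.1
[Problem description] The official documentation says that when an object privilege is revoked, the corresponding privileges that the user re-granted to other users must be revoked at the same time. That is, if A grants a privilege to B and B grants it to C, then when A revokes B's privilege, C's privilege is revoked as well. Verification in the test environment shows that C's privilege was not revoked.
[Reproduction steps]
1. Log in as root, create the A_test user, and grant A_test the object privilege
obclient [(none)]> create user A_test identified by 'DBAdba_baofoo@64';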
Query OK, 0 rows affected (0.211 sec)

obclient [(none)]> grant select on ob_test.t2 to A_test with grant option;
Query OK, 0 rows affected (0.345 sec)

2. Log in as root and create the B_test user
obclient [(none)]> create user B_test identified by 'DBAdba_baofoo@64';
Query OK, 0 rows affected (0.310 sec)

3. Log in as A_test and grant B_test the object privilege
[root@DC01 ~]# obclient -h10.0.22.30 -P2881 -uA_test@dba_test2 -p
Enter password:
Welcome to the OceanBase. Commands end with ; or \g.
Your OceanBase connection id is 3222455960
Server version: OceanBase_CE 4.3.0.1 (r100000242024032211-0193a343bc60b4699ec47792c3fc4ce166a182f9) (Built Mar 22 2024 13:19:48)

Copyright (c) 2000, 2018, OceanBase and/or its affiliates. All rights reserved.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

obclient [(none)]> grant select on ob_test.t2 to B_test;
Query OK, 0 rows affected (0.203 sec)

obclient [(none)]> quit
Bye

4. Verify B_test's query privilege
[root@DC01 ~]# obclient -h10.0.22.30 -P2881 -uB_test@dba_test2 -p
Enter password:
Welcome to the OceanBase. Commands end with ; or \g.
Your OceanBase connection id is 3222461160
Server version: OceanBase_CE 4.3.0.1 (r100000242024032211-0193a343bc60b4699ec47792c3fc4ce166a182f9) (Built Mar 22 2024 13:19:48)

Copyright (c) 2000, 2018, OceanBase and/or its affiliates. All rights reserved.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

obclient [(none)]>
obclient [(none)]>
obclient [(none)]> select * from ob_test.t2;
Empty set (0.001 sec)

obclient [(none)]> quit
Bye

5. Log in as root and revoke A_test's object privilege
[root@DC01 ~]# obclient -h10.0.22.30 -P2881 -uroot@dba_test2 -p
Enter password:
Welcome to the OceanBase. Commands end with ; or \g.
Your OceanBase connection id is 3222463515
Server version: OceanBase_CE 4.3.0.1 (r100000242024032211-0193a343bc60b4699ec47792c3fc4ce166a182f9) (Built Mar 22 2024 13:19:48)

Copyright (c) 2000, 2018, OceanBase and/or its affiliates. All rights reserved.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

obclient [(none)]>
obclient [(none)]> revoke select on ob_test.t2 from A_test;
Query OK, 0 rows affected (0.196 sec)

obclient [(none)]>
obclient [(none)]>
obclient [(none)]> show grants for A_test;
+------------------------------------------------------------+
| Grants for A_test@% |
+------------------------------------------------------------+
| GRANT USAGE ON *.* TO 'A_test' |
| GRANT USAGE ON ob_test.t2 TO 'A_test' WITH GRANT OPTION |
+------------------------------------------------------------+
2 rows in set (0.005 sec)

obclient [(none)]> quit
Bye

6. Log in as A_test and verify the query privilege
[root@DC01 ~]# obclient -h10.0.22.30 -P2881 -uA_test@dba_test2 -p
Enter password:
Welcome to the OceanBase. Commands end with ; or \g.
Your OceanBase connection id is 3222469466
Server version: OceanBase_CE 4.3.0.1 (r100000242024032211-0193a343bc60b4699ec47792c3fc4ce166a182f9) (Built Mar 22 2024 13:19:48)

Copyright (c) 2000, 2018, OceanBase and/or its affiliates. All rights reserved.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

obclient [(none)]>
obclient [(none)]> select * from ob_test.t2;
ERROR 1142 (42000): SELECT command denied to user 'A_test'@'%' for table 't2'

obclient [(none)]> quit
Bye

7. Log in as B_test and verify the privilege
[root@DC01 ~]# obclient -h10.0.22.30 -P2881 -uB_test@dba_test2 -p
Enter password:
Welcome to the OceanBase. Commands end with ; or \g.
Your OceanBase connection id is 3222471644
Server version: OceanBase_CE 4.3.0.1 (r100000242024032211-0193a343bc60b4699ec47792c3fc4ce166a182f9) (Built Mar 22 2024 13:19:48)

Copyright (c) 2000, 2018, OceanBase and/or its affiliates. All rights reserved.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

obclient [(none)]>
obclient [(none)]> select * from ob_test.t2;
Empty set (0.003 sec)

obclient [(none)]>
obclient [(none)]>
obclient [(none)]> show grants for B_test;
+-------------------------------------------+
| Grants for B_test@% |
+-------------------------------------------+
| GRANT USAGE ON *.* TO 'B_test' |
| GRANT SELECT ON ob_test.t2 TO 'B_test' |
+-------------------------------------------+
2 rows in set (0.005 sec)

Conclusion: B_test's object query privilege was not cascade-revoked

obclient [(none)]>

Privilege re-grant - OceanBase Database - OceanBase Documentation Center - Distributed database documentation

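What this refers to is the re-grant of the privilege being revoked, not the privilege being revoked. What you tested is the privilege, not the re-grant made with grant option.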

[root@DC01 ~]# obclient -h10.0.22.30 -P2881 -uroot@dba_test2 -p
Enter password:
Welcome to the OceanBase. Commands end with ; or \g.
Your OceanBase connection id is 3222516058
Server version: OceanBase_CE 4.3.0.1 (r100000242024032211-0193a343bc60b4699ec47792c3fc4ce166a182f9) (Built Mar 22 2024 13:19:48)

Copyright (c) 2000, 2018, OceanBase and/or its affiliates. All rights reserved.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

obclient [(none)]>
obclient [(none)]> create user A_test identified by 'DBAdba_bb@64';
Query OK, 0 rows affected (0.791 sec)

obclient [(none)]> grant select on ob_test.t2 to A_test with grant option;
Query OK, 0 rows affected (0.589 sec)

obclient [(none)]> create user B_test identified by 'DBAdba_bb@64';
Query OK, 0 rows affected (0.263 sec)

obclient [(none)]> quit
Bye
[root@DC01 ~]# obclient -h10.0.22.30 -P2881 -uA_test@dba_test2 -p
Enter password:
Welcome to the OceanBase. Commands end with ; or \g.
Your OceanBase connection id is 3222525823
Server version: OceanBase_CE 4.3.0.1 (r100000242024032211-0193a343bc60b4699ec47792c3fc4ce166a182f9) (Built Mar 22 2024 13:19:48)

Copyright (c) 2000, 2018, OceanBase and/or its affiliates. All rights reserved.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

obclient [(none)]> grant select on ob_test.t2 to B_test with grant option;
Query OK, 0 rows affected (0.387 sec)

obclient [(none)]> show grants for A_test;
+-------------------------------------------------------------+
| Grants for A_test@% |
+-------------------------------------------------------------+
| GRANT USAGE ON *.* TO 'A_test' |
| GRANT SELECT ON ob_test.t2 TO 'A_test' WITH GRANT OPTION |
+-------------------------------------------------------------+
2 rows in set (0.009 sec)

obclient [(none)]> quit
Bye
[root@DC01 ~]# obclient -h10.0.22.30 -P2881 -uroot@dba_test2 -p
Enter password:
Welcome to the OceanBase. Commands end with ; or \g.
Your OceanBase connection id is 3222529960
Server version: OceanBase_CE 4.3.0.1 (r100000242024032211-0193a343bc60b4699ec47792c3fc4ce166a182f9) (Built Mar 22 2024 13:19:48)

Copyright (c) 2000, 2018, OceanBase and/or its affiliates. All rights reserved.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

obclient [(none)]>
obclient [(none)]> revoke select,grant option on ob_test.t2 from A_test;
Query OK, 0 rows affected (0.367 sec)

obclient [(none)]>
obclient [(none)]>
obclient [(none)]>
obclient [(none)]> show grants for A_test;
+-------------------------------+
| Grants for A_test@% |
+-------------------------------+
| GRANT USAGE ON *.* TO 'A_test' |
+-------------------------------+
1 row in set (0.007 sec)

obclient [(none)]> show grants for B_test;
+-------------------------------------------------------------+
| Grants for B_test@% |
+-------------------------------------------------------------+
| GRANT USAGE ON *.* TO 'B_test' |
| GRANT SELECT ON ob_test.t2 TO 'B_test' WITH GRANT OPTION |
+-------------------------------------------------------------+
2 rows in set (0.011 sec)

obclient [(none)]> quit

Thank you for your question. We have confirmed this: the problem is in the documentation here.
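
Added example, not part of the thread and not OceanBase code: since the sessions above show that revoking from A_test leaves B_test's grant in place, this sketch works out which downstream grantees need an explicit REVOKE and skips any that still hold the privilege through another valid grantor. The delegation ledger, the users C_test and D_test, and the function names are assumptions constructed for the illustration.

```python
# Constructed delegation ledger: (grantor, grantee, privilege, object, with_grant_option).
# Assumption: the operator records this at GRANT time; the SHOW GRANTS output
# in the thread does not show who issued a grant.
LEDGER = [
    ("root", "A_test", "SELECT", "ob_test.t2", True),
    ("A_test", "B_test", "SELECT", "ob_test.t2", True),
    ("B_test", "C_test", "SELECT", "ob_test.t2", False),
    ("root", "D_test", "SELECT", "ob_test.t2", True),
    ("D_test", "C_test", "SELECT", "ob_test.t2", False),  # independent second path
]


def holders(ledger, priv, obj, roots, skip=None):
    """Users reachable from a root through grantors that hold GRANT OPTION.
    `skip` is the user being revoked: grants to that user are ignored."""
    held, can_grant = set(), set(roots)
    changed = True
    while changed:  # fixpoint, so ledger order does not matter
        changed = False
        for grantor, grantee, p, o, wgo in ledger:
            if (p, o) != (priv, obj) or grantee == skip or grantor not in can_grant:
                continue
            if grantee not in held:
                held.add(grantee)
                changed = True
            if wgo and grantee not in can_grant:
                can_grant.add(grantee)
                changed = True
    return held


def cascade_revokes(ledger, revoked_user, priv, obj, roots=("root",)):
    """REVOKE statements for grantees left with no valid grant chain."""
    before = holders(ledger, priv, obj, roots)
    after = holders(ledger, priv, obj, roots, skip=revoked_user)
    stmts = []
    for user in sorted(before - after - {revoked_user}):
        has_wgo = any(g == user and (p, o) == (priv, obj) and w
                      for _, g, p, o, w in ledger)
        what = f"{priv}, GRANT OPTION" if has_wgo else priv
        stmts.append(f"REVOKE {what} ON {obj} FROM {user};")
    return stmts


if __name__ == "__main__":
    for stmt in cascade_revokes(LEDGER, "A_test", "SELECT", "ob_test.t2"):
        print(stmt)
```

The generated statements are meant to be reviewed and then run as root, followed by `show grants for` each affected user to confirm the result.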