privilege: fix create temporary tables privileges related bugs (#60313)

Defined2014 · web-flow · commit d91661402687 · 2025-03-31T06:04:12.000Z
close #29280, close #29281
diff --git a/pkg/executor/show.go b/pkg/executor/show.go
@@ -629,7 +629,7 @@ func (e *ShowExec) fetchShowTables(ctx context.Context) error {
 	for _, v := range showInfos {
 		// Test with mysql.AllPrivMask means any privilege would be OK.
 		// TODO: Should consider column privileges, which also make a table visible.
-		if checker != nil && !checker.RequestVerification(activeRoles, e.DBName.O, v.Name.O, "", mysql.AllPrivMask) {
+		if checker != nil && !checker.RequestVerification(activeRoles, e.DBName.O, v.Name.O, "", mysql.AllPrivMask&(^mysql.CreateTMPTablePriv)) {
 			continue
 		} else if fieldFilter != "" && v.Name.L != fieldFilter {
 			continue
diff --git a/pkg/parser/mysql/privs.go b/pkg/parser/mysql/privs.go
@@ -257,7 +257,7 @@ const (
 	CreateRolePriv
 	// DropRolePriv is the privilege to drop a role.
 	DropRolePriv
-	// CreateTMPTablePriv is the privilege to create a temporary table.
+	// CreateTMPTablePriv is the privilege to create a local temporary table.
 	CreateTMPTablePriv
 	// LockTablesPriv is the privilege to lock tables.
 	LockTablesPriv
diff --git a/pkg/planner/core/logical_plans_test.go b/pkg/planner/core/logical_plans_test.go
@@ -1406,7 +1406,7 @@ func TestVisitInfo(t *testing.T) {
 		{
 			sql: `show create table test.ttt`,
 			ans: []visitInfo{
-				{mysql.AllPrivMask, "test", "ttt", "", nil, false, nil, false},
+				{mysql.AllPrivMask & (^mysql.CreateTMPTablePriv), "test", "ttt", "", nil, false, nil, false},
 			},
 		},
 		{
diff --git a/pkg/planner/core/planbuilder.go b/pkg/planner/core/planbuilder.go
@@ -3439,6 +3439,7 @@ func (b *PlanBuilder) buildShow(ctx context.Context, show *ast.ShowStmt) (base.P
 	}.Init(b.ctx)
 	isView := false
 	isSequence := false
+	isTempTableLocal := false
 	// It depends on ShowPredicateExtractor now
 	buildPattern := true
 
@@ -3456,6 +3457,7 @@ func (b *PlanBuilder) buildShow(ctx context.Context, show *ast.ShowStmt) (base.P
 		if table, err := b.is.TableByName(ctx, show.Table.Schema, show.Table.Name); err == nil {
 			isView = table.Meta().IsView()
 			isSequence = table.Meta().IsSequence()
+			isTempTableLocal = table.Meta().TempTableType == model.TempTableLocal
 		}
 		user := b.ctx.GetSessionVars().User
 		if isView {
@@ -3467,7 +3469,11 @@ func (b *PlanBuilder) buildShow(ctx context.Context, show *ast.ShowStmt) (base.P
 			if user != nil {
 				err = plannererrors.ErrTableaccessDenied.GenWithStackByArgs("SHOW", user.AuthUsername, user.AuthHostname, show.Table.Name.L)
 			}
-			b.visitInfo = appendVisitInfo(b.visitInfo, mysql.AllPrivMask, show.Table.Schema.L, show.Table.Name.L, "", err)
+			if isTempTableLocal {
+				b.visitInfo = appendVisitInfo(b.visitInfo, mysql.AllPrivMask, show.Table.Schema.L, show.Table.Name.L, "", err)
+			} else {
+				b.visitInfo = appendVisitInfo(b.visitInfo, mysql.AllPrivMask&(^mysql.CreateTMPTablePriv), show.Table.Schema.L, show.Table.Name.L, "", err)
+			}
 		}
 	case ast.ShowConfig:
 		privErr := plannererrors.ErrSpecificAccessDenied.GenWithStackByArgs("CONFIG")
diff --git a/pkg/privilege/privileges/cache.go b/pkg/privilege/privileges/cache.go
@@ -56,7 +56,7 @@ var (
 	tablePrivMask          = computePrivMask(mysql.AllTablePrivs)
 )
 
-const globalDBVisible = mysql.CreatePriv | mysql.SelectPriv | mysql.InsertPriv | mysql.UpdatePriv | mysql.DeletePriv | mysql.ShowDBPriv | mysql.DropPriv | mysql.AlterPriv | mysql.IndexPriv | mysql.CreateViewPriv | mysql.ShowViewPriv | mysql.GrantPriv | mysql.TriggerPriv | mysql.ReferencesPriv | mysql.ExecutePriv
+const globalDBVisible = mysql.CreatePriv | mysql.SelectPriv | mysql.InsertPriv | mysql.UpdatePriv | mysql.DeletePriv | mysql.ShowDBPriv | mysql.DropPriv | mysql.AlterPriv | mysql.IndexPriv | mysql.CreateViewPriv | mysql.ShowViewPriv | mysql.GrantPriv | mysql.TriggerPriv | mysql.ReferencesPriv | mysql.ExecutePriv | mysql.CreateTMPTablePriv
 
 const (
 	sqlLoadRoleGraph        = "SELECT HIGH_PRIORITY FROM_USER, FROM_HOST, TO_USER, TO_HOST FROM mysql.role_edges"
diff --git a/pkg/privilege/privileges/privileges_test.go b/pkg/privilege/privileges/privileges_test.go
@@ -722,8 +722,9 @@ func TestShowCreateTable(t *testing.T) {
 	store := createStoreAndPrepareDB(t)
 
 	tk := testkit.NewTestKit(t, store)
-	tk.MustExec(`CREATE USER tsct1, tsct2`)
+	tk.MustExec(`CREATE USER tsct1, tsct2, tsct3`)
 	tk.MustExec(`GRANT select ON mysql.* to tsct2`)
+	tk.MustExec(`GRANT create temporary tables on mysql.* to tsct3`)
 
 	// should fail
 	require.NoError(t, tk.Session().Auth(&auth.UserIdentity{Username: "tsct1", Hostname: "localhost", AuthUsername: "tsct1", AuthHostname: "%"}, nil, nil, nil))
@@ -733,6 +734,12 @@ func TestShowCreateTable(t *testing.T) {
 	// should pass
 	require.NoError(t, tk.Session().Auth(&auth.UserIdentity{Username: "tsct2", Hostname: "localhost", AuthUsername: "tsct2", AuthHostname: "%"}, nil, nil, nil))
 	tk.MustExec(`SHOW CREATE TABLE mysql.user`)
+
+	// should fail
+	// https://github.com/pingcap/tidb/issues/29281
+	require.NoError(t, tk.Session().Auth(&auth.UserIdentity{Username: "tsct3", Hostname: "localhost", AuthUsername: "tsct3", AuthHostname: "%"}, nil, nil, nil))
+	err = tk.ExecToErr(`SHOW CREATE TABLE mysql.user`)
+	require.True(t, terror.ErrorEqual(err, plannererrors.ErrTableaccessDenied))
 }
 
 func TestAnalyzeTable(t *testing.T) {
diff --git a/tests/integrationtest/r/privilege/privileges.result b/tests/integrationtest/r/privilege/privileges.result
@@ -722,3 +722,13 @@ Error 1227 (42000): Access denied; you need (at least one of) the CREATE USER pr
 alter user test account unlock;
 Error 1227 (42000): Access denied; you need (at least one of) the CREATE USER privilege(s) for this operation
 alter user u59677 identified by 'abcde';
+drop database if exists tmpdb;
+create database tmpdb;
+drop user test_user;
+create user test_user;
+grant create temporary tables on tmpdb.* to test_user;
+show databases;
+Database
+INFORMATION_SCHEMA
+tmpdb
+create temporary table tmpdb.tmp(id int);
diff --git a/tests/integrationtest/t/privilege/privileges.test b/tests/integrationtest/t/privilege/privileges.test
@@ -977,3 +977,16 @@ alter user test account unlock;
 alter user u59677 identified by 'abcde';
 disconnect u59677;
 connection default;
+
+# TestIssue29280
+drop database if exists tmpdb;
+create database tmpdb;
+drop user test_user;
+create user test_user;
+grant create temporary tables on tmpdb.* to test_user;
+connect (test_user, localhost, test_user,,);
+show databases;
+create temporary table tmpdb.tmp(id int);
+disconnect test_user;
+connection default;
+

Original file line number	Diff line number	Diff line change
`@@ -1406,7 +1406,7 @@ func TestVisitInfo(t *testing.T) {`
`1406`	`1406`	`{`
`1407`	`1407`	sql: `show create table test.ttt`,
`1408`	`1408`	`ans: []visitInfo{`
`1409`		`- {mysql.AllPrivMask, "test", "ttt", "", nil, false, nil, false},`
	`1409`	`+ {mysql.AllPrivMask & (^mysql.CreateTMPTablePriv), "test", "ttt", "", nil, false, nil, false},`
`1410`	`1410`	`},`
`1411`	`1411`	`},`
`1412`	`1412`	`{`
Original file line number	Diff line number	Diff line change
`@@ -56,7 +56,7 @@ var (`
`56`	`56`	`tablePrivMask = computePrivMask(mysql.AllTablePrivs)`
`57`	`57`	`)`
`58`	`58`
`59`		`-const globalDBVisible = mysql.CreatePriv \| mysql.SelectPriv \| mysql.InsertPriv \| mysql.UpdatePriv \| mysql.DeletePriv \| mysql.ShowDBPriv \| mysql.DropPriv \| mysql.AlterPriv \| mysql.IndexPriv \| mysql.CreateViewPriv \| mysql.ShowViewPriv \| mysql.GrantPriv \| mysql.TriggerPriv \| mysql.ReferencesPriv \| mysql.ExecutePriv`
	`59`	`+const globalDBVisible = mysql.CreatePriv \| mysql.SelectPriv \| mysql.InsertPriv \| mysql.UpdatePriv \| mysql.DeletePriv \| mysql.ShowDBPriv \| mysql.DropPriv \| mysql.AlterPriv \| mysql.IndexPriv \| mysql.CreateViewPriv \| mysql.ShowViewPriv \| mysql.GrantPriv \| mysql.TriggerPriv \| mysql.ReferencesPriv \| mysql.ExecutePriv \| mysql.CreateTMPTablePriv`
`60`	`60`
`61`	`61`	`const (`
`62`	`62`	`sqlLoadRoleGraph = "SELECT HIGH_PRIORITY FROM_USER, FROM_HOST, TO_USER, TO_HOST FROM mysql.role_edges"`