[BUG]: GRANT ... REQUIRE NONE doesn't unset SSL requirements
on 23.10.2002 19:57:02 by Paul DuBois
I thought this had been fixed, but apparently not, or else the problem
has reappeared. Essentially, REQUIRE NONE in a GRANT statement doesn't
reset the ssl_type column to blank.
How-to-repeat:
First set up an account with no SSL requirements:
grant all on *.* to wilbur@localhost require none
select ssl_type,ssl_cipher,x509_issuer,x509_subject from user where
user='wilbur'
+----------+------------+-------------+--------------+
| ssl_type | ssl_cipher | x509_issuer | x509_subject |
+----------+------------+-------------+--------------+
|          |            |             |              |
+----------+------------+-------------+--------------+
Okay, that's correct.
Now require the account to use SSL:
grant all on *.* to wilbur@localhost require ssl
select ssl_type,ssl_cipher,x509_issuer,x509_subject from user where
user='wilbur'
+----------+------------+-------------+--------------+
| ssl_type | ssl_cipher | x509_issuer | x509_subject |
+----------+------------+-------------+--------------+
| ANY      |            |             |              |
+----------+------------+-------------+--------------+
Okay, that's still correct.
Now try to unset the SSL requirements.
grant all on *.* to wilbur@localhost require none
select ssl_type,ssl_cipher,x509_issuer,x509_subject from user where
user='wilbur'
+----------+------------+-------------+--------------+
| ssl_type | ssl_cipher | x509_issuer | x509_subject |
+----------+------------+-------------+--------------+
| ANY      |            |             |              |
+----------+------------+-------------+--------------+
That's not correct. The grant record still requires SSL.
Try changing the account to require a specific issuer:
grant all on *.* to wilbur@localhost require issuer
'/C=US/ST=WI/L=Madison/O=sampdb/OU=CA/CN=sampdb'
select ssl_type,ssl_cipher,x509_issuer,x509_subject from user where
user='wilbur'
+-----------+------------+------------------------------------------------+--------------+
| ssl_type  | ssl_cipher | x509_issuer                                    | x509_subject |
+-----------+------------+------------------------------------------------+--------------+
| SPECIFIED |            | /C=US/ST=WI/L=Madison/O=sampdb/OU=CA/CN=sampdb |              |
+-----------+------------+------------------------------------------------+--------------+
That's correct.
Now try unsetting the requirement:
grant all on *.* to wilbur@localhost require none
select ssl_type,ssl_cipher,x509_issuer,x509_subject from user where
user='wilbur'
+-----------+------------+------------------------------------------------+--------------+
| ssl_type  | ssl_cipher | x509_issuer                                    | x509_subject |
+-----------+------------+------------------------------------------------+--------------+
| SPECIFIED |            | /C=US/ST=WI/L=Madison/O=sampdb/OU=CA/CN=sampdb |              |
+-----------+------------+------------------------------------------------+--------------+
That's not correct. The issuer is still required.
Try changing the record to just require SSL again:
grant all on *.* to wilbur@localhost require ssl
select ssl_type,ssl_cipher,x509_issuer,x509_subject from user where
user='wilbur'
+----------+------------+-------------+--------------+
| ssl_type | ssl_cipher | x509_issuer | x509_subject |
+----------+------------+-------------+--------------+
| ANY      |            |             |              |
+----------+------------+-------------+--------------+
That's correct.
So it looks like REQUIRE NONE is failing to clear out the SSL-related
columns in the user table entry.
Or else I don't understand what REQUIRE NONE is supposed to do?
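
An audit over the four columns examined in the report, added here as an example and not part of the original post: the first query lists accounts that were meant to have no SSL requirement but still store one, the second flags rows whose SSL columns disagree with each other. The account list in the first query is an assumption to be replaced with your own, and both queries assume a mysql.user table with the columns shown above.

```sql
-- Added example, not from the original post.
-- Assumes mysql.user has the ssl_type, ssl_cipher, x509_issuer and
-- x509_subject columns shown in the report, and SELECT privilege on it.

-- 1. Accounts that should have no SSL requirement but still store one.
--    The (user, host) list is an assumption: fill in the accounts that
--    were reset with REQUIRE NONE.
SELECT user, host, ssl_type, ssl_cipher, x509_issuer, x509_subject
FROM mysql.user
WHERE (user, host) IN (('wilbur', 'localhost'))
  AND (ssl_type <> '' OR ssl_cipher <> ''
       OR x509_issuer <> '' OR x509_subject <> '');

-- 2. Rows whose SSL columns disagree with each other, for every account.
--    ssl_type is one of '', 'ANY', 'X509' or 'SPECIFIED'; only SPECIFIED
--    should come with a cipher, issuer or subject value.
SELECT user, host, ssl_type,
       CASE
         WHEN ssl_type = 'SPECIFIED'
           THEN 'SPECIFIED with no cipher, issuer or subject'
         ELSE 'leftover cipher, issuer or subject'
       END AS problem
FROM mysql.user
WHERE (ssl_type = 'SPECIFIED'
       AND ssl_cipher = '' AND x509_issuer = '' AND x509_subject = '')
   OR (ssl_type <> 'SPECIFIED'
       AND (ssl_cipher <> '' OR x509_issuer <> '' OR x509_subject <> ''))
ORDER BY user, host;
```

An empty result from both queries means the stored requirements match what was intended for the listed accounts.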