implement ignore and if exists

Author: James Cor

enginetest/queries/priv_auth_queries.go

@@ -1230,6 +1230,27 @@ var UserPrivTests = []UserPrivilegeTest{
 				Query:    "SELECT User, Host, Select_priv FROM mysql.user WHERE User = 'tester';",
 				Expected: []sql.Row{{"tester", "localhost", "N"}},
 			},
+
+			{
+				// Re-revoking does nothing
+				User:     "root",
+				Host:     "localhost",
+				Query:    "REVOKE SELECT ON *.* FROM tester@localhost;",
+				Expected: []sql.Row{{types.NewOkResult(0)}},
+			},
+			{
+				// IF EXISTS option does nothing
+				User:     "root",
+				Host:     "localhost",
+				Query:    "REVOKE IF EXISTS SELECT ON *.* FROM tester@localhost;",
+				Expected: []sql.Row{{types.NewOkResult(0)}},
+			},
+			{
+				User:     "root",
+				Host:     "localhost",
+				Query:    "SELECT User, Host, Select_priv FROM mysql.user WHERE User = 'tester';",
+				Expected: []sql.Row{{"tester", "localhost", "N"}},
+			},
 		},
 	},
 	{
@@ -1325,6 +1346,39 @@ var UserPrivTests = []UserPrivilegeTest{
 				Query:    "SELECT User, Host, Select_priv, Insert_priv, Grant_priv FROM mysql.user WHERE User = 'tester2';",
 				Expected: []sql.Row{{"tester2", "localhost", "N", "N", "N"}},
 			},
+			{
+				// Re-revoking does nothing
+				User:     "root",
+				Host:     "localhost",
+				Query:    "REVOKE ALL PRIVILEGES, GRANT OPTION FROM tester2@localhost;",
+				Expected: []sql.Row{{types.NewOkResult(0)}},
+			},
+			{
+				// IF EXISTS does nothing
+				User:     "root",
+				Host:     "localhost",
+				Query:    "REVOKE IF EXISTS ALL PRIVILEGES, GRANT OPTION FROM tester2@localhost;",
+				Expected: []sql.Row{{types.NewOkResult(0)}},
+			},
+			{
+				User:     "root",
+				Host:     "localhost",
+				Query:    "SELECT User, Host, Select_priv, Insert_priv, Grant_priv FROM mysql.user WHERE User = 'tester2';",
+				Expected: []sql.Row{{"tester2", "localhost", "N", "N", "N"}},
+			},
+			{
+				User:        "root",
+				Host:        "localhost",
+				Query:       "REVOKE IF EXISTS ALL PRIVILEGES, GRANT OPTION FROM fake1@localhost, fake2@localhost, fake3@localhost;",
+				ExpectedErr: sql.ErrRevokeUserDoesNotExist,
+			},
+			{
+				// TODO: check warnings
+				User:     "root",
+				Host:     "localhost",
+				Query:    "REVOKE IF EXISTS ALL PRIVILEGES, GRANT OPTION FROM fake1@localhost, fake2@localhost, fake3@localhost IGNORE UNKNOWN USER;",
+				Expected: []sql.Row{{types.NewOkResult(0)}},
+			},
 		},
 	},
 	{
@@ -1444,6 +1498,32 @@ var UserPrivTests = []UserPrivilegeTest{
 				Query:    "SELECT COUNT(*) FROM mysql.user WHERE User = 'tester';",
 				Expected: []sql.Row{{1}},
 			},
+			{
+				User:        "root",
+				Host:        "localhost",
+				Query:       "REVOKE fake_role FROM tester@localhost;",
+				ExpectedErr: sql.ErrGrantRevokeRoleDoesNotExist,
+			},
+			{
+				// TODO: check for warning
+				User:     "root",
+				Host:     "localhost",
+				Query:    "REVOKE IF EXISTS fake_role FROM tester@localhost;",
+				Expected: []sql.Row{{types.NewOkResult(0)}},
+			},
+			{
+				User:        "root",
+				Host:        "localhost",
+				Query:       "REVOKE test_role FROM fake_user@localhost;",
+				ExpectedErr: sql.ErrGrantRevokeRoleDoesNotExist,
+			},
+			{
+				// TODO: check for warning
+				User:     "root",
+				Host:     "localhost",
+				Query:    "REVOKE test_role FROM fake_user@localhost IGNORE UNKNOWN USER;",
+				Expected: []sql.Row{{types.NewOkResult(0)}},
+			},
 		},
 	},
 	{

sql/plan/revoke.go

@@ -26,11 +26,12 @@ import (
 
 // Revoke represents the statement REVOKE [privilege...] ON [item] FROM [user...].
 type Revoke struct {
-	Privileges     []Privilege
-	ObjectType     ObjectType
-	PrivilegeLevel PrivilegeLevel
-	Users          []UserName
-	MySQLDb        sql.Database
+	Privileges        []Privilege
+	ObjectType        ObjectType
+	PrivilegeLevel    PrivilegeLevel
+	Users             []UserName
+	IgnoreUnknownUser bool
+	MySQLDb           sql.Database
 }
 
 var _ sql.Node = (*Revoke)(nil)
@@ -497,9 +498,11 @@ func (*RevokeAll) CollationCoercibility(ctx *sql.Context) (collation sql.Collati
 
 // RevokeRole represents the statement REVOKE [role...] FROM [user...].
 type RevokeRole struct {
-	Roles       []UserName
-	TargetUsers []UserName
-	MySQLDb     sql.Database
+	Roles             []UserName
+	TargetUsers       []UserName
+	IfExists          bool
+	IgnoreUnknownUser bool
+	MySQLDb           sql.Database
 }
 
 var _ sql.Node = (*RevokeRole)(nil)
@@ -508,11 +511,13 @@ var _ sql.CollationCoercible = (*RevokeRole)(nil)
 var _ sql.AuthorizationCheckerNode = (*RevokeRole)(nil)
 
 // NewRevokeRole returns a new RevokeRole node.
-func NewRevokeRole(roles []UserName, users []UserName) *RevokeRole {
+func NewRevokeRole(roles []UserName, users []UserName, ifExists, ignoreUnknownUser bool) *RevokeRole {
 	return &RevokeRole{
-		Roles:       roles,
-		TargetUsers: users,
-		MySQLDb:     sql.UnresolvedDatabase("mysql"),
+		Roles:             roles,
+		TargetUsers:       users,
+		IfExists:          ifExists,
+		IgnoreUnknownUser: ignoreUnknownUser,
+		MySQLDb:           sql.UnresolvedDatabase("mysql"),
 	}
 }
 
@@ -613,19 +618,23 @@ func (*RevokeRole) CollationCoercibility(ctx *sql.Context) (collation sql.Collat
 
 // RevokeProxy represents the statement REVOKE PROXY.
 type RevokeProxy struct {
-	On   UserName
-	From []UserName
+	On                UserName
+	From              []UserName
+	IfExists          bool
+	ignoreUnknownUser bool
 }
 
 var _ sql.Node = (*RevokeProxy)(nil)
 var _ sql.CollationCoercible = (*RevokeProxy)(nil)
 var _ sql.AuthorizationCheckerNode = (*RevokeProxy)(nil)
 
 // NewRevokeProxy returns a new RevokeProxy node.
-func NewRevokeProxy(on UserName, from []UserName) *RevokeProxy {
+func NewRevokeProxy(on UserName, from []UserName, ifExists, ignoreUnknownUser bool) *RevokeProxy {
 	return &RevokeProxy{
-		On:   on,
-		From: from,
+		On:                on,
+		From:              from,
+		IfExists:          ifExists,
+		ignoreUnknownUser: ignoreUnknownUser,
 	}
 }
 

sql/planbuilder/priv.go

@@ -516,11 +516,12 @@ func (b *Builder) buildRevokePrivilege(inScope *scope, n *ast.RevokePrivilege) (
 	}
 	outScope = inScope.push()
 	outScope.node = &plan.Revoke{
-		Privileges:     privs,
-		ObjectType:     objType,
-		PrivilegeLevel: level,
-		Users:          users,
-		MySQLDb:        b.resolveDb("mysql"),
+		Privileges:        privs,
+		ObjectType:        objType,
+		PrivilegeLevel:    level,
+		Users:             users,
+		IgnoreUnknownUser: n.IgnoreUnknownUser,
+		MySQLDb:           b.resolveDb("mysql"),
 	}
 	n.Auth.Extra = outScope.node
 	if err := b.cat.AuthorizationHandler().HandleAuth(b.ctx, b.authQueryState, n.Auth); err != nil && b.authEnabled {
@@ -542,9 +543,11 @@ func (b *Builder) buildRevokeAllPrivileges(inScope *scope, n *ast.RevokeAllPrivi
 func (b *Builder) buildRevokeRole(inScope *scope, n *ast.RevokeRole) (outScope *scope) {
 	outScope = inScope.push()
 	outScope.node = &plan.RevokeRole{
-		Roles:       convertAccountName(n.Roles...),
-		TargetUsers: convertAccountName(n.From...),
-		MySQLDb:     b.resolveDb("mysql"),
+		Roles:             convertAccountName(n.Roles...),
+		TargetUsers:       convertAccountName(n.From...),
+		IfExists:          n.IfExists,
+		IgnoreUnknownUser: n.IgnoreUnknownUser,
+		MySQLDb:           b.resolveDb("mysql"),
 	}
 	n.Auth.Extra = outScope.node
 	if err := b.cat.AuthorizationHandler().HandleAuth(b.ctx, b.authQueryState, n.Auth); err != nil && b.authEnabled {
@@ -558,7 +561,7 @@ func (b *Builder) buildRevokeProxy(inScope *scope, n *ast.RevokeProxy) (outScope
 		b.handleErr(err)
 	}
 	outScope = inScope.push()
-	outScope.node = plan.NewRevokeProxy(convertAccountName(n.On)[0], convertAccountName(n.From...))
+	outScope.node = plan.NewRevokeProxy(convertAccountName(n.On)[0], convertAccountName(n.From...), n.IfExists, n.IgnoreUnknownUser)
 	return
 }
 

sql/rowexec/priv.go

@@ -88,12 +88,22 @@ func (b *BaseBuilder) buildRevokeRole(ctx *sql.Context, n *plan.RevokeRole, row
 	for _, targetUser := range n.TargetUsers {
 		user := mysqlDb.GetUser(editor, targetUser.Name, targetUser.Host, false)
 		if user == nil {
-			return nil, sql.ErrGrantRevokeRoleDoesNotExist.New(targetUser.String("`"))
+			err := sql.ErrGrantRevokeRoleDoesNotExist.New(targetUser.String("`"))
+			if n.IgnoreUnknownUser {
+				ctx.Warn(1362, err.Error())
+				continue
+			}
+			return nil, err
 		}
 		for _, targetRole := range n.Roles {
 			role := mysqlDb.GetUser(editor, targetRole.Name, targetRole.Host, true)
 			if role == nil {
-				return nil, sql.ErrGrantRevokeRoleDoesNotExist.New(targetRole.String("`"))
+				err := sql.ErrGrantRevokeRoleDoesNotExist.New(targetUser.String("`"))
+				if n.IfExists {
+					ctx.Warn(3523, err.Error())
+					continue
+				}
+				return nil, err
 			}
 			//TODO: if a role is mentioned in the "mandatory_roles" system variable then they cannot be revoked
 			editor.RemoveRoleEdge(mysql_db.RoleEdgesPrimaryKey{
@@ -210,7 +220,12 @@ func (b *BaseBuilder) buildRevoke(ctx *sql.Context, n *plan.Revoke, row sql.Row)
 	for _, revokeUser := range n.Users {
 		user := mysqlDb.GetUser(editor, revokeUser.Name, revokeUser.Host, false)
 		if user == nil {
-			return nil, sql.ErrGrantUserDoesNotExist.New()
+			err := sql.ErrRevokeUserDoesNotExist.New(revokeUser.Name, revokeUser.Host)
+			if n.IgnoreUnknownUser {
+				ctx.Warn(3162, err.Error())
+				continue
+			}
+			return nil, err
 		}
 		users = append(users, user)
 	}