Hi, Anel, On Apr 25, Anel Husakovic wrote:

revision-id: 585cd1f52e7 (mariadb-10.5.14-10-g585cd1f52e7) parent(s): 52b32c60c26 author: Anel Husakovic committer: Anel Husakovic timestamp: 2022-02-14 13:59:24 +0100 message:

MDEV-26875: Wrong user in SET DEFAULT ROLE error

- Caused by 7c02e8717de5, where 957cb7b7ba35 introduced the bug.

Reviewed by:

diff --git a/sql/sql_acl.cc b/sql/sql_acl.cc index c4e66cf5d73..e83bc5635dc 100644 --- a/sql/sql_acl.cc +++ b/sql/sql_acl.cc @@ -3277,10 +3277,14 @@ static int check_user_can_set_role(THD *thd, const char *user, check_role_is_granted_callback, NULL) == -1)) { - /* Role is not granted but current user can see the role */ - my_printf_error(ER_INVALID_ROLE, "User %`s@%`s has not been granted role %`s", - MYF(0), thd->security_ctx->priv_user, - thd->security_ctx->priv_host, rolename); + /* If the SET ROLE is applied on the anonymous user, host is null */ + if (!host) + my_printf_error(ER_INVALID_ROLE, "User %`s@%`s has not been granted role %`s", + MYF(0), thd->security_ctx->priv_user, thd->security_ctx->priv_host, rolename);

I don't understand it. 1) what does it mean? why for anonymous user you print priv_user@priv_host ? 2) do you have any tests for that? There are none in the commit

+ else + /* Role is not granted but current user can see the role */ + my_printf_error(ER_INVALID_ROLE, "User %`s@%`s has not been granted role %`s", + MYF(0), user, host, rolename); } else {

Regards, Sergei VP of MariaDB Server Engineering and security@mariadb.org