
check: filter more privilege from AWS (#387)
lance6716 authored Aug 28, 2020
1 parent fdf2b06 commit 03575b1
Showing 2 changed files with 13 additions and 10 deletions.
13 changes: 7 additions & 6 deletions pkg/check/privilege.go
Expand Up @@ -61,7 +61,7 @@ func (pc *SourceDumpPrivilegeChecker) Check(ctx context.Context) *Result {

// Name implements the Checker interface.
func (pc *SourceDumpPrivilegeChecker) Name() string {
return "source db dump privilege chcker"
return "source db dump privilege checker"
}

/*****************************************************/
Expand Down Expand Up @@ -99,7 +99,7 @@ func (pc *SourceReplicatePrivilegeChecker) Check(ctx context.Context) *Result {

// Name implements the Checker interface.
func (pc *SourceReplicatePrivilegeChecker) Name() string {
return "source db replication privilege chcker"
return "source db replication privilege checker"
}

func verifyPrivileges(result *Result, grants []string, expectedGrants []string) {
Expand All @@ -122,10 +122,11 @@ func verifyPrivileges(result *Result, grants []string, expectedGrants []string)
}

// Aurora has some privilege failing parsing
firstGrant = strings.Replace(firstGrant, "LOAD FROM S3", "", 1)
firstGrant = strings.ReplaceAll(firstGrant, ", ,", ",")
firstGrant = strings.Replace(firstGrant, "SELECT INTO S3", "", 1)
firstGrant = strings.ReplaceAll(firstGrant, ", ,", ",")
awsPrivilege := []string{"LOAD FROM S3", "SELECT INTO S3", "INVOKE LAMBDA", "INVOKE SAGEMAKER", "INVOKE COMPREHEND"}
for _, p := range awsPrivilege {
firstGrant = strings.Replace(firstGrant, p, "", 1)
firstGrant = strings.ReplaceAll(firstGrant, ", ,", ",")
}
firstGrant = strings.ReplaceAll(firstGrant, "GRANT ,", "GRANT ")
firstGrant = strings.ReplaceAll(firstGrant, ", ON", " ON")

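Review bot: The `awsPrivilege` slice introduced on the new side of the last hunk is a per-call literal of a list that this very commit shows growing; hoisting it to a package-level `var awsPrivileges = []string{...}` with a doc comment keeps the list in one discoverable place. The only explanation left in the code is `// Aurora has some privilege failing parsing`; a comment such as `// Aurora-specific privileges are unknown to the SQL parser and are stripped before parsing; only tokens the dump/replication check never requires are dropped, so the stripping cannot make an under-privileged account pass` states the invariant the next maintainer needs. The removal is a plain substring match over the whole GRANT statement rather than over its privilege list, so the same phrase inside a quoted object or user name would presumably be stripped as well — unlikely in practice, but splitting the privilege list on `", "` and filtering against the set would avoid that and make the `", ,"` fix-up inside the loop unnecessary. verifyPrivileges begins before and continues past this hunk.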
10 changes: 6 additions & 4 deletions pkg/check/privilege_test.go
Expand Up @@ -54,6 +54,7 @@ func (t *testCheckSuite) TestVerifyPrivileges(c *tc.C) {
grants: []string{ // lack optional privilege
"GRANT REPLICATION SLAVE ON *.* TO 'user'@'%'",
"GRANT REPLICATION CLIENT ON *.* TO 'user'@'%'",
"GRANT EXECUTE ON FUNCTION db1.anomaly_score TO user1@domain-or-ip-address1",
},
dumpState: StateFailure,
replcationState: StateSuccess,
Expand All @@ -63,6 +64,7 @@ func (t *testCheckSuite) TestVerifyPrivileges(c *tc.C) {
"GRANT REPLICATION SLAVE ON *.* TO 'user'@'%'",
"GRANT REPLICATION CLIENT ON *.* TO 'user'@'%'",
"GRANT RELOAD ON *.* TO 'user'@'%'",
"GRANT EXECUTE ON FUNCTION db1.anomaly_score TO user1@domain-or-ip-address1",
},
dumpState: StateFailure,
replcationState: StateSuccess,
Expand Down Expand Up @@ -131,15 +133,15 @@ func (t *testCheckSuite) TestVerifyPrivileges(c *tc.C) {
replcationState: StateSuccess,
},
{
grants: []string{ // Aurora have `LOAD FROM S3, SELECT INTO S3`
"GRANT SELECT, INSERT, UPDATE, DELETE, CREATE, DROP, RELOAD, PROCESS, REFERENCES, INDEX, ALTER, SHOW DATABASES, CREATE TEMPORARY TABLES, LOCK TABLES, EXECUTE, REPLICATION SLAVE, REPLICATION CLIENT, CREATE VIEW, SHOW VIEW, CREATE ROUTINE, ALTER ROUTINE, CREATE USER, EVENT, TRIGGER, LOAD FROM S3, SELECT INTO S3 ON *.* TO 'root'@'%' WITH GRANT OPTION",
grants: []string{ // Aurora have `LOAD FROM S3, SELECT INTO S3, INVOKE LAMBDA`
"GRANT SELECT, INSERT, UPDATE, DELETE, CREATE, DROP, RELOAD, PROCESS, REFERENCES, INDEX, ALTER, SHOW DATABASES, CREATE TEMPORARY TABLES, LOCK TABLES, EXECUTE, REPLICATION SLAVE, REPLICATION CLIENT, CREATE VIEW, SHOW VIEW, CREATE ROUTINE, ALTER ROUTINE, CREATE USER, EVENT, TRIGGER, LOAD FROM S3, SELECT INTO S3, INVOKE LAMBDA, INVOKE SAGEMAKER, INVOKE COMPREHEND ON *.* TO 'root'@'%' WITH GRANT OPTION",
},
dumpState: StateSuccess,
replcationState: StateSuccess,
},
{
grants: []string{ // Aurora have `LOAD FROM S3, SELECT INTO S3`
"GRANT INSERT, UPDATE, DELETE, CREATE, DROP, PROCESS, REFERENCES, INDEX, ALTER, SHOW DATABASES, CREATE TEMPORARY TABLES, LOCK TABLES, EXECUTE, CREATE VIEW, SHOW VIEW, CREATE ROUTINE, ALTER ROUTINE, CREATE USER, EVENT, TRIGGER, LOAD FROM S3, SELECT INTO S3 ON *.* TO 'root'@'%' WITH GRANT OPTION",
grants: []string{ // Aurora have `LOAD FROM S3, SELECT INTO S3, INVOKE LAMBDA`
"GRANT INSERT, UPDATE, DELETE, CREATE, DROP, PROCESS, REFERENCES, INDEX, ALTER, SHOW DATABASES, CREATE TEMPORARY TABLES, LOCK TABLES, EXECUTE, CREATE VIEW, SHOW VIEW, CREATE ROUTINE, ALTER ROUTINE, CREATE USER, EVENT, TRIGGER, LOAD FROM S3, SELECT INTO S3, INVOKE LAMBDA, INVOKE SAGEMAKER, INVOKE COMPREHEND ON *.* TO 'root'@'%' WITH GRANT OPTION",
},
dumpState: StateFailure,
replcationState: StateFailure,
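Review bot: The case comment on the new lines of the last hunk, `// Aurora have `LOAD FROM S3, SELECT INTO S3, INVOKE LAMBDA``, names three of the five Aurora privileges the fixture string now carries; `// Aurora grants include LOAD FROM S3, SELECT INTO S3, INVOKE LAMBDA, INVOKE SAGEMAKER and INVOKE COMPREHEND` would keep the comment and the fixture in step. The `GRANT EXECUTE ON FUNCTION db1.anomaly_score ...` line added in the first two hunks carries no comment saying what it exercises; presumably that an extra object-level grant leaves the dump/replication verdict unchanged, and a `// object-level grant must not change the result` comment would make that expectation explicit. None of the visible cases puts an AWS privilege first in the list, which is the shape the `GRANT ,` normalisation in privilege.go handles; if such a case exists elsewhere in the table it lies outside this hunk. TestVerifyPrivileges starts before and continues past the hunks shown.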
