Support GRANT ... AS user [WITH ROLE r] (definer-context grants) #21

@kyleconroy

Summary

Marino does not parse the AS user [WITH ROLE r] tail on GRANT, used to evaluate a grant under a different definer context.

MySQL version

Introduced in MySQL 8.0.27.

Current state in marino

grep -in 'GrantStmt\|GRANT.*AS' parser/parser.y shows no AS UserSpec WITH ROLE continuation in the GrantStmt rule.

Example SQL

Global privilege granted under a role context:

CREATE ROLE r_demo;
CREATE USER fact_u IDENTIFIED BY 'p';
GRANT r_demo TO fact_u;

GRANT BACKUP_ADMIN ON *.* TO fact_u
  AS root@localhost
  WITH ROLE r_demo;

WITH ROLE accepts:

GRANT SELECT ON *.* TO u AS root@localhost WITH ROLE DEFAULT;
GRANT SELECT ON *.* TO u AS root@localhost WITH ROLE NONE;
GRANT SELECT ON *.* TO u AS root@localhost WITH ROLE ALL EXCEPT r1, r2;
GRANT SELECT ON *.* TO u AS root@localhost WITH ROLE r1, r2;

Validation

The GRANT ... AS root@localhost WITH ROLE r_demo form parses against MySQL 9.2.0 Community. (Server returned ER_USER_DOES_NOT_EXIST / ER_DA_GRANT_AS_NOT_PERMITTED for the demo user, which is ER_*, not ER_PARSE_ERROR.)

Notes for the implementer

  • Extend GrantStmt with optional AS UserSpec [WITH ROLE RoleSpec] tail.
  • WITH ROLE body can be: DEFAULT, NONE, ALL [EXCEPT role_list], or an explicit role_list.
  • AST: add AsUser *auth.UserIdentity and a role spec field.
  • Reference: https://dev.mysql.com/doc/refman/9.2/en/grant.html
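The tail grammar from the notes above, as an added Go example that is not part of the original issue or marino's code: it parses the `AS user [WITH ROLE ...]` tail into a hypothetical `GrantAs` node and returns an error for a malformed tail instead of dropping it. `GrantAs`, `ParseGrantAsTail` and `withRoles` are assumed names, and the user token is assumed to contain no spaces.

```go
package main

import (
	"fmt"
	"strings"
)

// GrantAs is a hypothetical AST node; Mode is "" (no WITH ROLE), DEFAULT, NONE, ALL or LIST.
type GrantAs struct {
	User, Mode string
	Roles      []string // EXCEPT list for ALL, or the explicit role list
}

// ParseGrantAsTail parses "AS user [WITH ROLE spec]"; keywords are not rejected as role names.
func ParseGrantAsTail(tail string) (*GrantAs, error) {
	f := strings.Fields(strings.TrimSuffix(strings.TrimSpace(tail), ";"))
	if len(f) < 2 || !strings.EqualFold(f[0], "AS") {
		return nil, fmt.Errorf("expected AS user")
	}
	g := &GrantAs{User: f[1]}
	if len(f) == 2 {
		return g, nil
	}
	if len(f) < 5 || !strings.EqualFold(f[2], "WITH") || !strings.EqualFold(f[3], "ROLE") {
		return nil, fmt.Errorf("expected WITH ROLE spec after user")
	}
	body := f[4:]
	switch kw := strings.ToUpper(body[0]); {
	case len(body) == 1 && (kw == "DEFAULT" || kw == "NONE" || kw == "ALL"):
		g.Mode = kw
		return g, nil
	case kw == "ALL" && strings.EqualFold(body[1], "EXCEPT"):
		return g.withRoles("ALL", body[2:])
	}
	return g.withRoles("LIST", body)
}

// withRoles splits a comma-separated role list; empty or space-split names fail.
func (g *GrantAs) withRoles(mode string, toks []string) (*GrantAs, error) {
	g.Mode, g.Roles = mode, strings.Split(strings.Join(toks, " "), ",")
	for i, r := range g.Roles {
		if g.Roles[i] = strings.TrimSpace(r); g.Roles[i] == "" || strings.Contains(g.Roles[i], " ") {
			return nil, fmt.Errorf("malformed role list %q", strings.Join(toks, " "))
		}
	}
	return g, nil
}

func main() { fmt.Println(ParseGrantAsTail("AS root@localhost WITH ROLE ALL EXCEPT r1, r2")) }
```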
