2020-11-16 10:01:44 +01:00
|
|
|
CREATE USER user1@localhost IDENTIFIED BY '';
|
|
|
|
|
GRANT ALL PRIVILEGES ON *.* TO user1@localhost;
|
MDEV-29668 SUPER should not allow actions that have fine-grained dedicated privileges
SUPER privilege used to allow various actions that were alternatively
allowed by one of BINLOG ADMIN, BINLOG MONITOR, BINLOG REPLAY,
CONNECTION ADMIN, FEDERATED ADMIN, REPL MASTER ADMIN, REPL SLAVE ADMIN,
SET USER, SLAVE MONITOR.
Now SUPER no longer does that, one has to grant one of the fine-grained
privileges above to be to perform corresponding actions.
On upgrade from MariaDB versions 10.11 and below all the privileges
above are granted automatically if the user has SUPER.
As a side-effect, such an upgrade will allow SUPER-user to run SHOW
BINLOG EVENTS, SHOW RELAYLOG EVENTS, SHOW SLAVE HOSTS, even if he wasn't
able to do it before the upgrade.
2022-12-10 12:08:31 +01:00
|
|
|
REVOKE SLAVE MONITOR ON *.* FROM user1@localhost;
|
2020-11-16 10:01:44 +01:00
|
|
|
FLUSH PRIVILEGES;
|
|
|
|
|
connect con1,localhost,user1,,;
|
|
|
|
|
connection con1;
|
|
|
|
|
SHOW GRANTS;
|
|
|
|
|
Grants for user1@localhost
|
2023-09-04 13:04:06 +02:00
|
|
|
GRANT SELECT, INSERT, UPDATE, DELETE, CREATE, DROP, RELOAD, SHUTDOWN, PROCESS, FILE, REFERENCES, INDEX, ALTER, SHOW DATABASES, SUPER, CREATE TEMPORARY TABLES, LOCK TABLES, EXECUTE, REPLICATION SLAVE, BINLOG MONITOR, CREATE VIEW, SHOW VIEW, CREATE ROUTINE, ALTER ROUTINE, CREATE USER, EVENT, TRIGGER, CREATE TABLESPACE, DELETE HISTORY, SET USER, FEDERATED ADMIN, CONNECTION ADMIN, READ_ONLY ADMIN, REPLICATION SLAVE ADMIN, REPLICATION MASTER ADMIN, BINLOG ADMIN, BINLOG REPLAY, SHOW CREATE ROUTINE ON *.* TO `user1`@`localhost`
|
2020-11-16 10:01:44 +01:00
|
|
|
#
|
|
|
|
|
# Verify that having REPLICATION SLAVE ADMIN doesn't allow SHOW SLAVE STATUS
|
MDEV-29668 SUPER should not allow actions that have fine-grained dedicated privileges
SUPER privilege used to allow various actions that were alternatively
allowed by one of BINLOG ADMIN, BINLOG MONITOR, BINLOG REPLAY,
CONNECTION ADMIN, FEDERATED ADMIN, REPL MASTER ADMIN, REPL SLAVE ADMIN,
SET USER, SLAVE MONITOR.
Now SUPER no longer does that, one has to grant one of the fine-grained
privileges above to be to perform corresponding actions.
On upgrade from MariaDB versions 10.11 and below all the privileges
above are granted automatically if the user has SUPER.
As a side-effect, such an upgrade will allow SUPER-user to run SHOW
BINLOG EVENTS, SHOW RELAYLOG EVENTS, SHOW SLAVE HOSTS, even if he wasn't
able to do it before the upgrade.
2022-12-10 12:08:31 +01:00
|
|
|
# Expected error: Access denied; you need (at least one of) the SLAVE MONITOR privilege(s) for this operation
|
2020-11-16 10:01:44 +01:00
|
|
|
#
|
|
|
|
|
SHOW SLAVE STATUS;
|
MDEV-29668 SUPER should not allow actions that have fine-grained dedicated privileges
SUPER privilege used to allow various actions that were alternatively
allowed by one of BINLOG ADMIN, BINLOG MONITOR, BINLOG REPLAY,
CONNECTION ADMIN, FEDERATED ADMIN, REPL MASTER ADMIN, REPL SLAVE ADMIN,
SET USER, SLAVE MONITOR.
Now SUPER no longer does that, one has to grant one of the fine-grained
privileges above to be to perform corresponding actions.
On upgrade from MariaDB versions 10.11 and below all the privileges
above are granted automatically if the user has SUPER.
As a side-effect, such an upgrade will allow SUPER-user to run SHOW
BINLOG EVENTS, SHOW RELAYLOG EVENTS, SHOW SLAVE HOSTS, even if he wasn't
able to do it before the upgrade.
2022-12-10 12:08:31 +01:00
|
|
|
ERROR 42000: Access denied; you need (at least one of) the SLAVE MONITOR privilege(s) for this operation
|
2024-05-14 22:47:59 +02:00
|
|
|
SELECT * from information_schema.slave_status;
|
|
|
|
|
ERROR 42000: Access denied; you need (at least one of) the SLAVE MONITOR privilege(s) for this operation
|
2020-11-16 10:01:44 +01:00
|
|
|
#
|
|
|
|
|
# Verify that having REPLICATION SLAVE ADMIN doesn't allow SHOW RELAYLOG EVENTS
|
|
|
|
|
# Expected error: Access denied; you need (at least one of) the REPLICA MONITOR
|
|
|
|
|
# privilege(s) for this operation
|
|
|
|
|
#
|
|
|
|
|
SHOW RELAYLOG EVENTS;
|
|
|
|
|
ERROR 42000: Access denied; you need (at least one of) the SLAVE MONITOR privilege(s) for this operation
|
|
|
|
|
disconnect con1;
|
2020-11-16 10:19:46 +01:00
|
|
|
#
|
2020-11-16 10:01:44 +01:00
|
|
|
# SHOW SLAVE STATUS and SHOW RELAYLOG EVENTS are allowed with SLAVE MONITOR privilege
|
|
|
|
|
#
|
|
|
|
|
connection default;
|
|
|
|
|
GRANT SLAVE MONITOR ON *.* TO user1@localhost;
|
|
|
|
|
FLUSH PRIVILEGES;
|
|
|
|
|
connect con1,localhost,user1,,;
|
|
|
|
|
connection con1;
|
|
|
|
|
SHOW GRANTS;
|
|
|
|
|
Grants for user1@localhost
|
MDEV-29668 SUPER should not allow actions that have fine-grained dedicated privileges
SUPER privilege used to allow various actions that were alternatively
allowed by one of BINLOG ADMIN, BINLOG MONITOR, BINLOG REPLAY,
CONNECTION ADMIN, FEDERATED ADMIN, REPL MASTER ADMIN, REPL SLAVE ADMIN,
SET USER, SLAVE MONITOR.
Now SUPER no longer does that, one has to grant one of the fine-grained
privileges above to be to perform corresponding actions.
On upgrade from MariaDB versions 10.11 and below all the privileges
above are granted automatically if the user has SUPER.
As a side-effect, such an upgrade will allow SUPER-user to run SHOW
BINLOG EVENTS, SHOW RELAYLOG EVENTS, SHOW SLAVE HOSTS, even if he wasn't
able to do it before the upgrade.
2022-12-10 12:08:31 +01:00
|
|
|
GRANT ALL PRIVILEGES ON *.* TO `user1`@`localhost`
|
2020-11-16 10:01:44 +01:00
|
|
|
SHOW SLAVE STATUS;
|
|
|
|
|
SHOW RELAYLOG EVENTS;
|
|
|
|
|
disconnect con1;
|
|
|
|
|
connection default;
|
|
|
|
|
DROP USER user1@localhost;
|
|
|
|
|
#
|
2021-04-21 12:51:39 +02:00
|
|
|
# MDEV-25030 Upgrade to 10.5.9 breaks root's ability to grant
|
|
|
|
|
#
|
|
|
|
|
insert mysql.global_priv values ('bar', 'foo7', '{"access":274877906943,"version_id":100507,"plugin":"mysql_native_password","authentication_string":""}'),
|
|
|
|
|
('bar', 'foo8', '{"access":274877906943,"version_id":100508,"plugin":"mysql_native_password","authentication_string":""}'),
|
|
|
|
|
('bar', 'foo9', '{"access":274877906943,"version_id":100509,"plugin":"mysql_native_password","authentication_string":""}');
|
|
|
|
|
flush privileges;
|
|
|
|
|
show grants for foo7@bar;
|
|
|
|
|
Grants for foo7@bar
|
2024-02-29 18:16:06 +01:00
|
|
|
GRANT ALL PRIVILEGES ON *.* TO `foo7`@`bar` WITH GRANT OPTION
|
2021-04-21 12:51:39 +02:00
|
|
|
show grants for foo8@bar;
|
|
|
|
|
Grants for foo8@bar
|
2023-09-04 13:04:06 +02:00
|
|
|
GRANT SELECT, INSERT, UPDATE, DELETE, CREATE, DROP, RELOAD, SHUTDOWN, PROCESS, FILE, REFERENCES, INDEX, ALTER, SHOW DATABASES, SUPER, CREATE TEMPORARY TABLES, LOCK TABLES, EXECUTE, REPLICATION SLAVE, BINLOG MONITOR, CREATE VIEW, SHOW VIEW, CREATE ROUTINE, ALTER ROUTINE, CREATE USER, EVENT, TRIGGER, CREATE TABLESPACE, DELETE HISTORY, SET USER, FEDERATED ADMIN, CONNECTION ADMIN, READ_ONLY ADMIN, REPLICATION SLAVE ADMIN, REPLICATION MASTER ADMIN, BINLOG ADMIN, BINLOG REPLAY, SLAVE MONITOR ON *.* TO `foo8`@`bar` WITH GRANT OPTION
|
2021-04-21 12:51:39 +02:00
|
|
|
show grants for foo9@bar;
|
|
|
|
|
Grants for foo9@bar
|
2023-09-04 13:04:06 +02:00
|
|
|
GRANT SELECT, INSERT, UPDATE, DELETE, CREATE, DROP, RELOAD, SHUTDOWN, PROCESS, FILE, REFERENCES, INDEX, ALTER, SHOW DATABASES, SUPER, CREATE TEMPORARY TABLES, LOCK TABLES, EXECUTE, REPLICATION SLAVE, BINLOG MONITOR, CREATE VIEW, SHOW VIEW, CREATE ROUTINE, ALTER ROUTINE, CREATE USER, EVENT, TRIGGER, CREATE TABLESPACE, DELETE HISTORY, SET USER, FEDERATED ADMIN, CONNECTION ADMIN, READ_ONLY ADMIN, REPLICATION SLAVE ADMIN, REPLICATION MASTER ADMIN, BINLOG ADMIN, BINLOG REPLAY, SLAVE MONITOR ON *.* TO `foo9`@`bar` WITH GRANT OPTION
|
2021-04-21 12:51:39 +02:00
|
|
|
drop user foo7@bar, foo8@bar, foo9@bar;
|
|
|
|
|
#
|
|
|
|
|
# End of 10.5 tests
|
|
|
|
|
#
|
