MDEV-21743 Split up SUPER privilege to smaller privileges

2025-04-18 21:25:32 +02:00 · 2020-02-28 21:59:01 +04:00 · 2020-02-28 21:59:01 +04:00 · a1e330de5a
commit a1e330de5a
parent 91ba789aaf
82 changed files with 1511 additions and 236 deletions
--- a/include/my_bit.h
+++ b/include/my_bit.h
@ -25,16 +25,50 @@ C_MODE_START

 extern const uchar _my_bits_reverse_table[256];

-/*
-  Find smallest X in 2^X >= value
-  This can be used to divide a number with value by doing a shift instead
-*/

-static inline uint my_bit_log2(ulong value)
+/*
+  my_bit_log2_xxx()
+
+  In the given value, find the highest bit set,
+  which is the smallest X that satisfies the condition: (2^X >= value).
+  Can be used as a reverse operation for (1<<X), to find X.
+
+  Examples:
+  - returns 0 for (1<<0)
+  - returns 1 for (1<<1)
+  - returns 2 for (1<<2)
+  - returns 2 for 3, which has (1<<2) as the highest bit set.
+
+  Note, the behaviour of log2(0) is not defined.
+  Let's return 0 for the input 0, for the code simplicity.
+  See the 000x branch. It covers both (1<<0) and 0.
+*/
+static inline CONSTEXPR uint my_bit_log2_hex_digit(uint8 value)
 {
-  uint bit;
-  for (bit=0 ; value > 1 ; value>>=1, bit++) ;
-  return bit;
+  return value & 0x0C ? /*1100*/ (value & 0x08 ? /*1000*/ 3 : /*0100*/ 2) :
+                        /*0010*/ (value & 0x02 ? /*0010*/ 1 : /*000x*/ 0);
+}
+static inline CONSTEXPR uint my_bit_log2_uint8(uint8 value)
+{
+  return value & 0xF0 ? my_bit_log2_hex_digit(value >> 4) + 4:
+                        my_bit_log2_hex_digit(value);
+}
+static inline CONSTEXPR uint my_bit_log2_uint16(uint16 value)
+{
+  return value & 0xFF00 ? my_bit_log2_uint8((uint8) (value >> 8)) + 8 :
+                          my_bit_log2_uint8((uint8) value);
+}
+static inline CONSTEXPR uint my_bit_log2_uint32(uint32 value)
+{
+  return value & 0xFFFF0000UL ?
+         my_bit_log2_uint16((uint16) (value >> 16)) + 16 :
+         my_bit_log2_uint16((uint16) value);
+}
+static inline CONSTEXPR uint my_bit_log2_uint64(ulonglong value)
+{
+  return value & 0xFFFFFFFF00000000ULL ?
+         my_bit_log2_uint32((uint32) (value >> 32)) + 32 :
+         my_bit_log2_uint32((uint32) value);
 }


--- a/include/my_compiler.h
+++ b/include/my_compiler.h
@ -28,6 +28,14 @@
  Compiler-dependent internal convenience macros.
 */

+/* C vs C++ */
+#ifdef __cplusplus
+#define CONSTEXPR constexpr
+#else
+#define CONSTEXPR
+#endif /* __cplusplus */
+
+
 /* GNU C/C++ */
 #if defined __GNUC__
 /* Convenience macro to test the minimum required GCC version. */
--- a/mysql-test/main/alter_user.result
+++ b/mysql-test/main/alter_user.result
@ -21,26 +21,30 @@ alter user foo;
 select * from mysql.user where user = 'foo';
 Host	User	Password	Select_priv	Insert_priv	Update_priv	Delete_priv	Create_priv	Drop_priv	Reload_priv	Shutdown_priv	Process_priv	File_priv	Grant_priv	References_priv	Index_priv	Alter_priv	Show_db_priv	Super_priv	Create_tmp_table_priv	Lock_tables_priv	Execute_priv	Repl_slave_priv	Repl_client_priv	Create_view_priv	Show_view_priv	Create_routine_priv	Alter_routine_priv	Create_user_priv	Event_priv	Trigger_priv	Create_tablespace_priv	Delete_history_priv	ssl_type	ssl_cipher	x509_issuer	x509_subject	max_questions	max_updates	max_connections	max_user_connections	plugin	authentication_string	password_expired	is_role	default_role	max_statement_time
 %	foo		N	N	N	N	N	N	N	N	N	N	N	N	N	N	N	N	N	N	N	N	N	N	N	N	N	N	N	N	N	N					0	0	0	0	mysql_native_password		N	N		0.000000
-# Test super privilege works correctly with a read only database.
+#
+# Test READ_ONLY privilege works correctly with a read only database.
+#
 SET @start_read_only = @@global.read_only;
 SET GLOBAL read_only=1;
 grant create user on *.* to foo;
-# Currently no super privileges.
+# Currently no READ_ONLY ADMIN privileges.
 connect  a, localhost, foo;
 select @@global.read_only;
@@global.read_only
 1
 alter user foo;
 ERROR HY000: The MariaDB server is running with the --read-only option so it cannot execute this statement
-# Grant super privilege to the user.
+# Grant READ_ONLY ADMIN privilege to the user.
 connection default;
-grant super on *.* to foo;
-# We now have super privilege. We should be able to run alter user.
+grant READ_ONLY ADMIN on *.* to foo;
+# We now have READ_ONLY ADMIN privilege. We should be able to run alter user.
 connect  b, localhost, foo;
 alter user foo;
 connection default;
 SET GLOBAL read_only = @start_read_only;
+#
 # Test inexistant user.
+#
 alter user boo;
 ERROR HY000: Operation ALTER USER failed for 'boo'
 #--warning ER_CANNOT_USER
@ -48,19 +52,21 @@ alter if exists user boo;
 Warnings:
 Error	1133	Can't find any matching row in the user table
 Note	1396	Operation ALTER USER failed for 'boo'
+#
 # Test password related altering.
+#
 alter user foo identified by 'something';
 select * from mysql.user where user = 'foo';
 Host	User	Password	Select_priv	Insert_priv	Update_priv	Delete_priv	Create_priv	Drop_priv	Reload_priv	Shutdown_priv	Process_priv	File_priv	Grant_priv	References_priv	Index_priv	Alter_priv	Show_db_priv	Super_priv	Create_tmp_table_priv	Lock_tables_priv	Execute_priv	Repl_slave_priv	Repl_client_priv	Create_view_priv	Show_view_priv	Create_routine_priv	Alter_routine_priv	Create_user_priv	Event_priv	Trigger_priv	Create_tablespace_priv	Delete_history_priv	ssl_type	ssl_cipher	x509_issuer	x509_subject	max_questions	max_updates	max_connections	max_user_connections	plugin	authentication_string	password_expired	is_role	default_role	max_statement_time
-%	foo	*88C89BE093D4ECF72D039F62EBB7477EA1FD4D63	N	N	N	N	N	N	N	N	N	N	N	N	N	N	N	Y	N	N	N	N	N	N	N	N	N	Y	N	N	N	N					0	0	0	0	mysql_native_password	*88C89BE093D4ECF72D039F62EBB7477EA1FD4D63	N	N		0.000000
+%	foo	*88C89BE093D4ECF72D039F62EBB7477EA1FD4D63	N	N	N	N	N	N	N	N	N	N	N	N	N	N	N	N	N	N	N	N	N	N	N	N	N	Y	N	N	N	N					0	0	0	0	mysql_native_password	*88C89BE093D4ECF72D039F62EBB7477EA1FD4D63	N	N		0.000000
 alter user foo identified by 'something2';
 select * from mysql.user where user = 'foo';
 Host	User	Password	Select_priv	Insert_priv	Update_priv	Delete_priv	Create_priv	Drop_priv	Reload_priv	Shutdown_priv	Process_priv	File_priv	Grant_priv	References_priv	Index_priv	Alter_priv	Show_db_priv	Super_priv	Create_tmp_table_priv	Lock_tables_priv	Execute_priv	Repl_slave_priv	Repl_client_priv	Create_view_priv	Show_view_priv	Create_routine_priv	Alter_routine_priv	Create_user_priv	Event_priv	Trigger_priv	Create_tablespace_priv	Delete_history_priv	ssl_type	ssl_cipher	x509_issuer	x509_subject	max_questions	max_updates	max_connections	max_user_connections	plugin	authentication_string	password_expired	is_role	default_role	max_statement_time
-%	foo	*9CD58369E930E28C8996A89DB18B63294E6DC10C	N	N	N	N	N	N	N	N	N	N	N	N	N	N	N	Y	N	N	N	N	N	N	N	N	N	Y	N	N	N	N					0	0	0	0	mysql_native_password	*9CD58369E930E28C8996A89DB18B63294E6DC10C	N	N		0.000000
+%	foo	*9CD58369E930E28C8996A89DB18B63294E6DC10C	N	N	N	N	N	N	N	N	N	N	N	N	N	N	N	N	N	N	N	N	N	N	N	N	N	Y	N	N	N	N					0	0	0	0	mysql_native_password	*9CD58369E930E28C8996A89DB18B63294E6DC10C	N	N		0.000000
 alter user foo identified by password '*88C89BE093D4ECF72D039F62EBB7477EA1FD4D63';
 select * from mysql.user where user = 'foo';
 Host	User	Password	Select_priv	Insert_priv	Update_priv	Delete_priv	Create_priv	Drop_priv	Reload_priv	Shutdown_priv	Process_priv	File_priv	Grant_priv	References_priv	Index_priv	Alter_priv	Show_db_priv	Super_priv	Create_tmp_table_priv	Lock_tables_priv	Execute_priv	Repl_slave_priv	Repl_client_priv	Create_view_priv	Show_view_priv	Create_routine_priv	Alter_routine_priv	Create_user_priv	Event_priv	Trigger_priv	Create_tablespace_priv	Delete_history_priv	ssl_type	ssl_cipher	x509_issuer	x509_subject	max_questions	max_updates	max_connections	max_user_connections	plugin	authentication_string	password_expired	is_role	default_role	max_statement_time
-%	foo	*88C89BE093D4ECF72D039F62EBB7477EA1FD4D63	N	N	N	N	N	N	N	N	N	N	N	N	N	N	N	Y	N	N	N	N	N	N	N	N	N	Y	N	N	N	N					0	0	0	0	mysql_native_password	*88C89BE093D4ECF72D039F62EBB7477EA1FD4D63	N	N		0.000000
+%	foo	*88C89BE093D4ECF72D039F62EBB7477EA1FD4D63	N	N	N	N	N	N	N	N	N	N	N	N	N	N	N	N	N	N	N	N	N	N	N	N	N	Y	N	N	N	N					0	0	0	0	mysql_native_password	*88C89BE093D4ECF72D039F62EBB7477EA1FD4D63	N	N		0.000000
 alter user foo identified with 'somecoolplugin';
 ERROR HY000: Operation ALTER USER failed for 'foo'@'%'
 show warnings;
@ -70,32 +76,36 @@ Error	1396	Operation ALTER USER failed for 'foo'@'%'
 alter user foo identified with 'mysql_old_password';
 select * from mysql.user where user = 'foo';
 Host	User	Password	Select_priv	Insert_priv	Update_priv	Delete_priv	Create_priv	Drop_priv	Reload_priv	Shutdown_priv	Process_priv	File_priv	Grant_priv	References_priv	Index_priv	Alter_priv	Show_db_priv	Super_priv	Create_tmp_table_priv	Lock_tables_priv	Execute_priv	Repl_slave_priv	Repl_client_priv	Create_view_priv	Show_view_priv	Create_routine_priv	Alter_routine_priv	Create_user_priv	Event_priv	Trigger_priv	Create_tablespace_priv	Delete_history_priv	ssl_type	ssl_cipher	x509_issuer	x509_subject	max_questions	max_updates	max_connections	max_user_connections	plugin	authentication_string	password_expired	is_role	default_role	max_statement_time
-%	foo		N	N	N	N	N	N	N	N	N	N	N	N	N	N	N	Y	N	N	N	N	N	N	N	N	N	Y	N	N	N	N					0	0	0	0	mysql_old_password		N	N		0.000000
+%	foo		N	N	N	N	N	N	N	N	N	N	N	N	N	N	N	N	N	N	N	N	N	N	N	N	N	Y	N	N	N	N					0	0	0	0	mysql_old_password		N	N		0.000000
 alter user foo identified with 'mysql_old_password' using '0123456789ABCDEF';
 select * from mysql.user where user = 'foo';
 Host	User	Password	Select_priv	Insert_priv	Update_priv	Delete_priv	Create_priv	Drop_priv	Reload_priv	Shutdown_priv	Process_priv	File_priv	Grant_priv	References_priv	Index_priv	Alter_priv	Show_db_priv	Super_priv	Create_tmp_table_priv	Lock_tables_priv	Execute_priv	Repl_slave_priv	Repl_client_priv	Create_view_priv	Show_view_priv	Create_routine_priv	Alter_routine_priv	Create_user_priv	Event_priv	Trigger_priv	Create_tablespace_priv	Delete_history_priv	ssl_type	ssl_cipher	x509_issuer	x509_subject	max_questions	max_updates	max_connections	max_user_connections	plugin	authentication_string	password_expired	is_role	default_role	max_statement_time
-%	foo	0123456789ABCDEF	N	N	N	N	N	N	N	N	N	N	N	N	N	N	N	Y	N	N	N	N	N	N	N	N	N	Y	N	N	N	N					0	0	0	0	mysql_old_password	0123456789ABCDEF	N	N		0.000000
+%	foo	0123456789ABCDEF	N	N	N	N	N	N	N	N	N	N	N	N	N	N	N	N	N	N	N	N	N	N	N	N	N	Y	N	N	N	N					0	0	0	0	mysql_old_password	0123456789ABCDEF	N	N		0.000000
+#
 # Test ssl related altering.
+#
 alter user foo identified by 'something' require SSL;
 select * from mysql.user where user = 'foo';
 Host	User	Password	Select_priv	Insert_priv	Update_priv	Delete_priv	Create_priv	Drop_priv	Reload_priv	Shutdown_priv	Process_priv	File_priv	Grant_priv	References_priv	Index_priv	Alter_priv	Show_db_priv	Super_priv	Create_tmp_table_priv	Lock_tables_priv	Execute_priv	Repl_slave_priv	Repl_client_priv	Create_view_priv	Show_view_priv	Create_routine_priv	Alter_routine_priv	Create_user_priv	Event_priv	Trigger_priv	Create_tablespace_priv	Delete_history_priv	ssl_type	ssl_cipher	x509_issuer	x509_subject	max_questions	max_updates	max_connections	max_user_connections	plugin	authentication_string	password_expired	is_role	default_role	max_statement_time
-%	foo	*88C89BE093D4ECF72D039F62EBB7477EA1FD4D63	N	N	N	N	N	N	N	N	N	N	N	N	N	N	N	Y	N	N	N	N	N	N	N	N	N	Y	N	N	N	N	ANY				0	0	0	0	mysql_native_password	*88C89BE093D4ECF72D039F62EBB7477EA1FD4D63	N	N		0.000000
+%	foo	*88C89BE093D4ECF72D039F62EBB7477EA1FD4D63	N	N	N	N	N	N	N	N	N	N	N	N	N	N	N	N	N	N	N	N	N	N	N	N	N	Y	N	N	N	N	ANY				0	0	0	0	mysql_native_password	*88C89BE093D4ECF72D039F62EBB7477EA1FD4D63	N	N		0.000000
 alter user foo identified by 'something' require X509;
 select * from mysql.user where user = 'foo';
 Host	User	Password	Select_priv	Insert_priv	Update_priv	Delete_priv	Create_priv	Drop_priv	Reload_priv	Shutdown_priv	Process_priv	File_priv	Grant_priv	References_priv	Index_priv	Alter_priv	Show_db_priv	Super_priv	Create_tmp_table_priv	Lock_tables_priv	Execute_priv	Repl_slave_priv	Repl_client_priv	Create_view_priv	Show_view_priv	Create_routine_priv	Alter_routine_priv	Create_user_priv	Event_priv	Trigger_priv	Create_tablespace_priv	Delete_history_priv	ssl_type	ssl_cipher	x509_issuer	x509_subject	max_questions	max_updates	max_connections	max_user_connections	plugin	authentication_string	password_expired	is_role	default_role	max_statement_time
-%	foo	*88C89BE093D4ECF72D039F62EBB7477EA1FD4D63	N	N	N	N	N	N	N	N	N	N	N	N	N	N	N	Y	N	N	N	N	N	N	N	N	N	Y	N	N	N	N	X509				0	0	0	0	mysql_native_password	*88C89BE093D4ECF72D039F62EBB7477EA1FD4D63	N	N		0.000000
+%	foo	*88C89BE093D4ECF72D039F62EBB7477EA1FD4D63	N	N	N	N	N	N	N	N	N	N	N	N	N	N	N	N	N	N	N	N	N	N	N	N	N	Y	N	N	N	N	X509				0	0	0	0	mysql_native_password	*88C89BE093D4ECF72D039F62EBB7477EA1FD4D63	N	N		0.000000
 alter user foo identified by 'something'
 require cipher 'text' issuer 'foo_issuer' subject 'foo_subject';
 select * from mysql.user where user = 'foo';
 Host	User	Password	Select_priv	Insert_priv	Update_priv	Delete_priv	Create_priv	Drop_priv	Reload_priv	Shutdown_priv	Process_priv	File_priv	Grant_priv	References_priv	Index_priv	Alter_priv	Show_db_priv	Super_priv	Create_tmp_table_priv	Lock_tables_priv	Execute_priv	Repl_slave_priv	Repl_client_priv	Create_view_priv	Show_view_priv	Create_routine_priv	Alter_routine_priv	Create_user_priv	Event_priv	Trigger_priv	Create_tablespace_priv	Delete_history_priv	ssl_type	ssl_cipher	x509_issuer	x509_subject	max_questions	max_updates	max_connections	max_user_connections	plugin	authentication_string	password_expired	is_role	default_role	max_statement_time
-%	foo	*88C89BE093D4ECF72D039F62EBB7477EA1FD4D63	N	N	N	N	N	N	N	N	N	N	N	N	N	N	N	Y	N	N	N	N	N	N	N	N	N	Y	N	N	N	N	SPECIFIED	text	foo_issuer	foo_subject	0	0	0	0	mysql_native_password	*88C89BE093D4ECF72D039F62EBB7477EA1FD4D63	N	N		0.000000
+%	foo	*88C89BE093D4ECF72D039F62EBB7477EA1FD4D63	N	N	N	N	N	N	N	N	N	N	N	N	N	N	N	N	N	N	N	N	N	N	N	N	N	Y	N	N	N	N	SPECIFIED	text	foo_issuer	foo_subject	0	0	0	0	mysql_native_password	*88C89BE093D4ECF72D039F62EBB7477EA1FD4D63	N	N		0.000000
+#
 # Test resource limits altering.
+#
 alter user foo with MAX_QUERIES_PER_HOUR 10
 MAX_UPDATES_PER_HOUR 20
 MAX_CONNECTIONS_PER_HOUR 30
 MAX_USER_CONNECTIONS 40;
 select * from mysql.user where user = 'foo';
 Host	User	Password	Select_priv	Insert_priv	Update_priv	Delete_priv	Create_priv	Drop_priv	Reload_priv	Shutdown_priv	Process_priv	File_priv	Grant_priv	References_priv	Index_priv	Alter_priv	Show_db_priv	Super_priv	Create_tmp_table_priv	Lock_tables_priv	Execute_priv	Repl_slave_priv	Repl_client_priv	Create_view_priv	Show_view_priv	Create_routine_priv	Alter_routine_priv	Create_user_priv	Event_priv	Trigger_priv	Create_tablespace_priv	Delete_history_priv	ssl_type	ssl_cipher	x509_issuer	x509_subject	max_questions	max_updates	max_connections	max_user_connections	plugin	authentication_string	password_expired	is_role	default_role	max_statement_time
-%	foo	*88C89BE093D4ECF72D039F62EBB7477EA1FD4D63	N	N	N	N	N	N	N	N	N	N	N	N	N	N	N	Y	N	N	N	N	N	N	N	N	N	Y	N	N	N	N	SPECIFIED	text	foo_issuer	foo_subject	10	20	30	40	mysql_native_password	*88C89BE093D4ECF72D039F62EBB7477EA1FD4D63	N	N		0.000000
+%	foo	*88C89BE093D4ECF72D039F62EBB7477EA1FD4D63	N	N	N	N	N	N	N	N	N	N	N	N	N	N	N	N	N	N	N	N	N	N	N	N	N	Y	N	N	N	N	SPECIFIED	text	foo_issuer	foo_subject	10	20	30	40	mysql_native_password	*88C89BE093D4ECF72D039F62EBB7477EA1FD4D63	N	N		0.000000
 drop user foo;
 update mysql.global_priv set priv=@root_priv where user='root' and host='localhost';
--- a/mysql-test/main/alter_user.test
+++ b/mysql-test/main/alter_user.test
@ -16,36 +16,47 @@ select * from mysql.user where user = 'foo';
 alter user foo;
 select * from mysql.user where user = 'foo';

--echo # Test super privilege works correctly with a read only database.
+--echo #
+--echo # Test READ_ONLY privilege works correctly with a read only database.
+--echo #
+
 SET @start_read_only = @@global.read_only;
 SET GLOBAL read_only=1;
 grant create user on *.* to foo;

--echo # Currently no super privileges.
+--echo # Currently no READ_ONLY ADMIN privileges.
 connect (a, localhost, foo);
 select @@global.read_only;

 --error ER_OPTION_PREVENTS_STATEMENT
 alter user foo;

--echo # Grant super privilege to the user.
+--echo # Grant READ_ONLY ADMIN privilege to the user.
 connection default;
-grant super on *.* to foo;
+grant READ_ONLY ADMIN on *.* to foo;

--echo # We now have super privilege. We should be able to run alter user.
+--echo # We now have READ_ONLY ADMIN privilege. We should be able to run alter user.
 connect (b, localhost, foo);
 alter user foo;

 connection default;
 SET GLOBAL read_only = @start_read_only;

+
+--echo #
 --echo # Test inexistant user.
+--echo #
+
 --error ER_CANNOT_USER
 alter user boo;
 --echo #--warning ER_CANNOT_USER
 alter if exists user boo;

+
+--echo #
 --echo # Test password related altering.
+--echo #
+
 alter user foo identified by 'something';
 select * from mysql.user where user = 'foo';

@ -65,7 +76,11 @@ select * from mysql.user where user = 'foo';
 alter user foo identified with 'mysql_old_password' using '0123456789ABCDEF';
 select * from mysql.user where user = 'foo';

+
+--echo #
 --echo # Test ssl related altering.
+--echo #
+
 alter user foo identified by 'something' require SSL;
 select * from mysql.user where user = 'foo';

@ -76,7 +91,11 @@ alter user foo identified by 'something'
 require cipher 'text' issuer 'foo_issuer' subject 'foo_subject';
 select * from mysql.user where user = 'foo';

+
+--echo #
 --echo # Test resource limits altering.
+--echo #
+
 alter user foo with MAX_QUERIES_PER_HOUR 10
                    MAX_UPDATES_PER_HOUR 20
                    MAX_CONNECTIONS_PER_HOUR 30
--- a/mysql-test/main/events_bugs.result
+++ b/mysql-test/main/events_bugs.result
@ -405,7 +405,7 @@ SELECT event_name, definer FROM INFORMATION_SCHEMA.EVENTS;
 event_name	definer
 e1	mysqltest_u1@localhost
 ALTER DEFINER=root@localhost EVENT e1 ON SCHEDULE EVERY 1 HOUR;
-ERROR 42000: Access denied; you need (at least one of) the SUPER privilege(s) for this operation
+ERROR 42000: Access denied; you need (at least one of) the SUPER, SET USER privilege(s) for this operation
 SELECT event_name, definer FROM INFORMATION_SCHEMA.EVENTS;
 event_name	definer
 e1	mysqltest_u1@localhost
@ -418,7 +418,7 @@ event_name	definer
 e1	mysqltest_u1@localhost
 DROP EVENT e1;
 CREATE DEFINER=root@localhost EVENT e1 ON SCHEDULE EVERY 1 DAY DO SELECT 1;
-ERROR 42000: Access denied; you need (at least one of) the SUPER privilege(s) for this operation
+ERROR 42000: Access denied; you need (at least one of) the SUPER, SET USER privilege(s) for this operation
 DROP EVENT e1;
 ERROR HY000: Unknown event 'e1'
 disconnect conn1;
--- a/mysql-test/main/grant.result
+++ b/mysql-test/main/grant.result
@ -621,7 +621,10 @@ Process	Server Admin	To view the plain text of currently executing queries
 Proxy	Server Admin	To make proxy user possible
 References	Databases,Tables	To have references on tables
 Reload	Server Admin	To reload or refresh tables, logs and privileges
-Replication client	Server Admin	To ask where the slave or master servers are
+Binlog admin	Server	To purge binary logs
+Binlog monitor	Server	To use SHOW BINLOG STATUS and SHOW BINARY LOG
+Replication master admin	Server	To monitor connected slaves
+Replication slave admin	Server	To start/monitor/stop slave and apply binlog events
 Replication slave	Server Admin	To read binary log events from the master
 Select	Tables	To retrieve rows from table
 Show databases	Server Admin	To see all databases with SHOW DATABASES
@ -631,6 +634,10 @@ Super	Server Admin	To use KILL thread, SET GLOBAL, CHANGE MASTER, etc.
 Trigger	Tables	To use triggers
 Create tablespace	Server Admin	To create/alter/drop tablespaces
 Update	Tables	To update existing rows
+Set user	Server	To create views and stored routines with a different definer
+Federated admin	Server	To execute the CREATE SERVER, ALTER SERVER, DROP SERVER statements
+Connection admin	Server	To bypass connection limits and kill other users' connections
+Read_only admin	Server	To perform write operations even if @@read_only=ON
 Usage	Server Admin	No privileges - allow connect only
 connect  root,localhost,root,,test,$MASTER_MYPORT,$MASTER_MYSOCK;
 connection root;
@ -1958,7 +1965,7 @@ GRANT USAGE                   ON *.* TO mysqltest_u1@localhost;

 SHOW GRANTS FOR mysqltest_u1@localhost;
 Grants for mysqltest_u1@localhost
-GRANT RELOAD, SHUTDOWN, PROCESS, FILE, SHOW DATABASES, REPLICATION SLAVE, REPLICATION CLIENT, CREATE USER ON *.* TO `mysqltest_u1`@`localhost`
+GRANT RELOAD, SHUTDOWN, PROCESS, FILE, SHOW DATABASES, REPLICATION SLAVE, BINLOG MONITOR, CREATE USER ON *.* TO `mysqltest_u1`@`localhost`
 GRANT CREATE TEMPORARY TABLES, LOCK TABLES, EXECUTE, CREATE ROUTINE, ALTER ROUTINE, EVENT ON `mysqltest_db1`.* TO `mysqltest_u1`@`localhost`
 connect  con1,localhost,mysqltest_u1,,mysqltest_db1;
 connection con1;
--- a/mysql-test/main/grant_kill.result
+++ b/mysql-test/main/grant_kill.result
@ -0,0 +1,76 @@
+#
+# Start of 10.5 tests
+#
+#
+# MDEV-21743 Split up SUPER privilege to smaller privileges 
+#
+#
+# Test that KILL is not allowed without CONNECTION ADMIN or SUPER
+#
+CREATE USER foo@localhost;
+GRANT SELECT ON *.* TO foo@localhost;
+CREATE USER bar@localhost;
+GRANT ALL PRIVILEGES ON *.* TO bar@localhost;
+REVOKE CONNECTION ADMIN, SUPER ON *.* FROM bar@localhost;
+connect  foo,localhost,foo,,;
+connect  bar,localhost,bar,,;
+connection bar;
+SELECT user FROM information_schema.processlist ORDER BY user;
+user
+bar
+foo
+root
+KILL ID;
+ERROR HY000: You are not owner of thread ID
+disconnect foo;
+disconnect bar;
+connection default;
+DROP USER foo@localhost;
+DROP USER bar@localhost;
+#
+# Test that KILL is allowed with CONNECTION ADMIN
+#
+CREATE USER foo@localhost;
+GRANT SELECT ON *.* TO foo@localhost;
+CREATE USER bar@localhost;
+GRANT PROCESS, CONNECTION ADMIN ON *.* TO bar@localhost;
+connect  foo,localhost,foo,,;
+connect  bar,localhost,bar,,;
+connection bar;
+SELECT user FROM information_schema.processlist ORDER BY user;
+user
+bar
+foo
+root
+KILL ID;
+connection default;
+disconnect foo;
+disconnect bar;
+connection default;
+DROP USER foo@localhost;
+DROP USER bar@localhost;
+#
+# Test that KILL is allowed with SUPER
+#
+CREATE USER foo@localhost;
+GRANT SELECT ON *.* TO foo@localhost;
+CREATE USER bar@localhost;
+GRANT PROCESS, SUPER ON *.* TO bar@localhost;
+connect  foo,localhost,foo,,;
+connect  bar,localhost,bar,,;
+connection bar;
+SELECT user FROM information_schema.processlist ORDER BY user;
+user
+bar
+foo
+root
+KILL ID;
+connection default;
+disconnect foo;
+disconnect bar;
+connection default;
+DROP USER foo@localhost;
+DROP USER bar@localhost;
+#
+# End of 10.5 tests
+#
--- a/mysql-test/main/grant_kill.test
+++ b/mysql-test/main/grant_kill.test
@ -0,0 +1,88 @@
+-- source include/not_embedded.inc
+
+--echo #
+--echo # Start of 10.5 tests
+--echo #
+
+--echo #
+--echo # MDEV-21743 Split up SUPER privilege to smaller privileges 
+--echo #
+
+--echo #
+--echo # Test that KILL is not allowed without CONNECTION ADMIN or SUPER
+--echo #
+
+CREATE USER foo@localhost;
+GRANT SELECT ON *.* TO foo@localhost;
+CREATE USER bar@localhost;
+GRANT ALL PRIVILEGES ON *.* TO bar@localhost;
+REVOKE CONNECTION ADMIN, SUPER ON *.* FROM bar@localhost;
+--connect (foo,localhost,foo,,)
+let $id=`(SELECT id FROM INFORMATION_SCHEMA.PROCESSLIST WHERE user='foo')`;
+--connect (bar,localhost,bar,,)
+--connection bar
+SELECT user FROM information_schema.processlist ORDER BY user;
+--replace_result $id ID
+--error ER_KILL_DENIED_ERROR
+--eval KILL $id
+--disconnect foo
+--disconnect bar
+--connection default
+DROP USER foo@localhost;
+DROP USER bar@localhost;
+
+--echo #
+--echo # Test that KILL is allowed with CONNECTION ADMIN
+--echo #
+
+CREATE USER foo@localhost;
+GRANT SELECT ON *.* TO foo@localhost;
+CREATE USER bar@localhost;
+GRANT PROCESS, CONNECTION ADMIN ON *.* TO bar@localhost;
+--connect (foo,localhost,foo,,)
+let $id=`(SELECT id FROM INFORMATION_SCHEMA.PROCESSLIST WHERE user='foo')`;
+--connect (bar,localhost,bar,,)
+--connection bar
+SELECT user FROM information_schema.processlist ORDER BY user;
+--replace_result $id ID
+--eval KILL $id
+--connection default
+let $wait_condition=
+    select count(*) = 0 from information_schema.processlist
+    where user = "foo";
+--source include/wait_condition.inc
+--disconnect foo
+--disconnect bar
+--connection default
+DROP USER foo@localhost;
+DROP USER bar@localhost;
+
+--echo #
+--echo # Test that KILL is allowed with SUPER
+--echo #
+
+CREATE USER foo@localhost;
+GRANT SELECT ON *.* TO foo@localhost;
+CREATE USER bar@localhost;
+GRANT PROCESS, SUPER ON *.* TO bar@localhost;
+--connect (foo,localhost,foo,,)
+let $id=`(SELECT id FROM INFORMATION_SCHEMA.PROCESSLIST WHERE user='foo')`;
+--connect (bar,localhost,bar,,)
+--connection bar
+SELECT user FROM information_schema.processlist ORDER BY user;
+--replace_result $id ID
+--eval KILL $id
+--connection default
+let $wait_condition=
+    select count(*) = 0 from information_schema.processlist
+    where user = "foo";
+--source include/wait_condition.inc
+--disconnect foo
+--disconnect bar
+--connection default
+DROP USER foo@localhost;
+DROP USER bar@localhost;
+
+--echo #
+--echo # End of 10.5 tests
+--echo #
--- a/mysql-test/main/grant_master_admin.result
+++ b/mysql-test/main/grant_master_admin.result
@ -0,0 +1,36 @@
+#
+# Start of 10.5 tests
+#
+#
+# MDEV-21743 Split up SUPER privilege to smaller privileges 
+#
+#
+# Test that master admin statements are not allowed without REPLICATION MASTER ADMIN
+#
+CREATE USER user1@localhost IDENTIFIED BY '';
+GRANT ALL PRIVILEGES ON *.* TO user1@localhost;
+REVOKE REPLICATION MASTER ADMIN ON *.* FROM user1@localhost;
+connect  con1,localhost,user1,,;
+connection con1;
+SHOW SLAVE HOSTS;
+ERROR 42000: Access denied; you need (at least one of) the REPLICATION MASTER ADMIN privilege(s) for this operation
+disconnect con1;
+connection default;
+DROP USER user1@localhost;
+#
+# Test that master admin statements are allowed with REPLICATION MASTER ADMIN
+#
+CREATE USER user1@localhost IDENTIFIED BY '';
+GRANT REPLICATION MASTER ADMIN ON *.* TO user1@localhost;
+SHOW GRANTS FOR user1@localhost;
+Grants for user1@localhost
+GRANT REPLICATION MASTER ADMIN ON *.* TO `user1`@`localhost`
+connect  con1,localhost,user1,,;
+connection con1;
+SHOW SLAVE HOSTS;
+Server_id	Host	Port	Master_id
+connection default;
+DROP USER user1@localhost;
+#
+# End of 10.5 tests
+#
--- a/mysql-test/main/grant_master_admin.test
+++ b/mysql-test/main/grant_master_admin.test
@ -0,0 +1,47 @@
+-- source include/not_embedded.inc
+
+--echo #
+--echo # Start of 10.5 tests
+--echo #
+
+--echo #
+--echo # MDEV-21743 Split up SUPER privilege to smaller privileges 
+--echo #
+
+--echo #
+--echo # Test that master admin statements are not allowed without REPLICATION MASTER ADMIN
+--echo #
+
+CREATE USER user1@localhost IDENTIFIED BY '';
+GRANT ALL PRIVILEGES ON *.* TO user1@localhost;
+REVOKE REPLICATION MASTER ADMIN ON *.* FROM user1@localhost;
+
+connect (con1,localhost,user1,,);
+connection con1;
+--error ER_SPECIFIC_ACCESS_DENIED_ERROR
+SHOW SLAVE HOSTS;
+disconnect con1;
+
+connection default;
+DROP USER user1@localhost;
+
+
+--echo #
+--echo # Test that master admin statements are allowed with REPLICATION MASTER ADMIN
+--echo #
+
+CREATE USER user1@localhost IDENTIFIED BY '';
+GRANT REPLICATION MASTER ADMIN ON *.* TO user1@localhost;
+SHOW GRANTS FOR user1@localhost;
+
+connect (con1,localhost,user1,,);
+connection con1;
+SHOW SLAVE HOSTS;
+
+connection default;
+DROP USER user1@localhost;
+
+
+--echo #
+--echo # End of 10.5 tests
+--echo #
--- a/mysql-test/main/grant_read_only.result
+++ b/mysql-test/main/grant_read_only.result
@ -0,0 +1,73 @@
+#
+# Start of 10.5 tests
+#
+#
+# Test that @@read_only is not ignored without READ_ONLY ADMIN or SUPER
+#
+CREATE TABLE t1 (a INT);
+CREATE USER user1@localhost IDENTIFIED BY '';
+GRANT ALL PRIVILEGES ON *.* TO user1@localhost;
+REVOKE READ_ONLY ADMIN, SUPER ON *.* FROM user1@localhost;
+SET @@GLOBAL.read_only=1;
+connect  con1,localhost,user1,,;
+connection con1;
+UPDATE t1 SET a=11 WHERE a=10;
+ERROR HY000: The MariaDB server is running with the --read-only option so it cannot execute this statement
+DELETE FROM t1 WHERE a=11;
+ERROR HY000: The MariaDB server is running with the --read-only option so it cannot execute this statement
+INSERT INTO t1 VALUES (20);
+ERROR HY000: The MariaDB server is running with the --read-only option so it cannot execute this statement
+disconnect con1;
+connection default;
+SET @@GLOBAL.read_only=0;
+DROP USER user1@localhost;
+DROP TABLE t1;
+#
+# Test that @@read_only is ignored with READ_ONLY ADMIN
+#
+CREATE TABLE t1 (a INT);
+CREATE USER user1@localhost IDENTIFIED BY '';
+GRANT INSERT, UPDATE, DELETE, READ_ONLY ADMIN ON *.* TO user1@localhost;
+SHOW GRANTS FOR user1@localhost;
+Grants for user1@localhost
+GRANT INSERT, UPDATE, DELETE, READ_ONLY ADMIN ON *.* TO `user1`@`localhost`
+SET @@GLOBAL.read_only=1;
+connect  con1,localhost,user1,,;
+connection con1;
+SELECT @@read_only;
+@@read_only
+1
+UPDATE t1 SET a=11 WHERE a=10;
+DELETE FROM t1 WHERE a=11;
+INSERT INTO t1 VALUES (20);
+disconnect con1;
+connection default;
+SET @@GLOBAL.read_only=0;
+DROP USER user1@localhost;
+DROP TABLE t1;
+#
+# Test that @@read_only is ignored with SUPER
+#
+CREATE TABLE t1 (a INT);
+CREATE USER user1@localhost IDENTIFIED BY '';
+GRANT INSERT, UPDATE, DELETE, SUPER ON *.* TO user1@localhost;
+SHOW GRANTS FOR user1@localhost;
+Grants for user1@localhost
+GRANT INSERT, UPDATE, DELETE, SUPER ON *.* TO `user1`@`localhost`
+SET @@GLOBAL.read_only=1;
+connect  con1,localhost,user1,,;
+connection con1;
+SELECT @@read_only;
+@@read_only
+1
+UPDATE t1 SET a=11 WHERE a=10;
+DELETE FROM t1 WHERE a=11;
+INSERT INTO t1 VALUES (20);
+disconnect con1;
+connection default;
+SET @@GLOBAL.read_only=0;
+DROP USER user1@localhost;
+DROP TABLE t1;
+#
+# End of 10.5 tests
+#
--- a/mysql-test/main/grant_read_only.test
+++ b/mysql-test/main/grant_read_only.test
@ -0,0 +1,83 @@
+-- source include/not_embedded.inc
+
+--echo #
+--echo # Start of 10.5 tests
+--echo #
+
+--echo #
+--echo # Test that @@read_only is not ignored without READ_ONLY ADMIN or SUPER
+--echo #
+
+CREATE TABLE t1 (a INT);
+CREATE USER user1@localhost IDENTIFIED BY '';
+GRANT ALL PRIVILEGES ON *.* TO user1@localhost;
+REVOKE READ_ONLY ADMIN, SUPER ON *.* FROM user1@localhost;
+SET @@GLOBAL.read_only=1;
+
+connect (con1,localhost,user1,,);
+connection con1;
+--error ER_OPTION_PREVENTS_STATEMENT
+UPDATE t1 SET a=11 WHERE a=10;
+--error ER_OPTION_PREVENTS_STATEMENT
+DELETE FROM t1 WHERE a=11;
+--error ER_OPTION_PREVENTS_STATEMENT
+INSERT INTO t1 VALUES (20);
+disconnect con1;
+
+connection default;
+SET @@GLOBAL.read_only=0;
+DROP USER user1@localhost;
+DROP TABLE t1;
+
+--echo #
+--echo # Test that @@read_only is ignored with READ_ONLY ADMIN
+--echo #
+
+CREATE TABLE t1 (a INT);
+CREATE USER user1@localhost IDENTIFIED BY '';
+## TODO: it works even without INSERT/UPDATE/DELETE: file a bug report!
+GRANT INSERT, UPDATE, DELETE, READ_ONLY ADMIN ON *.* TO user1@localhost;
+SHOW GRANTS FOR user1@localhost;
+SET @@GLOBAL.read_only=1;
+
+connect (con1,localhost,user1,,);
+connection con1;
+SELECT @@read_only;
+UPDATE t1 SET a=11 WHERE a=10;
+DELETE FROM t1 WHERE a=11;
+INSERT INTO t1 VALUES (20);
+disconnect con1;
+
+connection default;
+SET @@GLOBAL.read_only=0;
+DROP USER user1@localhost;
+DROP TABLE t1;
+
+
+--echo #
+--echo # Test that @@read_only is ignored with SUPER
+--echo #
+
+CREATE TABLE t1 (a INT);
+CREATE USER user1@localhost IDENTIFIED BY '';
+## TODO: it works even without INSERT/UPDATE/DELETE: file a bug report!
+GRANT INSERT, UPDATE, DELETE, SUPER ON *.* TO user1@localhost;
+SHOW GRANTS FOR user1@localhost;
+SET @@GLOBAL.read_only=1;
+
+connect (con1,localhost,user1,,);
+connection con1;
+SELECT @@read_only;
+UPDATE t1 SET a=11 WHERE a=10;
+DELETE FROM t1 WHERE a=11;
+INSERT INTO t1 VALUES (20);
+disconnect con1;
+
+connection default;
+SET @@GLOBAL.read_only=0;
+DROP USER user1@localhost;
+DROP TABLE t1;
+
+--echo #
+--echo # End of 10.5 tests
+--echo #
--- a/mysql-test/main/grant_server.result
+++ b/mysql-test/main/grant_server.result
@ -0,0 +1,61 @@
+#
+# Start of 10.5 tests
+#
+#
+# Test that SERVER DDL statements are not allowed without FEDERATED ADMIN or SUPER
+#
+CREATE USER user1@localhost IDENTIFIED BY '';
+GRANT ALL PRIVILEGES ON *.* TO user1@localhost;
+REVOKE FEDERATED ADMIN, SUPER ON *.* FROM user1@localhost;
+connect  con1,localhost,user1,,;
+connection con1;
+CREATE SERVER IF NOT EXISTS server_1
+FOREIGN DATA WRAPPER mysql
+OPTIONS (USER 'mysqltest_1', HOST 'localhost', DATABASE 'test2');
+ERROR 42000: Access denied; you need (at least one of) the SUPER, FEDERATED ADMIN privilege(s) for this operation
+ALTER SERVER server_1 OPTIONS(HOST 'Server.Example.Org');
+ERROR 42000: Access denied; you need (at least one of) the SUPER, FEDERATED ADMIN privilege(s) for this operation
+DROP SERVER server_1;
+ERROR 42000: Access denied; you need (at least one of) the SUPER, FEDERATED ADMIN privilege(s) for this operation
+disconnect con1;
+connection default;
+DROP USER user1@localhost;
+#
+# Test that SERVER DDL statements are allowed with FEDERATED ADMIN
+#
+CREATE USER user1@localhost IDENTIFIED BY '';
+GRANT FEDERATED ADMIN ON *.* TO user1@localhost;
+SHOW GRANTS FOR user1@localhost;
+Grants for user1@localhost
+GRANT FEDERATED ADMIN ON *.* TO `user1`@`localhost`
+connect  con1,localhost,user1,,;
+connection con1;
+CREATE SERVER IF NOT EXISTS server_1
+FOREIGN DATA WRAPPER mysql
+OPTIONS (USER 'mysqltest_1', HOST 'localhost', DATABASE 'test2');
+ALTER SERVER server_1 OPTIONS(HOST 'Server.Example.Org');
+DROP SERVER server_1;
+disconnect con1;
+connection default;
+DROP USER user1@localhost;
+#
+# Test that SERVER DDL statements are allowed with SUPER
+#
+CREATE USER user1@localhost IDENTIFIED BY '';
+GRANT SUPER ON *.* TO user1@localhost;
+SHOW GRANTS FOR user1@localhost;
+Grants for user1@localhost
+GRANT SUPER ON *.* TO `user1`@`localhost`
+connect  con1,localhost,user1,,;
+connection con1;
+CREATE SERVER IF NOT EXISTS server_1
+FOREIGN DATA WRAPPER mysql
+OPTIONS (USER 'mysqltest_1', HOST 'localhost', DATABASE 'test2');
+ALTER SERVER server_1 OPTIONS(HOST 'Server.Example.Org');
+DROP SERVER server_1;
+disconnect con1;
+connection default;
+DROP USER user1@localhost;
+#
+# End of 10.5 tests
+#
--- a/mysql-test/main/grant_server.test
+++ b/mysql-test/main/grant_server.test
@ -0,0 +1,75 @@
+-- source include/not_embedded.inc
+
+--echo #
+--echo # Start of 10.5 tests
+--echo #
+
+--echo #
+--echo # Test that SERVER DDL statements are not allowed without FEDERATED ADMIN or SUPER
+--echo #
+
+CREATE USER user1@localhost IDENTIFIED BY '';
+GRANT ALL PRIVILEGES ON *.* TO user1@localhost;
+REVOKE FEDERATED ADMIN, SUPER ON *.* FROM user1@localhost;
+
+connect (con1,localhost,user1,,);
+connection con1;
+--error ER_SPECIFIC_ACCESS_DENIED_ERROR
+CREATE SERVER IF NOT EXISTS server_1
+  FOREIGN DATA WRAPPER mysql
+  OPTIONS (USER 'mysqltest_1', HOST 'localhost', DATABASE 'test2');
+--error ER_SPECIFIC_ACCESS_DENIED_ERROR
+ALTER SERVER server_1 OPTIONS(HOST 'Server.Example.Org');
+--error ER_SPECIFIC_ACCESS_DENIED_ERROR
+DROP SERVER server_1;
+disconnect con1;
+
+connection default;
+DROP USER user1@localhost;
+
+
+--echo #
+--echo # Test that SERVER DDL statements are allowed with FEDERATED ADMIN
+--echo #
+
+CREATE USER user1@localhost IDENTIFIED BY '';
+GRANT FEDERATED ADMIN ON *.* TO user1@localhost;
+SHOW GRANTS FOR user1@localhost;
+
+connect (con1,localhost,user1,,);
+connection con1;
+CREATE SERVER IF NOT EXISTS server_1
+  FOREIGN DATA WRAPPER mysql
+  OPTIONS (USER 'mysqltest_1', HOST 'localhost', DATABASE 'test2');
+ALTER SERVER server_1 OPTIONS(HOST 'Server.Example.Org');
+DROP SERVER server_1;
+disconnect con1;
+
+connection default;
+DROP USER user1@localhost;
+
+
+--echo #
+--echo # Test that SERVER DDL statements are allowed with SUPER
+--echo #
+
+CREATE USER user1@localhost IDENTIFIED BY '';
+GRANT SUPER ON *.* TO user1@localhost;
+SHOW GRANTS FOR user1@localhost;
+
+connect (con1,localhost,user1,,);
+connection con1;
+CREATE SERVER IF NOT EXISTS server_1
+  FOREIGN DATA WRAPPER mysql
+  OPTIONS (USER 'mysqltest_1', HOST 'localhost', DATABASE 'test2');
+ALTER SERVER server_1 OPTIONS(HOST 'Server.Example.Org');
+DROP SERVER server_1;
+disconnect con1;
+
+connection default;
+DROP USER user1@localhost;
+
+
+--echo #
+--echo # End of 10.5 tests
+--echo #
--- a/mysql-test/main/grant_slave_admin.result
+++ b/mysql-test/main/grant_slave_admin.result
@ -0,0 +1,96 @@
+#
+# Start of 10.5 tests
+#
+#
+# MDEV-21743 Split up SUPER privilege to smaller privileges 
+#
+#
+# Test that slave admin statements are not allowed without REPLICATION SLAVE ADMIN or SUPER
+#
+CREATE USER user1@localhost IDENTIFIED BY '';
+GRANT ALL PRIVILEGES ON *.* TO user1@localhost;
+REVOKE REPLICATION SLAVE ADMIN, SUPER ON *.* FROM user1@localhost;
+connect  con1,localhost,user1,,;
+connection con1;
+START SLAVE;
+ERROR 42000: Access denied; you need (at least one of) the SUPER, REPLICATION SLAVE ADMIN privilege(s) for this operation
+CHANGE MASTER TO MASTER_HOST='127.0.0.1';
+ERROR 42000: Access denied; you need (at least one of) the SUPER, REPLICATION SLAVE ADMIN privilege(s) for this operation
+STOP SLAVE;
+ERROR 42000: Access denied; you need (at least one of) the SUPER, REPLICATION SLAVE ADMIN privilege(s) for this operation
+SHOW SLAVE STATUS;
+ERROR 42000: Access denied; you need (at least one of) the SUPER, REPLICATION SLAVE ADMIN privilege(s) for this operation
+BINLOG '';
+ERROR 42000: Access denied; you need (at least one of) the SUPER, REPLICATION SLAVE ADMIN privilege(s) for this operation
+disconnect con1;
+connection default;
+DROP USER user1@localhost;
+#
+# Test that slave admin statements are allowed with REPLICATION SLAVE ADMIN
+#
+CREATE USER user1@localhost IDENTIFIED BY '';
+GRANT REPLICATION SLAVE ADMIN ON *.* TO user1@localhost;
+SHOW GRANTS FOR user1@localhost;
+Grants for user1@localhost
+GRANT REPLICATION SLAVE ADMIN ON *.* TO `user1`@`localhost`
+connect  con1,localhost,user1,,;
+connection con1;
+START SLAVE;
+ERROR HY000: Misconfigured slave: MASTER_HOST was not set; Fix in config file or with CHANGE MASTER TO
+CHANGE MASTER TO MASTER_USER='root';
+STOP SLAVE;
+Warnings:
+Note	1255	Slave already has been stopped
+SHOW SLAVE STATUS;
+BINLOG '';
+disconnect con1;
+connection default;
+DROP USER user1@localhost;
+#
+# Test that slave admin statements are allowed with SUPER
+#
+CREATE USER user1@localhost IDENTIFIED BY '';
+GRANT SUPER ON *.* TO user1@localhost;
+SHOW GRANTS FOR user1@localhost;
+Grants for user1@localhost
+GRANT SUPER ON *.* TO `user1`@`localhost`
+connect  con1,localhost,user1,,;
+connection con1;
+START SLAVE;
+ERROR HY000: Misconfigured slave: MASTER_HOST was not set; Fix in config file or with CHANGE MASTER TO
+CHANGE MASTER TO MASTER_USER='root';
+STOP SLAVE;
+Warnings:
+Note	1255	Slave already has been stopped
+SHOW SLAVE STATUS;
+BINLOG '';
+disconnect con1;
+connection default;
+DROP USER user1@localhost;
+#
+# Test that SHOW RELAYLOG EVENTS is not allowed without REPLICATION SLAVE ADMIN
+#
+CREATE USER user1@localhost IDENTIFIED BY '';
+GRANT ALL PRIVILEGES ON *.* TO user1@localhost;
+REVOKE REPLICATION SLAVE ADMIN ON *.* FROM user1@localhost;
+connect  con1,localhost,user1,,;
+connection con1;
+SHOW RELAYLOG EVENTS;
+ERROR 42000: Access denied; you need (at least one of) the REPLICATION SLAVE ADMIN privilege(s) for this operation
+disconnect con1;
+connection default;
+DROP USER user1@localhost;
+#
+# Test that SHOW RELAYLOG EVENTS is allowed with REPLICATION SLAVE ADMIN
+#
+CREATE USER user1@localhost IDENTIFIED BY '';
+GRANT REPLICATION SLAVE ADMIN ON *.* TO user1@localhost;
+connect  con1,localhost,user1,,;
+connection con1;
+SHOW RELAYLOG EVENTS;
+disconnect con1;
+connection default;
+DROP USER user1@localhost;
+#
+# End of 10.5 tests
+#
--- a/mysql-test/main/grant_slave_admin.test
+++ b/mysql-test/main/grant_slave_admin.test
@ -0,0 +1,129 @@
+-- source include/not_embedded.inc
+
+--echo #
+--echo # Start of 10.5 tests
+--echo #
+
+--echo #
+--echo # MDEV-21743 Split up SUPER privilege to smaller privileges 
+--echo #
+
+--echo #
+--echo # Test that slave admin statements are not allowed without REPLICATION SLAVE ADMIN or SUPER
+--echo #
+
+CREATE USER user1@localhost IDENTIFIED BY '';
+GRANT ALL PRIVILEGES ON *.* TO user1@localhost;
+REVOKE REPLICATION SLAVE ADMIN, SUPER ON *.* FROM user1@localhost;
+
+connect (con1,localhost,user1,,);
+connection con1;
+--error ER_SPECIFIC_ACCESS_DENIED_ERROR
+START SLAVE;
+--error ER_SPECIFIC_ACCESS_DENIED_ERROR
+CHANGE MASTER TO MASTER_HOST='127.0.0.1';
+--error ER_SPECIFIC_ACCESS_DENIED_ERROR
+STOP SLAVE;
+--error ER_SPECIFIC_ACCESS_DENIED_ERROR
+SHOW SLAVE STATUS;
+--error ER_SPECIFIC_ACCESS_DENIED_ERROR
+BINLOG '';
+disconnect con1;
+
+connection default;
+DROP USER user1@localhost;
+
+
+--echo #
+--echo # Test that slave admin statements are allowed with REPLICATION SLAVE ADMIN
+--echo #
+
+CREATE USER user1@localhost IDENTIFIED BY '';
+GRANT REPLICATION SLAVE ADMIN ON *.* TO user1@localhost;
+SHOW GRANTS FOR user1@localhost;
+
+connect (con1,localhost,user1,,);
+connection con1;
+--error ER_BAD_SLAVE
+START SLAVE;
+CHANGE MASTER TO MASTER_USER='root';
+STOP SLAVE;
+--disable_result_log
+SHOW SLAVE STATUS;
+# The below fails with a syntax error.
+# This is fine. It's only important that it does not fail on "access denied".
+--error ER_SYNTAX_ERROR
+BINLOG '';
+--enable_result_log
+disconnect con1;
+
+connection default;
+DROP USER user1@localhost;
+
+
+--echo #
+--echo # Test that slave admin statements are allowed with SUPER
+--echo #
+
+CREATE USER user1@localhost IDENTIFIED BY '';
+GRANT SUPER ON *.* TO user1@localhost;
+SHOW GRANTS FOR user1@localhost;
+
+connect (con1,localhost,user1,,);
+connection con1;
+--error ER_BAD_SLAVE
+START SLAVE;
+CHANGE MASTER TO MASTER_USER='root';
+STOP SLAVE;
+--disable_result_log
+SHOW SLAVE STATUS;
+# The below fails with a syntax error.
+# This is fine. It's only important that it does not fail on "access denied".
+--error ER_SYNTAX_ERROR
+BINLOG '';
+--enable_result_log
+disconnect con1;
+
+connection default;
+DROP USER user1@localhost;
+
+
+
+--echo #
+--echo # Test that SHOW RELAYLOG EVENTS is not allowed without REPLICATION SLAVE ADMIN
+--echo #
+
+CREATE USER user1@localhost IDENTIFIED BY '';
+GRANT ALL PRIVILEGES ON *.* TO user1@localhost;
+REVOKE REPLICATION SLAVE ADMIN ON *.* FROM user1@localhost;
+connect (con1,localhost,user1,,);
+connection con1;
+--disable_ps_protocol
+--error ER_SPECIFIC_ACCESS_DENIED_ERROR
+SHOW RELAYLOG EVENTS;
+--enable_ps_protocol
+disconnect con1;
+connection default;
+DROP USER user1@localhost;
+
+--echo #
+--echo # Test that SHOW RELAYLOG EVENTS is allowed with REPLICATION SLAVE ADMIN
+--echo #
+
+CREATE USER user1@localhost IDENTIFIED BY '';
+GRANT REPLICATION SLAVE ADMIN ON *.* TO user1@localhost;
+connect (con1,localhost,user1,,);
+connection con1;
+--disable_ps_protocol
+--disable_result_log
+SHOW RELAYLOG EVENTS;
+--enable_result_log
+--enable_ps_protocol
+disconnect con1;
+connection default;
+DROP USER user1@localhost;
+
+
+--echo #
+--echo # End of 10.5 tests
+--echo #
--- a/mysql-test/main/information_schema_db.result
+++ b/mysql-test/main/information_schema_db.result
@ -101,7 +101,7 @@ grant insert on v1 to testdb_2@localhost;
 create view v5 as select f1 from t1;
 grant select, show view on v5 to testdb_2@localhost;
 create definer=`no_such_user`@`no_such_host` view v6 as select f1 from t1;
-ERROR 42000: Access denied; you need (at least one of) the SUPER privilege(s) for this operation
+ERROR 42000: Access denied; you need (at least one of) the SUPER, SET USER privilege(s) for this operation
 connection default;
 use testdb_1;
 create view v6 as select f1 from t1;
--- a/mysql-test/main/sp-security.result
+++ b/mysql-test/main/sp-security.result
@ -417,7 +417,7 @@ CREATE DATABASE mysqltest;
 CREATE USER mysqltest_1@localhost;
 GRANT ALL PRIVILEGES ON mysqltest.* TO mysqltest_1@localhost;
 CREATE USER mysqltest_2@localhost;
-GRANT SUPER ON *.* TO mysqltest_2@localhost;
+GRANT SET USER ON *.* TO mysqltest_2@localhost;
 GRANT ALL PRIVILEGES ON mysqltest.* TO mysqltest_2@localhost;
 connect  mysqltest_2_con,localhost,mysqltest_2,,mysqltest;
 connect  mysqltest_1_con,localhost,mysqltest_1,,mysqltest;
@ -428,9 +428,9 @@ CREATE FUNCTION wl2897_f1() RETURNS INT RETURN 1;
 connection mysqltest_1_con;
 USE mysqltest;
 CREATE DEFINER=root@localhost PROCEDURE wl2897_p2() SELECT 2;
-ERROR 42000: Access denied; you need (at least one of) the SUPER privilege(s) for this operation
+ERROR 42000: Access denied; you need (at least one of) the SUPER, SET USER privilege(s) for this operation
 CREATE DEFINER=root@localhost FUNCTION wl2897_f2() RETURNS INT RETURN 2;
-ERROR 42000: Access denied; you need (at least one of) the SUPER privilege(s) for this operation
+ERROR 42000: Access denied; you need (at least one of) the SUPER, SET USER privilege(s) for this operation
 connection mysqltest_2_con;
 use mysqltest;
 CREATE DEFINER='a @ b @ c'@localhost PROCEDURE wl2897_p3() SELECT 3;
--- a/mysql-test/main/sp-security.test
+++ b/mysql-test/main/sp-security.test
@ -594,7 +594,7 @@ CREATE USER mysqltest_1@localhost;
 GRANT ALL PRIVILEGES ON mysqltest.* TO mysqltest_1@localhost;

 CREATE USER mysqltest_2@localhost;
-GRANT SUPER ON *.* TO mysqltest_2@localhost;
+GRANT SET USER ON *.* TO mysqltest_2@localhost;
 GRANT ALL PRIVILEGES ON mysqltest.* TO mysqltest_2@localhost;

 --connect (mysqltest_2_con,localhost,mysqltest_2,,mysqltest)
--- a/mysql-test/main/system_mysql_db_error_log.result
+++ b/mysql-test/main/system_mysql_db_error_log.result
@ -9,10 +9,13 @@ SET @all_known_privileges_100500= (1 << 30) - 1;
 SELECT HEX(@all_known_privileges_100500);
 HEX(@all_known_privileges_100500)
 3FFFFFFF
-SET @all_known_privileges_current= (1 << 30) - 1;
+CREATE USER user1@localhost;
+GRANT ALL PRIVILEGES ON *.* TO user1@localhost WITH GRANT OPTION;
+SET @all_known_privileges_current=(SELECT CAST(json_value(Priv, '$.access') AS UNSIGNED) FROM mysql.global_priv WHERE host='localhost' and user='user1');
+DROP USER user1@localhost;
 SELECT HEX(@all_known_privileges_current);
 HEX(@all_known_privileges_current)
-3FFFFFFF
+1FFFFFFFFF
 CREATE USER bad_access1@localhost;
 UPDATE
 mysql.global_priv
@ -103,7 +106,7 @@ host='localhost' and user='good_version_id_100500';
 FLUSH PRIVILEGES;
 SHOW GRANTS FOR good_version_id_100500@localhost;
 Grants for good_version_id_100500@localhost
-GRANT SUPER ON *.* TO `good_version_id_100500`@`localhost`
+GRANT SUPER, SET USER, FEDERATED ADMIN, CONNECTION ADMIN, READ_ONLY ADMIN, REPLICATION SLAVE ADMIN, BINLOG ADMIN ON *.* TO `good_version_id_100500`@`localhost`
 DROP USER good_version_id_100500@localhost;
 FOUND 1 /Warning.*'user' entry 'bad_access1@localhost' has a wrong 'access' value.*version_id=/ in system_mysql_db_error_log.err
 FOUND 1 /Warning.*'user' entry 'bad_version_id_1000000@localhost' has a wrong 'version_id' value 1000000/ in system_mysql_db_error_log.err
--- a/mysql-test/main/system_mysql_db_error_log.test
+++ b/mysql-test/main/system_mysql_db_error_log.test
@ -10,9 +10,13 @@ SELECT HEX(@super_acl_100500);
 SET @all_known_privileges_100500= (1 << 30) - 1;
 SELECT HEX(@all_known_privileges_100500);

-SET @all_known_privileges_current= (1 << 30) - 1;
+CREATE USER user1@localhost;
+GRANT ALL PRIVILEGES ON *.* TO user1@localhost WITH GRANT OPTION;
+SET @all_known_privileges_current=(SELECT CAST(json_value(Priv, '$.access') AS UNSIGNED) FROM mysql.global_priv WHERE host='localhost' and user='user1');
+DROP USER user1@localhost;
 SELECT HEX(@all_known_privileges_current);

+
 CREATE USER bad_access1@localhost;
 UPDATE
  mysql.global_priv
--- a/mysql-test/main/trigger_notembedded.result
+++ b/mysql-test/main/trigger_notembedded.result
@ -112,10 +112,10 @@ CREATE DEFINER='mysqltest_inv'@'localhost'
  TRIGGER trg1 BEFORE INSERT ON t1
 FOR EACH ROW
 SET @new_sum = 0;
-ERROR 42000: Access denied; you need (at least one of) the SUPER privilege(s) for this operation
+ERROR 42000: Access denied; you need (at least one of) the SUPER, SET USER privilege(s) for this operation
 connection default;
 use mysqltest_db1;
-GRANT SUPER ON *.* TO mysqltest_dfn@localhost;
+GRANT SET USER ON *.* TO mysqltest_dfn@localhost;
 disconnect wl2818_definer_con;
 connect  wl2818_definer_con,localhost,mysqltest_dfn,,mysqltest_db1;
 connection wl2818_definer_con;
--- a/mysql-test/main/trigger_notembedded.test
+++ b/mysql-test/main/trigger_notembedded.test
@ -255,7 +255,7 @@ CREATE DEFINER='mysqltest_inv'@'localhost'

 use mysqltest_db1;

-GRANT SUPER ON *.* TO mysqltest_dfn@localhost;
+GRANT SET USER ON *.* TO mysqltest_dfn@localhost;

 --disconnect wl2818_definer_con
 --connect (wl2818_definer_con,localhost,mysqltest_dfn,,mysqltest_db1)
--- a/mysql-test/main/view_grant.result
+++ b/mysql-test/main/view_grant.result
@ -22,7 +22,7 @@ grant create view,select on test.* to mysqltest_1@localhost;
 connect  user1,localhost,mysqltest_1,,test;
 connection user1;
 create definer=root@localhost view v1 as select * from mysqltest.t1;
-ERROR 42000: Access denied; you need (at least one of) the SUPER privilege(s) for this operation
+ERROR 42000: Access denied; you need (at least one of) the SUPER, SET USER privilege(s) for this operation
 create view v1 as select * from mysqltest.t1;
 alter view v1 as select * from mysqltest.t1;
 ERROR 42000: DROP command denied to user 'mysqltest_1'@'localhost' for table 'v1'
@ -833,12 +833,30 @@ connect  def,localhost,def_17254,,db17254;
 connection def;
 CREATE VIEW v1 AS SELECT * FROM t1;
 connection root;
+GRANT SELECT ON db17254.v1 TO inv_17254@localhost;
 DROP USER def_17254@localhost;
 connect  inv,localhost,inv_17254,,db17254;
 connection inv;
-for a user
+for a user without SET USER
 SELECT * FROM v1;
-ERROR 42000: SELECT command denied to user 'inv_17254'@'localhost' for table 'v1'
+ERROR 28000: Access denied for user 'inv_17254'@'localhost' (using password: NO)
+disconnect inv;
+connection root;
+GRANT SET USER ON *.* TO inv_17254@localhost;
+connect  inv2,localhost,inv_17254,,db17254;
+connection inv2;
+SHOW GRANTS;
+Grants for inv_17254@localhost
+GRANT SET USER ON *.* TO `inv_17254`@`localhost`
+GRANT SELECT ON `db17254`.`t1` TO `inv_17254`@`localhost`
+GRANT SELECT ON `db17254`.`v1` TO `inv_17254`@`localhost`
+SELECT CURRENT_USER, SYSTEM_USER(), USER();
+CURRENT_USER	SYSTEM_USER()	USER()
+inv_17254@localhost	inv_17254@localhost	inv_17254@localhost
+for a user with SET USER
+SELECT * FROM v1;
+ERROR HY000: The user specified as a definer ('def_17254'@'localhost') does not exist
+disconnect inv2;
 connection root;
 for a superuser
 SELECT * FROM v1;
@ -846,7 +864,6 @@ ERROR HY000: The user specified as a definer ('def_17254'@'localhost') does not
 DROP USER inv_17254@localhost;
 DROP DATABASE db17254;
 disconnect def;
-disconnect inv;
 DROP DATABASE IF EXISTS mysqltest_db1;
 DROP DATABASE IF EXISTS mysqltest_db2;
 DROP USER mysqltest_u1;
@ -915,7 +932,7 @@ ERROR 42000: CREATE VIEW command denied to user 'u26813'@'localhost' for table '
 ALTER VIEW v2 AS SELECT f2 FROM t1;
 ERROR 42000: DROP command denied to user 'u26813'@'localhost' for table 'v2'
 ALTER VIEW v3 AS SELECT f2 FROM t1;
-ERROR 42000: Access denied; you need (at least one of) the SUPER privilege(s) for this operation
+ERROR 42000: Access denied; you need (at least one of) the SUPER, SET USER privilege(s) for this operation
 connection root;
 SHOW CREATE VIEW v3;
 View	Create View	character_set_client	collation_connection
@ -943,9 +960,9 @@ GRANT SELECT, DROP, CREATE VIEW, SHOW VIEW ON mysqltest_29908.v2 TO u29908_2@loc
 GRANT SELECT ON mysqltest_29908.t1 TO u29908_2@localhost;
 connect  u2,localhost,u29908_2,,mysqltest_29908;
 ALTER VIEW v1 AS SELECT f2 FROM t1;
-ERROR 42000: Access denied; you need (at least one of) the SUPER privilege(s) for this operation
+ERROR 42000: Access denied; you need (at least one of) the SUPER, SET USER privilege(s) for this operation
 ALTER VIEW v2 AS SELECT f2 FROM t1;
-ERROR 42000: Access denied; you need (at least one of) the SUPER privilege(s) for this operation
+ERROR 42000: Access denied; you need (at least one of) the SUPER, SET USER privilege(s) for this operation
 SHOW CREATE VIEW v2;
 View	Create View	character_set_client	collation_connection
 v2	CREATE ALGORITHM=UNDEFINED DEFINER=`u29908_1`@`localhost` SQL SECURITY INVOKER VIEW `v2` AS select `t1`.`f1` AS `f1` from `t1`	latin1	latin1_swedish_ci
--- a/mysql-test/main/view_grant.test
+++ b/mysql-test/main/view_grant.test
@ -987,13 +987,27 @@ connection def;
 CREATE VIEW v1 AS SELECT * FROM t1;

 connection root;
+GRANT SELECT ON db17254.v1 TO inv_17254@localhost;
 DROP USER def_17254@localhost;

 connect (inv,localhost,inv_17254,,db17254);
 connection inv;
--echo for a user
--error ER_TABLEACCESS_DENIED_ERROR
+--echo for a user without SET USER
+--error ER_ACCESS_DENIED_ERROR
 SELECT * FROM v1;
+disconnect inv;
+
+connection root;
+GRANT SET USER ON *.* TO inv_17254@localhost;
+
+connect (inv2,localhost,inv_17254,,db17254);
+connection inv2;
+SHOW GRANTS;
+SELECT CURRENT_USER, SYSTEM_USER(), USER();
+--echo for a user with SET USER
+--error ER_NO_SUCH_USER
+SELECT * FROM v1;
+disconnect inv2;

 connection root;
 --echo for a superuser
@ -1002,7 +1016,6 @@ SELECT * FROM v1;
 DROP USER inv_17254@localhost;
 DROP DATABASE db17254;
 disconnect def;
-disconnect inv;


 #
--- a/mysql-test/suite/binlog/r/binlog_grant.result
+++ b/mysql-test/suite/binlog/r/binlog_grant.result
@ -38,6 +38,91 @@ connect rpl,localhost,mysqltest_1,,;
 connection rpl;
 SHOW MASTER LOGS;
 SHOW BINARY LOGS;
+SHOW BINLOG STATUS;
 disconnect rpl;
 connection default;
 DROP USER 'mysqltest_1'@'localhost';
+#
+# Start of 10.5 test
+#
+#
+# MDEV-21743 Split up SUPER privilege to smaller privileges 
+#
+# Test that REPLICATION CLIENT is an alias for BINLOG MONITOR
+CREATE USER user1@localhost;
+GRANT REPLICATION CLIENT ON *.* TO user1@localhost;
+SHOW GRANTS FOR user1@localhost;
+Grants for user1@localhost
+GRANT BINLOG MONITOR ON *.* TO `user1`@`localhost`
+REVOKE REPLICATION CLIENT ON *.* FROM user1@localhost;
+SHOW GRANTS FOR user1@localhost;
+Grants for user1@localhost
+GRANT USAGE ON *.* TO `user1`@`localhost`
+DROP USER user1@localhost;
+# Test if SHOW BINARY LOGS and SHOW BINGLOG STATUS are not allowed without REPLICATION CLIENT or SUPER
+CREATE USER user1@localhost;
+GRANT ALL PRIVILEGES ON *.* TO user1@localhost;
+REVOKE REPLICATION CLIENT, SUPER ON *.* FROM user1@localhost;
+connect user1,localhost,user1,,;
+connection user1;
+SHOW MASTER LOGS;
+ERROR 42000: Access denied; you need (at least one of) the SUPER, BINLOG MONITOR privilege(s) for this operation
+SHOW BINARY LOGS;
+ERROR 42000: Access denied; you need (at least one of) the SUPER, BINLOG MONITOR privilege(s) for this operation
+SHOW BINLOG STATUS;
+ERROR 42000: Access denied; you need (at least one of) the SUPER, BINLOG MONITOR privilege(s) for this operation
+disconnect user1;
+connection default;
+DROP USER user1@localhost;
+# Test if PURGE BINARY LOGS is not allowed without BINLOG ADMIN or SUPER
+CREATE USER user1@localhost;
+GRANT ALL PRIVILEGES ON *.* TO user1@localhost;
+REVOKE BINLOG ADMIN, SUPER ON *.* FROM user1@localhost;
+connect user1,localhost,user1,,;
+connection user1;
+PURGE BINARY LOGS BEFORE '2001-01-01 00:00:00';
+ERROR 42000: Access denied; you need (at least one of) the SUPER, BINLOG ADMIN privilege(s) for this operation
+disconnect user1;
+connection default;
+DROP USER user1@localhost;
+# Test if PURGE BINLOG is allowed with BINLOG ADMIN
+CREATE USER user1@localhost;
+GRANT BINLOG ADMIN ON *.* TO user1@localhost;
+connect user1,localhost,user1,,;
+connection user1;
+PURGE BINARY LOGS BEFORE '2001-01-01 00:00:00';
+disconnect user1;
+connection default;
+DROP USER user1@localhost;
+# Test if PURGE BINLOG is allowed with SUPER
+CREATE USER user1@localhost;
+GRANT SUPER ON *.* TO user1@localhost;
+connect user1,localhost,user1,,;
+connection user1;
+PURGE BINARY LOGS BEFORE '2001-01-01 00:00:00';
+disconnect user1;
+connection default;
+DROP USER user1@localhost;
+# Test if SHOW BINLOG EVENTS is not allowed without BINLOG MONITOR
+CREATE USER user1@localhost;
+GRANT ALL PRIVILEGES ON *.* TO user1@localhost;
+REVOKE BINLOG MONITOR ON *.* FROM user1@localhost;
+connect user1,localhost,user1,,;
+connection user1;
+SHOW BINLOG EVENTS;
+ERROR 42000: Access denied; you need (at least one of) the BINLOG MONITOR privilege(s) for this operation
+disconnect user1;
+connection default;
+DROP USER user1@localhost;
+# Test if SHOW BINLOG EVENTS is allowed with BINLOG MONITOR
+CREATE USER user1@localhost;
+GRANT BINLOG MONITOR ON *.* TO user1@localhost;
+connect user1,localhost,user1,,;
+connection user1;
+SHOW BINLOG EVENTS;
+disconnect user1;
+connection default;
+DROP USER user1@localhost;
+#
+# End of 10.5 test
+#
--- a/mysql-test/suite/binlog/t/binlog_grant.test
+++ b/mysql-test/suite/binlog/t/binlog_grant.test
@ -68,9 +68,110 @@ GRANT REPLICATION CLIENT ON *.* TO 'mysqltest_1'@'localhost';
 --disable_result_log
 SHOW MASTER LOGS;
 SHOW BINARY LOGS;
--enable_result_log
+SHOW BINLOG STATUS;
+--enable_result_log 

 # clean up
 --disconnect rpl
 connection default;
 DROP USER 'mysqltest_1'@'localhost';
+
+
+--echo #
+--echo # Start of 10.5 test
+--echo #
+
+--echo #
+--echo # MDEV-21743 Split up SUPER privilege to smaller privileges 
+--echo #
+
+--echo # Test that REPLICATION CLIENT is an alias for BINLOG MONITOR
+
+CREATE USER user1@localhost;
+GRANT REPLICATION CLIENT ON *.* TO user1@localhost;
+SHOW GRANTS FOR user1@localhost;
+REVOKE REPLICATION CLIENT ON *.* FROM user1@localhost;
+SHOW GRANTS FOR user1@localhost;
+DROP USER user1@localhost;
+
+
+--echo # Test if SHOW BINARY LOGS and SHOW BINGLOG STATUS are not allowed without REPLICATION CLIENT or SUPER
+CREATE USER user1@localhost;
+GRANT ALL PRIVILEGES ON *.* TO user1@localhost;
+REVOKE REPLICATION CLIENT, SUPER ON *.* FROM user1@localhost;
+--connect(user1,localhost,user1,,)
+--connection user1
+--error ER_SPECIFIC_ACCESS_DENIED_ERROR
+SHOW MASTER LOGS;
+--error ER_SPECIFIC_ACCESS_DENIED_ERROR
+SHOW BINARY LOGS;
+--error ER_SPECIFIC_ACCESS_DENIED_ERROR
+SHOW BINLOG STATUS;
+--disconnect user1
+--connection default
+DROP USER user1@localhost;
+
+
+--echo # Test if PURGE BINARY LOGS is not allowed without BINLOG ADMIN or SUPER
+CREATE USER user1@localhost;
+GRANT ALL PRIVILEGES ON *.* TO user1@localhost;
+REVOKE BINLOG ADMIN, SUPER ON *.* FROM user1@localhost;
+--connect(user1,localhost,user1,,)
+--connection user1
+--error ER_SPECIFIC_ACCESS_DENIED_ERROR
+PURGE BINARY LOGS BEFORE '2001-01-01 00:00:00';
+--disconnect user1
+--connection default
+DROP USER user1@localhost;
+
+
+--echo # Test if PURGE BINLOG is allowed with BINLOG ADMIN
+CREATE USER user1@localhost;
+GRANT BINLOG ADMIN ON *.* TO user1@localhost;
+--connect(user1,localhost,user1,,)
+--connection user1
+PURGE BINARY LOGS BEFORE '2001-01-01 00:00:00';
+--disconnect user1
+connection default;
+DROP USER user1@localhost;
+
+
+--echo # Test if PURGE BINLOG is allowed with SUPER
+CREATE USER user1@localhost;
+GRANT SUPER ON *.* TO user1@localhost;
+--connect(user1,localhost,user1,,)
+--connection user1
+PURGE BINARY LOGS BEFORE '2001-01-01 00:00:00';
+--disconnect user1
+connection default;
+DROP USER user1@localhost;
+
+
+--echo # Test if SHOW BINLOG EVENTS is not allowed without BINLOG MONITOR
+CREATE USER user1@localhost;
+GRANT ALL PRIVILEGES ON *.* TO user1@localhost;
+REVOKE BINLOG MONITOR ON *.* FROM user1@localhost;
+--connect(user1,localhost,user1,,)
+--connection user1
+--error ER_SPECIFIC_ACCESS_DENIED_ERROR
+SHOW BINLOG EVENTS;
+--disconnect user1
+--connection default
+DROP USER user1@localhost;
+
+
+--echo # Test if SHOW BINLOG EVENTS is allowed with BINLOG MONITOR
+CREATE USER user1@localhost;
+GRANT BINLOG MONITOR ON *.* TO user1@localhost;
+--connect(user1,localhost,user1,,)
+--connection user1
+--disable_result_log
+SHOW BINLOG EVENTS;
+--enable_result_log
+--disconnect user1
+connection default;
+DROP USER user1@localhost;
+
+--echo #
+--echo # End of 10.5 test
+--echo #
--- a/mysql-test/suite/funcs_1/r/innodb_trig_03.result
+++ b/mysql-test/suite/funcs_1/r/innodb_trig_03.result
@ -78,7 +78,7 @@ grant ALL  on *.* to test_noprivs@localhost;
 revoke TRIGGER on *.* from test_noprivs@localhost;
 show grants for test_noprivs@localhost;
 Grants for test_noprivs@localhost
-GRANT SELECT, INSERT, UPDATE, DELETE, CREATE, DROP, RELOAD, SHUTDOWN, PROCESS, FILE, REFERENCES, INDEX, ALTER, SHOW DATABASES, SUPER, CREATE TEMPORARY TABLES, LOCK TABLES, EXECUTE, REPLICATION SLAVE, REPLICATION CLIENT, CREATE VIEW, SHOW VIEW, CREATE ROUTINE, ALTER ROUTINE, CREATE USER, EVENT, CREATE TABLESPACE, DELETE HISTORY ON *.* TO `test_noprivs`@`localhost` IDENTIFIED BY PASSWORD '*C49735D016A099C0CF104EF9183F374A54CA2576'
+GRANT SELECT, INSERT, UPDATE, DELETE, CREATE, DROP, RELOAD, SHUTDOWN, PROCESS, FILE, REFERENCES, INDEX, ALTER, SHOW DATABASES, SUPER, CREATE TEMPORARY TABLES, LOCK TABLES, EXECUTE, REPLICATION SLAVE, BINLOG MONITOR, CREATE VIEW, SHOW VIEW, CREATE ROUTINE, ALTER ROUTINE, CREATE USER, EVENT, CREATE TABLESPACE, DELETE HISTORY, SET USER, FEDERATED ADMIN, CONNECTION ADMIN, READ_ONLY ADMIN, REPLICATION SLAVE ADMIN, REPLICATION MASTER ADMIN, BINLOG ADMIN ON *.* TO `test_noprivs`@`localhost` IDENTIFIED BY PASSWORD '*C49735D016A099C0CF104EF9183F374A54CA2576'
 revoke ALL PRIVILEGES, GRANT OPTION FROM test_yesprivs@localhost;
 grant TRIGGER on *.* to test_yesprivs@localhost;
 grant SELECT on priv_db.t1 to test_yesprivs@localhost;
@ -168,7 +168,7 @@ grant ALL  on *.* to test_noprivs@localhost;
 revoke UPDATE  on *.* from test_noprivs@localhost;
 show grants for test_noprivs@localhost;
 Grants for test_noprivs@localhost
-GRANT SELECT, INSERT, DELETE, CREATE, DROP, RELOAD, SHUTDOWN, PROCESS, FILE, REFERENCES, INDEX, ALTER, SHOW DATABASES, SUPER, CREATE TEMPORARY TABLES, LOCK TABLES, EXECUTE, REPLICATION SLAVE, REPLICATION CLIENT, CREATE VIEW, SHOW VIEW, CREATE ROUTINE, ALTER ROUTINE, CREATE USER, EVENT, TRIGGER, CREATE TABLESPACE, DELETE HISTORY ON *.* TO `test_noprivs`@`localhost` IDENTIFIED BY PASSWORD '*C49735D016A099C0CF104EF9183F374A54CA2576'
+GRANT SELECT, INSERT, DELETE, CREATE, DROP, RELOAD, SHUTDOWN, PROCESS, FILE, REFERENCES, INDEX, ALTER, SHOW DATABASES, SUPER, CREATE TEMPORARY TABLES, LOCK TABLES, EXECUTE, REPLICATION SLAVE, BINLOG MONITOR, CREATE VIEW, SHOW VIEW, CREATE ROUTINE, ALTER ROUTINE, CREATE USER, EVENT, TRIGGER, CREATE TABLESPACE, DELETE HISTORY, SET USER, FEDERATED ADMIN, CONNECTION ADMIN, READ_ONLY ADMIN, REPLICATION SLAVE ADMIN, REPLICATION MASTER ADMIN, BINLOG ADMIN ON *.* TO `test_noprivs`@`localhost` IDENTIFIED BY PASSWORD '*C49735D016A099C0CF104EF9183F374A54CA2576'
 revoke ALL PRIVILEGES, GRANT OPTION FROM test_yesprivs@localhost;
 grant TRIGGER, UPDATE on *.* to test_yesprivs@localhost;
 show grants for test_yesprivs@localhost;
@ -183,7 +183,7 @@ test_noprivs@localhost
 use priv_db;
 show grants;
 Grants for test_noprivs@localhost
-GRANT SELECT, INSERT, DELETE, CREATE, DROP, RELOAD, SHUTDOWN, PROCESS, FILE, REFERENCES, INDEX, ALTER, SHOW DATABASES, SUPER, CREATE TEMPORARY TABLES, LOCK TABLES, EXECUTE, REPLICATION SLAVE, REPLICATION CLIENT, CREATE VIEW, SHOW VIEW, CREATE ROUTINE, ALTER ROUTINE, CREATE USER, EVENT, TRIGGER, CREATE TABLESPACE, DELETE HISTORY ON *.* TO `test_noprivs`@`localhost` IDENTIFIED BY PASSWORD '*C49735D016A099C0CF104EF9183F374A54CA2576'
+GRANT SELECT, INSERT, DELETE, CREATE, DROP, RELOAD, SHUTDOWN, PROCESS, FILE, REFERENCES, INDEX, ALTER, SHOW DATABASES, SUPER, CREATE TEMPORARY TABLES, LOCK TABLES, EXECUTE, REPLICATION SLAVE, BINLOG MONITOR, CREATE VIEW, SHOW VIEW, CREATE ROUTINE, ALTER ROUTINE, CREATE USER, EVENT, TRIGGER, CREATE TABLESPACE, DELETE HISTORY, SET USER, FEDERATED ADMIN, CONNECTION ADMIN, READ_ONLY ADMIN, REPLICATION SLAVE ADMIN, REPLICATION MASTER ADMIN, BINLOG ADMIN ON *.* TO `test_noprivs`@`localhost` IDENTIFIED BY PASSWORD '*C49735D016A099C0CF104EF9183F374A54CA2576'
 select f1 from t1 order by f1;
 f1
 insert 3.5.3.2-no
@ -441,7 +441,7 @@ grant ALL  on *.* to test_noprivs@localhost;
 revoke SELECT  on *.* from test_noprivs@localhost;
 show grants for test_noprivs@localhost;
 Grants for test_noprivs@localhost
-GRANT INSERT, UPDATE, DELETE, CREATE, DROP, RELOAD, SHUTDOWN, PROCESS, FILE, REFERENCES, INDEX, ALTER, SHOW DATABASES, SUPER, CREATE TEMPORARY TABLES, LOCK TABLES, EXECUTE, REPLICATION SLAVE, REPLICATION CLIENT, CREATE VIEW, SHOW VIEW, CREATE ROUTINE, ALTER ROUTINE, CREATE USER, EVENT, TRIGGER, CREATE TABLESPACE, DELETE HISTORY ON *.* TO `test_noprivs`@`localhost` IDENTIFIED BY PASSWORD '*C49735D016A099C0CF104EF9183F374A54CA2576'
+GRANT INSERT, UPDATE, DELETE, CREATE, DROP, RELOAD, SHUTDOWN, PROCESS, FILE, REFERENCES, INDEX, ALTER, SHOW DATABASES, SUPER, CREATE TEMPORARY TABLES, LOCK TABLES, EXECUTE, REPLICATION SLAVE, BINLOG MONITOR, CREATE VIEW, SHOW VIEW, CREATE ROUTINE, ALTER ROUTINE, CREATE USER, EVENT, TRIGGER, CREATE TABLESPACE, DELETE HISTORY, SET USER, FEDERATED ADMIN, CONNECTION ADMIN, READ_ONLY ADMIN, REPLICATION SLAVE ADMIN, REPLICATION MASTER ADMIN, BINLOG ADMIN ON *.* TO `test_noprivs`@`localhost` IDENTIFIED BY PASSWORD '*C49735D016A099C0CF104EF9183F374A54CA2576'
 revoke ALL PRIVILEGES, GRANT OPTION FROM test_yesprivs@localhost;
 grant TRIGGER, SELECT on *.* to test_yesprivs@localhost;
 show grants for test_yesprivs@localhost;
@ -457,7 +457,7 @@ test_noprivs@localhost
 use priv_db;
 show grants;
 Grants for test_noprivs@localhost
-GRANT INSERT, UPDATE, DELETE, CREATE, DROP, RELOAD, SHUTDOWN, PROCESS, FILE, REFERENCES, INDEX, ALTER, SHOW DATABASES, SUPER, CREATE TEMPORARY TABLES, LOCK TABLES, EXECUTE, REPLICATION SLAVE, REPLICATION CLIENT, CREATE VIEW, SHOW VIEW, CREATE ROUTINE, ALTER ROUTINE, CREATE USER, EVENT, TRIGGER, CREATE TABLESPACE, DELETE HISTORY ON *.* TO `test_noprivs`@`localhost` IDENTIFIED BY PASSWORD '*C49735D016A099C0CF104EF9183F374A54CA2576'
+GRANT INSERT, UPDATE, DELETE, CREATE, DROP, RELOAD, SHUTDOWN, PROCESS, FILE, REFERENCES, INDEX, ALTER, SHOW DATABASES, SUPER, CREATE TEMPORARY TABLES, LOCK TABLES, EXECUTE, REPLICATION SLAVE, BINLOG MONITOR, CREATE VIEW, SHOW VIEW, CREATE ROUTINE, ALTER ROUTINE, CREATE USER, EVENT, TRIGGER, CREATE TABLESPACE, DELETE HISTORY, SET USER, FEDERATED ADMIN, CONNECTION ADMIN, READ_ONLY ADMIN, REPLICATION SLAVE ADMIN, REPLICATION MASTER ADMIN, BINLOG ADMIN ON *.* TO `test_noprivs`@`localhost` IDENTIFIED BY PASSWORD '*C49735D016A099C0CF104EF9183F374A54CA2576'
 create trigger trg5a_1 before INSERT on t1 for each row
 set @test_var = new.f1;
 connection default;
--- a/mysql-test/suite/funcs_1/r/innodb_trig_03e.result
+++ b/mysql-test/suite/funcs_1/r/innodb_trig_03e.result
@ -603,7 +603,7 @@ trig 1_1-yes
 revoke TRIGGER on *.* from test_yesprivs@localhost;
 show grants for test_yesprivs@localhost;
 Grants for test_yesprivs@localhost
-GRANT SELECT, INSERT, UPDATE, DELETE, CREATE, DROP, RELOAD, SHUTDOWN, PROCESS, FILE, REFERENCES, INDEX, ALTER, SHOW DATABASES, SUPER, CREATE TEMPORARY TABLES, LOCK TABLES, EXECUTE, REPLICATION SLAVE, REPLICATION CLIENT, CREATE VIEW, SHOW VIEW, CREATE ROUTINE, ALTER ROUTINE, CREATE USER, EVENT, CREATE TABLESPACE, DELETE HISTORY ON *.* TO `test_yesprivs`@`localhost` IDENTIFIED BY PASSWORD '*C49735D016A099C0CF104EF9183F374A54CA2576'
+GRANT SELECT, INSERT, UPDATE, DELETE, CREATE, DROP, RELOAD, SHUTDOWN, PROCESS, FILE, REFERENCES, INDEX, ALTER, SHOW DATABASES, SUPER, CREATE TEMPORARY TABLES, LOCK TABLES, EXECUTE, REPLICATION SLAVE, BINLOG MONITOR, CREATE VIEW, SHOW VIEW, CREATE ROUTINE, ALTER ROUTINE, CREATE USER, EVENT, CREATE TABLESPACE, DELETE HISTORY, SET USER, FEDERATED ADMIN, CONNECTION ADMIN, READ_ONLY ADMIN, REPLICATION SLAVE ADMIN, REPLICATION MASTER ADMIN, BINLOG ADMIN ON *.* TO `test_yesprivs`@`localhost` IDENTIFIED BY PASSWORD '*C49735D016A099C0CF104EF9183F374A54CA2576'
 disconnect yes_privs;
 connect  yes_privs,localhost,test_yesprivs,PWD,test,$MASTER_MYPORT,$MASTER_MYSOCK;
 select current_user;
@ -656,7 +656,7 @@ root@localhost
 grant TRIGGER on priv_db.* to test_yesprivs@localhost;
 show grants for test_yesprivs@localhost;
 Grants for test_yesprivs@localhost
-GRANT SELECT, INSERT, UPDATE, DELETE, CREATE, DROP, RELOAD, SHUTDOWN, PROCESS, FILE, REFERENCES, INDEX, ALTER, SHOW DATABASES, SUPER, CREATE TEMPORARY TABLES, LOCK TABLES, EXECUTE, REPLICATION SLAVE, REPLICATION CLIENT, CREATE VIEW, SHOW VIEW, CREATE ROUTINE, ALTER ROUTINE, CREATE USER, EVENT, CREATE TABLESPACE, DELETE HISTORY ON *.* TO `test_yesprivs`@`localhost` IDENTIFIED BY PASSWORD '*C49735D016A099C0CF104EF9183F374A54CA2576'
+GRANT SELECT, INSERT, UPDATE, DELETE, CREATE, DROP, RELOAD, SHUTDOWN, PROCESS, FILE, REFERENCES, INDEX, ALTER, SHOW DATABASES, SUPER, CREATE TEMPORARY TABLES, LOCK TABLES, EXECUTE, REPLICATION SLAVE, BINLOG MONITOR, CREATE VIEW, SHOW VIEW, CREATE ROUTINE, ALTER ROUTINE, CREATE USER, EVENT, CREATE TABLESPACE, DELETE HISTORY, SET USER, FEDERATED ADMIN, CONNECTION ADMIN, READ_ONLY ADMIN, REPLICATION SLAVE ADMIN, REPLICATION MASTER ADMIN, BINLOG ADMIN ON *.* TO `test_yesprivs`@`localhost` IDENTIFIED BY PASSWORD '*C49735D016A099C0CF104EF9183F374A54CA2576'
 GRANT TRIGGER ON `priv_db`.* TO `test_yesprivs`@`localhost`

 trigger privilege on db level for create:
@ -1350,7 +1350,7 @@ drop trigger trg1_0;
 create definer=not_ex_user@localhost trigger trg1_0
 before INSERT on t1 for each row
 set new.f1 = 'trig 1_0-yes';
-ERROR 42000: Access denied; you need (at least one of) the SUPER privilege(s) for this operation
+ERROR 42000: Access denied; you need (at least one of) the SUPER, SET USER privilege(s) for this operation
 create definer=current_user trigger trg1_1
 before INSERT on t1 for each row
 set new.f1 = 'trig 1_1-yes';
@ -1385,7 +1385,7 @@ GRANT SELECT, INSERT, UPDATE, TRIGGER ON `priv_db`.`t1` TO `test_yesprivs`@`loca
 create definer=not_ex_user@localhost trigger trg1_3
 after UPDATE on t1 for each row
 set @var1 = 'trig 1_3-yes';
-ERROR 42000: Access denied; you need (at least one of) the SUPER privilege(s) for this operation
+ERROR 42000: Access denied; you need (at least one of) the SUPER, SET USER privilege(s) for this operation
 connection default;
 select current_user;
 current_user
--- a/mysql-test/suite/funcs_1/r/memory_trig_03.result
+++ b/mysql-test/suite/funcs_1/r/memory_trig_03.result
@ -78,7 +78,7 @@ grant ALL  on *.* to test_noprivs@localhost;
 revoke TRIGGER on *.* from test_noprivs@localhost;
 show grants for test_noprivs@localhost;
 Grants for test_noprivs@localhost
-GRANT SELECT, INSERT, UPDATE, DELETE, CREATE, DROP, RELOAD, SHUTDOWN, PROCESS, FILE, REFERENCES, INDEX, ALTER, SHOW DATABASES, SUPER, CREATE TEMPORARY TABLES, LOCK TABLES, EXECUTE, REPLICATION SLAVE, REPLICATION CLIENT, CREATE VIEW, SHOW VIEW, CREATE ROUTINE, ALTER ROUTINE, CREATE USER, EVENT, CREATE TABLESPACE, DELETE HISTORY ON *.* TO `test_noprivs`@`localhost` IDENTIFIED BY PASSWORD '*C49735D016A099C0CF104EF9183F374A54CA2576'
+GRANT SELECT, INSERT, UPDATE, DELETE, CREATE, DROP, RELOAD, SHUTDOWN, PROCESS, FILE, REFERENCES, INDEX, ALTER, SHOW DATABASES, SUPER, CREATE TEMPORARY TABLES, LOCK TABLES, EXECUTE, REPLICATION SLAVE, BINLOG MONITOR, CREATE VIEW, SHOW VIEW, CREATE ROUTINE, ALTER ROUTINE, CREATE USER, EVENT, CREATE TABLESPACE, DELETE HISTORY, SET USER, FEDERATED ADMIN, CONNECTION ADMIN, READ_ONLY ADMIN, REPLICATION SLAVE ADMIN, REPLICATION MASTER ADMIN, BINLOG ADMIN ON *.* TO `test_noprivs`@`localhost` IDENTIFIED BY PASSWORD '*C49735D016A099C0CF104EF9183F374A54CA2576'
 revoke ALL PRIVILEGES, GRANT OPTION FROM test_yesprivs@localhost;
 grant TRIGGER on *.* to test_yesprivs@localhost;
 grant SELECT on priv_db.t1 to test_yesprivs@localhost;
@ -168,7 +168,7 @@ grant ALL  on *.* to test_noprivs@localhost;
 revoke UPDATE  on *.* from test_noprivs@localhost;
 show grants for test_noprivs@localhost;
 Grants for test_noprivs@localhost
-GRANT SELECT, INSERT, DELETE, CREATE, DROP, RELOAD, SHUTDOWN, PROCESS, FILE, REFERENCES, INDEX, ALTER, SHOW DATABASES, SUPER, CREATE TEMPORARY TABLES, LOCK TABLES, EXECUTE, REPLICATION SLAVE, REPLICATION CLIENT, CREATE VIEW, SHOW VIEW, CREATE ROUTINE, ALTER ROUTINE, CREATE USER, EVENT, TRIGGER, CREATE TABLESPACE, DELETE HISTORY ON *.* TO `test_noprivs`@`localhost` IDENTIFIED BY PASSWORD '*C49735D016A099C0CF104EF9183F374A54CA2576'
+GRANT SELECT, INSERT, DELETE, CREATE, DROP, RELOAD, SHUTDOWN, PROCESS, FILE, REFERENCES, INDEX, ALTER, SHOW DATABASES, SUPER, CREATE TEMPORARY TABLES, LOCK TABLES, EXECUTE, REPLICATION SLAVE, BINLOG MONITOR, CREATE VIEW, SHOW VIEW, CREATE ROUTINE, ALTER ROUTINE, CREATE USER, EVENT, TRIGGER, CREATE TABLESPACE, DELETE HISTORY, SET USER, FEDERATED ADMIN, CONNECTION ADMIN, READ_ONLY ADMIN, REPLICATION SLAVE ADMIN, REPLICATION MASTER ADMIN, BINLOG ADMIN ON *.* TO `test_noprivs`@`localhost` IDENTIFIED BY PASSWORD '*C49735D016A099C0CF104EF9183F374A54CA2576'
 revoke ALL PRIVILEGES, GRANT OPTION FROM test_yesprivs@localhost;
 grant TRIGGER, UPDATE on *.* to test_yesprivs@localhost;
 show grants for test_yesprivs@localhost;
@ -183,7 +183,7 @@ test_noprivs@localhost
 use priv_db;
 show grants;
 Grants for test_noprivs@localhost
-GRANT SELECT, INSERT, DELETE, CREATE, DROP, RELOAD, SHUTDOWN, PROCESS, FILE, REFERENCES, INDEX, ALTER, SHOW DATABASES, SUPER, CREATE TEMPORARY TABLES, LOCK TABLES, EXECUTE, REPLICATION SLAVE, REPLICATION CLIENT, CREATE VIEW, SHOW VIEW, CREATE ROUTINE, ALTER ROUTINE, CREATE USER, EVENT, TRIGGER, CREATE TABLESPACE, DELETE HISTORY ON *.* TO `test_noprivs`@`localhost` IDENTIFIED BY PASSWORD '*C49735D016A099C0CF104EF9183F374A54CA2576'
+GRANT SELECT, INSERT, DELETE, CREATE, DROP, RELOAD, SHUTDOWN, PROCESS, FILE, REFERENCES, INDEX, ALTER, SHOW DATABASES, SUPER, CREATE TEMPORARY TABLES, LOCK TABLES, EXECUTE, REPLICATION SLAVE, BINLOG MONITOR, CREATE VIEW, SHOW VIEW, CREATE ROUTINE, ALTER ROUTINE, CREATE USER, EVENT, TRIGGER, CREATE TABLESPACE, DELETE HISTORY, SET USER, FEDERATED ADMIN, CONNECTION ADMIN, READ_ONLY ADMIN, REPLICATION SLAVE ADMIN, REPLICATION MASTER ADMIN, BINLOG ADMIN ON *.* TO `test_noprivs`@`localhost` IDENTIFIED BY PASSWORD '*C49735D016A099C0CF104EF9183F374A54CA2576'
 select f1 from t1 order by f1;
 f1
 insert 3.5.3.2-no
@ -441,7 +441,7 @@ grant ALL  on *.* to test_noprivs@localhost;
 revoke SELECT  on *.* from test_noprivs@localhost;
 show grants for test_noprivs@localhost;
 Grants for test_noprivs@localhost
-GRANT INSERT, UPDATE, DELETE, CREATE, DROP, RELOAD, SHUTDOWN, PROCESS, FILE, REFERENCES, INDEX, ALTER, SHOW DATABASES, SUPER, CREATE TEMPORARY TABLES, LOCK TABLES, EXECUTE, REPLICATION SLAVE, REPLICATION CLIENT, CREATE VIEW, SHOW VIEW, CREATE ROUTINE, ALTER ROUTINE, CREATE USER, EVENT, TRIGGER, CREATE TABLESPACE, DELETE HISTORY ON *.* TO `test_noprivs`@`localhost` IDENTIFIED BY PASSWORD '*C49735D016A099C0CF104EF9183F374A54CA2576'
+GRANT INSERT, UPDATE, DELETE, CREATE, DROP, RELOAD, SHUTDOWN, PROCESS, FILE, REFERENCES, INDEX, ALTER, SHOW DATABASES, SUPER, CREATE TEMPORARY TABLES, LOCK TABLES, EXECUTE, REPLICATION SLAVE, BINLOG MONITOR, CREATE VIEW, SHOW VIEW, CREATE ROUTINE, ALTER ROUTINE, CREATE USER, EVENT, TRIGGER, CREATE TABLESPACE, DELETE HISTORY, SET USER, FEDERATED ADMIN, CONNECTION ADMIN, READ_ONLY ADMIN, REPLICATION SLAVE ADMIN, REPLICATION MASTER ADMIN, BINLOG ADMIN ON *.* TO `test_noprivs`@`localhost` IDENTIFIED BY PASSWORD '*C49735D016A099C0CF104EF9183F374A54CA2576'
 revoke ALL PRIVILEGES, GRANT OPTION FROM test_yesprivs@localhost;
 grant TRIGGER, SELECT on *.* to test_yesprivs@localhost;
 show grants for test_yesprivs@localhost;
@ -457,7 +457,7 @@ test_noprivs@localhost
 use priv_db;
 show grants;
 Grants for test_noprivs@localhost
-GRANT INSERT, UPDATE, DELETE, CREATE, DROP, RELOAD, SHUTDOWN, PROCESS, FILE, REFERENCES, INDEX, ALTER, SHOW DATABASES, SUPER, CREATE TEMPORARY TABLES, LOCK TABLES, EXECUTE, REPLICATION SLAVE, REPLICATION CLIENT, CREATE VIEW, SHOW VIEW, CREATE ROUTINE, ALTER ROUTINE, CREATE USER, EVENT, TRIGGER, CREATE TABLESPACE, DELETE HISTORY ON *.* TO `test_noprivs`@`localhost` IDENTIFIED BY PASSWORD '*C49735D016A099C0CF104EF9183F374A54CA2576'
+GRANT INSERT, UPDATE, DELETE, CREATE, DROP, RELOAD, SHUTDOWN, PROCESS, FILE, REFERENCES, INDEX, ALTER, SHOW DATABASES, SUPER, CREATE TEMPORARY TABLES, LOCK TABLES, EXECUTE, REPLICATION SLAVE, BINLOG MONITOR, CREATE VIEW, SHOW VIEW, CREATE ROUTINE, ALTER ROUTINE, CREATE USER, EVENT, TRIGGER, CREATE TABLESPACE, DELETE HISTORY, SET USER, FEDERATED ADMIN, CONNECTION ADMIN, READ_ONLY ADMIN, REPLICATION SLAVE ADMIN, REPLICATION MASTER ADMIN, BINLOG ADMIN ON *.* TO `test_noprivs`@`localhost` IDENTIFIED BY PASSWORD '*C49735D016A099C0CF104EF9183F374A54CA2576'
 create trigger trg5a_1 before INSERT on t1 for each row
 set @test_var = new.f1;
 connection default;
--- a/mysql-test/suite/funcs_1/r/memory_trig_03e.result
+++ b/mysql-test/suite/funcs_1/r/memory_trig_03e.result
@ -604,7 +604,7 @@ trig 1_1-yes
 revoke TRIGGER on *.* from test_yesprivs@localhost;
 show grants for test_yesprivs@localhost;
 Grants for test_yesprivs@localhost
-GRANT SELECT, INSERT, UPDATE, DELETE, CREATE, DROP, RELOAD, SHUTDOWN, PROCESS, FILE, REFERENCES, INDEX, ALTER, SHOW DATABASES, SUPER, CREATE TEMPORARY TABLES, LOCK TABLES, EXECUTE, REPLICATION SLAVE, REPLICATION CLIENT, CREATE VIEW, SHOW VIEW, CREATE ROUTINE, ALTER ROUTINE, CREATE USER, EVENT, CREATE TABLESPACE, DELETE HISTORY ON *.* TO `test_yesprivs`@`localhost` IDENTIFIED BY PASSWORD '*C49735D016A099C0CF104EF9183F374A54CA2576'
+GRANT SELECT, INSERT, UPDATE, DELETE, CREATE, DROP, RELOAD, SHUTDOWN, PROCESS, FILE, REFERENCES, INDEX, ALTER, SHOW DATABASES, SUPER, CREATE TEMPORARY TABLES, LOCK TABLES, EXECUTE, REPLICATION SLAVE, BINLOG MONITOR, CREATE VIEW, SHOW VIEW, CREATE ROUTINE, ALTER ROUTINE, CREATE USER, EVENT, CREATE TABLESPACE, DELETE HISTORY, SET USER, FEDERATED ADMIN, CONNECTION ADMIN, READ_ONLY ADMIN, REPLICATION SLAVE ADMIN, REPLICATION MASTER ADMIN, BINLOG ADMIN ON *.* TO `test_yesprivs`@`localhost` IDENTIFIED BY PASSWORD '*C49735D016A099C0CF104EF9183F374A54CA2576'
 disconnect yes_privs;
 connect  yes_privs,localhost,test_yesprivs,PWD,test,$MASTER_MYPORT,$MASTER_MYSOCK;
 select current_user;
@ -657,7 +657,7 @@ root@localhost
 grant TRIGGER on priv_db.* to test_yesprivs@localhost;
 show grants for test_yesprivs@localhost;
 Grants for test_yesprivs@localhost
-GRANT SELECT, INSERT, UPDATE, DELETE, CREATE, DROP, RELOAD, SHUTDOWN, PROCESS, FILE, REFERENCES, INDEX, ALTER, SHOW DATABASES, SUPER, CREATE TEMPORARY TABLES, LOCK TABLES, EXECUTE, REPLICATION SLAVE, REPLICATION CLIENT, CREATE VIEW, SHOW VIEW, CREATE ROUTINE, ALTER ROUTINE, CREATE USER, EVENT, CREATE TABLESPACE, DELETE HISTORY ON *.* TO `test_yesprivs`@`localhost` IDENTIFIED BY PASSWORD '*C49735D016A099C0CF104EF9183F374A54CA2576'
+GRANT SELECT, INSERT, UPDATE, DELETE, CREATE, DROP, RELOAD, SHUTDOWN, PROCESS, FILE, REFERENCES, INDEX, ALTER, SHOW DATABASES, SUPER, CREATE TEMPORARY TABLES, LOCK TABLES, EXECUTE, REPLICATION SLAVE, BINLOG MONITOR, CREATE VIEW, SHOW VIEW, CREATE ROUTINE, ALTER ROUTINE, CREATE USER, EVENT, CREATE TABLESPACE, DELETE HISTORY, SET USER, FEDERATED ADMIN, CONNECTION ADMIN, READ_ONLY ADMIN, REPLICATION SLAVE ADMIN, REPLICATION MASTER ADMIN, BINLOG ADMIN ON *.* TO `test_yesprivs`@`localhost` IDENTIFIED BY PASSWORD '*C49735D016A099C0CF104EF9183F374A54CA2576'
 GRANT TRIGGER ON `priv_db`.* TO `test_yesprivs`@`localhost`

 trigger privilege on db level for create:
@ -1351,7 +1351,7 @@ drop trigger trg1_0;
 create definer=not_ex_user@localhost trigger trg1_0
 before INSERT on t1 for each row
 set new.f1 = 'trig 1_0-yes';
-ERROR 42000: Access denied; you need (at least one of) the SUPER privilege(s) for this operation
+ERROR 42000: Access denied; you need (at least one of) the SUPER, SET USER privilege(s) for this operation
 create definer=current_user trigger trg1_1
 before INSERT on t1 for each row
 set new.f1 = 'trig 1_1-yes';
@ -1386,7 +1386,7 @@ GRANT SELECT, INSERT, UPDATE, TRIGGER ON `priv_db`.`t1` TO `test_yesprivs`@`loca
 create definer=not_ex_user@localhost trigger trg1_3
 after UPDATE on t1 for each row
 set @var1 = 'trig 1_3-yes';
-ERROR 42000: Access denied; you need (at least one of) the SUPER privilege(s) for this operation
+ERROR 42000: Access denied; you need (at least one of) the SUPER, SET USER privilege(s) for this operation
 connection default;
 select current_user;
 current_user
--- a/mysql-test/suite/funcs_1/r/myisam_trig_03.result
+++ b/mysql-test/suite/funcs_1/r/myisam_trig_03.result
@ -78,7 +78,7 @@ grant ALL  on *.* to test_noprivs@localhost;
 revoke TRIGGER on *.* from test_noprivs@localhost;
 show grants for test_noprivs@localhost;
 Grants for test_noprivs@localhost
-GRANT SELECT, INSERT, UPDATE, DELETE, CREATE, DROP, RELOAD, SHUTDOWN, PROCESS, FILE, REFERENCES, INDEX, ALTER, SHOW DATABASES, SUPER, CREATE TEMPORARY TABLES, LOCK TABLES, EXECUTE, REPLICATION SLAVE, REPLICATION CLIENT, CREATE VIEW, SHOW VIEW, CREATE ROUTINE, ALTER ROUTINE, CREATE USER, EVENT, CREATE TABLESPACE, DELETE HISTORY ON *.* TO `test_noprivs`@`localhost` IDENTIFIED BY PASSWORD '*C49735D016A099C0CF104EF9183F374A54CA2576'
+GRANT SELECT, INSERT, UPDATE, DELETE, CREATE, DROP, RELOAD, SHUTDOWN, PROCESS, FILE, REFERENCES, INDEX, ALTER, SHOW DATABASES, SUPER, CREATE TEMPORARY TABLES, LOCK TABLES, EXECUTE, REPLICATION SLAVE, BINLOG MONITOR, CREATE VIEW, SHOW VIEW, CREATE ROUTINE, ALTER ROUTINE, CREATE USER, EVENT, CREATE TABLESPACE, DELETE HISTORY, SET USER, FEDERATED ADMIN, CONNECTION ADMIN, READ_ONLY ADMIN, REPLICATION SLAVE ADMIN, REPLICATION MASTER ADMIN, BINLOG ADMIN ON *.* TO `test_noprivs`@`localhost` IDENTIFIED BY PASSWORD '*C49735D016A099C0CF104EF9183F374A54CA2576'
 revoke ALL PRIVILEGES, GRANT OPTION FROM test_yesprivs@localhost;
 grant TRIGGER on *.* to test_yesprivs@localhost;
 grant SELECT on priv_db.t1 to test_yesprivs@localhost;
@ -168,7 +168,7 @@ grant ALL  on *.* to test_noprivs@localhost;
 revoke UPDATE  on *.* from test_noprivs@localhost;
 show grants for test_noprivs@localhost;
 Grants for test_noprivs@localhost
-GRANT SELECT, INSERT, DELETE, CREATE, DROP, RELOAD, SHUTDOWN, PROCESS, FILE, REFERENCES, INDEX, ALTER, SHOW DATABASES, SUPER, CREATE TEMPORARY TABLES, LOCK TABLES, EXECUTE, REPLICATION SLAVE, REPLICATION CLIENT, CREATE VIEW, SHOW VIEW, CREATE ROUTINE, ALTER ROUTINE, CREATE USER, EVENT, TRIGGER, CREATE TABLESPACE, DELETE HISTORY ON *.* TO `test_noprivs`@`localhost` IDENTIFIED BY PASSWORD '*C49735D016A099C0CF104EF9183F374A54CA2576'
+GRANT SELECT, INSERT, DELETE, CREATE, DROP, RELOAD, SHUTDOWN, PROCESS, FILE, REFERENCES, INDEX, ALTER, SHOW DATABASES, SUPER, CREATE TEMPORARY TABLES, LOCK TABLES, EXECUTE, REPLICATION SLAVE, BINLOG MONITOR, CREATE VIEW, SHOW VIEW, CREATE ROUTINE, ALTER ROUTINE, CREATE USER, EVENT, TRIGGER, CREATE TABLESPACE, DELETE HISTORY, SET USER, FEDERATED ADMIN, CONNECTION ADMIN, READ_ONLY ADMIN, REPLICATION SLAVE ADMIN, REPLICATION MASTER ADMIN, BINLOG ADMIN ON *.* TO `test_noprivs`@`localhost` IDENTIFIED BY PASSWORD '*C49735D016A099C0CF104EF9183F374A54CA2576'
 revoke ALL PRIVILEGES, GRANT OPTION FROM test_yesprivs@localhost;
 grant TRIGGER, UPDATE on *.* to test_yesprivs@localhost;
 show grants for test_yesprivs@localhost;
@ -183,7 +183,7 @@ test_noprivs@localhost
 use priv_db;
 show grants;
 Grants for test_noprivs@localhost
-GRANT SELECT, INSERT, DELETE, CREATE, DROP, RELOAD, SHUTDOWN, PROCESS, FILE, REFERENCES, INDEX, ALTER, SHOW DATABASES, SUPER, CREATE TEMPORARY TABLES, LOCK TABLES, EXECUTE, REPLICATION SLAVE, REPLICATION CLIENT, CREATE VIEW, SHOW VIEW, CREATE ROUTINE, ALTER ROUTINE, CREATE USER, EVENT, TRIGGER, CREATE TABLESPACE, DELETE HISTORY ON *.* TO `test_noprivs`@`localhost` IDENTIFIED BY PASSWORD '*C49735D016A099C0CF104EF9183F374A54CA2576'
+GRANT SELECT, INSERT, DELETE, CREATE, DROP, RELOAD, SHUTDOWN, PROCESS, FILE, REFERENCES, INDEX, ALTER, SHOW DATABASES, SUPER, CREATE TEMPORARY TABLES, LOCK TABLES, EXECUTE, REPLICATION SLAVE, BINLOG MONITOR, CREATE VIEW, SHOW VIEW, CREATE ROUTINE, ALTER ROUTINE, CREATE USER, EVENT, TRIGGER, CREATE TABLESPACE, DELETE HISTORY, SET USER, FEDERATED ADMIN, CONNECTION ADMIN, READ_ONLY ADMIN, REPLICATION SLAVE ADMIN, REPLICATION MASTER ADMIN, BINLOG ADMIN ON *.* TO `test_noprivs`@`localhost` IDENTIFIED BY PASSWORD '*C49735D016A099C0CF104EF9183F374A54CA2576'
 select f1 from t1 order by f1;
 f1
 insert 3.5.3.2-no
@ -441,7 +441,7 @@ grant ALL  on *.* to test_noprivs@localhost;
 revoke SELECT  on *.* from test_noprivs@localhost;
 show grants for test_noprivs@localhost;
 Grants for test_noprivs@localhost
-GRANT INSERT, UPDATE, DELETE, CREATE, DROP, RELOAD, SHUTDOWN, PROCESS, FILE, REFERENCES, INDEX, ALTER, SHOW DATABASES, SUPER, CREATE TEMPORARY TABLES, LOCK TABLES, EXECUTE, REPLICATION SLAVE, REPLICATION CLIENT, CREATE VIEW, SHOW VIEW, CREATE ROUTINE, ALTER ROUTINE, CREATE USER, EVENT, TRIGGER, CREATE TABLESPACE, DELETE HISTORY ON *.* TO `test_noprivs`@`localhost` IDENTIFIED BY PASSWORD '*C49735D016A099C0CF104EF9183F374A54CA2576'
+GRANT INSERT, UPDATE, DELETE, CREATE, DROP, RELOAD, SHUTDOWN, PROCESS, FILE, REFERENCES, INDEX, ALTER, SHOW DATABASES, SUPER, CREATE TEMPORARY TABLES, LOCK TABLES, EXECUTE, REPLICATION SLAVE, BINLOG MONITOR, CREATE VIEW, SHOW VIEW, CREATE ROUTINE, ALTER ROUTINE, CREATE USER, EVENT, TRIGGER, CREATE TABLESPACE, DELETE HISTORY, SET USER, FEDERATED ADMIN, CONNECTION ADMIN, READ_ONLY ADMIN, REPLICATION SLAVE ADMIN, REPLICATION MASTER ADMIN, BINLOG ADMIN ON *.* TO `test_noprivs`@`localhost` IDENTIFIED BY PASSWORD '*C49735D016A099C0CF104EF9183F374A54CA2576'
 revoke ALL PRIVILEGES, GRANT OPTION FROM test_yesprivs@localhost;
 grant TRIGGER, SELECT on *.* to test_yesprivs@localhost;
 show grants for test_yesprivs@localhost;
@ -457,7 +457,7 @@ test_noprivs@localhost
 use priv_db;
 show grants;
 Grants for test_noprivs@localhost
-GRANT INSERT, UPDATE, DELETE, CREATE, DROP, RELOAD, SHUTDOWN, PROCESS, FILE, REFERENCES, INDEX, ALTER, SHOW DATABASES, SUPER, CREATE TEMPORARY TABLES, LOCK TABLES, EXECUTE, REPLICATION SLAVE, REPLICATION CLIENT, CREATE VIEW, SHOW VIEW, CREATE ROUTINE, ALTER ROUTINE, CREATE USER, EVENT, TRIGGER, CREATE TABLESPACE, DELETE HISTORY ON *.* TO `test_noprivs`@`localhost` IDENTIFIED BY PASSWORD '*C49735D016A099C0CF104EF9183F374A54CA2576'
+GRANT INSERT, UPDATE, DELETE, CREATE, DROP, RELOAD, SHUTDOWN, PROCESS, FILE, REFERENCES, INDEX, ALTER, SHOW DATABASES, SUPER, CREATE TEMPORARY TABLES, LOCK TABLES, EXECUTE, REPLICATION SLAVE, BINLOG MONITOR, CREATE VIEW, SHOW VIEW, CREATE ROUTINE, ALTER ROUTINE, CREATE USER, EVENT, TRIGGER, CREATE TABLESPACE, DELETE HISTORY, SET USER, FEDERATED ADMIN, CONNECTION ADMIN, READ_ONLY ADMIN, REPLICATION SLAVE ADMIN, REPLICATION MASTER ADMIN, BINLOG ADMIN ON *.* TO `test_noprivs`@`localhost` IDENTIFIED BY PASSWORD '*C49735D016A099C0CF104EF9183F374A54CA2576'
 create trigger trg5a_1 before INSERT on t1 for each row
 set @test_var = new.f1;
 connection default;
--- a/mysql-test/suite/funcs_1/r/myisam_trig_03e.result
+++ b/mysql-test/suite/funcs_1/r/myisam_trig_03e.result
@ -604,7 +604,7 @@ trig 1_1-yes
 revoke TRIGGER on *.* from test_yesprivs@localhost;
 show grants for test_yesprivs@localhost;
 Grants for test_yesprivs@localhost
-GRANT SELECT, INSERT, UPDATE, DELETE, CREATE, DROP, RELOAD, SHUTDOWN, PROCESS, FILE, REFERENCES, INDEX, ALTER, SHOW DATABASES, SUPER, CREATE TEMPORARY TABLES, LOCK TABLES, EXECUTE, REPLICATION SLAVE, REPLICATION CLIENT, CREATE VIEW, SHOW VIEW, CREATE ROUTINE, ALTER ROUTINE, CREATE USER, EVENT, CREATE TABLESPACE, DELETE HISTORY ON *.* TO `test_yesprivs`@`localhost` IDENTIFIED BY PASSWORD '*C49735D016A099C0CF104EF9183F374A54CA2576'
+GRANT SELECT, INSERT, UPDATE, DELETE, CREATE, DROP, RELOAD, SHUTDOWN, PROCESS, FILE, REFERENCES, INDEX, ALTER, SHOW DATABASES, SUPER, CREATE TEMPORARY TABLES, LOCK TABLES, EXECUTE, REPLICATION SLAVE, BINLOG MONITOR, CREATE VIEW, SHOW VIEW, CREATE ROUTINE, ALTER ROUTINE, CREATE USER, EVENT, CREATE TABLESPACE, DELETE HISTORY, SET USER, FEDERATED ADMIN, CONNECTION ADMIN, READ_ONLY ADMIN, REPLICATION SLAVE ADMIN, REPLICATION MASTER ADMIN, BINLOG ADMIN ON *.* TO `test_yesprivs`@`localhost` IDENTIFIED BY PASSWORD '*C49735D016A099C0CF104EF9183F374A54CA2576'
 disconnect yes_privs;
 connect  yes_privs,localhost,test_yesprivs,PWD,test,$MASTER_MYPORT,$MASTER_MYSOCK;
 select current_user;
@ -657,7 +657,7 @@ root@localhost
 grant TRIGGER on priv_db.* to test_yesprivs@localhost;
 show grants for test_yesprivs@localhost;
 Grants for test_yesprivs@localhost
-GRANT SELECT, INSERT, UPDATE, DELETE, CREATE, DROP, RELOAD, SHUTDOWN, PROCESS, FILE, REFERENCES, INDEX, ALTER, SHOW DATABASES, SUPER, CREATE TEMPORARY TABLES, LOCK TABLES, EXECUTE, REPLICATION SLAVE, REPLICATION CLIENT, CREATE VIEW, SHOW VIEW, CREATE ROUTINE, ALTER ROUTINE, CREATE USER, EVENT, CREATE TABLESPACE, DELETE HISTORY ON *.* TO `test_yesprivs`@`localhost` IDENTIFIED BY PASSWORD '*C49735D016A099C0CF104EF9183F374A54CA2576'
+GRANT SELECT, INSERT, UPDATE, DELETE, CREATE, DROP, RELOAD, SHUTDOWN, PROCESS, FILE, REFERENCES, INDEX, ALTER, SHOW DATABASES, SUPER, CREATE TEMPORARY TABLES, LOCK TABLES, EXECUTE, REPLICATION SLAVE, BINLOG MONITOR, CREATE VIEW, SHOW VIEW, CREATE ROUTINE, ALTER ROUTINE, CREATE USER, EVENT, CREATE TABLESPACE, DELETE HISTORY, SET USER, FEDERATED ADMIN, CONNECTION ADMIN, READ_ONLY ADMIN, REPLICATION SLAVE ADMIN, REPLICATION MASTER ADMIN, BINLOG ADMIN ON *.* TO `test_yesprivs`@`localhost` IDENTIFIED BY PASSWORD '*C49735D016A099C0CF104EF9183F374A54CA2576'
 GRANT TRIGGER ON `priv_db`.* TO `test_yesprivs`@`localhost`

 trigger privilege on db level for create:
@ -1351,7 +1351,7 @@ drop trigger trg1_0;
 create definer=not_ex_user@localhost trigger trg1_0
 before INSERT on t1 for each row
 set new.f1 = 'trig 1_0-yes';
-ERROR 42000: Access denied; you need (at least one of) the SUPER privilege(s) for this operation
+ERROR 42000: Access denied; you need (at least one of) the SUPER, SET USER privilege(s) for this operation
 create definer=current_user trigger trg1_1
 before INSERT on t1 for each row
 set new.f1 = 'trig 1_1-yes';
@ -1386,7 +1386,7 @@ GRANT SELECT, INSERT, UPDATE, TRIGGER ON `priv_db`.`t1` TO `test_yesprivs`@`loca
 create definer=not_ex_user@localhost trigger trg1_3
 after UPDATE on t1 for each row
 set @var1 = 'trig 1_3-yes';
-ERROR 42000: Access denied; you need (at least one of) the SUPER privilege(s) for this operation
+ERROR 42000: Access denied; you need (at least one of) the SUPER, SET USER privilege(s) for this operation
 connection default;
 select current_user;
 current_user
--- a/mysql-test/suite/perfschema/r/read_only.result
+++ b/mysql-test/suite/perfschema/r/read_only.result
@ -32,7 +32,7 @@ select * from performance_schema.setup_instruments;
 update performance_schema.setup_instruments set enabled='NO';
 update performance_schema.setup_instruments set enabled='YES';
 connection default;
-grant super on *.* to pfsuser@localhost;
+grant READ_ONLY ADMIN on *.* to pfsuser@localhost;
 flush privileges;
 disconnect con1;
 connect  con1, localhost, pfsuser, , test;
@ -41,7 +41,7 @@ select @@global.read_only;
 1
 show grants;
 Grants for pfsuser@localhost
-GRANT SUPER ON *.* TO `pfsuser`@`localhost`
+GRANT READ_ONLY ADMIN ON *.* TO `pfsuser`@`localhost`
 GRANT SELECT, UPDATE ON `performance_schema`.* TO `pfsuser`@`localhost`
 select * from performance_schema.setup_instruments;
 update performance_schema.setup_instruments set enabled='NO';
--- a/mysql-test/suite/perfschema/t/read_only.test
+++ b/mysql-test/suite/perfschema/t/read_only.test
@ -51,7 +51,7 @@ update performance_schema.setup_instruments set enabled='YES';

 connection default;

-grant super on *.* to pfsuser@localhost;
+grant READ_ONLY ADMIN on *.* to pfsuser@localhost;
 flush privileges;

 disconnect con1;
--- a/mysql-test/suite/roles/admin.result
+++ b/mysql-test/suite/roles/admin.result
@ -8,9 +8,9 @@ create role role3 with admin role1;
 create role role4 with admin root@localhost;
 connect  c1, localhost, foo,,;
 create role role5 with admin root@localhost;
-ERROR 42000: Access denied; you need (at least one of) the SUPER privilege(s) for this operation
+ERROR 42000: Access denied; you need (at least one of) the SUPER, SET USER privilege(s) for this operation
 create role role5 with admin role3;
-ERROR 42000: Access denied; you need (at least one of) the SUPER privilege(s) for this operation
+ERROR 42000: Access denied; you need (at least one of) the SUPER, SET USER privilege(s) for this operation
 create role role5 with admin foo@localhost;
 connection default;
 call mtr.add_suppression("Invalid roles_mapping table entry user:'foo@bar', rolename:'role6'");
--- a/mysql-test/suite/roles/definer.result
+++ b/mysql-test/suite/roles/definer.result
@ -666,7 +666,7 @@ CREATE DEFINER='r1' PROCEDURE user1_proc2() SQL SECURITY INVOKER
 BEGIN
 SELECT NOW(), VERSION();
 END;//
-ERROR 42000: Access denied; you need (at least one of) the SUPER privilege(s) for this operation
+ERROR 42000: Access denied; you need (at least one of) the SUPER, SET USER privilege(s) for this operation
 set role r1;
 CREATE DEFINER='r1' PROCEDURE user1_proc2() SQL SECURITY INVOKER
 BEGIN
--- a/plugin/userstat/client_stats.cc
+++ b/plugin/userstat/client_stats.cc
@ -78,7 +78,7 @@ static int send_user_stats(THD* thd, HASH *all_user_stats, TABLE *table)

 static int client_stats_fill(THD* thd, TABLE_LIST* tables, COND* cond)
 {
-  if (check_global_access(thd, SUPER_ACL | PROCESS_ACL, true))
+  if (check_global_access(thd, PROCESS_ACL, true))
    return 0;

  return send_user_stats(thd, &global_client_stats, tables->table);
--- a/plugin/userstat/user_stats.cc
+++ b/plugin/userstat/user_stats.cc
@ -34,7 +34,7 @@ static ST_FIELD_INFO user_stats_fields[]=

 static int user_stats_fill(THD* thd, TABLE_LIST* tables, COND* cond)
 {
-  if (check_global_access(thd, SUPER_ACL | PROCESS_ACL, true))
+  if (check_global_access(thd, PROCESS_ACL, true))
    return 0;

  return send_user_stats(thd, &global_user_stats,  tables->table);
--- a/sql/event_data_objects.cc
+++ b/sql/event_data_objects.cc
@ -25,7 +25,6 @@
                                           // date_add_interval,
                                           // calc_time_diff
 #include "tztime.h"     // my_tz_find, my_tz_OFFSET0, struct Time_zone
-#include "sql_acl.h"    // EVENT_ACL, SUPER_ACL
 #include "sp.h"         // load_charset, load_collation
 #include "events.h"
 #include "event_data_objects.h"
@ -1518,7 +1517,7 @@ end:
      */

      privilege_t saved_master_access(thd->security_ctx->master_access);
-      thd->security_ctx->master_access |= SUPER_ACL;
+      thd->security_ctx->master_access |= PRIV_IGNORE_READ_ONLY;
      bool save_tx_read_only= thd->tx_read_only;
      thd->tx_read_only= false;

--- a/sql/event_db_repository.cc
+++ b/sql/event_db_repository.cc
@ -24,7 +24,6 @@
 #include "sql_db.h"                        // get_default_db_collation
 #include "sql_time.h"                      // interval_type_to_name
 #include "tztime.h"                             // struct Time_zone
-#include "sql_acl.h" // SUPER_ACL, MYSQL_DB_FIELD_COUNT, mysql_db_table_fields
 #include "records.h"          // init_read_record, end_read_record
 #include "sp_head.h"
 #include "event_data_objects.h"
@ -1128,7 +1127,7 @@ update_timing_fields_for_event(THD *thd,
  */
  save_binlog_format= thd->set_current_stmt_binlog_format_stmt();

-  DBUG_ASSERT(thd->security_ctx->master_access & SUPER_ACL);
+  DBUG_ASSERT(thd->security_ctx->master_access & PRIV_IGNORE_READ_ONLY);

  if (open_event_table(thd, TL_WRITE, &table))
    goto end;
--- a/sql/event_scheduler.cc
+++ b/sql/event_scheduler.cc
@ -22,7 +22,7 @@
 #include "event_queue.h"
 #include "event_db_repository.h"
 #include "sql_connect.h"         // init_new_connection_handler_thread
-#include "sql_acl.h"             // SUPER_ACL
+#include "sql_class.h"

 /**
  @addtogroup Event_Scheduler
@ -417,7 +417,7 @@ Event_scheduler::start(int *err_no)

    Same goes for transaction access mode. Set it to read-write for this thd.
  */
-  new_thd->security_ctx->master_access |= SUPER_ACL;
+  new_thd->security_ctx->master_access |= PRIV_IGNORE_READ_ONLY;
  new_thd->variables.tx_read_only= false;
  new_thd->tx_read_only= false;

--- a/sql/events.cc
+++ b/sql/events.cc
@ -1172,7 +1172,7 @@ Events::load_events_from_db(THD *thd)
  */

  privilege_t saved_master_access(thd->security_ctx->master_access);
-  thd->security_ctx->master_access |= SUPER_ACL;
+  thd->security_ctx->master_access |= PRIV_IGNORE_READ_ONLY;
  bool save_tx_read_only= thd->tx_read_only;
  thd->tx_read_only= false;

--- a/sql/handler.cc
+++ b/sql/handler.cc
@ -30,7 +30,6 @@
 #include "key.h"     // key_copy, key_unpack, key_cmp_if_same, key_cmp
 #include "sql_table.h"                   // build_table_filename
 #include "sql_parse.h"                          // check_stack_overrun
-#include "sql_acl.h"            // SUPER_ACL
 #include "sql_base.h"           // TDC_element
 #include "discover.h"           // extension_based_table_discovery, etc
 #include "log_event.h"          // *_rows_log_event
@ -1563,7 +1562,7 @@ int ha_commit_trans(THD *thd, bool all)

  if (rw_trans &&
      opt_readonly &&
-      !(thd->security_ctx->master_access & SUPER_ACL) &&
+      !(thd->security_ctx->master_access & PRIV_IGNORE_READ_ONLY) &&
      !thd->slave_thread)
  {
    my_error(ER_OPTION_PREVENTS_STATEMENT, MYF(0), "--read-only");
--- a/sql/item_strfunc.cc
+++ b/sql/item_strfunc.cc
@ -43,7 +43,6 @@
 #include "set_var.h"
 #include "sql_base.h"
 #include "sql_time.h"
-#include "sql_acl.h"                            // SUPER_ACL
 #include "des_key_file.h"       // st_des_keyschedule, st_des_keyblock
 #include "password.h"           // my_make_scrambled_password,
                                // my_make_scrambled_password_323
@ -838,7 +837,7 @@ String *Item_func_des_decrypt::val_str(String *str)
  {
    uint key_number=(uint) (*res)[0] & 127;
    // Check if automatic key and that we have privilege to uncompress using it
-    if (!(current_thd->security_ctx->master_access & SUPER_ACL) ||
+    if (!(current_thd->security_ctx->master_access & PRIV_DES_DECRYPT_ONE_ARG) ||
        key_number > 9)
      goto error;

--- a/sql/lex.h
+++ b/sql/lex.h
@ -239,6 +239,7 @@ static SYMBOL symbols[] = {
  { "FALSE",		SYM(FALSE_SYM)},
  { "FAST",		SYM(FAST_SYM)},
  { "FAULTS",  SYM(FAULTS_SYM)},
+  { "FEDERATED", SYM(FEDERATED_SYM)},
  { "FETCH",            SYM(FETCH_SYM)},
  { "FIELDS",		SYM(COLUMNS)},
  { "FILE",		SYM(FILE_SYM)},
@ -405,6 +406,7 @@ static SYMBOL symbols[] = {
  { "MODE",		SYM(MODE_SYM)},
  { "MODIFIES",		SYM(MODIFIES_SYM)},
  { "MODIFY",		SYM(MODIFY_SYM)},
+  { "MONITOR",          SYM(MONITOR_SYM)},
  { "MONTH",		SYM(MONTH_SYM)},
  { "MUTEX",  SYM(MUTEX_SYM)},
  { "MYSQL",            SYM(MYSQL_SYM)},
--- a/sql/lock.cc
+++ b/sql/lock.cc
@ -76,7 +76,6 @@
 #include "lock.h"
 #include "sql_base.h"                       // close_tables_for_reopen
 #include "sql_parse.h"                     // is_log_table_write_query
-#include "sql_acl.h"                       // SUPER_ACL
 #include "sql_handler.h"
 #include <hash.h>
 #include "wsrep_mysqld.h"
@ -109,12 +108,13 @@ static int
 lock_tables_check(THD *thd, TABLE **tables, uint count, uint flags)
 {
  uint system_count, i;
-  bool is_superuser, log_table_write_query;
+  bool ignore_read_only, log_table_write_query;

  DBUG_ENTER("lock_tables_check");

  system_count= 0;
-  is_superuser= (thd->security_ctx->master_access & SUPER_ACL) != NO_ACL;
+  ignore_read_only=
+    (thd->security_ctx->master_access & PRIV_IGNORE_READ_ONLY) != NO_ACL;
  log_table_write_query= (is_log_table_write_query(thd->lex->sql_command)
                         || ((flags & MYSQL_LOCK_LOG_TABLE) != 0));

@ -179,7 +179,7 @@ lock_tables_check(THD *thd, TABLE **tables, uint count, uint flags)
    if (!(flags & MYSQL_LOCK_IGNORE_GLOBAL_READ_ONLY) && !t->s->tmp_table)
    {
      if (t->reginfo.lock_type >= TL_WRITE_ALLOW_WRITE &&
-          !is_superuser && opt_readonly && !thd->slave_thread)
+          !ignore_read_only && opt_readonly && !thd->slave_thread)
      {
        my_error(ER_OPTION_PREVENTS_STATEMENT, MYF(0), "--read-only");
        DBUG_RETURN(1);
--- a/sql/log.cc
+++ b/sql/log.cc
@ -34,7 +34,6 @@
 #include "sql_parse.h"                          // command_name
 #include "sql_time.h"           // calc_time_from_sec, my_time_compare
 #include "tztime.h"             // my_tz_OFFSET0, struct Time_zone
-#include "sql_acl.h"            // SUPER_ACL
 #include "log_event.h"          // Query_log_event
 #include "rpl_filter.h"
 #include "rpl_rli.h"
@ -10496,7 +10495,7 @@ static struct st_mysql_sys_var *binlog_sys_vars[]=
 /*
  Copy out the non-directory part of binlog position filename for the
  `binlog_snapshot_file' status variable, same way as it is done for
-  SHOW MASTER STATUS.
+  SHOW BINLOG STATUS.
 */
 static void
 set_binlog_snapshot_file(const char *src)
--- a/sql/mysqld.cc
+++ b/sql/mysqld.cc
@ -3443,7 +3443,7 @@ SHOW_VAR com_status_vars[]= {
  {"show_generic",         STMT_STATUS(SQLCOM_SHOW_GENERIC)},
  {"show_grants",          STMT_STATUS(SQLCOM_SHOW_GRANTS)},
  {"show_keys",            STMT_STATUS(SQLCOM_SHOW_KEYS)},
-  {"show_master_status",   STMT_STATUS(SQLCOM_SHOW_MASTER_STAT)},
+  {"show_binlog_status",   STMT_STATUS(SQLCOM_SHOW_BINLOG_STAT)},
  {"show_open_tables",     STMT_STATUS(SQLCOM_SHOW_OPEN_TABLES)},
  {"show_package_status",  STMT_STATUS(SQLCOM_SHOW_STATUS_PACKAGE)},
 #ifndef DBUG_OFF
--- a/sql/partition_info.cc
+++ b/sql/partition_info.cc
@ -30,7 +30,6 @@
                                           // NOT_A_PARTITION_ID
 #include "partition_info.h"
 #include "sql_parse.h"
-#include "sql_acl.h"                          // *_ACL
 #include "sql_base.h"                         // fill_record
 #include "lock.h"
 #include "table.h"
--- a/sql/privilege.h
+++ b/sql/privilege.h
@ -49,7 +49,7 @@ enum privilege_t: unsigned long long
  LOCK_TABLES_ACL       = (1UL << 17),
  EXECUTE_ACL           = (1UL << 18),
  REPL_SLAVE_ACL        = (1UL << 19),
-  REPL_CLIENT_ACL       = (1UL << 20),
+  BINLOG_MONITOR_ACL    = (1UL << 20), // Was REPL_CLIENT_ACL prior to 10.5.2
  CREATE_VIEW_ACL       = (1UL << 21),
  SHOW_VIEW_ACL         = (1UL << 22),
  CREATE_PROC_ACL       = (1UL << 23),
@ -59,24 +59,63 @@ enum privilege_t: unsigned long long
  TRIGGER_ACL           = (1UL << 27),
  CREATE_TABLESPACE_ACL = (1UL << 28),
  DELETE_HISTORY_ACL    = (1UL << 29),  // Added in 10.3.4
+  SET_USER_ACL          = (1UL << 30),  // Added in 10.5.2
+  FEDERATED_ADMIN_ACL   = (1UL << 31),  // Added in 10.5.2
+  CONNECTION_ADMIN_ACL  = (1ULL << 32), // Added in 10.5.2
+  READ_ONLY_ADMIN_ACL   = (1ULL << 33), // Added in 10.5.2
+  REPL_SLAVE_ADMIN_ACL  = (1ULL << 34), // Added in 10.5.2
+  REPL_MASTER_ADMIN_ACL = (1ULL << 35), // Added in 10.5.2
+  BINLOG_ADMIN_ACL      = (1ULL << 36)  // Added in 10.5.2
  /*
-    don't forget to update
-    1. static struct show_privileges_st sys_privileges[]
-    2. static const char *command_array[] and static uint command_lengths[]
-    3. mysql_system_tables.sql and mysql_system_tables_fix.sql
-    4. acl_init() or whatever - to define behaviour for old privilege tables
-    5. sql_yacc.yy - for GRANT/REVOKE to work
-    6. Add a new ALL_KNOWN_ACL_VERSION
-    7. Change ALL_KNOWN_ACL to ALL_KNOWN_ACL_VERSION
-    8. Update User_table_json::get_access()
-  */
+    When adding new privilege bits, don't forget to update:
+    In this file:
+    - Add a new LAST_version_ACL
+    - Add a new ALL_KNOWN_ACL_version
+    - Change ALL_KNOWN_ACL to ALL_KNOWN_ACL_version
+    - Change GLOBAL_ACLS if needed
+    - Change SUPER_ADDED_SINCE_USER_TABLE_ACL if needed

-  // A combination of all bits defined in 10.3.4 (and earlier)
-  ALL_KNOWN_ACL_100304 = (1UL << 30) - 1
+    In other files:
+    - static struct show_privileges_st sys_privileges[]
+    - static const char *command_array[] and static uint command_lengths[]
+    - mysql_system_tables.sql and mysql_system_tables_fix.sql
+    - acl_init() or whatever - to define behaviour for old privilege tables
+    - Update User_table_json::get_access()
+    - sql_yacc.yy - for GRANT/REVOKE to work
+
+    Important: the enum should contain only single-bit values.
+    In this case, debuggers print bit combinations in the readable form:
+     (gdb) p (privilege_t) (15)
+     $8 = (SELECT_ACL | INSERT_ACL | UPDATE_ACL | DELETE_ACL)
+
+    Bit-OR combinations of the above values should be declared outside!
+  */
 };


-constexpr privilege_t ALL_KNOWN_ACL= ALL_KNOWN_ACL_100304;
+// Version markers
+constexpr privilege_t LAST_100304_ACL= DELETE_HISTORY_ACL;
+constexpr privilege_t LAST_100502_ACL= BINLOG_ADMIN_ACL;
+
+// Current version markers
+constexpr privilege_t LAST_CURRENT_ACL= LAST_100502_ACL;
+constexpr uint PRIVILEGE_T_MAX_BIT=
+              my_bit_log2_uint64((ulonglong) LAST_CURRENT_ACL);
+
+static_assert((privilege_t)(1ULL << PRIVILEGE_T_MAX_BIT) == LAST_CURRENT_ACL,
+              "Something went fatally badly: "
+              "LAST_CURRENT_ACL and PRIVILEGE_T_MAX_BIT do not match");
+
+// A combination of all bits defined in 10.3.4 (and earlier)
+constexpr privilege_t ALL_KNOWN_ACL_100304 =
+  (privilege_t) ((LAST_100304_ACL << 1) - 1);
+
+// A combination of all bits defined in 10.5.2
+constexpr privilege_t ALL_KNOWN_ACL_100502=
+  (privilege_t) ((LAST_100502_ACL << 1) - 1);
+
+// A combination of all bits defined as of the current version
+constexpr privilege_t ALL_KNOWN_ACL= ALL_KNOWN_ACL_100502;


 // Unary operators
@ -175,6 +214,19 @@ static inline privilege_t& operator|=(privilege_t &a, privilege_t b)
 }


+/*
+  A combination of all SUPER privileges added since the old user table format.
+  These privileges are automatically added when upgrading from the
+  old format mysql.user table if a user has the SUPER privilege.
+*/
+constexpr privilege_t  GLOBAL_SUPER_ADDED_SINCE_USER_TABLE_ACLS=
+  SET_USER_ACL |
+  FEDERATED_ADMIN_ACL |
+  CONNECTION_ADMIN_ACL |
+  READ_ONLY_ADMIN_ACL |
+  REPL_SLAVE_ADMIN_ACL |
+  BINLOG_ADMIN_ACL;
+

 constexpr privilege_t COL_DML_ACLS=
  SELECT_ACL | INSERT_ACL | UPDATE_ACL | DELETE_ACL;
@ -213,7 +265,9 @@ constexpr privilege_t GLOBAL_ACLS=
  DB_ACLS | SHOW_DB_ACL |
  CREATE_USER_ACL | CREATE_TABLESPACE_ACL |
  SUPER_ACL | RELOAD_ACL | SHUTDOWN_ACL | PROCESS_ACL | FILE_ACL |
-  REPL_SLAVE_ACL | REPL_CLIENT_ACL;
+  REPL_SLAVE_ACL | BINLOG_MONITOR_ACL |
+  GLOBAL_SUPER_ADDED_SINCE_USER_TABLE_ACLS |
+  REPL_MASTER_ADMIN_ACL;

 constexpr privilege_t DEFAULT_CREATE_PROC_ACLS=
  ALTER_PROC_ACL | EXECUTE_ACL;
@ -229,6 +283,124 @@ constexpr privilege_t SHOW_CREATE_TABLE_ACLS=
 constexpr privilege_t TMP_TABLE_ACLS=
  COL_DML_ACLS | ALL_TABLE_DDL_ACLS;

+
+
+/*
+  Allow to set an object definer:
+    CREATE DEFINER=xxx {TRIGGER|VIEW|FUNCTION|PROCEDURE}
+  Was SUPER prior to 10.5.2
+*/
+constexpr privilege_t PRIV_DEFINER_CLAUSE= SET_USER_ACL | SUPER_ACL;
+/*
+  If a VIEW has a `definer=invoker@host` clause and
+  the specified definer does not exists, then
+  - The invoker with REVEAL_MISSING_DEFINER_ACL gets:
+    ERROR: The user specified as a definer ('definer1'@'localhost') doesn't exist
+  - The invoker without MISSING_DEFINER_ACL gets a generic access error,
+    without revealing details that the definer does not exists.
+
+  TODO: we should eventually test the same privilege when processing
+  other objects that have the DEFINER clause (e.g. routines, triggers).
+  Currently the missing definer is revealed for non-privileged invokers
+  in case of routines, triggers, etc.
+
+  Was SUPER prior to 10.5.2
+*/
+constexpr privilege_t PRIV_REVEAL_MISSING_DEFINER= SET_USER_ACL | SUPER_ACL;
+
+/* Actions that require only the SUPER privilege */
+constexpr privilege_t PRIV_DES_DECRYPT_ONE_ARG= SUPER_ACL;
+constexpr privilege_t PRIV_LOG_BIN_TRUSTED_SP_CREATOR= SUPER_ACL;
+constexpr privilege_t PRIV_DEBUG= SUPER_ACL;
+constexpr privilege_t PRIV_SET_GLOBAL_SYSTEM_VARIABLE= SUPER_ACL;
+constexpr privilege_t PRIV_SET_RESTRICTED_SESSION_SYSTEM_VARIABLE= SUPER_ACL;
+
+/* Privileges related to --read-only */
+constexpr privilege_t PRIV_IGNORE_READ_ONLY= READ_ONLY_ADMIN_ACL | SUPER_ACL;
+
+/*
+  Privileges related to connection handling.
+*/
+// Was SUPER_ACL prior to 10.5.2
+constexpr privilege_t PRIV_IGNORE_INIT_CONNECT= CONNECTION_ADMIN_ACL | SUPER_ACL;
+// Was SUPER_ACL prior to 10.5.2
+constexpr privilege_t PRIV_IGNORE_MAX_USER_CONNECTIONS= CONNECTION_ADMIN_ACL | SUPER_ACL;
+// Was SUPER_ACL prior to 10.5.2
+constexpr privilege_t PRIV_IGNORE_MAX_CONNECTIONS= CONNECTION_ADMIN_ACL | SUPER_ACL;
+// Was SUPER_ACL prior to 10.5.2
+constexpr privilege_t PRIV_IGNORE_MAX_PASSWORD_ERRORS= CONNECTION_ADMIN_ACL | SUPER_ACL;
+// Was SUPER_ACL prior to 10.5.2
+constexpr privilege_t PRIV_KILL_OTHER_USER_PROCESS= CONNECTION_ADMIN_ACL | SUPER_ACL;
+
+
+/*
+  Binary log related privileges that are checked regardless
+  of active replication running.
+*/
+
+/*
+  This command was renamed from "SHOW MASTER STATUS"
+  to "SHOW BINLOG STATUS" in 10.5.2.
+  Was SUPER_ACL | REPL_CLIENT_ACL prior to 10.5.2
+  REPL_CLIENT_ACL was renamed to BINLOG_MONITOR_ACL.
+*/
+constexpr privilege_t PRIV_STMT_SHOW_BINLOG_STATUS= BINLOG_MONITOR_ACL | SUPER_ACL;
+
+/*
+  Was SUPER_ACL | REPL_CLIENT_ACL prior to 10.5.2
+  REPL_CLIENT_ACL was renamed to BINLOG_MONITOR_ACL.
+*/
+constexpr privilege_t PRIV_STMT_SHOW_BINARY_LOGS= BINLOG_MONITOR_ACL | SUPER_ACL;
+
+// Was SUPER_ACL prior to 10.5.2
+constexpr privilege_t PRIV_STMT_PURGE_BINLOG= BINLOG_ADMIN_ACL | SUPER_ACL;
+
+// Was REPL_SLAVE_ACL prior to 10.5.2
+constexpr privilege_t PRIV_STMT_SHOW_BINLOG_EVENTS= BINLOG_MONITOR_ACL;
+
+
+/*
+  Privileges for replication related statements and commands
+  that are executed on the master.
+*/
+constexpr privilege_t PRIV_COM_REGISTER_SLAVE= REPL_SLAVE_ACL;
+constexpr privilege_t PRIV_COM_BINLOG_DUMP= REPL_SLAVE_ACL;
+// Was REPL_SLAVE_ACL prior to 10.5.2
+constexpr privilege_t PRIV_STMT_SHOW_SLAVE_HOSTS= REPL_MASTER_ADMIN_ACL;
+
+
+/* Privileges for statements that are executed on the slave */
+// Was SUPER_ACL prior to 10.5.2
+constexpr privilege_t PRIV_STMT_START_SLAVE= REPL_SLAVE_ADMIN_ACL | SUPER_ACL;
+// Was SUPER_ACL prior to 10.5.2
+constexpr privilege_t PRIV_STMT_STOP_SLAVE= REPL_SLAVE_ADMIN_ACL | SUPER_ACL;
+// Was SUPER_ACL prior to 10.5.2
+constexpr privilege_t PRIV_STMT_CHANGE_MASTER= REPL_SLAVE_ADMIN_ACL | SUPER_ACL;
+// Was (SUPER_ACL | REPL_CLIENT_ACL) prior to 10.5.2
+constexpr privilege_t PRIV_STMT_SHOW_SLAVE_STATUS= REPL_SLAVE_ADMIN_ACL | SUPER_ACL;
+// Was SUPER_ACL prior to 10.5.2
+constexpr privilege_t PRIV_STMT_BINLOG= REPL_SLAVE_ADMIN_ACL | SUPER_ACL;
+// Was REPL_SLAVE_ACL prior to 10.5.2
+constexpr privilege_t PRIV_STMT_SHOW_RELAYLOG_EVENTS= REPL_SLAVE_ADMIN_ACL;
+
+
+/* Privileges for federated database related statements */
+// Was SUPER_ACL prior to 10.5.2
+constexpr privilege_t PRIV_STMT_CREATE_SERVER= FEDERATED_ADMIN_ACL | SUPER_ACL;
+// Was SUPER_ACL prior to 10.5.2
+constexpr privilege_t PRIV_STMT_ALTER_SERVER= FEDERATED_ADMIN_ACL | SUPER_ACL;
+// Was SUPER_ACL prior to 10.5.2
+constexpr privilege_t PRIV_STMT_DROP_SERVER= FEDERATED_ADMIN_ACL | SUPER_ACL;
+
+
+/* Privileges related to processes */
+constexpr privilege_t PRIV_COM_PROCESS_INFO= PROCESS_ACL;
+constexpr privilege_t PRIV_STMT_SHOW_EXPLAIN= PROCESS_ACL;
+constexpr privilege_t PRIV_STMT_SHOW_ENGINE_STATUS= PROCESS_ACL;
+constexpr privilege_t PRIV_STMT_SHOW_ENGINE_MUTEX= PROCESS_ACL;
+constexpr privilege_t PRIV_STMT_SHOW_PROCESSLIST= PROCESS_ACL;
+
+
 /*
  Defines to change the above bits to how things are stored in tables
  This is needed as the 'host' and 'db' table is missing a few privileges
--- a/sql/repl_failsafe.cc
+++ b/sql/repl_failsafe.cc
@ -122,7 +122,7 @@ int THD::register_slave(uchar *packet, size_t packet_length)
  uchar *p= packet, *p_end= packet + packet_length;
  const char *errmsg= "Wrong parameters to function register_slave";

-  if (check_access(this, REPL_SLAVE_ACL, any_db, NULL, NULL, 0, 0))
+  if (check_access(this, PRIV_COM_REGISTER_SLAVE, any_db, NULL, NULL, 0, 0))
    return 1;
  if (!(si= (Slave_info*)my_malloc(key_memory_SLAVE_INFO, sizeof(Slave_info),
                                   MYF(MY_WME))))
--- a/sql/set_var.cc
+++ b/sql/set_var.cc
@ -33,7 +33,6 @@
                        // date_time_format_make
 #include "derror.h"
 #include "tztime.h"     // my_tz_find, my_tz_SYSTEM, struct Time_zone
-#include "sql_acl.h"    // SUPER_ACL
 #include "sql_select.h" // free_underlaid_joins
 #include "sql_i_s.h"
 #include "sql_view.h"   // updatable_views_with_limit_typelib
@ -788,7 +787,8 @@ int set_var::check(THD *thd)
    my_error(err, MYF(0), var->name.str);
    return -1;
  }
-  if ((type == OPT_GLOBAL && check_global_access(thd, SUPER_ACL)))
+  if (type == OPT_GLOBAL &&
+      check_global_access(thd, PRIV_SET_GLOBAL_SYSTEM_VARIABLE))
    return 1;
  /* value is a NULL pointer if we are using SET ... = DEFAULT */
  if (!value)
@ -825,7 +825,8 @@ int set_var::light_check(THD *thd)
    my_error(err, MYF(0), var->name.str);
    return -1;
  }
-  if (type == OPT_GLOBAL && check_global_access(thd, SUPER_ACL))
+  if (type == OPT_GLOBAL &&
+      check_global_access(thd, PRIV_SET_GLOBAL_SYSTEM_VARIABLE))
    return 1;

  if (value && value->fix_fields_if_needed_for_scalar(thd, &value))
--- a/sql/slave.cc
+++ b/sql/slave.cc
@ -1665,7 +1665,7 @@ bool Sql_cmd_show_slave_status::execute(THD *thd)
  bool res= true;

  /* Accept one of two privileges */
-  if (check_global_access(thd, SUPER_ACL | REPL_CLIENT_ACL))
+  if (check_global_access(thd, PRIV_STMT_SHOW_SLAVE_STATUS))
    goto error;
  if (is_show_all_slaves_stat())
  {
--- a/sql/sp.cc
+++ b/sql/sp.cc
@ -28,7 +28,6 @@
                    // mysql_change_db, check_db_dir_existence,
                    // load_db_opt_by_name
 #include "sql_table.h"                          // write_bin_log
-#include "sql_acl.h"                       // SUPER_ACL
 #include "sp_head.h"
 #include "sp_cache.h"
 #include "lock.h"                               // lock_object_name
@ -1398,7 +1397,7 @@ Sp_handler::sp_create_routine(THD *thd, const sp_head *sp) const
 	  goto done;
 	}
      }
-      if (!(thd->security_ctx->master_access & SUPER_ACL))
+      if (!(thd->security_ctx->master_access & PRIV_LOG_BIN_TRUSTED_SP_CREATOR))
      {
        my_error(ER_BINLOG_CREATE_ROUTINE_NEED_SUPER,MYF(0));
 	goto done;
--- a/sql/sp_head.cc
+++ b/sql/sp_head.cc
@ -23,7 +23,6 @@
 #include "probes_mysql.h"
 #include "sql_show.h"                           // append_identifier
 #include "sql_db.h"            // mysql_opt_change_db, mysql_change_db
-#include "sql_acl.h"           // *_ACL
 #include "sql_array.h"         // Dynamic_array
 #include "log_event.h"         // Query_log_event
 #include "sql_derived.h"       // mysql_handle_derived
@ -231,7 +230,7 @@ sp_get_flags_for_command(LEX *lex)
  case SQLCOM_SHOW_ENGINE_MUTEX:
  case SQLCOM_SHOW_EVENTS:
  case SQLCOM_SHOW_KEYS:
-  case SQLCOM_SHOW_MASTER_STAT:
+  case SQLCOM_SHOW_BINLOG_STAT:
  case SQLCOM_SHOW_OPEN_TABLES:
  case SQLCOM_SHOW_PRIVILEGES:
  case SQLCOM_SHOW_PROCESSLIST:
--- a/sql/sql_acl.cc
+++ b/sql/sql_acl.cc
@ -1001,7 +1001,7 @@ class User_table_tabular: public User_table
    {
      access|= LOCK_TABLES_ACL | CREATE_TMP_ACL | SHOW_DB_ACL;
      if (access & FILE_ACL)
-        access|= REPL_CLIENT_ACL | REPL_SLAVE_ACL;
+        access|= BINLOG_MONITOR_ACL | REPL_SLAVE_ACL | BINLOG_ADMIN_ACL ;
      if (access & PROCESS_ACL)
        access|= SUPER_ACL | EXECUTE_ACL;
    }
@ -1029,6 +1029,12 @@ class User_table_tabular: public User_table
    if (num_fields() <= 46 && (access & DELETE_ACL))
      access|= DELETE_HISTORY_ACL;

+    if (access & SUPER_ACL)
+      access|= GLOBAL_SUPER_ADDED_SINCE_USER_TABLE_ACLS;
+
+    if (access & REPL_SLAVE_ACL)
+      access|= REPL_MASTER_ADMIN_ACL;
+
    return access & GLOBAL_ACLS;
  }

@ -1503,12 +1509,26 @@ class User_table_json: public User_table
  privilege_t adjust_access(ulonglong version_id, ulonglong access) const
  {
    privilege_t mask= ALL_KNOWN_ACL_100304;
-    if (access & ~mask)
+    ulonglong orig_access= access;
+    if (version_id >= 100502)
    {
-      print_warning_bad_access(version_id, mask, access);
+      mask= ALL_KNOWN_ACL_100502;
+    }
+    else // 100501 or earlier
+    {
+      if (access & SUPER_ACL)
+        access|= GLOBAL_SUPER_ADDED_SINCE_USER_TABLE_ACLS;
+
+      if (access & REPL_SLAVE_ACL)
+        access|= REPL_MASTER_ADMIN_ACL;
+    }
+
+    if (orig_access & ~mask)
+    {
+      print_warning_bad_access(version_id, mask, orig_access);
      return NO_ACL;
    }
-    return access & mask;
+    return access & ALL_KNOWN_ACL;
  }

  privilege_t get_access() const
@ -8857,19 +8877,32 @@ static const char *command_array[]=
  "SELECT", "INSERT", "UPDATE", "DELETE", "CREATE", "DROP", "RELOAD",
  "SHUTDOWN", "PROCESS","FILE", "GRANT", "REFERENCES", "INDEX",
  "ALTER", "SHOW DATABASES", "SUPER", "CREATE TEMPORARY TABLES",
-  "LOCK TABLES", "EXECUTE", "REPLICATION SLAVE", "REPLICATION CLIENT",
+  "LOCK TABLES", "EXECUTE", "REPLICATION SLAVE", "BINLOG MONITOR",
  "CREATE VIEW", "SHOW VIEW", "CREATE ROUTINE", "ALTER ROUTINE",
-  "CREATE USER", "EVENT", "TRIGGER", "CREATE TABLESPACE",
-  "DELETE HISTORY"
+  "CREATE USER", "EVENT", "TRIGGER", "CREATE TABLESPACE", "DELETE HISTORY",
+  "SET USER", "FEDERATED ADMIN", "CONNECTION ADMIN", "READ_ONLY ADMIN",
+  "REPLICATION SLAVE ADMIN", "REPLICATION MASTER ADMIN", "BINLOG ADMIN"
 };

 static uint command_lengths[]=
 {
-  6, 6, 6, 6, 6, 4, 6, 8, 7, 4, 5, 10, 5, 5, 14, 5, 23, 11, 7, 17, 18, 11, 9,
-  14, 13, 11, 5, 7, 17, 14,
+  6, 6, 6, 6, 6, 4, 6,
+  8, 7, 4, 5, 10, 5,
+  5, 14, 5, 23,
+  11, 7, 17, 14,
+  11, 9, 14, 13,
+  11, 5, 7, 17, 14,
+  8, 15, 16, 15,
+  23, 24, 12
 };


+static_assert(array_elements(command_array) == PRIVILEGE_T_MAX_BIT + 1,
+              "The definition of command_array does not match privilege_t");
+static_assert(array_elements(command_lengths) == PRIVILEGE_T_MAX_BIT + 1,
+              "The definition of command_lengths does not match privilege_t");
+
+
 static bool print_grants_for_role(THD *thd, ACL_ROLE * role)
 {
  char buff[1024];
@ -12993,7 +13026,7 @@ static bool send_plugin_request_packet(MPVIO_EXT *mpvio,
 static bool ignore_max_password_errors(const ACL_USER *acl_user)
 {
 const char *host= acl_user->host.hostname;
- return (acl_user->access & SUPER_ACL)
+ return (acl_user->access & PRIV_IGNORE_MAX_PASSWORD_ERRORS)
   && (!strcasecmp(host, "localhost") ||
       !strcmp(host, "127.0.0.1") ||
       !strcmp(host, "::1"));
@ -14191,7 +14224,7 @@ bool acl_authenticate(THD *thd, uint com_change_user_pkt_len)
              (longlong) sctx->master_access, mpvio.db.str));

  if (command == COM_CONNECT &&
-      !(thd->main_security_ctx.master_access & SUPER_ACL))
+      !(thd->main_security_ctx.master_access & PRIV_IGNORE_MAX_CONNECTIONS))
  {
    if (*thd->scheduler->connection_count > *thd->scheduler->max_connections)
    {                                         // too many connections
--- a/sql/sql_admin.cc
+++ b/sql/sql_admin.cc
@ -26,7 +26,6 @@
 #include "sql_view.h"                        // view_checksum
 #include "sql_table.h"                       // mysql_recreate_table
 #include "debug_sync.h"                      // DEBUG_SYNC
-#include "sql_acl.h"                         // *_ACL
 #include "sp.h"                              // Sroutine_hash_entry
 #include "sql_parse.h"                       // check_table_access
 #include "strfunc.h"
--- a/sql/sql_base.cc
+++ b/sql/sql_base.cc
@ -30,9 +30,6 @@
 #include "sql_view.h"    // mysql_make_view, VIEW_ANY_ACL
 #include "sql_parse.h"   // check_table_access
 #include "sql_insert.h"  // kill_delayed_threads
-#include "sql_acl.h"     // *_ACL, check_grant_all_columns,
-                         // check_column_grant_in_table_ref,
-                         // get_column_grant
 #include "sql_partition.h"               // ALTER_PARTITION_PARAM_TYPE
 #include "sql_derived.h" // mysql_derived_prepare,
                         // mysql_handle_derived,
--- a/sql/sql_binlog.cc
+++ b/sql/sql_binlog.cc
@ -189,7 +189,7 @@ void mysql_client_binlog_statement(THD* thd)
                            thd->lex->comment.length : 2048),
                     thd->lex->comment.str));

-  if (check_global_access(thd, SUPER_ACL))
+  if (check_global_access(thd, PRIV_STMT_BINLOG))
    DBUG_VOID_RETURN;

  /*
--- a/sql/sql_cmd.h
+++ b/sql/sql_cmd.h
@ -38,7 +38,7 @@ enum enum_sql_command {
  SQLCOM_SHOW_DATABASES, SQLCOM_SHOW_TABLES, SQLCOM_SHOW_FIELDS,
  SQLCOM_SHOW_KEYS, SQLCOM_SHOW_VARIABLES, SQLCOM_SHOW_STATUS,
  SQLCOM_SHOW_ENGINE_LOGS, SQLCOM_SHOW_ENGINE_STATUS, SQLCOM_SHOW_ENGINE_MUTEX,
-  SQLCOM_SHOW_PROCESSLIST, SQLCOM_SHOW_MASTER_STAT, SQLCOM_SHOW_SLAVE_STAT,
+  SQLCOM_SHOW_PROCESSLIST, SQLCOM_SHOW_BINLOG_STAT, SQLCOM_SHOW_SLAVE_STAT,
  SQLCOM_SHOW_GRANTS, SQLCOM_SHOW_CREATE, SQLCOM_SHOW_CHARSETS,
  SQLCOM_SHOW_COLLATIONS, SQLCOM_SHOW_CREATE_DB, SQLCOM_SHOW_TABLE_STATUS,
  SQLCOM_SHOW_TRIGGERS,
--- a/sql/sql_connect.cc
+++ b/sql/sql_connect.cc
@ -35,7 +35,6 @@
 #include "sql_db.h"                             // mysql_change_db
 #include "hostname.h" // inc_host_errors, ip_to_hostname,
                      // reset_host_errors
-#include "privilege.h"  // acl_getroot, SUPER_ACL
 #include "sql_callback.h"

 #ifdef WITH_WSREP
@ -140,7 +139,7 @@ int check_for_max_user_connections(THD *thd, USER_CONN *uc)
  if (global_system_variables.max_user_connections &&
      !uc->user_resources.user_conn &&
      global_system_variables.max_user_connections < uc->connections &&
-      !(thd->security_ctx->master_access & SUPER_ACL))
+      !(thd->security_ctx->master_access & PRIV_IGNORE_MAX_USER_CONNECTIONS))
  {
    my_error(ER_TOO_MANY_USER_CONNECTIONS, MYF(0), uc->user);
    error=1;
@ -1246,7 +1245,8 @@ void prepare_new_connection_state(THD* thd)
  thd->set_command(COM_SLEEP);
  thd->init_for_queries();

-  if (opt_init_connect.length && !(sctx->master_access & SUPER_ACL))
+  if (opt_init_connect.length &&
+      !(sctx->master_access & PRIV_IGNORE_INIT_CONNECT))
  {
    execute_init_command(thd, &opt_init_connect, &LOCK_sys_init_connect);
    if (unlikely(thd->is_error()))
--- a/sql/sql_delete.cc
+++ b/sql/sql_delete.cc
@ -30,7 +30,6 @@
 #include "lock.h"                              // unlock_table_name
 #include "sql_view.h"             // check_key_in_view, mysql_frm_type
 #include "sql_parse.h"            // mysql_init_select
-#include "sql_acl.h"              // *_ACL
 #include "filesort.h"             // filesort
 #include "sql_handler.h"          // mysql_ha_rm_tables
 #include "sql_select.h"
--- a/sql/sql_insert.cc
+++ b/sql/sql_insert.cc
@ -67,7 +67,6 @@
 #include "sp_head.h"
 #include "sql_view.h"         // check_key_in_view, insert_view_fields
 #include "sql_table.h"        // mysql_create_table_no_lock
-#include "sql_acl.h"          // *_ACL, check_grant_all_columns
 #include "sql_trigger.h"
 #include "sql_select.h"
 #include "sql_show.h"
--- a/sql/sql_parse.cc
+++ b/sql/sql_parse.cc
@ -56,13 +56,6 @@
 #include "sql_rename.h"       // mysql_rename_tables
 #include "sql_tablespace.h"   // mysql_alter_tablespace
 #include "hostname.h"         // hostname_cache_refresh
-#include "sql_acl.h"          // *_ACL, check_grant, is_acl_user,
-                              // has_any_table_level_privileges,
-                              // mysql_drop_user, mysql_rename_user,
-                              // check_grant_routine,
-                              // mysql_routine_grant,
-                              // mysql_show_grants,
-                              // sp_grant_privileges, ...
 #include "sql_test.h"         // mysql_print_status
 #include "sql_select.h"       // handle_select, mysql_select,
                              // mysql_explain_union
@ -680,7 +673,7 @@ void init_update_queries(void)
  sql_command_flags[SQLCOM_SHOW_CREATE_USER]= CF_STATUS_COMMAND;
  sql_command_flags[SQLCOM_SHOW_CREATE_DB]=   CF_STATUS_COMMAND;
  sql_command_flags[SQLCOM_SHOW_CREATE]=  CF_STATUS_COMMAND;
-  sql_command_flags[SQLCOM_SHOW_MASTER_STAT]= CF_STATUS_COMMAND;
+  sql_command_flags[SQLCOM_SHOW_BINLOG_STAT]= CF_STATUS_COMMAND;
  sql_command_flags[SQLCOM_SHOW_SLAVE_STAT]=  CF_STATUS_COMMAND;
  sql_command_flags[SQLCOM_SHOW_CREATE_PROC]= CF_STATUS_COMMAND;
  sql_command_flags[SQLCOM_SHOW_CREATE_FUNC]= CF_STATUS_COMMAND;
@ -1406,7 +1399,7 @@ static bool deny_updates_if_read_only_option(THD *thd, TABLE_LIST *all_tables)
  LEX *lex= thd->lex;

  /* Super user is allowed to do changes */
-  if ((thd->security_ctx->master_access & SUPER_ACL) == SUPER_ACL)
+  if ((thd->security_ctx->master_access & PRIV_IGNORE_READ_ONLY) != NO_ACL)
    DBUG_RETURN(FALSE);

  /* Check if command doesn't update anything */
@ -1446,10 +1439,10 @@ static bool deny_updates_if_read_only_option(THD *thd, TABLE_LIST *all_tables)
 static my_bool wsrep_read_only_option(THD *thd, TABLE_LIST *all_tables)
 {
  int opt_readonly_saved = opt_readonly;
-  privilege_t flag_saved= thd->security_ctx->master_access & SUPER_ACL;
+  privilege_t flag_saved= thd->security_ctx->master_access & PRIV_IGNORE_READ_ONLY;

  opt_readonly = 0;
-  thd->security_ctx->master_access &= ~SUPER_ACL;
+  thd->security_ctx->master_access &= ~PRIV_IGNORE_READ_ONLY;

  my_bool ret = !deny_updates_if_read_only_option(thd, all_tables);

@ -2093,7 +2086,7 @@ bool dispatch_command(enum enum_server_command command, THD *thd,
      status_var_increment(thd->status_var.com_other);

      thd->query_plan_flags|= QPLAN_ADMIN;
-      if (check_global_access(thd, REPL_SLAVE_ACL))
+      if (check_global_access(thd, PRIV_COM_BINLOG_DUMP))
 	break;

      /* TODO: The following has to be changed to an 8 byte integer */
@ -2249,12 +2242,12 @@ bool dispatch_command(enum enum_server_command command, THD *thd,
  case COM_PROCESS_INFO:
    status_var_increment(thd->status_var.com_stat[SQLCOM_SHOW_PROCESSLIST]);
    if (!thd->security_ctx->priv_user[0] &&
-        check_global_access(thd, PROCESS_ACL))
+        check_global_access(thd, PRIV_COM_PROCESS_INFO))
      break;
    general_log_print(thd, command, NullS);
    mysqld_list_processes(thd,
-			  thd->security_ctx->master_access & PROCESS_ACL ? 
-			  NullS : thd->security_ctx->priv_user, 0);
+                     thd->security_ctx->master_access & PRIV_COM_PROCESS_INFO ?
+                     NullS : thd->security_ctx->priv_user, 0);
    break;
  case COM_PROCESS_KILL:
  {
@ -2286,7 +2279,7 @@ bool dispatch_command(enum enum_server_command command, THD *thd,
  }
  case COM_DEBUG:
    status_var_increment(thd->status_var.com_other);
-    if (check_global_access(thd, SUPER_ACL))
+    if (check_global_access(thd, PRIV_DEBUG))
      break;					/* purecov: inspected */
    mysql_print_status();
    general_log_print(thd, command, NullS);
@ -2840,7 +2833,7 @@ bool sp_process_definer(THD *thd)
                  !my_strcasecmp(system_charset_info, d->host.str,
                                 thd->security_ctx->priv_host);
    if (!curuserhost && !currole &&
-        check_global_access(thd, SUPER_ACL, false))
+        check_global_access(thd, PRIV_DEFINER_CLAUSE, false))
      DBUG_RETURN(TRUE);
  }

@ -3828,7 +3821,7 @@ mysql_execute_command(THD *thd)
  case SQLCOM_SHOW_EXPLAIN:
  {
    if (!thd->security_ctx->priv_user[0] &&
-        check_global_access(thd,PROCESS_ACL))
+        check_global_access(thd, PRIV_STMT_SHOW_EXPLAIN))
      break;

    /*
@ -3946,7 +3939,7 @@ mysql_execute_command(THD *thd)
 #ifndef EMBEDDED_LIBRARY
  case SQLCOM_PURGE:
  {
-    if (check_global_access(thd, SUPER_ACL))
+    if (check_global_access(thd, PRIV_STMT_PURGE_BINLOG))
      goto error;
    /* PURGE MASTER LOGS TO 'file' */
    res = purge_master_logs(thd, lex->to_log);
@ -3956,7 +3949,7 @@ mysql_execute_command(THD *thd)
  {
    Item *it;

-    if (check_global_access(thd, SUPER_ACL))
+    if (check_global_access(thd, PRIV_STMT_PURGE_BINLOG))
      goto error;
    /* PURGE MASTER LOGS BEFORE 'data' */
    it= (Item *)lex->value_list.head();
@ -4003,16 +3996,23 @@ mysql_execute_command(THD *thd)
 #ifdef HAVE_REPLICATION
  case SQLCOM_SHOW_SLAVE_HOSTS:
  {
-    if (check_global_access(thd, REPL_SLAVE_ACL))
+    if (check_global_access(thd, PRIV_STMT_SHOW_SLAVE_HOSTS))
      goto error;
    res = show_slave_hosts(thd);
    break;
  }
-  case SQLCOM_SHOW_RELAYLOG_EVENTS: /* fall through */
+  case SQLCOM_SHOW_RELAYLOG_EVENTS:
+  {
+    WSREP_SYNC_WAIT(thd, WSREP_SYNC_WAIT_BEFORE_SHOW);
+    if (check_global_access(thd, PRIV_STMT_SHOW_RELAYLOG_EVENTS))
+      goto error;
+    res = mysql_show_binlog_events(thd);
+    break;
+  }
  case SQLCOM_SHOW_BINLOG_EVENTS:
  {
    WSREP_SYNC_WAIT(thd, WSREP_SYNC_WAIT_BEFORE_SHOW);
-    if (check_global_access(thd, REPL_SLAVE_ACL))
+    if (check_global_access(thd, PRIV_STMT_SHOW_BINLOG_EVENTS))
      goto error;
    res = mysql_show_binlog_events(thd);
    break;
@ -4049,7 +4049,7 @@ mysql_execute_command(THD *thd)
    bool new_master= 0;
    bool master_info_added;

-    if (check_global_access(thd, SUPER_ACL))
+    if (check_global_access(thd, PRIV_STMT_CHANGE_MASTER))
      goto error;
    /*
      In this code it's ok to use LOCK_active_mi as we are adding new things
@ -4104,10 +4104,10 @@ mysql_execute_command(THD *thd)
    break;
  }

-  case SQLCOM_SHOW_MASTER_STAT:
+  case SQLCOM_SHOW_BINLOG_STAT:
  {
    /* Accept one of two privileges */
-    if (check_global_access(thd, SUPER_ACL | REPL_CLIENT_ACL))
+    if (check_global_access(thd, PRIV_STMT_SHOW_BINLOG_STATUS))
      goto error;
    res = show_binlog_info(thd);
    break;
@ -4116,14 +4116,14 @@ mysql_execute_command(THD *thd)
 #endif /* HAVE_REPLICATION */
  case SQLCOM_SHOW_ENGINE_STATUS:
    {
-      if (check_global_access(thd, PROCESS_ACL))
+      if (check_global_access(thd, PRIV_STMT_SHOW_ENGINE_STATUS))
        goto error;
      res = ha_show_status(thd, lex->create_info.db_type, HA_ENGINE_STATUS);
      break;
    }
  case SQLCOM_SHOW_ENGINE_MUTEX:
    {
-      if (check_global_access(thd, PROCESS_ACL))
+      if (check_global_access(thd, PRIV_STMT_SHOW_ENGINE_MUTEX))
        goto error;
      res = ha_show_status(thd, lex->create_info.db_type, HA_ENGINE_MUTEX);
      break;
@ -4284,7 +4284,7 @@ mysql_execute_command(THD *thd)
    goto error;
 #else
    {
-      if (check_global_access(thd, SUPER_ACL | REPL_CLIENT_ACL))
+      if (check_global_access(thd, PRIV_STMT_SHOW_BINARY_LOGS))
 	goto error;
      WSREP_SYNC_WAIT(thd, WSREP_SYNC_WAIT_BEFORE_SHOW);
      res = show_binlogs(thd);
@ -4416,7 +4416,7 @@ mysql_execute_command(THD *thd)
      if (res)
        break;
      if (opt_readonly &&
-	  !(thd->security_ctx->master_access & SUPER_ACL) &&
+	  !(thd->security_ctx->master_access & PRIV_IGNORE_READ_ONLY) &&
 	  some_non_temp_table_to_be_updated(thd, all_tables))
      {
 	my_error(ER_OPTION_PREVENTS_STATEMENT, MYF(0), "--read-only");
@ -4892,13 +4892,13 @@ mysql_execute_command(THD *thd)
  }
  case SQLCOM_SHOW_PROCESSLIST:
    if (!thd->security_ctx->priv_user[0] &&
-        check_global_access(thd,PROCESS_ACL))
+        check_global_access(thd, PRIV_STMT_SHOW_PROCESSLIST))
      break;
    mysqld_list_processes(thd,
-			  (thd->security_ctx->master_access & PROCESS_ACL ?
-                           NullS :
-                           thd->security_ctx->priv_user),
-                          lex->verbose);
+                (thd->security_ctx->master_access & PRIV_STMT_SHOW_PROCESSLIST ?
+                 NullS :
+                 thd->security_ctx->priv_user),
+                lex->verbose);
    break;
  case SQLCOM_SHOW_AUTHORS:
    res= mysqld_show_authors(thd);
@ -5810,7 +5810,7 @@ mysql_execute_command(THD *thd)
  {
    DBUG_PRINT("info", ("case SQLCOM_CREATE_SERVER"));

-    if (check_global_access(thd, SUPER_ACL))
+    if (check_global_access(thd, PRIV_STMT_CREATE_SERVER))
      break;

    WSREP_TO_ISOLATION_BEGIN(WSREP_MYSQL_DB, NULL, NULL);
@ -5823,7 +5823,7 @@ mysql_execute_command(THD *thd)
    int error;
    DBUG_PRINT("info", ("case SQLCOM_ALTER_SERVER"));

-    if (check_global_access(thd, SUPER_ACL))
+    if (check_global_access(thd, PRIV_STMT_ALTER_SERVER))
      break;

    WSREP_TO_ISOLATION_BEGIN(WSREP_MYSQL_DB, NULL, NULL);
@ -5843,7 +5843,7 @@ mysql_execute_command(THD *thd)
    int err_code;
    DBUG_PRINT("info", ("case SQLCOM_DROP_SERVER"));

-    if (check_global_access(thd, SUPER_ACL))
+    if (check_global_access(thd, PRIV_STMT_DROP_SERVER))
      break;

    WSREP_TO_ISOLATION_BEGIN(WSREP_MYSQL_DB, NULL, NULL);
@ -7146,10 +7146,8 @@ bool check_some_access(THD *thd, privilege_t want_access, TABLE_LIST *table)
  @param want_access		Use should have any of these global rights

  @warning
-    One gets access right if one has ANY of the rights in want_access.
-    This is useful as one in most cases only need one global right,
-    but in some case we want to check if the user has SUPER or
-    REPL_CLIENT_ACL rights.
+    Starting from 10.5.2 only one bit is allowed in want_access.
+    Access denied error is returned if want_access has multiple bits set.

  @retval
    0	ok
@ -7161,7 +7159,7 @@ bool check_global_access(THD *thd, privilege_t want_access, bool no_errors)
 {
 #ifndef NO_EMBEDDED_ACCESS_CHECKS
  char command[128];
-  if ((thd->security_ctx->master_access & want_access))
+  if (thd->security_ctx->master_access & want_access)
    return 0;
  if (unlikely(!no_errors))
  {
@ -9099,11 +9097,11 @@ kill_one_thread(THD *thd, longlong id, killed_state kill_signal, killed_type typ
    */

 #ifdef WITH_WSREP
-    if (((thd->security_ctx->master_access & SUPER_ACL) ||
+    if (((thd->security_ctx->master_access & PRIV_KILL_OTHER_USER_PROCESS) ||
        thd->security_ctx->user_matches(tmp->security_ctx)) &&
        !wsrep_thd_is_BF(tmp, false) && !tmp->wsrep_applier)
 #else
-    if ((thd->security_ctx->master_access & SUPER_ACL) ||
+    if ((thd->security_ctx->master_access & PRIV_KILL_OTHER_USER_PROCESS) ||
        thd->security_ctx->user_matches(tmp->security_ctx))
 #endif /* WITH_WSREP */
    {
@ -9156,7 +9154,8 @@ static my_bool kill_threads_callback(THD *thd, kill_threads_callback_arg *arg)
         !strcmp(thd->security_ctx->host_or_ip, arg->user->host.str)) &&
        !strcmp(thd->security_ctx->user, arg->user->user.str))
    {
-      if (!(arg->thd->security_ctx->master_access & SUPER_ACL) &&
+      if (!(arg->thd->security_ctx->master_access &
+            PRIV_KILL_OTHER_USER_PROCESS) &&
          !arg->thd->security_ctx->user_matches(thd->security_ctx))
        return 1;
      if (!arg->threads_to_kill.push_back(thd, arg->thd->mem_root))
--- a/sql/sql_plugin.cc
+++ b/sql/sql_plugin.cc
@ -28,7 +28,6 @@
 #include "sql_table.h"
 #include "sql_show.h"           // remove_status_vars, add_status_vars
 #include "strfunc.h"            // find_set
-#include "sql_acl.h"                       // *_ACL
 #include "records.h"          // init_read_record, end_read_record
 #include <my_pthread.h>
 #include <my_getopt.h>
--- a/sql/sql_prepare.cc
+++ b/sql/sql_prepare.cc
@ -99,7 +99,6 @@ When one supplies long data for a placeholder:
 #include "sql_insert.h" // upgrade_lock_type_for_insert, mysql_prepare_insert
 #include "sql_update.h" // mysql_prepare_update
 #include "sql_db.h"     // mysql_opt_change_db, mysql_change_db
-#include "sql_acl.h"    // *_ACL
 #include "sql_derived.h" // mysql_derived_prepare,
                         // mysql_handle_derived
 #include "sql_cte.h"
@ -1949,7 +1948,7 @@ static int mysql_test_show_slave_status(Prepared_statement *stmt,


 /**
-  Validate and prepare for execution SHOW MASTER STATUS statement.
+  Validate and prepare for execution SHOW BINLOG STATUS statement.

  @param stmt               prepared statement

@ -1959,9 +1958,9 @@ static int mysql_test_show_slave_status(Prepared_statement *stmt,
    TRUE              error, error message is set in THD
 */

-static int mysql_test_show_master_status(Prepared_statement *stmt)
+static int mysql_test_show_binlog_status(Prepared_statement *stmt)
 {
-  DBUG_ENTER("mysql_test_show_master_status");
+  DBUG_ENTER("mysql_test_show_binlog_status");
  THD *thd= stmt->thd;
  List<Item> fields;

@ -2410,8 +2409,8 @@ static bool check_prepared_statement(Prepared_statement *stmt)
      }
      break;
    }
-  case SQLCOM_SHOW_MASTER_STAT:
-    if ((res= mysql_test_show_master_status(stmt)) == 2)
+  case SQLCOM_SHOW_BINLOG_STAT:
+    if ((res= mysql_test_show_binlog_status(stmt)) == 2)
    {
      /* Statement and field info has already been sent */
      DBUG_RETURN(FALSE);
--- a/sql/sql_repl.cc
+++ b/sql/sql_repl.cc
@ -24,7 +24,6 @@
 #include "rpl_mi.h"
 #include "rpl_rli.h"
 #include "sql_repl.h"
-#include "sql_acl.h"                            // SUPER_ACL
 #include "log_event.h"
 #include "rpl_filter.h"
 #include <my_dir.h>
@ -3081,7 +3080,7 @@ int start_slave(THD* thd , Master_info* mi,  bool net_report)
  char relay_log_info_file_tmp[FN_REFLEN];
  DBUG_ENTER("start_slave");

-  if (check_access(thd, SUPER_ACL, any_db, NULL, NULL, 0, 0))
+  if (check_global_access(thd, PRIV_STMT_START_SLAVE))
    DBUG_RETURN(-1);

  create_logfile_name_with_suffix(master_info_file_tmp,
@ -3284,7 +3283,7 @@ int stop_slave(THD* thd, Master_info* mi, bool net_report )
  DBUG_ENTER("stop_slave");
  DBUG_PRINT("enter",("Connection: %s", mi->connection_name.str));

-  if (check_access(thd, SUPER_ACL, any_db, NULL, NULL, 0, 0))
+  if (check_global_access(thd, PRIV_STMT_STOP_SLAVE))
    DBUG_RETURN(-1);
  THD_STAGE_INFO(thd, stage_killing_slave);
  int thread_mask;
@ -4217,7 +4216,7 @@ void show_binlog_info_get_fields(THD *thd, List<Item> *field_list)


 /**
-  Execute a SHOW MASTER STATUS statement.
+  Execute a SHOW BINLOG STATUS statement.

  @param thd Pointer to THD object for the client thread executing the
  statement.
--- a/sql/sql_select.cc
+++ b/sql/sql_select.cc
@ -43,7 +43,6 @@
 #include "sql_base.h"            // setup_wild, setup_fields, fill_record
 #include "sql_parse.h"                          // check_stack_overrun
 #include "sql_partition.h"       // make_used_partitions_str
-#include "sql_acl.h"             // *_ACL
 #include "sql_test.h"            // print_where, print_keyuse_array,
                                 // print_sjm, print_plan, TEST_join
 #include "records.h"             // init_read_record, end_read_record
--- a/sql/sql_show.cc
+++ b/sql/sql_show.cc
@ -480,7 +480,10 @@ static struct show_privileges_st sys_privileges[]=
  {"Proxy", "Server Admin", "To make proxy user possible"},
  {"References", "Databases,Tables", "To have references on tables"},
  {"Reload", "Server Admin", "To reload or refresh tables, logs and privileges"},
-  {"Replication client","Server Admin","To ask where the slave or master servers are"},
+  {"Binlog admin", "Server", "To purge binary logs"},
+  {"Binlog monitor", "Server", "To use SHOW BINLOG STATUS and SHOW BINARY LOG"},
+  {"Replication master admin", "Server", "To monitor connected slaves"},
+  {"Replication slave admin", "Server", "To start/monitor/stop slave and apply binlog events"},
  {"Replication slave","Server Admin","To read binary log events from the master"},
  {"Select", "Tables",  "To retrieve rows from table"},
  {"Show databases","Server Admin","To see all databases with SHOW DATABASES"},
@ -490,6 +493,10 @@ static struct show_privileges_st sys_privileges[]=
  {"Trigger","Tables", "To use triggers"},
  {"Create tablespace", "Server Admin", "To create/alter/drop tablespaces"},
  {"Update", "Tables",  "To update existing rows"},
+  {"Set user","Server", "To create views and stored routines with a different definer"},
+  {"Federated admin", "Server", "To execute the CREATE SERVER, ALTER SERVER, DROP SERVER statements"},
+  {"Connection admin", "Server", "To bypass connection limits and kill other users' connections"},
+  {"Read_only admin", "Server", "To perform write operations even if @@read_only=ON"},
  {"Usage","Server Admin","No privileges - allow connect only"},
  {NullS, NullS, NullS}
 };
@ -3053,8 +3060,8 @@ int fill_show_explain(THD *thd, TABLE_LIST *table, COND *cond)

  DBUG_ASSERT(cond==NULL);
  thread_id= thd->lex->value_list.head()->val_int();
-  calling_user= (thd->security_ctx->master_access & PROCESS_ACL) ?  NullS :
-                 thd->security_ctx->priv_user;
+  calling_user= (thd->security_ctx->master_access & PRIV_STMT_SHOW_EXPLAIN) ?
+                 NullS : thd->security_ctx->priv_user;

  if ((tmp= find_thread_by_id(thread_id)))
  {
@ -3171,8 +3178,9 @@ static my_bool processlist_callback(THD *tmp, processlist_callback_arg *arg)
  const char *val;
  ulonglong max_counter;
  bool got_thd_data;
-  char *user= arg->thd->security_ctx->master_access & PROCESS_ACL ?
-              NullS : arg->thd->security_ctx->priv_user;
+  char *user=
+          arg->thd->security_ctx->master_access & PRIV_STMT_SHOW_PROCESSLIST ?
+          NullS : arg->thd->security_ctx->priv_user;

  if ((!tmp->vio_ok() && !tmp->system_thread) ||
      (user && (tmp->system_thread || !tmp_sctx->user ||
--- a/sql/sql_trigger.cc
+++ b/sql/sql_trigger.cc
@ -30,7 +30,6 @@
 #include "sql_table.h"                        // build_table_filename,
                                              // check_n_cut_mysql50_prefix
 #include "sql_db.h"                        // get_default_db_collation
-#include "sql_acl.h"                       // *_ACL
 #include "sql_handler.h"                        // mysql_ha_rm_tables
 #include "sp_cache.h"                     // sp_invalidate_cache
 #include <mysys_err.h>
@ -441,7 +440,7 @@ bool mysql_create_or_drop_trigger(THD *thd, TABLE_LIST *tables, bool create)
  */
  if (!trust_function_creators                               &&
      (WSREP_EMULATE_BINLOG(thd) || mysql_bin_log.is_open()) &&
-      !(thd->security_ctx->master_access & SUPER_ACL))
+      !(thd->security_ctx->master_access & PRIV_LOG_BIN_TRUSTED_SP_CREATOR))
  {
    my_error(ER_BINLOG_CREATE_ROUTINE_NEED_SUPER, MYF(0));
    DBUG_RETURN(TRUE);
@ -464,7 +463,8 @@ bool mysql_create_or_drop_trigger(THD *thd, TABLE_LIST *tables, bool create)
    */
    thd->lex->sql_command= backup.sql_command;

-    if (opt_readonly && !(thd->security_ctx->master_access & SUPER_ACL) &&
+    if (opt_readonly &&
+        !(thd->security_ctx->master_access & PRIV_IGNORE_READ_ONLY) &&
        !thd->slave_thread)
    {
      my_error(ER_OPTION_PREVENTS_STATEMENT, MYF(0), "--read-only");
--- a/sql/sql_update.cc
+++ b/sql/sql_update.cc
@ -35,7 +35,6 @@
 #include "probes_mysql.h"
 #include "debug_sync.h"
 #include "key.h"                                // is_key_used
-#include "sql_acl.h"                            // *_ACL, check_grant
 #include "records.h"                            // init_read_record,
                                                // end_read_record
 #include "filesort.h"                           // filesort
--- a/sql/sql_view.cc
+++ b/sql/sql_view.cc
@ -27,7 +27,6 @@
 #include "sql_show.h"    // append_identifier
 #include "sql_table.h"                         // build_table_filename
 #include "sql_db.h"            // mysql_opt_change_db, mysql_change_db
-#include "sql_acl.h"           // *_ACL, check_grant
 #include "sql_select.h"
 #include "parse_file.h"
 #include "sp_head.h"
--- a/sql/sql_yacc.yy
+++ b/sql/sql_yacc.yy
@ -38,7 +38,6 @@
 #include "sql_parse.h"                        /* comp_*_creator */
 #include "sql_table.h"                        /* primary_key_name */
 #include "sql_partition.h"  /* partition_info, HASH_PARTITION */
-#include "sql_acl.h"                          /* *_ACL */
 #include "sql_class.h"      /* Key_part_spec, enum_filetype, Diag_condition_item_name */
 #include "slave.h"
 #include "lex_symbol.h"
@ -835,6 +834,7 @@ End SQL_MODE_ORACLE_SPECIFIC */
 %token  <kwd>  EXTENT_SIZE_SYM
 %token  <kwd>  FAST_SYM
 %token  <kwd>  FAULTS_SYM
+%token  <kwd>  FEDERATED_SYM                 /* MariaDB privilege */
 %token  <kwd>  FILE_SYM
 %token  <kwd>  FIRST_SYM                     /* SQL-2003-N */
 %token  <kwd>  FIXED_SYM
@ -931,6 +931,7 @@ End SQL_MODE_ORACLE_SPECIFIC */
 %token  <kwd>  MIN_ROWS
 %token  <kwd>  MODE_SYM
 %token  <kwd>  MODIFY_SYM
+%token  <kwd>  MONITOR_SYM                   /* MariaDB privilege */
 %token  <kwd>  MONTH_SYM                     /* SQL-2003-R */
 %token  <kwd>  MUTEX_SYM
 %token  <kwd>  MYSQL_SYM
@ -13620,9 +13621,13 @@ show_param:
              MYSQL_YYABORT;
            lex->table_type= TABLE_TYPE_SEQUENCE;
          }
+        | BINLOG_SYM STATUS_SYM
+          {
+            Lex->sql_command = SQLCOM_SHOW_BINLOG_STAT;
+          }
        | MASTER_SYM STATUS_SYM
          {
-            Lex->sql_command = SQLCOM_SHOW_MASTER_STAT;
+            Lex->sql_command = SQLCOM_SHOW_BINLOG_STAT;
          }
        | ALL SLAVES STATUS_SYM
          {
@ -15512,6 +15517,7 @@ keyword_sp_var_and_label:
        | FAST_SYM
        | FOUND_SYM
        | ENABLE_SYM
+        | FEDERATED_SYM
        | FULL
        | FILE_SYM
        | FIRST_SYM
@ -15590,6 +15596,7 @@ keyword_sp_var_and_label:
        | MIN_ROWS
        | MODIFY_SYM
        | MODE_SYM
+        | MONITOR_SYM
        | MONTH_SYM
        | MUTEX_SYM
        | MYSQL_SYM
@ -16898,7 +16905,7 @@ object_privilege:
        | CREATE TEMPORARY TABLES { $$= CREATE_TMP_ACL;}
        | LOCK_SYM TABLES         { $$= LOCK_TABLES_ACL; }
        | REPLICATION SLAVE       { $$= REPL_SLAVE_ACL; }
-        | REPLICATION CLIENT_SYM  { $$= REPL_CLIENT_ACL; }
+        | REPLICATION CLIENT_SYM  { $$= BINLOG_MONITOR_ACL; /*Compatibility*/ }
        | CREATE VIEW_SYM         { $$= CREATE_VIEW_ACL; }
        | SHOW VIEW_SYM           { $$= SHOW_VIEW_ACL; }
        | CREATE ROUTINE_SYM      { $$= CREATE_PROC_ACL; }
@ -16908,6 +16915,15 @@ object_privilege:
        | TRIGGER_SYM             { $$= TRIGGER_ACL; }
        | CREATE TABLESPACE       { $$= CREATE_TABLESPACE_ACL; }
        | DELETE_SYM HISTORY_SYM  { $$= DELETE_HISTORY_ACL; }
+        | SET USER_SYM            { $$= SET_USER_ACL; }
+        | FEDERATED_SYM ADMIN_SYM { $$= FEDERATED_ADMIN_ACL; }
+        | CONNECTION_SYM ADMIN_SYM         { $$= CONNECTION_ADMIN_ACL; }
+        | READ_SYM ONLY_SYM ADMIN_SYM      { $$= READ_ONLY_ADMIN_ACL; }
+        | READ_ONLY_SYM ADMIN_SYM          { $$= READ_ONLY_ADMIN_ACL; }
+        | BINLOG_SYM MONITOR_SYM           { $$= BINLOG_MONITOR_ACL; }
+        | BINLOG_SYM ADMIN_SYM             { $$= BINLOG_ADMIN_ACL; }
+        | REPLICATION MASTER_SYM ADMIN_SYM { $$= REPL_MASTER_ADMIN_ACL; }
+        | REPLICATION SLAVE ADMIN_SYM      { $$= REPL_SLAVE_ADMIN_ACL; }
        ;

 opt_and:
--- a/sql/sys_vars.cc
+++ b/sql/sys_vars.cc
@ -45,8 +45,7 @@
 #include "mysqld.h"
 #include "lock.h"
 #include "sql_time.h"                       // known_date_time_formats
-#include "sql_acl.h" // SUPER_ACL,
-                     // mysql_user_table_is_in_short_password_format
+#include "sql_acl.h" // mysql_user_table_is_in_short_password_format
 #include "derror.h"  // read_texts
 #include "sql_base.h"                           // close_cached_tables
 #include "hostname.h"                           // host_cache_size
@ -585,7 +584,8 @@ bool check_has_super(sys_var *self, THD *thd, set_var *var)
 {
  DBUG_ASSERT(self->scope() != sys_var::GLOBAL);// don't abuse check_has_super()
 #ifndef NO_EMBEDDED_ACCESS_CHECKS
-  if (!(thd->security_ctx->master_access & SUPER_ACL))
+  if (!(thd->security_ctx->master_access &
+        PRIV_SET_RESTRICTED_SESSION_SYSTEM_VARIABLE))
  {
    my_error(ER_SPECIFIC_ACCESS_DENIED_ERROR, MYF(0), "SUPER");
    return true;
--- a/sql/table.cc
+++ b/sql/table.cc
@ -27,7 +27,6 @@
 #include "strfunc.h"                            // unhex_type2
 #include "sql_partition.h"       // mysql_unpack_partition,
                                 // fix_partition_func, partition_info
-#include "sql_acl.h"             // *_ACL, acl_getroot_no_password
 #include "sql_base.h"
 #include "create_options.h"
 #include "sql_trigger.h"
@ -6209,7 +6208,7 @@ bool TABLE_LIST::prepare_view_security_context(THD *thd)
      }
      else
      {
-        if (thd->security_ctx->master_access & SUPER_ACL)
+        if (thd->security_ctx->master_access & PRIV_REVEAL_MISSING_DEFINER)
        {
          my_error(ER_NO_SUCH_USER, MYF(0), definer.user.str, definer.host.str);

--- a/sql/transaction.cc
+++ b/sql/transaction.cc
@ -163,7 +163,7 @@ bool trans_begin(THD *thd, uint flags)
      compatibility.
    */
    const bool user_is_super=
-      MY_TEST(thd->security_ctx->master_access & SUPER_ACL);
+      MY_TEST(thd->security_ctx->master_access & PRIV_IGNORE_READ_ONLY);
    if (opt_readonly && !user_is_super)
    {
      my_error(ER_OPTION_PREVENTS_STATEMENT, MYF(0), "--read-only");
--- a/storage/maria/ma_pagecache.c
+++ b/storage/maria/ma_pagecache.c
@ -801,7 +801,7 @@ size_t init_pagecache(PAGECACHE *pagecache, size_t use_mem,

  pagecache->mem_size= use_mem;
  pagecache->block_size= block_size;
-  pagecache->shift= my_bit_log2(block_size);
+  pagecache->shift= my_bit_log2_uint64(block_size);
  pagecache->readwrite_flags= my_readwrite_flags | MY_NABP | MY_WAIT_IF_FULL;
  pagecache->org_readwrite_flags= pagecache->readwrite_flags;
  DBUG_PRINT("info", ("block_size: %u", block_size));
--- a/storage/myisam/ha_myisam.cc
+++ b/storage/myisam/ha_myisam.cc
@ -2520,7 +2520,7 @@ static int myisam_init(void *p)
  else
    myisam_recover_options= HA_RECOVER_OFF;

-  myisam_block_size=(uint) 1 << my_bit_log2(opt_myisam_block_size);
+  myisam_block_size=(uint) 1 << my_bit_log2_uint64(opt_myisam_block_size);

  hton= (handlerton *)p;
  hton->db_type= DB_TYPE_MYISAM;
--- a/storage/myisam/myisamchk.c
+++ b/storage/myisam/myisamchk.c
@ -797,7 +797,7 @@ static void get_options(register int *argc,register char ***argv)
                                             MYF(MY_WME))))
      exit(1);

-  myisam_block_size=(uint) 1 << my_bit_log2(opt_myisam_block_size);
+  myisam_block_size=(uint) 1 << my_bit_log2_uint64(opt_myisam_block_size);
  return;
 } /* get options */

--- a/storage/rocksdb/rdb_datadic.cc
+++ b/storage/rocksdb/rdb_datadic.cc
@ -3121,7 +3121,7 @@ static const Rdb_collation_codec *rdb_init_collation_mapping(
          for (uint idx = 0; idx < p.second.size(); idx++) {
            uchar src = p.second[idx];
            uchar bits =
-                my_bit_log2(my_round_up_to_next_power(p.second.size()));
+                my_bit_log2_uint32(my_round_up_to_next_power(p.second.size()));
            cur->m_enc_idx[src] = idx;
            cur->m_enc_size[src] = bits;
            cur->m_dec_size[dst] = bits;
--- a/storage/spider/ha_spider.cc
+++ b/storage/spider/ha_spider.cc
@ -13594,7 +13594,7 @@ void ha_spider::set_error_mode()
    case SQLCOM_SHOW_ENGINE_STATUS:
    case SQLCOM_SHOW_ENGINE_MUTEX:
    case SQLCOM_SHOW_PROCESSLIST:
-    case SQLCOM_SHOW_MASTER_STAT:
+    case SQLCOM_SHOW_BINLOG_STAT:
    case SQLCOM_SHOW_SLAVE_STAT:
    case SQLCOM_SHOW_GRANTS:
    case SQLCOM_SHOW_CREATE: