MDEV-22012 Allow SET TIMESTAMP for users with GRANT BINLOG REPLAY when --secure-timestamp=replication

mysql-test/suite/sys_vars/inc/secure_timestamp_func.inc

@@ -7,13 +7,40 @@ source include/master-slave.inc;
 connection slave;
 select @@secure_timestamp;
 
-### SUPER
+--echo ### ALL PRIVILEGES
+disable_abort_on_error;
+set timestamp=1234567890.101112;
+enable_abort_on_error;
+select if(now(6) > 20100101, 'READONLY', 'EDITABLE') as 'ALL PRIVILEGES';
+set timestamp=default;
+
+--echo ### SUPER
+create user foo@127.0.0.1;
+grant super on *.* TO `foo`@`127.0.0.1`;
+connect con2,127.0.0.1,foo,,test,$SLAVE_MYPORT;
 disable_abort_on_error;
 set timestamp=1234567890.101112;
 enable_abort_on_error;
 select if(now(6) > 20100101, 'READONLY', 'EDITABLE') as 'SUPER';
+disconnect con2;
+connection slave;
+drop user foo@127.0.0.1;
+set timestamp=default;
 
-### non-privileged user
+--echo ### BINLOG REPLAY
+create user foo@127.0.0.1;
+grant binlog replay on *.* TO `foo`@`127.0.0.1`;
+connect con2,127.0.0.1,foo,,test,$SLAVE_MYPORT;
+disable_abort_on_error;
+set timestamp=1234567890.101112;
+enable_abort_on_error;
+select if(now(6) > 20100101, 'READONLY', 'EDITABLE') as 'BINLOG REPLAY';
+disconnect con2;
+connection slave;
+drop user foo@127.0.0.1;
+set timestamp=default;
+
+--echo ### non-privileged user
 create user foo@127.0.0.1;
 connect con2,127.0.0.1,foo,,test,$SLAVE_MYPORT;
 disable_abort_on_error;
@@ -23,6 +50,7 @@ select if(now(6) > 20100101, 'READONLY', 'EDITABLE') as 'non-privileged';
 disconnect con2;
 connection slave;
 drop user foo@127.0.0.1;
+set timestamp=default;
 
 ### replication
 connection master;

mysql-test/suite/sys_vars/r/secure_timestamp_no.result

@@ -4,10 +4,37 @@ connection slave;
 select @@secure_timestamp;
 @@secure_timestamp
 NO
+### ALL PRIVILEGES
+set timestamp=1234567890.101112;
+select if(now(6) > 20100101, 'READONLY', 'EDITABLE') as 'ALL PRIVILEGES';
+ALL PRIVILEGES
+EDITABLE
+set timestamp=default;
+### SUPER
+create user foo@127.0.0.1;
+grant super on *.* TO `foo`@`127.0.0.1`;
+connect con2,127.0.0.1,foo,,test,$SLAVE_MYPORT;
 set timestamp=1234567890.101112;
 select if(now(6) > 20100101, 'READONLY', 'EDITABLE') as 'SUPER';
 SUPER
 EDITABLE
+disconnect con2;
+connection slave;
+drop user foo@127.0.0.1;
+set timestamp=default;
+### BINLOG REPLAY
+create user foo@127.0.0.1;
+grant binlog replay on *.* TO `foo`@`127.0.0.1`;
+connect con2,127.0.0.1,foo,,test,$SLAVE_MYPORT;
+set timestamp=1234567890.101112;
+select if(now(6) > 20100101, 'READONLY', 'EDITABLE') as 'BINLOG REPLAY';
+BINLOG REPLAY
+EDITABLE
+disconnect con2;
+connection slave;
+drop user foo@127.0.0.1;
+set timestamp=default;
+### non-privileged user
 create user foo@127.0.0.1;
 connect con2,127.0.0.1,foo,,test,$SLAVE_MYPORT;
 set timestamp=1234567890.101112;
@@ -17,6 +44,7 @@ EDITABLE
 disconnect con2;
 connection slave;
 drop user foo@127.0.0.1;
+set timestamp=default;
 connection master;
 set time_zone='+00:00';
 set timestamp=1234567890.101112;

mysql-test/suite/sys_vars/r/secure_timestamp_rpl.result

@@ -4,21 +4,49 @@ connection slave;
 select @@secure_timestamp;
 @@secure_timestamp
 REPLICATION
+### ALL PRIVILEGES
 set timestamp=1234567890.101112;
-ERROR HY000: The MariaDB server is running with the --secure-timestamp=REPLICATION option so it cannot execute this statement
+select if(now(6) > 20100101, 'READONLY', 'EDITABLE') as 'ALL PRIVILEGES';
+ALL PRIVILEGES
+EDITABLE
+set timestamp=default;
+### SUPER
+create user foo@127.0.0.1;
+grant super on *.* TO `foo`@`127.0.0.1`;
+connect con2,127.0.0.1,foo,,test,$SLAVE_MYPORT;
+set timestamp=1234567890.101112;
+ERROR 42000: Access denied; you need (at least one of) the BINLOG REPLAY privilege(s) for this operation
 select if(now(6) > 20100101, 'READONLY', 'EDITABLE') as 'SUPER';
 SUPER
 READONLY
+disconnect con2;
+connection slave;
+drop user foo@127.0.0.1;
+set timestamp=default;
+### BINLOG REPLAY
+create user foo@127.0.0.1;
+grant binlog replay on *.* TO `foo`@`127.0.0.1`;
+connect con2,127.0.0.1,foo,,test,$SLAVE_MYPORT;
+set timestamp=1234567890.101112;
+select if(now(6) > 20100101, 'READONLY', 'EDITABLE') as 'BINLOG REPLAY';
+BINLOG REPLAY
+EDITABLE
+disconnect con2;
+connection slave;
+drop user foo@127.0.0.1;
+set timestamp=default;
+### non-privileged user
 create user foo@127.0.0.1;
 connect con2,127.0.0.1,foo,,test,$SLAVE_MYPORT;
 set timestamp=1234567890.101112;
-ERROR HY000: The MariaDB server is running with the --secure-timestamp=REPLICATION option so it cannot execute this statement
+ERROR 42000: Access denied; you need (at least one of) the BINLOG REPLAY privilege(s) for this operation
 select if(now(6) > 20100101, 'READONLY', 'EDITABLE') as 'non-privileged';
 non-privileged
 READONLY
 disconnect con2;
 connection slave;
 drop user foo@127.0.0.1;
+set timestamp=default;
 connection master;
 set time_zone='+00:00';
 set timestamp=1234567890.101112;

mysql-test/suite/sys_vars/r/secure_timestamp_super.result

@@ -4,10 +4,37 @@ connection slave;
 select @@secure_timestamp;
 @@secure_timestamp
 SUPER
+### ALL PRIVILEGES
+set timestamp=1234567890.101112;
+select if(now(6) > 20100101, 'READONLY', 'EDITABLE') as 'ALL PRIVILEGES';
+ALL PRIVILEGES
+EDITABLE
+set timestamp=default;
+### SUPER
+create user foo@127.0.0.1;
+grant super on *.* TO `foo`@`127.0.0.1`;
+connect con2,127.0.0.1,foo,,test,$SLAVE_MYPORT;
 set timestamp=1234567890.101112;
 select if(now(6) > 20100101, 'READONLY', 'EDITABLE') as 'SUPER';
 SUPER
 EDITABLE
+disconnect con2;
+connection slave;
+drop user foo@127.0.0.1;
+set timestamp=default;
+### BINLOG REPLAY
+create user foo@127.0.0.1;
+grant binlog replay on *.* TO `foo`@`127.0.0.1`;
+connect con2,127.0.0.1,foo,,test,$SLAVE_MYPORT;
+set timestamp=1234567890.101112;
+select if(now(6) > 20100101, 'READONLY', 'EDITABLE') as 'BINLOG REPLAY';
+BINLOG REPLAY
+EDITABLE
+disconnect con2;
+connection slave;
+drop user foo@127.0.0.1;
+set timestamp=default;
+### non-privileged user
 create user foo@127.0.0.1;
 connect con2,127.0.0.1,foo,,test,$SLAVE_MYPORT;
 set timestamp=1234567890.101112;
@@ -18,6 +45,7 @@ READONLY
 disconnect con2;
 connection slave;
 drop user foo@127.0.0.1;
+set timestamp=default;
 connection master;
 set time_zone='+00:00';
 set timestamp=1234567890.101112;

mysql-test/suite/sys_vars/r/secure_timestamp_yes.result

@@ -4,11 +4,40 @@ connection slave;
 select @@secure_timestamp;
 @@secure_timestamp
 YES
+### ALL PRIVILEGES
+set timestamp=1234567890.101112;
+ERROR HY000: The MariaDB server is running with the --secure-timestamp=YES option so it cannot execute this statement
+select if(now(6) > 20100101, 'READONLY', 'EDITABLE') as 'ALL PRIVILEGES';
+ALL PRIVILEGES
+READONLY
+set timestamp=default;
+### SUPER
+create user foo@127.0.0.1;
+grant super on *.* TO `foo`@`127.0.0.1`;
+connect con2,127.0.0.1,foo,,test,$SLAVE_MYPORT;
 set timestamp=1234567890.101112;
 ERROR HY000: The MariaDB server is running with the --secure-timestamp=YES option so it cannot execute this statement
 select if(now(6) > 20100101, 'READONLY', 'EDITABLE') as 'SUPER';
 SUPER
 READONLY
+disconnect con2;
+connection slave;
+drop user foo@127.0.0.1;
+set timestamp=default;
+### BINLOG REPLAY
+create user foo@127.0.0.1;
+grant binlog replay on *.* TO `foo`@`127.0.0.1`;
+connect con2,127.0.0.1,foo,,test,$SLAVE_MYPORT;
+set timestamp=1234567890.101112;
+ERROR HY000: The MariaDB server is running with the --secure-timestamp=YES option so it cannot execute this statement
+select if(now(6) > 20100101, 'READONLY', 'EDITABLE') as 'BINLOG REPLAY';
+BINLOG REPLAY
+READONLY
+disconnect con2;
+connection slave;
+drop user foo@127.0.0.1;
+set timestamp=default;
+### non-privileged user
 create user foo@127.0.0.1;
 connect con2,127.0.0.1,foo,,test,$SLAVE_MYPORT;
 set timestamp=1234567890.101112;
@@ -19,6 +48,7 @@ READONLY
 disconnect con2;
 connection slave;
 drop user foo@127.0.0.1;
+set timestamp=default;
 connection master;
 set time_zone='+00:00';
 set timestamp=1234567890.101112;

sql/sys_vars.cc

@@ -4598,10 +4598,7 @@ bool Sys_var_timestamp::on_check_access_session(THD *thd) const
   case SECTIME_SUPER:
     return check_global_access(thd, SUPER_ACL | BINLOG_REPLAY_ACL);
   case SECTIME_REPL:
-  /*
-    Perhaps we eventually should do this here:
-      return check_global_access(thd, BINLOG_REPLAY_ACL);
-  */
+    return check_global_access(thd, BINLOG_REPLAY_ACL);
   case SECTIME_YES:
     break;
   }