mirror/mariadb
1
0
Fork 0
mirror of https://github.com/MariaDB/server.git synced 2025-10-31 10:56:12 +01:00
Code Issues Projects Releases Packages Wiki Activity
mariadb/mysql-test/suite/sys_vars/r/read_only_grant.result
Sergei Golubchik d6e3d89c80 MDEV-29668 SUPER should not allow actions that have fine-grained dedicated privileges 
SUPER privilege used to allow various actions that were alternatively
allowed by one of BINLOG ADMIN, BINLOG MONITOR, BINLOG REPLAY,
CONNECTION ADMIN, FEDERATED ADMIN, REPL MASTER ADMIN, REPL SLAVE ADMIN,
SET USER, SLAVE MONITOR.

Now SUPER no longer does that, one has to grant one of the fine-grained
privileges above to be to perform corresponding actions.

On upgrade from MariaDB versions 10.11 and below all the privileges
above are granted automatically if the user has SUPER.

As a side-effect, such an upgrade will allow SUPER-user to run SHOW
BINLOG EVENTS, SHOW RELAYLOG EVENTS, SHOW SLAVE HOSTS, even if he wasn't
able to do it before the upgrade.
2023-02-06 14:31:48 +01:00

40 lines
1.7 KiB
Text
Raw Permalink Blame History

#
# MDEV-21960 Bind READ_ONLY ADMIN to @@read_only
#
# Test that "SET read_only" is not allowed without READ_ONLY ADMIN
CREATE USER user1@localhost;
GRANT ALL PRIVILEGES ON *.* TO user1@localhost;
REVOKE READ_ONLY ADMIN ON *.* FROM user1@localhost;
connect user1,localhost,user1,,;
connection user1;
SET GLOBAL read_only=0;
ERROR 42000: Access denied; you need (at least one of) the READ_ONLY ADMIN privilege(s) for this operation
SET read_only=0;
ERROR HY000: Variable 'read_only' is a GLOBAL variable and should be set with SET GLOBAL
SET SESSION read_only=0;
ERROR HY000: Variable 'read_only' is a GLOBAL variable and should be set with SET GLOBAL
disconnect user1;
connection default;
DROP USER user1@localhost;
# Test that "SET read_only" is allowed with READ_ONLY ADMIN
CREATE USER user1@localhost;
GRANT READ_ONLY ADMIN ON *.* TO user1@localhost;
connect user1,localhost,user1,,;
connection user1;
SET GLOBAL read_only=0;
SET read_only=0;
ERROR HY000: Variable 'read_only' is a GLOBAL variable and should be set with SET GLOBAL
SET SESSION read_only=0;
ERROR HY000: Variable 'read_only' is a GLOBAL variable and should be set with SET GLOBAL
disconnect user1;
connection default;
DROP USER user1@localhost;
#
# MDEV-29632 SUPER users created before 10.11 should retain READ_ONLY ADMIN privilege upon upgrade
#
insert mysql.global_priv values ('bar', 'foo', '{"access":32768,"version_id":101000,"plugin":"mysql_native_password","authentication_string":""}');
flush privileges;
show grants for foo@bar;
Grants for foo@bar
GRANT SUPER, BINLOG MONITOR, SET USER, FEDERATED ADMIN, CONNECTION ADMIN, READ_ONLY ADMIN, REPLICATION SLAVE ADMIN, REPLICATION MASTER ADMIN, BINLOG ADMIN, BINLOG REPLAY, SLAVE MONITOR ON *.* TO `foo`@`bar`
drop user foo@bar;
Reference in a new issue View git blame Copy permalink