mariadb/mysql-test/suite/binlog/t/binlog_grant.test

# Test grants for various objects (especially variables) related to
# the binary log

source include/have_log_bin.inc;

connection default;
--disable_warnings
reset master;
--enable_warnings

set @saved_binlog_format = @@global.binlog_format;
create user mysqltest_1@localhost;
GRANT SELECT on test.* to mysqltest_1@localhost;
show grants for mysqltest_1@localhost;

connect (plain,localhost,mysqltest_1,,test);
connect (root,localhost,root,,test);

# Testing setting session SQL_LOG_BIN variable both as
# root and as plain user.

--echo **** Variable SQL_LOG_BIN ****

connection root;
--echo [root]
set session sql_log_bin = 1;

connection plain;
--echo [plain]
--error ER_SPECIFIC_ACCESS_DENIED_ERROR
set session sql_log_bin = 1;

# Testing setting both session and global BINLOG_FORMAT variable both
# as root and as plain user.

--echo **** Variable BINLOG_FORMAT ****

connection root;
--echo [root]
set global binlog_format = row;
set session binlog_format = row;

connection plain;
--echo [plain]
--error ER_SPECIFIC_ACCESS_DENIED_ERROR
set global binlog_format = row;
--error ER_SPECIFIC_ACCESS_DENIED_ERROR
set session binlog_format = row;

--echo **** Clean up ****
disconnect plain;
disconnect root;

connection default;
set global binlog_format = @saved_binlog_format;
--disable_warnings
drop user mysqltest_1@localhost;
--enable_warnings

# Testing if REPLICATION CLIENT privilege is enough to execute
# SHOW MASTER LOGS and SHOW BINARY.
CREATE USER 'mysqltest_1'@'localhost';
GRANT REPLICATION CLIENT ON *.* TO 'mysqltest_1'@'localhost';
--connect(rpl,localhost,mysqltest_1,,"*NO-ONE*")

--connection rpl
# We are only interested if the following commands succeed and not on
# their output.
--disable_result_log
SHOW MASTER LOGS;
SHOW BINARY LOGS;
SHOW BINLOG STATUS;
--enable_result_log 

# clean up
--disconnect rpl
connection default;
--disable_warnings
DROP USER 'mysqltest_1'@'localhost';
--enable_warnings

--echo #
--echo # End of 10.4 tests
--echo #

--echo #
--echo # Start of 10.5 tests
--echo #

--echo #
--echo # MDEV-21743 Split up SUPER privilege to smaller privileges 
--echo #

--echo # Test that REPLICATION CLIENT is an alias for BINLOG MONITOR

CREATE USER user1@localhost;
GRANT REPLICATION CLIENT ON *.* TO user1@localhost;
SHOW GRANTS FOR user1@localhost;
REVOKE REPLICATION CLIENT ON *.* FROM user1@localhost;
SHOW GRANTS FOR user1@localhost;
DROP USER user1@localhost;

--echo # Test if SHOW BINARY LOGS and SHOW BINLOG STATUS are not allowed without REPLICATION CLIENT
CREATE USER user1@localhost;
GRANT ALL PRIVILEGES ON *.* TO user1@localhost;
REVOKE REPLICATION CLIENT ON *.* FROM user1@localhost;
--connect(user1,localhost,user1,,)
--connection user1
--error ER_SPECIFIC_ACCESS_DENIED_ERROR
SHOW MASTER LOGS;
--error ER_SPECIFIC_ACCESS_DENIED_ERROR
SHOW BINARY LOGS;
--error ER_SPECIFIC_ACCESS_DENIED_ERROR
SHOW BINLOG STATUS;
--disconnect user1
--connection default
--disable_warnings
DROP USER user1@localhost;
--enable_warnings

--echo # Test if PURGE BINARY LOGS is not allowed without BINLOG ADMIN
CREATE USER user1@localhost;
GRANT ALL PRIVILEGES ON *.* TO user1@localhost;
REVOKE BINLOG ADMIN ON *.* FROM user1@localhost;
--connect(user1,localhost,user1,,)
--connection user1
--error ER_SPECIFIC_ACCESS_DENIED_ERROR
PURGE BINARY LOGS BEFORE '2001-01-01 00:00:00';
--disconnect user1
--connection default
--disable_warnings
DROP USER user1@localhost;
--enable_warnings

--echo # Test if PURGE BINLOG is allowed with BINLOG ADMIN
CREATE USER user1@localhost;
GRANT BINLOG ADMIN ON *.* TO user1@localhost;
--connect(user1,localhost,user1,,"*NO-ONE*")
--connection user1
PURGE BINARY LOGS BEFORE '2001-01-01 00:00:00';
--disconnect user1
connection default;
--disable_warnings
DROP USER user1@localhost;
--enable_warnings

--echo # Test if SHOW BINLOG EVENTS is not allowed without BINLOG MONITOR
CREATE USER user1@localhost;
GRANT ALL PRIVILEGES ON *.* TO user1@localhost;
REVOKE BINLOG MONITOR ON *.* FROM user1@localhost;
--connect(user1,localhost,user1,,)
--connection user1
--error ER_SPECIFIC_ACCESS_DENIED_ERROR
SHOW BINLOG EVENTS;
--disconnect user1
--connection default
--disable_warnings
DROP USER user1@localhost;
--enable_warnings

--echo # Test if SHOW BINLOG EVENTS is allowed with BINLOG MONITOR
CREATE USER user1@localhost;
GRANT BINLOG MONITOR ON *.* TO user1@localhost;
--connect(user1,localhost,user1,,"*NO-ONE*")
--connection user1
--disable_result_log
SHOW BINLOG EVENTS;
--enable_result_log
--disconnect user1
connection default;
--disable_warnings
DROP USER user1@localhost;
--enable_warnings

--echo #
--echo # MDEV-21975 Add BINLOG REPLAY privilege and bind new privileges to
--echo #             gtid_seq_no, preudo_thread_id, server_id, gtid_domain_id
--echo #
--echo # Test combinations of BINLOG REPLAY guarded features which typically
--echo # arise in mysqlbinlog output replay on server.
--echo #

CREATE USER user1@localhost;
GRANT BINLOG REPLAY ON *.* TO user1@localhost;
GRANT ALL ON test.* TO user1@localhost;
RESET MASTER;
CREATE TABLE t1 (a INT);
INSERT INTO t1 VALUES (1),(2),(3);
--connect(user1,localhost,user1,,)
# Genuine mysqlbinlog output
--exec $MYSQL_BINLOG --read-from-remote-server --user=root --host=127.0.0.1 --port=$MASTER_MYPORT master-bin.000001 > $MYSQLTEST_VARDIR/tmp/mysqlbinlog.sql
RENAME TABLE t1 to t2;

--exec $MYSQL --user=user1 test < $MYSQLTEST_VARDIR/tmp/mysqlbinlog.sql

--connection default
REVOKE BINLOG REPLAY ON *.* FROM user1@localhost;
call mtr.add_suppression("Access denied; you need (at least one of) the BINLOG REPLAY privilege(s) for this operation");
--echo # Privilege errors are expected now:
--connection user1
--error 1
--exec $MYSQL --user=user1 test < $MYSQLTEST_VARDIR/tmp/mysqlbinlog.sql

--connection default
--let $diff_tables=t1,t2
--source include/diff_tables.inc

--echo #  Test cleanup
--remove_file $MYSQLTEST_VARDIR/tmp/mysqlbinlog.sql
DROP TABLE t2,t1;
DROP USER user1@localhost;

--echo #
--echo # End of 10.5 test
--echo #