mirror of
https://github.com/MariaDB/server.git
synced 2025-01-31 11:01:52 +01:00
6da68049b5
Add a new privilege "SLAVE MONITOR" which will grant user the permission to execute "SHOW SLAVE STATUS" and "SHOW RELAYLOG EVENTS" commands. SHOW SLAVE STATUS requires either SLAVE MONITOR/SUPER SHOW RELAYLOG EVENTS requires SLAVE MONITOR privilege.
101 lines
2.8 KiB
Text
101 lines
2.8 KiB
Text
# ==== Purpose ====
|
|
#
|
|
# SLAVE MONITOR privilege is required to execute following commands.
|
|
# SHOW SLAVE STATUS
|
|
# SHOW RELAYLOG EVENTS
|
|
#
|
|
# ==== Implementation ====
|
|
#
|
|
# Step1: GRANT ALL privileges for a new user 'user1' and then REVOKE
|
|
# SLAVE MONITOR and SUPER privileges.
|
|
# Step2: Execute SHOW SLAVE STAUTS/SHOW RELAYLOG EVENTS commands and expect
|
|
# ER_SPECIFIC_ACCESS_DENIED_ERROR. This also verifies that REPLICATION
|
|
# SLAVE ADMIN privilege is not required for these two commands.
|
|
# Step3: GRANT SLAVE MONITOR privilege and observe that both commands are
|
|
# allowd to execute.
|
|
# Step4: GRANT SUPER privilege and observe that only SHOW SLAVE STATUS command
|
|
# is allowed.
|
|
#
|
|
# ==== References ====
|
|
#
|
|
# MDEV-23610: Slave user can't run "SHOW SLAVE STATUS" anymore after upgrade
|
|
# to 10.5, mysql_upgrade should take of that
|
|
# MDEV-23918: admin privlege required to view contents of relay logs in 10.5
|
|
#
|
|
|
|
--source include/not_embedded.inc
|
|
|
|
CREATE USER user1@localhost IDENTIFIED BY '';
|
|
GRANT ALL PRIVILEGES ON *.* TO user1@localhost;
|
|
REVOKE SLAVE MONITOR, SUPER ON *.* FROM user1@localhost;
|
|
FLUSH PRIVILEGES;
|
|
|
|
--connect(con1,localhost,user1,,)
|
|
--connection con1
|
|
SHOW GRANTS;
|
|
|
|
--echo #
|
|
--echo # Verify that having REPLICATION SLAVE ADMIN doesn't allow SHOW SLAVE STATUS
|
|
--echo # Expected error: Access denied; you need (at least one of) the SUPER, SLAVE
|
|
--echo # MONITOR privilege(s) for this operation
|
|
--echo #
|
|
--error ER_SPECIFIC_ACCESS_DENIED_ERROR
|
|
SHOW SLAVE STATUS;
|
|
|
|
--echo #
|
|
--echo # Verify that having REPLICATION SLAVE ADMIN doesn't allow SHOW RELAYLOG EVENTS
|
|
--echo # Expected error: Access denied; you need (at least one of) the REPLICA MONITOR
|
|
--echo # privilege(s) for this operation
|
|
--echo #
|
|
--disable_ps_protocol
|
|
--error ER_SPECIFIC_ACCESS_DENIED_ERROR
|
|
SHOW RELAYLOG EVENTS;
|
|
--enable_ps_protocol
|
|
--disconnect con1
|
|
|
|
--echo #
|
|
--echo # SHOW SLAVE STATUS and SHOW RELAYLOG EVENTS are allowed with SLAVE MONITOR privilege
|
|
--echo #
|
|
|
|
--connection default
|
|
GRANT SLAVE MONITOR ON *.* TO user1@localhost;
|
|
FLUSH PRIVILEGES;
|
|
|
|
--connect(con1,localhost,user1,,)
|
|
--connection con1
|
|
SHOW GRANTS;
|
|
|
|
--disable_result_log
|
|
SHOW SLAVE STATUS;
|
|
--disable_ps_protocol
|
|
SHOW RELAYLOG EVENTS;
|
|
--enable_ps_protocol
|
|
--enable_result_log
|
|
--disconnect con1
|
|
|
|
--connection default
|
|
DROP USER user1@localhost;
|
|
|
|
--echo #
|
|
--echo # SHOW SLAVE STATUS command is allowed with SUPER privilege
|
|
--echo #
|
|
CREATE USER user1@localhost IDENTIFIED BY '';
|
|
GRANT SUPER ON *.* TO user1@localhost;
|
|
|
|
--connect(con1,localhost,user1,,)
|
|
--disable_result_log
|
|
SHOW SLAVE STATUS;
|
|
--enable_result_log
|
|
|
|
--echo #
|
|
--echo # SHOW RELAYLOG EVENTS is not allowed with SUPER privilege, it requires SLAVE MONITOR
|
|
--echo #
|
|
|
|
--disable_ps_protocol
|
|
--error ER_SPECIFIC_ACCESS_DENIED_ERROR
|
|
SHOW RELAYLOG EVENTS;
|
|
--enable_ps_protocol
|
|
--disconnect con1
|
|
|
|
--connection default
|
|
DROP USER user1@localhost;
|