mirror of
https://github.com/MariaDB/server.git
synced 2025-01-27 09:14:17 +01:00
d6e3d89c80
SUPER privilege used to allow various actions that were alternatively allowed by one of BINLOG ADMIN, BINLOG MONITOR, BINLOG REPLAY, CONNECTION ADMIN, FEDERATED ADMIN, REPL MASTER ADMIN, REPL SLAVE ADMIN, SET USER, SLAVE MONITOR. Now SUPER no longer does that, one has to grant one of the fine-grained privileges above to be to perform corresponding actions. On upgrade from MariaDB versions 10.11 and below all the privileges above are granted automatically if the user has SUPER. As a side-effect, such an upgrade will allow SUPER-user to run SHOW BINLOG EVENTS, SHOW RELAYLOG EVENTS, SHOW SLAVE HOSTS, even if he wasn't able to do it before the upgrade.
90 lines
2.9 KiB
Text
90 lines
2.9 KiB
Text
# ==== Purpose ====
|
|
#
|
|
# SLAVE MONITOR privilege is required to execute following commands.
|
|
# SHOW SLAVE STATUS
|
|
# SHOW RELAYLOG EVENTS
|
|
#
|
|
# ==== Implementation ====
|
|
#
|
|
# Step1: GRANT ALL privileges for a new user 'user1' and then REVOKE
|
|
# SLAVE MONITOR privileges.
|
|
# Step2: Execute SHOW SLAVE STAUTS/SHOW RELAYLOG EVENTS commands and expect
|
|
# ER_SPECIFIC_ACCESS_DENIED_ERROR. This also verifies that REPLICATION
|
|
# SLAVE ADMIN privilege is not required for these two commands.
|
|
# Step3: GRANT SLAVE MONITOR privilege and observe that both commands are
|
|
# allowd to execute.
|
|
#
|
|
# ==== References ====
|
|
#
|
|
# MDEV-23610: Slave user can't run "SHOW SLAVE STATUS" anymore after upgrade
|
|
# to 10.5, mysql_upgrade should take of that
|
|
# MDEV-23918: admin privlege required to view contents of relay logs in 10.5
|
|
#
|
|
|
|
--source include/not_embedded.inc
|
|
|
|
CREATE USER user1@localhost IDENTIFIED BY '';
|
|
GRANT ALL PRIVILEGES ON *.* TO user1@localhost;
|
|
REVOKE SLAVE MONITOR ON *.* FROM user1@localhost;
|
|
FLUSH PRIVILEGES;
|
|
|
|
--connect(con1,localhost,user1,,)
|
|
--connection con1
|
|
SHOW GRANTS;
|
|
|
|
--echo #
|
|
--echo # Verify that having REPLICATION SLAVE ADMIN doesn't allow SHOW SLAVE STATUS
|
|
--echo # Expected error: Access denied; you need (at least one of) the SLAVE MONITOR privilege(s) for this operation
|
|
--echo #
|
|
--error ER_SPECIFIC_ACCESS_DENIED_ERROR
|
|
SHOW SLAVE STATUS;
|
|
|
|
--echo #
|
|
--echo # Verify that having REPLICATION SLAVE ADMIN doesn't allow SHOW RELAYLOG EVENTS
|
|
--echo # Expected error: Access denied; you need (at least one of) the REPLICA MONITOR
|
|
--echo # privilege(s) for this operation
|
|
--echo #
|
|
--disable_ps_protocol
|
|
--error ER_SPECIFIC_ACCESS_DENIED_ERROR
|
|
SHOW RELAYLOG EVENTS;
|
|
--enable_ps_protocol
|
|
--disconnect con1
|
|
|
|
--echo #
|
|
--echo # SHOW SLAVE STATUS and SHOW RELAYLOG EVENTS are allowed with SLAVE MONITOR privilege
|
|
--echo #
|
|
|
|
--connection default
|
|
GRANT SLAVE MONITOR ON *.* TO user1@localhost;
|
|
FLUSH PRIVILEGES;
|
|
|
|
--connect(con1,localhost,user1,,)
|
|
--connection con1
|
|
SHOW GRANTS;
|
|
|
|
--disable_result_log
|
|
SHOW SLAVE STATUS;
|
|
--disable_ps_protocol
|
|
SHOW RELAYLOG EVENTS;
|
|
--enable_ps_protocol
|
|
--enable_result_log
|
|
--disconnect con1
|
|
|
|
--connection default
|
|
DROP USER user1@localhost;
|
|
|
|
--echo #
|
|
--echo # MDEV-25030 Upgrade to 10.5.9 breaks root's ability to grant
|
|
--echo #
|
|
insert mysql.global_priv values ('bar', 'foo7', '{"access":274877906943,"version_id":100507,"plugin":"mysql_native_password","authentication_string":""}'),
|
|
('bar', 'foo8', '{"access":274877906943,"version_id":100508,"plugin":"mysql_native_password","authentication_string":""}'),
|
|
('bar', 'foo9', '{"access":274877906943,"version_id":100509,"plugin":"mysql_native_password","authentication_string":""}');
|
|
flush privileges;
|
|
show grants for foo7@bar;
|
|
show grants for foo8@bar;
|
|
show grants for foo9@bar;
|
|
drop user foo7@bar, foo8@bar, foo9@bar;
|
|
|
|
--echo #
|
|
--echo # End of 10.5 tests
|
|
--echo #
|