From 19e998d20c2b209305057fddb8fddf243d4f0619 Mon Sep 17 00:00:00 2001
From: Alexander Barkov
Date: Wed, 25 Mar 2020 00:41:32 +0400
Subject: [PATCH] MDEV-22030 Don't grant REPLICATION MASTER ADMIN automatically on upgrade from an older JSON user table
---
 mysql-test/main/system_mysql_db_error_log.result | 4 ++++
 mysql-test/main/system_mysql_db_error_log.test | 4 ++++
 sql/sql_acl.cc | 11 ++++++++---
 3 files changed, 16 insertions(+), 3 deletions(-)
diff --git a/mysql-test/main/system_mysql_db_error_log.result b/mysql-test/main/system_mysql_db_error_log.result
index d600116b2a2..0dcbab572ea 100644
--- a/mysql-test/main/system_mysql_db_error_log.result
+++ b/mysql-test/main/system_mysql_db_error_log.result
@@ -90,6 +90,10 @@ host='localhost' and user='good_version_id_100400';
 FLUSH PRIVILEGES;
 SHOW GRANTS FOR good_version_id_100400@localhost;
 Grants for good_version_id_100400@localhost
+GRANT SELECT, INSERT, UPDATE, DELETE, CREATE, DROP, RELOAD, SHUTDOWN, PROCESS, FILE, REFERENCES, INDEX, ALTER, SHOW DATABASES, SUPER, CREATE TEMPORARY TABLES, LOCK TABLES, EXECUTE, REPLICATION SLAVE, BINLOG MONITOR, CREATE VIEW, SHOW VIEW, CREATE ROUTINE, ALTER ROUTINE, CREATE USER, EVENT, TRIGGER, CREATE TABLESPACE, DELETE HISTORY, SET USER, FEDERATED ADMIN, CONNECTION ADMIN, READ_ONLY ADMIN, REPLICATION SLAVE ADMIN, BINLOG ADMIN, BINLOG REPLAY ON *.* TO `good_version_id_100400`@`localhost` WITH GRANT OPTION
+GRANT REPLICATION MASTER ADMIN ON *.* TO good_version_id_100400@localhost;
+SHOW GRANTS FOR good_version_id_100400@localhost;
+Grants for good_version_id_100400@localhost
 GRANT ALL PRIVILEGES ON *.* TO `good_version_id_100400`@`localhost` WITH GRANT OPTION
 DROP USER good_version_id_100400@localhost;
 CREATE USER good_version_id_100500@localhost;
diff --git a/mysql-test/main/system_mysql_db_error_log.test b/mysql-test/main/system_mysql_db_error_log.test
index 07e281a5507..17c04a9cc14 100644
--- a/mysql-test/main/system_mysql_db_error_log.test
+++ b/mysql-test/main/system_mysql_db_error_log.test
@@ -81,6 +81,10 @@ WHERE host='localhost' and user='good_version_id_100400';
 FLUSH PRIVILEGES;
 SHOW GRANTS FOR good_version_id_100400@localhost;
+# Testing that it's missing only "REPLICATION MASTER ADMIN".
+# Should report ALL PRIVILEGES after GRANT REPLICATION MASTER ADMIN:
+GRANT REPLICATION MASTER ADMIN ON *.* TO good_version_id_100400@localhost;
+SHOW GRANTS FOR good_version_id_100400@localhost;
 DROP USER good_version_id_100400@localhost;
diff --git a/sql/sql_acl.cc b/sql/sql_acl.cc
index 7b392f9b1e7..ecb3aa97339 100644
--- a/sql/sql_acl.cc
+++ b/sql/sql_acl.cc
@@ -1033,6 +1033,14 @@ class User_table_tabular: public User_table
 if (access & SUPER_ACL)
 access|= GLOBAL_SUPER_ADDED_SINCE_USER_TABLE_ACLS;
+ /*
+ The SHOW SLAVE HOSTS statement :
+ - required REPLICATION SLAVE privilege prior to 10.5.2
+ - requires REPLICATION MASTER ADMIN privilege since 10.5.2
+ There is no a way to GRANT MASTER ADMIN with User_table_tabular.
+ So let's automatically add REPLICATION MASTER ADMIN for all users
+ that had REPLICATION SLAVE. This will allow to do SHOW SLAVE HOSTS.
+ */
 if (access & REPL_SLAVE_ACL)
 access|= REPL_MASTER_ADMIN_ACL;
@@ -1519,9 +1527,6 @@ class User_table_json: public User_table
 {
 if (access & SUPER_ACL)
 access|= GLOBAL_SUPER_ADDED_SINCE_USER_TABLE_ACLS;
-
- if (access & REPL_SLAVE_ACL)
- access|= REPL_MASTER_ADMIN_ACL;
 }
 if (orig_access & ~mask)
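Review bot: The comment added in User_table_tabular justifies the implicit REPL_MASTER_ADMIN_ACL only by SHOW SLAVE HOSTS, but the code ORs in the whole privilege bit, so every account holding REPLICATION SLAVE in an old tabular table also receives whatever else REPLICATION MASTER ADMIN gates. That scope is not visible in this hunk; the comment should state it so that someone auditing grants after an upgrade can tell the widening is intentional and how far it reaches. The wording also needs a fix: `There is no way to GRANT REPLICATION MASTER ADMIN with User_table_tabular.` in place of "There is no a way to GRANT MASTER ADMIN ...". The enclosing function starts and ends outside the hunk.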
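Review bot: After the two lines are removed from the User_table_json branch, nothing there explains why it no longer mirrors User_table_tabular, which still derives REPL_MASTER_ADMIN_ACL from REPL_SLAVE_ACL; a later reader comparing the two paths could take the asymmetry for an omission and restore the implicit grant. A short comment after the SUPER_ACL lines would prevent that, for example `/* REPLICATION MASTER ADMIN is intentionally not derived from REPLICATION SLAVE here; it must be granted explicitly (MDEV-22030). */`. Judging by the comment added in the tabular hunk, accounts that relied on REPLICATION SLAVE for SHOW SLAVE HOSTS will presumably need that explicit grant after upgrade, which deserves a line in the commit description or release notes. The enclosing function starts and ends outside the hunk.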