MDEV-21743 Split up SUPER privilege to smaller privileges

2025-07-30 16:24:05 +03:00 · 2020-02-28 21:59:01 +04:00
parent 91ba789aaf
commit a1e330de5a
82 changed files with 1511 additions and 236 deletions
--- a/mysql-test/main/grant_slave_admin.test
+++ b/mysql-test/main/grant_slave_admin.test
@ -0,0 +1,129 @@
+-- source include/not_embedded.inc
+
+--echo #
+--echo # Start of 10.5 tests
+--echo #
+
+--echo #
+--echo # MDEV-21743 Split up SUPER privilege to smaller privileges 
+--echo #
+
+--echo #
+--echo # Test that slave admin statements are not allowed without REPLICATION SLAVE ADMIN or SUPER
+--echo #
+
+CREATE USER user1@localhost IDENTIFIED BY '';
+GRANT ALL PRIVILEGES ON *.* TO user1@localhost;
+REVOKE REPLICATION SLAVE ADMIN, SUPER ON *.* FROM user1@localhost;
+
+connect (con1,localhost,user1,,);
+connection con1;
+--error ER_SPECIFIC_ACCESS_DENIED_ERROR
+START SLAVE;
+--error ER_SPECIFIC_ACCESS_DENIED_ERROR
+CHANGE MASTER TO MASTER_HOST='127.0.0.1';
+--error ER_SPECIFIC_ACCESS_DENIED_ERROR
+STOP SLAVE;
+--error ER_SPECIFIC_ACCESS_DENIED_ERROR
+SHOW SLAVE STATUS;
+--error ER_SPECIFIC_ACCESS_DENIED_ERROR
+BINLOG '';
+disconnect con1;
+
+connection default;
+DROP USER user1@localhost;
+
+
+--echo #
+--echo # Test that slave admin statements are allowed with REPLICATION SLAVE ADMIN
+--echo #
+
+CREATE USER user1@localhost IDENTIFIED BY '';
+GRANT REPLICATION SLAVE ADMIN ON *.* TO user1@localhost;
+SHOW GRANTS FOR user1@localhost;
+
+connect (con1,localhost,user1,,);
+connection con1;
+--error ER_BAD_SLAVE
+START SLAVE;
+CHANGE MASTER TO MASTER_USER='root';
+STOP SLAVE;
+--disable_result_log
+SHOW SLAVE STATUS;
+# The below fails with a syntax error.
+# This is fine. It's only important that it does not fail on "access denied".
+--error ER_SYNTAX_ERROR
+BINLOG '';
+--enable_result_log
+disconnect con1;
+
+connection default;
+DROP USER user1@localhost;
+
+
+--echo #
+--echo # Test that slave admin statements are allowed with SUPER
+--echo #
+
+CREATE USER user1@localhost IDENTIFIED BY '';
+GRANT SUPER ON *.* TO user1@localhost;
+SHOW GRANTS FOR user1@localhost;
+
+connect (con1,localhost,user1,,);
+connection con1;
+--error ER_BAD_SLAVE
+START SLAVE;
+CHANGE MASTER TO MASTER_USER='root';
+STOP SLAVE;
+--disable_result_log
+SHOW SLAVE STATUS;
+# The below fails with a syntax error.
+# This is fine. It's only important that it does not fail on "access denied".
+--error ER_SYNTAX_ERROR
+BINLOG '';
+--enable_result_log
+disconnect con1;
+
+connection default;
+DROP USER user1@localhost;
+
+
+
+--echo #
+--echo # Test that SHOW RELAYLOG EVENTS is not allowed without REPLICATION SLAVE ADMIN
+--echo #
+
+CREATE USER user1@localhost IDENTIFIED BY '';
+GRANT ALL PRIVILEGES ON *.* TO user1@localhost;
+REVOKE REPLICATION SLAVE ADMIN ON *.* FROM user1@localhost;
+connect (con1,localhost,user1,,);
+connection con1;
+--disable_ps_protocol
+--error ER_SPECIFIC_ACCESS_DENIED_ERROR
+SHOW RELAYLOG EVENTS;
+--enable_ps_protocol
+disconnect con1;
+connection default;
+DROP USER user1@localhost;
+
+--echo #
+--echo # Test that SHOW RELAYLOG EVENTS is allowed with REPLICATION SLAVE ADMIN
+--echo #
+
+CREATE USER user1@localhost IDENTIFIED BY '';
+GRANT REPLICATION SLAVE ADMIN ON *.* TO user1@localhost;
+connect (con1,localhost,user1,,);
+connection con1;
+--disable_ps_protocol
+--disable_result_log
+SHOW RELAYLOG EVENTS;
+--enable_result_log
+--enable_ps_protocol
+disconnect con1;
+connection default;
+DROP USER user1@localhost;
+
+
+--echo #
+--echo # End of 10.5 tests
+--echo #