MDEV-21743 Split up SUPER privilege to smaller privileges

2026-01-06 05:22:24 +03:00 · 2020-02-28 21:59:01 +04:00
parent 91ba789aaf
commit a1e330de5a
82 changed files with 1511 additions and 236 deletions
--- a/mysql-test/suite/binlog/r/binlog_grant.result
+++ b/mysql-test/suite/binlog/r/binlog_grant.result
@@ -38,6 +38,91 @@ connect rpl,localhost,mysqltest_1,,;
 connection rpl;
 SHOW MASTER LOGS;
 SHOW BINARY LOGS;
+SHOW BINLOG STATUS;
 disconnect rpl;
 connection default;
 DROP USER 'mysqltest_1'@'localhost';
+#
+# Start of 10.5 test
+#
+#
+# MDEV-21743 Split up SUPER privilege to smaller privileges 
+#
+# Test that REPLICATION CLIENT is an alias for BINLOG MONITOR
+CREATE USER user1@localhost;
+GRANT REPLICATION CLIENT ON *.* TO user1@localhost;
+SHOW GRANTS FOR user1@localhost;
+Grants for user1@localhost
+GRANT BINLOG MONITOR ON *.* TO `user1`@`localhost`
+REVOKE REPLICATION CLIENT ON *.* FROM user1@localhost;
+SHOW GRANTS FOR user1@localhost;
+Grants for user1@localhost
+GRANT USAGE ON *.* TO `user1`@`localhost`
+DROP USER user1@localhost;
+# Test if SHOW BINARY LOGS and SHOW BINGLOG STATUS are not allowed without REPLICATION CLIENT or SUPER
+CREATE USER user1@localhost;
+GRANT ALL PRIVILEGES ON *.* TO user1@localhost;
+REVOKE REPLICATION CLIENT, SUPER ON *.* FROM user1@localhost;
+connect user1,localhost,user1,,;
+connection user1;
+SHOW MASTER LOGS;
+ERROR 42000: Access denied; you need (at least one of) the SUPER, BINLOG MONITOR privilege(s) for this operation
+SHOW BINARY LOGS;
+ERROR 42000: Access denied; you need (at least one of) the SUPER, BINLOG MONITOR privilege(s) for this operation
+SHOW BINLOG STATUS;
+ERROR 42000: Access denied; you need (at least one of) the SUPER, BINLOG MONITOR privilege(s) for this operation
+disconnect user1;
+connection default;
+DROP USER user1@localhost;
+# Test if PURGE BINARY LOGS is not allowed without BINLOG ADMIN or SUPER
+CREATE USER user1@localhost;
+GRANT ALL PRIVILEGES ON *.* TO user1@localhost;
+REVOKE BINLOG ADMIN, SUPER ON *.* FROM user1@localhost;
+connect user1,localhost,user1,,;
+connection user1;
+PURGE BINARY LOGS BEFORE '2001-01-01 00:00:00';
+ERROR 42000: Access denied; you need (at least one of) the SUPER, BINLOG ADMIN privilege(s) for this operation
+disconnect user1;
+connection default;
+DROP USER user1@localhost;
+# Test if PURGE BINLOG is allowed with BINLOG ADMIN
+CREATE USER user1@localhost;
+GRANT BINLOG ADMIN ON *.* TO user1@localhost;
+connect user1,localhost,user1,,;
+connection user1;
+PURGE BINARY LOGS BEFORE '2001-01-01 00:00:00';
+disconnect user1;
+connection default;
+DROP USER user1@localhost;
+# Test if PURGE BINLOG is allowed with SUPER
+CREATE USER user1@localhost;
+GRANT SUPER ON *.* TO user1@localhost;
+connect user1,localhost,user1,,;
+connection user1;
+PURGE BINARY LOGS BEFORE '2001-01-01 00:00:00';
+disconnect user1;
+connection default;
+DROP USER user1@localhost;
+# Test if SHOW BINLOG EVENTS is not allowed without BINLOG MONITOR
+CREATE USER user1@localhost;
+GRANT ALL PRIVILEGES ON *.* TO user1@localhost;
+REVOKE BINLOG MONITOR ON *.* FROM user1@localhost;
+connect user1,localhost,user1,,;
+connection user1;
+SHOW BINLOG EVENTS;
+ERROR 42000: Access denied; you need (at least one of) the BINLOG MONITOR privilege(s) for this operation
+disconnect user1;
+connection default;
+DROP USER user1@localhost;
+# Test if SHOW BINLOG EVENTS is allowed with BINLOG MONITOR
+CREATE USER user1@localhost;
+GRANT BINLOG MONITOR ON *.* TO user1@localhost;
+connect user1,localhost,user1,,;
+connection user1;
+SHOW BINLOG EVENTS;
+disconnect user1;
+connection default;
+DROP USER user1@localhost;
+#
+# End of 10.5 test
+#
--- a/mysql-test/suite/binlog/t/binlog_grant.test
+++ b/mysql-test/suite/binlog/t/binlog_grant.test
@@ -68,9 +68,110 @@ GRANT REPLICATION CLIENT ON *.* TO 'mysqltest_1'@'localhost';
 --disable_result_log
 SHOW MASTER LOGS;
 SHOW BINARY LOGS;
--enable_result_log
+SHOW BINLOG STATUS;
+--enable_result_log 

 # clean up
 --disconnect rpl
 connection default;
 DROP USER 'mysqltest_1'@'localhost';
+
+
+--echo #
+--echo # Start of 10.5 test
+--echo #
+
+--echo #
+--echo # MDEV-21743 Split up SUPER privilege to smaller privileges 
+--echo #
+
+--echo # Test that REPLICATION CLIENT is an alias for BINLOG MONITOR
+
+CREATE USER user1@localhost;
+GRANT REPLICATION CLIENT ON *.* TO user1@localhost;
+SHOW GRANTS FOR user1@localhost;
+REVOKE REPLICATION CLIENT ON *.* FROM user1@localhost;
+SHOW GRANTS FOR user1@localhost;
+DROP USER user1@localhost;
+
+
+--echo # Test if SHOW BINARY LOGS and SHOW BINGLOG STATUS are not allowed without REPLICATION CLIENT or SUPER
+CREATE USER user1@localhost;
+GRANT ALL PRIVILEGES ON *.* TO user1@localhost;
+REVOKE REPLICATION CLIENT, SUPER ON *.* FROM user1@localhost;
+--connect(user1,localhost,user1,,)
+--connection user1
+--error ER_SPECIFIC_ACCESS_DENIED_ERROR
+SHOW MASTER LOGS;
+--error ER_SPECIFIC_ACCESS_DENIED_ERROR
+SHOW BINARY LOGS;
+--error ER_SPECIFIC_ACCESS_DENIED_ERROR
+SHOW BINLOG STATUS;
+--disconnect user1
+--connection default
+DROP USER user1@localhost;
+
+
+--echo # Test if PURGE BINARY LOGS is not allowed without BINLOG ADMIN or SUPER
+CREATE USER user1@localhost;
+GRANT ALL PRIVILEGES ON *.* TO user1@localhost;
+REVOKE BINLOG ADMIN, SUPER ON *.* FROM user1@localhost;
+--connect(user1,localhost,user1,,)
+--connection user1
+--error ER_SPECIFIC_ACCESS_DENIED_ERROR
+PURGE BINARY LOGS BEFORE '2001-01-01 00:00:00';
+--disconnect user1
+--connection default
+DROP USER user1@localhost;
+
+
+--echo # Test if PURGE BINLOG is allowed with BINLOG ADMIN
+CREATE USER user1@localhost;
+GRANT BINLOG ADMIN ON *.* TO user1@localhost;
+--connect(user1,localhost,user1,,)
+--connection user1
+PURGE BINARY LOGS BEFORE '2001-01-01 00:00:00';
+--disconnect user1
+connection default;
+DROP USER user1@localhost;
+
+
+--echo # Test if PURGE BINLOG is allowed with SUPER
+CREATE USER user1@localhost;
+GRANT SUPER ON *.* TO user1@localhost;
+--connect(user1,localhost,user1,,)
+--connection user1
+PURGE BINARY LOGS BEFORE '2001-01-01 00:00:00';
+--disconnect user1
+connection default;
+DROP USER user1@localhost;
+
+
+--echo # Test if SHOW BINLOG EVENTS is not allowed without BINLOG MONITOR
+CREATE USER user1@localhost;
+GRANT ALL PRIVILEGES ON *.* TO user1@localhost;
+REVOKE BINLOG MONITOR ON *.* FROM user1@localhost;
+--connect(user1,localhost,user1,,)
+--connection user1
+--error ER_SPECIFIC_ACCESS_DENIED_ERROR
+SHOW BINLOG EVENTS;
+--disconnect user1
+--connection default
+DROP USER user1@localhost;
+
+
+--echo # Test if SHOW BINLOG EVENTS is allowed with BINLOG MONITOR
+CREATE USER user1@localhost;
+GRANT BINLOG MONITOR ON *.* TO user1@localhost;
+--connect(user1,localhost,user1,,)
+--connection user1
+--disable_result_log
+SHOW BINLOG EVENTS;
+--enable_result_log
+--disconnect user1
+connection default;
+DROP USER user1@localhost;
+
+--echo #
+--echo # End of 10.5 test
+--echo #