MDEV-29668 SUPER should not allow actions that have fine-grained dedicated privileges

SUPER privilege used to allow various actions that were alternatively allowed by one of BINLOG ADMIN, BINLOG MONITOR, BINLOG REPLAY, CONNECTION ADMIN, FEDERATED ADMIN, REPL MASTER ADMIN, REPL SLAVE ADMIN, SET USER, SLAVE MONITOR. Now SUPER no longer does that, one has to grant one of the fine-grained privileges above to be to perform corresponding actions. On upgrade from MariaDB versions 10.11 and below all the privileges above are granted automatically if the user has SUPER. As a side-effect, such an upgrade will allow SUPER-user to run SHOW BINLOG EVENTS, SHOW RELAYLOG EVENTS, SHOW SLAVE HOSTS, even if he wasn't able to do it before the upgrade.
2025-07-27 18:02:13 +03:00 · 2022-12-10 12:08:31 +01:00
parent 0ac5132505
commit d6e3d89c80
142 changed files with 551 additions and 2145 deletions
--- a/mysql-test/main/system_mysql_db_error_log.result
+++ b/mysql-test/main/system_mysql_db_error_log.result
@ -110,7 +110,7 @@ host='localhost' and user='good_version_id_100500';
 FLUSH PRIVILEGES;
 SHOW GRANTS FOR good_version_id_100500@localhost;
 Grants for good_version_id_100500@localhost
-GRANT SUPER, SET USER, FEDERATED ADMIN, CONNECTION ADMIN, READ_ONLY ADMIN, REPLICATION SLAVE ADMIN, BINLOG ADMIN, BINLOG REPLAY ON *.* TO `good_version_id_100500`@`localhost`
+GRANT SUPER, BINLOG MONITOR, SET USER, FEDERATED ADMIN, CONNECTION ADMIN, READ_ONLY ADMIN, REPLICATION SLAVE ADMIN, REPLICATION MASTER ADMIN, BINLOG ADMIN, BINLOG REPLAY, SLAVE MONITOR ON *.* TO `good_version_id_100500`@`localhost`
 DROP USER good_version_id_100500@localhost;
 FOUND 1 /Warning.*'user' entry 'bad_access1@localhost' has a wrong 'access' value.*version_id=/ in system_mysql_db_error_log.err
 FOUND 1 /Warning.*'user' entry 'bad_version_id_1000000@localhost' has a wrong 'version_id' value 1000000/ in system_mysql_db_error_log.err