database/mariadb
1
0
Fork 0
mirror of https://github.com/MariaDB/server.git synced 2025-09-11 05:52:26 +03:00
Code Activity

MDEV-29668 SUPER should not allow actions that have fine-grained dedicated privileges

Browse Source 
SUPER privilege used to allow various actions that were alternatively
allowed by one of BINLOG ADMIN, BINLOG MONITOR, BINLOG REPLAY,
CONNECTION ADMIN, FEDERATED ADMIN, REPL MASTER ADMIN, REPL SLAVE ADMIN,
SET USER, SLAVE MONITOR.

Now SUPER no longer does that, one has to grant one of the fine-grained
privileges above to be to perform corresponding actions.

On upgrade from MariaDB versions 10.11 and below all the privileges
above are granted automatically if the user has SUPER.

As a side-effect, such an upgrade will allow SUPER-user to run SHOW
BINLOG EVENTS, SHOW RELAYLOG EVENTS, SHOW SLAVE HOSTS, even if he wasn't
able to do it before the upgrade.
This commit is contained in:
Sergei Golubchik
2022-12-10 12:08:31 +01:00
parent 0ac5132505
commit d6e3d89c80
142 changed files with 551 additions and 2145 deletions
Download Patch File Download Diff File Expand all files Collapse all files

38
mysql-test/suite/binlog/r/binlog_grant.result
View File

@@ -16,7 +16,7 @@ set session sql_log_bin = 1;
connection plain;
[plain]
set session sql_log_bin = 1;
ERROR 42000: Access denied; you need (at least one of) the SUPER, BINLOG ADMIN privilege(s) for this operation
ERROR 42000: Access denied; you need (at least one of) the BINLOG ADMIN privilege(s) for this operation
**** Variable BINLOG_FORMAT ****
connection root;
[root]
@@ -25,9 +25,9 @@ set session binlog_format = row;
connection plain;
[plain]
set global binlog_format = row;
ERROR 42000: Access denied; you need (at least one of) the SUPER, BINLOG ADMIN privilege(s) for this operation
ERROR 42000: Access denied; you need (at least one of) the BINLOG ADMIN privilege(s) for this operation
set session binlog_format = row;
ERROR 42000: Access denied; you need (at least one of) the SUPER, BINLOG ADMIN privilege(s) for this operation
ERROR 42000: Access denied; you need (at least one of) the BINLOG ADMIN privilege(s) for this operation
**** Clean up ****
disconnect plain;
disconnect root;
@@ -45,7 +45,10 @@ disconnect rpl;
connection default;
DROP USER 'mysqltest_1'@'localhost';
#
# Start of 10.5 test
# End of 10.4 tests
#
#
# Start of 10.5 tests
#
#
# MDEV-21743 Split up SUPER privilege to smaller privileges
@@ -61,29 +64,29 @@ SHOW GRANTS FOR user1@localhost;
Grants for user1@localhost
GRANT USAGE ON *.* TO `user1`@`localhost`
DROP USER user1@localhost;
# Test if SHOW BINARY LOGS and SHOW BINGLOG STATUS are not allowed without REPLICATION CLIENT or SUPER
# Test if SHOW BINARY LOGS and SHOW BINGLOG STATUS are not allowed without REPLICATION CLIENT
CREATE USER user1@localhost;
GRANT ALL PRIVILEGES ON *.* TO user1@localhost;
REVOKE REPLICATION CLIENT, SUPER ON *.* FROM user1@localhost;
REVOKE REPLICATION CLIENT ON *.* FROM user1@localhost;
connect user1,localhost,user1,,;
connection user1;
SHOW MASTER LOGS;
ERROR 42000: Access denied; you need (at least one of) the SUPER, BINLOG MONITOR privilege(s) for this operation
ERROR 42000: Access denied; you need (at least one of) the BINLOG MONITOR privilege(s) for this operation
SHOW BINARY LOGS;
ERROR 42000: Access denied; you need (at least one of) the SUPER, BINLOG MONITOR privilege(s) for this operation
ERROR 42000: Access denied; you need (at least one of) the BINLOG MONITOR privilege(s) for this operation
SHOW BINLOG STATUS;
ERROR 42000: Access denied; you need (at least one of) the SUPER, BINLOG MONITOR privilege(s) for this operation
ERROR 42000: Access denied; you need (at least one of) the BINLOG MONITOR privilege(s) for this operation
disconnect user1;
connection default;
DROP USER user1@localhost;
# Test if PURGE BINARY LOGS is not allowed without BINLOG ADMIN or SUPER
# Test if PURGE BINARY LOGS is not allowed without BINLOG ADMIN
CREATE USER user1@localhost;
GRANT ALL PRIVILEGES ON *.* TO user1@localhost;
REVOKE BINLOG ADMIN, SUPER ON *.* FROM user1@localhost;
REVOKE BINLOG ADMIN ON *.* FROM user1@localhost;
connect user1,localhost,user1,,;
connection user1;
PURGE BINARY LOGS BEFORE '2001-01-01 00:00:00';
ERROR 42000: Access denied; you need (at least one of) the SUPER, BINLOG ADMIN privilege(s) for this operation
ERROR 42000: Access denied; you need (at least one of) the BINLOG ADMIN privilege(s) for this operation
disconnect user1;
connection default;
DROP USER user1@localhost;
@@ -96,15 +99,6 @@ PURGE BINARY LOGS BEFORE '2001-01-01 00:00:00';
disconnect user1;
connection default;
DROP USER user1@localhost;
# Test if PURGE BINLOG is allowed with SUPER
CREATE USER user1@localhost;
GRANT SUPER ON *.* TO user1@localhost;
connect user1,localhost,user1,,"*NO-ONE*";
connection user1;
PURGE BINARY LOGS BEFORE '2001-01-01 00:00:00';
disconnect user1;
connection default;
DROP USER user1@localhost;
# Test if SHOW BINLOG EVENTS is not allowed without BINLOG MONITOR
CREATE USER user1@localhost;
GRANT ALL PRIVILEGES ON *.* TO user1@localhost;
@@ -142,7 +136,7 @@ connect user1,localhost,user1,,;
RENAME TABLE t1 to t2;
connection default;
REVOKE BINLOG REPLAY ON *.* FROM user1@localhost;
call mtr.add_suppression("Access denied; you need (at least one of) the SUPER, BINLOG REPLAY privilege(s) for this operation");
call mtr.add_suppression("Access denied; you need (at least one of) the BINLOG REPLAY privilege(s) for this operation");
# Privilege errors are expected now:
connection user1;
connection default;