From f991c41670623d89542e10bc30fd2f78e213a375 Mon Sep 17 00:00:00 2001
From: Alexander Barkov
Date: Fri, 27 Mar 2020 11:32:41 +0400
Subject: [PATCH] MDEV-22057 REPLICATION MASTER ADMIN is missing in root account after upgrade
---
 .../main/mysql_upgrade_to_100502.result | 57 +++++++++++++++++
 mysql-test/main/mysql_upgrade_to_100502.test | 62 +++++++++++++++++++
 .../main/system_mysql_db_error_log.result | 2 +-
 sql/sql_acl.cc | 18 ++++++
 4 files changed, 138 insertions(+), 1 deletion(-)
 create mode 100644 mysql-test/main/mysql_upgrade_to_100502.result
 create mode 100644 mysql-test/main/mysql_upgrade_to_100502.test
diff --git a/mysql-test/main/mysql_upgrade_to_100502.result b/mysql-test/main/mysql_upgrade_to_100502.result
new file mode 100644
index 00000000000..0fd5568774d
--- /dev/null
+++ b/mysql-test/main/mysql_upgrade_to_100502.result
@@ -0,0 +1,57 @@
+#
+# MDEV-22057 REPLICATION MASTER ADMIN is missing in root account after upgrade
+#
+DROP VIEW mysql.user_bak;
+FLUSH PRIVILEGES;
+CREATE USER user_all@localhost;
+GRANT ALL PRIVILEGES ON *.* TO user_all@localhost WITH GRANT OPTION;
+SHOW GRANTS FOR user_all@localhost;
+Grants for user_all@localhost
+GRANT ALL PRIVILEGES ON *.* TO `user_all`@`localhost` WITH GRANT OPTION
+CREATE USER user_super@localhost;
+GRANT SUPER ON *.* TO user_super@localhost;
+SHOW GRANTS FOR user_super@localhost;
+Grants for user_super@localhost
+GRANT SUPER, SET USER, FEDERATED ADMIN, CONNECTION ADMIN, READ_ONLY ADMIN, REPLICATION SLAVE ADMIN, BINLOG ADMIN, BINLOG REPLAY ON *.* TO `user_super`@`localhost`
+CREATE USER user_super_replslave@localhost;
+GRANT SUPER, REPLICATION SLAVE ON *.* TO user_super_replslave@localhost;
+SHOW GRANTS FOR user_super_replslave@localhost;
+Grants for user_super_replslave@localhost
+GRANT SUPER, REPLICATION SLAVE, SET USER, FEDERATED ADMIN, CONNECTION ADMIN, READ_ONLY ADMIN, REPLICATION SLAVE ADMIN, REPLICATION MASTER ADMIN, BINLOG ADMIN, BINLOG REPLAY ON *.* TO `user_super_replslave`@`localhost`
+# mysql_upgrade --force --silent 2>&1
+FLUSH PRIVILEGES;
+#
+# Should get ALL PRIVILEGES WITH GRANT OPTION
+#
+SHOW GRANTS FOR user_all@localhost;
+Grants for user_all@localhost
+GRANT ALL PRIVILEGES ON *.* TO `user_all`@`localhost` WITH GRANT OPTION
+#
+# Should automatically get all new 10.5.2 priveleges that were splitted from SUPER
+#
+SHOW GRANTS FOR user_super@localhost;
+Grants for user_super@localhost
+GRANT SUPER, SET USER, FEDERATED ADMIN, CONNECTION ADMIN, READ_ONLY ADMIN, REPLICATION SLAVE ADMIN, BINLOG ADMIN, BINLOG REPLAY ON *.* TO `user_super`@`localhost`
+#
+# Should automatically get all new 10.5.2 priveleges that were splitted from SUPER, plus REPLICATION MASTER ADMIN
+#
+SHOW GRANTS FOR user_super_replslave@localhost;
+Grants for user_super_replslave@localhost
+GRANT SUPER, REPLICATION SLAVE, SET USER, FEDERATED ADMIN, CONNECTION ADMIN, READ_ONLY ADMIN, REPLICATION SLAVE ADMIN, REPLICATION MASTER ADMIN, BINLOG ADMIN, BINLOG REPLAY ON *.* TO `user_super_replslave`@`localhost`
+SELECT
+json_value(Priv, '$.version_id'),
+json_value(Priv, '$.access'),
+user
+FROM
+mysql.global_priv
+WHERE
+host='localhost'
+AND
+user LIKE 'user_%';
+json_value(Priv, '$.version_id') json_value(Priv, '$.access') user
+NULL 1073741823 user_all
+NULL 32768 user_super
+NULL 557056 user_super_replslave
+DROP TABLE mysql.global_priv;
+RENAME TABLE mysql.global_priv_bak TO mysql.global_priv;
+FLUSH PRIVILEGES;
diff --git a/mysql-test/main/mysql_upgrade_to_100502.test b/mysql-test/main/mysql_upgrade_to_100502.test
new file mode 100644
index 00000000000..b03fb14fe08
--- /dev/null
+++ b/mysql-test/main/mysql_upgrade_to_100502.test
@@ -0,0 +1,62 @@
+-- source include/mysql_upgrade_preparation.inc
+-- source include/have_working_dns.inc
+-- source include/have_innodb.inc
+-- source include/have_partition.inc
+let $MYSQLD_DATADIR= `select @@datadir`;
+
+
+--echo #
+--echo # MDEV-22057 REPLICATION MASTER ADMIN is missing in root account after upgrade
+--echo #
+
+--source include/switch_to_mysql_user.inc
+DROP VIEW mysql.user_bak;
+FLUSH PRIVILEGES;
+
+CREATE USER user_all@localhost;
+GRANT ALL PRIVILEGES ON *.* TO user_all@localhost WITH GRANT OPTION;
+SHOW GRANTS FOR user_all@localhost;
+
+CREATE USER user_super@localhost;
+GRANT SUPER ON *.* TO user_super@localhost;
+SHOW GRANTS FOR user_super@localhost;
+
+CREATE USER user_super_replslave@localhost;
+GRANT SUPER, REPLICATION SLAVE ON *.* TO user_super_replslave@localhost;
+SHOW GRANTS FOR user_super_replslave@localhost;
+
+
+--echo # mysql_upgrade --force --silent 2>&1
+--exec $MYSQL_UPGRADE --force --silent 2>&1
+--remove_file $MYSQLD_DATADIR/mysql_upgrade_info
+FLUSH PRIVILEGES;
+
+--echo #
+--echo # Should get ALL PRIVILEGES WITH GRANT OPTION
+--echo #
+SHOW GRANTS FOR user_all@localhost;
+
+--echo #
+--echo # Should automatically get all new 10.5.2 priveleges that were splitted from SUPER
+--echo #
+SHOW GRANTS FOR user_super@localhost;
+
+--echo #
+--echo # Should automatically get all new 10.5.2 priveleges that were splitted from SUPER, plus REPLICATION MASTER ADMIN
+--echo #
+SHOW GRANTS FOR user_super_replslave@localhost;
+
+SELECT
+ json_value(Priv, '$.version_id'),
+ json_value(Priv, '$.access'),
+ user
+FROM
+ mysql.global_priv
+WHERE
+ host='localhost'
+AND
+ user LIKE 'user_%';
+
+DROP TABLE mysql.global_priv;
+RENAME TABLE mysql.global_priv_bak TO mysql.global_priv;
+FLUSH PRIVILEGES;
diff --git a/mysql-test/main/system_mysql_db_error_log.result b/mysql-test/main/system_mysql_db_error_log.result
index 0dcbab572ea..da4297b55b3 100644
--- a/mysql-test/main/system_mysql_db_error_log.result
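Review bot: Every account this test creates holds SUPER, so nothing pins what the upgrade path does for an account that has REPLICATION SLAVE without SUPER; the sql_acl.cc change in this commit adds REPLICATION MASTER ADMIN only when both bits are set. A fourth account, created with `CREATE USER user_replslave@localhost;` and `GRANT REPLICATION SLAVE ON *.* TO user_replslave@localhost;` and checked with `SHOW GRANTS FOR user_replslave@localhost;` before and after `mysql_upgrade`, would record that such an account gains nothing on upgrade and would catch a later change that widens it. Separately, the final `SELECT` on `mysql.global_priv` has no `ORDER BY`, so the three-row expectation in the .result file depends on storage order; adding `ORDER BY user` makes it deterministic.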
+++ b/mysql-test/main/system_mysql_db_error_log.result
@@ -90,7 +90,7 @@ host='localhost' and user='good_version_id_100400';
 FLUSH PRIVILEGES;
 SHOW GRANTS FOR good_version_id_100400@localhost;
 Grants for good_version_id_100400@localhost
-GRANT SELECT, INSERT, UPDATE, DELETE, CREATE, DROP, RELOAD, SHUTDOWN, PROCESS, FILE, REFERENCES, INDEX, ALTER, SHOW DATABASES, SUPER, CREATE TEMPORARY TABLES, LOCK TABLES, EXECUTE, REPLICATION SLAVE, BINLOG MONITOR, CREATE VIEW, SHOW VIEW, CREATE ROUTINE, ALTER ROUTINE, CREATE USER, EVENT, TRIGGER, CREATE TABLESPACE, DELETE HISTORY, SET USER, FEDERATED ADMIN, CONNECTION ADMIN, READ_ONLY ADMIN, REPLICATION SLAVE ADMIN, BINLOG ADMIN, BINLOG REPLAY ON *.* TO `good_version_id_100400`@`localhost` WITH GRANT OPTION
+GRANT ALL PRIVILEGES ON *.* TO `good_version_id_100400`@`localhost` WITH GRANT OPTION
 GRANT REPLICATION MASTER ADMIN ON *.* TO good_version_id_100400@localhost;
 SHOW GRANTS FOR good_version_id_100400@localhost;
 Grants for good_version_id_100400@localhost
diff --git a/sql/sql_acl.cc b/sql/sql_acl.cc
index ecb3aa97339..71d527c6e43 100644
--- a/sql/sql_acl.cc
+++ b/sql/sql_acl.cc
@@ -1525,8 +1525,26 @@ class User_table_json: public User_table
 }
 else // 100501 or earlier
 {
+ /*
+ Address changes in SUPER and REPLICATION SLAVE made in 10.5.2.
+ This also covers a special case: if the user had ALL PRIVILEGES before
+ the upgrade, it gets ALL PRIVILEGES after the upgrade.
+ */
 if (access & SUPER_ACL)
+ {
+ if (access & REPL_SLAVE_ACL)
+ {
+ /*
+ The user could do both before the upgrade:
+ - set global variables (because of SUPER_ACL)
+ - execute "SHOW SLAVE HOSTS" (because of REPL_SLAVE_ACL)
+ Grant all new privileges that were splitted from SUPER (in 10.5.2),
+ and REPLICATION MASTER ADMIN, so it still can do "SHOW SLAVE HOSTS".
+ */
+ access|= REPL_MASTER_ADMIN_ACL;
+ }
 access|= GLOBAL_SUPER_ADDED_SINCE_USER_TABLE_ACLS;
+ }
 }
 if (orig_access & ~mask)
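Review bot: The new comment in the sql/sql_acl.cc hunk does not say what happens to an account that has REPL_SLAVE_ACL without SUPER_ACL: the inner `if (access & REPL_SLAVE_ACL)` sits inside `if (access & SUPER_ACL)`, so such an account never receives REPL_MASTER_ADMIN_ACL, although the comment attributes "SHOW SLAVE HOSTS" to REPL_SLAVE_ACL alone. If that is intentional (presumably so the upgrade does not hand an account rights it never had), the comment should say so, for example `REPL_SLAVE_ACL without SUPER_ACL is intentionally left unchanged.`; if it is not, those accounts appear to lose the statement after upgrade. The comment could also state why the ALL PRIVILEGES case is covered, which seems to be that such an account has both bits set and so takes both branches. The enclosing method starts and ends outside the hunk.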