author | Alexander Barkov <bar@mariadb.com> | 2020-02-28 21:59:01 +0400 |
---|---|---|
committer | Alexander Barkov <bar@mariadb.com> | 2020-03-10 23:49:47 +0400 |
commit | a1e330de5a37f88339f4a5b46231a41eb60f43d2 (patch) | |
tree | a1ce4b2187f728dcf94478562c8ea272608cb911 | |
parent | 91ba789aaf8feffb9ad377c740759b2359c5a094 (diff) | |
download | mariadb-git-a1e330de5a37f88339f4a5b46231a41eb60f43d2.tar.gz |
MDEV-21743 Split up SUPER privilege to smaller privileges
82 files changed, 1510 insertions, 235 deletions
diff --git a/include/my_bit.h b/include/my_bit.h index ccdf5a069e1..ca51c9825b6 100644 --- a/include/my_bit.h +++ b/include/my_bit.h @@ -25,16 +25,50 @@ C_MODE_START extern const uchar _my_bits_reverse_table[256]; + /* - Find smallest X in 2^X >= value - This can be used to divide a number with value by doing a shift instead -*/ + my_bit_log2_xxx() + + In the given value, find the highest bit set, + which is the smallest X that satisfies the condition: (2^X >= value). + Can be used as a reverse operation for (1<<X), to find X. + + Examples: + - returns 0 for (1<<0) + - returns 1 for (1<<1) + - returns 2 for (1<<2) + - returns 2 for 3, which has (1<<2) as the highest bit set. -static inline uint my_bit_log2(ulong value) + Note, the behaviour of log2(0) is not defined. + Let's return 0 for the input 0, for the code simplicity. + See the 000x branch. It covers both (1<<0) and 0. +*/ +static inline CONSTEXPR uint my_bit_log2_hex_digit(uint8 value) { - uint bit; - for (bit=0 ; value > 1 ; value>>=1, bit++) ; - return bit; + return value & 0x0C ? /*1100*/ (value & 0x08 ? /*1000*/ 3 : /*0100*/ 2) : + /*0010*/ (value & 0x02 ? /*0010*/ 1 : /*000x*/ 0); +} +static inline CONSTEXPR uint my_bit_log2_uint8(uint8 value) +{ + return value & 0xF0 ? my_bit_log2_hex_digit(value >> 4) + 4: + my_bit_log2_hex_digit(value); +} +static inline CONSTEXPR uint my_bit_log2_uint16(uint16 value) +{ + return value & 0xFF00 ? my_bit_log2_uint8((uint8) (value >> 8)) + 8 : + my_bit_log2_uint8((uint8) value); +} +static inline CONSTEXPR uint my_bit_log2_uint32(uint32 value) +{ + return value & 0xFFFF0000UL ? + my_bit_log2_uint16((uint16) (value >> 16)) + 16 : + my_bit_log2_uint16((uint16) value); +} +static inline CONSTEXPR uint my_bit_log2_uint64(ulonglong value) +{ + return value & 0xFFFFFFFF00000000ULL ? + my_bit_log2_uint32((uint32) (value >> 32)) + 32 : + my_bit_log2_uint32((uint32) value); } diff --git a/include/my_compiler.h b/include/my_compiler.h index 902ef6992a2..8e37f8bcd19 100644 
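Review bot: The last example in the new `my_bit_log2_xxx()` comment contradicts the code: for 3, `my_bit_log2_hex_digit` takes the `value & 0x02` branch and returns 1, because the highest bit set in 3 is `(1<<1)`, not `(1<<2)`. The stated condition `(2^X >= value)` has the same problem, since these functions return the position of the highest set bit, which is the largest X with `2^X <= value`. I would change the two lines to `which is the largest X that satisfies the condition: (2^X <= value).` and `- returns 1 for 3, which has (1<<1) as the highest bit set.` A one-line comment on `my_bit_log2_hex_digit` that only the low four bits are examined would also help. If these helpers are used elsewhere in the commit to turn a privilege bit into a table index (not visible in this hunk), a caller trusting the comment would be off by one for any input that is not a power of two.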
--- a/include/my_compiler.h +++ b/include/my_compiler.h @@ -28,6 +28,14 @@ Compiler-dependent internal convenience macros. */ +/* C vs C++ */ +#ifdef __cplusplus +#define CONSTEXPR constexpr +#else +#define CONSTEXPR +#endif /* __cplusplus */ + + /* GNU C/C++ */ #if defined __GNUC__ /* Convenience macro to test the minimum required GCC version. */ diff --git a/mysql-test/main/alter_user.result b/mysql-test/main/alter_user.result index cae864fa437..a2ff642c073 100644 --- a/mysql-test/main/alter_user.result +++ b/mysql-test/main/alter_user.result 
@@ -21,26 +21,30 @@ alter user foo; select * from mysql.user where user = 'foo'; Host User Password Select_priv Insert_priv Update_priv Delete_priv Create_priv Drop_priv Reload_priv Shutdown_priv Process_priv File_priv Grant_priv References_priv Index_priv Alter_priv Show_db_priv Super_priv Create_tmp_table_priv Lock_tables_priv Execute_priv Repl_slave_priv Repl_client_priv Create_view_priv Show_view_priv Create_routine_priv Alter_routine_priv Create_user_priv Event_priv Trigger_priv Create_tablespace_priv Delete_history_priv ssl_type ssl_cipher x509_issuer x509_subject max_questions max_updates max_connections max_user_connections plugin authentication_string password_expired is_role default_role max_statement_time % foo N N N N N N N N N N N N N N N N N N N N N N N N N N N N N N 0 0 0 0 mysql_native_password N N 0.000000 -# Test super privilege works correctly with a read only database. +# +# Test READ_ONLY privilege works correctly with a read only database. +# SET @start_read_only = @@global.read_only; SET GLOBAL read_only=1; grant create user on *.* to foo; -# Currently no super privileges. +# Currently no READ_ONLY ADMIN privileges. connect a, localhost, foo; select @@global.read_only; @@global.read_only 1 alter user foo; ERROR HY000: The MariaDB server is running with the --read-only option so it cannot execute this statement -# Grant super privilege to the user. +# Grant READ_ONLY ADMIN privilege to the user. connection default; -grant super on *.* to foo; -# We now have super privilege. We should be able to run alter user. +grant READ_ONLY ADMIN on *.* to foo; +# We now have READ_ONLY ADMIN privilege. We should be able to run alter user. connect b, localhost, foo; alter user foo; connection default; SET GLOBAL read_only = @start_read_only; +# # Test inexistant user. +# alter user boo; ERROR HY000: Operation ALTER USER failed for 'boo' #--warning ER_CANNOT_USER 
@@ -48,19 +52,21 @@ alter if exists user boo; Warnings: Error 1133 Can't find any matching row in the user table Note 1396 Operation ALTER USER failed for 'boo' +# # Test password related altering. +# alter user foo identified by 'something'; select * from mysql.user where user = 'foo'; Host User Password Select_priv Insert_priv Update_priv Delete_priv Create_priv Drop_priv Reload_priv Shutdown_priv Process_priv File_priv Grant_priv References_priv Index_priv Alter_priv Show_db_priv Super_priv Create_tmp_table_priv Lock_tables_priv Execute_priv Repl_slave_priv Repl_client_priv Create_view_priv Show_view_priv Create_routine_priv Alter_routine_priv Create_user_priv Event_priv Trigger_priv Create_tablespace_priv Delete_history_priv ssl_type ssl_cipher x509_issuer x509_subject max_questions max_updates max_connections max_user_connections plugin authentication_string password_expired is_role default_role max_statement_time -% foo *88C89BE093D4ECF72D039F62EBB7477EA1FD4D63 N N N N N N N N N N N N N N N Y N N N N N N N N N Y N N N N 0 0 0 0 mysql_native_password *88C89BE093D4ECF72D039F62EBB7477EA1FD4D63 N N 0.000000 +% foo *88C89BE093D4ECF72D039F62EBB7477EA1FD4D63 N N N N N N N N N N N N N N N N N N N N N N N N N Y N N N N 0 0 0 0 mysql_native_password *88C89BE093D4ECF72D039F62EBB7477EA1FD4D63 N N 0.000000 alter user foo identified by 'something2'; select * from mysql.user where user = 'foo'; Host User Password Select_priv Insert_priv Update_priv Delete_priv Create_priv Drop_priv Reload_priv Shutdown_priv Process_priv File_priv Grant_priv References_priv Index_priv Alter_priv Show_db_priv Super_priv Create_tmp_table_priv Lock_tables_priv Execute_priv Repl_slave_priv Repl_client_priv Create_view_priv Show_view_priv Create_routine_priv Alter_routine_priv Create_user_priv Event_priv Trigger_priv Create_tablespace_priv Delete_history_priv ssl_type ssl_cipher x509_issuer x509_subject max_questions max_updates max_connections max_user_connections plugin authentication_string 
password_expired is_role default_role max_statement_time -% foo *9CD58369E930E28C8996A89DB18B63294E6DC10C N N N N N N N N N N N N N N N Y N N N N N N N N N Y N N N N 0 0 0 0 mysql_native_password *9CD58369E930E28C8996A89DB18B63294E6DC10C N N 0.000000 +% foo *9CD58369E930E28C8996A89DB18B63294E6DC10C N N N N N N N N N N N N N N N N N N N N N N N N N Y N N N N 0 0 0 0 mysql_native_password *9CD58369E930E28C8996A89DB18B63294E6DC10C N N 0.000000 alter user foo identified by password '*88C89BE093D4ECF72D039F62EBB7477EA1FD4D63'; select * from mysql.user where user = 'foo'; Host User Password Select_priv Insert_priv Update_priv Delete_priv Create_priv Drop_priv Reload_priv Shutdown_priv Process_priv File_priv Grant_priv References_priv Index_priv Alter_priv Show_db_priv Super_priv Create_tmp_table_priv Lock_tables_priv Execute_priv Repl_slave_priv Repl_client_priv Create_view_priv Show_view_priv Create_routine_priv Alter_routine_priv Create_user_priv Event_priv Trigger_priv Create_tablespace_priv Delete_history_priv ssl_type ssl_cipher x509_issuer x509_subject max_questions max_updates max_connections max_user_connections plugin authentication_string password_expired is_role default_role max_statement_time -% foo *88C89BE093D4ECF72D039F62EBB7477EA1FD4D63 N N N N N N N N N N N N N N N Y N N N N N N N N N Y N N N N 0 0 0 0 mysql_native_password *88C89BE093D4ECF72D039F62EBB7477EA1FD4D63 N N 0.000000 +% foo *88C89BE093D4ECF72D039F62EBB7477EA1FD4D63 N N N N N N N N N N N N N N N N N N N N N N N N N Y N N N N 0 0 0 0 mysql_native_password *88C89BE093D4ECF72D039F62EBB7477EA1FD4D63 N N 0.000000 alter user foo identified with 'somecoolplugin'; ERROR HY000: Operation ALTER USER failed for 'foo'@'%' show warnings; 
@@ -70,32 +76,36 @@ Error 1396 Operation ALTER USER failed for 'foo'@'%' alter user foo identified with 'mysql_old_password'; select * from mysql.user where user = 'foo'; Host User Password Select_priv Insert_priv Update_priv Delete_priv Create_priv Drop_priv Reload_priv Shutdown_priv Process_priv File_priv Grant_priv References_priv Index_priv Alter_priv Show_db_priv Super_priv Create_tmp_table_priv Lock_tables_priv Execute_priv Repl_slave_priv Repl_client_priv Create_view_priv Show_view_priv Create_routine_priv Alter_routine_priv Create_user_priv Event_priv Trigger_priv Create_tablespace_priv Delete_history_priv ssl_type ssl_cipher x509_issuer x509_subject max_questions max_updates max_connections max_user_connections plugin authentication_string password_expired is_role default_role max_statement_time -% foo N N N N N N N N N N N N N N N Y N N N N N N N N N Y N N N N 0 0 0 0 mysql_old_password N N 0.000000 +% foo N N N N N N N N N N N N N N N N N N N N N N N N N Y N N N N 0 0 0 0 mysql_old_password N N 0.000000 alter user foo identified with 'mysql_old_password' using '0123456789ABCDEF'; select * from mysql.user where user = 'foo'; Host User Password Select_priv Insert_priv Update_priv Delete_priv Create_priv Drop_priv Reload_priv Shutdown_priv Process_priv File_priv Grant_priv References_priv Index_priv Alter_priv Show_db_priv Super_priv Create_tmp_table_priv Lock_tables_priv Execute_priv Repl_slave_priv Repl_client_priv Create_view_priv Show_view_priv Create_routine_priv Alter_routine_priv Create_user_priv Event_priv Trigger_priv Create_tablespace_priv Delete_history_priv ssl_type ssl_cipher x509_issuer x509_subject max_questions max_updates max_connections max_user_connections plugin authentication_string password_expired is_role default_role max_statement_time -% foo 0123456789ABCDEF N N N N N N N N N N N N N N N Y N N N N N N N N N Y N N N N 0 0 0 0 mysql_old_password 0123456789ABCDEF N N 0.000000 +% foo 0123456789ABCDEF N N N N N N N N N N N N N N N N N N 
N N N N N N N Y N N N N 0 0 0 0 mysql_old_password 0123456789ABCDEF N N 0.000000 +# # Test ssl related altering. +# alter user foo identified by 'something' require SSL; select * from mysql.user where user = 'foo'; Host User Password Select_priv Insert_priv Update_priv Delete_priv Create_priv Drop_priv Reload_priv Shutdown_priv Process_priv File_priv Grant_priv References_priv Index_priv Alter_priv Show_db_priv Super_priv Create_tmp_table_priv Lock_tables_priv Execute_priv Repl_slave_priv Repl_client_priv Create_view_priv Show_view_priv Create_routine_priv Alter_routine_priv Create_user_priv Event_priv Trigger_priv Create_tablespace_priv Delete_history_priv ssl_type ssl_cipher x509_issuer x509_subject max_questions max_updates max_connections max_user_connections plugin authentication_string password_expired is_role default_role max_statement_time -% foo *88C89BE093D4ECF72D039F62EBB7477EA1FD4D63 N N N N N N N N N N N N N N N Y N N N N N N N N N Y N N N N ANY 0 0 0 0 mysql_native_password *88C89BE093D4ECF72D039F62EBB7477EA1FD4D63 N N 0.000000 +% foo *88C89BE093D4ECF72D039F62EBB7477EA1FD4D63 N N N N N N N N N N N N N N N N N N N N N N N N N Y N N N N ANY 0 0 0 0 mysql_native_password *88C89BE093D4ECF72D039F62EBB7477EA1FD4D63 N N 0.000000 alter user foo identified by 'something' require X509; select * from mysql.user where user = 'foo'; Host User Password Select_priv Insert_priv Update_priv Delete_priv Create_priv Drop_priv Reload_priv Shutdown_priv Process_priv File_priv Grant_priv References_priv Index_priv Alter_priv Show_db_priv Super_priv Create_tmp_table_priv Lock_tables_priv Execute_priv Repl_slave_priv Repl_client_priv Create_view_priv Show_view_priv Create_routine_priv Alter_routine_priv Create_user_priv Event_priv Trigger_priv Create_tablespace_priv Delete_history_priv ssl_type ssl_cipher x509_issuer x509_subject max_questions max_updates max_connections max_user_connections plugin authentication_string password_expired is_role default_role 
max_statement_time -% foo *88C89BE093D4ECF72D039F62EBB7477EA1FD4D63 N N N N N N N N N N N N N N N Y N N N N N N N N N Y N N N N X509 0 0 0 0 mysql_native_password *88C89BE093D4ECF72D039F62EBB7477EA1FD4D63 N N 0.000000 +% foo *88C89BE093D4ECF72D039F62EBB7477EA1FD4D63 N N N N N N N N N N N N N N N N N N N N N N N N N Y N N N N X509 0 0 0 0 mysql_native_password *88C89BE093D4ECF72D039F62EBB7477EA1FD4D63 N N 0.000000 alter user foo identified by 'something' require cipher 'text' issuer 'foo_issuer' subject 'foo_subject'; select * from mysql.user where user = 'foo'; Host User Password Select_priv Insert_priv Update_priv Delete_priv Create_priv Drop_priv Reload_priv Shutdown_priv Process_priv File_priv Grant_priv References_priv Index_priv Alter_priv Show_db_priv Super_priv Create_tmp_table_priv Lock_tables_priv Execute_priv Repl_slave_priv Repl_client_priv Create_view_priv Show_view_priv Create_routine_priv Alter_routine_priv Create_user_priv Event_priv Trigger_priv Create_tablespace_priv Delete_history_priv ssl_type ssl_cipher x509_issuer x509_subject max_questions max_updates max_connections max_user_connections plugin authentication_string password_expired is_role default_role max_statement_time -% foo *88C89BE093D4ECF72D039F62EBB7477EA1FD4D63 N N N N N N N N N N N N N N N Y N N N N N N N N N Y N N N N SPECIFIED text foo_issuer foo_subject 0 0 0 0 mysql_native_password *88C89BE093D4ECF72D039F62EBB7477EA1FD4D63 N N 0.000000 +% foo *88C89BE093D4ECF72D039F62EBB7477EA1FD4D63 N N N N N N N N N N N N N N N N N N N N N N N N N Y N N N N SPECIFIED text foo_issuer foo_subject 0 0 0 0 mysql_native_password *88C89BE093D4ECF72D039F62EBB7477EA1FD4D63 N N 0.000000 +# # Test resource limits altering. 
+# alter user foo with MAX_QUERIES_PER_HOUR 10 MAX_UPDATES_PER_HOUR 20 MAX_CONNECTIONS_PER_HOUR 30 MAX_USER_CONNECTIONS 40; select * from mysql.user where user = 'foo'; Host User Password Select_priv Insert_priv Update_priv Delete_priv Create_priv Drop_priv Reload_priv Shutdown_priv Process_priv File_priv Grant_priv References_priv Index_priv Alter_priv Show_db_priv Super_priv Create_tmp_table_priv Lock_tables_priv Execute_priv Repl_slave_priv Repl_client_priv Create_view_priv Show_view_priv Create_routine_priv Alter_routine_priv Create_user_priv Event_priv Trigger_priv Create_tablespace_priv Delete_history_priv ssl_type ssl_cipher x509_issuer x509_subject max_questions max_updates max_connections max_user_connections plugin authentication_string password_expired is_role default_role max_statement_time -% foo *88C89BE093D4ECF72D039F62EBB7477EA1FD4D63 N N N N N N N N N N N N N N N Y N N N N N N N N N Y N N N N SPECIFIED text foo_issuer foo_subject 10 20 30 40 mysql_native_password *88C89BE093D4ECF72D039F62EBB7477EA1FD4D63 N N 0.000000 +% foo *88C89BE093D4ECF72D039F62EBB7477EA1FD4D63 N N N N N N N N N N N N N N N N N N N N N N N N N Y N N N N SPECIFIED text foo_issuer foo_subject 10 20 30 40 mysql_native_password *88C89BE093D4ECF72D039F62EBB7477EA1FD4D63 N N 0.000000 drop user foo; update mysql.global_priv set priv=@root_priv where user='root' and host='localhost'; diff --git a/mysql-test/main/alter_user.test b/mysql-test/main/alter_user.test index 9ea98615272..a18076930b6 100644 --- a/mysql-test/main/alter_user.test +++ b/mysql-test/main/alter_user.test 
@@ -16,36 +16,47 @@ select * from mysql.user where user = 'foo'; alter user foo; select * from mysql.user where user = 'foo'; ---echo # Test super privilege works correctly with a read only database. +--echo # +--echo # Test READ_ONLY privilege works correctly with a read only database. +--echo # + SET @start_read_only = @@global.read_only; SET GLOBAL read_only=1; grant create user on *.* to foo; ---echo # Currently no super privileges. +--echo # Currently no READ_ONLY ADMIN privileges. connect (a, localhost, foo); select @@global.read_only; --error ER_OPTION_PREVENTS_STATEMENT alter user foo; ---echo # Grant super privilege to the user. +--echo # Grant READ_ONLY ADMIN privilege to the user. connection default; -grant super on *.* to foo; +grant READ_ONLY ADMIN on *.* to foo; ---echo # We now have super privilege. We should be able to run alter user. +--echo # We now have READ_ONLY ADMIN privilege. We should be able to run alter user. connect (b, localhost, foo); alter user foo; connection default; SET GLOBAL read_only = @start_read_only; + +--echo # --echo # Test inexistant user. +--echo # + --error ER_CANNOT_USER alter user boo; --echo #--warning ER_CANNOT_USER alter if exists user boo; + +--echo # --echo # Test password related altering. +--echo # + alter user foo identified by 'something'; select * from mysql.user where user = 'foo'; @@ -65,7 +76,11 @@ select * from mysql.user where user = 'foo'; alter user foo identified with 'mysql_old_password' using '0123456789ABCDEF'; select * from mysql.user where user = 'foo'; + +--echo # --echo # Test ssl related altering. +--echo # + alter user foo identified by 'something' require SSL; select * from mysql.user where user = 'foo'; 
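Review bot: Replacing `grant super on *.* to foo;` with `grant READ_ONLY ADMIN on *.* to foo;` in the first hunk means this file no longer exercises ALTER USER under `read_only=1` for an account that holds only SUPER, which is the configuration existing deployments have. If SUPER is meant to keep bypassing read_only (grant_read_only.test in this commit checks that for INSERT/UPDATE/DELETE only), a second block that grants SUPER alone should stay here. The new banner says `Test READ_ONLY privilege` while the privilege granted is READ_ONLY ADMIN; `--echo # Test READ_ONLY ADMIN privilege works correctly with a read only database.` would match. A `SHOW GRANTS FOR foo;` after the grant would record the new privilege, since the `mysql.user` rows this test prints have no column for it.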
@@ -76,7 +91,11 @@ alter user foo identified by 'something' require cipher 'text' issuer 'foo_issuer' subject 'foo_subject'; select * from mysql.user where user = 'foo'; + +--echo # --echo # Test resource limits altering. +--echo # + alter user foo with MAX_QUERIES_PER_HOUR 10 MAX_UPDATES_PER_HOUR 20 MAX_CONNECTIONS_PER_HOUR 30 diff --git a/mysql-test/main/events_bugs.result b/mysql-test/main/events_bugs.result index 666361188b9..e3984bcd67a 100644 --- a/mysql-test/main/events_bugs.result +++ b/mysql-test/main/events_bugs.result @@ -405,7 +405,7 @@ SELECT event_name, definer FROM INFORMATION_SCHEMA.EVENTS; event_name definer e1 mysqltest_u1@localhost ALTER DEFINER=root@localhost EVENT e1 ON SCHEDULE EVERY 1 HOUR; -ERROR 42000: Access denied; you need (at least one of) the SUPER privilege(s) for this operation +ERROR 42000: Access denied; you need (at least one of) the SUPER, SET USER privilege(s) for this operation SELECT event_name, definer FROM INFORMATION_SCHEMA.EVENTS; event_name definer e1 mysqltest_u1@localhost @@ -418,7 +418,7 @@ event_name definer e1 mysqltest_u1@localhost DROP EVENT e1; CREATE DEFINER=root@localhost EVENT e1 ON SCHEDULE EVERY 1 DAY DO SELECT 1; -ERROR 42000: Access denied; you need (at least one of) the SUPER privilege(s) for this operation +ERROR 42000: Access denied; you need (at least one of) the SUPER, SET USER privilege(s) for this operation DROP EVENT e1; ERROR HY000: Unknown event 'e1' disconnect conn1; diff --git a/mysql-test/main/grant.result b/mysql-test/main/grant.result index e83083be4ed..8ce99075e6d 100644 --- a/mysql-test/main/grant.result +++ b/mysql-test/main/grant.result 
@@ -621,7 +621,10 @@ Process Server Admin To view the plain text of currently executing queries Proxy Server Admin To make proxy user possible References Databases,Tables To have references on tables Reload Server Admin To reload or refresh tables, logs and privileges -Replication client Server Admin To ask where the slave or master servers are +Binlog admin Server To purge binary logs +Binlog monitor Server To use SHOW BINLOG STATUS and SHOW BINARY LOG +Replication master admin Server To monitor connected slaves +Replication slave admin Server To start/monitor/stop slave and apply binlog events Replication slave Server Admin To read binary log events from the master Select Tables To retrieve rows from table Show databases Server Admin To see all databases with SHOW DATABASES @@ -631,6 +634,10 @@ Super Server Admin To use KILL thread, SET GLOBAL, CHANGE MASTER, etc. Trigger Tables To use triggers Create tablespace Server Admin To create/alter/drop tablespaces Update Tables To update existing rows +Set user Server To create views and stored routines with a different definer +Federated admin Server To execute the CREATE SERVER, ALTER SERVER, DROP SERVER statements +Connection admin Server To bypass connection limits and kill other users' connections +Read_only admin Server To perform write operations even if @@read_only=ON Usage Server Admin No privileges - allow connect only connect root,localhost,root,,test,$MASTER_MYPORT,$MASTER_MYSOCK; connection root; 
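Review bot: The eight rows added to the SHOW PRIVILEGES output in these two hunks report their context as `Server`, while the existing server-level rows around them (Process, Reload, Super, Usage, and the removed `Replication client`) report `Server Admin`. Anything that filters this output on the context column to list administrative privileges would miss the new ones, which are exactly the pieces split out of SUPER. The table that produces these rows lives in server source outside this section, so I cannot tell whether the difference is deliberate; if it is not, the new entries should use `Server Admin`, and if it is, a comment there should say why.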
@@ -1958,7 +1965,7 @@ GRANT USAGE ON *.* TO mysqltest_u1@localhost; SHOW GRANTS FOR mysqltest_u1@localhost; Grants for mysqltest_u1@localhost -GRANT RELOAD, SHUTDOWN, PROCESS, FILE, SHOW DATABASES, REPLICATION SLAVE, REPLICATION CLIENT, CREATE USER ON *.* TO `mysqltest_u1`@`localhost` +GRANT RELOAD, SHUTDOWN, PROCESS, FILE, SHOW DATABASES, REPLICATION SLAVE, BINLOG MONITOR, CREATE USER ON *.* TO `mysqltest_u1`@`localhost` GRANT CREATE TEMPORARY TABLES, LOCK TABLES, EXECUTE, CREATE ROUTINE, ALTER ROUTINE, EVENT ON `mysqltest_db1`.* TO `mysqltest_u1`@`localhost` connect con1,localhost,mysqltest_u1,,mysqltest_db1; connection con1; diff --git a/mysql-test/main/grant_kill.result b/mysql-test/main/grant_kill.result new file mode 100644 index 00000000000..34a4d36b889 --- /dev/null +++ b/mysql-test/main/grant_kill.result 
@@ -0,0 +1,76 @@
+#
+# Start of 10.5 tests
+#
+#
+# MDEV-21743 Split up SUPER privilege to smaller privileges
+#
+#
+# Test that KILL is not allowed without CONNECTION ADMIN or SUPER
+#
+CREATE USER foo@localhost;
+GRANT SELECT ON *.* TO foo@localhost;
+CREATE USER bar@localhost;
+GRANT ALL PRIVILEGES ON *.* TO bar@localhost;
+REVOKE CONNECTION ADMIN, SUPER ON *.* FROM bar@localhost;
+connect foo,localhost,foo,,;
+connect bar,localhost,bar,,;
+connection bar;
+SELECT user FROM information_schema.processlist ORDER BY user;
+user
+bar
+foo
+root
+KILL ID;
+ERROR HY000: You are not owner of thread ID
+disconnect foo;
+disconnect bar;
+connection default;
+DROP USER foo@localhost;
+DROP USER bar@localhost;
+#
+# Test that KILL is allowed with CONNECTION ADMIN
+#
+CREATE USER foo@localhost;
+GRANT SELECT ON *.* TO foo@localhost;
+CREATE USER bar@localhost;
+GRANT PROCESS, CONNECTION ADMIN ON *.* TO bar@localhost;
+connect foo,localhost,foo,,;
+connect bar,localhost,bar,,;
+connection bar;
+SELECT user FROM information_schema.processlist ORDER BY user;
+user
+bar
+foo
+root
+KILL ID;
+connection default;
+disconnect foo;
+disconnect bar;
+connection default;
+DROP USER foo@localhost;
+DROP USER bar@localhost;
+#
+# Test that KILL is allowed with SUPER
+#
+CREATE USER foo@localhost;
+GRANT SELECT ON *.* TO foo@localhost;
+CREATE USER bar@localhost;
+GRANT PROCESS, SUPER ON *.* TO bar@localhost;
+connect foo,localhost,foo,,;
+connect bar,localhost,bar,,;
+connection bar;
+SELECT user FROM information_schema.processlist ORDER BY user;
+user
+bar
+foo
+root
+KILL ID;
+connection default;
+disconnect foo;
+disconnect bar;
+connection default;
+DROP USER foo@localhost;
+DROP USER bar@localhost;
+#
+# End of 10.5 tests
+#
diff --git a/mysql-test/main/grant_kill.test b/mysql-test/main/grant_kill.test
new file mode 100644
index 00000000000..216adb83bb8
--- /dev/null
+++ b/mysql-test/main/grant_kill.test
@@ -0,0 +1,88 @@ +-- source include/not_embedded.inc + +--echo # +--echo # Start of 10.5 tests +--echo # + +--echo # +--echo # MDEV-21743 Split up SUPER privilege to smaller privileges +--echo # + +--echo # +--echo # Test that KILL is not allowed without CONNECTION ADMIN or SUPER +--echo # + +CREATE USER foo@localhost; +GRANT SELECT ON *.* TO foo@localhost; +CREATE USER bar@localhost; +GRANT ALL PRIVILEGES ON *.* TO bar@localhost; +REVOKE CONNECTION ADMIN, SUPER ON *.* FROM bar@localhost; +--connect (foo,localhost,foo,,) +let $id=`(SELECT id FROM INFORMATION_SCHEMA.PROCESSLIST WHERE user='foo')`; +--connect (bar,localhost,bar,,) +--connection bar +SELECT user FROM information_schema.processlist ORDER BY user; +--replace_result $id ID +--error ER_KILL_DENIED_ERROR +--eval KILL $id +--disconnect foo +--disconnect bar +--connection default +DROP USER foo@localhost; +DROP USER bar@localhost; + +--echo # +--echo # Test that KILL is allowed with CONNECTION ADMIN +--echo # + +CREATE USER foo@localhost; +GRANT SELECT ON *.* TO foo@localhost; +CREATE USER bar@localhost; +GRANT PROCESS, CONNECTION ADMIN ON *.* TO bar@localhost; +--connect (foo,localhost,foo,,) +let $id=`(SELECT id FROM INFORMATION_SCHEMA.PROCESSLIST WHERE user='foo')`; +--connect (bar,localhost,bar,,) +--connection bar +SELECT user FROM information_schema.processlist ORDER BY user; +--replace_result $id ID +--eval KILL $id +--connection default +let $wait_condition= + select count(*) = 0 from information_schema.processlist + where user = "foo"; +--source include/wait_condition.inc +--disconnect foo +--disconnect bar +--connection default +DROP USER foo@localhost; +DROP USER bar@localhost; + +--echo # +--echo # Test that KILL is allowed with SUPER +--echo # + +CREATE USER foo@localhost; +GRANT SELECT ON *.* TO foo@localhost; +CREATE USER bar@localhost; +GRANT PROCESS, SUPER ON *.* TO bar@localhost; +--connect (foo,localhost,foo,,) +let $id=`(SELECT id FROM INFORMATION_SCHEMA.PROCESSLIST WHERE user='foo')`; 
+--connect (bar,localhost,bar,,) +--connection bar +SELECT user FROM information_schema.processlist ORDER BY user; +--replace_result $id ID +--eval KILL $id +--connection default +let $wait_condition= + select count(*) = 0 from information_schema.processlist + where user = "foo"; +--source include/wait_condition.inc +--disconnect foo +--disconnect bar +--connection default +DROP USER foo@localhost; +DROP USER bar@localhost; + +--echo # +--echo # End of 10.5 tests +--echo # diff --git a/mysql-test/main/grant_master_admin.result b/mysql-test/main/grant_master_admin.result new file mode 100644 index 00000000000..bd08ade940c --- /dev/null +++ b/mysql-test/main/grant_master_admin.result @@ -0,0 +1,36 @@ +# +# Start of 10.5 tests +# +# +# MDEV-21743 Split up SUPER privilege to smaller privileges +# +# +# Test that master admin statements are not allowed without REPLICATION MASTER ADMIN +# +CREATE USER user1@localhost IDENTIFIED BY ''; +GRANT ALL PRIVILEGES ON *.* TO user1@localhost; +REVOKE REPLICATION MASTER ADMIN ON *.* FROM user1@localhost; +connect con1,localhost,user1,,; +connection con1; +SHOW SLAVE HOSTS; +ERROR 42000: Access denied; you need (at least one of) the REPLICATION MASTER ADMIN privilege(s) for this operation +disconnect con1; +connection default; +DROP USER user1@localhost; +# +# Test that master admin statements are allowed with REPLICATION MASTER ADMIN +# +CREATE USER user1@localhost IDENTIFIED BY ''; +GRANT REPLICATION MASTER ADMIN ON *.* TO user1@localhost; +SHOW GRANTS FOR user1@localhost; +Grants for user1@localhost +GRANT REPLICATION MASTER ADMIN ON *.* TO `user1`@`localhost` +connect con1,localhost,user1,,; +connection con1; +SHOW SLAVE HOSTS; +Server_id Host Port Master_id +connection default; +DROP USER user1@localhost; +# +# End of 10.5 tests +# diff --git a/mysql-test/main/grant_master_admin.test b/mysql-test/main/grant_master_admin.test new file mode 100644 index 00000000000..c98c374f7e9 --- /dev/null 
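Review bot: The first block of grant_kill.test disconnects `foo` and `bar` and goes straight to `DROP USER` without waiting for those sessions to leave the processlist, and the two later blocks wait only for `foo`. Each following block runs `let $id=` with `WHERE user='foo'` and then `SELECT user FROM information_schema.processlist ORDER BY user;` expecting exactly one `bar` and one `foo`, so a slow disconnect from the previous block can add a row and make the test fail intermittently. Repeating the `let $wait_condition=` / `--source include/wait_condition.inc` pair after the disconnects in every block, waiting until no row with `user in ("foo","bar")` remains, would close that window. Both positive cases grant `PROCESS` together with CONNECTION ADMIN or SUPER; a case with CONNECTION ADMIN alone would show whether KILL on another user's thread also depends on PROCESS.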
+++ b/mysql-test/main/grant_master_admin.test @@ -0,0 +1,47 @@ +-- source include/not_embedded.inc + +--echo # +--echo # Start of 10.5 tests +--echo # + +--echo # +--echo # MDEV-21743 Split up SUPER privilege to smaller privileges +--echo # + +--echo # +--echo # Test that master admin statements are not allowed without REPLICATION MASTER ADMIN +--echo # + +CREATE USER user1@localhost IDENTIFIED BY ''; +GRANT ALL PRIVILEGES ON *.* TO user1@localhost; +REVOKE REPLICATION MASTER ADMIN ON *.* FROM user1@localhost; + +connect (con1,localhost,user1,,); +connection con1; +--error ER_SPECIFIC_ACCESS_DENIED_ERROR +SHOW SLAVE HOSTS; +disconnect con1; + +connection default; +DROP USER user1@localhost; + + +--echo # +--echo # Test that master admin statements are allowed with REPLICATION MASTER ADMIN +--echo # + +CREATE USER user1@localhost IDENTIFIED BY ''; +GRANT REPLICATION MASTER ADMIN ON *.* TO user1@localhost; +SHOW GRANTS FOR user1@localhost; + +connect (con1,localhost,user1,,); +connection con1; +SHOW SLAVE HOSTS; + +connection default; +DROP USER user1@localhost; + + +--echo # +--echo # End of 10.5 tests +--echo # diff --git a/mysql-test/main/grant_read_only.result b/mysql-test/main/grant_read_only.result new file mode 100644 index 00000000000..185325f03a6 --- /dev/null +++ b/mysql-test/main/grant_read_only.result 
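Review bot: The second block of grant_master_admin.test never disconnects `con1` before `connection default; DROP USER user1@localhost;`, unlike the first block, so a session for the dropped account stays open until the test ends; add `disconnect con1;` after the second `SHOW SLAVE HOSTS;`. The first block grants ALL PRIVILEGES and revokes only REPLICATION MASTER ADMIN, so, assuming ALL PRIVILEGES still includes SUPER, it shows that SUPER alone no longer allows `SHOW SLAVE HOSTS`. That differs from grant_kill.test and grant_read_only.test, where SUPER keeps working, and nothing in the file says it is intended. A banner such as `--echo # SUPER does not imply REPLICATION MASTER ADMIN` would make the upgrade behaviour explicit for anyone auditing existing grants.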
@@ -0,0 +1,73 @@
+#
+# Start of 10.5 tests
+#
+#
+# Test that @@read_only is not ignored without READ_ONLY ADMIN or SUPER
+#
+CREATE TABLE t1 (a INT);
+CREATE USER user1@localhost IDENTIFIED BY '';
+GRANT ALL PRIVILEGES ON *.* TO user1@localhost;
+REVOKE READ_ONLY ADMIN, SUPER ON *.* FROM user1@localhost;
+SET @@GLOBAL.read_only=1;
+connect con1,localhost,user1,,;
+connection con1;
+UPDATE t1 SET a=11 WHERE a=10;
+ERROR HY000: The MariaDB server is running with the --read-only option so it cannot execute this statement
+DELETE FROM t1 WHERE a=11;
+ERROR HY000: The MariaDB server is running with the --read-only option so it cannot execute this statement
+INSERT INTO t1 VALUES (20);
+ERROR HY000: The MariaDB server is running with the --read-only option so it cannot execute this statement
+disconnect con1;
+connection default;
+SET @@GLOBAL.read_only=0;
+DROP USER user1@localhost;
+DROP TABLE t1;
+#
+# Test that @@read_only is ignored with READ_ONLY ADMIN
+#
+CREATE TABLE t1 (a INT);
+CREATE USER user1@localhost IDENTIFIED BY '';
+GRANT INSERT, UPDATE, DELETE, READ_ONLY ADMIN ON *.* TO user1@localhost;
+SHOW GRANTS FOR user1@localhost;
+Grants for user1@localhost
+GRANT INSERT, UPDATE, DELETE, READ_ONLY ADMIN ON *.* TO `user1`@`localhost`
+SET @@GLOBAL.read_only=1;
+connect con1,localhost,user1,,;
+connection con1;
+SELECT @@read_only;
+@@read_only
+1
+UPDATE t1 SET a=11 WHERE a=10;
+DELETE FROM t1 WHERE a=11;
+INSERT INTO t1 VALUES (20);
+disconnect con1;
+connection default;
+SET @@GLOBAL.read_only=0;
+DROP USER user1@localhost;
+DROP TABLE t1;
+#
+# Test that @@read_only is ignored with SUPER
+#
+CREATE TABLE t1 (a INT);
+CREATE USER user1@localhost IDENTIFIED BY '';
+GRANT INSERT, UPDATE, DELETE, SUPER ON *.* TO user1@localhost;
+SHOW GRANTS FOR user1@localhost;
+Grants for user1@localhost
+GRANT INSERT, UPDATE, DELETE, SUPER ON *.* TO `user1`@`localhost`
+SET @@GLOBAL.read_only=1;
+connect con1,localhost,user1,,;
+connection con1;
+SELECT @@read_only;
+@@read_only
+1
+UPDATE t1 SET a=11 WHERE a=10;
+DELETE FROM t1 WHERE a=11;
+INSERT INTO t1 VALUES (20);
+disconnect con1;
+connection default;
+SET @@GLOBAL.read_only=0;
+DROP USER user1@localhost;
+DROP TABLE t1;
+#
+# End of 10.5 tests
+#
diff --git a/mysql-test/main/grant_read_only.test b/mysql-test/main/grant_read_only.test
new file mode 100644
index 00000000000..25ffa3767ba
--- /dev/null
+++ b/mysql-test/main/grant_read_only.test
@@ -0,0 +1,83 @@
+-- source include/not_embedded.inc
+
+--echo #
+--echo # Start of 10.5 tests
+--echo #
+
+--echo #
+--echo # Test that @@read_only is not ignored without READ_ONLY ADMIN or SUPER
+--echo #
+
+CREATE TABLE t1 (a INT);
+CREATE USER user1@localhost IDENTIFIED BY '';
+GRANT ALL PRIVILEGES ON *.* TO user1@localhost;
+REVOKE READ_ONLY ADMIN, SUPER ON *.* FROM user1@localhost;
+SET @@GLOBAL.read_only=1;
+
+connect (con1,localhost,user1,,);
+connection con1;
+--error ER_OPTION_PREVENTS_STATEMENT
+UPDATE t1 SET a=11 WHERE a=10;
+--error ER_OPTION_PREVENTS_STATEMENT
+DELETE FROM t1 WHERE a=11;
+--error ER_OPTION_PREVENTS_STATEMENT
+INSERT INTO t1 VALUES (20);
+disconnect con1;
+
+connection default;
+SET @@GLOBAL.read_only=0;
+DROP USER user1@localhost;
+DROP TABLE t1;
+
+--echo #
+--echo # Test that @@read_only is ignored with READ_ONLY ADMIN
+--echo #
+
+CREATE TABLE t1 (a INT);
+CREATE USER user1@localhost IDENTIFIED BY '';
+## TODO: it works even without INSERT/UPDATE/DELETE: file a bug report!
+GRANT INSERT, UPDATE, DELETE, READ_ONLY ADMIN ON *.* TO user1@localhost;
+SHOW GRANTS FOR user1@localhost;
+SET @@GLOBAL.read_only=1;
+
+connect (con1,localhost,user1,,);
+connection con1;
+SELECT @@read_only;
+UPDATE t1 SET a=11 WHERE a=10;
+DELETE FROM t1 WHERE a=11;
+INSERT INTO t1 VALUES (20);
+disconnect con1;
+
+connection default;
+SET @@GLOBAL.read_only=0;
+DROP USER user1@localhost;
+DROP TABLE t1;
+
+
+--echo #
+--echo # Test that @@read_only is ignored with SUPER
+--echo #
+
+CREATE TABLE t1 (a INT);
+CREATE USER user1@localhost IDENTIFIED BY '';
+## TODO: it works even without INSERT/UPDATE/DELETE: file a bug report!
+GRANT INSERT, UPDATE, DELETE, SUPER ON *.* TO user1@localhost;
+SHOW GRANTS FOR user1@localhost;
+SET @@GLOBAL.read_only=1;
+
+connect (con1,localhost,user1,,);
+connection con1;
+SELECT @@read_only;
+UPDATE t1 SET a=11 WHERE a=10;
+DELETE FROM t1 WHERE a=11;
+INSERT INTO t1 VALUES (20);
+disconnect con1;
+
+connection default;
+SET @@GLOBAL.read_only=0;
+DROP USER user1@localhost;
+DROP TABLE t1;
+
+--echo #
+--echo # End of 10.5 tests
+--echo #
diff --git a/mysql-test/main/grant_server.result b/mysql-test/main/grant_server.result
new file mode 100644
index 00000000000..37b5f67ba4b
--- /dev/null
+++ b/mysql-test/main/grant_server.result
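Review bot: The two `## TODO: it works even without INSERT/UPDATE/DELETE: file a bug report!` comments, placed above the READ_ONLY ADMIN and SUPER grants, record a suspected missing table-privilege check but leave it untested and untracked. A case that grants only `READ_ONLY ADMIN` and expects the DML to be refused, for example `--error ER_TABLEACCESS_DENIED_ERROR` before `INSERT INTO t1 VALUES (20);`, would pin the intended behaviour. If the statements succeed only because of default grants on the test schema (an assumption, nothing in this hunk shows it), the comment should say so and name the report. As written, the positive cases show that read_only is bypassed but not that the bypass stays bounded by the user's own DML privileges.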
@@ -0,0 +1,61 @@
+#
+# Start of 10.5 tests
+#
+#
+# Test that SERVER DDL statements are not allowed without FEDERATED ADMIN or SUPER
+#
+CREATE USER user1@localhost IDENTIFIED BY '';
+GRANT ALL PRIVILEGES ON *.* TO user1@localhost;
+REVOKE FEDERATED ADMIN, SUPER ON *.* FROM user1@localhost;
+connect con1,localhost,user1,,;
+connection con1;
+CREATE SERVER IF NOT EXISTS server_1
+FOREIGN DATA WRAPPER mysql
+OPTIONS (USER 'mysqltest_1', HOST 'localhost', DATABASE 'test2');
+ERROR 42000: Access denied; you need (at least one of) the SUPER, FEDERATED ADMIN privilege(s) for this operation
+ALTER SERVER server_1 OPTIONS(HOST 'Server.Example.Org');
+ERROR 42000: Access denied; you need (at least one of) the SUPER, FEDERATED ADMIN privilege(s) for this operation
+DROP SERVER server_1;
+ERROR 42000: Access denied; you need (at least one of) the SUPER, FEDERATED ADMIN privilege(s) for this operation
+disconnect con1;
+connection default;
+DROP USER user1@localhost;
+#
+# Test that SERVER DDL statements are allowed with FEDERATED ADMIN
+#
+CREATE USER user1@localhost IDENTIFIED BY '';
+GRANT FEDERATED ADMIN ON *.* TO user1@localhost;
+SHOW GRANTS FOR user1@localhost;
+Grants for user1@localhost
+GRANT FEDERATED ADMIN ON *.* TO `user1`@`localhost`
+connect con1,localhost,user1,,;
+connection con1;
+CREATE SERVER IF NOT EXISTS server_1
+FOREIGN DATA WRAPPER mysql
+OPTIONS (USER 'mysqltest_1', HOST 'localhost', DATABASE 'test2');
+ALTER SERVER server_1 OPTIONS(HOST 'Server.Example.Org');
+DROP SERVER server_1;
+disconnect con1;
+connection default;
+DROP USER user1@localhost;
+#
+# Test that SERVER DDL statements are allowed with SUPER
+#
+CREATE USER user1@localhost IDENTIFIED BY '';
+GRANT SUPER ON *.* TO user1@localhost;
+SHOW GRANTS FOR user1@localhost;
+Grants for user1@localhost
+GRANT SUPER ON *.* TO `user1`@`localhost`
+connect con1,localhost,user1,,;
+connection con1;
+CREATE SERVER IF NOT EXISTS server_1
+FOREIGN DATA WRAPPER mysql
+OPTIONS (USER 'mysqltest_1', HOST 'localhost', DATABASE 'test2');
+ALTER SERVER server_1 OPTIONS(HOST 'Server.Example.Org');
+DROP SERVER server_1;
+disconnect con1;
+connection default;
+DROP USER user1@localhost;
+#
+# End of 10.5 tests
+#
diff --git a/mysql-test/main/grant_server.test b/mysql-test/main/grant_server.test
new file mode 100644
index 00000000000..58c6b4e9ab6
--- /dev/null
+++ b/mysql-test/main/grant_server.test
@@ -0,0 +1,75 @@
+-- source include/not_embedded.inc
+
+--echo #
+--echo # Start of 10.5 tests
+--echo #
+
+--echo #
+--echo # Test that SERVER DDL statements are not allowed without FEDERATED ADMIN or SUPER
+--echo #
+
+CREATE USER user1@localhost IDENTIFIED BY '';
+GRANT ALL PRIVILEGES ON *.* TO user1@localhost;
+REVOKE FEDERATED ADMIN, SUPER ON *.* FROM user1@localhost;
+
+connect (con1,localhost,user1,,);
+connection con1;
+--error ER_SPECIFIC_ACCESS_DENIED_ERROR
+CREATE SERVER IF NOT EXISTS server_1
+ FOREIGN DATA WRAPPER mysql
+ OPTIONS (USER 'mysqltest_1', HOST 'localhost', DATABASE 'test2');
+--error ER_SPECIFIC_ACCESS_DENIED_ERROR
+ALTER SERVER server_1 OPTIONS(HOST 'Server.Example.Org');
+--error ER_SPECIFIC_ACCESS_DENIED_ERROR
+DROP SERVER server_1;
+disconnect con1;
+
+connection default;
+DROP USER user1@localhost;
+
+
+--echo #
+--echo # Test that SERVER DDL statements are allowed with FEDERATED ADMIN
+--echo #
+
+CREATE USER user1@localhost IDENTIFIED BY '';
+GRANT FEDERATED ADMIN ON *.* TO user1@localhost;
+SHOW GRANTS FOR user1@localhost;
+
+connect (con1,localhost,user1,,);
+connection con1;
+CREATE SERVER IF NOT EXISTS server_1
+ FOREIGN DATA WRAPPER mysql
+ OPTIONS (USER 'mysqltest_1', HOST 'localhost', DATABASE 'test2');
+ALTER SERVER server_1 OPTIONS(HOST 'Server.Example.Org');
+DROP SERVER server_1;
+disconnect con1;
+
+connection default;
+DROP USER user1@localhost;
+
+
+--echo #
+--echo # Test that SERVER DDL statements are allowed with SUPER
+--echo #
+
+CREATE USER user1@localhost IDENTIFIED BY '';
+GRANT SUPER ON *.* TO user1@localhost;
+SHOW GRANTS FOR user1@localhost;
+
+connect (con1,localhost,user1,,);
+connection con1;
+CREATE SERVER IF NOT EXISTS server_1
+ FOREIGN DATA WRAPPER mysql
+ OPTIONS (USER 'mysqltest_1', HOST 'localhost', DATABASE 'test2');
+ALTER SERVER server_1 OPTIONS(HOST 'Server.Example.Org');
+DROP SERVER server_1;
+disconnect con1;
+
+connection default;
+DROP USER user1@localhost;
+
+
+--echo #
+--echo # End of 10.5 tests
+--echo #
diff --git a/mysql-test/main/grant_slave_admin.result b/mysql-test/main/grant_slave_admin.result
new file mode 100644
index 00000000000..6f067f6421d
--- /dev/null
+++ b/mysql-test/main/grant_slave_admin.result
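Review bot: In the first case, `ALTER SERVER server_1` and `DROP SERVER server_1` run against a server that was never created, because the preceding `CREATE SERVER` is itself expected to fail with ER_SPECIFIC_ACCESS_DENIED_ERROR. The denial is therefore only demonstrated for a missing object. Creating `server_1` from the default connection before `connect (con1,localhost,user1,,);` and removing it with `DROP SERVER server_1;` after `disconnect con1;` would show that a user without FEDERATED ADMIN or SUPER cannot alter or drop an existing server definition.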
@@ -0,0 +1,96 @@
+#
+# Start of 10.5 tests
+#
+#
+# MDEV-21743 Split up SUPER privilege to smaller privileges
+#
+#
+# Test that slave admin statements are not allowed without REPLICATION SLAVE ADMIN or SUPER
+#
+CREATE USER user1@localhost IDENTIFIED BY '';
+GRANT ALL PRIVILEGES ON *.* TO user1@localhost;
+REVOKE REPLICATION SLAVE ADMIN, SUPER ON *.* FROM user1@localhost;
+connect con1,localhost,user1,,;
+connection con1;
+START SLAVE;
+ERROR 42000: Access denied; you need (at least one of) the SUPER, REPLICATION SLAVE ADMIN privilege(s) for this operation
+CHANGE MASTER TO MASTER_HOST='127.0.0.1';
+ERROR 42000: Access denied; you need (at least one of) the SUPER, REPLICATION SLAVE ADMIN privilege(s) for this operation
+STOP SLAVE;
+ERROR 42000: Access denied; you need (at least one of) the SUPER, REPLICATION SLAVE ADMIN privilege(s) for this operation
+SHOW SLAVE STATUS;
+ERROR 42000: Access denied; you need (at least one of) the SUPER, REPLICATION SLAVE ADMIN privilege(s) for this operation
+BINLOG '';
+ERROR 42000: Access denied; you need (at least one of) the SUPER, REPLICATION SLAVE ADMIN privilege(s) for this operation
+disconnect con1;
+connection default;
+DROP USER user1@localhost;
+#
+# Test that slave admin statements are allowed with REPLICATION SLAVE ADMIN
+#
+CREATE USER user1@localhost IDENTIFIED BY '';
+GRANT REPLICATION SLAVE ADMIN ON *.* TO user1@localhost;
+SHOW GRANTS FOR user1@localhost;
+Grants for user1@localhost
+GRANT REPLICATION SLAVE ADMIN ON *.* TO `user1`@`localhost`
+connect con1,localhost,user1,,;
+connection con1;
+START SLAVE;
+ERROR HY000: Misconfigured slave: MASTER_HOST was not set; Fix in config file or with CHANGE MASTER TO
+CHANGE MASTER TO MASTER_USER='root';
+STOP SLAVE;
+Warnings:
+Note 1255 Slave already has been stopped
+SHOW SLAVE STATUS;
+BINLOG '';
+disconnect con1;
+connection default;
+DROP USER user1@localhost;
+#
+# Test that slave admin statements are allowed with SUPER
+#
+CREATE USER user1@localhost IDENTIFIED BY '';
+GRANT SUPER ON *.* TO user1@localhost;
+SHOW GRANTS FOR user1@localhost;
+Grants for user1@localhost
+GRANT SUPER ON *.* TO `user1`@`localhost`
+connect con1,localhost,user1,,;
+connection con1;
+START SLAVE;
+ERROR HY000: Misconfigured slave: MASTER_HOST was not set; Fix in config file or with CHANGE MASTER TO
+CHANGE MASTER TO MASTER_USER='root';
+STOP SLAVE;
+Warnings:
+Note 1255 Slave already has been stopped
+SHOW SLAVE STATUS;
+BINLOG '';
+disconnect con1;
+connection default;
+DROP USER user1@localhost;
+#
+# Test that SHOW RELAYLOG EVENTS is not allowed without REPLICATION SLAVE ADMIN
+#
+CREATE USER user1@localhost IDENTIFIED BY '';
+GRANT ALL PRIVILEGES ON *.* TO user1@localhost;
+REVOKE REPLICATION SLAVE ADMIN ON *.* FROM user1@localhost;
+connect con1,localhost,user1,,;
+connection con1;
+SHOW RELAYLOG EVENTS;
+ERROR 42000: Access denied; you need (at least one of) the REPLICATION SLAVE ADMIN privilege(s) for this operation
+disconnect con1;
+connection default;
+DROP USER user1@localhost;
+#
+# Test that SHOW RELAYLOG EVENTS is allowed with REPLICATION SLAVE ADMIN
+#
+CREATE USER user1@localhost IDENTIFIED BY '';
+GRANT REPLICATION SLAVE ADMIN ON *.* TO user1@localhost;
+connect con1,localhost,user1,,;
+connection con1;
+SHOW RELAYLOG EVENTS;
+disconnect con1;
+connection default;
+DROP USER user1@localhost;
+#
+# End of 10.5 tests
+#
diff --git a/mysql-test/main/grant_slave_admin.test b/mysql-test/main/grant_slave_admin.test
new file mode 100644
index 00000000000..9bb561f51d1
--- /dev/null
+++ b/mysql-test/main/grant_slave_admin.test
@@ -0,0 +1,129 @@
+-- source include/not_embedded.inc
+
+--echo #
+--echo # Start of 10.5 tests
+--echo #
+
+--echo #
+--echo # MDEV-21743 Split up SUPER privilege to smaller privileges
+--echo #
+
+--echo #
+--echo # Test that slave admin statements are not allowed without REPLICATION SLAVE ADMIN or SUPER
+--echo #
+
+CREATE USER user1@localhost IDENTIFIED BY '';
+GRANT ALL PRIVILEGES ON *.* TO user1@localhost;
+REVOKE REPLICATION SLAVE ADMIN, SUPER ON *.* FROM user1@localhost;
+
+connect (con1,localhost,user1,,);
+connection con1;
+--error ER_SPECIFIC_ACCESS_DENIED_ERROR
+START SLAVE;
+--error ER_SPECIFIC_ACCESS_DENIED_ERROR
+CHANGE MASTER TO MASTER_HOST='127.0.0.1';
+--error ER_SPECIFIC_ACCESS_DENIED_ERROR
+STOP SLAVE;
+--error ER_SPECIFIC_ACCESS_DENIED_ERROR
+SHOW SLAVE STATUS;
+--error ER_SPECIFIC_ACCESS_DENIED_ERROR
+BINLOG '';
+disconnect con1;
+
+connection default;
+DROP USER user1@localhost;
+
+
+--echo #
+--echo # Test that slave admin statements are allowed with REPLICATION SLAVE ADMIN
+--echo #
+
+CREATE USER user1@localhost IDENTIFIED BY '';
+GRANT REPLICATION SLAVE ADMIN ON *.* TO user1@localhost;
+SHOW GRANTS FOR user1@localhost;
+
+connect (con1,localhost,user1,,);
+connection con1;
+--error ER_BAD_SLAVE
+START SLAVE;
+CHANGE MASTER TO MASTER_USER='root';
+STOP SLAVE;
+--disable_result_log
+SHOW SLAVE STATUS;
+# The below fails with a syntax error.
+# This is fine. It's only important that it does not fail on "access denied".
+--error ER_SYNTAX_ERROR
+BINLOG '';
+--enable_result_log
+disconnect con1;
+
+connection default;
+DROP USER user1@localhost;
+
+
+--echo #
+--echo # Test that slave admin statements are allowed with SUPER
+--echo #
+
+CREATE USER user1@localhost IDENTIFIED BY '';
+GRANT SUPER ON *.* TO user1@localhost;
+SHOW GRANTS FOR user1@localhost;
+
+connect (con1,localhost,user1,,);
+connection con1;
+--error ER_BAD_SLAVE
+START SLAVE;
+CHANGE MASTER TO MASTER_USER='root';
+STOP SLAVE;
+--disable_result_log
+SHOW SLAVE STATUS;
+# The below fails with a syntax error.
+# This is fine. It's only important that it does not fail on "access denied".
+--error ER_SYNTAX_ERROR
+BINLOG '';
+--enable_result_log
+disconnect con1;
+
+connection default;
+DROP USER user1@localhost;
+
+
+
+--echo #
+--echo # Test that SHOW RELAYLOG EVENTS is not allowed without REPLICATION SLAVE ADMIN
+--echo #
+
+CREATE USER user1@localhost IDENTIFIED BY '';
+GRANT ALL PRIVILEGES ON *.* TO user1@localhost;
+REVOKE REPLICATION SLAVE ADMIN ON *.* FROM user1@localhost;
+connect (con1,localhost,user1,,);
+connection con1;
+--disable_ps_protocol
+--error ER_SPECIFIC_ACCESS_DENIED_ERROR
+SHOW RELAYLOG EVENTS;
+--enable_ps_protocol
+disconnect con1;
+connection default;
+DROP USER user1@localhost;
+
+--echo #
+--echo # Test that SHOW RELAYLOG EVENTS is allowed with REPLICATION SLAVE ADMIN
+--echo #
+
+CREATE USER user1@localhost IDENTIFIED BY '';
+GRANT REPLICATION SLAVE ADMIN ON *.* TO user1@localhost;
+connect (con1,localhost,user1,,);
+connection con1;
+--disable_ps_protocol
+--disable_result_log
+SHOW RELAYLOG EVENTS;
+--enable_result_log
+--enable_ps_protocol
+disconnect con1;
+connection default;
+DROP USER user1@localhost;
+
+
+--echo #
+--echo # End of 10.5 tests
+--echo #
diff --git a/mysql-test/main/information_schema_db.result b/mysql-test/main/information_schema_db.result
index bf665da4542..b8a18179e75 100644
--- a/mysql-test/main/information_schema_db.result
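Review bot: The `SHOW RELAYLOG EVENTS` negative case near the end revokes only `REPLICATION SLAVE ADMIN` from `ALL PRIVILEGES`, so user1 still holds SUPER and is still denied, yet nothing in the test says this is deliberate. Since every other case in this file accepts SUPER as an alternative, a comment such as `# SUPER is kept on purpose: SHOW RELAYLOG EVENTS needs REPLICATION SLAVE ADMIN itself` would stop a later edit from "correcting" the revoke list; the `SHOW BINLOG EVENTS` case in binlog_grant.test follows the same pattern with BINLOG MONITOR. Separately, the two positive cases run `CHANGE MASTER TO MASTER_USER='root';` and never undo it, so a `RESET SLAVE ALL;` on the default connection before `DROP USER user1@localhost;` looks needed to keep replication settings from leaking into later tests.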
+++ b/mysql-test/main/information_schema_db.result @@ -101,7 +101,7 @@ grant insert on v1 to testdb_2@localhost; create view v5 as select f1 from t1; grant select, show view on v5 to testdb_2@localhost; create definer=`no_such_user`@`no_such_host` view v6 as select f1 from t1; -ERROR 42000: Access denied; you need (at least one of) the SUPER privilege(s) for this operation +ERROR 42000: Access denied; you need (at least one of) the SUPER, SET USER privilege(s) for this operation connection default; use testdb_1; create view v6 as select f1 from t1; diff --git a/mysql-test/main/sp-security.result b/mysql-test/main/sp-security.result index 5050955c806..7d2098f62be 100644 --- a/mysql-test/main/sp-security.result +++ b/mysql-test/main/sp-security.result @@ -417,7 +417,7 @@ CREATE DATABASE mysqltest; CREATE USER mysqltest_1@localhost; GRANT ALL PRIVILEGES ON mysqltest.* TO mysqltest_1@localhost; CREATE USER mysqltest_2@localhost; -GRANT SUPER ON *.* TO mysqltest_2@localhost; +GRANT SET USER ON *.* TO mysqltest_2@localhost; GRANT ALL PRIVILEGES ON mysqltest.* TO mysqltest_2@localhost; connect mysqltest_2_con,localhost,mysqltest_2,,mysqltest; connect mysqltest_1_con,localhost,mysqltest_1,,mysqltest; @@ -428,9 +428,9 @@ CREATE FUNCTION wl2897_f1() RETURNS INT RETURN 1; connection mysqltest_1_con; USE mysqltest; CREATE DEFINER=root@localhost PROCEDURE wl2897_p2() SELECT 2; -ERROR 42000: Access denied; you need (at least one of) the SUPER privilege(s) for this operation +ERROR 42000: Access denied; you need (at least one of) the SUPER, SET USER privilege(s) for this operation CREATE DEFINER=root@localhost FUNCTION wl2897_f2() RETURNS INT RETURN 2; -ERROR 42000: Access denied; you need (at least one of) the SUPER privilege(s) for this operation +ERROR 42000: Access denied; you need (at least one of) the SUPER, SET USER privilege(s) for this operation connection mysqltest_2_con; use mysqltest; CREATE DEFINER='a @ b @ c'@localhost PROCEDURE wl2897_p3() SELECT 3; 
diff --git a/mysql-test/main/sp-security.test b/mysql-test/main/sp-security.test index acc05cafa21..c375815b29a 100644 --- a/mysql-test/main/sp-security.test +++ b/mysql-test/main/sp-security.test @@ -594,7 +594,7 @@ CREATE USER mysqltest_1@localhost; GRANT ALL PRIVILEGES ON mysqltest.* TO mysqltest_1@localhost; CREATE USER mysqltest_2@localhost; -GRANT SUPER ON *.* TO mysqltest_2@localhost; +GRANT SET USER ON *.* TO mysqltest_2@localhost; GRANT ALL PRIVILEGES ON mysqltest.* TO mysqltest_2@localhost; --connect (mysqltest_2_con,localhost,mysqltest_2,,mysqltest) diff --git a/mysql-test/main/system_mysql_db_error_log.result b/mysql-test/main/system_mysql_db_error_log.result index dc0a75b6f91..7ae82ba19de 100644 --- a/mysql-test/main/system_mysql_db_error_log.result +++ b/mysql-test/main/system_mysql_db_error_log.result @@ -9,10 +9,13 @@ SET @all_known_privileges_100500= (1 << 30) - 1; SELECT HEX(@all_known_privileges_100500); HEX(@all_known_privileges_100500) 3FFFFFFF -SET @all_known_privileges_current= (1 << 30) - 1; +CREATE USER user1@localhost; +GRANT ALL PRIVILEGES ON *.* TO user1@localhost WITH GRANT OPTION; +SET @all_known_privileges_current=(SELECT CAST(json_value(Priv, '$.access') AS UNSIGNED) FROM mysql.global_priv WHERE host='localhost' and user='user1'); +DROP USER user1@localhost; SELECT HEX(@all_known_privileges_current); HEX(@all_known_privileges_current) -3FFFFFFF +1FFFFFFFFF CREATE USER bad_access1@localhost; UPDATE mysql.global_priv 
@@ -103,7 +106,7 @@ host='localhost' and user='good_version_id_100500'; FLUSH PRIVILEGES; SHOW GRANTS FOR good_version_id_100500@localhost; Grants for good_version_id_100500@localhost -GRANT SUPER ON *.* TO `good_version_id_100500`@`localhost` +GRANT SUPER, SET USER, FEDERATED ADMIN, CONNECTION ADMIN, READ_ONLY ADMIN, REPLICATION SLAVE ADMIN, BINLOG ADMIN ON *.* TO `good_version_id_100500`@`localhost` DROP USER good_version_id_100500@localhost; FOUND 1 /Warning.*'user' entry 'bad_access1@localhost' has a wrong 'access' value.*version_id=/ in system_mysql_db_error_log.err FOUND 1 /Warning.*'user' entry 'bad_version_id_1000000@localhost' has a wrong 'version_id' value 1000000/ in system_mysql_db_error_log.err diff --git a/mysql-test/main/system_mysql_db_error_log.test b/mysql-test/main/system_mysql_db_error_log.test index 6ec75e0d5e2..07e281a5507 100644 --- a/mysql-test/main/system_mysql_db_error_log.test +++ b/mysql-test/main/system_mysql_db_error_log.test @@ -10,9 +10,13 @@ SELECT HEX(@super_acl_100500); SET @all_known_privileges_100500= (1 << 30) - 1; SELECT HEX(@all_known_privileges_100500); -SET @all_known_privileges_current= (1 << 30) - 1; +CREATE USER user1@localhost; +GRANT ALL PRIVILEGES ON *.* TO user1@localhost WITH GRANT OPTION; +SET @all_known_privileges_current=(SELECT CAST(json_value(Priv, '$.access') AS UNSIGNED) FROM mysql.global_priv WHERE host='localhost' and user='user1'); +DROP USER user1@localhost; SELECT HEX(@all_known_privileges_current); + CREATE USER bad_access1@localhost; UPDATE mysql.global_priv diff --git a/mysql-test/main/trigger_notembedded.result b/mysql-test/main/trigger_notembedded.result index 94e651b1340..e276ddd1e48 100644 --- a/mysql-test/main/trigger_notembedded.result +++ b/mysql-test/main/trigger_notembedded.result 
@@ -112,10 +112,10 @@ CREATE DEFINER='mysqltest_inv'@'localhost' TRIGGER trg1 BEFORE INSERT ON t1 FOR EACH ROW SET @new_sum = 0; -ERROR 42000: Access denied; you need (at least one of) the SUPER privilege(s) for this operation +ERROR 42000: Access denied; you need (at least one of) the SUPER, SET USER privilege(s) for this operation connection default; use mysqltest_db1; -GRANT SUPER ON *.* TO mysqltest_dfn@localhost; +GRANT SET USER ON *.* TO mysqltest_dfn@localhost; disconnect wl2818_definer_con; connect wl2818_definer_con,localhost,mysqltest_dfn,,mysqltest_db1; connection wl2818_definer_con; diff --git a/mysql-test/main/trigger_notembedded.test b/mysql-test/main/trigger_notembedded.test index 9f89e66bbfe..313faea982c 100644 --- a/mysql-test/main/trigger_notembedded.test +++ b/mysql-test/main/trigger_notembedded.test @@ -255,7 +255,7 @@ CREATE DEFINER='mysqltest_inv'@'localhost' use mysqltest_db1; -GRANT SUPER ON *.* TO mysqltest_dfn@localhost; +GRANT SET USER ON *.* TO mysqltest_dfn@localhost; --disconnect wl2818_definer_con --connect (wl2818_definer_con,localhost,mysqltest_dfn,,mysqltest_db1) diff --git a/mysql-test/main/view_grant.result b/mysql-test/main/view_grant.result index 8af27de141f..2651bc64f19 100644 --- a/mysql-test/main/view_grant.result +++ b/mysql-test/main/view_grant.result @@ -22,7 +22,7 @@ grant create view,select on test.* to mysqltest_1@localhost; connect user1,localhost,mysqltest_1,,test; connection user1; create definer=root@localhost view v1 as select * from mysqltest.t1; -ERROR 42000: Access denied; you need (at least one of) the SUPER privilege(s) for this operation +ERROR 42000: Access denied; you need (at least one of) the SUPER, SET USER privilege(s) for this operation create view v1 as select * from mysqltest.t1; alter view v1 as select * from mysqltest.t1; ERROR 42000: DROP command denied to user 'mysqltest_1'@'localhost' for table 'v1' 
@@ -833,12 +833,30 @@ connect def,localhost,def_17254,,db17254; connection def; CREATE VIEW v1 AS SELECT * FROM t1; connection root; +GRANT SELECT ON db17254.v1 TO inv_17254@localhost; DROP USER def_17254@localhost; connect inv,localhost,inv_17254,,db17254; connection inv; -for a user +for a user without SET USER SELECT * FROM v1; -ERROR 42000: SELECT command denied to user 'inv_17254'@'localhost' for table 'v1' +ERROR 28000: Access denied for user 'inv_17254'@'localhost' (using password: NO) +disconnect inv; +connection root; +GRANT SET USER ON *.* TO inv_17254@localhost; +connect inv2,localhost,inv_17254,,db17254; +connection inv2; +SHOW GRANTS; +Grants for inv_17254@localhost +GRANT SET USER ON *.* TO `inv_17254`@`localhost` +GRANT SELECT ON `db17254`.`t1` TO `inv_17254`@`localhost` +GRANT SELECT ON `db17254`.`v1` TO `inv_17254`@`localhost` +SELECT CURRENT_USER, SYSTEM_USER(), USER(); +CURRENT_USER SYSTEM_USER() USER() +inv_17254@localhost inv_17254@localhost inv_17254@localhost +for a user with SET USER +SELECT * FROM v1; +ERROR HY000: The user specified as a definer ('def_17254'@'localhost') does not exist +disconnect inv2; connection root; for a superuser SELECT * FROM v1; @@ -846,7 +864,6 @@ ERROR HY000: The user specified as a definer ('def_17254'@'localhost') does not DROP USER inv_17254@localhost; DROP DATABASE db17254; disconnect def; -disconnect inv; DROP DATABASE IF EXISTS mysqltest_db1; DROP DATABASE IF EXISTS mysqltest_db2; DROP USER mysqltest_u1; 
@@ -915,7 +932,7 @@ ERROR 42000: CREATE VIEW command denied to user 'u26813'@'localhost' for table ' ALTER VIEW v2 AS SELECT f2 FROM t1; ERROR 42000: DROP command denied to user 'u26813'@'localhost' for table 'v2' ALTER VIEW v3 AS SELECT f2 FROM t1; -ERROR 42000: Access denied; you need (at least one of) the SUPER privilege(s) for this operation +ERROR 42000: Access denied; you need (at least one of) the SUPER, SET USER privilege(s) for this operation connection root; SHOW CREATE VIEW v3; View Create View character_set_client collation_connection @@ -943,9 +960,9 @@ GRANT SELECT, DROP, CREATE VIEW, SHOW VIEW ON mysqltest_29908.v2 TO u29908_2@loc GRANT SELECT ON mysqltest_29908.t1 TO u29908_2@localhost; connect u2,localhost,u29908_2,,mysqltest_29908; ALTER VIEW v1 AS SELECT f2 FROM t1; -ERROR 42000: Access denied; you need (at least one of) the SUPER privilege(s) for this operation +ERROR 42000: Access denied; you need (at least one of) the SUPER, SET USER privilege(s) for this operation ALTER VIEW v2 AS SELECT f2 FROM t1; -ERROR 42000: Access denied; you need (at least one of) the SUPER privilege(s) for this operation +ERROR 42000: Access denied; you need (at least one of) the SUPER, SET USER privilege(s) for this operation SHOW CREATE VIEW v2; View Create View character_set_client collation_connection v2 CREATE ALGORITHM=UNDEFINED DEFINER=`u29908_1`@`localhost` SQL SECURITY INVOKER VIEW `v2` AS select `t1`.`f1` AS `f1` from `t1` latin1 latin1_swedish_ci diff --git a/mysql-test/main/view_grant.test b/mysql-test/main/view_grant.test index cc17cae58d1..c9bb9569145 100644 --- a/mysql-test/main/view_grant.test +++ b/mysql-test/main/view_grant.test 
@@ -987,13 +987,27 @@ connection def; CREATE VIEW v1 AS SELECT * FROM t1; connection root; +GRANT SELECT ON db17254.v1 TO inv_17254@localhost; DROP USER def_17254@localhost; connect (inv,localhost,inv_17254,,db17254); connection inv; ---echo for a user ---error ER_TABLEACCESS_DENIED_ERROR +--echo for a user without SET USER +--error ER_ACCESS_DENIED_ERROR +SELECT * FROM v1; +disconnect inv; + +connection root; +GRANT SET USER ON *.* TO inv_17254@localhost; + +connect (inv2,localhost,inv_17254,,db17254); +connection inv2; +SHOW GRANTS; +SELECT CURRENT_USER, SYSTEM_USER(), USER(); +--echo for a user with SET USER +--error ER_NO_SUCH_USER SELECT * FROM v1; +disconnect inv2; connection root; --echo for a superuser @@ -1002,7 +1016,6 @@ SELECT * FROM v1; DROP USER inv_17254@localhost; DROP DATABASE db17254; disconnect def; -disconnect inv; # diff --git a/mysql-test/suite/binlog/r/binlog_grant.result b/mysql-test/suite/binlog/r/binlog_grant.result index e077182fe8b..c3de2c0d981 100644 --- a/mysql-test/suite/binlog/r/binlog_grant.result +++ b/mysql-test/suite/binlog/r/binlog_grant.result 
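Review bot: The "for a user without SET USER" case changes its expected error from ER_TABLEACCESS_DENIED_ERROR to ER_ACCESS_DENIED_ERROR in the same hunk that adds `GRANT SELECT ON db17254.v1 TO inv_17254@localhost;`, and no comment explains which of the two changes the new expectation depends on. The recorded result shows a generic access-denied error for this user and ER_NO_SUCH_USER once SET USER is granted, which suggests the missing definer is meant to stay hidden from users without that privilege; this is inferred, so a comment before the first `SELECT * FROM v1;` such as `# SELECT on v1 is granted; without SET USER the dropped definer must not be disclosed` would document the intent. The test case begins before this hunk, so the setup of db17254 and its users is not visible here.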
@@ -38,6 +38,91 @@ connect rpl,localhost,mysqltest_1,,; connection rpl; SHOW MASTER LOGS; SHOW BINARY LOGS; +SHOW BINLOG STATUS; disconnect rpl; connection default; DROP USER 'mysqltest_1'@'localhost'; +# +# Start of 10.5 test +# +# +# MDEV-21743 Split up SUPER privilege to smaller privileges +# +# Test that REPLICATION CLIENT is an alias for BINLOG MONITOR +CREATE USER user1@localhost; +GRANT REPLICATION CLIENT ON *.* TO user1@localhost; +SHOW GRANTS FOR user1@localhost; +Grants for user1@localhost +GRANT BINLOG MONITOR ON *.* TO `user1`@`localhost` +REVOKE REPLICATION CLIENT ON *.* FROM user1@localhost; +SHOW GRANTS FOR user1@localhost; +Grants for user1@localhost +GRANT USAGE ON *.* TO `user1`@`localhost` +DROP USER user1@localhost; +# Test if SHOW BINARY LOGS and SHOW BINGLOG STATUS are not allowed without REPLICATION CLIENT or SUPER +CREATE USER user1@localhost; +GRANT ALL PRIVILEGES ON *.* TO user1@localhost; +REVOKE REPLICATION CLIENT, SUPER ON *.* FROM user1@localhost; +connect user1,localhost,user1,,; +connection user1; +SHOW MASTER LOGS; +ERROR 42000: Access denied; you need (at least one of) the SUPER, BINLOG MONITOR privilege(s) for this operation +SHOW BINARY LOGS; +ERROR 42000: Access denied; you need (at least one of) the SUPER, BINLOG MONITOR privilege(s) for this operation +SHOW BINLOG STATUS; +ERROR 42000: Access denied; you need (at least one of) the SUPER, BINLOG MONITOR privilege(s) for this operation +disconnect user1; +connection default; +DROP USER user1@localhost; +# Test if PURGE BINARY LOGS is not allowed without BINLOG ADMIN or SUPER +CREATE USER user1@localhost; +GRANT ALL PRIVILEGES ON *.* TO user1@localhost; +REVOKE BINLOG ADMIN, SUPER ON *.* FROM user1@localhost; +connect user1,localhost,user1,,; +connection user1; +PURGE BINARY LOGS BEFORE '2001-01-01 00:00:00'; +ERROR 42000: Access denied; you need (at least one of) the SUPER, BINLOG ADMIN privilege(s) for this operation +disconnect user1; +connection default; +DROP USER 
user1@localhost; +# Test if PURGE BINLOG is allowed with BINLOG ADMIN +CREATE USER user1@localhost; +GRANT BINLOG ADMIN ON *.* TO user1@localhost; +connect user1,localhost,user1,,; +connection user1; +PURGE BINARY LOGS BEFORE '2001-01-01 00:00:00'; +disconnect user1; +connection default; +DROP USER user1@localhost; +# Test if PURGE BINLOG is allowed with SUPER +CREATE USER user1@localhost; +GRANT SUPER ON *.* TO user1@localhost; +connect user1,localhost,user1,,; +connection user1; +PURGE BINARY LOGS BEFORE '2001-01-01 00:00:00'; +disconnect user1; +connection default; +DROP USER user1@localhost; +# Test if SHOW BINLOG EVENTS is not allowed without BINLOG MONITOR +CREATE USER user1@localhost; +GRANT ALL PRIVILEGES ON *.* TO user1@localhost; +REVOKE BINLOG MONITOR ON *.* FROM user1@localhost; +connect user1,localhost,user1,,; +connection user1; +SHOW BINLOG EVENTS; +ERROR 42000: Access denied; you need (at least one of) the BINLOG MONITOR privilege(s) for this operation +disconnect user1; +connection default; +DROP USER user1@localhost; +# Test if SHOW BINLOG EVENTS is allowed with BINLOG MONITOR +CREATE USER user1@localhost; +GRANT BINLOG MONITOR ON *.* TO user1@localhost; +connect user1,localhost,user1,,; +connection user1; +SHOW BINLOG EVENTS; +disconnect user1; +connection default; +DROP USER user1@localhost; +# +# End of 10.5 test +# diff --git a/mysql-test/suite/binlog/t/binlog_grant.test b/mysql-test/suite/binlog/t/binlog_grant.test index 8a76b11e707..72a94a5273b 100644 --- a/mysql-test/suite/binlog/t/binlog_grant.test +++ b/mysql-test/suite/binlog/t/binlog_grant.test 
@@ -68,9 +68,110 @@ GRANT REPLICATION CLIENT ON *.* TO 'mysqltest_1'@'localhost'; --disable_result_log SHOW MASTER LOGS; SHOW BINARY LOGS; ---enable_result_log +SHOW BINLOG STATUS; +--enable_result_log # clean up --disconnect rpl connection default; DROP USER 'mysqltest_1'@'localhost'; + + +--echo # +--echo # Start of 10.5 test +--echo # + +--echo # +--echo # MDEV-21743 Split up SUPER privilege to smaller privileges +--echo # + +--echo # Test that REPLICATION CLIENT is an alias for BINLOG MONITOR + +CREATE USER user1@localhost; +GRANT REPLICATION CLIENT ON *.* TO user1@localhost; +SHOW GRANTS FOR user1@localhost; +REVOKE REPLICATION CLIENT ON *.* FROM user1@localhost; +SHOW GRANTS FOR user1@localhost; +DROP USER user1@localhost; + + +--echo # Test if SHOW BINARY LOGS and SHOW BINGLOG STATUS are not allowed without REPLICATION CLIENT or SUPER +CREATE USER user1@localhost; +GRANT ALL PRIVILEGES ON *.* TO user1@localhost; +REVOKE REPLICATION CLIENT, SUPER ON *.* FROM user1@localhost; +--connect(user1,localhost,user1,,) +--connection user1 +--error ER_SPECIFIC_ACCESS_DENIED_ERROR +SHOW MASTER LOGS; +--error ER_SPECIFIC_ACCESS_DENIED_ERROR +SHOW BINARY LOGS; +--error ER_SPECIFIC_ACCESS_DENIED_ERROR +SHOW BINLOG STATUS; +--disconnect user1 +--connection default +DROP USER user1@localhost; + + +--echo # Test if PURGE BINARY LOGS is not allowed without BINLOG ADMIN or SUPER +CREATE USER user1@localhost; +GRANT ALL PRIVILEGES ON *.* TO user1@localhost; +REVOKE BINLOG ADMIN, SUPER ON *.* FROM user1@localhost; +--connect(user1,localhost,user1,,) +--connection user1 +--error ER_SPECIFIC_ACCESS_DENIED_ERROR +PURGE BINARY LOGS BEFORE '2001-01-01 00:00:00'; +--disconnect user1 +--connection default +DROP USER user1@localhost; + + +--echo # Test if PURGE BINLOG is allowed with BINLOG ADMIN +CREATE USER user1@localhost; +GRANT BINLOG ADMIN ON *.* TO user1@localhost; +--connect(user1,localhost,user1,,) +--connection user1 +PURGE BINARY LOGS BEFORE '2001-01-01 00:00:00'; 
+--disconnect user1 +connection default; +DROP USER user1@localhost; + + +--echo # Test if PURGE BINLOG is allowed with SUPER +CREATE USER user1@localhost; +GRANT SUPER ON *.* TO user1@localhost; +--connect(user1,localhost,user1,,) +--connection user1 +PURGE BINARY LOGS BEFORE '2001-01-01 00:00:00'; +--disconnect user1 +connection default; +DROP USER user1@localhost; + + +--echo # Test if SHOW BINLOG EVENTS is not allowed without BINLOG MONITOR +CREATE USER user1@localhost; +GRANT ALL PRIVILEGES ON *.* TO user1@localhost; +REVOKE BINLOG MONITOR ON *.* FROM user1@localhost; +--connect(user1,localhost,user1,,) +--connection user1 +--error ER_SPECIFIC_ACCESS_DENIED_ERROR +SHOW BINLOG EVENTS; +--disconnect user1 +--connection default +DROP USER user1@localhost; + + +--echo # Test if SHOW BINLOG EVENTS is allowed with BINLOG MONITOR +CREATE USER user1@localhost; +GRANT BINLOG MONITOR ON *.* TO user1@localhost; +--connect(user1,localhost,user1,,) +--connection user1 +--disable_result_log +SHOW BINLOG EVENTS; +--enable_result_log +--disconnect user1 +connection default; +DROP USER user1@localhost; + +--echo # +--echo # End of 10.5 test +--echo # diff --git a/mysql-test/suite/funcs_1/r/innodb_trig_03.result b/mysql-test/suite/funcs_1/r/innodb_trig_03.result index 9f9bf1ca4de..3c6d18c0085 100644 --- a/mysql-test/suite/funcs_1/r/innodb_trig_03.result +++ b/mysql-test/suite/funcs_1/r/innodb_trig_03.result 
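Review bot: The section title `--echo # Test if SHOW BINARY LOGS and SHOW BINGLOG STATUS are not allowed without REPLICATION CLIENT or SUPER` misspells the statement name, and the typo is recorded in binlog_grant.result as well. It should read `SHOW BINLOG STATUS`, with the result file re-recorded. The titles of the two positive purge cases say "PURGE BINLOG" while the statement under test is `PURGE BINARY LOGS`, and the new cases mix `--connection default` with `connection default;`; using one form throughout would make the access-control matrix easier to audit.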
@@ -78,7 +78,7 @@ grant ALL on *.* to test_noprivs@localhost; revoke TRIGGER on *.* from test_noprivs@localhost; show grants for test_noprivs@localhost; Grants for test_noprivs@localhost -GRANT SELECT, INSERT, UPDATE, DELETE, CREATE, DROP, RELOAD, SHUTDOWN, PROCESS, FILE, REFERENCES, INDEX, ALTER, SHOW DATABASES, SUPER, CREATE TEMPORARY TABLES, LOCK TABLES, EXECUTE, REPLICATION SLAVE, REPLICATION CLIENT, CREATE VIEW, SHOW VIEW, CREATE ROUTINE, ALTER ROUTINE, CREATE USER, EVENT, CREATE TABLESPACE, DELETE HISTORY ON *.* TO `test_noprivs`@`localhost` IDENTIFIED BY PASSWORD '*C49735D016A099C0CF104EF9183F374A54CA2576' +GRANT SELECT, INSERT, UPDATE, DELETE, CREATE, DROP, RELOAD, SHUTDOWN, PROCESS, FILE, REFERENCES, INDEX, ALTER, SHOW DATABASES, SUPER, CREATE TEMPORARY TABLES, LOCK TABLES, EXECUTE, REPLICATION SLAVE, BINLOG MONITOR, CREATE VIEW, SHOW VIEW, CREATE ROUTINE, ALTER ROUTINE, CREATE USER, EVENT, CREATE TABLESPACE, DELETE HISTORY, SET USER, FEDERATED ADMIN, CONNECTION ADMIN, READ_ONLY ADMIN, REPLICATION SLAVE ADMIN, REPLICATION MASTER ADMIN, BINLOG ADMIN ON *.* TO `test_noprivs`@`localhost` IDENTIFIED BY PASSWORD '*C49735D016A099C0CF104EF9183F374A54CA2576' revoke ALL PRIVILEGES, GRANT OPTION FROM test_yesprivs@localhost; grant TRIGGER on *.* to test_yesprivs@localhost; grant SELECT on priv_db.t1 to test_yesprivs@localhost; 
@@ -168,7 +168,7 @@ grant ALL on *.* to test_noprivs@localhost; revoke UPDATE on *.* from test_noprivs@localhost; show grants for test_noprivs@localhost; Grants for test_noprivs@localhost -GRANT SELECT, INSERT, DELETE, CREATE, DROP, RELOAD, SHUTDOWN, PROCESS, FILE, REFERENCES, INDEX, ALTER, SHOW DATABASES, SUPER, CREATE TEMPORARY TABLES, LOCK TABLES, EXECUTE, REPLICATION SLAVE, REPLICATION CLIENT, CREATE VIEW, SHOW VIEW, CREATE ROUTINE, ALTER ROUTINE, CREATE USER, EVENT, TRIGGER, CREATE TABLESPACE, DELETE HISTORY ON *.* TO `test_noprivs`@`localhost` IDENTIFIED BY PASSWORD '*C49735D016A099C0CF104EF9183F374A54CA2576' +GRANT SELECT, INSERT, DELETE, CREATE, DROP, RELOAD, SHUTDOWN, PROCESS, FILE, REFERENCES, INDEX, ALTER, SHOW DATABASES, SUPER, CREATE TEMPORARY TABLES, LOCK TABLES, EXECUTE, REPLICATION SLAVE, BINLOG MONITOR, CREATE VIEW, SHOW VIEW, CREATE ROUTINE, ALTER ROUTINE, CREATE USER, EVENT, TRIGGER, CREATE TABLESPACE, DELETE HISTORY, SET USER, FEDERATED ADMIN, CONNECTION ADMIN, READ_ONLY ADMIN, REPLICATION SLAVE ADMIN, REPLICATION MASTER ADMIN, BINLOG ADMIN ON *.* TO `test_noprivs`@`localhost` IDENTIFIED BY PASSWORD '*C49735D016A099C0CF104EF9183F374A54CA2576' revoke ALL PRIVILEGES, GRANT OPTION FROM test_yesprivs@localhost; grant TRIGGER, UPDATE on *.* to test_yesprivs@localhost; show grants for test_yesprivs@localhost; 
@@ -183,7 +183,7 @@ test_noprivs@localhost use priv_db; show grants; Grants for test_noprivs@localhost -GRANT SELECT, INSERT, DELETE, CREATE, DROP, RELOAD, SHUTDOWN, PROCESS, FILE, REFERENCES, INDEX, ALTER, SHOW DATABASES, SUPER, CREATE TEMPORARY TABLES, LOCK TABLES, EXECUTE, REPLICATION SLAVE, REPLICATION CLIENT, CREATE VIEW, SHOW VIEW, CREATE ROUTINE, ALTER ROUTINE, CREATE USER, EVENT, TRIGGER, CREATE TABLESPACE, DELETE HISTORY ON *.* TO `test_noprivs`@`localhost` IDENTIFIED BY PASSWORD '*C49735D016A099C0CF104EF9183F374A54CA2576' +GRANT SELECT, INSERT, DELETE, CREATE, DROP, RELOAD, SHUTDOWN, PROCESS, FILE, REFERENCES, INDEX, ALTER, SHOW DATABASES, SUPER, CREATE TEMPORARY TABLES, LOCK TABLES, EXECUTE, REPLICATION SLAVE, BINLOG MONITOR, CREATE VIEW, SHOW VIEW, CREATE ROUTINE, ALTER ROUTINE, CREATE USER, EVENT, TRIGGER, CREATE TABLESPACE, DELETE HISTORY, SET USER, FEDERATED ADMIN, CONNECTION ADMIN, READ_ONLY ADMIN, REPLICATION SLAVE ADMIN, REPLICATION MASTER ADMIN, BINLOG ADMIN ON *.* TO `test_noprivs`@`localhost` IDENTIFIED BY PASSWORD '*C49735D016A099C0CF104EF9183F374A54CA2576' select f1 from t1 order by f1; f1 insert 3.5.3.2-no 
@@ -441,7 +441,7 @@ grant ALL on *.* to test_noprivs@localhost; revoke SELECT on *.* from test_noprivs@localhost; show grants for test_noprivs@localhost; Grants for test_noprivs@localhost -GRANT INSERT, UPDATE, DELETE, CREATE, DROP, RELOAD, SHUTDOWN, PROCESS, FILE, REFERENCES, INDEX, ALTER, SHOW DATABASES, SUPER, CREATE TEMPORARY TABLES, LOCK TABLES, EXECUTE, REPLICATION SLAVE, REPLICATION CLIENT, CREATE VIEW, SHOW VIEW, CREATE ROUTINE, ALTER ROUTINE, CREATE USER, EVENT, TRIGGER, CREATE TABLESPACE, DELETE HISTORY ON *.* TO `test_noprivs`@`localhost` IDENTIFIED BY PASSWORD '*C49735D016A099C0CF104EF9183F374A54CA2576' +GRANT INSERT, UPDATE, DELETE, CREATE, DROP, RELOAD, SHUTDOWN, PROCESS, FILE, REFERENCES, INDEX, ALTER, SHOW DATABASES, SUPER, CREATE TEMPORARY TABLES, LOCK TABLES, EXECUTE, REPLICATION SLAVE, BINLOG MONITOR, CREATE VIEW, SHOW VIEW, CREATE ROUTINE, ALTER ROUTINE, CREATE USER, EVENT, TRIGGER, CREATE TABLESPACE, DELETE HISTORY, SET USER, FEDERATED ADMIN, CONNECTION ADMIN, READ_ONLY ADMIN, REPLICATION SLAVE ADMIN, REPLICATION MASTER ADMIN, BINLOG ADMIN ON *.* TO `test_noprivs`@`localhost` IDENTIFIED BY PASSWORD '*C49735D016A099C0CF104EF9183F374A54CA2576' revoke ALL PRIVILEGES, GRANT OPTION FROM test_yesprivs@localhost; grant TRIGGER, SELECT on *.* to test_yesprivs@localhost; show grants for test_yesprivs@localhost; 
@@ -457,7 +457,7 @@ test_noprivs@localhost use priv_db; show grants; Grants for test_noprivs@localhost -GRANT INSERT, UPDATE, DELETE, CREATE, DROP, RELOAD, SHUTDOWN, PROCESS, FILE, REFERENCES, INDEX, ALTER, SHOW DATABASES, SUPER, CREATE TEMPORARY TABLES, LOCK TABLES, EXECUTE, REPLICATION SLAVE, REPLICATION CLIENT, CREATE VIEW, SHOW VIEW, CREATE ROUTINE, ALTER ROUTINE, CREATE USER, EVENT, TRIGGER, CREATE TABLESPACE, DELETE HISTORY ON *.* TO `test_noprivs`@`localhost` IDENTIFIED BY PASSWORD '*C49735D016A099C0CF104EF9183F374A54CA2576' +GRANT INSERT, UPDATE, DELETE, CREATE, DROP, RELOAD, SHUTDOWN, PROCESS, FILE, REFERENCES, INDEX, ALTER, SHOW DATABASES, SUPER, CREATE TEMPORARY TABLES, LOCK TABLES, EXECUTE, REPLICATION SLAVE, BINLOG MONITOR, CREATE VIEW, SHOW VIEW, CREATE ROUTINE, ALTER ROUTINE, CREATE USER, EVENT, TRIGGER, CREATE TABLESPACE, DELETE HISTORY, SET USER, FEDERATED ADMIN, CONNECTION ADMIN, READ_ONLY ADMIN, REPLICATION SLAVE ADMIN, REPLICATION MASTER ADMIN, BINLOG ADMIN ON *.* TO `test_noprivs`@`localhost` IDENTIFIED BY PASSWORD '*C49735D016A099C0CF104EF9183F374A54CA2576' create trigger trg5a_1 before INSERT on t1 for each row set @test_var = new.f1; connection default; diff --git a/mysql-test/suite/funcs_1/r/innodb_trig_03e.result b/mysql-test/suite/funcs_1/r/innodb_trig_03e.result index c869b5cc5bc..863aa9edb4f 100644 --- a/mysql-test/suite/funcs_1/r/innodb_trig_03e.result +++ b/mysql-test/suite/funcs_1/r/innodb_trig_03e.result 
@@ -603,7 +603,7 @@ trig 1_1-yes revoke TRIGGER on *.* from test_yesprivs@localhost; show grants for test_yesprivs@localhost; Grants for test_yesprivs@localhost -GRANT SELECT, INSERT, UPDATE, DELETE, CREATE, DROP, RELOAD, SHUTDOWN, PROCESS, FILE, REFERENCES, INDEX, ALTER, SHOW DATABASES, SUPER, CREATE TEMPORARY TABLES, LOCK TABLES, EXECUTE, REPLICATION SLAVE, REPLICATION CLIENT, CREATE VIEW, SHOW VIEW, CREATE ROUTINE, ALTER ROUTINE, CREATE USER, EVENT, CREATE TABLESPACE, DELETE HISTORY ON *.* TO `test_yesprivs`@`localhost` IDENTIFIED BY PASSWORD '*C49735D016A099C0CF104EF9183F374A54CA2576' +GRANT SELECT, INSERT, UPDATE, DELETE, CREATE, DROP, RELOAD, SHUTDOWN, PROCESS, FILE, REFERENCES, INDEX, ALTER, SHOW DATABASES, SUPER, CREATE TEMPORARY TABLES, LOCK TABLES, EXECUTE, REPLICATION SLAVE, BINLOG MONITOR, CREATE VIEW, SHOW VIEW, CREATE ROUTINE, ALTER ROUTINE, CREATE USER, EVENT, CREATE TABLESPACE, DELETE HISTORY, SET USER, FEDERATED ADMIN, CONNECTION ADMIN, READ_ONLY ADMIN, REPLICATION SLAVE ADMIN, REPLICATION MASTER ADMIN, BINLOG ADMIN ON *.* TO `test_yesprivs`@`localhost` IDENTIFIED BY PASSWORD '*C49735D016A099C0CF104EF9183F374A54CA2576' disconnect yes_privs; connect yes_privs,localhost,test_yesprivs,PWD,test,$MASTER_MYPORT,$MASTER_MYSOCK; select current_user; 
@@ -656,7 +656,7 @@ root@localhost grant TRIGGER on priv_db.* to test_yesprivs@localhost; show grants for test_yesprivs@localhost; Grants for test_yesprivs@localhost -GRANT SELECT, INSERT, UPDATE, DELETE, CREATE, DROP, RELOAD, SHUTDOWN, PROCESS, FILE, REFERENCES, INDEX, ALTER, SHOW DATABASES, SUPER, CREATE TEMPORARY TABLES, LOCK TABLES, EXECUTE, REPLICATION SLAVE, REPLICATION CLIENT, CREATE VIEW, SHOW VIEW, CREATE ROUTINE, ALTER ROUTINE, CREATE USER, EVENT, CREATE TABLESPACE, DELETE HISTORY ON *.* TO `test_yesprivs`@`localhost` IDENTIFIED BY PASSWORD '*C49735D016A099C0CF104EF9183F374A54CA2576' +GRANT SELECT, INSERT, UPDATE, DELETE, CREATE, DROP, RELOAD, SHUTDOWN, PROCESS, FILE, REFERENCES, INDEX, ALTER, SHOW DATABASES, SUPER, CREATE TEMPORARY TABLES, LOCK TABLES, EXECUTE, REPLICATION SLAVE, BINLOG MONITOR, CREATE VIEW, SHOW VIEW, CREATE ROUTINE, ALTER ROUTINE, CREATE USER, EVENT, CREATE TABLESPACE, DELETE HISTORY, SET USER, FEDERATED ADMIN, CONNECTION ADMIN, READ_ONLY ADMIN, REPLICATION SLAVE ADMIN, REPLICATION MASTER ADMIN, BINLOG ADMIN ON *.* TO `test_yesprivs`@`localhost` IDENTIFIED BY PASSWORD '*C49735D016A099C0CF104EF9183F374A54CA2576' GRANT TRIGGER ON `priv_db`.* TO `test_yesprivs`@`localhost` trigger privilege on db level for create: @@ -1350,7 +1350,7 @@ drop trigger trg1_0; create definer=not_ex_user@localhost trigger trg1_0 before INSERT on t1 for each row set new.f1 = 'trig 1_0-yes'; -ERROR 42000: Access denied; you need (at least one of) the SUPER privilege(s) for this operation +ERROR 42000: Access denied; you need (at least one of) the SUPER, SET USER privilege(s) for this operation create definer=current_user trigger trg1_1 before INSERT on t1 for each row set new.f1 = 'trig 1_1-yes'; 
@@ -1385,7 +1385,7 @@ GRANT SELECT, INSERT, UPDATE, TRIGGER ON `priv_db`.`t1` TO `test_yesprivs`@`loca create definer=not_ex_user@localhost trigger trg1_3 after UPDATE on t1 for each row set @var1 = 'trig 1_3-yes'; -ERROR 42000: Access denied; you need (at least one of) the SUPER privilege(s) for this operation +ERROR 42000: Access denied; you need (at least one of) the SUPER, SET USER privilege(s) for this operation connection default; select current_user; current_user diff --git a/mysql-test/suite/funcs_1/r/memory_trig_03.result b/mysql-test/suite/funcs_1/r/memory_trig_03.result index 75286115d86..e2b96e2aacd 100644 --- a/mysql-test/suite/funcs_1/r/memory_trig_03.result +++ b/mysql-test/suite/funcs_1/r/memory_trig_03.result 
@@ -78,7 +78,7 @@ grant ALL on *.* to test_noprivs@localhost; revoke TRIGGER on *.* from test_noprivs@localhost; show grants for test_noprivs@localhost; Grants for test_noprivs@localhost -GRANT SELECT, INSERT, UPDATE, DELETE, CREATE, DROP, RELOAD, SHUTDOWN, PROCESS, FILE, REFERENCES, INDEX, ALTER, SHOW DATABASES, SUPER, CREATE TEMPORARY TABLES, LOCK TABLES, EXECUTE, REPLICATION SLAVE, REPLICATION CLIENT, CREATE VIEW, SHOW VIEW, CREATE ROUTINE, ALTER ROUTINE, CREATE USER, EVENT, CREATE TABLESPACE, DELETE HISTORY ON *.* TO `test_noprivs`@`localhost` IDENTIFIED BY PASSWORD '*C49735D016A099C0CF104EF9183F374A54CA2576' +GRANT SELECT, INSERT, UPDATE, DELETE, CREATE, DROP, RELOAD, SHUTDOWN, PROCESS, FILE, REFERENCES, INDEX, ALTER, SHOW DATABASES, SUPER, CREATE TEMPORARY TABLES, LOCK TABLES, EXECUTE, REPLICATION SLAVE, BINLOG MONITOR, CREATE VIEW, SHOW VIEW, CREATE ROUTINE, ALTER ROUTINE, CREATE USER, EVENT, CREATE TABLESPACE, DELETE HISTORY, SET USER, FEDERATED ADMIN, CONNECTION ADMIN, READ_ONLY ADMIN, REPLICATION SLAVE ADMIN, REPLICATION MASTER ADMIN, BINLOG ADMIN ON *.* TO `test_noprivs`@`localhost` IDENTIFIED BY PASSWORD '*C49735D016A099C0CF104EF9183F374A54CA2576' revoke ALL PRIVILEGES, GRANT OPTION FROM test_yesprivs@localhost; grant TRIGGER on *.* to test_yesprivs@localhost; grant SELECT on priv_db.t1 to test_yesprivs@localhost; 
@@ -168,7 +168,7 @@ grant ALL on *.* to test_noprivs@localhost; revoke UPDATE on *.* from test_noprivs@localhost; show grants for test_noprivs@localhost; Grants for test_noprivs@localhost -GRANT SELECT, INSERT, DELETE, CREATE, DROP, RELOAD, SHUTDOWN, PROCESS, FILE, REFERENCES, INDEX, ALTER, SHOW DATABASES, SUPER, CREATE TEMPORARY TABLES, LOCK TABLES, EXECUTE, REPLICATION SLAVE, REPLICATION CLIENT, CREATE VIEW, SHOW VIEW, CREATE ROUTINE, ALTER ROUTINE, CREATE USER, EVENT, TRIGGER, CREATE TABLESPACE, DELETE HISTORY ON *.* TO `test_noprivs`@`localhost` IDENTIFIED BY PASSWORD '*C49735D016A099C0CF104EF9183F374A54CA2576' +GRANT SELECT, INSERT, DELETE, CREATE, DROP, RELOAD, SHUTDOWN, PROCESS, FILE, REFERENCES, INDEX, ALTER, SHOW DATABASES, SUPER, CREATE TEMPORARY TABLES, LOCK TABLES, EXECUTE, REPLICATION SLAVE, BINLOG MONITOR, CREATE VIEW, SHOW VIEW, CREATE ROUTINE, ALTER ROUTINE, CREATE USER, EVENT, TRIGGER, CREATE TABLESPACE, DELETE HISTORY, SET USER, FEDERATED ADMIN, CONNECTION ADMIN, READ_ONLY ADMIN, REPLICATION SLAVE ADMIN, REPLICATION MASTER ADMIN, BINLOG ADMIN ON *.* TO `test_noprivs`@`localhost` IDENTIFIED BY PASSWORD '*C49735D016A099C0CF104EF9183F374A54CA2576' revoke ALL PRIVILEGES, GRANT OPTION FROM test_yesprivs@localhost; grant TRIGGER, UPDATE on *.* to test_yesprivs@localhost; show grants for test_yesprivs@localhost; 
@@ -183,7 +183,7 @@ test_noprivs@localhost use priv_db; show grants; Grants for test_noprivs@localhost -GRANT SELECT, INSERT, DELETE, CREATE, DROP, RELOAD, SHUTDOWN, PROCESS, FILE, REFERENCES, INDEX, ALTER, SHOW DATABASES, SUPER, CREATE TEMPORARY TABLES, LOCK TABLES, EXECUTE, REPLICATION SLAVE, REPLICATION CLIENT, CREATE VIEW, SHOW VIEW, CREATE ROUTINE, ALTER ROUTINE, CREATE USER, EVENT, TRIGGER, CREATE TABLESPACE, DELETE HISTORY ON *.* TO `test_noprivs`@`localhost` IDENTIFIED BY PASSWORD '*C49735D016A099C0CF104EF9183F374A54CA2576' +GRANT SELECT, INSERT, DELETE, CREATE, DROP, RELOAD, SHUTDOWN, PROCESS, FILE, REFERENCES, INDEX, ALTER, SHOW DATABASES, SUPER, CREATE TEMPORARY TABLES, LOCK TABLES, EXECUTE, REPLICATION SLAVE, BINLOG MONITOR, CREATE VIEW, SHOW VIEW, CREATE ROUTINE, ALTER ROUTINE, CREATE USER, EVENT, TRIGGER, CREATE TABLESPACE, DELETE HISTORY, SET USER, FEDERATED ADMIN, CONNECTION ADMIN, READ_ONLY ADMIN, REPLICATION SLAVE ADMIN, REPLICATION MASTER ADMIN, BINLOG ADMIN ON *.* TO `test_noprivs`@`localhost` IDENTIFIED BY PASSWORD '*C49735D016A099C0CF104EF9183F374A54CA2576' select f1 from t1 order by f1; f1 insert 3.5.3.2-no 
@@ -441,7 +441,7 @@ grant ALL on *.* to test_noprivs@localhost; revoke SELECT on *.* from test_noprivs@localhost; show grants for test_noprivs@localhost; Grants for test_noprivs@localhost -GRANT INSERT, UPDATE, DELETE, CREATE, DROP, RELOAD, SHUTDOWN, PROCESS, FILE, REFERENCES, INDEX, ALTER, SHOW DATABASES, SUPER, CREATE TEMPORARY TABLES, LOCK TABLES, EXECUTE, REPLICATION SLAVE, REPLICATION CLIENT, CREATE VIEW, SHOW VIEW, CREATE ROUTINE, ALTER ROUTINE, CREATE USER, EVENT, TRIGGER, CREATE TABLESPACE, DELETE HISTORY ON *.* TO `test_noprivs`@`localhost` IDENTIFIED BY PASSWORD '*C49735D016A099C0CF104EF9183F374A54CA2576' +GRANT INSERT, UPDATE, DELETE, CREATE, DROP, RELOAD, SHUTDOWN, PROCESS, FILE, REFERENCES, INDEX, ALTER, SHOW DATABASES, SUPER, CREATE TEMPORARY TABLES, LOCK TABLES, EXECUTE, REPLICATION SLAVE, BINLOG MONITOR, CREATE VIEW, SHOW VIEW, CREATE ROUTINE, ALTER ROUTINE, CREATE USER, EVENT, TRIGGER, CREATE TABLESPACE, DELETE HISTORY, SET USER, FEDERATED ADMIN, CONNECTION ADMIN, READ_ONLY ADMIN, REPLICATION SLAVE ADMIN, REPLICATION MASTER ADMIN, BINLOG ADMIN ON *.* TO `test_noprivs`@`localhost` IDENTIFIED BY PASSWORD '*C49735D016A099C0CF104EF9183F374A54CA2576' revoke ALL PRIVILEGES, GRANT OPTION FROM test_yesprivs@localhost; grant TRIGGER, SELECT on *.* to test_yesprivs@localhost; show grants for test_yesprivs@localhost; 
@@ -457,7 +457,7 @@ test_noprivs@localhost use priv_db; show grants; Grants for test_noprivs@localhost -GRANT INSERT, UPDATE, DELETE, CREATE, DROP, RELOAD, SHUTDOWN, PROCESS, FILE, REFERENCES, INDEX, ALTER, SHOW DATABASES, SUPER, CREATE TEMPORARY TABLES, LOCK TABLES, EXECUTE, REPLICATION SLAVE, REPLICATION CLIENT, CREATE VIEW, SHOW VIEW, CREATE ROUTINE, ALTER ROUTINE, CREATE USER, EVENT, TRIGGER, CREATE TABLESPACE, DELETE HISTORY ON *.* TO `test_noprivs`@`localhost` IDENTIFIED BY PASSWORD '*C49735D016A099C0CF104EF9183F374A54CA2576' +GRANT INSERT, UPDATE, DELETE, CREATE, DROP, RELOAD, SHUTDOWN, PROCESS, FILE, REFERENCES, INDEX, ALTER, SHOW DATABASES, SUPER, CREATE TEMPORARY TABLES, LOCK TABLES, EXECUTE, REPLICATION SLAVE, BINLOG MONITOR, CREATE VIEW, SHOW VIEW, CREATE ROUTINE, ALTER ROUTINE, CREATE USER, EVENT, TRIGGER, CREATE TABLESPACE, DELETE HISTORY, SET USER, FEDERATED ADMIN, CONNECTION ADMIN, READ_ONLY ADMIN, REPLICATION SLAVE ADMIN, REPLICATION MASTER ADMIN, BINLOG ADMIN ON *.* TO `test_noprivs`@`localhost` IDENTIFIED BY PASSWORD '*C49735D016A099C0CF104EF9183F374A54CA2576' create trigger trg5a_1 before INSERT on t1 for each row set @test_var = new.f1; connection default; diff --git a/mysql-test/suite/funcs_1/r/memory_trig_03e.result b/mysql-test/suite/funcs_1/r/memory_trig_03e.result index 72c269cb89a..155244d9299 100644 --- a/mysql-test/suite/funcs_1/r/memory_trig_03e.result +++ b/mysql-test/suite/funcs_1/r/memory_trig_03e.result 
@@ -604,7 +604,7 @@ trig 1_1-yes revoke TRIGGER on *.* from test_yesprivs@localhost; show grants for test_yesprivs@localhost; Grants for test_yesprivs@localhost -GRANT SELECT, INSERT, UPDATE, DELETE, CREATE, DROP, RELOAD, SHUTDOWN, PROCESS, FILE, REFERENCES, INDEX, ALTER, SHOW DATABASES, SUPER, CREATE TEMPORARY TABLES, LOCK TABLES, EXECUTE, REPLICATION SLAVE, REPLICATION CLIENT, CREATE VIEW, SHOW VIEW, CREATE ROUTINE, ALTER ROUTINE, CREATE USER, EVENT, CREATE TABLESPACE, DELETE HISTORY ON *.* TO `test_yesprivs`@`localhost` IDENTIFIED BY PASSWORD '*C49735D016A099C0CF104EF9183F374A54CA2576' +GRANT SELECT, INSERT, UPDATE, DELETE, CREATE, DROP, RELOAD, SHUTDOWN, PROCESS, FILE, REFERENCES, INDEX, ALTER, SHOW DATABASES, SUPER, CREATE TEMPORARY TABLES, LOCK TABLES, EXECUTE, REPLICATION SLAVE, BINLOG MONITOR, CREATE VIEW, SHOW VIEW, CREATE ROUTINE, ALTER ROUTINE, CREATE USER, EVENT, CREATE TABLESPACE, DELETE HISTORY, SET USER, FEDERATED ADMIN, CONNECTION ADMIN, READ_ONLY ADMIN, REPLICATION SLAVE ADMIN, REPLICATION MASTER ADMIN, BINLOG ADMIN ON *.* TO `test_yesprivs`@`localhost` IDENTIFIED BY PASSWORD '*C49735D016A099C0CF104EF9183F374A54CA2576' disconnect yes_privs; connect yes_privs,localhost,test_yesprivs,PWD,test,$MASTER_MYPORT,$MASTER_MYSOCK; select current_user; 
@@ -657,7 +657,7 @@ root@localhost grant TRIGGER on priv_db.* to test_yesprivs@localhost; show grants for test_yesprivs@localhost; Grants for test_yesprivs@localhost -GRANT SELECT, INSERT, UPDATE, DELETE, CREATE, DROP, RELOAD, SHUTDOWN, PROCESS, FILE, REFERENCES, INDEX, ALTER, SHOW DATABASES, SUPER, CREATE TEMPORARY TABLES, LOCK TABLES, EXECUTE, REPLICATION SLAVE, REPLICATION CLIENT, CREATE VIEW, SHOW VIEW, CREATE ROUTINE, ALTER ROUTINE, CREATE USER, EVENT, CREATE TABLESPACE, DELETE HISTORY ON *.* TO `test_yesprivs`@`localhost` IDENTIFIED BY PASSWORD '*C49735D016A099C0CF104EF9183F374A54CA2576' +GRANT SELECT, INSERT, UPDATE, DELETE, CREATE, DROP, RELOAD, SHUTDOWN, PROCESS, FILE, REFERENCES, INDEX, ALTER, SHOW DATABASES, SUPER, CREATE TEMPORARY TABLES, LOCK TABLES, EXECUTE, REPLICATION SLAVE, BINLOG MONITOR, CREATE VIEW, SHOW VIEW, CREATE ROUTINE, ALTER ROUTINE, CREATE USER, EVENT, CREATE TABLESPACE, DELETE HISTORY, SET USER, FEDERATED ADMIN, CONNECTION ADMIN, READ_ONLY ADMIN, REPLICATION SLAVE ADMIN, REPLICATION MASTER ADMIN, BINLOG ADMIN ON *.* TO `test_yesprivs`@`localhost` IDENTIFIED BY PASSWORD '*C49735D016A099C0CF104EF9183F374A54CA2576' GRANT TRIGGER ON `priv_db`.* TO `test_yesprivs`@`localhost` trigger privilege on db level for create: @@ -1351,7 +1351,7 @@ drop trigger trg1_0; create definer=not_ex_user@localhost trigger trg1_0 before INSERT on t1 for each row set new.f1 = 'trig 1_0-yes'; -ERROR 42000: Access denied; you need (at least one of) the SUPER privilege(s) for this operation +ERROR 42000: Access denied; you need (at least one of) the SUPER, SET USER privilege(s) for this operation create definer=current_user trigger trg1_1 before INSERT on t1 for each row set new.f1 = 'trig 1_1-yes'; 
@@ -1386,7 +1386,7 @@ GRANT SELECT, INSERT, UPDATE, TRIGGER ON `priv_db`.`t1` TO `test_yesprivs`@`loca create definer=not_ex_user@localhost trigger trg1_3 after UPDATE on t1 for each row set @var1 = 'trig 1_3-yes'; -ERROR 42000: Access denied; you need (at least one of) the SUPER privilege(s) for this operation +ERROR 42000: Access denied; you need (at least one of) the SUPER, SET USER privilege(s) for this operation connection default; select current_user; current_user diff --git a/mysql-test/suite/funcs_1/r/myisam_trig_03.result b/mysql-test/suite/funcs_1/r/myisam_trig_03.result index 75286115d86..e2b96e2aacd 100644 --- a/mysql-test/suite/funcs_1/r/myisam_trig_03.result +++ b/mysql-test/suite/funcs_1/r/myisam_trig_03.result 
@@ -78,7 +78,7 @@ grant ALL on *.* to test_noprivs@localhost; revoke TRIGGER on *.* from test_noprivs@localhost; show grants for test_noprivs@localhost; Grants for test_noprivs@localhost -GRANT SELECT, INSERT, UPDATE, DELETE, CREATE, DROP, RELOAD, SHUTDOWN, PROCESS, FILE, REFERENCES, INDEX, ALTER, SHOW DATABASES, SUPER, CREATE TEMPORARY TABLES, LOCK TABLES, EXECUTE, REPLICATION SLAVE, REPLICATION CLIENT, CREATE VIEW, SHOW VIEW, CREATE ROUTINE, ALTER ROUTINE, CREATE USER, EVENT, CREATE TABLESPACE, DELETE HISTORY ON *.* TO `test_noprivs`@`localhost` IDENTIFIED BY PASSWORD '*C49735D016A099C0CF104EF9183F374A54CA2576' +GRANT SELECT, INSERT, UPDATE, DELETE, CREATE, DROP, RELOAD, SHUTDOWN, PROCESS, FILE, REFERENCES, INDEX, ALTER, SHOW DATABASES, SUPER, CREATE TEMPORARY TABLES, LOCK TABLES, EXECUTE, REPLICATION SLAVE, BINLOG MONITOR, CREATE VIEW, SHOW VIEW, CREATE ROUTINE, ALTER ROUTINE, CREATE USER, EVENT, CREATE TABLESPACE, DELETE HISTORY, SET USER, FEDERATED ADMIN, CONNECTION ADMIN, READ_ONLY ADMIN, REPLICATION SLAVE ADMIN, REPLICATION MASTER ADMIN, BINLOG ADMIN ON *.* TO `test_noprivs`@`localhost` IDENTIFIED BY PASSWORD '*C49735D016A099C0CF104EF9183F374A54CA2576' revoke ALL PRIVILEGES, GRANT OPTION FROM test_yesprivs@localhost; grant TRIGGER on *.* to test_yesprivs@localhost; grant SELECT on priv_db.t1 to test_yesprivs@localhost; 
@@ -168,7 +168,7 @@ grant ALL on *.* to test_noprivs@localhost; revoke UPDATE on *.* from test_noprivs@localhost; show grants for test_noprivs@localhost; Grants for test_noprivs@localhost -GRANT SELECT, INSERT, DELETE, CREATE, DROP, RELOAD, SHUTDOWN, PROCESS, FILE, REFERENCES, INDEX, ALTER, SHOW DATABASES, SUPER, CREATE TEMPORARY TABLES, LOCK TABLES, EXECUTE, REPLICATION SLAVE, REPLICATION CLIENT, CREATE VIEW, SHOW VIEW, CREATE ROUTINE, ALTER ROUTINE, CREATE USER, EVENT, TRIGGER, CREATE TABLESPACE, DELETE HISTORY ON *.* TO `test_noprivs`@`localhost` IDENTIFIED BY PASSWORD '*C49735D016A099C0CF104EF9183F374A54CA2576' +GRANT SELECT, INSERT, DELETE, CREATE, DROP, RELOAD, SHUTDOWN, PROCESS, FILE, REFERENCES, INDEX, ALTER, SHOW DATABASES, SUPER, CREATE TEMPORARY TABLES, LOCK TABLES, EXECUTE, REPLICATION SLAVE, BINLOG MONITOR, CREATE VIEW, SHOW VIEW, CREATE ROUTINE, ALTER ROUTINE, CREATE USER, EVENT, TRIGGER, CREATE TABLESPACE, DELETE HISTORY, SET USER, FEDERATED ADMIN, CONNECTION ADMIN, READ_ONLY ADMIN, REPLICATION SLAVE ADMIN, REPLICATION MASTER ADMIN, BINLOG ADMIN ON *.* TO `test_noprivs`@`localhost` IDENTIFIED BY PASSWORD '*C49735D016A099C0CF104EF9183F374A54CA2576' revoke ALL PRIVILEGES, GRANT OPTION FROM test_yesprivs@localhost; grant TRIGGER, UPDATE on *.* to test_yesprivs@localhost; show grants for test_yesprivs@localhost; 
@@ -183,7 +183,7 @@ test_noprivs@localhost use priv_db; show grants; Grants for test_noprivs@localhost -GRANT SELECT, INSERT, DELETE, CREATE, DROP, RELOAD, SHUTDOWN, PROCESS, FILE, REFERENCES, INDEX, ALTER, SHOW DATABASES, SUPER, CREATE TEMPORARY TABLES, LOCK TABLES, EXECUTE, REPLICATION SLAVE, REPLICATION CLIENT, CREATE VIEW, SHOW VIEW, CREATE ROUTINE, ALTER ROUTINE, CREATE USER, EVENT, TRIGGER, CREATE TABLESPACE, DELETE HISTORY ON *.* TO `test_noprivs`@`localhost` IDENTIFIED BY PASSWORD '*C49735D016A099C0CF104EF9183F374A54CA2576' +GRANT SELECT, INSERT, DELETE, CREATE, DROP, RELOAD, SHUTDOWN, PROCESS, FILE, REFERENCES, INDEX, ALTER, SHOW DATABASES, SUPER, CREATE TEMPORARY TABLES, LOCK TABLES, EXECUTE, REPLICATION SLAVE, BINLOG MONITOR, CREATE VIEW, SHOW VIEW, CREATE ROUTINE, ALTER ROUTINE, CREATE USER, EVENT, TRIGGER, CREATE TABLESPACE, DELETE HISTORY, SET USER, FEDERATED ADMIN, CONNECTION ADMIN, READ_ONLY ADMIN, REPLICATION SLAVE ADMIN, REPLICATION MASTER ADMIN, BINLOG ADMIN ON *.* TO `test_noprivs`@`localhost` IDENTIFIED BY PASSWORD '*C49735D016A099C0CF104EF9183F374A54CA2576' select f1 from t1 order by f1; f1 insert 3.5.3.2-no 
@@ -441,7 +441,7 @@ grant ALL on *.* to test_noprivs@localhost; revoke SELECT on *.* from test_noprivs@localhost; show grants for test_noprivs@localhost; Grants for test_noprivs@localhost -GRANT INSERT, UPDATE, DELETE, CREATE, DROP, RELOAD, SHUTDOWN, PROCESS, FILE, REFERENCES, INDEX, ALTER, SHOW DATABASES, SUPER, CREATE TEMPORARY TABLES, LOCK TABLES, EXECUTE, REPLICATION SLAVE, REPLICATION CLIENT, CREATE VIEW, SHOW VIEW, CREATE ROUTINE, ALTER ROUTINE, CREATE USER, EVENT, TRIGGER, CREATE TABLESPACE, DELETE HISTORY ON *.* TO `test_noprivs`@`localhost` IDENTIFIED BY PASSWORD '*C49735D016A099C0CF104EF9183F374A54CA2576' +GRANT INSERT, UPDATE, DELETE, CREATE, DROP, RELOAD, SHUTDOWN, PROCESS, FILE, REFERENCES, INDEX, ALTER, SHOW DATABASES, SUPER, CREATE TEMPORARY TABLES, LOCK TABLES, EXECUTE, REPLICATION SLAVE, BINLOG MONITOR, CREATE VIEW, SHOW VIEW, CREATE ROUTINE, ALTER ROUTINE, CREATE USER, EVENT, TRIGGER, CREATE TABLESPACE, DELETE HISTORY, SET USER, FEDERATED ADMIN, CONNECTION ADMIN, READ_ONLY ADMIN, REPLICATION SLAVE ADMIN, REPLICATION MASTER ADMIN, BINLOG ADMIN ON *.* TO `test_noprivs`@`localhost` IDENTIFIED BY PASSWORD '*C49735D016A099C0CF104EF9183F374A54CA2576' revoke ALL PRIVILEGES, GRANT OPTION FROM test_yesprivs@localhost; grant TRIGGER, SELECT on *.* to test_yesprivs@localhost; show grants for test_yesprivs@localhost; 
@@ -457,7 +457,7 @@ test_noprivs@localhost use priv_db; show grants; Grants for test_noprivs@localhost -GRANT INSERT, UPDATE, DELETE, CREATE, DROP, RELOAD, SHUTDOWN, PROCESS, FILE, REFERENCES, INDEX, ALTER, SHOW DATABASES, SUPER, CREATE TEMPORARY TABLES, LOCK TABLES, EXECUTE, REPLICATION SLAVE, REPLICATION CLIENT, CREATE VIEW, SHOW VIEW, CREATE ROUTINE, ALTER ROUTINE, CREATE USER, EVENT, TRIGGER, CREATE TABLESPACE, DELETE HISTORY ON *.* TO `test_noprivs`@`localhost` IDENTIFIED BY PASSWORD '*C49735D016A099C0CF104EF9183F374A54CA2576' +GRANT INSERT, UPDATE, DELETE, CREATE, DROP, RELOAD, SHUTDOWN, PROCESS, FILE, REFERENCES, INDEX, ALTER, SHOW DATABASES, SUPER, CREATE TEMPORARY TABLES, LOCK TABLES, EXECUTE, REPLICATION SLAVE, BINLOG MONITOR, CREATE VIEW, SHOW VIEW, CREATE ROUTINE, ALTER ROUTINE, CREATE USER, EVENT, TRIGGER, CREATE TABLESPACE, DELETE HISTORY, SET USER, FEDERATED ADMIN, CONNECTION ADMIN, READ_ONLY ADMIN, REPLICATION SLAVE ADMIN, REPLICATION MASTER ADMIN, BINLOG ADMIN ON *.* TO `test_noprivs`@`localhost` IDENTIFIED BY PASSWORD '*C49735D016A099C0CF104EF9183F374A54CA2576' create trigger trg5a_1 before INSERT on t1 for each row set @test_var = new.f1; connection default; diff --git a/mysql-test/suite/funcs_1/r/myisam_trig_03e.result b/mysql-test/suite/funcs_1/r/myisam_trig_03e.result index 8b8df4bd694..9c2740b0c4b 100644 --- a/mysql-test/suite/funcs_1/r/myisam_trig_03e.result +++ b/mysql-test/suite/funcs_1/r/myisam_trig_03e.result 
@@ -604,7 +604,7 @@ trig 1_1-yes revoke TRIGGER on *.* from test_yesprivs@localhost; show grants for test_yesprivs@localhost; Grants for test_yesprivs@localhost -GRANT SELECT, INSERT, UPDATE, DELETE, CREATE, DROP, RELOAD, SHUTDOWN, PROCESS, FILE, REFERENCES, INDEX, ALTER, SHOW DATABASES, SUPER, CREATE TEMPORARY TABLES, LOCK TABLES, EXECUTE, REPLICATION SLAVE, REPLICATION CLIENT, CREATE VIEW, SHOW VIEW, CREATE ROUTINE, ALTER ROUTINE, CREATE USER, EVENT, CREATE TABLESPACE, DELETE HISTORY ON *.* TO `test_yesprivs`@`localhost` IDENTIFIED BY PASSWORD '*C49735D016A099C0CF104EF9183F374A54CA2576' +GRANT SELECT, INSERT, UPDATE, DELETE, CREATE, DROP, RELOAD, SHUTDOWN, PROCESS, FILE, REFERENCES, INDEX, ALTER, SHOW DATABASES, SUPER, CREATE TEMPORARY TABLES, LOCK TABLES, EXECUTE, REPLICATION SLAVE, BINLOG MONITOR, CREATE VIEW, SHOW VIEW, CREATE ROUTINE, ALTER ROUTINE, CREATE USER, EVENT, CREATE TABLESPACE, DELETE HISTORY, SET USER, FEDERATED ADMIN, CONNECTION ADMIN, READ_ONLY ADMIN, REPLICATION SLAVE ADMIN, REPLICATION MASTER ADMIN, BINLOG ADMIN ON *.* TO `test_yesprivs`@`localhost` IDENTIFIED BY PASSWORD '*C49735D016A099C0CF104EF9183F374A54CA2576' disconnect yes_privs; connect yes_privs,localhost,test_yesprivs,PWD,test,$MASTER_MYPORT,$MASTER_MYSOCK; select current_user; 
@@ -657,7 +657,7 @@ root@localhost grant TRIGGER on priv_db.* to test_yesprivs@localhost; show grants for test_yesprivs@localhost; Grants for test_yesprivs@localhost -GRANT SELECT, INSERT, UPDATE, DELETE, CREATE, DROP, RELOAD, SHUTDOWN, PROCESS, FILE, REFERENCES, INDEX, ALTER, SHOW DATABASES, SUPER, CREATE TEMPORARY TABLES, LOCK TABLES, EXECUTE, REPLICATION SLAVE, REPLICATION CLIENT, CREATE VIEW, SHOW VIEW, CREATE ROUTINE, ALTER ROUTINE, CREATE USER, EVENT, CREATE TABLESPACE, DELETE HISTORY ON *.* TO `test_yesprivs`@`localhost` IDENTIFIED BY PASSWORD '*C49735D016A099C0CF104EF9183F374A54CA2576' +GRANT SELECT, INSERT, UPDATE, DELETE, CREATE, DROP, RELOAD, SHUTDOWN, PROCESS, FILE, REFERENCES, INDEX, ALTER, SHOW DATABASES, SUPER, CREATE TEMPORARY TABLES, LOCK TABLES, EXECUTE, REPLICATION SLAVE, BINLOG MONITOR, CREATE VIEW, SHOW VIEW, CREATE ROUTINE, ALTER ROUTINE, CREATE USER, EVENT, CREATE TABLESPACE, DELETE HISTORY, SET USER, FEDERATED ADMIN, CONNECTION ADMIN, READ_ONLY ADMIN, REPLICATION SLAVE ADMIN, REPLICATION MASTER ADMIN, BINLOG ADMIN ON *.* TO `test_yesprivs`@`localhost` IDENTIFIED BY PASSWORD '*C49735D016A099C0CF104EF9183F374A54CA2576' GRANT TRIGGER ON `priv_db`.* TO `test_yesprivs`@`localhost` trigger privilege on db level for create: @@ -1351,7 +1351,7 @@ drop trigger trg1_0; create definer=not_ex_user@localhost trigger trg1_0 before INSERT on t1 for each row set new.f1 = 'trig 1_0-yes'; -ERROR 42000: Access denied; you need (at least one of) the SUPER privilege(s) for this operation +ERROR 42000: Access denied; you need (at least one of) the SUPER, SET USER privilege(s) for this operation create definer=current_user trigger trg1_1 before INSERT on t1 for each row set new.f1 = 'trig 1_1-yes'; 
@@ -1386,7 +1386,7 @@ GRANT SELECT, INSERT, UPDATE, TRIGGER ON `priv_db`.`t1` TO `test_yesprivs`@`loca create definer=not_ex_user@localhost trigger trg1_3 after UPDATE on t1 for each row set @var1 = 'trig 1_3-yes'; -ERROR 42000: Access denied; you need (at least one of) the SUPER privilege(s) for this operation +ERROR 42000: Access denied; you need (at least one of) the SUPER, SET USER privilege(s) for this operation connection default; select current_user; current_user diff --git a/mysql-test/suite/perfschema/r/read_only.result b/mysql-test/suite/perfschema/r/read_only.result index b25d542c178..344526bbd63 100644 --- a/mysql-test/suite/perfschema/r/read_only.result +++ b/mysql-test/suite/perfschema/r/read_only.result @@ -32,7 +32,7 @@ select * from performance_schema.setup_instruments; update performance_schema.setup_instruments set enabled='NO'; update performance_schema.setup_instruments set enabled='YES'; connection default; -grant super on *.* to pfsuser@localhost; +grant READ_ONLY ADMIN on *.* to pfsuser@localhost; flush privileges; disconnect con1; connect con1, localhost, pfsuser, , test; @@ -41,7 +41,7 @@ select @@global.read_only; 1 show grants; Grants for pfsuser@localhost -GRANT SUPER ON *.* TO `pfsuser`@`localhost` +GRANT READ_ONLY ADMIN ON *.* TO `pfsuser`@`localhost` GRANT SELECT, UPDATE ON `performance_schema`.* TO `pfsuser`@`localhost` select * from performance_schema.setup_instruments; update performance_schema.setup_instruments set enabled='NO'; diff --git a/mysql-test/suite/perfschema/t/read_only.test b/mysql-test/suite/perfschema/t/read_only.test index 05665eeb0bb..2d8e41595d1 100644 --- a/mysql-test/suite/perfschema/t/read_only.test +++ b/mysql-test/suite/perfschema/t/read_only.test @@ -51,7 +51,7 @@ update performance_schema.setup_instruments set enabled='YES'; connection default; -grant super on *.* to pfsuser@localhost; +grant READ_ONLY ADMIN on *.* to pfsuser@localhost; flush privileges; disconnect con1; 
diff --git a/mysql-test/suite/roles/admin.result b/mysql-test/suite/roles/admin.result index a7841fd3b57..2ecbfae4516 100644 --- a/mysql-test/suite/roles/admin.result +++ b/mysql-test/suite/roles/admin.result @@ -8,9 +8,9 @@ create role role3 with admin role1; create role role4 with admin root@localhost; connect c1, localhost, foo,,; create role role5 with admin root@localhost; -ERROR 42000: Access denied; you need (at least one of) the SUPER privilege(s) for this operation +ERROR 42000: Access denied; you need (at least one of) the SUPER, SET USER privilege(s) for this operation create role role5 with admin role3; -ERROR 42000: Access denied; you need (at least one of) the SUPER privilege(s) for this operation +ERROR 42000: Access denied; you need (at least one of) the SUPER, SET USER privilege(s) for this operation create role role5 with admin foo@localhost; connection default; call mtr.add_suppression("Invalid roles_mapping table entry user:'foo@bar', rolename:'role6'"); diff --git a/mysql-test/suite/roles/definer.result b/mysql-test/suite/roles/definer.result index 30911265436..ecfa8113220 100644 --- a/mysql-test/suite/roles/definer.result +++ b/mysql-test/suite/roles/definer.result @@ -666,7 +666,7 @@ CREATE DEFINER='r1' PROCEDURE user1_proc2() SQL SECURITY INVOKER BEGIN SELECT NOW(), VERSION(); END;// -ERROR 42000: Access denied; you need (at least one of) the SUPER privilege(s) for this operation +ERROR 42000: Access denied; you need (at least one of) the SUPER, SET USER privilege(s) for this operation set role r1; CREATE DEFINER='r1' PROCEDURE user1_proc2() SQL SECURITY INVOKER BEGIN diff --git a/plugin/userstat/client_stats.cc b/plugin/userstat/client_stats.cc index 2adeb23a385..72c71785606 100644 --- a/plugin/userstat/client_stats.cc +++ b/plugin/userstat/client_stats.cc 
@@ -78,7 +78,7 @@ static int send_user_stats(THD* thd, HASH *all_user_stats, TABLE *table) static int client_stats_fill(THD* thd, TABLE_LIST* tables, COND* cond) { - if (check_global_access(thd, SUPER_ACL | PROCESS_ACL, true)) + if (check_global_access(thd, PROCESS_ACL, true)) return 0; return send_user_stats(thd, &global_client_stats, tables->table); diff --git a/plugin/userstat/user_stats.cc b/plugin/userstat/user_stats.cc index 50809e0442a..de3d4e12fb1 100644 --- a/plugin/userstat/user_stats.cc +++ b/plugin/userstat/user_stats.cc @@ -34,7 +34,7 @@ static ST_FIELD_INFO user_stats_fields[]= static int user_stats_fill(THD* thd, TABLE_LIST* tables, COND* cond) { - if (check_global_access(thd, SUPER_ACL | PROCESS_ACL, true)) + if (check_global_access(thd, PROCESS_ACL, true)) return 0; return send_user_stats(thd, &global_user_stats, tables->table); diff --git a/sql/event_data_objects.cc b/sql/event_data_objects.cc index 7d4afb2e9c5..bd457fba4fa 100644 --- a/sql/event_data_objects.cc +++ b/sql/event_data_objects.cc @@ -25,7 +25,6 @@ // date_add_interval, // calc_time_diff #include "tztime.h" // my_tz_find, my_tz_OFFSET0, struct Time_zone -#include "sql_acl.h" // EVENT_ACL, SUPER_ACL #include "sp.h" // load_charset, load_collation #include "events.h" #include "event_data_objects.h" @@ -1518,7 +1517,7 @@ end: */ privilege_t saved_master_access(thd->security_ctx->master_access); - thd->security_ctx->master_access |= SUPER_ACL; + thd->security_ctx->master_access |= PRIV_IGNORE_READ_ONLY; bool save_tx_read_only= thd->tx_read_only; thd->tx_read_only= false; diff --git a/sql/event_db_repository.cc b/sql/event_db_repository.cc index 6783338ab10..af43d92dea7 100644 --- a/sql/event_db_repository.cc +++ b/sql/event_db_repository.cc 
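Review bot: In `client_stats_fill()` the check no longer accepts `SUPER_ACL`, and a failed `check_global_access(thd, PROCESS_ACL, true)` is followed by `return 0`, so an account that holds SUPER but not PROCESS now appears to get an empty table rather than an error. The same applies to `user_stats_fill()` in plugin/userstat/user_stats.cc. None of the upgrade code visible in this commit adds PROCESS to SUPER holders, so this looks like a silent narrowing for existing administrators. I would record it next to the check the way privilege.h does for the other changed checks, `// Was SUPER_ACL | PROCESS_ACL prior to 10.5.2`, and consider a named `PRIV_*` constant instead of the raw bit so the requirement is listed with the others.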
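Review bot: `thd->security_ctx->master_access |= PRIV_IGNORE_READ_ONLY;` in the event_data_objects.cc hunk ORs in the whole mask, which privilege.h in this commit defines as `READ_ONLY_ADMIN_ACL | SUPER_ACL`, so the elevated context still receives SUPER along with the new bit. The read-only checks visible in this commit (`ha_commit_trans`, `lock_tables_check`, `deny_updates_if_read_only_option`) all test `& PRIV_IGNORE_READ_ONLY`, so `thd->security_ctx->master_access |= READ_ONLY_ADMIN_ACL;` should be enough to pass them, provided no check outside this view still tests `SUPER_ACL` alone. The same applies to `Event_scheduler::start()` in event_scheduler.cc and `Events::load_events_from_db()` in events.cc. The enclosing function here starts outside the hunk.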
@@ -24,7 +24,6 @@ #include "sql_db.h" // get_default_db_collation #include "sql_time.h" // interval_type_to_name #include "tztime.h" // struct Time_zone -#include "sql_acl.h" // SUPER_ACL, MYSQL_DB_FIELD_COUNT, mysql_db_table_fields #include "records.h" // init_read_record, end_read_record #include "sp_head.h" #include "event_data_objects.h" @@ -1128,7 +1127,7 @@ update_timing_fields_for_event(THD *thd, */ save_binlog_format= thd->set_current_stmt_binlog_format_stmt(); - DBUG_ASSERT(thd->security_ctx->master_access & SUPER_ACL); + DBUG_ASSERT(thd->security_ctx->master_access & PRIV_IGNORE_READ_ONLY); if (open_event_table(thd, TL_WRITE, &table)) goto end; diff --git a/sql/event_scheduler.cc b/sql/event_scheduler.cc index 059bf679ba9..0e8e4826939 100644 --- a/sql/event_scheduler.cc +++ b/sql/event_scheduler.cc @@ -22,7 +22,7 @@ #include "event_queue.h" #include "event_db_repository.h" #include "sql_connect.h" // init_new_connection_handler_thread -#include "sql_acl.h" // SUPER_ACL +#include "sql_class.h" /** @addtogroup Event_Scheduler @@ -417,7 +417,7 @@ Event_scheduler::start(int *err_no) Same goes for transaction access mode. Set it to read-write for this thd. */ - new_thd->security_ctx->master_access |= SUPER_ACL; + new_thd->security_ctx->master_access |= PRIV_IGNORE_READ_ONLY; new_thd->variables.tx_read_only= false; new_thd->tx_read_only= false; diff --git a/sql/events.cc b/sql/events.cc index 76a6a31cad9..3bed25e20c3 100644 --- a/sql/events.cc +++ b/sql/events.cc @@ -1172,7 +1172,7 @@ Events::load_events_from_db(THD *thd) */ privilege_t saved_master_access(thd->security_ctx->master_access); - thd->security_ctx->master_access |= SUPER_ACL; + thd->security_ctx->master_access |= PRIV_IGNORE_READ_ONLY; bool save_tx_read_only= thd->tx_read_only; thd->tx_read_only= false; diff --git a/sql/handler.cc b/sql/handler.cc index 73bc86d010b..4dd915d8b91 100644 --- a/sql/handler.cc +++ b/sql/handler.cc 
@@ -30,7 +30,6 @@ #include "key.h" // key_copy, key_unpack, key_cmp_if_same, key_cmp #include "sql_table.h" // build_table_filename #include "sql_parse.h" // check_stack_overrun -#include "sql_acl.h" // SUPER_ACL #include "sql_base.h" // TDC_element #include "discover.h" // extension_based_table_discovery, etc #include "log_event.h" // *_rows_log_event @@ -1563,7 +1562,7 @@ int ha_commit_trans(THD *thd, bool all) if (rw_trans && opt_readonly && - !(thd->security_ctx->master_access & SUPER_ACL) && + !(thd->security_ctx->master_access & PRIV_IGNORE_READ_ONLY) && !thd->slave_thread) { my_error(ER_OPTION_PREVENTS_STATEMENT, MYF(0), "--read-only"); diff --git a/sql/item_strfunc.cc b/sql/item_strfunc.cc index bee56a607f7..bcc041ae9c6 100644 --- a/sql/item_strfunc.cc +++ b/sql/item_strfunc.cc @@ -43,7 +43,6 @@ #include "set_var.h" #include "sql_base.h" #include "sql_time.h" -#include "sql_acl.h" // SUPER_ACL #include "des_key_file.h" // st_des_keyschedule, st_des_keyblock #include "password.h" // my_make_scrambled_password, // my_make_scrambled_password_323 @@ -838,7 +837,7 @@ String *Item_func_des_decrypt::val_str(String *str) { uint key_number=(uint) (*res)[0] & 127; // Check if automatic key and that we have privilege to uncompress using it - if (!(current_thd->security_ctx->master_access & SUPER_ACL) || + if (!(current_thd->security_ctx->master_access & PRIV_DES_DECRYPT_ONE_ARG) || key_number > 9) goto error; diff --git a/sql/lex.h b/sql/lex.h index 1cb7ad5d4c8..f36b8258c93 100644 --- a/sql/lex.h +++ b/sql/lex.h @@ -239,6 +239,7 @@ static SYMBOL symbols[] = { { "FALSE", SYM(FALSE_SYM)}, { "FAST", SYM(FAST_SYM)}, { "FAULTS", SYM(FAULTS_SYM)}, + { "FEDERATED", SYM(FEDERATED_SYM)}, { "FETCH", SYM(FETCH_SYM)}, { "FIELDS", SYM(COLUMNS)}, { "FILE", SYM(FILE_SYM)}, 
@@ -405,6 +406,7 @@ static SYMBOL symbols[] = { { "MODE", SYM(MODE_SYM)}, { "MODIFIES", SYM(MODIFIES_SYM)}, { "MODIFY", SYM(MODIFY_SYM)}, + { "MONITOR", SYM(MONITOR_SYM)}, { "MONTH", SYM(MONTH_SYM)}, { "MUTEX", SYM(MUTEX_SYM)}, { "MYSQL", SYM(MYSQL_SYM)}, diff --git a/sql/lock.cc b/sql/lock.cc index db205efd643..7f69946c35e 100644 --- a/sql/lock.cc +++ b/sql/lock.cc @@ -76,7 +76,6 @@ #include "lock.h" #include "sql_base.h" // close_tables_for_reopen #include "sql_parse.h" // is_log_table_write_query -#include "sql_acl.h" // SUPER_ACL #include "sql_handler.h" #include <hash.h> #include "wsrep_mysqld.h" @@ -109,12 +108,13 @@ static int lock_tables_check(THD *thd, TABLE **tables, uint count, uint flags) { uint system_count, i; - bool is_superuser, log_table_write_query; + bool ignore_read_only, log_table_write_query; DBUG_ENTER("lock_tables_check"); system_count= 0; - is_superuser= (thd->security_ctx->master_access & SUPER_ACL) != NO_ACL; + ignore_read_only= + (thd->security_ctx->master_access & PRIV_IGNORE_READ_ONLY) != NO_ACL; log_table_write_query= (is_log_table_write_query(thd->lex->sql_command) || ((flags & MYSQL_LOCK_LOG_TABLE) != 0)); @@ -179,7 +179,7 @@ lock_tables_check(THD *thd, TABLE **tables, uint count, uint flags) if (!(flags & MYSQL_LOCK_IGNORE_GLOBAL_READ_ONLY) && !t->s->tmp_table) { if (t->reginfo.lock_type >= TL_WRITE_ALLOW_WRITE && - !is_superuser && opt_readonly && !thd->slave_thread) + !ignore_read_only && opt_readonly && !thd->slave_thread) { my_error(ER_OPTION_PREVENTS_STATEMENT, MYF(0), "--read-only"); DBUG_RETURN(1); diff --git a/sql/log.cc b/sql/log.cc index 65679ea6685..355118dc701 100644 --- a/sql/log.cc +++ b/sql/log.cc @@ -34,7 +34,6 @@ #include "sql_parse.h" // command_name #include "sql_time.h" // calc_time_from_sec, my_time_compare #include "tztime.h" // my_tz_OFFSET0, struct Time_zone -#include "sql_acl.h" // SUPER_ACL #include "log_event.h" // Query_log_event #include "rpl_filter.h" #include "rpl_rli.h" 
@@ -10496,7 +10495,7 @@ static struct st_mysql_sys_var *binlog_sys_vars[]= /* Copy out the non-directory part of binlog position filename for the `binlog_snapshot_file' status variable, same way as it is done for - SHOW MASTER STATUS. + SHOW BINLOG STATUS. */ static void set_binlog_snapshot_file(const char *src) diff --git a/sql/mysqld.cc b/sql/mysqld.cc index 0f54f29e8f6..d9edec9e7df 100644 --- a/sql/mysqld.cc +++ b/sql/mysqld.cc @@ -3443,7 +3443,7 @@ SHOW_VAR com_status_vars[]= { {"show_generic", STMT_STATUS(SQLCOM_SHOW_GENERIC)}, {"show_grants", STMT_STATUS(SQLCOM_SHOW_GRANTS)}, {"show_keys", STMT_STATUS(SQLCOM_SHOW_KEYS)}, - {"show_master_status", STMT_STATUS(SQLCOM_SHOW_MASTER_STAT)}, + {"show_binlog_status", STMT_STATUS(SQLCOM_SHOW_BINLOG_STAT)}, {"show_open_tables", STMT_STATUS(SQLCOM_SHOW_OPEN_TABLES)}, {"show_package_status", STMT_STATUS(SQLCOM_SHOW_STATUS_PACKAGE)}, #ifndef DBUG_OFF diff --git a/sql/partition_info.cc b/sql/partition_info.cc index 1af3153ca87..5e3c19850de 100644 --- a/sql/partition_info.cc +++ b/sql/partition_info.cc @@ -30,7 +30,6 @@ // NOT_A_PARTITION_ID #include "partition_info.h" #include "sql_parse.h" -#include "sql_acl.h" // *_ACL #include "sql_base.h" // fill_record #include "lock.h" #include "table.h" diff --git a/sql/privilege.h b/sql/privilege.h index 5dbc0b6dbdf..c5c13186743 100644 --- a/sql/privilege.h +++ b/sql/privilege.h @@ -49,7 +49,7 @@ enum privilege_t: unsigned long long LOCK_TABLES_ACL = (1UL << 17), EXECUTE_ACL = (1UL << 18), REPL_SLAVE_ACL = (1UL << 19), - REPL_CLIENT_ACL = (1UL << 20), + BINLOG_MONITOR_ACL = (1UL << 20), // Was REPL_CLIENT_ACL prior to 10.5.2 CREATE_VIEW_ACL = (1UL << 21), SHOW_VIEW_ACL = (1UL << 22), CREATE_PROC_ACL = (1UL << 23), 
@@ -59,24 +59,63 @@ enum privilege_t: unsigned long long TRIGGER_ACL = (1UL << 27), CREATE_TABLESPACE_ACL = (1UL << 28), DELETE_HISTORY_ACL = (1UL << 29), // Added in 10.3.4 + SET_USER_ACL = (1UL << 30), // Added in 10.5.2 + FEDERATED_ADMIN_ACL = (1UL << 31), // Added in 10.5.2 + CONNECTION_ADMIN_ACL = (1ULL << 32), // Added in 10.5.2 + READ_ONLY_ADMIN_ACL = (1ULL << 33), // Added in 10.5.2 + REPL_SLAVE_ADMIN_ACL = (1ULL << 34), // Added in 10.5.2 + REPL_MASTER_ADMIN_ACL = (1ULL << 35), // Added in 10.5.2 + BINLOG_ADMIN_ACL = (1ULL << 36) // Added in 10.5.2 /* - don't forget to update - 1. static struct show_privileges_st sys_privileges[] - 2. static const char *command_array[] and static uint command_lengths[] - 3. mysql_system_tables.sql and mysql_system_tables_fix.sql - 4. acl_init() or whatever - to define behaviour for old privilege tables - 5. sql_yacc.yy - for GRANT/REVOKE to work - 6. Add a new ALL_KNOWN_ACL_VERSION - 7. Change ALL_KNOWN_ACL to ALL_KNOWN_ACL_VERSION - 8. Update User_table_json::get_access() + When adding new privilege bits, don't forget to update: + In this file: + - Add a new LAST_version_ACL + - Add a new ALL_KNOWN_ACL_version + - Change ALL_KNOWN_ACL to ALL_KNOWN_ACL_version + - Change GLOBAL_ACLS if needed + - Change SUPER_ADDED_SINCE_USER_TABLE_ACL if needed + + In other files: + - static struct show_privileges_st sys_privileges[] + - static const char *command_array[] and static uint command_lengths[] + - mysql_system_tables.sql and mysql_system_tables_fix.sql + - acl_init() or whatever - to define behaviour for old privilege tables + - Update User_table_json::get_access() + - sql_yacc.yy - for GRANT/REVOKE to work + + Important: the enum should contain only single-bit values. + In this case, debuggers print bit combinations in the readable form: + (gdb) p (privilege_t) (15) + $8 = (SELECT_ACL | INSERT_ACL | UPDATE_ACL | DELETE_ACL) + + Bit-OR combinations of the above values should be declared outside! 
*/ - - // A combination of all bits defined in 10.3.4 (and earlier) - ALL_KNOWN_ACL_100304 = (1UL << 30) - 1 }; -constexpr privilege_t ALL_KNOWN_ACL= ALL_KNOWN_ACL_100304; +// Version markers +constexpr privilege_t LAST_100304_ACL= DELETE_HISTORY_ACL; +constexpr privilege_t LAST_100502_ACL= BINLOG_ADMIN_ACL; + +// Current version markers +constexpr privilege_t LAST_CURRENT_ACL= LAST_100502_ACL; +constexpr uint PRIVILEGE_T_MAX_BIT= + my_bit_log2_uint64((ulonglong) LAST_CURRENT_ACL); + +static_assert((privilege_t)(1ULL << PRIVILEGE_T_MAX_BIT) == LAST_CURRENT_ACL, + "Something went fatally badly: " + "LAST_CURRENT_ACL and PRIVILEGE_T_MAX_BIT do not match"); + +// A combination of all bits defined in 10.3.4 (and earlier) +constexpr privilege_t ALL_KNOWN_ACL_100304 = + (privilege_t) ((LAST_100304_ACL << 1) - 1); + +// A combination of all bits defined in 10.5.2 +constexpr privilege_t ALL_KNOWN_ACL_100502= + (privilege_t) ((LAST_100502_ACL << 1) - 1); + +// A combination of all bits defined as of the current version +constexpr privilege_t ALL_KNOWN_ACL= ALL_KNOWN_ACL_100502; // Unary operators @@ -175,6 +214,19 @@ static inline privilege_t& operator|=(privilege_t &a, privilege_t b) } +/* + A combination of all SUPER privileges added since the old user table format. + These privileges are automatically added when upgrading from the + old format mysql.user table if a user has the SUPER privilege. +*/ +constexpr privilege_t GLOBAL_SUPER_ADDED_SINCE_USER_TABLE_ACLS= + SET_USER_ACL | + FEDERATED_ADMIN_ACL | + CONNECTION_ADMIN_ACL | + READ_ONLY_ADMIN_ACL | + REPL_SLAVE_ADMIN_ACL | + BINLOG_ADMIN_ACL; + constexpr privilege_t COL_DML_ACLS= SELECT_ACL | INSERT_ACL | UPDATE_ACL | DELETE_ACL; 
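Review bot: The comment on `GLOBAL_SUPER_ADDED_SINCE_USER_TABLE_ACLS` says the bits are added when upgrading from the old-format mysql.user table, but `User_table_json::adjust_access()` in this commit also ORs them in for JSON rows whose version_id is below 100502. The checklist added to the enum comment earlier in this file refers to the set as `SUPER_ADDED_SINCE_USER_TABLE_ACL`, which is not the declared name. I would reword the comment along the lines of `Added to accounts that hold SUPER when the stored privileges predate 10.5.2 (old-format mysql.user, or JSON with an older version_id)` and use the declared name in the checklist.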
@@ -213,7 +265,9 @@ constexpr privilege_t GLOBAL_ACLS= DB_ACLS | SHOW_DB_ACL | CREATE_USER_ACL | CREATE_TABLESPACE_ACL | SUPER_ACL | RELOAD_ACL | SHUTDOWN_ACL | PROCESS_ACL | FILE_ACL | - REPL_SLAVE_ACL | REPL_CLIENT_ACL; + REPL_SLAVE_ACL | BINLOG_MONITOR_ACL | + GLOBAL_SUPER_ADDED_SINCE_USER_TABLE_ACLS | + REPL_MASTER_ADMIN_ACL; constexpr privilege_t DEFAULT_CREATE_PROC_ACLS= ALTER_PROC_ACL | EXECUTE_ACL; 
@@ -229,6 +283,124 @@ constexpr privilege_t SHOW_CREATE_TABLE_ACLS= constexpr privilege_t TMP_TABLE_ACLS= COL_DML_ACLS | ALL_TABLE_DDL_ACLS; + + +/* + Allow to set an object definer: + CREATE DEFINER=xxx {TRIGGER|VIEW|FUNCTION|PROCEDURE} + Was SUPER prior to 10.5.2 +*/ +constexpr privilege_t PRIV_DEFINER_CLAUSE= SET_USER_ACL | SUPER_ACL; +/* + If a VIEW has a `definer=invoker@host` clause and + the specified definer does not exists, then + - The invoker with REVEAL_MISSING_DEFINER_ACL gets: + ERROR: The user specified as a definer ('definer1'@'localhost') doesn't exist + - The invoker without MISSING_DEFINER_ACL gets a generic access error, + without revealing details that the definer does not exists. + + TODO: we should eventually test the same privilege when processing + other objects that have the DEFINER clause (e.g. routines, triggers). + Currently the missing definer is revealed for non-privileged invokers + in case of routines, triggers, etc. + + Was SUPER prior to 10.5.2 +*/ +constexpr privilege_t PRIV_REVEAL_MISSING_DEFINER= SET_USER_ACL | SUPER_ACL; + +/* Actions that require only the SUPER privilege */ +constexpr privilege_t PRIV_DES_DECRYPT_ONE_ARG= SUPER_ACL; +constexpr privilege_t PRIV_LOG_BIN_TRUSTED_SP_CREATOR= SUPER_ACL; +constexpr privilege_t PRIV_DEBUG= SUPER_ACL; +constexpr privilege_t PRIV_SET_GLOBAL_SYSTEM_VARIABLE= SUPER_ACL; +constexpr privilege_t PRIV_SET_RESTRICTED_SESSION_SYSTEM_VARIABLE= SUPER_ACL; + +/* Privileges related to --read-only */ +constexpr privilege_t PRIV_IGNORE_READ_ONLY= READ_ONLY_ADMIN_ACL | SUPER_ACL; + +/* + Privileges related to connection handling. 
+*/ +// Was SUPER_ACL prior to 10.5.2 +constexpr privilege_t PRIV_IGNORE_INIT_CONNECT= CONNECTION_ADMIN_ACL | SUPER_ACL; +// Was SUPER_ACL prior to 10.5.2 +constexpr privilege_t PRIV_IGNORE_MAX_USER_CONNECTIONS= CONNECTION_ADMIN_ACL | SUPER_ACL; +// Was SUPER_ACL prior to 10.5.2 +constexpr privilege_t PRIV_IGNORE_MAX_CONNECTIONS= CONNECTION_ADMIN_ACL | SUPER_ACL; +// Was SUPER_ACL prior to 10.5.2 +constexpr privilege_t PRIV_IGNORE_MAX_PASSWORD_ERRORS= CONNECTION_ADMIN_ACL | SUPER_ACL; +// Was SUPER_ACL prior to 10.5.2 +constexpr privilege_t PRIV_KILL_OTHER_USER_PROCESS= CONNECTION_ADMIN_ACL | SUPER_ACL; + + +/* + Binary log related privileges that are checked regardless + of active replication running. +*/ + +/* + This command was renamed from "SHOW MASTER STATUS" + to "SHOW BINLOG STATUS" in 10.5.2. + Was SUPER_ACL | REPL_CLIENT_ACL prior to 10.5.2 + REPL_CLIENT_ACL was renamed to BINLOG_MONITOR_ACL. +*/ +constexpr privilege_t PRIV_STMT_SHOW_BINLOG_STATUS= BINLOG_MONITOR_ACL | SUPER_ACL; + +/* + Was SUPER_ACL | REPL_CLIENT_ACL prior to 10.5.2 + REPL_CLIENT_ACL was renamed to BINLOG_MONITOR_ACL. +*/ +constexpr privilege_t PRIV_STMT_SHOW_BINARY_LOGS= BINLOG_MONITOR_ACL | SUPER_ACL; + +// Was SUPER_ACL prior to 10.5.2 +constexpr privilege_t PRIV_STMT_PURGE_BINLOG= BINLOG_ADMIN_ACL | SUPER_ACL; + +// Was REPL_SLAVE_ACL prior to 10.5.2 +constexpr privilege_t PRIV_STMT_SHOW_BINLOG_EVENTS= BINLOG_MONITOR_ACL; + + +/* + Privileges for replication related statements and commands + that are executed on the master. 
+*/ +constexpr privilege_t PRIV_COM_REGISTER_SLAVE= REPL_SLAVE_ACL; +constexpr privilege_t PRIV_COM_BINLOG_DUMP= REPL_SLAVE_ACL; +// Was REPL_SLAVE_ACL prior to 10.5.2 +constexpr privilege_t PRIV_STMT_SHOW_SLAVE_HOSTS= REPL_MASTER_ADMIN_ACL; + + +/* Privileges for statements that are executed on the slave */ +// Was SUPER_ACL prior to 10.5.2 +constexpr privilege_t PRIV_STMT_START_SLAVE= REPL_SLAVE_ADMIN_ACL | SUPER_ACL; +// Was SUPER_ACL prior to 10.5.2 +constexpr privilege_t PRIV_STMT_STOP_SLAVE= REPL_SLAVE_ADMIN_ACL | SUPER_ACL; +// Was SUPER_ACL prior to 10.5.2 +constexpr privilege_t PRIV_STMT_CHANGE_MASTER= REPL_SLAVE_ADMIN_ACL | SUPER_ACL; +// Was (SUPER_ACL | REPL_CLIENT_ACL) prior to 10.5.2 +constexpr privilege_t PRIV_STMT_SHOW_SLAVE_STATUS= REPL_SLAVE_ADMIN_ACL | SUPER_ACL; +// Was SUPER_ACL prior to 10.5.2 +constexpr privilege_t PRIV_STMT_BINLOG= REPL_SLAVE_ADMIN_ACL | SUPER_ACL; +// Was REPL_SLAVE_ACL prior to 10.5.2 +constexpr privilege_t PRIV_STMT_SHOW_RELAYLOG_EVENTS= REPL_SLAVE_ADMIN_ACL; + + +/* Privileges for federated database related statements */ +// Was SUPER_ACL prior to 10.5.2 +constexpr privilege_t PRIV_STMT_CREATE_SERVER= FEDERATED_ADMIN_ACL | SUPER_ACL; +// Was SUPER_ACL prior to 10.5.2 +constexpr privilege_t PRIV_STMT_ALTER_SERVER= FEDERATED_ADMIN_ACL | SUPER_ACL; +// Was SUPER_ACL prior to 10.5.2 +constexpr privilege_t PRIV_STMT_DROP_SERVER= FEDERATED_ADMIN_ACL | SUPER_ACL; + + +/* Privileges related to processes */ +constexpr privilege_t PRIV_COM_PROCESS_INFO= PROCESS_ACL; +constexpr privilege_t PRIV_STMT_SHOW_EXPLAIN= PROCESS_ACL; +constexpr privilege_t PRIV_STMT_SHOW_ENGINE_STATUS= PROCESS_ACL; +constexpr privilege_t PRIV_STMT_SHOW_ENGINE_MUTEX= PROCESS_ACL; +constexpr privilege_t PRIV_STMT_SHOW_PROCESSLIST= PROCESS_ACL; + + /* Defines to change the above bits to how things are stored in tables This is needed as the 'host' and 'db' table is missing a few privileges 
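Review bot: `PRIV_STMT_SHOW_BINLOG_EVENTS= BINLOG_MONITOR_ACL` replaces the required privilege instead of splitting it: the comment above it says the statement needed `REPL_SLAVE_ACL` before, and `BINLOG_MONITOR_ACL` is the renamed `REPL_CLIENT_ACL` bit. Every account that already holds REPLICATION CLIENT therefore becomes able to run SHOW BINLOG EVENTS after upgrade, while accounts with only REPLICATION SLAVE lose it, since the upgrade code visible in sql_acl.cc does not map one bit to the other. Binlog events can carry statement text, so the first half widens read access for existing grants and should be stated in the comment if it is intended. To keep existing replication accounts working, `constexpr privilege_t PRIV_STMT_SHOW_BINLOG_EVENTS= BINLOG_MONITOR_ACL | REPL_SLAVE_ACL;` would be the compatible form.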
diff --git a/sql/repl_failsafe.cc b/sql/repl_failsafe.cc index 09b3269371e..1df85759a9c 100644 --- a/sql/repl_failsafe.cc +++ b/sql/repl_failsafe.cc @@ -122,7 +122,7 @@ int THD::register_slave(uchar *packet, size_t packet_length) uchar *p= packet, *p_end= packet + packet_length; const char *errmsg= "Wrong parameters to function register_slave"; - if (check_access(this, REPL_SLAVE_ACL, any_db, NULL, NULL, 0, 0)) + if (check_access(this, PRIV_COM_REGISTER_SLAVE, any_db, NULL, NULL, 0, 0)) return 1; if (!(si= (Slave_info*)my_malloc(key_memory_SLAVE_INFO, sizeof(Slave_info), MYF(MY_WME)))) diff --git a/sql/set_var.cc b/sql/set_var.cc index df52d42f54a..551b92012d1 100644 --- a/sql/set_var.cc +++ b/sql/set_var.cc @@ -33,7 +33,6 @@ // date_time_format_make #include "derror.h" #include "tztime.h" // my_tz_find, my_tz_SYSTEM, struct Time_zone -#include "sql_acl.h" // SUPER_ACL #include "sql_select.h" // free_underlaid_joins #include "sql_i_s.h" #include "sql_view.h" // updatable_views_with_limit_typelib @@ -788,7 +787,8 @@ int set_var::check(THD *thd) my_error(err, MYF(0), var->name.str); return -1; } - if ((type == OPT_GLOBAL && check_global_access(thd, SUPER_ACL))) + if (type == OPT_GLOBAL && + check_global_access(thd, PRIV_SET_GLOBAL_SYSTEM_VARIABLE)) return 1; /* value is a NULL pointer if we are using SET ... = DEFAULT */ if (!value) @@ -825,7 +825,8 @@ int set_var::light_check(THD *thd) my_error(err, MYF(0), var->name.str); return -1; } - if (type == OPT_GLOBAL && check_global_access(thd, SUPER_ACL)) + if (type == OPT_GLOBAL && + check_global_access(thd, PRIV_SET_GLOBAL_SYSTEM_VARIABLE)) return 1; if (value && value->fix_fields_if_needed_for_scalar(thd, &value)) diff --git a/sql/slave.cc b/sql/slave.cc index f57015169a7..aba10b8bd6e 100644 --- a/sql/slave.cc +++ b/sql/slave.cc 
@@ -1665,7 +1665,7 @@ bool Sql_cmd_show_slave_status::execute(THD *thd) bool res= true; /* Accept one of two privileges */ - if (check_global_access(thd, SUPER_ACL | REPL_CLIENT_ACL)) + if (check_global_access(thd, PRIV_STMT_SHOW_SLAVE_STATUS)) goto error; if (is_show_all_slaves_stat()) { diff --git a/sql/sp.cc b/sql/sp.cc index 584ec0b520b..157ddeb63c6 100644 --- a/sql/sp.cc +++ b/sql/sp.cc @@ -28,7 +28,6 @@ // mysql_change_db, check_db_dir_existence, // load_db_opt_by_name #include "sql_table.h" // write_bin_log -#include "sql_acl.h" // SUPER_ACL #include "sp_head.h" #include "sp_cache.h" #include "lock.h" // lock_object_name @@ -1398,7 +1397,7 @@ Sp_handler::sp_create_routine(THD *thd, const sp_head *sp) const goto done; } } - if (!(thd->security_ctx->master_access & SUPER_ACL)) + if (!(thd->security_ctx->master_access & PRIV_LOG_BIN_TRUSTED_SP_CREATOR)) { my_error(ER_BINLOG_CREATE_ROUTINE_NEED_SUPER,MYF(0)); goto done; diff --git a/sql/sp_head.cc b/sql/sp_head.cc index 9b378cc66f7..b63cf79dd7e 100644 --- a/sql/sp_head.cc +++ b/sql/sp_head.cc @@ -23,7 +23,6 @@ #include "probes_mysql.h" #include "sql_show.h" // append_identifier #include "sql_db.h" // mysql_opt_change_db, mysql_change_db -#include "sql_acl.h" // *_ACL #include "sql_array.h" // Dynamic_array #include "log_event.h" // Query_log_event #include "sql_derived.h" // mysql_handle_derived @@ -231,7 +230,7 @@ sp_get_flags_for_command(LEX *lex) case SQLCOM_SHOW_ENGINE_MUTEX: case SQLCOM_SHOW_EVENTS: case SQLCOM_SHOW_KEYS: - case SQLCOM_SHOW_MASTER_STAT: + case SQLCOM_SHOW_BINLOG_STAT: case SQLCOM_SHOW_OPEN_TABLES: case SQLCOM_SHOW_PRIVILEGES: case SQLCOM_SHOW_PROCESSLIST: diff --git a/sql/sql_acl.cc b/sql/sql_acl.cc index 4da88a9e82c..df7b4930568 100644 --- a/sql/sql_acl.cc +++ b/sql/sql_acl.cc 
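Review bot: The retained comment `/* Accept one of two privileges */` in `Sql_cmd_show_slave_status::execute()` now describes a different pair: privilege.h in this commit defines `PRIV_STMT_SHOW_SLAVE_STATUS` as `REPL_SLAVE_ADMIN_ACL | SUPER_ACL`, where the check was `SUPER_ACL | REPL_CLIENT_ACL`. Accounts that hold only the former REPLICATION CLIENT bit (now BINLOG MONITOR) will be denied, and the upgrade code visible in sql_acl.cc adds `REPL_SLAVE_ADMIN_ACL` only to SUPER holders. Granting REPLICATION SLAVE ADMIN to a monitoring account so it can read status also lets it pass the `PRIV_STMT_START_SLAVE`, `PRIV_STMT_STOP_SLAVE` and `PRIV_STMT_CHANGE_MASTER` checks, which works against least privilege. I would either keep the monitor bit accepted here, `REPL_SLAVE_ADMIN_ACL | BINLOG_MONITOR_ACL | SUPER_ACL`, or name the two accepted privileges in the comment so the change is visible at the call site.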
@@ -1001,7 +1001,7 @@ class User_table_tabular: public User_table { access|= LOCK_TABLES_ACL | CREATE_TMP_ACL | SHOW_DB_ACL; if (access & FILE_ACL) - access|= REPL_CLIENT_ACL | REPL_SLAVE_ACL; + access|= BINLOG_MONITOR_ACL | REPL_SLAVE_ACL | BINLOG_ADMIN_ACL ; if (access & PROCESS_ACL) access|= SUPER_ACL | EXECUTE_ACL; } @@ -1029,6 +1029,12 @@ class User_table_tabular: public User_table if (num_fields() <= 46 && (access & DELETE_ACL)) access|= DELETE_HISTORY_ACL; + if (access & SUPER_ACL) + access|= GLOBAL_SUPER_ADDED_SINCE_USER_TABLE_ACLS; + + if (access & REPL_SLAVE_ACL) + access|= REPL_MASTER_ADMIN_ACL; + return access & GLOBAL_ACLS; } @@ -1503,12 +1509,26 @@ class User_table_json: public User_table privilege_t adjust_access(ulonglong version_id, ulonglong access) const { privilege_t mask= ALL_KNOWN_ACL_100304; - if (access & ~mask) + ulonglong orig_access= access; + if (version_id >= 100502) + { + mask= ALL_KNOWN_ACL_100502; + } + else // 100501 or earlier + { + if (access & SUPER_ACL) + access|= GLOBAL_SUPER_ADDED_SINCE_USER_TABLE_ACLS; + + if (access & REPL_SLAVE_ACL) + access|= REPL_MASTER_ADMIN_ACL; + } + + if (orig_access & ~mask) { - print_warning_bad_access(version_id, mask, access); + print_warning_bad_access(version_id, mask, orig_access); return NO_ACL; } - return access & mask; + return access & ALL_KNOWN_ACL; } privilege_t get_access() const 
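Review bot: In the `if (access & FILE_ACL)` branch the new `BINLOG_ADMIN_ACL` is derived from FILE, yet privilege.h in this commit notes that `PRIV_STMT_PURGE_BINLOG` (`BINLOG_ADMIN_ACL | SUPER_ACL`) "Was SUPER_ACL prior to 10.5.2". An account in this old table layout that holds FILE but not PROCESS would thereby gain a capability that used to require SUPER; SUPER holders already receive `BINLOG_ADMIN_ACL` through `GLOBAL_SUPER_ADDED_SINCE_USER_TABLE_ACLS` a few lines further down. Unless that widening is intended, `access|= BINLOG_MONITOR_ACL | REPL_SLAVE_ACL;` keeps the previous mapping under the new name. The condition that selects this branch starts outside the hunk, so which table versions are affected cannot be seen from here.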
@@ -8857,19 +8877,32 @@ static const char *command_array[]= "SELECT", "INSERT", "UPDATE", "DELETE", "CREATE", "DROP", "RELOAD", "SHUTDOWN", "PROCESS","FILE", "GRANT", "REFERENCES", "INDEX", "ALTER", "SHOW DATABASES", "SUPER", "CREATE TEMPORARY TABLES", - "LOCK TABLES", "EXECUTE", "REPLICATION SLAVE", "REPLICATION CLIENT", + "LOCK TABLES", "EXECUTE", "REPLICATION SLAVE", "BINLOG MONITOR", "CREATE VIEW", "SHOW VIEW", "CREATE ROUTINE", "ALTER ROUTINE", - "CREATE USER", "EVENT", "TRIGGER", "CREATE TABLESPACE", - "DELETE HISTORY" + "CREATE USER", "EVENT", "TRIGGER", "CREATE TABLESPACE", "DELETE HISTORY", + "SET USER", "FEDERATED ADMIN", "CONNECTION ADMIN", "READ_ONLY ADMIN", + "REPLICATION SLAVE ADMIN", "REPLICATION MASTER ADMIN", "BINLOG ADMIN" }; static uint command_lengths[]= { - 6, 6, 6, 6, 6, 4, 6, 8, 7, 4, 5, 10, 5, 5, 14, 5, 23, 11, 7, 17, 18, 11, 9, - 14, 13, 11, 5, 7, 17, 14, + 6, 6, 6, 6, 6, 4, 6, + 8, 7, 4, 5, 10, 5, + 5, 14, 5, 23, + 11, 7, 17, 14, + 11, 9, 14, 13, + 11, 5, 7, 17, 14, + 8, 15, 16, 15, + 23, 24, 12 }; +static_assert(array_elements(command_array) == PRIVILEGE_T_MAX_BIT + 1, + "The definition of command_array does not match privilege_t"); +static_assert(array_elements(command_lengths) == PRIVILEGE_T_MAX_BIT + 1, + "The definition of command_lengths does not match privilege_t"); + + static bool print_grants_for_role(THD *thd, ACL_ROLE * role) { char buff[1024]; @@ -12993,7 +13026,7 @@ static bool send_plugin_request_packet(MPVIO_EXT *mpvio, static bool ignore_max_password_errors(const ACL_USER *acl_user) { const char *host= acl_user->host.hostname; - return (acl_user->access & SUPER_ACL) + return (acl_user->access & PRIV_IGNORE_MAX_PASSWORD_ERRORS) && (!strcasecmp(host, "localhost") || !strcmp(host, "127.0.0.1") || !strcmp(host, "::1")); 
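Review bot: The two `static_assert`s added after `command_lengths` compare only element counts with `PRIVILEGE_T_MAX_BIT + 1`, so a miscounted length in the hand-written table, which this hunk extends by seven entries, would still compile. The values added here do match their strings, but the two arrays have to be kept in step by hand on every new privilege. I would store name and length together, for example as an array of `LEX_CSTRING` initialised with `STRING_WITH_LEN(...)`, or at least add a debug-build loop asserting `strlen(command_array[i]) == command_lengths[i]`.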
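Review bot: `ignore_max_password_errors()` now returns true for any local account that holds CONNECTION ADMIN, not only for SUPER holders, and the function carries no comment saying so. Since this presumably exempts such accounts from the max_password_errors limit, whoever grants CONNECTION ADMIN should be able to see that consequence in the code. I would add above the function `/* Accounts with SUPER or CONNECTION ADMIN connecting from localhost, 127.0.0.1 or ::1 are exempt from max_password_errors */`.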
@@ -14191,7 +14224,7 @@ bool acl_authenticate(THD *thd, uint com_change_user_pkt_len) (longlong) sctx->master_access, mpvio.db.str)); if (command == COM_CONNECT && - !(thd->main_security_ctx.master_access & SUPER_ACL)) + !(thd->main_security_ctx.master_access & PRIV_IGNORE_MAX_CONNECTIONS)) { if (*thd->scheduler->connection_count > *thd->scheduler->max_connections) { // too many connections diff --git a/sql/sql_admin.cc b/sql/sql_admin.cc index 3982f453bd2..cfc48c82b4d 100644 --- a/sql/sql_admin.cc +++ b/sql/sql_admin.cc @@ -26,7 +26,6 @@ #include "sql_view.h" // view_checksum #include "sql_table.h" // mysql_recreate_table #include "debug_sync.h" // DEBUG_SYNC -#include "sql_acl.h" // *_ACL #include "sp.h" // Sroutine_hash_entry #include "sql_parse.h" // check_table_access #include "strfunc.h" diff --git a/sql/sql_base.cc b/sql/sql_base.cc index 4f0cf9babf4..c41e08e4b8c 100644 --- a/sql/sql_base.cc +++ b/sql/sql_base.cc @@ -30,9 +30,6 @@ #include "sql_view.h" // mysql_make_view, VIEW_ANY_ACL #include "sql_parse.h" // check_table_access #include "sql_insert.h" // kill_delayed_threads -#include "sql_acl.h" // *_ACL, check_grant_all_columns, - // check_column_grant_in_table_ref, - // get_column_grant #include "sql_partition.h" // ALTER_PARTITION_PARAM_TYPE #include "sql_derived.h" // mysql_derived_prepare, // mysql_handle_derived, diff --git a/sql/sql_binlog.cc b/sql/sql_binlog.cc index b98792bb43c..ea91f68f360 100644 --- a/sql/sql_binlog.cc +++ b/sql/sql_binlog.cc @@ -189,7 +189,7 @@ void mysql_client_binlog_statement(THD* thd) thd->lex->comment.length : 2048), thd->lex->comment.str)); - if (check_global_access(thd, SUPER_ACL)) + if (check_global_access(thd, PRIV_STMT_BINLOG)) DBUG_VOID_RETURN; /* diff --git a/sql/sql_cmd.h b/sql/sql_cmd.h index 1f8f2dcabc9..ce34852117f 100644 --- a/sql/sql_cmd.h +++ b/sql/sql_cmd.h 
@@ -38,7 +38,7 @@ enum enum_sql_command { SQLCOM_SHOW_DATABASES, SQLCOM_SHOW_TABLES, SQLCOM_SHOW_FIELDS, SQLCOM_SHOW_KEYS, SQLCOM_SHOW_VARIABLES, SQLCOM_SHOW_STATUS, SQLCOM_SHOW_ENGINE_LOGS, SQLCOM_SHOW_ENGINE_STATUS, SQLCOM_SHOW_ENGINE_MUTEX, - SQLCOM_SHOW_PROCESSLIST, SQLCOM_SHOW_MASTER_STAT, SQLCOM_SHOW_SLAVE_STAT, + SQLCOM_SHOW_PROCESSLIST, SQLCOM_SHOW_BINLOG_STAT, SQLCOM_SHOW_SLAVE_STAT, SQLCOM_SHOW_GRANTS, SQLCOM_SHOW_CREATE, SQLCOM_SHOW_CHARSETS, SQLCOM_SHOW_COLLATIONS, SQLCOM_SHOW_CREATE_DB, SQLCOM_SHOW_TABLE_STATUS, SQLCOM_SHOW_TRIGGERS, diff --git a/sql/sql_connect.cc b/sql/sql_connect.cc index d095697eb09..d5a90089da4 100644 --- a/sql/sql_connect.cc +++ b/sql/sql_connect.cc @@ -35,7 +35,6 @@ #include "sql_db.h" // mysql_change_db #include "hostname.h" // inc_host_errors, ip_to_hostname, // reset_host_errors -#include "privilege.h" // acl_getroot, SUPER_ACL #include "sql_callback.h" #ifdef WITH_WSREP @@ -140,7 +139,7 @@ int check_for_max_user_connections(THD *thd, USER_CONN *uc) if (global_system_variables.max_user_connections && !uc->user_resources.user_conn && global_system_variables.max_user_connections < uc->connections && - !(thd->security_ctx->master_access & SUPER_ACL)) + !(thd->security_ctx->master_access & PRIV_IGNORE_MAX_USER_CONNECTIONS)) { my_error(ER_TOO_MANY_USER_CONNECTIONS, MYF(0), uc->user); error=1; @@ -1246,7 +1245,8 @@ void prepare_new_connection_state(THD* thd) thd->set_command(COM_SLEEP); thd->init_for_queries(); - if (opt_init_connect.length && !(sctx->master_access & SUPER_ACL)) + if (opt_init_connect.length && + !(sctx->master_access & PRIV_IGNORE_INIT_CONNECT)) { execute_init_command(thd, &opt_init_connect, &LOCK_sys_init_connect); if (unlikely(thd->is_error())) diff --git a/sql/sql_delete.cc b/sql/sql_delete.cc index 6a4ce266af2..bef77e1a2e9 100644 --- a/sql/sql_delete.cc +++ b/sql/sql_delete.cc 
@@ -30,7 +30,6 @@ #include "lock.h" // unlock_table_name #include "sql_view.h" // check_key_in_view, mysql_frm_type #include "sql_parse.h" // mysql_init_select -#include "sql_acl.h" // *_ACL #include "filesort.h" // filesort #include "sql_handler.h" // mysql_ha_rm_tables #include "sql_select.h" diff --git a/sql/sql_insert.cc b/sql/sql_insert.cc index 71c09159f1c..708423c6214 100644 --- a/sql/sql_insert.cc +++ b/sql/sql_insert.cc @@ -67,7 +67,6 @@ #include "sp_head.h" #include "sql_view.h" // check_key_in_view, insert_view_fields #include "sql_table.h" // mysql_create_table_no_lock -#include "sql_acl.h" // *_ACL, check_grant_all_columns #include "sql_trigger.h" #include "sql_select.h" #include "sql_show.h" diff --git a/sql/sql_parse.cc b/sql/sql_parse.cc index fa5da2cf23d..cb0d210b12c 100644 --- a/sql/sql_parse.cc +++ b/sql/sql_parse.cc @@ -56,13 +56,6 @@ #include "sql_rename.h" // mysql_rename_tables #include "sql_tablespace.h" // mysql_alter_tablespace #include "hostname.h" // hostname_cache_refresh -#include "sql_acl.h" // *_ACL, check_grant, is_acl_user, - // has_any_table_level_privileges, - // mysql_drop_user, mysql_rename_user, - // check_grant_routine, - // mysql_routine_grant, - // mysql_show_grants, - // sp_grant_privileges, ... #include "sql_test.h" // mysql_print_status #include "sql_select.h" // handle_select, mysql_select, // mysql_explain_union @@ -680,7 +673,7 @@ void init_update_queries(void) sql_command_flags[SQLCOM_SHOW_CREATE_USER]= CF_STATUS_COMMAND; sql_command_flags[SQLCOM_SHOW_CREATE_DB]= CF_STATUS_COMMAND; sql_command_flags[SQLCOM_SHOW_CREATE]= CF_STATUS_COMMAND; - sql_command_flags[SQLCOM_SHOW_MASTER_STAT]= CF_STATUS_COMMAND; + sql_command_flags[SQLCOM_SHOW_BINLOG_STAT]= CF_STATUS_COMMAND; sql_command_flags[SQLCOM_SHOW_SLAVE_STAT]= CF_STATUS_COMMAND; sql_command_flags[SQLCOM_SHOW_CREATE_PROC]= CF_STATUS_COMMAND; sql_command_flags[SQLCOM_SHOW_CREATE_FUNC]= CF_STATUS_COMMAND; 
@@ -1406,7 +1399,7 @@ static bool deny_updates_if_read_only_option(THD *thd, TABLE_LIST *all_tables) LEX *lex= thd->lex; /* Super user is allowed to do changes */ - if ((thd->security_ctx->master_access & SUPER_ACL) == SUPER_ACL) + if ((thd->security_ctx->master_access & PRIV_IGNORE_READ_ONLY) != NO_ACL) DBUG_RETURN(FALSE); /* Check if command doesn't update anything */ @@ -1446,10 +1439,10 @@ static bool deny_updates_if_read_only_option(THD *thd, TABLE_LIST *all_tables) static my_bool wsrep_read_only_option(THD *thd, TABLE_LIST *all_tables) { int opt_readonly_saved = opt_readonly; - privilege_t flag_saved= thd->security_ctx->master_access & SUPER_ACL; + privilege_t flag_saved= thd->security_ctx->master_access & PRIV_IGNORE_READ_ONLY; opt_readonly = 0; - thd->security_ctx->master_access &= ~SUPER_ACL; + thd->security_ctx->master_access &= ~PRIV_IGNORE_READ_ONLY; my_bool ret = !deny_updates_if_read_only_option(thd, all_tables); @@ -2093,7 +2086,7 @@ bool dispatch_command(enum enum_server_command command, THD *thd, status_var_increment(thd->status_var.com_other); thd->query_plan_flags|= QPLAN_ADMIN; - if (check_global_access(thd, REPL_SLAVE_ACL)) + if (check_global_access(thd, PRIV_COM_BINLOG_DUMP)) break; /* TODO: The following has to be changed to an 8 byte integer */ @@ -2249,12 +2242,12 @@ bool dispatch_command(enum enum_server_command command, THD *thd, case COM_PROCESS_INFO: status_var_increment(thd->status_var.com_stat[SQLCOM_SHOW_PROCESSLIST]); if (!thd->security_ctx->priv_user[0] && - check_global_access(thd, PROCESS_ACL)) + check_global_access(thd, PRIV_COM_PROCESS_INFO)) break; general_log_print(thd, command, NullS); mysqld_list_processes(thd, - thd->security_ctx->master_access & PROCESS_ACL ? - NullS : thd->security_ctx->priv_user, 0); + thd->security_ctx->master_access & PRIV_COM_PROCESS_INFO ? + NullS : thd->security_ctx->priv_user, 0); break; case COM_PROCESS_KILL: { 
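Review bot: In deny_updates_if_read_only_option the bypass test changes from an all-bits comparison (`== SUPER_ACL`) to an any-bit one (`!= NO_ACL`), but the context comment above it still reads `/* Super user is allowed to do changes */`. If PRIV_IGNORE_READ_ONLY is a union of ACL bits (its definition is not in this hunk), holding any single one of them now lifts --read-only. The comment should say so, e.g. `/* Holders of any PRIV_IGNORE_READ_ONLY bit may write despite --read-only */`. The same stale wording survives in trans_begin in sql/transaction.cc, where `user_is_super` is now computed from PRIV_IGNORE_READ_ONLY; `user_ignores_read_only` would match the new check. The function body continues outside the hunk.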
@@ -2286,7 +2279,7 @@ bool dispatch_command(enum enum_server_command command, THD *thd, } case COM_DEBUG: status_var_increment(thd->status_var.com_other); - if (check_global_access(thd, SUPER_ACL)) + if (check_global_access(thd, PRIV_DEBUG)) break; /* purecov: inspected */ mysql_print_status(); general_log_print(thd, command, NullS); @@ -2840,7 +2833,7 @@ bool sp_process_definer(THD *thd) !my_strcasecmp(system_charset_info, d->host.str, thd->security_ctx->priv_host); if (!curuserhost && !currole && - check_global_access(thd, SUPER_ACL, false)) + check_global_access(thd, PRIV_DEFINER_CLAUSE, false)) DBUG_RETURN(TRUE); } @@ -3828,7 +3821,7 @@ mysql_execute_command(THD *thd) case SQLCOM_SHOW_EXPLAIN: { if (!thd->security_ctx->priv_user[0] && - check_global_access(thd,PROCESS_ACL)) + check_global_access(thd, PRIV_STMT_SHOW_EXPLAIN)) break; /* @@ -3946,7 +3939,7 @@ mysql_execute_command(THD *thd) #ifndef EMBEDDED_LIBRARY case SQLCOM_PURGE: { - if (check_global_access(thd, SUPER_ACL)) + if (check_global_access(thd, PRIV_STMT_PURGE_BINLOG)) goto error; /* PURGE MASTER LOGS TO 'file' */ res = purge_master_logs(thd, lex->to_log); @@ -3956,7 +3949,7 @@ mysql_execute_command(THD *thd) { Item *it; - if (check_global_access(thd, SUPER_ACL)) + if (check_global_access(thd, PRIV_STMT_PURGE_BINLOG)) goto error; /* PURGE MASTER LOGS BEFORE 'data' */ it= (Item *)lex->value_list.head(); 
@@ -4003,16 +3996,23 @@ mysql_execute_command(THD *thd) #ifdef HAVE_REPLICATION case SQLCOM_SHOW_SLAVE_HOSTS: { - if (check_global_access(thd, REPL_SLAVE_ACL)) + if (check_global_access(thd, PRIV_STMT_SHOW_SLAVE_HOSTS)) goto error; res = show_slave_hosts(thd); break; } - case SQLCOM_SHOW_RELAYLOG_EVENTS: /* fall through */ + case SQLCOM_SHOW_RELAYLOG_EVENTS: + { + WSREP_SYNC_WAIT(thd, WSREP_SYNC_WAIT_BEFORE_SHOW); + if (check_global_access(thd, PRIV_STMT_SHOW_RELAYLOG_EVENTS)) + goto error; + res = mysql_show_binlog_events(thd); + break; + } case SQLCOM_SHOW_BINLOG_EVENTS: { WSREP_SYNC_WAIT(thd, WSREP_SYNC_WAIT_BEFORE_SHOW); - if (check_global_access(thd, REPL_SLAVE_ACL)) + if (check_global_access(thd, PRIV_STMT_SHOW_BINLOG_EVENTS)) goto error; res = mysql_show_binlog_events(thd); break; @@ -4049,7 +4049,7 @@ mysql_execute_command(THD *thd) bool new_master= 0; bool master_info_added; - if (check_global_access(thd, SUPER_ACL)) + if (check_global_access(thd, PRIV_STMT_CHANGE_MASTER)) goto error; /* In this code it's ok to use LOCK_active_mi as we are adding new things @@ -4104,10 +4104,10 @@ mysql_execute_command(THD *thd) break; } - case SQLCOM_SHOW_MASTER_STAT: + case SQLCOM_SHOW_BINLOG_STAT: { /* Accept one of two privileges */ - if (check_global_access(thd, SUPER_ACL | REPL_CLIENT_ACL)) + if (check_global_access(thd, PRIV_STMT_SHOW_BINLOG_STATUS)) goto error; res = show_binlog_info(thd); break; @@ -4116,14 +4116,14 @@ mysql_execute_command(THD *thd) #endif /* HAVE_REPLICATION */ case SQLCOM_SHOW_ENGINE_STATUS: { - if (check_global_access(thd, PROCESS_ACL)) + if (check_global_access(thd, PRIV_STMT_SHOW_ENGINE_STATUS)) goto error; res = ha_show_status(thd, lex->create_info.db_type, HA_ENGINE_STATUS); break; } case SQLCOM_SHOW_ENGINE_MUTEX: { - if (check_global_access(thd, PROCESS_ACL)) + if (check_global_access(thd, PRIV_STMT_SHOW_ENGINE_MUTEX)) goto error; res = ha_show_status(thd, lex->create_info.db_type, HA_ENGINE_MUTEX); break; 
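Review bot: The context comment `/* Accept one of two privileges */` in the SQLCOM_SHOW_BINLOG_STAT case no longer describes the call beneath it, which now passes the single alias PRIV_STMT_SHOW_BINLOG_STATUS instead of `SUPER_ACL | REPL_CLIENT_ACL`. Which ACL bits that alias carries is not visible in this hunk, so the comment should name the alias rather than count privileges, e.g. `/* Requires PRIV_STMT_SHOW_BINLOG_STATUS */`. The enclosing switch in mysql_execute_command extends beyond the hunk.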
@@ -4284,7 +4284,7 @@ mysql_execute_command(THD *thd) goto error; #else { - if (check_global_access(thd, SUPER_ACL | REPL_CLIENT_ACL)) + if (check_global_access(thd, PRIV_STMT_SHOW_BINARY_LOGS)) goto error; WSREP_SYNC_WAIT(thd, WSREP_SYNC_WAIT_BEFORE_SHOW); res = show_binlogs(thd); @@ -4416,7 +4416,7 @@ mysql_execute_command(THD *thd) if (res) break; if (opt_readonly && - !(thd->security_ctx->master_access & SUPER_ACL) && + !(thd->security_ctx->master_access & PRIV_IGNORE_READ_ONLY) && some_non_temp_table_to_be_updated(thd, all_tables)) { my_error(ER_OPTION_PREVENTS_STATEMENT, MYF(0), "--read-only"); @@ -4892,13 +4892,13 @@ mysql_execute_command(THD *thd) } case SQLCOM_SHOW_PROCESSLIST: if (!thd->security_ctx->priv_user[0] && - check_global_access(thd,PROCESS_ACL)) + check_global_access(thd, PRIV_STMT_SHOW_PROCESSLIST)) break; mysqld_list_processes(thd, - (thd->security_ctx->master_access & PROCESS_ACL ? - NullS : - thd->security_ctx->priv_user), - lex->verbose); + (thd->security_ctx->master_access & PRIV_STMT_SHOW_PROCESSLIST ? + NullS : + thd->security_ctx->priv_user), + lex->verbose); break; case SQLCOM_SHOW_AUTHORS: res= mysqld_show_authors(thd); @@ -5810,7 +5810,7 @@ mysql_execute_command(THD *thd) { DBUG_PRINT("info", ("case SQLCOM_CREATE_SERVER")); - if (check_global_access(thd, SUPER_ACL)) + if (check_global_access(thd, PRIV_STMT_CREATE_SERVER)) break; WSREP_TO_ISOLATION_BEGIN(WSREP_MYSQL_DB, NULL, NULL); @@ -5823,7 +5823,7 @@ mysql_execute_command(THD *thd) int error; DBUG_PRINT("info", ("case SQLCOM_ALTER_SERVER")); - if (check_global_access(thd, SUPER_ACL)) + if (check_global_access(thd, PRIV_STMT_ALTER_SERVER)) break; WSREP_TO_ISOLATION_BEGIN(WSREP_MYSQL_DB, NULL, NULL); @@ -5843,7 +5843,7 @@ mysql_execute_command(THD *thd) int err_code; DBUG_PRINT("info", ("case SQLCOM_DROP_SERVER")); - if (check_global_access(thd, SUPER_ACL)) + if (check_global_access(thd, PRIV_STMT_DROP_SERVER)) break; WSREP_TO_ISOLATION_BEGIN(WSREP_MYSQL_DB, NULL, NULL); 
@@ -7146,10 +7146,8 @@ bool check_some_access(THD *thd, privilege_t want_access, TABLE_LIST *table) @param want_access Use should have any of these global rights @warning - One gets access right if one has ANY of the rights in want_access. - This is useful as one in most cases only need one global right, - but in some case we want to check if the user has SUPER or - REPL_CLIENT_ACL rights. + Starting from 10.5.2 only one bit is allowed in want_access. + Access denied error is returned if want_access has multiple bits set. @retval 0 ok @@ -7161,7 +7159,7 @@ bool check_global_access(THD *thd, privilege_t want_access, bool no_errors) { #ifndef NO_EMBEDDED_ACCESS_CHECKS char command[128]; - if ((thd->security_ctx->master_access & want_access)) + if (thd->security_ctx->master_access & want_access) return 0; if (unlikely(!no_errors)) { @@ -9099,11 +9097,11 @@ kill_one_thread(THD *thd, longlong id, killed_state kill_signal, killed_type typ */ #ifdef WITH_WSREP - if (((thd->security_ctx->master_access & SUPER_ACL) || + if (((thd->security_ctx->master_access & PRIV_KILL_OTHER_USER_PROCESS) || thd->security_ctx->user_matches(tmp->security_ctx)) && !wsrep_thd_is_BF(tmp, false) && !tmp->wsrep_applier) #else - if ((thd->security_ctx->master_access & SUPER_ACL) || + if ((thd->security_ctx->master_access & PRIV_KILL_OTHER_USER_PROCESS) || thd->security_ctx->user_matches(tmp->security_ctx)) #endif /* WITH_WSREP */ { @@ -9156,7 +9154,8 @@ static my_bool kill_threads_callback(THD *thd, kill_threads_callback_arg *arg) !strcmp(thd->security_ctx->host_or_ip, arg->user->host.str)) && !strcmp(thd->security_ctx->user, arg->user->user.str)) { - if (!(arg->thd->security_ctx->master_access & SUPER_ACL) && + if (!(arg->thd->security_ctx->master_access & + PRIV_KILL_OTHER_USER_PROCESS) && !arg->thd->security_ctx->user_matches(thd->security_ctx)) return 1; if (!arg->threads_to_kill.push_back(thd, arg->thd->mem_root)) 
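Review bot: The rewritten @warning for check_global_access says an access-denied error is returned when want_access has multiple bits set, yet the condition in the following hunk is still `if (thd->security_ctx->master_access & want_access) return 0;`, which grants access as soon as any one requested bit is held. Nothing visible rejects a multi-bit argument, so a PRIV_* alias defined as an OR of bits would be treated as "any of" rather than denied. The rest of the function body is outside the hunk, so a check further down cannot be ruled out. Either document the real rule, `One gets access if one holds ANY bit in want_access`, or enforce the stated one with a debug assertion on the bit count ahead of the test.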
diff --git a/sql/sql_plugin.cc b/sql/sql_plugin.cc index 478fd4b4335..1d18b0ef392 100644 --- a/sql/sql_plugin.cc +++ b/sql/sql_plugin.cc @@ -28,7 +28,6 @@ #include "sql_table.h" #include "sql_show.h" // remove_status_vars, add_status_vars #include "strfunc.h" // find_set -#include "sql_acl.h" // *_ACL #include "records.h" // init_read_record, end_read_record #include <my_pthread.h> #include <my_getopt.h> diff --git a/sql/sql_prepare.cc b/sql/sql_prepare.cc index 216ee5bd680..98ffc842196 100644 --- a/sql/sql_prepare.cc +++ b/sql/sql_prepare.cc @@ -99,7 +99,6 @@ When one supplies long data for a placeholder: #include "sql_insert.h" // upgrade_lock_type_for_insert, mysql_prepare_insert #include "sql_update.h" // mysql_prepare_update #include "sql_db.h" // mysql_opt_change_db, mysql_change_db -#include "sql_acl.h" // *_ACL #include "sql_derived.h" // mysql_derived_prepare, // mysql_handle_derived #include "sql_cte.h" @@ -1949,7 +1948,7 @@ static int mysql_test_show_slave_status(Prepared_statement *stmt, /** - Validate and prepare for execution SHOW MASTER STATUS statement. + Validate and prepare for execution SHOW BINLOG STATUS statement. @param stmt prepared statement @@ -1959,9 +1958,9 @@ static int mysql_test_show_slave_status(Prepared_statement *stmt, TRUE error, error message is set in THD */ -static int mysql_test_show_master_status(Prepared_statement *stmt) +static int mysql_test_show_binlog_status(Prepared_statement *stmt) { - DBUG_ENTER("mysql_test_show_master_status"); + DBUG_ENTER("mysql_test_show_binlog_status"); THD *thd= stmt->thd; List<Item> fields; @@ -2410,8 +2409,8 @@ static bool check_prepared_statement(Prepared_statement *stmt) } break; } - case SQLCOM_SHOW_MASTER_STAT: - if ((res= mysql_test_show_master_status(stmt)) == 2) + case SQLCOM_SHOW_BINLOG_STAT: + if ((res= mysql_test_show_binlog_status(stmt)) == 2) { /* Statement and field info has already been sent */ DBUG_RETURN(FALSE); 
diff --git a/sql/sql_repl.cc b/sql/sql_repl.cc index 73fc01618e3..f11b3a35a80 100644 --- a/sql/sql_repl.cc +++ b/sql/sql_repl.cc @@ -24,7 +24,6 @@ #include "rpl_mi.h" #include "rpl_rli.h" #include "sql_repl.h" -#include "sql_acl.h" // SUPER_ACL #include "log_event.h" #include "rpl_filter.h" #include <my_dir.h> @@ -3081,7 +3080,7 @@ int start_slave(THD* thd , Master_info* mi, bool net_report) char relay_log_info_file_tmp[FN_REFLEN]; DBUG_ENTER("start_slave"); - if (check_access(thd, SUPER_ACL, any_db, NULL, NULL, 0, 0)) + if (check_global_access(thd, PRIV_STMT_START_SLAVE)) DBUG_RETURN(-1); create_logfile_name_with_suffix(master_info_file_tmp, @@ -3284,7 +3283,7 @@ int stop_slave(THD* thd, Master_info* mi, bool net_report ) DBUG_ENTER("stop_slave"); DBUG_PRINT("enter",("Connection: %s", mi->connection_name.str)); - if (check_access(thd, SUPER_ACL, any_db, NULL, NULL, 0, 0)) + if (check_global_access(thd, PRIV_STMT_STOP_SLAVE)) DBUG_RETURN(-1); THD_STAGE_INFO(thd, stage_killing_slave); int thread_mask; @@ -4217,7 +4216,7 @@ void show_binlog_info_get_fields(THD *thd, List<Item> *field_list) /** - Execute a SHOW MASTER STATUS statement. + Execute a SHOW BINLOG STATUS statement. @param thd Pointer to THD object for the client thread executing the statement. diff --git a/sql/sql_select.cc b/sql/sql_select.cc index 397b5b988b2..e8fd275c55b 100644 --- a/sql/sql_select.cc +++ b/sql/sql_select.cc @@ -43,7 +43,6 @@ #include "sql_base.h" // setup_wild, setup_fields, fill_record #include "sql_parse.h" // check_stack_overrun #include "sql_partition.h" // make_used_partitions_str -#include "sql_acl.h" // *_ACL #include "sql_test.h" // print_where, print_keyuse_array, // print_sjm, print_plan, TEST_join #include "records.h" // init_read_record, end_read_record diff --git a/sql/sql_show.cc b/sql/sql_show.cc index bbb7dae7250..02f6278140c 100644 --- a/sql/sql_show.cc +++ b/sql/sql_show.cc 
@@ -480,7 +480,10 @@ static struct show_privileges_st sys_privileges[]= {"Proxy", "Server Admin", "To make proxy user possible"}, {"References", "Databases,Tables", "To have references on tables"}, {"Reload", "Server Admin", "To reload or refresh tables, logs and privileges"}, - {"Replication client","Server Admin","To ask where the slave or master servers are"}, + {"Binlog admin", "Server", "To purge binary logs"}, + {"Binlog monitor", "Server", "To use SHOW BINLOG STATUS and SHOW BINARY LOG"}, + {"Replication master admin", "Server", "To monitor connected slaves"}, + {"Replication slave admin", "Server", "To start/monitor/stop slave and apply binlog events"}, {"Replication slave","Server Admin","To read binary log events from the master"}, {"Select", "Tables", "To retrieve rows from table"}, {"Show databases","Server Admin","To see all databases with SHOW DATABASES"}, @@ -490,6 +493,10 @@ static struct show_privileges_st sys_privileges[]= {"Trigger","Tables", "To use triggers"}, {"Create tablespace", "Server Admin", "To create/alter/drop tablespaces"}, {"Update", "Tables", "To update existing rows"}, + {"Set user","Server", "To create views and stored routines with a different definer"}, + {"Federated admin", "Server", "To execute the CREATE SERVER, ALTER SERVER, DROP SERVER statements"}, + {"Connection admin", "Server", "To bypass connection limits and kill other users' connections"}, + {"Read_only admin", "Server", "To perform write operations even if @@read_only=ON"}, {"Usage","Server Admin","No privileges - allow connect only"}, {NullS, NullS, NullS} }; 
@@ -3053,8 +3060,8 @@ int fill_show_explain(THD *thd, TABLE_LIST *table, COND *cond) DBUG_ASSERT(cond==NULL); thread_id= thd->lex->value_list.head()->val_int(); - calling_user= (thd->security_ctx->master_access & PROCESS_ACL) ? NullS : - thd->security_ctx->priv_user; + calling_user= (thd->security_ctx->master_access & PRIV_STMT_SHOW_EXPLAIN) ? + NullS : thd->security_ctx->priv_user; if ((tmp= find_thread_by_id(thread_id))) { @@ -3171,8 +3178,9 @@ static my_bool processlist_callback(THD *tmp, processlist_callback_arg *arg) const char *val; ulonglong max_counter; bool got_thd_data; - char *user= arg->thd->security_ctx->master_access & PROCESS_ACL ? - NullS : arg->thd->security_ctx->priv_user; + char *user= + arg->thd->security_ctx->master_access & PRIV_STMT_SHOW_PROCESSLIST ? + NullS : arg->thd->security_ctx->priv_user; if ((!tmp->vio_ok() && !tmp->system_thread) || (user && (tmp->system_thread || !tmp_sctx->user || diff --git a/sql/sql_trigger.cc b/sql/sql_trigger.cc index cb10d8ecb3b..5b8ae46d33f 100644 --- a/sql/sql_trigger.cc +++ b/sql/sql_trigger.cc @@ -30,7 +30,6 @@ #include "sql_table.h" // build_table_filename, // check_n_cut_mysql50_prefix #include "sql_db.h" // get_default_db_collation -#include "sql_acl.h" // *_ACL #include "sql_handler.h" // mysql_ha_rm_tables #include "sp_cache.h" // sp_invalidate_cache #include <mysys_err.h> @@ -441,7 +440,7 @@ bool mysql_create_or_drop_trigger(THD *thd, TABLE_LIST *tables, bool create) */ if (!trust_function_creators && (WSREP_EMULATE_BINLOG(thd) || mysql_bin_log.is_open()) && - !(thd->security_ctx->master_access & SUPER_ACL)) + !(thd->security_ctx->master_access & PRIV_LOG_BIN_TRUSTED_SP_CREATOR)) { my_error(ER_BINLOG_CREATE_ROUTINE_NEED_SUPER, MYF(0)); DBUG_RETURN(TRUE); 
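Review bot: In mysql_create_or_drop_trigger the check now tests PRIV_LOG_BIN_TRUSTED_SP_CREATOR, but the failure path still raises ER_BINLOG_CREATE_ROUTINE_NEED_SUPER, whose name suggests a message telling the user that SUPER is required. check_has_super in sql/sys_vars.cc has the same shape: it tests PRIV_SET_RESTRICTED_SESSION_SYSTEM_VARIABLE and then reports the literal `"SUPER"`. If either alias maps to one of the new narrower privileges (the definitions are not in these hunks), the message steers administrators toward granting SUPER, which is the broad grant this split is meant to make unnecessary. Report the privilege that was actually checked instead of a fixed SUPER string. Both functions continue outside their hunks.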
@@ -464,7 +463,8 @@ bool mysql_create_or_drop_trigger(THD *thd, TABLE_LIST *tables, bool create) */ thd->lex->sql_command= backup.sql_command; - if (opt_readonly && !(thd->security_ctx->master_access & SUPER_ACL) && + if (opt_readonly && + !(thd->security_ctx->master_access & PRIV_IGNORE_READ_ONLY) && !thd->slave_thread) { my_error(ER_OPTION_PREVENTS_STATEMENT, MYF(0), "--read-only"); diff --git a/sql/sql_update.cc b/sql/sql_update.cc index 6d6958ba50b..d0a920fd473 100644 --- a/sql/sql_update.cc +++ b/sql/sql_update.cc @@ -35,7 +35,6 @@ #include "probes_mysql.h" #include "debug_sync.h" #include "key.h" // is_key_used -#include "sql_acl.h" // *_ACL, check_grant #include "records.h" // init_read_record, // end_read_record #include "filesort.h" // filesort diff --git a/sql/sql_view.cc b/sql/sql_view.cc index 88a65dcaedb..b2e977151fd 100644 --- a/sql/sql_view.cc +++ b/sql/sql_view.cc @@ -27,7 +27,6 @@ #include "sql_show.h" // append_identifier #include "sql_table.h" // build_table_filename #include "sql_db.h" // mysql_opt_change_db, mysql_change_db -#include "sql_acl.h" // *_ACL, check_grant #include "sql_select.h" #include "parse_file.h" #include "sp_head.h" diff --git a/sql/sql_yacc.yy b/sql/sql_yacc.yy index 41891696f22..3f0f7251d5c 100644 --- a/sql/sql_yacc.yy +++ b/sql/sql_yacc.yy @@ -38,7 +38,6 @@ #include "sql_parse.h" /* comp_*_creator */ #include "sql_table.h" /* primary_key_name */ #include "sql_partition.h" /* partition_info, HASH_PARTITION */ -#include "sql_acl.h" /* *_ACL */ #include "sql_class.h" /* Key_part_spec, enum_filetype, Diag_condition_item_name */ #include "slave.h" #include "lex_symbol.h" @@ -835,6 +834,7 @@ End SQL_MODE_ORACLE_SPECIFIC */ %token <kwd> EXTENT_SIZE_SYM %token <kwd> FAST_SYM %token <kwd> FAULTS_SYM +%token <kwd> FEDERATED_SYM /* MariaDB privilege */ %token <kwd> FILE_SYM %token <kwd> FIRST_SYM /* SQL-2003-N */ %token <kwd> FIXED_SYM 
@@ -931,6 +931,7 @@ End SQL_MODE_ORACLE_SPECIFIC */ %token <kwd> MIN_ROWS %token <kwd> MODE_SYM %token <kwd> MODIFY_SYM +%token <kwd> MONITOR_SYM /* MariaDB privilege */ %token <kwd> MONTH_SYM /* SQL-2003-R */ %token <kwd> MUTEX_SYM %token <kwd> MYSQL_SYM @@ -13620,9 +13621,13 @@ show_param: MYSQL_YYABORT; lex->table_type= TABLE_TYPE_SEQUENCE; } + | BINLOG_SYM STATUS_SYM + { + Lex->sql_command = SQLCOM_SHOW_BINLOG_STAT; + } | MASTER_SYM STATUS_SYM { - Lex->sql_command = SQLCOM_SHOW_MASTER_STAT; + Lex->sql_command = SQLCOM_SHOW_BINLOG_STAT; } | ALL SLAVES STATUS_SYM { @@ -15512,6 +15517,7 @@ keyword_sp_var_and_label: | FAST_SYM | FOUND_SYM | ENABLE_SYM + | FEDERATED_SYM | FULL | FILE_SYM | FIRST_SYM @@ -15590,6 +15596,7 @@ keyword_sp_var_and_label: | MIN_ROWS | MODIFY_SYM | MODE_SYM + | MONITOR_SYM | MONTH_SYM | MUTEX_SYM | MYSQL_SYM @@ -16898,7 +16905,7 @@ object_privilege: | CREATE TEMPORARY TABLES { $$= CREATE_TMP_ACL;} | LOCK_SYM TABLES { $$= LOCK_TABLES_ACL; } | REPLICATION SLAVE { $$= REPL_SLAVE_ACL; } - | REPLICATION CLIENT_SYM { $$= REPL_CLIENT_ACL; } + | REPLICATION CLIENT_SYM { $$= BINLOG_MONITOR_ACL; /*Compatibility*/ } | CREATE VIEW_SYM { $$= CREATE_VIEW_ACL; } | SHOW VIEW_SYM { $$= SHOW_VIEW_ACL; } | CREATE ROUTINE_SYM { $$= CREATE_PROC_ACL; } @@ -16908,6 +16915,15 @@ object_privilege: | TRIGGER_SYM { $$= TRIGGER_ACL; } | CREATE TABLESPACE { $$= CREATE_TABLESPACE_ACL; } | DELETE_SYM HISTORY_SYM { $$= DELETE_HISTORY_ACL; } + | SET USER_SYM { $$= SET_USER_ACL; } + | FEDERATED_SYM ADMIN_SYM { $$= FEDERATED_ADMIN_ACL; } + | CONNECTION_SYM ADMIN_SYM { $$= CONNECTION_ADMIN_ACL; } + | READ_SYM ONLY_SYM ADMIN_SYM { $$= READ_ONLY_ADMIN_ACL; } + | READ_ONLY_SYM ADMIN_SYM { $$= READ_ONLY_ADMIN_ACL; } + | BINLOG_SYM MONITOR_SYM { $$= BINLOG_MONITOR_ACL; } + | BINLOG_SYM ADMIN_SYM { $$= BINLOG_ADMIN_ACL; } + | REPLICATION MASTER_SYM ADMIN_SYM { $$= REPL_MASTER_ADMIN_ACL; } + | REPLICATION SLAVE ADMIN_SYM { $$= REPL_SLAVE_ADMIN_ACL; } ; opt_and: 
diff --git a/sql/sys_vars.cc b/sql/sys_vars.cc index 9177cd9d1a1..ea2ca31bf3d 100644 --- a/sql/sys_vars.cc +++ b/sql/sys_vars.cc @@ -45,8 +45,7 @@ #include "mysqld.h" #include "lock.h" #include "sql_time.h" // known_date_time_formats -#include "sql_acl.h" // SUPER_ACL, - // mysql_user_table_is_in_short_password_format +#include "sql_acl.h" // mysql_user_table_is_in_short_password_format #include "derror.h" // read_texts #include "sql_base.h" // close_cached_tables #include "hostname.h" // host_cache_size @@ -585,7 +584,8 @@ bool check_has_super(sys_var *self, THD *thd, set_var *var) { DBUG_ASSERT(self->scope() != sys_var::GLOBAL);// don't abuse check_has_super() #ifndef NO_EMBEDDED_ACCESS_CHECKS - if (!(thd->security_ctx->master_access & SUPER_ACL)) + if (!(thd->security_ctx->master_access & + PRIV_SET_RESTRICTED_SESSION_SYSTEM_VARIABLE)) { my_error(ER_SPECIFIC_ACCESS_DENIED_ERROR, MYF(0), "SUPER"); return true; diff --git a/sql/table.cc b/sql/table.cc index 8c4c562647a..10c44013538 100644 --- a/sql/table.cc +++ b/sql/table.cc @@ -27,7 +27,6 @@ #include "strfunc.h" // unhex_type2 #include "sql_partition.h" // mysql_unpack_partition, // fix_partition_func, partition_info -#include "sql_acl.h" // *_ACL, acl_getroot_no_password #include "sql_base.h" #include "create_options.h" #include "sql_trigger.h" @@ -6209,7 +6208,7 @@ bool TABLE_LIST::prepare_view_security_context(THD *thd) } else { - if (thd->security_ctx->master_access & SUPER_ACL) + if (thd->security_ctx->master_access & PRIV_REVEAL_MISSING_DEFINER) { my_error(ER_NO_SUCH_USER, MYF(0), definer.user.str, definer.host.str); diff --git a/sql/transaction.cc b/sql/transaction.cc index f5258abb751..82e04d35479 100644 --- a/sql/transaction.cc +++ b/sql/transaction.cc 
@@ -163,7 +163,7 @@ bool trans_begin(THD *thd, uint flags) compatibility. */ const bool user_is_super= - MY_TEST(thd->security_ctx->master_access & SUPER_ACL); + MY_TEST(thd->security_ctx->master_access & PRIV_IGNORE_READ_ONLY); if (opt_readonly && !user_is_super) { my_error(ER_OPTION_PREVENTS_STATEMENT, MYF(0), "--read-only"); diff --git a/storage/maria/ma_pagecache.c b/storage/maria/ma_pagecache.c index ca2661fc0ed..e08c18fb579 100644 --- a/storage/maria/ma_pagecache.c +++ b/storage/maria/ma_pagecache.c @@ -801,7 +801,7 @@ size_t init_pagecache(PAGECACHE *pagecache, size_t use_mem, pagecache->mem_size= use_mem; pagecache->block_size= block_size; - pagecache->shift= my_bit_log2(block_size); + pagecache->shift= my_bit_log2_uint64(block_size); pagecache->readwrite_flags= my_readwrite_flags | MY_NABP | MY_WAIT_IF_FULL; pagecache->org_readwrite_flags= pagecache->readwrite_flags; DBUG_PRINT("info", ("block_size: %u", block_size)); diff --git a/storage/myisam/ha_myisam.cc b/storage/myisam/ha_myisam.cc index 1e9aadf038b..0d3c28fff56 100644 --- a/storage/myisam/ha_myisam.cc +++ b/storage/myisam/ha_myisam.cc @@ -2520,7 +2520,7 @@ static int myisam_init(void *p) else myisam_recover_options= HA_RECOVER_OFF; - myisam_block_size=(uint) 1 << my_bit_log2(opt_myisam_block_size); + myisam_block_size=(uint) 1 << my_bit_log2_uint64(opt_myisam_block_size); hton= (handlerton *)p; hton->db_type= DB_TYPE_MYISAM; diff --git a/storage/myisam/myisamchk.c b/storage/myisam/myisamchk.c index 69c30dedb89..c4b274b3fe9 100644 --- a/storage/myisam/myisamchk.c +++ b/storage/myisam/myisamchk.c @@ -797,7 +797,7 @@ static void get_options(register int *argc,register char ***argv) MYF(MY_WME)))) exit(1); - myisam_block_size=(uint) 1 << my_bit_log2(opt_myisam_block_size); + myisam_block_size=(uint) 1 << my_bit_log2_uint64(opt_myisam_block_size); return; } /* get options */ diff --git a/storage/rocksdb/rdb_datadic.cc b/storage/rocksdb/rdb_datadic.cc index 3673a67bf22..a7b44ff85ab 100644 
--- a/storage/rocksdb/rdb_datadic.cc +++ b/storage/rocksdb/rdb_datadic.cc @@ -3121,7 +3121,7 @@ static const Rdb_collation_codec *rdb_init_collation_mapping( for (uint idx = 0; idx < p.second.size(); idx++) { uchar src = p.second[idx]; uchar bits = - my_bit_log2(my_round_up_to_next_power(p.second.size())); + my_bit_log2_uint32(my_round_up_to_next_power(p.second.size())); cur->m_enc_idx[src] = idx; cur->m_enc_size[src] = bits; cur->m_dec_size[dst] = bits; diff --git a/storage/spider/ha_spider.cc b/storage/spider/ha_spider.cc index 1cec6c894c2..694f612ff63 100644 --- a/storage/spider/ha_spider.cc +++ b/storage/spider/ha_spider.cc @@ -13594,7 +13594,7 @@ void ha_spider::set_error_mode() case SQLCOM_SHOW_ENGINE_STATUS: case SQLCOM_SHOW_ENGINE_MUTEX: case SQLCOM_SHOW_PROCESSLIST: - case SQLCOM_SHOW_MASTER_STAT: + case SQLCOM_SHOW_BINLOG_STAT: case SQLCOM_SHOW_SLAVE_STAT: case SQLCOM_SHOW_GRANTS: case SQLCOM_SHOW_CREATE: |