MDEV-21963 Bind BINLOG ADMIN to a number of global system variables

author: Alexander Barkov <bar@mariadb.com> 2020-03-17 19:08:28 +0400
committer: Alexander Barkov <bar@mariadb.com> 2020-03-17 19:08:28 +0400
commit: 90b7ac28a917fde7bceed573956aa4c668c7685b (patch)
tree: 0285afba839a1090e2acd600bc581c8de2b52e14
parent: dec14dcffe08c0284daac4f93cd750956b15ca47 (diff)
download: mariadb-git-90b7ac28a917fde7bceed573956aa4c668c7685b.tar.gz
31 files changed, 910 insertions, 14 deletions
diff --git a/mysql-test/suite/sys_vars/inc/sysvar_global_grant.inc b/mysql-test/suite/sys_vars/inc/sysvar_global_grant.inc
new file mode 100644
index 00000000000..f452c1b19d9
--- /dev/null
+++ b/mysql-test/suite/sys_vars/inc/sysvar_global_grant.inc
@@ -0,0 +1,53 @@
+--source include/not_embedded.inc
+
+
+--eval SET @global=@@global.$var
+
+--echo # Test that "SET $var" is not allowed without $grant or SUPER
+
+CREATE USER user1@localhost;
+GRANT ALL PRIVILEGES ON *.* TO user1@localhost;
+--eval REVOKE $grant, SUPER ON *.* FROM user1@localhost
+--connect(user1,localhost,user1,,)
+--connection user1
+--error ER_SPECIFIC_ACCESS_DENIED_ERROR
+--eval SET GLOBAL $var=$value
+--error ER_GLOBAL_VARIABLE
+--eval SET $var=$value
+--error ER_GLOBAL_VARIABLE
+--eval SET SESSION $var=$value
+--disconnect user1
+--connection default
+DROP USER user1@localhost;
+
+--echo # Test that "SET $var" is allowed with $grant
+
+CREATE USER user1@localhost;
+--eval GRANT $grant ON *.* TO user1@localhost
+--connect(user1,localhost,user1,,)
+--connection user1
+--eval SET GLOBAL $var=$value
+--error ER_GLOBAL_VARIABLE
+--eval SET $var=$value
+--error ER_GLOBAL_VARIABLE
+--eval SET SESSION $var=$value
+--disconnect user1
+--connection default
+DROP USER user1@localhost;
+
+--echo # Test that "SET $var" is allowed with SUPER
+
+CREATE USER user1@localhost;
+GRANT SUPER ON *.* TO user1@localhost;
+--connect(user1,localhost,user1,,)
+--connection user1
+--eval SET GLOBAL $var=$value
+--error ER_GLOBAL_VARIABLE
+--eval SET $var=$value
+--error ER_GLOBAL_VARIABLE
+--eval SET SESSION $var=$value
+--disconnect user1
+--connection default
+DROP USER user1@localhost;
+
+--eval SET @@global.$var=@global
diff --git a/mysql-test/suite/sys_vars/r/binlog_cache_size_grant.result b/mysql-test/suite/sys_vars/r/binlog_cache_size_grant.result
new file mode 100644
index 00000000000..e6898e58968
--- /dev/null
+++ b/mysql-test/suite/sys_vars/r/binlog_cache_size_grant.result
@@ -0,0 +1,46 @@
+#
+# MDEV-21963 Bind BINLOG ADMIN to a number of global system variables
+#
+SET @global=@@global.binlog_cache_size;
+# Test that "SET binlog_cache_size" is not allowed without BINLOG ADMIN or SUPER
+CREATE USER user1@localhost;
+GRANT ALL PRIVILEGES ON *.* TO user1@localhost;
+REVOKE BINLOG ADMIN, SUPER ON *.* FROM user1@localhost;
+connect user1,localhost,user1,,;
+connection user1;
+SET GLOBAL binlog_cache_size=65536;
+ERROR 42000: Access denied; you need (at least one of) the SUPER, BINLOG ADMIN privilege(s) for this operation
+SET binlog_cache_size=65536;
+ERROR HY000: Variable 'binlog_cache_size' is a GLOBAL variable and should be set with SET GLOBAL
+SET SESSION binlog_cache_size=65536;
+ERROR HY000: Variable 'binlog_cache_size' is a GLOBAL variable and should be set with SET GLOBAL
+disconnect user1;
+connection default;
+DROP USER user1@localhost;
+# Test that "SET binlog_cache_size" is allowed with BINLOG ADMIN
+CREATE USER user1@localhost;
+GRANT BINLOG ADMIN ON *.* TO user1@localhost;
+connect user1,localhost,user1,,;
+connection user1;
+SET GLOBAL binlog_cache_size=65536;
+SET binlog_cache_size=65536;
+ERROR HY000: Variable 'binlog_cache_size' is a GLOBAL variable and should be set with SET GLOBAL
+SET SESSION binlog_cache_size=65536;
+ERROR HY000: Variable 'binlog_cache_size' is a GLOBAL variable and should be set with SET GLOBAL
+disconnect user1;
+connection default;
+DROP USER user1@localhost;
+# Test that "SET binlog_cache_size" is allowed with SUPER
+CREATE USER user1@localhost;
+GRANT SUPER ON *.* TO user1@localhost;
+connect user1,localhost,user1,,;
+connection user1;
+SET GLOBAL binlog_cache_size=65536;
+SET binlog_cache_size=65536;
+ERROR HY000: Variable 'binlog_cache_size' is a GLOBAL variable and should be set with SET GLOBAL
+SET SESSION binlog_cache_size=65536;
+ERROR HY000: Variable 'binlog_cache_size' is a GLOBAL variable and should be set with SET GLOBAL
+disconnect user1;
+connection default;
+DROP USER user1@localhost;
+SET @@global.binlog_cache_size=@global;
diff --git a/mysql-test/suite/sys_vars/r/binlog_commit_wait_count_grant.result b/mysql-test/suite/sys_vars/r/binlog_commit_wait_count_grant.result
new file mode 100644
index 00000000000..930772f7499
--- /dev/null
+++ b/mysql-test/suite/sys_vars/r/binlog_commit_wait_count_grant.result
@@ -0,0 +1,46 @@
+#
+# MDEV-21963 Bind BINLOG ADMIN to a number of global system variables
+#
+SET @global=@@global.binlog_commit_wait_count;
+# Test that "SET binlog_commit_wait_count" is not allowed without BINLOG ADMIN or SUPER
+CREATE USER user1@localhost;
+GRANT ALL PRIVILEGES ON *.* TO user1@localhost;
+REVOKE BINLOG ADMIN, SUPER ON *.* FROM user1@localhost;
+connect user1,localhost,user1,,;
+connection user1;
+SET GLOBAL binlog_commit_wait_count=65536;
+ERROR 42000: Access denied; you need (at least one of) the SUPER, BINLOG ADMIN privilege(s) for this operation
+SET binlog_commit_wait_count=65536;
+ERROR HY000: Variable 'binlog_commit_wait_count' is a GLOBAL variable and should be set with SET GLOBAL
+SET SESSION binlog_commit_wait_count=65536;
+ERROR HY000: Variable 'binlog_commit_wait_count' is a GLOBAL variable and should be set with SET GLOBAL
+disconnect user1;
+connection default;
+DROP USER user1@localhost;
+# Test that "SET binlog_commit_wait_count" is allowed with BINLOG ADMIN
+CREATE USER user1@localhost;
+GRANT BINLOG ADMIN ON *.* TO user1@localhost;
+connect user1,localhost,user1,,;
+connection user1;
+SET GLOBAL binlog_commit_wait_count=65536;
+SET binlog_commit_wait_count=65536;
+ERROR HY000: Variable 'binlog_commit_wait_count' is a GLOBAL variable and should be set with SET GLOBAL
+SET SESSION binlog_commit_wait_count=65536;
+ERROR HY000: Variable 'binlog_commit_wait_count' is a GLOBAL variable and should be set with SET GLOBAL
+disconnect user1;
+connection default;
+DROP USER user1@localhost;
+# Test that "SET binlog_commit_wait_count" is allowed with SUPER
+CREATE USER user1@localhost;
+GRANT SUPER ON *.* TO user1@localhost;
+connect user1,localhost,user1,,;
+connection user1;
+SET GLOBAL binlog_commit_wait_count=65536;
+SET binlog_commit_wait_count=65536;
+ERROR HY000: Variable 'binlog_commit_wait_count' is a GLOBAL variable and should be set with SET GLOBAL
+SET SESSION binlog_commit_wait_count=65536;
+ERROR HY000: Variable 'binlog_commit_wait_count' is a GLOBAL variable and should be set with SET GLOBAL
+disconnect user1;
+connection default;
+DROP USER user1@localhost;
+SET @@global.binlog_commit_wait_count=@global;
diff --git a/mysql-test/suite/sys_vars/r/binlog_commit_wait_usec_grant.result b/mysql-test/suite/sys_vars/r/binlog_commit_wait_usec_grant.result
new file mode 100644
index 00000000000..cfbb759e959
--- /dev/null
+++ b/mysql-test/suite/sys_vars/r/binlog_commit_wait_usec_grant.result
@@ -0,0 +1,46 @@
+#
+# MDEV-21963 Bind BINLOG ADMIN to a number of global system variables
+#
+SET @global=@@global.binlog_commit_wait_usec;
+# Test that "SET binlog_commit_wait_usec" is not allowed without BINLOG ADMIN or SUPER
+CREATE USER user1@localhost;
+GRANT ALL PRIVILEGES ON *.* TO user1@localhost;
+REVOKE BINLOG ADMIN, SUPER ON *.* FROM user1@localhost;
+connect user1,localhost,user1,,;
+connection user1;
+SET GLOBAL binlog_commit_wait_usec=65536;
+ERROR 42000: Access denied; you need (at least one of) the SUPER, BINLOG ADMIN privilege(s) for this operation
+SET binlog_commit_wait_usec=65536;
+ERROR HY000: Variable 'binlog_commit_wait_usec' is a GLOBAL variable and should be set with SET GLOBAL
+SET SESSION binlog_commit_wait_usec=65536;
+ERROR HY000: Variable 'binlog_commit_wait_usec' is a GLOBAL variable and should be set with SET GLOBAL
+disconnect user1;
+connection default;
+DROP USER user1@localhost;
+# Test that "SET binlog_commit_wait_usec" is allowed with BINLOG ADMIN
+CREATE USER user1@localhost;
+GRANT BINLOG ADMIN ON *.* TO user1@localhost;
+connect user1,localhost,user1,,;
+connection user1;
+SET GLOBAL binlog_commit_wait_usec=65536;
+SET binlog_commit_wait_usec=65536;
+ERROR HY000: Variable 'binlog_commit_wait_usec' is a GLOBAL variable and should be set with SET GLOBAL
+SET SESSION binlog_commit_wait_usec=65536;
+ERROR HY000: Variable 'binlog_commit_wait_usec' is a GLOBAL variable and should be set with SET GLOBAL
+disconnect user1;
+connection default;
+DROP USER user1@localhost;
+# Test that "SET binlog_commit_wait_usec" is allowed with SUPER
+CREATE USER user1@localhost;
+GRANT SUPER ON *.* TO user1@localhost;
+connect user1,localhost,user1,,;
+connection user1;
+SET GLOBAL binlog_commit_wait_usec=65536;
+SET binlog_commit_wait_usec=65536;
+ERROR HY000: Variable 'binlog_commit_wait_usec' is a GLOBAL variable and should be set with SET GLOBAL
+SET SESSION binlog_commit_wait_usec=65536;
+ERROR HY000: Variable 'binlog_commit_wait_usec' is a GLOBAL variable and should be set with SET GLOBAL
+disconnect user1;
+connection default;
+DROP USER user1@localhost;
+SET @@global.binlog_commit_wait_usec=@global;
diff --git a/mysql-test/suite/sys_vars/r/binlog_file_cache_size_grant.result b/mysql-test/suite/sys_vars/r/binlog_file_cache_size_grant.result
new file mode 100644
index 00000000000..3cd5aaf57d4
--- /dev/null
+++ b/mysql-test/suite/sys_vars/r/binlog_file_cache_size_grant.result
@@ -0,0 +1,46 @@
+#
+# MDEV-21963 Bind BINLOG ADMIN to a number of global system variables
+#
+SET @global=@@global.binlog_file_cache_size;
+# Test that "SET binlog_file_cache_size" is not allowed without BINLOG ADMIN or SUPER
+CREATE USER user1@localhost;
+GRANT ALL PRIVILEGES ON *.* TO user1@localhost;
+REVOKE BINLOG ADMIN, SUPER ON *.* FROM user1@localhost;
+connect user1,localhost,user1,,;
+connection user1;
+SET GLOBAL binlog_file_cache_size=65536;
+ERROR 42000: Access denied; you need (at least one of) the SUPER, BINLOG ADMIN privilege(s) for this operation
+SET binlog_file_cache_size=65536;
+ERROR HY000: Variable 'binlog_file_cache_size' is a GLOBAL variable and should be set with SET GLOBAL
+SET SESSION binlog_file_cache_size=65536;
+ERROR HY000: Variable 'binlog_file_cache_size' is a GLOBAL variable and should be set with SET GLOBAL
+disconnect user1;
+connection default;
+DROP USER user1@localhost;
+# Test that "SET binlog_file_cache_size" is allowed with BINLOG ADMIN
+CREATE USER user1@localhost;
+GRANT BINLOG ADMIN ON *.* TO user1@localhost;
+connect user1,localhost,user1,,;
+connection user1;
+SET GLOBAL binlog_file_cache_size=65536;
+SET binlog_file_cache_size=65536;
+ERROR HY000: Variable 'binlog_file_cache_size' is a GLOBAL variable and should be set with SET GLOBAL
+SET SESSION binlog_file_cache_size=65536;
+ERROR HY000: Variable 'binlog_file_cache_size' is a GLOBAL variable and should be set with SET GLOBAL
+disconnect user1;
+connection default;
+DROP USER user1@localhost;
+# Test that "SET binlog_file_cache_size" is allowed with SUPER
+CREATE USER user1@localhost;
+GRANT SUPER ON *.* TO user1@localhost;
+connect user1,localhost,user1,,;
+connection user1;
+SET GLOBAL binlog_file_cache_size=65536;
+SET binlog_file_cache_size=65536;
+ERROR HY000: Variable 'binlog_file_cache_size' is a GLOBAL variable and should be set with SET GLOBAL
+SET SESSION binlog_file_cache_size=65536;
+ERROR HY000: Variable 'binlog_file_cache_size' is a GLOBAL variable and should be set with SET GLOBAL
+disconnect user1;
+connection default;
+DROP USER user1@localhost;
+SET @@global.binlog_file_cache_size=@global;
diff --git a/mysql-test/suite/sys_vars/r/binlog_row_metadata_grant.result b/mysql-test/suite/sys_vars/r/binlog_row_metadata_grant.result
new file mode 100644
index 00000000000..43282278aa3
--- /dev/null
+++ b/mysql-test/suite/sys_vars/r/binlog_row_metadata_grant.result
@@ -0,0 +1,46 @@
+#
+# MDEV-21963 Bind BINLOG ADMIN to a number of global system variables
+#
+SET @global=@@global.binlog_row_metadata;
+# Test that "SET binlog_row_metadata" is not allowed without BINLOG ADMIN or SUPER
+CREATE USER user1@localhost;
+GRANT ALL PRIVILEGES ON *.* TO user1@localhost;
+REVOKE BINLOG ADMIN, SUPER ON *.* FROM user1@localhost;
+connect user1,localhost,user1,,;
+connection user1;
+SET GLOBAL binlog_row_metadata=NO_LOG;
+ERROR 42000: Access denied; you need (at least one of) the SUPER, BINLOG ADMIN privilege(s) for this operation
+SET binlog_row_metadata=NO_LOG;
+ERROR HY000: Variable 'binlog_row_metadata' is a GLOBAL variable and should be set with SET GLOBAL
+SET SESSION binlog_row_metadata=NO_LOG;
+ERROR HY000: Variable 'binlog_row_metadata' is a GLOBAL variable and should be set with SET GLOBAL
+disconnect user1;
+connection default;
+DROP USER user1@localhost;
+# Test that "SET binlog_row_metadata" is allowed with BINLOG ADMIN
+CREATE USER user1@localhost;
+GRANT BINLOG ADMIN ON *.* TO user1@localhost;
+connect user1,localhost,user1,,;
+connection user1;
+SET GLOBAL binlog_row_metadata=NO_LOG;
+SET binlog_row_metadata=NO_LOG;
+ERROR HY000: Variable 'binlog_row_metadata' is a GLOBAL variable and should be set with SET GLOBAL
+SET SESSION binlog_row_metadata=NO_LOG;
+ERROR HY000: Variable 'binlog_row_metadata' is a GLOBAL variable and should be set with SET GLOBAL
+disconnect user1;
+connection default;
+DROP USER user1@localhost;
+# Test that "SET binlog_row_metadata" is allowed with SUPER
+CREATE USER user1@localhost;
+GRANT SUPER ON *.* TO user1@localhost;
+connect user1,localhost,user1,,;
+connection user1;
+SET GLOBAL binlog_row_metadata=NO_LOG;
+SET binlog_row_metadata=NO_LOG;
+ERROR HY000: Variable 'binlog_row_metadata' is a GLOBAL variable and should be set with SET GLOBAL
+SET SESSION binlog_row_metadata=NO_LOG;
+ERROR HY000: Variable 'binlog_row_metadata' is a GLOBAL variable and should be set with SET GLOBAL
+disconnect user1;
+connection default;
+DROP USER user1@localhost;
+SET @@global.binlog_row_metadata=@global;
diff --git a/mysql-test/suite/sys_vars/r/binlog_stmt_cache_size_grant.result b/mysql-test/suite/sys_vars/r/binlog_stmt_cache_size_grant.result
new file mode 100644
index 00000000000..87070de932c
--- /dev/null
+++ b/mysql-test/suite/sys_vars/r/binlog_stmt_cache_size_grant.result
@@ -0,0 +1,46 @@
+#
+# MDEV-21963 Bind BINLOG ADMIN to a number of global system variables
+#
+SET @global=@@global.binlog_stmt_cache_size;
+# Test that "SET binlog_stmt_cache_size" is not allowed without BINLOG ADMIN or SUPER
+CREATE USER user1@localhost;
+GRANT ALL PRIVILEGES ON *.* TO user1@localhost;
+REVOKE BINLOG ADMIN, SUPER ON *.* FROM user1@localhost;
+connect user1,localhost,user1,,;
+connection user1;
+SET GLOBAL binlog_stmt_cache_size=65536;
+ERROR 42000: Access denied; you need (at least one of) the SUPER, BINLOG ADMIN privilege(s) for this operation
+SET binlog_stmt_cache_size=65536;
+ERROR HY000: Variable 'binlog_stmt_cache_size' is a GLOBAL variable and should be set with SET GLOBAL
+SET SESSION binlog_stmt_cache_size=65536;
+ERROR HY000: Variable 'binlog_stmt_cache_size' is a GLOBAL variable and should be set with SET GLOBAL
+disconnect user1;
+connection default;
+DROP USER user1@localhost;
+# Test that "SET binlog_stmt_cache_size" is allowed with BINLOG ADMIN
+CREATE USER user1@localhost;
+GRANT BINLOG ADMIN ON *.* TO user1@localhost;
+connect user1,localhost,user1,,;
+connection user1;
+SET GLOBAL binlog_stmt_cache_size=65536;
+SET binlog_stmt_cache_size=65536;
+ERROR HY000: Variable 'binlog_stmt_cache_size' is a GLOBAL variable and should be set with SET GLOBAL
+SET SESSION binlog_stmt_cache_size=65536;
+ERROR HY000: Variable 'binlog_stmt_cache_size' is a GLOBAL variable and should be set with SET GLOBAL
+disconnect user1;
+connection default;
+DROP USER user1@localhost;
+# Test that "SET binlog_stmt_cache_size" is allowed with SUPER
+CREATE USER user1@localhost;
+GRANT SUPER ON *.* TO user1@localhost;
+connect user1,localhost,user1,,;
+connection user1;
+SET GLOBAL binlog_stmt_cache_size=65536;
+SET binlog_stmt_cache_size=65536;
+ERROR HY000: Variable 'binlog_stmt_cache_size' is a GLOBAL variable and should be set with SET GLOBAL
+SET SESSION binlog_stmt_cache_size=65536;
+ERROR HY000: Variable 'binlog_stmt_cache_size' is a GLOBAL variable and should be set with SET GLOBAL
+disconnect user1;
+connection default;
+DROP USER user1@localhost;
+SET @@global.binlog_stmt_cache_size=@global;
diff --git a/mysql-test/suite/sys_vars/r/expire_logs_days_grant.result b/mysql-test/suite/sys_vars/r/expire_logs_days_grant.result
new file mode 100644
index 00000000000..f7a3ddc76c1
--- /dev/null
+++ b/mysql-test/suite/sys_vars/r/expire_logs_days_grant.result
@@ -0,0 +1,46 @@
+#
+# MDEV-21963 Bind BINLOG ADMIN to a number of global system variables
+#
+SET @global=@@global.expire_logs_days;
+# Test that "SET expire_logs_days" is not allowed without BINLOG ADMIN or SUPER
+CREATE USER user1@localhost;
+GRANT ALL PRIVILEGES ON *.* TO user1@localhost;
+REVOKE BINLOG ADMIN, SUPER ON *.* FROM user1@localhost;
+connect user1,localhost,user1,,;
+connection user1;
+SET GLOBAL expire_logs_days=33;
+ERROR 42000: Access denied; you need (at least one of) the SUPER, BINLOG ADMIN privilege(s) for this operation
+SET expire_logs_days=33;
+ERROR HY000: Variable 'expire_logs_days' is a GLOBAL variable and should be set with SET GLOBAL
+SET SESSION expire_logs_days=33;
+ERROR HY000: Variable 'expire_logs_days' is a GLOBAL variable and should be set with SET GLOBAL
+disconnect user1;
+connection default;
+DROP USER user1@localhost;
+# Test that "SET expire_logs_days" is allowed with BINLOG ADMIN
+CREATE USER user1@localhost;
+GRANT BINLOG ADMIN ON *.* TO user1@localhost;
+connect user1,localhost,user1,,;
+connection user1;
+SET GLOBAL expire_logs_days=33;
+SET expire_logs_days=33;
+ERROR HY000: Variable 'expire_logs_days' is a GLOBAL variable and should be set with SET GLOBAL
+SET SESSION expire_logs_days=33;
+ERROR HY000: Variable 'expire_logs_days' is a GLOBAL variable and should be set with SET GLOBAL
+disconnect user1;
+connection default;
+DROP USER user1@localhost;
+# Test that "SET expire_logs_days" is allowed with SUPER
+CREATE USER user1@localhost;
+GRANT SUPER ON *.* TO user1@localhost;
+connect user1,localhost,user1,,;
+connection user1;
+SET GLOBAL expire_logs_days=33;
+SET expire_logs_days=33;
+ERROR HY000: Variable 'expire_logs_days' is a GLOBAL variable and should be set with SET GLOBAL
+SET SESSION expire_logs_days=33;
+ERROR HY000: Variable 'expire_logs_days' is a GLOBAL variable and should be set with SET GLOBAL
+disconnect user1;
+connection default;
+DROP USER user1@localhost;
+SET @@global.expire_logs_days=@global;
diff --git a/mysql-test/suite/sys_vars/r/log_bin_compress_grant.result b/mysql-test/suite/sys_vars/r/log_bin_compress_grant.result
new file mode 100644
index 00000000000..f75f22a75f8
--- /dev/null
+++ b/mysql-test/suite/sys_vars/r/log_bin_compress_grant.result
@@ -0,0 +1,46 @@
+#
+# MDEV-21963 Bind BINLOG ADMIN to a number of global system variables
+#
+SET @global=@@global.log_bin_compress;
+# Test that "SET log_bin_compress" is not allowed without BINLOG ADMIN or SUPER
+CREATE USER user1@localhost;
+GRANT ALL PRIVILEGES ON *.* TO user1@localhost;
+REVOKE BINLOG ADMIN, SUPER ON *.* FROM user1@localhost;
+connect user1,localhost,user1,,;
+connection user1;
+SET GLOBAL log_bin_compress=1;
+ERROR 42000: Access denied; you need (at least one of) the SUPER, BINLOG ADMIN privilege(s) for this operation
+SET log_bin_compress=1;
+ERROR HY000: Variable 'log_bin_compress' is a GLOBAL variable and should be set with SET GLOBAL
+SET SESSION log_bin_compress=1;
+ERROR HY000: Variable 'log_bin_compress' is a GLOBAL variable and should be set with SET GLOBAL
+disconnect user1;
+connection default;
+DROP USER user1@localhost;
+# Test that "SET log_bin_compress" is allowed with BINLOG ADMIN
+CREATE USER user1@localhost;
+GRANT BINLOG ADMIN ON *.* TO user1@localhost;
+connect user1,localhost,user1,,;
+connection user1;
+SET GLOBAL log_bin_compress=1;
+SET log_bin_compress=1;
+ERROR HY000: Variable 'log_bin_compress' is a GLOBAL variable and should be set with SET GLOBAL
+SET SESSION log_bin_compress=1;
+ERROR HY000: Variable 'log_bin_compress' is a GLOBAL variable and should be set with SET GLOBAL
+disconnect user1;
+connection default;
+DROP USER user1@localhost;
+# Test that "SET log_bin_compress" is allowed with SUPER
+CREATE USER user1@localhost;
+GRANT SUPER ON *.* TO user1@localhost;
+connect user1,localhost,user1,,;
+connection user1;
+SET GLOBAL log_bin_compress=1;
+SET log_bin_compress=1;
+ERROR HY000: Variable 'log_bin_compress' is a GLOBAL variable and should be set with SET GLOBAL
+SET SESSION log_bin_compress=1;
+ERROR HY000: Variable 'log_bin_compress' is a GLOBAL variable and should be set with SET GLOBAL
+disconnect user1;
+connection default;
+DROP USER user1@localhost;
+SET @@global.log_bin_compress=@global;
diff --git a/mysql-test/suite/sys_vars/r/log_bin_compress_min_len_grant.result b/mysql-test/suite/sys_vars/r/log_bin_compress_min_len_grant.result
new file mode 100644
index 00000000000..b1ccafb1dd2
--- /dev/null
+++ b/mysql-test/suite/sys_vars/r/log_bin_compress_min_len_grant.result
@@ -0,0 +1,46 @@
+#
+# MDEV-21963 Bind BINLOG ADMIN to a number of global system variables
+#
+SET @global=@@global.log_bin_compress_min_len;
+# Test that "SET log_bin_compress_min_len" is not allowed without BINLOG ADMIN or SUPER
+CREATE USER user1@localhost;
+GRANT ALL PRIVILEGES ON *.* TO user1@localhost;
+REVOKE BINLOG ADMIN, SUPER ON *.* FROM user1@localhost;
+connect user1,localhost,user1,,;
+connection user1;
+SET GLOBAL log_bin_compress_min_len=512;
+ERROR 42000: Access denied; you need (at least one of) the SUPER, BINLOG ADMIN privilege(s) for this operation
+SET log_bin_compress_min_len=512;
+ERROR HY000: Variable 'log_bin_compress_min_len' is a GLOBAL variable and should be set with SET GLOBAL
+SET SESSION log_bin_compress_min_len=512;
+ERROR HY000: Variable 'log_bin_compress_min_len' is a GLOBAL variable and should be set with SET GLOBAL
+disconnect user1;
+connection default;
+DROP USER user1@localhost;
+# Test that "SET log_bin_compress_min_len" is allowed with BINLOG ADMIN
+CREATE USER user1@localhost;
+GRANT BINLOG ADMIN ON *.* TO user1@localhost;
+connect user1,localhost,user1,,;
+connection user1;
+SET GLOBAL log_bin_compress_min_len=512;
+SET log_bin_compress_min_len=512;
+ERROR HY000: Variable 'log_bin_compress_min_len' is a GLOBAL variable and should be set with SET GLOBAL
+SET SESSION log_bin_compress_min_len=512;
+ERROR HY000: Variable 'log_bin_compress_min_len' is a GLOBAL variable and should be set with SET GLOBAL
+disconnect user1;
+connection default;
+DROP USER user1@localhost;
+# Test that "SET log_bin_compress_min_len" is allowed with SUPER
+CREATE USER user1@localhost;
+GRANT SUPER ON *.* TO user1@localhost;
+connect user1,localhost,user1,,;
+connection user1;
+SET GLOBAL log_bin_compress_min_len=512;
+SET log_bin_compress_min_len=512;
+ERROR HY000: Variable 'log_bin_compress_min_len' is a GLOBAL variable and should be set with SET GLOBAL
+SET SESSION log_bin_compress_min_len=512;
+ERROR HY000: Variable 'log_bin_compress_min_len' is a GLOBAL variable and should be set with SET GLOBAL
+disconnect user1;
+connection default;
+DROP USER user1@localhost;
+SET @@global.log_bin_compress_min_len=@global;
diff --git a/mysql-test/suite/sys_vars/r/log_bin_trust_function_creators_grant.result b/mysql-test/suite/sys_vars/r/log_bin_trust_function_creators_grant.result
new file mode 100644
index 00000000000..ef9af94d8f6
--- /dev/null
+++ b/mysql-test/suite/sys_vars/r/log_bin_trust_function_creators_grant.result
@@ -0,0 +1,46 @@
+#
+# MDEV-21963 Bind BINLOG ADMIN to a number of global system variables
+#
+SET @global=@@global.log_bin_trust_function_creators;
+# Test that "SET log_bin_trust_function_creators" is not allowed without BINLOG ADMIN or SUPER
+CREATE USER user1@localhost;
+GRANT ALL PRIVILEGES ON *.* TO user1@localhost;
+REVOKE BINLOG ADMIN, SUPER ON *.* FROM user1@localhost;
+connect user1,localhost,user1,,;
+connection user1;
+SET GLOBAL log_bin_trust_function_creators=1;
+ERROR 42000: Access denied; you need (at least one of) the SUPER, BINLOG ADMIN privilege(s) for this operation
+SET log_bin_trust_function_creators=1;
+ERROR HY000: Variable 'log_bin_trust_function_creators' is a GLOBAL variable and should be set with SET GLOBAL
+SET SESSION log_bin_trust_function_creators=1;
+ERROR HY000: Variable 'log_bin_trust_function_creators' is a GLOBAL variable and should be set with SET GLOBAL
+disconnect user1;
+connection default;
+DROP USER user1@localhost;
+# Test that "SET log_bin_trust_function_creators" is allowed with BINLOG ADMIN
+CREATE USER user1@localhost;
+GRANT BINLOG ADMIN ON *.* TO user1@localhost;
+connect user1,localhost,user1,,;
+connection user1;
+SET GLOBAL log_bin_trust_function_creators=1;
+SET log_bin_trust_function_creators=1;
+ERROR HY000: Variable 'log_bin_trust_function_creators' is a GLOBAL variable and should be set with SET GLOBAL
+SET SESSION log_bin_trust_function_creators=1;
+ERROR HY000: Variable 'log_bin_trust_function_creators' is a GLOBAL variable and should be set with SET GLOBAL
+disconnect user1;
+connection default;
+DROP USER user1@localhost;
+# Test that "SET log_bin_trust_function_creators" is allowed with SUPER
+CREATE USER user1@localhost;
+GRANT SUPER ON *.* TO user1@localhost;
+connect user1,localhost,user1,,;
+connection user1;
+SET GLOBAL log_bin_trust_function_creators=1;
+SET log_bin_trust_function_creators=1;
+ERROR HY000: Variable 'log_bin_trust_function_creators' is a GLOBAL variable and should be set with SET GLOBAL
+SET SESSION log_bin_trust_function_creators=1;
+ERROR HY000: Variable 'log_bin_trust_function_creators' is a GLOBAL variable and should be set with SET GLOBAL
+disconnect user1;
+connection default;
+DROP USER user1@localhost;
+SET @@global.log_bin_trust_function_creators=@global;
diff --git a/mysql-test/suite/sys_vars/r/max_binlog_cache_size_grant.result b/mysql-test/suite/sys_vars/r/max_binlog_cache_size_grant.result
new file mode 100644
index 00000000000..350194c46cc
--- /dev/null
+++ b/mysql-test/suite/sys_vars/r/max_binlog_cache_size_grant.result
@@ -0,0 +1,46 @@
+#
+# MDEV-21963 Bind BINLOG ADMIN to a number of global system variables
+#
+SET @global=@@global.max_binlog_cache_size;
+# Test that "SET max_binlog_cache_size" is not allowed without BINLOG ADMIN or SUPER
+CREATE USER user1@localhost;
+GRANT ALL PRIVILEGES ON *.* TO user1@localhost;
+REVOKE BINLOG ADMIN, SUPER ON *.* FROM user1@localhost;
+connect user1,localhost,user1,,;
+connection user1;
+SET GLOBAL max_binlog_cache_size=4096;
+ERROR 42000: Access denied; you need (at least one of) the SUPER, BINLOG ADMIN privilege(s) for this operation
+SET max_binlog_cache_size=4096;
+ERROR HY000: Variable 'max_binlog_cache_size' is a GLOBAL variable and should be set with SET GLOBAL
+SET SESSION max_binlog_cache_size=4096;
+ERROR HY000: Variable 'max_binlog_cache_size' is a GLOBAL variable and should be set with SET GLOBAL
+disconnect user1;
+connection default;
+DROP USER user1@localhost;
+# Test that "SET max_binlog_cache_size" is allowed with BINLOG ADMIN
+CREATE USER user1@localhost;
+GRANT BINLOG ADMIN ON *.* TO user1@localhost;
+connect user1,localhost,user1,,;
+connection user1;
+SET GLOBAL max_binlog_cache_size=4096;
+SET max_binlog_cache_size=4096;
+ERROR HY000: Variable 'max_binlog_cache_size' is a GLOBAL variable and should be set with SET GLOBAL
+SET SESSION max_binlog_cache_size=4096;
+ERROR HY000: Variable 'max_binlog_cache_size' is a GLOBAL variable and should be set with SET GLOBAL
+disconnect user1;
+connection default;
+DROP USER user1@localhost;
+# Test that "SET max_binlog_cache_size" is allowed with SUPER
+CREATE USER user1@localhost;
+GRANT SUPER ON *.* TO user1@localhost;
+connect user1,localhost,user1,,;
+connection user1;
+SET GLOBAL max_binlog_cache_size=4096;
+SET max_binlog_cache_size=4096;
+ERROR HY000: Variable 'max_binlog_cache_size' is a GLOBAL variable and should be set with SET GLOBAL
+SET SESSION max_binlog_cache_size=4096;
+ERROR HY000: Variable 'max_binlog_cache_size' is a GLOBAL variable and should be set with SET GLOBAL
+disconnect user1;
+connection default;
+DROP USER user1@localhost;
+SET @@global.max_binlog_cache_size=@global;
diff --git a/mysql-test/suite/sys_vars/r/max_binlog_size_grant.result b/mysql-test/suite/sys_vars/r/max_binlog_size_grant.result
new file mode 100644
index 00000000000..34e1fde76fe
--- /dev/null
+++ b/mysql-test/suite/sys_vars/r/max_binlog_size_grant.result
@@ -0,0 +1,46 @@
+#
+# MDEV-21963 Bind BINLOG ADMIN to a number of global system variables
+#
+SET @global=@@global.max_binlog_size;
+# Test that "SET max_binlog_size" is not allowed without BINLOG ADMIN or SUPER
+CREATE USER user1@localhost;
+GRANT ALL PRIVILEGES ON *.* TO user1@localhost;
+REVOKE BINLOG ADMIN, SUPER ON *.* FROM user1@localhost;
+connect user1,localhost,user1,,;
+connection user1;
+SET GLOBAL max_binlog_size=4096;
+ERROR 42000: Access denied; you need (at least one of) the SUPER, BINLOG ADMIN privilege(s) for this operation
+SET max_binlog_size=4096;
+ERROR HY000: Variable 'max_binlog_size' is a GLOBAL variable and should be set with SET GLOBAL
+SET SESSION max_binlog_size=4096;
+ERROR HY000: Variable 'max_binlog_size' is a GLOBAL variable and should be set with SET GLOBAL
+disconnect user1;
+connection default;
+DROP USER user1@localhost;
+# Test that "SET max_binlog_size" is allowed with BINLOG ADMIN
+CREATE USER user1@localhost;
+GRANT BINLOG ADMIN ON *.* TO user1@localhost;
+connect user1,localhost,user1,,;
+connection user1;
+SET GLOBAL max_binlog_size=4096;
+SET max_binlog_size=4096;
+ERROR HY000: Variable 'max_binlog_size' is a GLOBAL variable and should be set with SET GLOBAL
+SET SESSION max_binlog_size=4096;
+ERROR HY000: Variable 'max_binlog_size' is a GLOBAL variable and should be set with SET GLOBAL
+disconnect user1;
+connection default;
+DROP USER user1@localhost;
+# Test that "SET max_binlog_size" is allowed with SUPER
+CREATE USER user1@localhost;
+GRANT SUPER ON *.* TO user1@localhost;
+connect user1,localhost,user1,,;
+connection user1;
+SET GLOBAL max_binlog_size=4096;
+SET max_binlog_size=4096;
+ERROR HY000: Variable 'max_binlog_size' is a GLOBAL variable and should be set with SET GLOBAL
+SET SESSION max_binlog_size=4096;
+ERROR HY000: Variable 'max_binlog_size' is a GLOBAL variable and should be set with SET GLOBAL
+disconnect user1;
+connection default;
+DROP USER user1@localhost;
+SET @@global.max_binlog_size=@global;
diff --git a/mysql-test/suite/sys_vars/r/max_binlog_stmt_cache_size_grant.result b/mysql-test/suite/sys_vars/r/max_binlog_stmt_cache_size_grant.result
new file mode 100644
index 00000000000..2ddd164f7c1
--- /dev/null
+++ b/mysql-test/suite/sys_vars/r/max_binlog_stmt_cache_size_grant.result
@@ -0,0 +1,46 @@
+#
+# MDEV-21963 Bind BINLOG ADMIN to a number of global system variables
+#
+SET @global=@@global.max_binlog_stmt_cache_size;
+# Test that "SET max_binlog_stmt_cache_size" is not allowed without BINLOG ADMIN or SUPER
+CREATE USER user1@localhost;
+GRANT ALL PRIVILEGES ON *.* TO user1@localhost;
+REVOKE BINLOG ADMIN, SUPER ON *.* FROM user1@localhost;
+connect user1,localhost,user1,,;
+connection user1;
+SET GLOBAL max_binlog_stmt_cache_size=4096;
+ERROR 42000: Access denied; you need (at least one of) the SUPER, BINLOG ADMIN privilege(s) for this operation
+SET max_binlog_stmt_cache_size=4096;
+ERROR HY000: Variable 'max_binlog_stmt_cache_size' is a GLOBAL variable and should be set with SET GLOBAL
+SET SESSION max_binlog_stmt_cache_size=4096;
+ERROR HY000: Variable 'max_binlog_stmt_cache_size' is a GLOBAL variable and should be set with SET GLOBAL
+disconnect user1;
+connection default;
+DROP USER user1@localhost;
+# Test that "SET max_binlog_stmt_cache_size" is allowed with BINLOG ADMIN
+CREATE USER user1@localhost;
+GRANT BINLOG ADMIN ON *.* TO user1@localhost;
+connect user1,localhost,user1,,;
+connection user1;
+SET GLOBAL max_binlog_stmt_cache_size=4096;
+SET max_binlog_stmt_cache_size=4096;
+ERROR HY000: Variable 'max_binlog_stmt_cache_size' is a GLOBAL variable and should be set with SET GLOBAL
+SET SESSION max_binlog_stmt_cache_size=4096;
+ERROR HY000: Variable 'max_binlog_stmt_cache_size' is a GLOBAL variable and should be set with SET GLOBAL
+disconnect user1;
+connection default;
+DROP USER user1@localhost;
+# Test that "SET max_binlog_stmt_cache_size" is allowed with SUPER
+CREATE USER user1@localhost;
+GRANT SUPER ON *.* TO user1@localhost;
+connect user1,localhost,user1,,;
+connection user1;
+SET GLOBAL max_binlog_stmt_cache_size=4096;
+SET max_binlog_stmt_cache_size=4096;
+ERROR HY000: Variable 'max_binlog_stmt_cache_size' is a GLOBAL variable and should be set with SET GLOBAL
+SET SESSION max_binlog_stmt_cache_size=4096;
+ERROR HY000: Variable 'max_binlog_stmt_cache_size' is a GLOBAL variable and should be set with SET GLOBAL
+disconnect user1;
+connection default;
+DROP USER user1@localhost;
+SET @@global.max_binlog_stmt_cache_size=@global;
diff --git a/mysql-test/suite/sys_vars/r/sync_binlog_grant.result b/mysql-test/suite/sys_vars/r/sync_binlog_grant.result
new file mode 100644
index 00000000000..1fcdf8b000e
--- /dev/null
+++ b/mysql-test/suite/sys_vars/r/sync_binlog_grant.result
@@ -0,0 +1,46 @@
+#
+# MDEV-21963 Bind BINLOG ADMIN to a number of global system variables
+#
+SET @global=@@global.sync_binlog;
+# Test that "SET sync_binlog" is not allowed without BINLOG ADMIN or SUPER
+CREATE USER user1@localhost;
+GRANT ALL PRIVILEGES ON *.* TO user1@localhost;
+REVOKE BINLOG ADMIN, SUPER ON *.* FROM user1@localhost;
+connect user1,localhost,user1,,;
+connection user1;
+SET GLOBAL sync_binlog=10;
+ERROR 42000: Access denied; you need (at least one of) the SUPER, BINLOG ADMIN privilege(s) for this operation
+SET sync_binlog=10;
+ERROR HY000: Variable 'sync_binlog' is a GLOBAL variable and should be set with SET GLOBAL
+SET SESSION sync_binlog=10;
+ERROR HY000: Variable 'sync_binlog' is a GLOBAL variable and should be set with SET GLOBAL
+disconnect user1;
+connection default;
+DROP USER user1@localhost;
+# Test that "SET sync_binlog" is allowed with BINLOG ADMIN
+CREATE USER user1@localhost;
+GRANT BINLOG ADMIN ON *.* TO user1@localhost;
+connect user1,localhost,user1,,;
+connection user1;
+SET GLOBAL sync_binlog=10;
+SET sync_binlog=10;
+ERROR HY000: Variable 'sync_binlog' is a GLOBAL variable and should be set with SET GLOBAL
+SET SESSION sync_binlog=10;
+ERROR HY000: Variable 'sync_binlog' is a GLOBAL variable and should be set with SET GLOBAL
+disconnect user1;
+connection default;
+DROP USER user1@localhost;
+# Test that "SET sync_binlog" is allowed with SUPER
+CREATE USER user1@localhost;
+GRANT SUPER ON *.* TO user1@localhost;
+connect user1,localhost,user1,,;
+connection user1;
+SET GLOBAL sync_binlog=10;
+SET sync_binlog=10;
+ERROR HY000: Variable 'sync_binlog' is a GLOBAL variable and should be set with SET GLOBAL
+SET SESSION sync_binlog=10;
+ERROR HY000: Variable 'sync_binlog' is a GLOBAL variable and should be set with SET GLOBAL
+disconnect user1;
+connection default;
+DROP USER user1@localhost;
+SET @@global.sync_binlog=@global;
diff --git a/mysql-test/suite/sys_vars/t/binlog_cache_size_grant.test b/mysql-test/suite/sys_vars/t/binlog_cache_size_grant.test
new file mode 100644
index 00000000000..bad55766f6e
--- /dev/null
+++ b/mysql-test/suite/sys_vars/t/binlog_cache_size_grant.test
@@ -0,0 +1,9 @@
+--echo #
+--echo # MDEV-21963 Bind BINLOG ADMIN to a number of global system variables
+--echo #
+
+--let var = binlog_cache_size
+--let grant = BINLOG ADMIN
+--let value = 65536
+
+--source suite/sys_vars/inc/sysvar_global_grant.inc
diff --git a/mysql-test/suite/sys_vars/t/binlog_commit_wait_count_grant.test b/mysql-test/suite/sys_vars/t/binlog_commit_wait_count_grant.test
new file mode 100644
index 00000000000..5095747ddb1
--- /dev/null
+++ b/mysql-test/suite/sys_vars/t/binlog_commit_wait_count_grant.test
@@ -0,0 +1,9 @@
+--echo #
+--echo # MDEV-21963 Bind BINLOG ADMIN to a number of global system variables
+--echo #
+
+--let var = binlog_commit_wait_count
+--let grant = BINLOG ADMIN
+--let value = 65536
+
+--source suite/sys_vars/inc/sysvar_global_grant.inc
diff --git a/mysql-test/suite/sys_vars/t/binlog_commit_wait_usec_grant.test b/mysql-test/suite/sys_vars/t/binlog_commit_wait_usec_grant.test
new file mode 100644
index 00000000000..87a8cd20e20
--- /dev/null
+++ b/mysql-test/suite/sys_vars/t/binlog_commit_wait_usec_grant.test
@@ -0,0 +1,9 @@
+--echo #
+--echo # MDEV-21963 Bind BINLOG ADMIN to a number of global system variables
+--echo #
+
+--let var = binlog_commit_wait_usec
+--let grant = BINLOG ADMIN
+--let value = 65536
+
+--source suite/sys_vars/inc/sysvar_global_grant.inc
diff --git a/mysql-test/suite/sys_vars/t/binlog_file_cache_size_grant.test b/mysql-test/suite/sys_vars/t/binlog_file_cache_size_grant.test
new file mode 100644
index 00000000000..b6362d14562
--- /dev/null
+++ b/mysql-test/suite/sys_vars/t/binlog_file_cache_size_grant.test
@@ -0,0 +1,9 @@
+--echo #
+--echo # MDEV-21963 Bind BINLOG ADMIN to a number of global system variables
+--echo #
+
+--let var = binlog_file_cache_size
+--let grant = BINLOG ADMIN
+--let value = 65536
+
+--source suite/sys_vars/inc/sysvar_global_grant.inc
diff --git a/mysql-test/suite/sys_vars/t/binlog_row_metadata_grant.test b/mysql-test/suite/sys_vars/t/binlog_row_metadata_grant.test
new file mode 100644
index 00000000000..8dac8218617
--- /dev/null
+++ b/mysql-test/suite/sys_vars/t/binlog_row_metadata_grant.test
@@ -0,0 +1,9 @@
+--echo #
+--echo # MDEV-21963 Bind BINLOG ADMIN to a number of global system variables
+--echo #
+
+--let var = binlog_row_metadata
+--let grant = BINLOG ADMIN
+--let value = NO_LOG
+
+--source suite/sys_vars/inc/sysvar_global_grant.inc
diff --git a/mysql-test/suite/sys_vars/t/binlog_stmt_cache_size_grant.test b/mysql-test/suite/sys_vars/t/binlog_stmt_cache_size_grant.test
new file mode 100644
index 00000000000..9b9afad12b7
--- /dev/null
+++ b/mysql-test/suite/sys_vars/t/binlog_stmt_cache_size_grant.test
@@ -0,0 +1,9 @@
+--echo #
+--echo # MDEV-21963 Bind BINLOG ADMIN to a number of global system variables
+--echo #
+
+--let var = binlog_stmt_cache_size
+--let grant = BINLOG ADMIN
+--let value = 65536
+
+--source suite/sys_vars/inc/sysvar_global_grant.inc
diff --git a/mysql-test/suite/sys_vars/t/expire_logs_days_grant.test b/mysql-test/suite/sys_vars/t/expire_logs_days_grant.test
new file mode 100644
index 00000000000..65099b745f8
--- /dev/null
+++ b/mysql-test/suite/sys_vars/t/expire_logs_days_grant.test
@@ -0,0 +1,9 @@
+--echo #
+--echo # MDEV-21963 Bind BINLOG ADMIN to a number of global system variables
+--echo #
+
+--let var = expire_logs_days
+--let grant = BINLOG ADMIN
+--let value = 33
+
+--source suite/sys_vars/inc/sysvar_global_grant.inc
diff --git a/mysql-test/suite/sys_vars/t/log_bin_compress_grant.test b/mysql-test/suite/sys_vars/t/log_bin_compress_grant.test
new file mode 100644
index 00000000000..3b2c7849948
--- /dev/null
+++ b/mysql-test/suite/sys_vars/t/log_bin_compress_grant.test
@@ -0,0 +1,9 @@
+--echo #
+--echo # MDEV-21963 Bind BINLOG ADMIN to a number of global system variables
+--echo #
+
+--let var = log_bin_compress
+--let grant = BINLOG ADMIN
+--let value = 1
+
+--source suite/sys_vars/inc/sysvar_global_grant.inc
diff --git a/mysql-test/suite/sys_vars/t/log_bin_compress_min_len_grant.test b/mysql-test/suite/sys_vars/t/log_bin_compress_min_len_grant.test
new file mode 100644
index 00000000000..26eff8c9b30
--- /dev/null
+++ b/mysql-test/suite/sys_vars/t/log_bin_compress_min_len_grant.test
@@ -0,0 +1,9 @@
+--echo #
+--echo # MDEV-21963 Bind BINLOG ADMIN to a number of global system variables
+--echo #
+
+--let var = log_bin_compress_min_len
+--let grant = BINLOG ADMIN
+--let value = 512
+
+--source suite/sys_vars/inc/sysvar_global_grant.inc
diff --git a/mysql-test/suite/sys_vars/t/log_bin_trust_function_creators_grant.test b/mysql-test/suite/sys_vars/t/log_bin_trust_function_creators_grant.test
new file mode 100644
index 00000000000..0744987e189
--- /dev/null
+++ b/mysql-test/suite/sys_vars/t/log_bin_trust_function_creators_grant.test
@@ -0,0 +1,9 @@
+--echo #
+--echo # MDEV-21963 Bind BINLOG ADMIN to a number of global system variables
+--echo #
+
+--let var = log_bin_trust_function_creators
+--let grant = BINLOG ADMIN
+--let value = 1
+
+--source suite/sys_vars/inc/sysvar_global_grant.inc
diff --git a/mysql-test/suite/sys_vars/t/max_binlog_cache_size_grant.test b/mysql-test/suite/sys_vars/t/max_binlog_cache_size_grant.test
new file mode 100644
index 00000000000..ae1178ca82c
--- /dev/null
+++ b/mysql-test/suite/sys_vars/t/max_binlog_cache_size_grant.test
@@ -0,0 +1,9 @@
+--echo #
+--echo # MDEV-21963 Bind BINLOG ADMIN to a number of global system variables
+--echo #
+
+--let var = max_binlog_cache_size
+--let grant = BINLOG ADMIN
+--let value = 4096
+
+--source suite/sys_vars/inc/sysvar_global_grant.inc
diff --git a/mysql-test/suite/sys_vars/t/max_binlog_size_grant.test b/mysql-test/suite/sys_vars/t/max_binlog_size_grant.test
new file mode 100644
index 00000000000..05b7b2669fd
--- /dev/null
+++ b/mysql-test/suite/sys_vars/t/max_binlog_size_grant.test
@@ -0,0 +1,9 @@
+--echo #
+--echo # MDEV-21963 Bind BINLOG ADMIN to a number of global system variables
+--echo #
+
+--let var = max_binlog_size
+--let grant = BINLOG ADMIN
+--let value = 4096
+
+--source suite/sys_vars/inc/sysvar_global_grant.inc
diff --git a/mysql-test/suite/sys_vars/t/max_binlog_stmt_cache_size_grant.test b/mysql-test/suite/sys_vars/t/max_binlog_stmt_cache_size_grant.test
new file mode 100644
index 00000000000..d9decb6e40f
--- /dev/null
+++ b/mysql-test/suite/sys_vars/t/max_binlog_stmt_cache_size_grant.test
@@ -0,0 +1,9 @@
+--echo #
+--echo # MDEV-21963 Bind BINLOG ADMIN to a number of global system variables
+--echo #
+
+--let var = max_binlog_stmt_cache_size
+--let grant = BINLOG ADMIN
+--let value = 4096
+
+--source suite/sys_vars/inc/sysvar_global_grant.inc
diff --git a/mysql-test/suite/sys_vars/t/sync_binlog_grant.test b/mysql-test/suite/sys_vars/t/sync_binlog_grant.test
new file mode 100644
index 00000000000..114be48e19f
--- /dev/null
+++ b/mysql-test/suite/sys_vars/t/sync_binlog_grant.test
@@ -0,0 +1,9 @@
+--echo #
+--echo # MDEV-21963 Bind BINLOG ADMIN to a number of global system variables
+--echo #
+
+--let var = sync_binlog
+--let grant = BINLOG ADMIN
+--let value = 10
+
+--source suite/sys_vars/inc/sysvar_global_grant.inc
diff --git a/sql/privilege.h b/sql/privilege.h
index 6d5612e5c4b..fef44315d4f 100644
--- a/sql/privilege.h
+++ b/sql/privilege.h
@@ -318,11 +318,56 @@ constexpr privilege_t PRIV_SET_RESTRICTED_SESSION_SYSTEM_VARIABLE= SUPER_ACL;
 /* The following variables respected only SUPER_ACL prior to 10.5.2 */
 constexpr privilege_t PRIV_SET_SYSTEM_VAR_BINLOG_FORMAT=
   SUPER_ACL | BINLOG_ADMIN_ACL;
+
 constexpr privilege_t PRIV_SET_SYSTEM_VAR_BINLOG_DIRECT_NON_TRANSACTIONAL_UPDATES=
   SUPER_ACL | BINLOG_ADMIN_ACL;
+
 constexpr privilege_t PRIV_SET_SYSTEM_VAR_SQL_LOG_BIN=
   SUPER_ACL | BINLOG_ADMIN_ACL;
 
+constexpr privilege_t PRIV_SET_SYSTEM_GLOBAL_VAR_BINLOG_CACHE_SIZE=
+  SUPER_ACL | BINLOG_ADMIN_ACL;
+
+constexpr privilege_t PRIV_SET_SYSTEM_GLOBAL_VAR_BINLOG_FILE_CACHE_SIZE=
+  SUPER_ACL | BINLOG_ADMIN_ACL;
+
+constexpr privilege_t PRIV_SET_SYSTEM_GLOBAL_VAR_BINLOG_STMT_CACHE_SIZE=
+  SUPER_ACL | BINLOG_ADMIN_ACL;
+
+constexpr privilege_t PRIV_SET_SYSTEM_GLOBAL_VAR_BINLOG_COMMIT_WAIT_COUNT=
+  SUPER_ACL | BINLOG_ADMIN_ACL;
+
+constexpr privilege_t PRIV_SET_SYSTEM_GLOBAL_VAR_BINLOG_COMMIT_WAIT_USEC=
+  SUPER_ACL | BINLOG_ADMIN_ACL;
+
+constexpr privilege_t PRIV_SET_SYSTEM_GLOBAL_VAR_BINLOG_ROW_METADATA=
+  SUPER_ACL | BINLOG_ADMIN_ACL;
+
+constexpr privilege_t PRIV_SET_SYSTEM_GLOBAL_VAR_EXPIRE_LOGS_DAYS=
+  SUPER_ACL | BINLOG_ADMIN_ACL;
+
+constexpr privilege_t PRIV_SET_SYSTEM_GLOBAL_VAR_LOG_BIN_COMPRESS=
+  SUPER_ACL | BINLOG_ADMIN_ACL;
+
+constexpr privilege_t PRIV_SET_SYSTEM_GLOBAL_VAR_LOG_BIN_COMPRESS_MIN_LEN=
+  SUPER_ACL | BINLOG_ADMIN_ACL;
+
+constexpr privilege_t PRIV_SET_SYSTEM_GLOBAL_VAR_LOG_BIN_TRUST_FUNCTION_CREATORS=
+  SUPER_ACL | BINLOG_ADMIN_ACL;
+
+constexpr privilege_t PRIV_SET_SYSTEM_GLOBAL_VAR_MAX_BINLOG_CACHE_SIZE=
+  SUPER_ACL | BINLOG_ADMIN_ACL;
+
+constexpr privilege_t PRIV_SET_SYSTEM_GLOBAL_VAR_MAX_BINLOG_STMT_CACHE_SIZE=
+  SUPER_ACL | BINLOG_ADMIN_ACL;
+
+constexpr privilege_t PRIV_SET_SYSTEM_GLOBAL_VAR_MAX_BINLOG_SIZE=
+  SUPER_ACL | BINLOG_ADMIN_ACL;
+
+constexpr privilege_t PRIV_SET_SYSTEM_GLOBAL_VAR_SYNC_BINLOG=
+  SUPER_ACL | BINLOG_ADMIN_ACL;
+
+
 
 /* Privileges related to --read-only */
 // Was super prior to 10.5.2
diff --git a/sql/sys_vars.cc b/sql/sys_vars.cc
index 4d5c7a3c18d..87e7da9dedd 100644
--- a/sql/sys_vars.cc
+++ b/sql/sys_vars.cc
@@ -526,7 +526,9 @@ static Sys_var_enum Sys_vers_alter_history(
        SESSION_VAR(vers_alter_history), CMD_LINE(REQUIRED_ARG),
        vers_alter_history_keywords, DEFAULT(VERS_ALTER_HISTORY_ERROR));
 
-static Sys_var_ulonglong Sys_binlog_cache_size(
+static Sys_var_on_access_global<Sys_var_ulonglong,
+                                PRIV_SET_SYSTEM_GLOBAL_VAR_BINLOG_CACHE_SIZE>
+Sys_binlog_cache_size(
        "binlog_cache_size", "The size of the transactional cache for "
        "updates to transactional engines for the binary log. "
        "If you often use transactions containing many statements, "
@@ -535,14 +537,18 @@ static Sys_var_ulonglong Sys_binlog_cache_size(
        CMD_LINE(REQUIRED_ARG),
        VALID_RANGE(IO_SIZE, SIZE_T_MAX), DEFAULT(32768), BLOCK_SIZE(IO_SIZE));
 
-static Sys_var_ulonglong  Sys_binlog_file_cache_size(
+static Sys_var_on_access_global<Sys_var_ulonglong,
+                                PRIV_SET_SYSTEM_GLOBAL_VAR_BINLOG_FILE_CACHE_SIZE>
+Sys_binlog_file_cache_size(
        "binlog_file_cache_size", 
        "The size of file cache for the binary log", 
        GLOBAL_VAR(binlog_file_cache_size),
        CMD_LINE(REQUIRED_ARG),
        VALID_RANGE(IO_SIZE*2, SIZE_T_MAX), DEFAULT(IO_SIZE*4), BLOCK_SIZE(IO_SIZE));
 
-static Sys_var_ulonglong Sys_binlog_stmt_cache_size(
+static Sys_var_on_access_global<Sys_var_ulonglong,
+                             PRIV_SET_SYSTEM_GLOBAL_VAR_BINLOG_STMT_CACHE_SIZE>
+Sys_binlog_stmt_cache_size(
        "binlog_stmt_cache_size", "The size of the statement cache for "
        "updates to non-transactional engines for the binary log. "
        "If you often use statements updating a great number of rows, "
@@ -1150,7 +1156,9 @@ static Sys_var_enum Sys_event_scheduler(
        ON_CHECK(event_scheduler_check), ON_UPDATE(event_scheduler_update));
 #endif
 
-static Sys_var_ulong Sys_expire_logs_days(
+static Sys_var_on_access_global<Sys_var_ulong,
+                                PRIV_SET_SYSTEM_GLOBAL_VAR_EXPIRE_LOGS_DAYS>
+Sys_expire_logs_days(
        "expire_logs_days",
        "If non-zero, binary logs will be purged after expire_logs_days "
        "days; possible purges happen at startup and at binary log rotation",
@@ -1393,19 +1401,25 @@ static Sys_var_mybool Sys_log_bin(
        "log_bin", "Whether the binary log is enabled",
        READ_ONLY GLOBAL_VAR(opt_bin_log), NO_CMD_LINE, DEFAULT(FALSE));
 
-static Sys_var_mybool Sys_log_bin_compress(
+static Sys_var_on_access_global<Sys_var_mybool,
+                            PRIV_SET_SYSTEM_GLOBAL_VAR_LOG_BIN_COMPRESS>
+Sys_log_bin_compress(
   "log_bin_compress", "Whether the binary log can be compressed",
   GLOBAL_VAR(opt_bin_log_compress), CMD_LINE(OPT_ARG), DEFAULT(FALSE));
 
 /* the min length is 10, means that Begin/Commit/Rollback would never be compressed!   */
-static Sys_var_uint Sys_log_bin_compress_min_len(
+static Sys_var_on_access_global<Sys_var_uint,
+                            PRIV_SET_SYSTEM_GLOBAL_VAR_LOG_BIN_COMPRESS_MIN_LEN>
+Sys_log_bin_compress_min_len(
   "log_bin_compress_min_len",
   "Minimum length of sql statement(in statement mode) or record(in row mode)"
   "that can be compressed.",
   GLOBAL_VAR(opt_bin_log_compress_min_len),
   CMD_LINE(OPT_ARG), VALID_RANGE(10, 1024), DEFAULT(256), BLOCK_SIZE(1));
 
-static Sys_var_mybool Sys_trust_function_creators(
+static Sys_var_on_access_global<Sys_var_mybool,
+                    PRIV_SET_SYSTEM_GLOBAL_VAR_LOG_BIN_TRUST_FUNCTION_CREATORS>
+Sys_trust_function_creators(
        "log_bin_trust_function_creators",
        "If set to FALSE (the default), then when --log-bin is used, creation "
        "of a stored function (or trigger) is allowed only to users having the "
@@ -1586,14 +1600,18 @@ static Sys_var_ulong Sys_slave_max_allowed_packet(
        VALID_RANGE(1024, MAX_MAX_ALLOWED_PACKET),
        DEFAULT(MAX_MAX_ALLOWED_PACKET), BLOCK_SIZE(1024));
 
-static Sys_var_ulonglong Sys_max_binlog_cache_size(
+static Sys_var_on_access_global<Sys_var_ulonglong,
+                              PRIV_SET_SYSTEM_GLOBAL_VAR_MAX_BINLOG_CACHE_SIZE>
+Sys_max_binlog_cache_size(
        "max_binlog_cache_size",
        "Sets the total size of the transactional cache",
        GLOBAL_VAR(max_binlog_cache_size), CMD_LINE(REQUIRED_ARG),
        VALID_RANGE(IO_SIZE, SIZE_T_MAX),
        DEFAULT((SIZE_T_MAX/IO_SIZE)*IO_SIZE), BLOCK_SIZE(IO_SIZE));
 
-static Sys_var_ulonglong Sys_max_binlog_stmt_cache_size(
+static Sys_var_on_access_global<Sys_var_ulonglong,
+                       PRIV_SET_SYSTEM_GLOBAL_VAR_MAX_BINLOG_STMT_CACHE_SIZE>
+Sys_max_binlog_stmt_cache_size(
        "max_binlog_stmt_cache_size",
        "Sets the total size of the statement cache",
        GLOBAL_VAR(max_binlog_stmt_cache_size), CMD_LINE(REQUIRED_ARG),
@@ -1605,7 +1623,9 @@ static bool fix_max_binlog_size(sys_var *self, THD *thd, enum_var_type type)
   mysql_bin_log.set_max_size(max_binlog_size);
   return false;
 }
-static Sys_var_ulong Sys_max_binlog_size(
+static Sys_var_on_access_global<Sys_var_ulong,
+                                PRIV_SET_SYSTEM_GLOBAL_VAR_MAX_BINLOG_SIZE>
+Sys_max_binlog_size(
        "max_binlog_size",
        "Binary log will be rotated automatically when the size exceeds this "
        "value.",
@@ -2346,7 +2366,9 @@ static Sys_var_mybool Sys_gtid_ignore_duplicates(
 #endif
 
 
-static Sys_var_ulong Sys_binlog_commit_wait_count(
+static Sys_var_on_access_global<Sys_var_ulong,
+                           PRIV_SET_SYSTEM_GLOBAL_VAR_BINLOG_COMMIT_WAIT_COUNT>
+Sys_binlog_commit_wait_count(
        "binlog_commit_wait_count",
        "If non-zero, binlog write will wait at most binlog_commit_wait_usec "
        "microseconds for at least this many commits to queue up for group "
@@ -2357,7 +2379,9 @@ static Sys_var_ulong Sys_binlog_commit_wait_count(
        VALID_RANGE(0, ULONG_MAX), DEFAULT(0), BLOCK_SIZE(1));
 
 
-static Sys_var_ulong Sys_binlog_commit_wait_usec(
+static Sys_var_on_access_global<Sys_var_ulong,
+                            PRIV_SET_SYSTEM_GLOBAL_VAR_BINLOG_COMMIT_WAIT_USEC>
+Sys_binlog_commit_wait_usec(
        "binlog_commit_wait_usec",
        "Maximum time, in microseconds, to wait for more commits to queue up "
        "for binlog group commit. Only takes effect if the value of "
@@ -5408,7 +5432,9 @@ static Sys_var_uint Sys_sync_relayloginfo_period(
        VALID_RANGE(0, UINT_MAX), DEFAULT(10000), BLOCK_SIZE(1));
 #endif
 
-static Sys_var_uint Sys_sync_binlog_period(
+static Sys_var_on_access_global<Sys_var_uint,
+                                PRIV_SET_SYSTEM_GLOBAL_VAR_SYNC_BINLOG>
+Sys_sync_binlog_period(
        "sync_binlog", "Synchronously flush binary log to disk after "
        "every #th event. Use 0 (default) to disable synchronous flushing",
        GLOBAL_VAR(sync_binlog_period), CMD_LINE(REQUIRED_ARG),
@@ -6348,7 +6374,9 @@ static Sys_var_enum Sys_binlog_row_image(
        binlog_row_image_names, DEFAULT(BINLOG_ROW_IMAGE_FULL));
 
 static const char *binlog_row_metadata_names[]= {"NO_LOG", "MINIMAL", "FULL", NullS};
-static Sys_var_enum Sys_binlog_row_metadata(
+static Sys_var_on_access_global<Sys_var_enum,
+                                PRIV_SET_SYSTEM_GLOBAL_VAR_BINLOG_ROW_METADATA>
+Sys_binlog_row_metadata(
        "binlog_row_metadata",
        "Controls whether metadata is logged using FULL , MINIMAL format and NO_LOG."
        "FULL causes all metadata to be logged; MINIMAL means that only "
author	Alexander Barkov <bar@mariadb.com>	2020-03-17 19:08:28 +0400
committer	Alexander Barkov <bar@mariadb.com>	2020-03-17 19:08:28 +0400
commit	90b7ac28a917fde7bceed573956aa4c668c7685b (patch)
tree	0285afba839a1090e2acd600bc581c8de2b52e14
parent	dec14dcffe08c0284daac4f93cd750956b15ca47 (diff)
download	mariadb-git-90b7ac28a917fde7bceed573956aa4c668c7685b.tar.gz