diff options
author | Alexander Barkov <bar@mariadb.com> | 2020-03-18 17:14:07 +0400 |
---|---|---|
committer | Alexander Barkov <bar@mariadb.com> | 2020-03-18 17:14:07 +0400 |
commit | 68f390e598e71e52a3695dada12d1347892f2028 (patch) | |
tree | d4af8533b1ff40947baae033a72fba047e70563f | |
parent | 305cffebaba7a81fcc12f0c7511ffe639cb9b0d2 (diff) | |
download | mariadb-git-68f390e598e71e52a3695dada12d1347892f2028.tar.gz |
MDEV-21973 Bind REPLICATION {MASTER|SLAVE} ADMIN to gtid_* GLOBAL-only system variables
-rw-r--r-- | mysql-test/suite/sys_vars/r/gtid_binlog_state_grant.result | 46 | ||||
-rw-r--r-- | mysql-test/suite/sys_vars/r/gtid_cleanup_batch_size_grant.result | 46 | ||||
-rw-r--r-- | mysql-test/suite/sys_vars/r/gtid_ignore_duplicates_grant.result | 46 | ||||
-rw-r--r-- | mysql-test/suite/sys_vars/r/gtid_pos_auto_engines_grant.result | 46 | ||||
-rw-r--r-- | mysql-test/suite/sys_vars/r/gtid_slave_pos_grant.result | 46 | ||||
-rw-r--r-- | mysql-test/suite/sys_vars/r/gtid_strict_mode_grant.result | 46 | ||||
-rw-r--r-- | mysql-test/suite/sys_vars/t/gtid_binlog_state_grant.test | 67 | ||||
-rw-r--r-- | mysql-test/suite/sys_vars/t/gtid_cleanup_batch_size_grant.test | 9 | ||||
-rw-r--r-- | mysql-test/suite/sys_vars/t/gtid_ignore_duplicates_grant.test | 9 | ||||
-rw-r--r-- | mysql-test/suite/sys_vars/t/gtid_pos_auto_engines_grant.test | 9 | ||||
-rw-r--r-- | mysql-test/suite/sys_vars/t/gtid_slave_pos_grant.test | 9 | ||||
-rw-r--r-- | mysql-test/suite/sys_vars/t/gtid_strict_mode_grant.test | 9 | ||||
-rw-r--r-- | sql/privilege.h | 14 | ||||
-rw-r--r-- | sql/sys_vars.cc | 16 | ||||
-rw-r--r-- | sql/sys_vars.ic | 9 |
15 files changed, 423 insertions, 4 deletions
diff --git a/mysql-test/suite/sys_vars/r/gtid_binlog_state_grant.result b/mysql-test/suite/sys_vars/r/gtid_binlog_state_grant.result new file mode 100644 index 00000000000..0ccf610cc28 --- /dev/null +++ b/mysql-test/suite/sys_vars/r/gtid_binlog_state_grant.result @@ -0,0 +1,46 @@ +# +# MDEV-21973 Bind REPLICATION {MASTER|SLAVE} ADMIN to gtid_* GLOBAL-only system variables +# +# Test that "SET gtid_binlog_state" is not allowed without REPLICATION MASTER ADMIN or SUPER +CREATE USER user1@localhost; +GRANT ALL PRIVILEGES ON *.* TO user1@localhost; +REVOKE REPLICATION MASTER ADMIN, SUPER ON *.* FROM user1@localhost; +connect user1,localhost,user1,,; +connection user1; +SET GLOBAL gtid_binlog_state='0-1-10'; +ERROR 42000: Access denied; you need (at least one of) the SUPER, REPLICATION MASTER ADMIN privilege(s) for this operation +SET gtid_binlog_state='0-1-10'; +ERROR HY000: Variable 'gtid_binlog_state' is a GLOBAL variable and should be set with SET GLOBAL +SET SESSION gtid_binlog_state='0-1-10'; +ERROR HY000: Variable 'gtid_binlog_state' is a GLOBAL variable and should be set with SET GLOBAL +disconnect user1; +connection default; +DROP USER user1@localhost; +# Test that "SET gtid_binlog_state" is allowed with REPLICATION MASTER ADMIN +CREATE USER user1@localhost; +GRANT REPLICATION MASTER ADMIN ON *.* TO user1@localhost; +connect user1,localhost,user1,,; +connection user1; +SET GLOBAL gtid_binlog_state='0-1-10'; +ERROR HY000: Binlog closed, cannot RESET MASTER +SET gtid_binlog_state='0-1-10'; +ERROR HY000: Variable 'gtid_binlog_state' is a GLOBAL variable and should be set with SET GLOBAL +SET SESSION gtid_binlog_state='0-1-10'; +ERROR HY000: Variable 'gtid_binlog_state' is a GLOBAL variable and should be set with SET GLOBAL +disconnect user1; +connection default; +DROP USER user1@localhost; +# Test that "SET gtid_binlog_state" is allowed with SUPER +CREATE USER user1@localhost; +GRANT SUPER ON *.* TO user1@localhost; +connect user1,localhost,user1,,; +connection user1; +SET GLOBAL gtid_binlog_state='0-1-10'; +ERROR HY000: Binlog closed, cannot RESET MASTER +SET gtid_binlog_state='0-1-10'; +ERROR HY000: Variable 'gtid_binlog_state' is a GLOBAL variable and should be set with SET GLOBAL +SET SESSION gtid_binlog_state='0-1-10'; +ERROR HY000: Variable 'gtid_binlog_state' is a GLOBAL variable and should be set with SET GLOBAL +disconnect user1; +connection default; +DROP USER user1@localhost; diff --git a/mysql-test/suite/sys_vars/r/gtid_cleanup_batch_size_grant.result b/mysql-test/suite/sys_vars/r/gtid_cleanup_batch_size_grant.result new file mode 100644 index 00000000000..326fb47d48c --- /dev/null +++ b/mysql-test/suite/sys_vars/r/gtid_cleanup_batch_size_grant.result @@ -0,0 +1,46 @@ +# +# MDEV-21973 Bind REPLICATION {MASTER|SLAVE} ADMIN to gtid_* GLOBAL-only system variables +# +SET @global=@@global.gtid_cleanup_batch_size; +# Test that "SET gtid_cleanup_batch_size" is not allowed without REPLICATION SLAVE ADMIN or SUPER +CREATE USER user1@localhost; +GRANT ALL PRIVILEGES ON *.* TO user1@localhost; +REVOKE REPLICATION SLAVE ADMIN, SUPER ON *.* FROM user1@localhost; +connect user1,localhost,user1,,; +connection user1; +SET GLOBAL gtid_cleanup_batch_size=1; +ERROR 42000: Access denied; you need (at least one of) the SUPER, REPLICATION SLAVE ADMIN privilege(s) for this operation +SET gtid_cleanup_batch_size=1; +ERROR HY000: Variable 'gtid_cleanup_batch_size' is a GLOBAL variable and should be set with SET GLOBAL +SET SESSION gtid_cleanup_batch_size=1; +ERROR HY000: Variable 'gtid_cleanup_batch_size' is a GLOBAL variable and should be set with SET GLOBAL +disconnect user1; +connection default; +DROP USER user1@localhost; +# Test that "SET gtid_cleanup_batch_size" is allowed with REPLICATION SLAVE ADMIN +CREATE USER user1@localhost; +GRANT REPLICATION SLAVE ADMIN ON *.* TO user1@localhost; +connect user1,localhost,user1,,; +connection user1; +SET GLOBAL gtid_cleanup_batch_size=1; +SET gtid_cleanup_batch_size=1; +ERROR HY000: Variable 'gtid_cleanup_batch_size' is a GLOBAL variable and should be set with SET GLOBAL +SET SESSION gtid_cleanup_batch_size=1; +ERROR HY000: Variable 'gtid_cleanup_batch_size' is a GLOBAL variable and should be set with SET GLOBAL +disconnect user1; +connection default; +DROP USER user1@localhost; +# Test that "SET gtid_cleanup_batch_size" is allowed with SUPER +CREATE USER user1@localhost; +GRANT SUPER ON *.* TO user1@localhost; +connect user1,localhost,user1,,; +connection user1; +SET GLOBAL gtid_cleanup_batch_size=1; +SET gtid_cleanup_batch_size=1; +ERROR HY000: Variable 'gtid_cleanup_batch_size' is a GLOBAL variable and should be set with SET GLOBAL +SET SESSION gtid_cleanup_batch_size=1; +ERROR HY000: Variable 'gtid_cleanup_batch_size' is a GLOBAL variable and should be set with SET GLOBAL +disconnect user1; +connection default; +DROP USER user1@localhost; +SET @@global.gtid_cleanup_batch_size=@global; diff --git a/mysql-test/suite/sys_vars/r/gtid_ignore_duplicates_grant.result b/mysql-test/suite/sys_vars/r/gtid_ignore_duplicates_grant.result new file mode 100644 index 00000000000..f4c95fb6192 --- /dev/null +++ b/mysql-test/suite/sys_vars/r/gtid_ignore_duplicates_grant.result @@ -0,0 +1,46 @@ +# +# MDEV-21973 Bind REPLICATION {MASTER|SLAVE} ADMIN to gtid_* GLOBAL-only system variables +# +SET @global=@@global.gtid_ignore_duplicates; +# Test that "SET gtid_ignore_duplicates" is not allowed without REPLICATION SLAVE ADMIN or SUPER +CREATE USER user1@localhost; +GRANT ALL PRIVILEGES ON *.* TO user1@localhost; +REVOKE REPLICATION SLAVE ADMIN, SUPER ON *.* FROM user1@localhost; +connect user1,localhost,user1,,; +connection user1; +SET GLOBAL gtid_ignore_duplicates=1; +ERROR 42000: Access denied; you need (at least one of) the SUPER, REPLICATION SLAVE ADMIN privilege(s) for this operation +SET gtid_ignore_duplicates=1; +ERROR HY000: Variable 'gtid_ignore_duplicates' is a GLOBAL variable and should be set with SET GLOBAL +SET SESSION gtid_ignore_duplicates=1; +ERROR HY000: Variable 'gtid_ignore_duplicates' is a GLOBAL variable and should be set with SET GLOBAL +disconnect user1; +connection default; +DROP USER user1@localhost; +# Test that "SET gtid_ignore_duplicates" is allowed with REPLICATION SLAVE ADMIN +CREATE USER user1@localhost; +GRANT REPLICATION SLAVE ADMIN ON *.* TO user1@localhost; +connect user1,localhost,user1,,; +connection user1; +SET GLOBAL gtid_ignore_duplicates=1; +SET gtid_ignore_duplicates=1; +ERROR HY000: Variable 'gtid_ignore_duplicates' is a GLOBAL variable and should be set with SET GLOBAL +SET SESSION gtid_ignore_duplicates=1; +ERROR HY000: Variable 'gtid_ignore_duplicates' is a GLOBAL variable and should be set with SET GLOBAL +disconnect user1; +connection default; +DROP USER user1@localhost; +# Test that "SET gtid_ignore_duplicates" is allowed with SUPER +CREATE USER user1@localhost; +GRANT SUPER ON *.* TO user1@localhost; +connect user1,localhost,user1,,; +connection user1; +SET GLOBAL gtid_ignore_duplicates=1; +SET gtid_ignore_duplicates=1; +ERROR HY000: Variable 'gtid_ignore_duplicates' is a GLOBAL variable and should be set with SET GLOBAL +SET SESSION gtid_ignore_duplicates=1; +ERROR HY000: Variable 'gtid_ignore_duplicates' is a GLOBAL variable and should be set with SET GLOBAL +disconnect user1; +connection default; +DROP USER user1@localhost; +SET @@global.gtid_ignore_duplicates=@global; diff --git a/mysql-test/suite/sys_vars/r/gtid_pos_auto_engines_grant.result b/mysql-test/suite/sys_vars/r/gtid_pos_auto_engines_grant.result new file mode 100644 index 00000000000..60fae07cf7c --- /dev/null +++ b/mysql-test/suite/sys_vars/r/gtid_pos_auto_engines_grant.result @@ -0,0 +1,46 @@ +# +# MDEV-21973 Bind REPLICATION {MASTER|SLAVE} ADMIN to gtid_* GLOBAL-only system variables +# +SET @global=@@global.gtid_pos_auto_engines; +# Test that "SET gtid_pos_auto_engines" is not allowed without REPLICATION SLAVE ADMIN or SUPER +CREATE USER user1@localhost; +GRANT ALL PRIVILEGES ON *.* TO user1@localhost; +REVOKE REPLICATION SLAVE ADMIN, SUPER ON *.* FROM user1@localhost; +connect user1,localhost,user1,,; +connection user1; +SET GLOBAL gtid_pos_auto_engines=''; +ERROR 42000: Access denied; you need (at least one of) the SUPER, REPLICATION SLAVE ADMIN privilege(s) for this operation +SET gtid_pos_auto_engines=''; +ERROR HY000: Variable 'gtid_pos_auto_engines' is a GLOBAL variable and should be set with SET GLOBAL +SET SESSION gtid_pos_auto_engines=''; +ERROR HY000: Variable 'gtid_pos_auto_engines' is a GLOBAL variable and should be set with SET GLOBAL +disconnect user1; +connection default; +DROP USER user1@localhost; +# Test that "SET gtid_pos_auto_engines" is allowed with REPLICATION SLAVE ADMIN +CREATE USER user1@localhost; +GRANT REPLICATION SLAVE ADMIN ON *.* TO user1@localhost; +connect user1,localhost,user1,,; +connection user1; +SET GLOBAL gtid_pos_auto_engines=''; +SET gtid_pos_auto_engines=''; +ERROR HY000: Variable 'gtid_pos_auto_engines' is a GLOBAL variable and should be set with SET GLOBAL +SET SESSION gtid_pos_auto_engines=''; +ERROR HY000: Variable 'gtid_pos_auto_engines' is a GLOBAL variable and should be set with SET GLOBAL +disconnect user1; +connection default; +DROP USER user1@localhost; +# Test that "SET gtid_pos_auto_engines" is allowed with SUPER +CREATE USER user1@localhost; +GRANT SUPER ON *.* TO user1@localhost; +connect user1,localhost,user1,,; +connection user1; +SET GLOBAL gtid_pos_auto_engines=''; +SET gtid_pos_auto_engines=''; +ERROR HY000: Variable 'gtid_pos_auto_engines' is a GLOBAL variable and should be set with SET GLOBAL +SET SESSION gtid_pos_auto_engines=''; +ERROR HY000: Variable 'gtid_pos_auto_engines' is a GLOBAL variable and should be set with SET GLOBAL +disconnect user1; +connection default; +DROP USER user1@localhost; +SET @@global.gtid_pos_auto_engines=@global; diff --git a/mysql-test/suite/sys_vars/r/gtid_slave_pos_grant.result b/mysql-test/suite/sys_vars/r/gtid_slave_pos_grant.result new file mode 100644 index 00000000000..52918706e3f --- /dev/null +++ b/mysql-test/suite/sys_vars/r/gtid_slave_pos_grant.result @@ -0,0 +1,46 @@ +# +# MDEV-21973 Bind REPLICATION {MASTER|SLAVE} ADMIN to gtid_* GLOBAL-only system variables +# +SET @global=@@global.gtid_slave_pos; +# Test that "SET gtid_slave_pos" is not allowed without REPLICATION SLAVE ADMIN or SUPER +CREATE USER user1@localhost; +GRANT ALL PRIVILEGES ON *.* TO user1@localhost; +REVOKE REPLICATION SLAVE ADMIN, SUPER ON *.* FROM user1@localhost; +connect user1,localhost,user1,,; +connection user1; +SET GLOBAL gtid_slave_pos=''; +ERROR 42000: Access denied; you need (at least one of) the SUPER, REPLICATION SLAVE ADMIN privilege(s) for this operation +SET gtid_slave_pos=''; +ERROR HY000: Variable 'gtid_slave_pos' is a GLOBAL variable and should be set with SET GLOBAL +SET SESSION gtid_slave_pos=''; +ERROR HY000: Variable 'gtid_slave_pos' is a GLOBAL variable and should be set with SET GLOBAL +disconnect user1; +connection default; +DROP USER user1@localhost; +# Test that "SET gtid_slave_pos" is allowed with REPLICATION SLAVE ADMIN +CREATE USER user1@localhost; +GRANT REPLICATION SLAVE ADMIN ON *.* TO user1@localhost; +connect user1,localhost,user1,,; +connection user1; +SET GLOBAL gtid_slave_pos=''; +SET gtid_slave_pos=''; +ERROR HY000: Variable 'gtid_slave_pos' is a GLOBAL variable and should be set with SET GLOBAL +SET SESSION gtid_slave_pos=''; +ERROR HY000: Variable 'gtid_slave_pos' is a GLOBAL variable and should be set with SET GLOBAL +disconnect user1; +connection default; +DROP USER user1@localhost; +# Test that "SET gtid_slave_pos" is allowed with SUPER +CREATE USER user1@localhost; +GRANT SUPER ON *.* TO user1@localhost; +connect user1,localhost,user1,,; +connection user1; +SET GLOBAL gtid_slave_pos=''; +SET gtid_slave_pos=''; +ERROR HY000: Variable 'gtid_slave_pos' is a GLOBAL variable and should be set with SET GLOBAL +SET SESSION gtid_slave_pos=''; +ERROR HY000: Variable 'gtid_slave_pos' is a GLOBAL variable and should be set with SET GLOBAL +disconnect user1; +connection default; +DROP USER user1@localhost; +SET @@global.gtid_slave_pos=@global; diff --git a/mysql-test/suite/sys_vars/r/gtid_strict_mode_grant.result b/mysql-test/suite/sys_vars/r/gtid_strict_mode_grant.result new file mode 100644 index 00000000000..0ea4d0ab0b3 --- /dev/null +++ b/mysql-test/suite/sys_vars/r/gtid_strict_mode_grant.result @@ -0,0 +1,46 @@ +# +# MDEV-21973 Bind REPLICATION {MASTER|SLAVE} ADMIN to gtid_* GLOBAL-only system variables +# +SET @global=@@global.gtid_strict_mode; +# Test that "SET gtid_strict_mode" is not allowed without REPLICATION SLAVE ADMIN or SUPER +CREATE USER user1@localhost; +GRANT ALL PRIVILEGES ON *.* TO user1@localhost; +REVOKE REPLICATION SLAVE ADMIN, SUPER ON *.* FROM user1@localhost; +connect user1,localhost,user1,,; +connection user1; +SET GLOBAL gtid_strict_mode=1; +ERROR 42000: Access denied; you need (at least one of) the SUPER, REPLICATION SLAVE ADMIN privilege(s) for this operation +SET gtid_strict_mode=1; +ERROR HY000: Variable 'gtid_strict_mode' is a GLOBAL variable and should be set with SET GLOBAL +SET SESSION gtid_strict_mode=1; +ERROR HY000: Variable 'gtid_strict_mode' is a GLOBAL variable and should be set with SET GLOBAL +disconnect user1; +connection default; +DROP USER user1@localhost; +# Test that "SET gtid_strict_mode" is allowed with REPLICATION SLAVE ADMIN +CREATE USER user1@localhost; +GRANT REPLICATION SLAVE ADMIN ON *.* TO user1@localhost; +connect user1,localhost,user1,,; +connection user1; +SET GLOBAL gtid_strict_mode=1; +SET gtid_strict_mode=1; +ERROR HY000: Variable 'gtid_strict_mode' is a GLOBAL variable and should be set with SET GLOBAL +SET SESSION gtid_strict_mode=1; +ERROR HY000: Variable 'gtid_strict_mode' is a GLOBAL variable and should be set with SET GLOBAL +disconnect user1; +connection default; +DROP USER user1@localhost; +# Test that "SET gtid_strict_mode" is allowed with SUPER +CREATE USER user1@localhost; +GRANT SUPER ON *.* TO user1@localhost; +connect user1,localhost,user1,,; +connection user1; +SET GLOBAL gtid_strict_mode=1; +SET gtid_strict_mode=1; +ERROR HY000: Variable 'gtid_strict_mode' is a GLOBAL variable and should be set with SET GLOBAL +SET SESSION gtid_strict_mode=1; +ERROR HY000: Variable 'gtid_strict_mode' is a GLOBAL variable and should be set with SET GLOBAL +disconnect user1; +connection default; +DROP USER user1@localhost; +SET @@global.gtid_strict_mode=@global; diff --git a/mysql-test/suite/sys_vars/t/gtid_binlog_state_grant.test b/mysql-test/suite/sys_vars/t/gtid_binlog_state_grant.test new file mode 100644 index 00000000000..b1cfa320c0f --- /dev/null +++ b/mysql-test/suite/sys_vars/t/gtid_binlog_state_grant.test @@ -0,0 +1,67 @@ +--source include/not_embedded.inc + + +--echo # +--echo # MDEV-21973 Bind REPLICATION {MASTER|SLAVE} ADMIN to gtid_* GLOBAL-only system variables +--echo # + +# +# Binlog is not opened in this test. +# So the test returns "access denied" on the lack of privileges, +# or "Binlog closed, cannot RESET MASTER" on success. +# + + +--let var = gtid_binlog_state +--let grant = REPLICATION MASTER ADMIN +--let value = '0-1-10' + + +--echo # Test that "SET $var" is not allowed without $grant or SUPER + +CREATE USER user1@localhost; +GRANT ALL PRIVILEGES ON *.* TO user1@localhost; +--eval REVOKE $grant, SUPER ON *.* FROM user1@localhost +--connect(user1,localhost,user1,,) +--connection user1 +--error ER_SPECIFIC_ACCESS_DENIED_ERROR +--eval SET GLOBAL $var=$value +--error ER_GLOBAL_VARIABLE +--eval SET $var=$value +--error ER_GLOBAL_VARIABLE +--eval SET SESSION $var=$value +--disconnect user1 +--connection default +DROP USER user1@localhost; + +--echo # Test that "SET $var" is allowed with $grant + +CREATE USER user1@localhost; +--eval GRANT $grant ON *.* TO user1@localhost +--connect(user1,localhost,user1,,) +--connection user1 +--error ER_FLUSH_MASTER_BINLOG_CLOSED +--eval SET GLOBAL $var=$value +--error ER_GLOBAL_VARIABLE +--eval SET $var=$value +--error ER_GLOBAL_VARIABLE +--eval SET SESSION $var=$value +--disconnect user1 +--connection default +DROP USER user1@localhost; + +--echo # Test that "SET $var" is allowed with SUPER + +CREATE USER user1@localhost; +GRANT SUPER ON *.* TO user1@localhost; +--connect(user1,localhost,user1,,) +--connection user1 +--error ER_FLUSH_MASTER_BINLOG_CLOSED +--eval SET GLOBAL $var=$value +--error ER_GLOBAL_VARIABLE +--eval SET $var=$value +--error ER_GLOBAL_VARIABLE +--eval SET SESSION $var=$value +--disconnect user1 +--connection default +DROP USER user1@localhost; diff --git a/mysql-test/suite/sys_vars/t/gtid_cleanup_batch_size_grant.test b/mysql-test/suite/sys_vars/t/gtid_cleanup_batch_size_grant.test new file mode 100644 index 00000000000..73e68cc28b4 --- /dev/null +++ b/mysql-test/suite/sys_vars/t/gtid_cleanup_batch_size_grant.test @@ -0,0 +1,9 @@ +--echo # +--echo # MDEV-21973 Bind REPLICATION {MASTER|SLAVE} ADMIN to gtid_* GLOBAL-only system variables +--echo # + +--let var = gtid_cleanup_batch_size +--let grant = REPLICATION SLAVE ADMIN +--let value = 1 + +--source suite/sys_vars/inc/sysvar_global_grant.inc diff --git a/mysql-test/suite/sys_vars/t/gtid_ignore_duplicates_grant.test b/mysql-test/suite/sys_vars/t/gtid_ignore_duplicates_grant.test new file mode 100644 index 00000000000..69e8cb8d3c3 --- /dev/null +++ b/mysql-test/suite/sys_vars/t/gtid_ignore_duplicates_grant.test @@ -0,0 +1,9 @@ +--echo # +--echo # MDEV-21973 Bind REPLICATION {MASTER|SLAVE} ADMIN to gtid_* GLOBAL-only system variables +--echo # + +--let var = gtid_ignore_duplicates +--let grant = REPLICATION SLAVE ADMIN +--let value = 1 + +--source suite/sys_vars/inc/sysvar_global_grant.inc diff --git a/mysql-test/suite/sys_vars/t/gtid_pos_auto_engines_grant.test b/mysql-test/suite/sys_vars/t/gtid_pos_auto_engines_grant.test new file mode 100644 index 00000000000..500f70852a9 --- /dev/null +++ b/mysql-test/suite/sys_vars/t/gtid_pos_auto_engines_grant.test @@ -0,0 +1,9 @@ +--echo # +--echo # MDEV-21973 Bind REPLICATION {MASTER|SLAVE} ADMIN to gtid_* GLOBAL-only system variables +--echo # + +--let var = gtid_pos_auto_engines +--let grant = REPLICATION SLAVE ADMIN +--let value = '' + +--source suite/sys_vars/inc/sysvar_global_grant.inc diff --git a/mysql-test/suite/sys_vars/t/gtid_slave_pos_grant.test b/mysql-test/suite/sys_vars/t/gtid_slave_pos_grant.test new file mode 100644 index 00000000000..e5512847639 --- /dev/null +++ b/mysql-test/suite/sys_vars/t/gtid_slave_pos_grant.test @@ -0,0 +1,9 @@ +--echo # +--echo # MDEV-21973 Bind REPLICATION {MASTER|SLAVE} ADMIN to gtid_* GLOBAL-only system variables +--echo # + +--let var = gtid_slave_pos +--let grant = REPLICATION SLAVE ADMIN +--let value = '' + +--source suite/sys_vars/inc/sysvar_global_grant.inc diff --git a/mysql-test/suite/sys_vars/t/gtid_strict_mode_grant.test b/mysql-test/suite/sys_vars/t/gtid_strict_mode_grant.test new file mode 100644 index 00000000000..18c3cc76e45 --- /dev/null +++ b/mysql-test/suite/sys_vars/t/gtid_strict_mode_grant.test @@ -0,0 +1,9 @@ +--echo # +--echo # MDEV-21973 Bind REPLICATION {MASTER|SLAVE} ADMIN to gtid_* GLOBAL-only system variables +--echo # + +--let var = gtid_strict_mode +--let grant = REPLICATION SLAVE ADMIN +--let value = 1 + +--source suite/sys_vars/inc/sysvar_global_grant.inc diff --git a/sql/privilege.h b/sql/privilege.h index 14750e001e0..bc302abbec7 100644 --- a/sql/privilege.h +++ b/sql/privilege.h @@ -485,6 +485,9 @@ constexpr privilege_t PRIV_SET_SYSTEM_GLOBAL_VAR_RPL_SEMI_SYNC_MASTER_WAIT_POINT constexpr privilege_t PRIV_SET_SYSTEM_GLOBAL_VAR_MASTER_VERIFY_CHECKSUM= REPL_MASTER_ADMIN_ACL | SUPER_ACL; +constexpr privilege_t PRIV_SET_SYSTEM_GLOBAL_VAR_GTID_BINLOG_STATE= + REPL_MASTER_ADMIN_ACL | SUPER_ACL; + /* Privileges for statements that are executed on the slave */ // Was SUPER_ACL prior to 10.5.2 @@ -572,6 +575,17 @@ constexpr privilege_t PRIV_SET_SYSTEM_GLOBAL_VAR_SYNC_RELAY_LOG= constexpr privilege_t PRIV_SET_SYSTEM_GLOBAL_VAR_SYNC_RELAY_LOG_INFO= REPL_SLAVE_ADMIN_ACL | SUPER_ACL; +constexpr privilege_t PRIV_SET_SYSTEM_GLOBAL_VAR_GTID_CLEANUP_BATCH_SIZE= + REPL_SLAVE_ADMIN_ACL | SUPER_ACL; +constexpr privilege_t PRIV_SET_SYSTEM_GLOBAL_VAR_GTID_IGNORE_DUPLICATES= + REPL_SLAVE_ADMIN_ACL | SUPER_ACL; +constexpr privilege_t PRIV_SET_SYSTEM_GLOBAL_VAR_GTID_POS_AUTO_ENGINES= + REPL_SLAVE_ADMIN_ACL | SUPER_ACL; +constexpr privilege_t PRIV_SET_SYSTEM_GLOBAL_VAR_GTID_SLAVE_POS= + REPL_SLAVE_ADMIN_ACL | SUPER_ACL; +constexpr privilege_t PRIV_SET_SYSTEM_GLOBAL_VAR_GTID_STRICT_MODE= + REPL_SLAVE_ADMIN_ACL | SUPER_ACL; + /* Privileges for federated database related statements */ // Was SUPER_ACL prior to 10.5.2 diff --git a/sql/sys_vars.cc b/sql/sys_vars.cc index ff9dbcc8c49..62d34a447e9 100644 --- a/sql/sys_vars.cc +++ b/sql/sys_vars.cc @@ -1982,7 +1982,9 @@ static Sys_var_gtid_slave_pos Sys_gtid_slave_pos( GLOBAL_VAR(opt_gtid_slave_pos_dummy), NO_CMD_LINE); -static Sys_var_mybool Sys_gtid_strict_mode( +static Sys_var_on_access_global<Sys_var_mybool, + PRIV_SET_SYSTEM_GLOBAL_VAR_GTID_STRICT_MODE> +Sys_gtid_strict_mode( "gtid_strict_mode", "Enforce strict seq_no ordering of events in the binary log. Slave " "stops with an error if it encounters an event that would cause it to " @@ -2126,7 +2128,9 @@ Sys_var_last_gtid::session_value_ptr(THD *thd, const LEX_CSTRING *base) } -static Sys_var_uint Sys_gtid_cleanup_batch_size( +static Sys_var_on_access_global<Sys_var_uint, + PRIV_SET_SYSTEM_GLOBAL_VAR_GTID_CLEANUP_BATCH_SIZE> +Sys_gtid_cleanup_batch_size( "gtid_cleanup_batch_size", "Normally does not need tuning. How many old rows must accumulate in " "the mysql.gtid_slave_pos table before a background job will be run to " @@ -2364,7 +2368,9 @@ fix_gtid_ignore_duplicates(sys_var *self, THD *thd, enum_var_type type) } -static Sys_var_mybool Sys_gtid_ignore_duplicates( +static Sys_var_on_access_global<Sys_var_mybool, + PRIV_SET_SYSTEM_GLOBAL_VAR_GTID_IGNORE_DUPLICATES> +Sys_gtid_ignore_duplicates( "gtid_ignore_duplicates", "When set, different master connections in multi-source replication are " "allowed to receive and process event groups with the same GTID (when " @@ -4209,7 +4215,9 @@ check_gtid_pos_auto_engines(sys_var *self, THD *thd, set_var *var) } -static Sys_var_pluginlist Sys_gtid_pos_auto_engines( +static Sys_var_on_access_global<Sys_var_pluginlist, + PRIV_SET_SYSTEM_GLOBAL_VAR_GTID_POS_AUTO_ENGINES> +Sys_gtid_pos_auto_engines( "gtid_pos_auto_engines", "List of engines for which to automatically create a " "mysql.gtid_slave_pos_ENGINE table, if a transaction using that engine " diff --git a/sql/sys_vars.ic b/sql/sys_vars.ic index b61183e1f5a..92d8a80c881 100644 --- a/sql/sys_vars.ic +++ b/sql/sys_vars.ic @@ -2531,6 +2531,10 @@ public: uchar *global_value_ptr(THD *thd, const LEX_CSTRING *base); uchar *default_value_ptr(THD *thd) { return 0; } + bool on_check_access_global(THD *thd) const + { + return check_global_access(thd, PRIV_SET_SYSTEM_GLOBAL_VAR_GTID_SLAVE_POS); + } }; @@ -2573,6 +2577,11 @@ public: uchar *global_value_ptr(THD *thd, const LEX_CSTRING *base); uchar *default_value_ptr(THD *thd) { return 0; } + bool on_check_access_global(THD *thd) const + { + return + check_global_access(thd, PRIV_SET_SYSTEM_GLOBAL_VAR_GTID_BINLOG_STATE); + } }; |