authorAlexander Barkov <bar@mariadb.com>2020-03-17 14:27:52 +0400
committerAlexander Barkov <bar@mariadb.com>2020-03-17 14:27:52 +0400
commitdec14dcffe08c0284daac4f93cd750956b15ca47 (patch)
tree91409e83257701309aefd69f6094f826498d8915
parent513cfd046db8a6503fa02a2ebfbd8963452c4f51 (diff)
downloadmariadb-git-dec14dcffe08c0284daac4f93cd750956b15ca47.tar.gz
MDEV-21961 Bind CONNECTION ADMIN to a number of global system variables
-rw-r--r--mysql-test/suite/sys_vars/r/connect_timeout_grant.result46
-rw-r--r--mysql-test/suite/sys_vars/r/disconnect_on_expired_password_grant.result46
-rw-r--r--mysql-test/suite/sys_vars/r/extra_max_connections_grant.result46
-rw-r--r--mysql-test/suite/sys_vars/r/init_connect_grant.result46
-rw-r--r--mysql-test/suite/sys_vars/r/max_connect_errors_grant.result46
-rw-r--r--mysql-test/suite/sys_vars/r/max_connections_grant.result46
-rw-r--r--mysql-test/suite/sys_vars/r/max_password_errors_grant.result46
-rw-r--r--mysql-test/suite/sys_vars/r/proxy_protocol_networks_grant.result46
-rw-r--r--mysql-test/suite/sys_vars/r/secure_auth_grant.result46
-rw-r--r--mysql-test/suite/sys_vars/r/slow_launch_time_grant.result46
-rw-r--r--mysql-test/suite/sys_vars/r/thread_pool_idle_timeout_grant.result46
-rw-r--r--mysql-test/suite/sys_vars/r/thread_pool_max_threads_grant.result46
-rw-r--r--mysql-test/suite/sys_vars/r/thread_pool_oversubscribe_grant.result46
-rw-r--r--mysql-test/suite/sys_vars/r/thread_pool_stall_limit_grant.result46
-rw-r--r--mysql-test/suite/sys_vars/t/connect_timeout_grant.test56
-rw-r--r--mysql-test/suite/sys_vars/t/disconnect_on_expired_password_grant.test56
-rw-r--r--mysql-test/suite/sys_vars/t/extra_max_connections_grant.test56
-rw-r--r--mysql-test/suite/sys_vars/t/init_connect_grant.test56
-rw-r--r--mysql-test/suite/sys_vars/t/max_connect_errors_grant.test56
-rw-r--r--mysql-test/suite/sys_vars/t/max_connections_grant.test56
-rw-r--r--mysql-test/suite/sys_vars/t/max_password_errors_grant.test56
-rw-r--r--mysql-test/suite/sys_vars/t/proxy_protocol_networks_grant.test56
-rw-r--r--mysql-test/suite/sys_vars/t/secure_auth_grant.test56
-rw-r--r--mysql-test/suite/sys_vars/t/slow_launch_time_grant.test56
-rw-r--r--mysql-test/suite/sys_vars/t/thread_pool_idle_timeout_grant.test57
-rw-r--r--mysql-test/suite/sys_vars/t/thread_pool_max_threads_grant.test57
-rw-r--r--mysql-test/suite/sys_vars/t/thread_pool_oversubscribe_grant.test57
-rw-r--r--mysql-test/suite/sys_vars/t/thread_pool_stall_limit_grant.test57
-rw-r--r--sql/privilege.h35
-rw-r--r--sql/sys_vars.cc85
30 files changed, 1531 insertions, 21 deletions
diff --git a/mysql-test/suite/sys_vars/r/connect_timeout_grant.result b/mysql-test/suite/sys_vars/r/connect_timeout_grant.result
new file mode 100644
index 00000000000..96351490f6f
--- /dev/null
+++ b/mysql-test/suite/sys_vars/r/connect_timeout_grant.result
@@ -0,0 +1,46 @@
+SET @global=@@global.connect_timeout;
+#
+# MDEV-21961 Bind CONNECTION ADMIN to a number of global system variables
+#
+# Test that "SET connect_timeout" is not allowed without CONNECTION ADMIN or SUPER
+CREATE USER user1@localhost;
+GRANT ALL PRIVILEGES ON *.* TO user1@localhost;
+REVOKE CONNECTION ADMIN, SUPER ON *.* FROM user1@localhost;
+connect user1,localhost,user1,,;
+connection user1;
+SET GLOBAL connect_timeout=10;
+ERROR 42000: Access denied; you need (at least one of) the SUPER, CONNECTION ADMIN privilege(s) for this operation
+SET connect_timeout=10;
+ERROR HY000: Variable 'connect_timeout' is a GLOBAL variable and should be set with SET GLOBAL
+SET SESSION connect_timeout=10;
+ERROR HY000: Variable 'connect_timeout' is a GLOBAL variable and should be set with SET GLOBAL
+disconnect user1;
+connection default;
+DROP USER user1@localhost;
+# Test that "SET connect_timeout" is allowed with CONNECTION ADMIN
+CREATE USER user1@localhost;
+GRANT CONNECTION ADMIN ON *.* TO user1@localhost;
+connect user1,localhost,user1,,;
+connection user1;
+SET GLOBAL connect_timeout=10;
+SET connect_timeout=10;
+ERROR HY000: Variable 'connect_timeout' is a GLOBAL variable and should be set with SET GLOBAL
+SET SESSION connect_timeout=10;
+ERROR HY000: Variable 'connect_timeout' is a GLOBAL variable and should be set with SET GLOBAL
+disconnect user1;
+connection default;
+DROP USER user1@localhost;
+# Test that "SET connect_timeout" is allowed with SUPER
+CREATE USER user1@localhost;
+GRANT SUPER ON *.* TO user1@localhost;
+connect user1,localhost,user1,,;
+connection user1;
+SET GLOBAL connect_timeout=10;
+SET connect_timeout=10;
+ERROR HY000: Variable 'connect_timeout' is a GLOBAL variable and should be set with SET GLOBAL
+SET SESSION connect_timeout=10;
+ERROR HY000: Variable 'connect_timeout' is a GLOBAL variable and should be set with SET GLOBAL
+disconnect user1;
+connection default;
+DROP USER user1@localhost;
+SET @@global.connect_timeout=@global;
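Review bot: The two accepted cases record only that `SET GLOBAL connect_timeout=10;` returns without an error; nothing reads the value back, so a server that accepted the statement for a CONNECTION ADMIN user but did not apply it would still match this expected output. Following each accepted SET with `SELECT @@global.connect_timeout;` in the .test file (not visible in this part of the page) and re-recording would pin the effect as well as the permission check. The other *_grant.result files added by this commit follow the same shape and have the same gap.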
diff --git a/mysql-test/suite/sys_vars/r/disconnect_on_expired_password_grant.result b/mysql-test/suite/sys_vars/r/disconnect_on_expired_password_grant.result
new file mode 100644
index 00000000000..b7152351a5d
--- /dev/null
+++ b/mysql-test/suite/sys_vars/r/disconnect_on_expired_password_grant.result
@@ -0,0 +1,46 @@
+SET @global=@@global.disconnect_on_expired_password;
+#
+# MDEV-21961 Bind CONNECTION ADMIN to a number of global system variables
+#
+# Test that "SET disconnect_on_expired_password" is not allowed without CONNECTION ADMIN or SUPER
+CREATE USER user1@localhost;
+GRANT ALL PRIVILEGES ON *.* TO user1@localhost;
+REVOKE CONNECTION ADMIN, SUPER ON *.* FROM user1@localhost;
+connect user1,localhost,user1,,;
+connection user1;
+SET GLOBAL disconnect_on_expired_password=1;
+ERROR 42000: Access denied; you need (at least one of) the SUPER, CONNECTION ADMIN privilege(s) for this operation
+SET disconnect_on_expired_password=1;
+ERROR HY000: Variable 'disconnect_on_expired_password' is a GLOBAL variable and should be set with SET GLOBAL
+SET SESSION disconnect_on_expired_password=1;
+ERROR HY000: Variable 'disconnect_on_expired_password' is a GLOBAL variable and should be set with SET GLOBAL
+disconnect user1;
+connection default;
+DROP USER user1@localhost;
+# Test that "SET disconnect_on_expired_password" is allowed with CONNECTION ADMIN
+CREATE USER user1@localhost;
+GRANT CONNECTION ADMIN ON *.* TO user1@localhost;
+connect user1,localhost,user1,,;
+connection user1;
+SET GLOBAL disconnect_on_expired_password=1;
+SET disconnect_on_expired_password=1;
+ERROR HY000: Variable 'disconnect_on_expired_password' is a GLOBAL variable and should be set with SET GLOBAL
+SET SESSION disconnect_on_expired_password=1;
+ERROR HY000: Variable 'disconnect_on_expired_password' is a GLOBAL variable and should be set with SET GLOBAL
+disconnect user1;
+connection default;
+DROP USER user1@localhost;
+# Test that "SET disconnect_on_expired_password" is allowed with SUPER
+CREATE USER user1@localhost;
+GRANT SUPER ON *.* TO user1@localhost;
+connect user1,localhost,user1,,;
+connection user1;
+SET GLOBAL disconnect_on_expired_password=1;
+SET disconnect_on_expired_password=1;
+ERROR HY000: Variable 'disconnect_on_expired_password' is a GLOBAL variable and should be set with SET GLOBAL
+SET SESSION disconnect_on_expired_password=1;
+ERROR HY000: Variable 'disconnect_on_expired_password' is a GLOBAL variable and should be set with SET GLOBAL
+disconnect user1;
+connection default;
+DROP USER user1@localhost;
+SET @@global.disconnect_on_expired_password=@global;
diff --git a/mysql-test/suite/sys_vars/r/extra_max_connections_grant.result b/mysql-test/suite/sys_vars/r/extra_max_connections_grant.result
new file mode 100644
index 00000000000..2f211dd5661
--- /dev/null
+++ b/mysql-test/suite/sys_vars/r/extra_max_connections_grant.result
@@ -0,0 +1,46 @@
+SET @global=@@global.extra_max_connections;
+#
+# MDEV-21961 Bind CONNECTION ADMIN to a number of global system variables
+#
+# Test that "SET extra_max_connections" is not allowed without CONNECTION ADMIN or SUPER
+CREATE USER user1@localhost;
+GRANT ALL PRIVILEGES ON *.* TO user1@localhost;
+REVOKE CONNECTION ADMIN, SUPER ON *.* FROM user1@localhost;
+connect user1,localhost,user1,,;
+connection user1;
+SET GLOBAL extra_max_connections=10;
+ERROR 42000: Access denied; you need (at least one of) the SUPER, CONNECTION ADMIN privilege(s) for this operation
+SET extra_max_connections=10;
+ERROR HY000: Variable 'extra_max_connections' is a GLOBAL variable and should be set with SET GLOBAL
+SET SESSION extra_max_connections=10;
+ERROR HY000: Variable 'extra_max_connections' is a GLOBAL variable and should be set with SET GLOBAL
+disconnect user1;
+connection default;
+DROP USER user1@localhost;
+# Test that "SET extra_max_connections" is allowed with CONNECTION ADMIN
+CREATE USER user1@localhost;
+GRANT CONNECTION ADMIN ON *.* TO user1@localhost;
+connect user1,localhost,user1,,;
+connection user1;
+SET GLOBAL extra_max_connections=10;
+SET extra_max_connections=10;
+ERROR HY000: Variable 'extra_max_connections' is a GLOBAL variable and should be set with SET GLOBAL
+SET SESSION extra_max_connections=10;
+ERROR HY000: Variable 'extra_max_connections' is a GLOBAL variable and should be set with SET GLOBAL
+disconnect user1;
+connection default;
+DROP USER user1@localhost;
+# Test that "SET extra_max_connections" is allowed with SUPER
+CREATE USER user1@localhost;
+GRANT SUPER ON *.* TO user1@localhost;
+connect user1,localhost,user1,,;
+connection user1;
+SET GLOBAL extra_max_connections=10;
+SET extra_max_connections=10;
+ERROR HY000: Variable 'extra_max_connections' is a GLOBAL variable and should be set with SET GLOBAL
+SET SESSION extra_max_connections=10;
+ERROR HY000: Variable 'extra_max_connections' is a GLOBAL variable and should be set with SET GLOBAL
+disconnect user1;
+connection default;
+DROP USER user1@localhost;
+SET @@global.extra_max_connections=@global;
diff --git a/mysql-test/suite/sys_vars/r/init_connect_grant.result b/mysql-test/suite/sys_vars/r/init_connect_grant.result
new file mode 100644
index 00000000000..6c3726708f4
--- /dev/null
+++ b/mysql-test/suite/sys_vars/r/init_connect_grant.result
@@ -0,0 +1,46 @@
+SET @global=@@global.init_connect;
+#
+# MDEV-21961 Bind CONNECTION ADMIN to a number of global system variables
+#
+# Test that "SET init_connect" is not allowed without CONNECTION ADMIN or SUPER
+CREATE USER user1@localhost;
+GRANT ALL PRIVILEGES ON *.* TO user1@localhost;
+REVOKE CONNECTION ADMIN, SUPER ON *.* FROM user1@localhost;
+connect user1,localhost,user1,,;
+connection user1;
+SET GLOBAL init_connect="SET @xxx=1";
+ERROR 42000: Access denied; you need (at least one of) the SUPER, CONNECTION ADMIN privilege(s) for this operation
+SET init_connect="SET @xxx=1";
+ERROR HY000: Variable 'init_connect' is a GLOBAL variable and should be set with SET GLOBAL
+SET SESSION init_connect="SET @xxx=1";
+ERROR HY000: Variable 'init_connect' is a GLOBAL variable and should be set with SET GLOBAL
+disconnect user1;
+connection default;
+DROP USER user1@localhost;
+# Test that "SET init_connect" is allowed with CONNECTION ADMIN
+CREATE USER user1@localhost;
+GRANT CONNECTION ADMIN ON *.* TO user1@localhost;
+connect user1,localhost,user1,,;
+connection user1;
+SET GLOBAL init_connect="SET @xxx=1";
+SET init_connect="SET @xxx=1";
+ERROR HY000: Variable 'init_connect' is a GLOBAL variable and should be set with SET GLOBAL
+SET SESSION init_connect="SET @xxx=1";
+ERROR HY000: Variable 'init_connect' is a GLOBAL variable and should be set with SET GLOBAL
+disconnect user1;
+connection default;
+DROP USER user1@localhost;
+# Test that "SET init_connect" is allowed with SUPER
+CREATE USER user1@localhost;
+GRANT SUPER ON *.* TO user1@localhost;
+connect user1,localhost,user1,,;
+connection user1;
+SET GLOBAL init_connect="SET @xxx=1";
+SET init_connect="SET @xxx=1";
+ERROR HY000: Variable 'init_connect' is a GLOBAL variable and should be set with SET GLOBAL
+SET SESSION init_connect="SET @xxx=1";
+ERROR HY000: Variable 'init_connect' is a GLOBAL variable and should be set with SET GLOBAL
+disconnect user1;
+connection default;
+DROP USER user1@localhost;
+SET @@global.init_connect=@global;
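Review bot: init_connect differs from the other variables in this commit because its value is SQL text rather than a limit or timeout, and the accepted `SET GLOBAL init_connect="SET @xxx=1";` shows that a user holding only CONNECTION ADMIN can now set it. As far as I know the server runs that text in the session of each connecting client, so this privilege reaches into other accounts' sessions and is more than connection tuning. A comment in the test such as `# init_connect holds SQL run at connect time in other users' sessions; CONNECTION ADMIN is enough to set it` would record that the wider reach is intended. The file also never opens a fresh connection after the accepted SET, so the effect of the new value is not exercised.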
diff --git a/mysql-test/suite/sys_vars/r/max_connect_errors_grant.result b/mysql-test/suite/sys_vars/r/max_connect_errors_grant.result
new file mode 100644
index 00000000000..527a4ecaf72
--- /dev/null
+++ b/mysql-test/suite/sys_vars/r/max_connect_errors_grant.result
@@ -0,0 +1,46 @@
+SET @global=@@global.max_connect_errors;
+#
+# MDEV-21961 Bind CONNECTION ADMIN to a number of global system variables
+#
+# Test that "SET max_connect_errors" is not allowed without CONNECTION ADMIN or SUPER
+CREATE USER user1@localhost;
+GRANT ALL PRIVILEGES ON *.* TO user1@localhost;
+REVOKE CONNECTION ADMIN, SUPER ON *.* FROM user1@localhost;
+connect user1,localhost,user1,,;
+connection user1;
+SET GLOBAL max_connect_errors=10;
+ERROR 42000: Access denied; you need (at least one of) the SUPER, CONNECTION ADMIN privilege(s) for this operation
+SET max_connect_errors=10;
+ERROR HY000: Variable 'max_connect_errors' is a GLOBAL variable and should be set with SET GLOBAL
+SET SESSION max_connect_errors=10;
+ERROR HY000: Variable 'max_connect_errors' is a GLOBAL variable and should be set with SET GLOBAL
+disconnect user1;
+connection default;
+DROP USER user1@localhost;
+# Test that "SET max_connect_errors" is allowed with CONNECTION ADMIN
+CREATE USER user1@localhost;
+GRANT CONNECTION ADMIN ON *.* TO user1@localhost;
+connect user1,localhost,user1,,;
+connection user1;
+SET GLOBAL max_connect_errors=10;
+SET max_connect_errors=10;
+ERROR HY000: Variable 'max_connect_errors' is a GLOBAL variable and should be set with SET GLOBAL
+SET SESSION max_connect_errors=10;
+ERROR HY000: Variable 'max_connect_errors' is a GLOBAL variable and should be set with SET GLOBAL
+disconnect user1;
+connection default;
+DROP USER user1@localhost;
+# Test that "SET max_connect_errors" is allowed with SUPER
+CREATE USER user1@localhost;
+GRANT SUPER ON *.* TO user1@localhost;
+connect user1,localhost,user1,,;
+connection user1;
+SET GLOBAL max_connect_errors=10;
+SET max_connect_errors=10;
+ERROR HY000: Variable 'max_connect_errors' is a GLOBAL variable and should be set with SET GLOBAL
+SET SESSION max_connect_errors=10;
+ERROR HY000: Variable 'max_connect_errors' is a GLOBAL variable and should be set with SET GLOBAL
+disconnect user1;
+connection default;
+DROP USER user1@localhost;
+SET @@global.max_connect_errors=@global;
diff --git a/mysql-test/suite/sys_vars/r/max_connections_grant.result b/mysql-test/suite/sys_vars/r/max_connections_grant.result
new file mode 100644
index 00000000000..e55904d4cc1
--- /dev/null
+++ b/mysql-test/suite/sys_vars/r/max_connections_grant.result
@@ -0,0 +1,46 @@
+SET @global=@@global.max_connections;
+#
+# MDEV-21961 Bind CONNECTION ADMIN to a number of global system variables
+#
+# Test that "SET max_connections" is not allowed without CONNECTION ADMIN or SUPER
+CREATE USER user1@localhost;
+GRANT ALL PRIVILEGES ON *.* TO user1@localhost;
+REVOKE CONNECTION ADMIN, SUPER ON *.* FROM user1@localhost;
+connect user1,localhost,user1,,;
+connection user1;
+SET GLOBAL max_connections=10;
+ERROR 42000: Access denied; you need (at least one of) the SUPER, CONNECTION ADMIN privilege(s) for this operation
+SET max_connections=10;
+ERROR HY000: Variable 'max_connections' is a GLOBAL variable and should be set with SET GLOBAL
+SET SESSION max_connections=10;
+ERROR HY000: Variable 'max_connections' is a GLOBAL variable and should be set with SET GLOBAL
+disconnect user1;
+connection default;
+DROP USER user1@localhost;
+# Test that "SET max_connections" is allowed with CONNECTION ADMIN
+CREATE USER user1@localhost;
+GRANT CONNECTION ADMIN ON *.* TO user1@localhost;
+connect user1,localhost,user1,,;
+connection user1;
+SET GLOBAL max_connections=10;
+SET max_connections=10;
+ERROR HY000: Variable 'max_connections' is a GLOBAL variable and should be set with SET GLOBAL
+SET SESSION max_connections=10;
+ERROR HY000: Variable 'max_connections' is a GLOBAL variable and should be set with SET GLOBAL
+disconnect user1;
+connection default;
+DROP USER user1@localhost;
+# Test that "SET max_connections" is allowed with SUPER
+CREATE USER user1@localhost;
+GRANT SUPER ON *.* TO user1@localhost;
+connect user1,localhost,user1,,;
+connection user1;
+SET GLOBAL max_connections=10;
+SET max_connections=10;
+ERROR HY000: Variable 'max_connections' is a GLOBAL variable and should be set with SET GLOBAL
+SET SESSION max_connections=10;
+ERROR HY000: Variable 'max_connections' is a GLOBAL variable and should be set with SET GLOBAL
+disconnect user1;
+connection default;
+DROP USER user1@localhost;
+SET @@global.max_connections=@global;
diff --git a/mysql-test/suite/sys_vars/r/max_password_errors_grant.result b/mysql-test/suite/sys_vars/r/max_password_errors_grant.result
new file mode 100644
index 00000000000..4ae0dfb887a
--- /dev/null
+++ b/mysql-test/suite/sys_vars/r/max_password_errors_grant.result
@@ -0,0 +1,46 @@
+SET @global=@@global.max_password_errors;
+#
+# MDEV-21961 Bind CONNECTION ADMIN to a number of global system variables
+#
+# Test that "SET max_password_errors" is not allowed without CONNECTION ADMIN or SUPER
+CREATE USER user1@localhost;
+GRANT ALL PRIVILEGES ON *.* TO user1@localhost;
+REVOKE CONNECTION ADMIN, SUPER ON *.* FROM user1@localhost;
+connect user1,localhost,user1,,;
+connection user1;
+SET GLOBAL max_password_errors=10;
+ERROR 42000: Access denied; you need (at least one of) the SUPER, CONNECTION ADMIN privilege(s) for this operation
+SET max_password_errors=10;
+ERROR HY000: Variable 'max_password_errors' is a GLOBAL variable and should be set with SET GLOBAL
+SET SESSION max_password_errors=10;
+ERROR HY000: Variable 'max_password_errors' is a GLOBAL variable and should be set with SET GLOBAL
+disconnect user1;
+connection default;
+DROP USER user1@localhost;
+# Test that "SET max_password_errors" is allowed with CONNECTION ADMIN
+CREATE USER user1@localhost;
+GRANT CONNECTION ADMIN ON *.* TO user1@localhost;
+connect user1,localhost,user1,,;
+connection user1;
+SET GLOBAL max_password_errors=10;
+SET max_password_errors=10;
+ERROR HY000: Variable 'max_password_errors' is a GLOBAL variable and should be set with SET GLOBAL
+SET SESSION max_password_errors=10;
+ERROR HY000: Variable 'max_password_errors' is a GLOBAL variable and should be set with SET GLOBAL
+disconnect user1;
+connection default;
+DROP USER user1@localhost;
+# Test that "SET max_password_errors" is allowed with SUPER
+CREATE USER user1@localhost;
+GRANT SUPER ON *.* TO user1@localhost;
+connect user1,localhost,user1,,;
+connection user1;
+SET GLOBAL max_password_errors=10;
+SET max_password_errors=10;
+ERROR HY000: Variable 'max_password_errors' is a GLOBAL variable and should be set with SET GLOBAL
+SET SESSION max_password_errors=10;
+ERROR HY000: Variable 'max_password_errors' is a GLOBAL variable and should be set with SET GLOBAL
+disconnect user1;
+connection default;
+DROP USER user1@localhost;
+SET @@global.max_password_errors=@global;
diff --git a/mysql-test/suite/sys_vars/r/proxy_protocol_networks_grant.result b/mysql-test/suite/sys_vars/r/proxy_protocol_networks_grant.result
new file mode 100644
index 00000000000..b6bae272443
--- /dev/null
+++ b/mysql-test/suite/sys_vars/r/proxy_protocol_networks_grant.result
@@ -0,0 +1,46 @@
+SET @global=@@global.proxy_protocol_networks;
+#
+# MDEV-21961 Bind CONNECTION ADMIN to a number of global system variables
+#
+# Test that "SET proxy_protocol_networks" is not allowed without CONNECTION ADMIN or SUPER
+CREATE USER user1@localhost;
+GRANT ALL PRIVILEGES ON *.* TO user1@localhost;
+REVOKE CONNECTION ADMIN, SUPER ON *.* FROM user1@localhost;
+connect user1,localhost,user1,,;
+connection user1;
+SET GLOBAL proxy_protocol_networks="";
+ERROR 42000: Access denied; you need (at least one of) the SUPER, CONNECTION ADMIN privilege(s) for this operation
+SET proxy_protocol_networks="";
+ERROR HY000: Variable 'proxy_protocol_networks' is a GLOBAL variable and should be set with SET GLOBAL
+SET SESSION proxy_protocol_networks="";
+ERROR HY000: Variable 'proxy_protocol_networks' is a GLOBAL variable and should be set with SET GLOBAL
+disconnect user1;
+connection default;
+DROP USER user1@localhost;
+# Test that "SET proxy_protocol_networks" is allowed with CONNECTION ADMIN
+CREATE USER user1@localhost;
+GRANT CONNECTION ADMIN ON *.* TO user1@localhost;
+connect user1,localhost,user1,,;
+connection user1;
+SET GLOBAL proxy_protocol_networks="";
+SET proxy_protocol_networks="";
+ERROR HY000: Variable 'proxy_protocol_networks' is a GLOBAL variable and should be set with SET GLOBAL
+SET SESSION proxy_protocol_networks="";
+ERROR HY000: Variable 'proxy_protocol_networks' is a GLOBAL variable and should be set with SET GLOBAL
+disconnect user1;
+connection default;
+DROP USER user1@localhost;
+# Test that "SET proxy_protocol_networks" is allowed with SUPER
+CREATE USER user1@localhost;
+GRANT SUPER ON *.* TO user1@localhost;
+connect user1,localhost,user1,,;
+connection user1;
+SET GLOBAL proxy_protocol_networks="";
+SET proxy_protocol_networks="";
+ERROR HY000: Variable 'proxy_protocol_networks' is a GLOBAL variable and should be set with SET GLOBAL
+SET SESSION proxy_protocol_networks="";
+ERROR HY000: Variable 'proxy_protocol_networks' is a GLOBAL variable and should be set with SET GLOBAL
+disconnect user1;
+connection default;
+DROP USER user1@localhost;
+SET @@global.proxy_protocol_networks=@global;
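Review bot: Every SET in this file assigns the empty string, `SET GLOBAL proxy_protocol_networks="";`, which is presumably also the starting value, so the accepted cases never change which networks may send a proxy-protocol header. That list decides whose claimed client address the server trusts, so the case worth pinning is a CONNECTION ADMIN user widening it. Using a non-empty value such as `"localhost"` in the accepted cases and reading it back would cover that; the closing `SET @@global.proxy_protocol_networks=@global;` already restores the original value.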
diff --git a/mysql-test/suite/sys_vars/r/secure_auth_grant.result b/mysql-test/suite/sys_vars/r/secure_auth_grant.result
new file mode 100644
index 00000000000..ed33eb33951
--- /dev/null
+++ b/mysql-test/suite/sys_vars/r/secure_auth_grant.result
@@ -0,0 +1,46 @@
+SET @global=@@global.secure_auth;
+#
+# MDEV-21961 Bind CONNECTION ADMIN to a number of global system variables
+#
+# Test that "SET secure_auth" is not allowed without CONNECTION ADMIN or SUPER
+CREATE USER user1@localhost;
+GRANT ALL PRIVILEGES ON *.* TO user1@localhost;
+REVOKE CONNECTION ADMIN, SUPER ON *.* FROM user1@localhost;
+connect user1,localhost,user1,,;
+connection user1;
+SET GLOBAL secure_auth=1;
+ERROR 42000: Access denied; you need (at least one of) the SUPER, CONNECTION ADMIN privilege(s) for this operation
+SET secure_auth=1;
+ERROR HY000: Variable 'secure_auth' is a GLOBAL variable and should be set with SET GLOBAL
+SET SESSION secure_auth=1;
+ERROR HY000: Variable 'secure_auth' is a GLOBAL variable and should be set with SET GLOBAL
+disconnect user1;
+connection default;
+DROP USER user1@localhost;
+# Test that "SET secure_auth" is allowed with CONNECTION ADMIN
+CREATE USER user1@localhost;
+GRANT CONNECTION ADMIN ON *.* TO user1@localhost;
+connect user1,localhost,user1,,;
+connection user1;
+SET GLOBAL secure_auth=1;
+SET secure_auth=1;
+ERROR HY000: Variable 'secure_auth' is a GLOBAL variable and should be set with SET GLOBAL
+SET SESSION secure_auth=1;
+ERROR HY000: Variable 'secure_auth' is a GLOBAL variable and should be set with SET GLOBAL
+disconnect user1;
+connection default;
+DROP USER user1@localhost;
+# Test that "SET secure_auth" is allowed with SUPER
+CREATE USER user1@localhost;
+GRANT SUPER ON *.* TO user1@localhost;
+connect user1,localhost,user1,,;
+connection user1;
+SET GLOBAL secure_auth=1;
+SET secure_auth=1;
+ERROR HY000: Variable 'secure_auth' is a GLOBAL variable and should be set with SET GLOBAL
+SET SESSION secure_auth=1;
+ERROR HY000: Variable 'secure_auth' is a GLOBAL variable and should be set with SET GLOBAL
+disconnect user1;
+connection default;
+DROP USER user1@localhost;
+SET @@global.secure_auth=@global;
diff --git a/mysql-test/suite/sys_vars/r/slow_launch_time_grant.result b/mysql-test/suite/sys_vars/r/slow_launch_time_grant.result
new file mode 100644
index 00000000000..45aef07d473
--- /dev/null
+++ b/mysql-test/suite/sys_vars/r/slow_launch_time_grant.result
@@ -0,0 +1,46 @@
+SET @global=@@global.slow_launch_time;
+#
+# MDEV-21961 Bind CONNECTION ADMIN to a number of global system variables
+#
+# Test that "SET slow_launch_time" is not allowed without CONNECTION ADMIN or SUPER
+CREATE USER user1@localhost;
+GRANT ALL PRIVILEGES ON *.* TO user1@localhost;
+REVOKE CONNECTION ADMIN, SUPER ON *.* FROM user1@localhost;
+connect user1,localhost,user1,,;
+connection user1;
+SET GLOBAL slow_launch_time=10;
+ERROR 42000: Access denied; you need (at least one of) the SUPER, CONNECTION ADMIN privilege(s) for this operation
+SET slow_launch_time=10;
+ERROR HY000: Variable 'slow_launch_time' is a GLOBAL variable and should be set with SET GLOBAL
+SET SESSION slow_launch_time=10;
+ERROR HY000: Variable 'slow_launch_time' is a GLOBAL variable and should be set with SET GLOBAL
+disconnect user1;
+connection default;
+DROP USER user1@localhost;
+# Test that "SET slow_launch_time" is allowed with CONNECTION ADMIN
+CREATE USER user1@localhost;
+GRANT CONNECTION ADMIN ON *.* TO user1@localhost;
+connect user1,localhost,user1,,;
+connection user1;
+SET GLOBAL slow_launch_time=10;
+SET slow_launch_time=10;
+ERROR HY000: Variable 'slow_launch_time' is a GLOBAL variable and should be set with SET GLOBAL
+SET SESSION slow_launch_time=10;
+ERROR HY000: Variable 'slow_launch_time' is a GLOBAL variable and should be set with SET GLOBAL
+disconnect user1;
+connection default;
+DROP USER user1@localhost;
+# Test that "SET slow_launch_time" is allowed with SUPER
+CREATE USER user1@localhost;
+GRANT SUPER ON *.* TO user1@localhost;
+connect user1,localhost,user1,,;
+connection user1;
+SET GLOBAL slow_launch_time=10;
+SET slow_launch_time=10;
+ERROR HY000: Variable 'slow_launch_time' is a GLOBAL variable and should be set with SET GLOBAL
+SET SESSION slow_launch_time=10;
+ERROR HY000: Variable 'slow_launch_time' is a GLOBAL variable and should be set with SET GLOBAL
+disconnect user1;
+connection default;
+DROP USER user1@localhost;
+SET @@global.slow_launch_time=@global;
diff --git a/mysql-test/suite/sys_vars/r/thread_pool_idle_timeout_grant.result b/mysql-test/suite/sys_vars/r/thread_pool_idle_timeout_grant.result
new file mode 100644
index 00000000000..f9e14eaff0e
--- /dev/null
+++ b/mysql-test/suite/sys_vars/r/thread_pool_idle_timeout_grant.result
@@ -0,0 +1,46 @@
+SET @global=@@global.thread_pool_idle_timeout;
+#
+# MDEV-21961 Bind CONNECTION ADMIN to a number of global system variables
+#
+# Test that "SET thread_pool_idle_timeout" is not allowed without CONNECTION ADMIN or SUPER
+CREATE USER user1@localhost;
+GRANT ALL PRIVILEGES ON *.* TO user1@localhost;
+REVOKE CONNECTION ADMIN, SUPER ON *.* FROM user1@localhost;
+connect user1,localhost,user1,,;
+connection user1;
+SET GLOBAL thread_pool_idle_timeout=10;
+ERROR 42000: Access denied; you need (at least one of) the SUPER, CONNECTION ADMIN privilege(s) for this operation
+SET thread_pool_idle_timeout=10;
+ERROR HY000: Variable 'thread_pool_idle_timeout' is a GLOBAL variable and should be set with SET GLOBAL
+SET SESSION thread_pool_idle_timeout=10;
+ERROR HY000: Variable 'thread_pool_idle_timeout' is a GLOBAL variable and should be set with SET GLOBAL
+disconnect user1;
+connection default;
+DROP USER user1@localhost;
+# Test that "SET thread_pool_idle_timeout" is allowed with CONNECTION ADMIN
+CREATE USER user1@localhost;
+GRANT CONNECTION ADMIN ON *.* TO user1@localhost;
+connect user1,localhost,user1,,;
+connection user1;
+SET GLOBAL thread_pool_idle_timeout=10;
+SET thread_pool_idle_timeout=10;
+ERROR HY000: Variable 'thread_pool_idle_timeout' is a GLOBAL variable and should be set with SET GLOBAL
+SET SESSION thread_pool_idle_timeout=10;
+ERROR HY000: Variable 'thread_pool_idle_timeout' is a GLOBAL variable and should be set with SET GLOBAL
+disconnect user1;
+connection default;
+DROP USER user1@localhost;
+# Test that "SET thread_pool_idle_timeout" is allowed with SUPER
+CREATE USER user1@localhost;
+GRANT SUPER ON *.* TO user1@localhost;
+connect user1,localhost,user1,,;
+connection user1;
+SET GLOBAL thread_pool_idle_timeout=10;
+SET thread_pool_idle_timeout=10;
+ERROR HY000: Variable 'thread_pool_idle_timeout' is a GLOBAL variable and should be set with SET GLOBAL
+SET SESSION thread_pool_idle_timeout=10;
+ERROR HY000: Variable 'thread_pool_idle_timeout' is a GLOBAL variable and should be set with SET GLOBAL
+disconnect user1;
+connection default;
+DROP USER user1@localhost;
+SET @@global.thread_pool_idle_timeout=@global;
diff --git a/mysql-test/suite/sys_vars/r/thread_pool_max_threads_grant.result b/mysql-test/suite/sys_vars/r/thread_pool_max_threads_grant.result
new file mode 100644
index 00000000000..17511766787
--- /dev/null
+++ b/mysql-test/suite/sys_vars/r/thread_pool_max_threads_grant.result
@@ -0,0 +1,46 @@
+SET @global=@@global.thread_pool_max_threads;
+#
+# MDEV-21961 Bind CONNECTION ADMIN to a number of global system variables
+#
+# Test that "SET thread_pool_max_threads" is not allowed without CONNECTION ADMIN or SUPER
+CREATE USER user1@localhost;
+GRANT ALL PRIVILEGES ON *.* TO user1@localhost;
+REVOKE CONNECTION ADMIN, SUPER ON *.* FROM user1@localhost;
+connect user1,localhost,user1,,;
+connection user1;
+SET GLOBAL thread_pool_max_threads=10;
+ERROR 42000: Access denied; you need (at least one of) the SUPER, CONNECTION ADMIN privilege(s) for this operation
+SET thread_pool_max_threads=10;
+ERROR HY000: Variable 'thread_pool_max_threads' is a GLOBAL variable and should be set with SET GLOBAL
+SET SESSION thread_pool_max_threads=10;
+ERROR HY000: Variable 'thread_pool_max_threads' is a GLOBAL variable and should be set with SET GLOBAL
+disconnect user1;
+connection default;
+DROP USER user1@localhost;
+# Test that "SET thread_pool_max_threads" is allowed with CONNECTION ADMIN
+CREATE USER user1@localhost;
+GRANT CONNECTION ADMIN ON *.* TO user1@localhost;
+connect user1,localhost,user1,,;
+connection user1;
+SET GLOBAL thread_pool_max_threads=10;
+SET thread_pool_max_threads=10;
+ERROR HY000: Variable 'thread_pool_max_threads' is a GLOBAL variable and should be set with SET GLOBAL
+SET SESSION thread_pool_max_threads=10;
+ERROR HY000: Variable 'thread_pool_max_threads' is a GLOBAL variable and should be set with SET GLOBAL
+disconnect user1;
+connection default;
+DROP USER user1@localhost;
+# Test that "SET thread_pool_max_threads" is allowed with SUPER
+CREATE USER user1@localhost;
+GRANT SUPER ON *.* TO user1@localhost;
+connect user1,localhost,user1,,;
+connection user1;
+SET GLOBAL thread_pool_max_threads=10;
+SET thread_pool_max_threads=10;
+ERROR HY000: Variable 'thread_pool_max_threads' is a GLOBAL variable and should be set with SET GLOBAL
+SET SESSION thread_pool_max_threads=10;
+ERROR HY000: Variable 'thread_pool_max_threads' is a GLOBAL variable and should be set with SET GLOBAL
+disconnect user1;
+connection default;
+DROP USER user1@localhost;
+SET @@global.thread_pool_max_threads=@global;
diff --git a/mysql-test/suite/sys_vars/r/thread_pool_oversubscribe_grant.result b/mysql-test/suite/sys_vars/r/thread_pool_oversubscribe_grant.result
new file mode 100644
index 00000000000..965be157f02
--- /dev/null
+++ b/mysql-test/suite/sys_vars/r/thread_pool_oversubscribe_grant.result
@@ -0,0 +1,46 @@
+SET @global=@@global.thread_pool_oversubscribe;
+#
+# MDEV-21961 Bind CONNECTION ADMIN to a number of global system variables
+#
+# Test that "SET thread_pool_oversubscribe" is not allowed without CONNECTION ADMIN or SUPER
+CREATE USER user1@localhost;
+GRANT ALL PRIVILEGES ON *.* TO user1@localhost;
+REVOKE CONNECTION ADMIN, SUPER ON *.* FROM user1@localhost;
+connect user1,localhost,user1,,;
+connection user1;
+SET GLOBAL thread_pool_oversubscribe=10;
+ERROR 42000: Access denied; you need (at least one of) the SUPER, CONNECTION ADMIN privilege(s) for this operation
+SET thread_pool_oversubscribe=10;
+ERROR HY000: Variable 'thread_pool_oversubscribe' is a GLOBAL variable and should be set with SET GLOBAL
+SET SESSION thread_pool_oversubscribe=10;
+ERROR HY000: Variable 'thread_pool_oversubscribe' is a GLOBAL variable and should be set with SET GLOBAL
+disconnect user1;
+connection default;
+DROP USER user1@localhost;
+# Test that "SET thread_pool_oversubscribe" is allowed with CONNECTION ADMIN
+CREATE USER user1@localhost;
+GRANT CONNECTION ADMIN ON *.* TO user1@localhost;
+connect user1,localhost,user1,,;
+connection user1;
+SET GLOBAL thread_pool_oversubscribe=10;
+SET thread_pool_oversubscribe=10;
+ERROR HY000: Variable 'thread_pool_oversubscribe' is a GLOBAL variable and should be set with SET GLOBAL
+SET SESSION thread_pool_oversubscribe=10;
+ERROR HY000: Variable 'thread_pool_oversubscribe' is a GLOBAL variable and should be set with SET GLOBAL
+disconnect user1;
+connection default;
+DROP USER user1@localhost;
+# Test that "SET thread_pool_oversubscribe" is allowed with SUPER
+CREATE USER user1@localhost;
+GRANT SUPER ON *.* TO user1@localhost;
+connect user1,localhost,user1,,;
+connection user1;
+SET GLOBAL thread_pool_oversubscribe=10;
+SET thread_pool_oversubscribe=10;
+ERROR HY000: Variable 'thread_pool_oversubscribe' is a GLOBAL variable and should be set with SET GLOBAL
+SET SESSION thread_pool_oversubscribe=10;
+ERROR HY000: Variable 'thread_pool_oversubscribe' is a GLOBAL variable and should be set with SET GLOBAL
+disconnect user1;
+connection default;
+DROP USER user1@localhost;
+SET @@global.thread_pool_oversubscribe=@global;
diff --git a/mysql-test/suite/sys_vars/r/thread_pool_stall_limit_grant.result b/mysql-test/suite/sys_vars/r/thread_pool_stall_limit_grant.result
new file mode 100644
index 00000000000..08462dc4733
--- /dev/null
+++ b/mysql-test/suite/sys_vars/r/thread_pool_stall_limit_grant.result
@@ -0,0 +1,46 @@
+SET @global=@@global.thread_pool_stall_limit;
+#
+# MDEV-21961 Bind CONNECTION ADMIN to a number of global system variables
+#
+# Test that "SET thread_pool_stall_limit" is not allowed without CONNECTION ADMIN or SUPER
+CREATE USER user1@localhost;
+GRANT ALL PRIVILEGES ON *.* TO user1@localhost;
+REVOKE CONNECTION ADMIN, SUPER ON *.* FROM user1@localhost;
+connect user1,localhost,user1,,;
+connection user1;
+SET GLOBAL thread_pool_stall_limit=400;
+ERROR 42000: Access denied; you need (at least one of) the SUPER, CONNECTION ADMIN privilege(s) for this operation
+SET thread_pool_stall_limit=400;
+ERROR HY000: Variable 'thread_pool_stall_limit' is a GLOBAL variable and should be set with SET GLOBAL
+SET SESSION thread_pool_stall_limit=400;
+ERROR HY000: Variable 'thread_pool_stall_limit' is a GLOBAL variable and should be set with SET GLOBAL
+disconnect user1;
+connection default;
+DROP USER user1@localhost;
+# Test that "SET thread_pool_stall_limit" is allowed with CONNECTION ADMIN
+CREATE USER user1@localhost;
+GRANT CONNECTION ADMIN ON *.* TO user1@localhost;
+connect user1,localhost,user1,,;
+connection user1;
+SET GLOBAL thread_pool_stall_limit=400;
+SET thread_pool_stall_limit=400;
+ERROR HY000: Variable 'thread_pool_stall_limit' is a GLOBAL variable and should be set with SET GLOBAL
+SET SESSION thread_pool_stall_limit=400;
+ERROR HY000: Variable 'thread_pool_stall_limit' is a GLOBAL variable and should be set with SET GLOBAL
+disconnect user1;
+connection default;
+DROP USER user1@localhost;
+# Test that "SET thread_pool_stall_limit" is allowed with SUPER
+CREATE USER user1@localhost;
+GRANT SUPER ON *.* TO user1@localhost;
+connect user1,localhost,user1,,;
+connection user1;
+SET GLOBAL thread_pool_stall_limit=400;
+SET thread_pool_stall_limit=400;
+ERROR HY000: Variable 'thread_pool_stall_limit' is a GLOBAL variable and should be set with SET GLOBAL
+SET SESSION thread_pool_stall_limit=400;
+ERROR HY000: Variable 'thread_pool_stall_limit' is a GLOBAL variable and should be set with SET GLOBAL
+disconnect user1;
+connection default;
+DROP USER user1@localhost;
+SET @@global.thread_pool_stall_limit=@global;
diff --git a/mysql-test/suite/sys_vars/t/connect_timeout_grant.test b/mysql-test/suite/sys_vars/t/connect_timeout_grant.test
new file mode 100644
index 00000000000..61a7a3eb530
--- /dev/null
+++ b/mysql-test/suite/sys_vars/t/connect_timeout_grant.test
@@ -0,0 +1,56 @@
+--source include/not_embedded.inc
+
+SET @global=@@global.connect_timeout;
+
+--echo #
+--echo # MDEV-21961 Bind CONNECTION ADMIN to a number of global system variables
+--echo #
+
+--echo # Test that "SET connect_timeout" is not allowed without CONNECTION ADMIN or SUPER
+
+CREATE USER user1@localhost;
+GRANT ALL PRIVILEGES ON *.* TO user1@localhost;
+REVOKE CONNECTION ADMIN, SUPER ON *.* FROM user1@localhost;
+--connect(user1,localhost,user1,,)
+--connection user1
+--error ER_SPECIFIC_ACCESS_DENIED_ERROR
+SET GLOBAL connect_timeout=10;
+--error ER_GLOBAL_VARIABLE
+SET connect_timeout=10;
+--error ER_GLOBAL_VARIABLE
+SET SESSION connect_timeout=10;
+--disconnect user1
+--connection default
+DROP USER user1@localhost;
+
+--echo # Test that "SET connect_timeout" is allowed with CONNECTION ADMIN
+
+CREATE USER user1@localhost;
+GRANT CONNECTION ADMIN ON *.* TO user1@localhost;
+--connect(user1,localhost,user1,,)
+--connection user1
+SET GLOBAL connect_timeout=10;
+--error ER_GLOBAL_VARIABLE
+SET connect_timeout=10;
+--error ER_GLOBAL_VARIABLE
+SET SESSION connect_timeout=10;
+--disconnect user1
+--connection default
+DROP USER user1@localhost;
+
+--echo # Test that "SET connect_timeout" is allowed with SUPER
+
+CREATE USER user1@localhost;
+GRANT SUPER ON *.* TO user1@localhost;
+--connect(user1,localhost,user1,,)
+--connection user1
+SET GLOBAL connect_timeout=10;
+--error ER_GLOBAL_VARIABLE
+SET connect_timeout=10;
+--error ER_GLOBAL_VARIABLE
+SET SESSION connect_timeout=10;
+--disconnect user1
+--connection default
+DROP USER user1@localhost;
+
+SET @@global.connect_timeout=@global;
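Review bot: The denied case stops at `--error ER_SPECIFIC_ACCESS_DENIED_ERROR` and never checks that the global value is still the saved one, so a privilege check that reported the error only after applying the assignment would pass this test. After `--connection default` in the first case, add `SELECT @@global.connect_timeout=@global AS unchanged;` (the `@global` user variable belongs to the default connection, so the check has to run there). The allowed cases could likewise read the value back after `SET GLOBAL connect_timeout=10;`. The other `*_grant.test` files added by this commit follow the same three-case template and would take the same addition, with matching lines in their `.result` files.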
diff --git a/mysql-test/suite/sys_vars/t/disconnect_on_expired_password_grant.test b/mysql-test/suite/sys_vars/t/disconnect_on_expired_password_grant.test
new file mode 100644
index 00000000000..0d317d298f4
--- /dev/null
+++ b/mysql-test/suite/sys_vars/t/disconnect_on_expired_password_grant.test
@@ -0,0 +1,56 @@
+--source include/not_embedded.inc
+
+SET @global=@@global.disconnect_on_expired_password;
+
+--echo #
+--echo # MDEV-21961 Bind CONNECTION ADMIN to a number of global system variables
+--echo #
+
+--echo # Test that "SET disconnect_on_expired_password" is not allowed without CONNECTION ADMIN or SUPER
+
+CREATE USER user1@localhost;
+GRANT ALL PRIVILEGES ON *.* TO user1@localhost;
+REVOKE CONNECTION ADMIN, SUPER ON *.* FROM user1@localhost;
+--connect(user1,localhost,user1,,)
+--connection user1
+--error ER_SPECIFIC_ACCESS_DENIED_ERROR
+SET GLOBAL disconnect_on_expired_password=1;
+--error ER_GLOBAL_VARIABLE
+SET disconnect_on_expired_password=1;
+--error ER_GLOBAL_VARIABLE
+SET SESSION disconnect_on_expired_password=1;
+--disconnect user1
+--connection default
+DROP USER user1@localhost;
+
+--echo # Test that "SET disconnect_on_expired_password" is allowed with CONNECTION ADMIN
+
+CREATE USER user1@localhost;
+GRANT CONNECTION ADMIN ON *.* TO user1@localhost;
+--connect(user1,localhost,user1,,)
+--connection user1
+SET GLOBAL disconnect_on_expired_password=1;
+--error ER_GLOBAL_VARIABLE
+SET disconnect_on_expired_password=1;
+--error ER_GLOBAL_VARIABLE
+SET SESSION disconnect_on_expired_password=1;
+--disconnect user1
+--connection default
+DROP USER user1@localhost;
+
+--echo # Test that "SET disconnect_on_expired_password" is allowed with SUPER
+
+CREATE USER user1@localhost;
+GRANT SUPER ON *.* TO user1@localhost;
+--connect(user1,localhost,user1,,)
+--connection user1
+SET GLOBAL disconnect_on_expired_password=1;
+--error ER_GLOBAL_VARIABLE
+SET disconnect_on_expired_password=1;
+--error ER_GLOBAL_VARIABLE
+SET SESSION disconnect_on_expired_password=1;
+--disconnect user1
+--connection default
+DROP USER user1@localhost;
+
+SET @@global.disconnect_on_expired_password=@global;
diff --git a/mysql-test/suite/sys_vars/t/extra_max_connections_grant.test b/mysql-test/suite/sys_vars/t/extra_max_connections_grant.test
new file mode 100644
index 00000000000..058364ec0a8
--- /dev/null
+++ b/mysql-test/suite/sys_vars/t/extra_max_connections_grant.test
@@ -0,0 +1,56 @@
+--source include/not_embedded.inc
+
+SET @global=@@global.extra_max_connections;
+
+--echo #
+--echo # MDEV-21961 Bind CONNECTION ADMIN to a number of global system variables
+--echo #
+
+--echo # Test that "SET extra_max_connections" is not allowed without CONNECTION ADMIN or SUPER
+
+CREATE USER user1@localhost;
+GRANT ALL PRIVILEGES ON *.* TO user1@localhost;
+REVOKE CONNECTION ADMIN, SUPER ON *.* FROM user1@localhost;
+--connect(user1,localhost,user1,,)
+--connection user1
+--error ER_SPECIFIC_ACCESS_DENIED_ERROR
+SET GLOBAL extra_max_connections=10;
+--error ER_GLOBAL_VARIABLE
+SET extra_max_connections=10;
+--error ER_GLOBAL_VARIABLE
+SET SESSION extra_max_connections=10;
+--disconnect user1
+--connection default
+DROP USER user1@localhost;
+
+--echo # Test that "SET extra_max_connections" is allowed with CONNECTION ADMIN
+
+CREATE USER user1@localhost;
+GRANT CONNECTION ADMIN ON *.* TO user1@localhost;
+--connect(user1,localhost,user1,,)
+--connection user1
+SET GLOBAL extra_max_connections=10;
+--error ER_GLOBAL_VARIABLE
+SET extra_max_connections=10;
+--error ER_GLOBAL_VARIABLE
+SET SESSION extra_max_connections=10;
+--disconnect user1
+--connection default
+DROP USER user1@localhost;
+
+--echo # Test that "SET extra_max_connections" is allowed with SUPER
+
+CREATE USER user1@localhost;
+GRANT SUPER ON *.* TO user1@localhost;
+--connect(user1,localhost,user1,,)
+--connection user1
+SET GLOBAL extra_max_connections=10;
+--error ER_GLOBAL_VARIABLE
+SET extra_max_connections=10;
+--error ER_GLOBAL_VARIABLE
+SET SESSION extra_max_connections=10;
+--disconnect user1
+--connection default
+DROP USER user1@localhost;
+
+SET @@global.extra_max_connections=@global;
diff --git a/mysql-test/suite/sys_vars/t/init_connect_grant.test b/mysql-test/suite/sys_vars/t/init_connect_grant.test
new file mode 100644
index 00000000000..685f0900833
--- /dev/null
+++ b/mysql-test/suite/sys_vars/t/init_connect_grant.test
@@ -0,0 +1,56 @@
+--source include/not_embedded.inc
+
+SET @global=@@global.init_connect;
+
+--echo #
+--echo # MDEV-21961 Bind CONNECTION ADMIN to a number of global system variables
+--echo #
+
+--echo # Test that "SET init_connect" is not allowed without CONNECTION ADMIN or SUPER
+
+CREATE USER user1@localhost;
+GRANT ALL PRIVILEGES ON *.* TO user1@localhost;
+REVOKE CONNECTION ADMIN, SUPER ON *.* FROM user1@localhost;
+--connect(user1,localhost,user1,,)
+--connection user1
+--error ER_SPECIFIC_ACCESS_DENIED_ERROR
+SET GLOBAL init_connect="SET @xxx=1";
+--error ER_GLOBAL_VARIABLE
+SET init_connect="SET @xxx=1";
+--error ER_GLOBAL_VARIABLE
+SET SESSION init_connect="SET @xxx=1";
+--disconnect user1
+--connection default
+DROP USER user1@localhost;
+
+--echo # Test that "SET init_connect" is allowed with CONNECTION ADMIN
+
+CREATE USER user1@localhost;
+GRANT CONNECTION ADMIN ON *.* TO user1@localhost;
+--connect(user1,localhost,user1,,)
+--connection user1
+SET GLOBAL init_connect="SET @xxx=1";
+--error ER_GLOBAL_VARIABLE
+SET init_connect="SET @xxx=1";
+--error ER_GLOBAL_VARIABLE
+SET SESSION init_connect="SET @xxx=1";
+--disconnect user1
+--connection default
+DROP USER user1@localhost;
+
+--echo # Test that "SET init_connect" is allowed with SUPER
+
+CREATE USER user1@localhost;
+GRANT SUPER ON *.* TO user1@localhost;
+--connect(user1,localhost,user1,,)
+--connection user1
+SET GLOBAL init_connect="SET @xxx=1";
+--error ER_GLOBAL_VARIABLE
+SET init_connect="SET @xxx=1";
+--error ER_GLOBAL_VARIABLE
+SET SESSION init_connect="SET @xxx=1";
+--disconnect user1
+--connection default
+DROP USER user1@localhost;
+
+SET @@global.init_connect=@global;
diff --git a/mysql-test/suite/sys_vars/t/max_connect_errors_grant.test b/mysql-test/suite/sys_vars/t/max_connect_errors_grant.test
new file mode 100644
index 00000000000..d349d93818d
--- /dev/null
+++ b/mysql-test/suite/sys_vars/t/max_connect_errors_grant.test
@@ -0,0 +1,56 @@
+--source include/not_embedded.inc
+
+SET @global=@@global.max_connect_errors;
+
+--echo #
+--echo # MDEV-21961 Bind CONNECTION ADMIN to a number of global system variables
+--echo #
+
+--echo # Test that "SET max_connect_errors" is not allowed without CONNECTION ADMIN or SUPER
+
+CREATE USER user1@localhost;
+GRANT ALL PRIVILEGES ON *.* TO user1@localhost;
+REVOKE CONNECTION ADMIN, SUPER ON *.* FROM user1@localhost;
+--connect(user1,localhost,user1,,)
+--connection user1
+--error ER_SPECIFIC_ACCESS_DENIED_ERROR
+SET GLOBAL max_connect_errors=10;
+--error ER_GLOBAL_VARIABLE
+SET max_connect_errors=10;
+--error ER_GLOBAL_VARIABLE
+SET SESSION max_connect_errors=10;
+--disconnect user1
+--connection default
+DROP USER user1@localhost;
+
+--echo # Test that "SET max_connect_errors" is allowed with CONNECTION ADMIN
+
+CREATE USER user1@localhost;
+GRANT CONNECTION ADMIN ON *.* TO user1@localhost;
+--connect(user1,localhost,user1,,)
+--connection user1
+SET GLOBAL max_connect_errors=10;
+--error ER_GLOBAL_VARIABLE
+SET max_connect_errors=10;
+--error ER_GLOBAL_VARIABLE
+SET SESSION max_connect_errors=10;
+--disconnect user1
+--connection default
+DROP USER user1@localhost;
+
+--echo # Test that "SET max_connect_errors" is allowed with SUPER
+
+CREATE USER user1@localhost;
+GRANT SUPER ON *.* TO user1@localhost;
+--connect(user1,localhost,user1,,)
+--connection user1
+SET GLOBAL max_connect_errors=10;
+--error ER_GLOBAL_VARIABLE
+SET max_connect_errors=10;
+--error ER_GLOBAL_VARIABLE
+SET SESSION max_connect_errors=10;
+--disconnect user1
+--connection default
+DROP USER user1@localhost;
+
+SET @@global.max_connect_errors=@global;
diff --git a/mysql-test/suite/sys_vars/t/max_connections_grant.test b/mysql-test/suite/sys_vars/t/max_connections_grant.test
new file mode 100644
index 00000000000..d51bd08ed9d
--- /dev/null
+++ b/mysql-test/suite/sys_vars/t/max_connections_grant.test
@@ -0,0 +1,56 @@
+--source include/not_embedded.inc
+
+SET @global=@@global.max_connections;
+
+--echo #
+--echo # MDEV-21961 Bind CONNECTION ADMIN to a number of global system variables
+--echo #
+
+--echo # Test that "SET max_connections" is not allowed without CONNECTION ADMIN or SUPER
+
+CREATE USER user1@localhost;
+GRANT ALL PRIVILEGES ON *.* TO user1@localhost;
+REVOKE CONNECTION ADMIN, SUPER ON *.* FROM user1@localhost;
+--connect(user1,localhost,user1,,)
+--connection user1
+--error ER_SPECIFIC_ACCESS_DENIED_ERROR
+SET GLOBAL max_connections=10;
+--error ER_GLOBAL_VARIABLE
+SET max_connections=10;
+--error ER_GLOBAL_VARIABLE
+SET SESSION max_connections=10;
+--disconnect user1
+--connection default
+DROP USER user1@localhost;
+
+--echo # Test that "SET max_connections" is allowed with CONNECTION ADMIN
+
+CREATE USER user1@localhost;
+GRANT CONNECTION ADMIN ON *.* TO user1@localhost;
+--connect(user1,localhost,user1,,)
+--connection user1
+SET GLOBAL max_connections=10;
+--error ER_GLOBAL_VARIABLE
+SET max_connections=10;
+--error ER_GLOBAL_VARIABLE
+SET SESSION max_connections=10;
+--disconnect user1
+--connection default
+DROP USER user1@localhost;
+
+--echo # Test that "SET max_connections" is allowed with SUPER
+
+CREATE USER user1@localhost;
+GRANT SUPER ON *.* TO user1@localhost;
+--connect(user1,localhost,user1,,)
+--connection user1
+SET GLOBAL max_connections=10;
+--error ER_GLOBAL_VARIABLE
+SET max_connections=10;
+--error ER_GLOBAL_VARIABLE
+SET SESSION max_connections=10;
+--disconnect user1
+--connection default
+DROP USER user1@localhost;
+
+SET @@global.max_connections=@global;
diff --git a/mysql-test/suite/sys_vars/t/max_password_errors_grant.test b/mysql-test/suite/sys_vars/t/max_password_errors_grant.test
new file mode 100644
index 00000000000..f11c1fb8226
--- /dev/null
+++ b/mysql-test/suite/sys_vars/t/max_password_errors_grant.test
@@ -0,0 +1,56 @@
+--source include/not_embedded.inc
+
+SET @global=@@global.max_password_errors;
+
+--echo #
+--echo # MDEV-21961 Bind CONNECTION ADMIN to a number of global system variables
+--echo #
+
+--echo # Test that "SET max_password_errors" is not allowed without CONNECTION ADMIN or SUPER
+
+CREATE USER user1@localhost;
+GRANT ALL PRIVILEGES ON *.* TO user1@localhost;
+REVOKE CONNECTION ADMIN, SUPER ON *.* FROM user1@localhost;
+--connect(user1,localhost,user1,,)
+--connection user1
+--error ER_SPECIFIC_ACCESS_DENIED_ERROR
+SET GLOBAL max_password_errors=10;
+--error ER_GLOBAL_VARIABLE
+SET max_password_errors=10;
+--error ER_GLOBAL_VARIABLE
+SET SESSION max_password_errors=10;
+--disconnect user1
+--connection default
+DROP USER user1@localhost;
+
+--echo # Test that "SET max_password_errors" is allowed with CONNECTION ADMIN
+
+CREATE USER user1@localhost;
+GRANT CONNECTION ADMIN ON *.* TO user1@localhost;
+--connect(user1,localhost,user1,,)
+--connection user1
+SET GLOBAL max_password_errors=10;
+--error ER_GLOBAL_VARIABLE
+SET max_password_errors=10;
+--error ER_GLOBAL_VARIABLE
+SET SESSION max_password_errors=10;
+--disconnect user1
+--connection default
+DROP USER user1@localhost;
+
+--echo # Test that "SET max_password_errors" is allowed with SUPER
+
+CREATE USER user1@localhost;
+GRANT SUPER ON *.* TO user1@localhost;
+--connect(user1,localhost,user1,,)
+--connection user1
+SET GLOBAL max_password_errors=10;
+--error ER_GLOBAL_VARIABLE
+SET max_password_errors=10;
+--error ER_GLOBAL_VARIABLE
+SET SESSION max_password_errors=10;
+--disconnect user1
+--connection default
+DROP USER user1@localhost;
+
+SET @@global.max_password_errors=@global;
diff --git a/mysql-test/suite/sys_vars/t/proxy_protocol_networks_grant.test b/mysql-test/suite/sys_vars/t/proxy_protocol_networks_grant.test
new file mode 100644
index 00000000000..f2dd8158424
--- /dev/null
+++ b/mysql-test/suite/sys_vars/t/proxy_protocol_networks_grant.test
@@ -0,0 +1,56 @@
+--source include/not_embedded.inc
+
+SET @global=@@global.proxy_protocol_networks;
+
+--echo #
+--echo # MDEV-21961 Bind CONNECTION ADMIN to a number of global system variables
+--echo #
+
+--echo # Test that "SET proxy_protocol_networks" is not allowed without CONNECTION ADMIN or SUPER
+
+CREATE USER user1@localhost;
+GRANT ALL PRIVILEGES ON *.* TO user1@localhost;
+REVOKE CONNECTION ADMIN, SUPER ON *.* FROM user1@localhost;
+--connect(user1,localhost,user1,,)
+--connection user1
+--error ER_SPECIFIC_ACCESS_DENIED_ERROR
+SET GLOBAL proxy_protocol_networks="";
+--error ER_GLOBAL_VARIABLE
+SET proxy_protocol_networks="";
+--error ER_GLOBAL_VARIABLE
+SET SESSION proxy_protocol_networks="";
+--disconnect user1
+--connection default
+DROP USER user1@localhost;
+
+--echo # Test that "SET proxy_protocol_networks" is allowed with CONNECTION ADMIN
+
+CREATE USER user1@localhost;
+GRANT CONNECTION ADMIN ON *.* TO user1@localhost;
+--connect(user1,localhost,user1,,)
+--connection user1
+SET GLOBAL proxy_protocol_networks="";
+--error ER_GLOBAL_VARIABLE
+SET proxy_protocol_networks="";
+--error ER_GLOBAL_VARIABLE
+SET SESSION proxy_protocol_networks="";
+--disconnect user1
+--connection default
+DROP USER user1@localhost;
+
+--echo # Test that "SET proxy_protocol_networks" is allowed with SUPER
+
+CREATE USER user1@localhost;
+GRANT SUPER ON *.* TO user1@localhost;
+--connect(user1,localhost,user1,,)
+--connection user1
+SET GLOBAL proxy_protocol_networks="";
+--error ER_GLOBAL_VARIABLE
+SET proxy_protocol_networks="";
+--error ER_GLOBAL_VARIABLE
+SET SESSION proxy_protocol_networks="";
+--disconnect user1
+--connection default
+DROP USER user1@localhost;
+
+SET @@global.proxy_protocol_networks=@global;
diff --git a/mysql-test/suite/sys_vars/t/secure_auth_grant.test b/mysql-test/suite/sys_vars/t/secure_auth_grant.test
new file mode 100644
index 00000000000..f597ec790cb
--- /dev/null
+++ b/mysql-test/suite/sys_vars/t/secure_auth_grant.test
@@ -0,0 +1,56 @@
+--source include/not_embedded.inc
+
+SET @global=@@global.secure_auth;
+
+--echo #
+--echo # MDEV-21961 Bind CONNECTION ADMIN to a number of global system variables
+--echo #
+
+--echo # Test that "SET secure_auth" is not allowed without CONNECTION ADMIN or SUPER
+
+CREATE USER user1@localhost;
+GRANT ALL PRIVILEGES ON *.* TO user1@localhost;
+REVOKE CONNECTION ADMIN, SUPER ON *.* FROM user1@localhost;
+--connect(user1,localhost,user1,,)
+--connection user1
+--error ER_SPECIFIC_ACCESS_DENIED_ERROR
+SET GLOBAL secure_auth=1;
+--error ER_GLOBAL_VARIABLE
+SET secure_auth=1;
+--error ER_GLOBAL_VARIABLE
+SET SESSION secure_auth=1;
+--disconnect user1
+--connection default
+DROP USER user1@localhost;
+
+--echo # Test that "SET secure_auth" is allowed with CONNECTION ADMIN
+
+CREATE USER user1@localhost;
+GRANT CONNECTION ADMIN ON *.* TO user1@localhost;
+--connect(user1,localhost,user1,,)
+--connection user1
+SET GLOBAL secure_auth=1;
+--error ER_GLOBAL_VARIABLE
+SET secure_auth=1;
+--error ER_GLOBAL_VARIABLE
+SET SESSION secure_auth=1;
+--disconnect user1
+--connection default
+DROP USER user1@localhost;
+
+--echo # Test that "SET secure_auth" is allowed with SUPER
+
+CREATE USER user1@localhost;
+GRANT SUPER ON *.* TO user1@localhost;
+--connect(user1,localhost,user1,,)
+--connection user1
+SET GLOBAL secure_auth=1;
+--error ER_GLOBAL_VARIABLE
+SET secure_auth=1;
+--error ER_GLOBAL_VARIABLE
+SET SESSION secure_auth=1;
+--disconnect user1
+--connection default
+DROP USER user1@localhost;
+
+SET @@global.secure_auth=@global;
diff --git a/mysql-test/suite/sys_vars/t/slow_launch_time_grant.test b/mysql-test/suite/sys_vars/t/slow_launch_time_grant.test
new file mode 100644
index 00000000000..1a81930593e
--- /dev/null
+++ b/mysql-test/suite/sys_vars/t/slow_launch_time_grant.test
@@ -0,0 +1,56 @@
+--source include/not_embedded.inc
+
+SET @global=@@global.slow_launch_time;
+
+--echo #
+--echo # MDEV-21961 Bind CONNECTION ADMIN to a number of global system variables
+--echo #
+
+--echo # Test that "SET slow_launch_time" is not allowed without CONNECTION ADMIN or SUPER
+
+CREATE USER user1@localhost;
+GRANT ALL PRIVILEGES ON *.* TO user1@localhost;
+REVOKE CONNECTION ADMIN, SUPER ON *.* FROM user1@localhost;
+--connect(user1,localhost,user1,,)
+--connection user1
+--error ER_SPECIFIC_ACCESS_DENIED_ERROR
+SET GLOBAL slow_launch_time=10;
+--error ER_GLOBAL_VARIABLE
+SET slow_launch_time=10;
+--error ER_GLOBAL_VARIABLE
+SET SESSION slow_launch_time=10;
+--disconnect user1
+--connection default
+DROP USER user1@localhost;
+
+--echo # Test that "SET slow_launch_time" is allowed with CONNECTION ADMIN
+
+CREATE USER user1@localhost;
+GRANT CONNECTION ADMIN ON *.* TO user1@localhost;
+--connect(user1,localhost,user1,,)
+--connection user1
+SET GLOBAL slow_launch_time=10;
+--error ER_GLOBAL_VARIABLE
+SET slow_launch_time=10;
+--error ER_GLOBAL_VARIABLE
+SET SESSION slow_launch_time=10;
+--disconnect user1
+--connection default
+DROP USER user1@localhost;
+
+--echo # Test that "SET slow_launch_time" is allowed with SUPER
+
+CREATE USER user1@localhost;
+GRANT SUPER ON *.* TO user1@localhost;
+--connect(user1,localhost,user1,,)
+--connection user1
+SET GLOBAL slow_launch_time=10;
+--error ER_GLOBAL_VARIABLE
+SET slow_launch_time=10;
+--error ER_GLOBAL_VARIABLE
+SET SESSION slow_launch_time=10;
+--disconnect user1
+--connection default
+DROP USER user1@localhost;
+
+SET @@global.slow_launch_time=@global;
diff --git a/mysql-test/suite/sys_vars/t/thread_pool_idle_timeout_grant.test b/mysql-test/suite/sys_vars/t/thread_pool_idle_timeout_grant.test
new file mode 100644
index 00000000000..71b007bde23
--- /dev/null
+++ b/mysql-test/suite/sys_vars/t/thread_pool_idle_timeout_grant.test
@@ -0,0 +1,57 @@
+--source include/not_windows.inc
+--source include/not_embedded.inc
+
+SET @global=@@global.thread_pool_idle_timeout;
+
+--echo #
+--echo # MDEV-21961 Bind CONNECTION ADMIN to a number of global system variables
+--echo #
+
+--echo # Test that "SET thread_pool_idle_timeout" is not allowed without CONNECTION ADMIN or SUPER
+
+CREATE USER user1@localhost;
+GRANT ALL PRIVILEGES ON *.* TO user1@localhost;
+REVOKE CONNECTION ADMIN, SUPER ON *.* FROM user1@localhost;
+--connect(user1,localhost,user1,,)
+--connection user1
+--error ER_SPECIFIC_ACCESS_DENIED_ERROR
+SET GLOBAL thread_pool_idle_timeout=10;
+--error ER_GLOBAL_VARIABLE
+SET thread_pool_idle_timeout=10;
+--error ER_GLOBAL_VARIABLE
+SET SESSION thread_pool_idle_timeout=10;
+--disconnect user1
+--connection default
+DROP USER user1@localhost;
+
+--echo # Test that "SET thread_pool_idle_timeout" is allowed with CONNECTION ADMIN
+
+CREATE USER user1@localhost;
+GRANT CONNECTION ADMIN ON *.* TO user1@localhost;
+--connect(user1,localhost,user1,,)
+--connection user1
+SET GLOBAL thread_pool_idle_timeout=10;
+--error ER_GLOBAL_VARIABLE
+SET thread_pool_idle_timeout=10;
+--error ER_GLOBAL_VARIABLE
+SET SESSION thread_pool_idle_timeout=10;
+--disconnect user1
+--connection default
+DROP USER user1@localhost;
+
+--echo # Test that "SET thread_pool_idle_timeout" is allowed with SUPER
+
+CREATE USER user1@localhost;
+GRANT SUPER ON *.* TO user1@localhost;
+--connect(user1,localhost,user1,,)
+--connection user1
+SET GLOBAL thread_pool_idle_timeout=10;
+--error ER_GLOBAL_VARIABLE
+SET thread_pool_idle_timeout=10;
+--error ER_GLOBAL_VARIABLE
+SET SESSION thread_pool_idle_timeout=10;
+--disconnect user1
+--connection default
+DROP USER user1@localhost;
+
+SET @@global.thread_pool_idle_timeout=@global;
diff --git a/mysql-test/suite/sys_vars/t/thread_pool_max_threads_grant.test b/mysql-test/suite/sys_vars/t/thread_pool_max_threads_grant.test
new file mode 100644
index 00000000000..29a9ac42ea0
--- /dev/null
+++ b/mysql-test/suite/sys_vars/t/thread_pool_max_threads_grant.test
@@ -0,0 +1,57 @@
+# uint global
+--source include/not_embedded.inc
+
+SET @global=@@global.thread_pool_max_threads;
+
+--echo #
+--echo # MDEV-21961 Bind CONNECTION ADMIN to a number of global system variables
+--echo #
+
+--echo # Test that "SET thread_pool_max_threads" is not allowed without CONNECTION ADMIN or SUPER
+
+CREATE USER user1@localhost;
+GRANT ALL PRIVILEGES ON *.* TO user1@localhost;
+REVOKE CONNECTION ADMIN, SUPER ON *.* FROM user1@localhost;
+--connect(user1,localhost,user1,,)
+--connection user1
+--error ER_SPECIFIC_ACCESS_DENIED_ERROR
+SET GLOBAL thread_pool_max_threads=10;
+--error ER_GLOBAL_VARIABLE
+SET thread_pool_max_threads=10;
+--error ER_GLOBAL_VARIABLE
+SET SESSION thread_pool_max_threads=10;
+--disconnect user1
+--connection default
+DROP USER user1@localhost;
+
+--echo # Test that "SET thread_pool_max_threads" is allowed with CONNECTION ADMIN
+
+CREATE USER user1@localhost;
+GRANT CONNECTION ADMIN ON *.* TO user1@localhost;
+--connect(user1,localhost,user1,,)
+--connection user1
+SET GLOBAL thread_pool_max_threads=10;
+--error ER_GLOBAL_VARIABLE
+SET thread_pool_max_threads=10;
+--error ER_GLOBAL_VARIABLE
+SET SESSION thread_pool_max_threads=10;
+--disconnect user1
+--connection default
+DROP USER user1@localhost;
+
+--echo # Test that "SET thread_pool_max_threads" is allowed with SUPER
+
+CREATE USER user1@localhost;
+GRANT SUPER ON *.* TO user1@localhost;
+--connect(user1,localhost,user1,,)
+--connection user1
+SET GLOBAL thread_pool_max_threads=10;
+--error ER_GLOBAL_VARIABLE
+SET thread_pool_max_threads=10;
+--error ER_GLOBAL_VARIABLE
+SET SESSION thread_pool_max_threads=10;
+--disconnect user1
+--connection default
+DROP USER user1@localhost;
+
+SET @@global.thread_pool_max_threads=@global;
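Review bot: The leading `# uint global` comment says nothing about what this test covers and looks like template residue; the same line opens thread_pool_stall_limit_grant.test. The sibling thread_pool_idle_timeout_grant.test and thread_pool_oversubscribe_grant.test start with `--source include/not_windows.inc` instead, and the diff does not show why these two omit it. If the omission is intentional, replace the comment with one that says so, e.g. `# thread_pool_max_threads exists on all platforms, so no not_windows.inc here`; otherwise add the guard.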
diff --git a/mysql-test/suite/sys_vars/t/thread_pool_oversubscribe_grant.test b/mysql-test/suite/sys_vars/t/thread_pool_oversubscribe_grant.test
new file mode 100644
index 00000000000..cbffb94c297
--- /dev/null
+++ b/mysql-test/suite/sys_vars/t/thread_pool_oversubscribe_grant.test
@@ -0,0 +1,57 @@
+--source include/not_windows.inc
+--source include/not_embedded.inc
+
+SET @global=@@global.thread_pool_oversubscribe;
+
+--echo #
+--echo # MDEV-21961 Bind CONNECTION ADMIN to a number of global system variables
+--echo #
+
+--echo # Test that "SET thread_pool_oversubscribe" is not allowed without CONNECTION ADMIN or SUPER
+
+CREATE USER user1@localhost;
+GRANT ALL PRIVILEGES ON *.* TO user1@localhost;
+REVOKE CONNECTION ADMIN, SUPER ON *.* FROM user1@localhost;
+--connect(user1,localhost,user1,,)
+--connection user1
+--error ER_SPECIFIC_ACCESS_DENIED_ERROR
+SET GLOBAL thread_pool_oversubscribe=10;
+--error ER_GLOBAL_VARIABLE
+SET thread_pool_oversubscribe=10;
+--error ER_GLOBAL_VARIABLE
+SET SESSION thread_pool_oversubscribe=10;
+--disconnect user1
+--connection default
+DROP USER user1@localhost;
+
+--echo # Test that "SET thread_pool_oversubscribe" is allowed with CONNECTION ADMIN
+
+CREATE USER user1@localhost;
+GRANT CONNECTION ADMIN ON *.* TO user1@localhost;
+--connect(user1,localhost,user1,,)
+--connection user1
+SET GLOBAL thread_pool_oversubscribe=10;
+--error ER_GLOBAL_VARIABLE
+SET thread_pool_oversubscribe=10;
+--error ER_GLOBAL_VARIABLE
+SET SESSION thread_pool_oversubscribe=10;
+--disconnect user1
+--connection default
+DROP USER user1@localhost;
+
+--echo # Test that "SET thread_pool_oversubscribe" is allowed with SUPER
+
+CREATE USER user1@localhost;
+GRANT SUPER ON *.* TO user1@localhost;
+--connect(user1,localhost,user1,,)
+--connection user1
+SET GLOBAL thread_pool_oversubscribe=10;
+--error ER_GLOBAL_VARIABLE
+SET thread_pool_oversubscribe=10;
+--error ER_GLOBAL_VARIABLE
+SET SESSION thread_pool_oversubscribe=10;
+--disconnect user1
+--connection default
+DROP USER user1@localhost;
+
+SET @@global.thread_pool_oversubscribe=@global;
diff --git a/mysql-test/suite/sys_vars/t/thread_pool_stall_limit_grant.test b/mysql-test/suite/sys_vars/t/thread_pool_stall_limit_grant.test
new file mode 100644
index 00000000000..8c0908fe2c0
--- /dev/null
+++ b/mysql-test/suite/sys_vars/t/thread_pool_stall_limit_grant.test
@@ -0,0 +1,57 @@
+# uint global
+--source include/not_embedded.inc
+
+SET @global=@@global.thread_pool_stall_limit;
+
+--echo #
+--echo # MDEV-21961 Bind CONNECTION ADMIN to a number of global system variables
+--echo #
+
+--echo # Test that "SET thread_pool_stall_limit" is not allowed without CONNECTION ADMIN or SUPER
+
+CREATE USER user1@localhost;
+GRANT ALL PRIVILEGES ON *.* TO user1@localhost;
+REVOKE CONNECTION ADMIN, SUPER ON *.* FROM user1@localhost;
+--connect(user1,localhost,user1,,)
+--connection user1
+--error ER_SPECIFIC_ACCESS_DENIED_ERROR
+SET GLOBAL thread_pool_stall_limit=400;
+--error ER_GLOBAL_VARIABLE
+SET thread_pool_stall_limit=400;
+--error ER_GLOBAL_VARIABLE
+SET SESSION thread_pool_stall_limit=400;
+--disconnect user1
+--connection default
+DROP USER user1@localhost;
+
+--echo # Test that "SET thread_pool_stall_limit" is allowed with CONNECTION ADMIN
+
+CREATE USER user1@localhost;
+GRANT CONNECTION ADMIN ON *.* TO user1@localhost;
+--connect(user1,localhost,user1,,)
+--connection user1
+SET GLOBAL thread_pool_stall_limit=400;
+--error ER_GLOBAL_VARIABLE
+SET thread_pool_stall_limit=400;
+--error ER_GLOBAL_VARIABLE
+SET SESSION thread_pool_stall_limit=400;
+--disconnect user1
+--connection default
+DROP USER user1@localhost;
+
+--echo # Test that "SET thread_pool_stall_limit" is allowed with SUPER
+
+CREATE USER user1@localhost;
+GRANT SUPER ON *.* TO user1@localhost;
+--connect(user1,localhost,user1,,)
+--connection user1
+SET GLOBAL thread_pool_stall_limit=400;
+--error ER_GLOBAL_VARIABLE
+SET thread_pool_stall_limit=400;
+--error ER_GLOBAL_VARIABLE
+SET SESSION thread_pool_stall_limit=400;
+--disconnect user1
+--connection default
+DROP USER user1@localhost;
+
+SET @@global.thread_pool_stall_limit=@global;
diff --git a/sql/privilege.h b/sql/privilege.h
index 0d9b0a08af7..6d5612e5c4b 100644
--- a/sql/privilege.h
+++ b/sql/privilege.h
@@ -345,6 +345,41 @@ constexpr privilege_t PRIV_IGNORE_MAX_PASSWORD_ERRORS= CONNECTION_ADMIN_ACL | SU
// Was SUPER_ACL prior to 10.5.2
constexpr privilege_t PRIV_KILL_OTHER_USER_PROCESS= CONNECTION_ADMIN_ACL | SUPER_ACL;
+// Was SUPER_ACL prior to 10.5.2
+constexpr privilege_t PRIV_SET_SYSTEM_GLOBAL_VAR_CONNECT_TIMEOUT=
+ CONNECTION_ADMIN_ACL | SUPER_ACL;
+// Was SUPER_ACL prior to 10.5.2
+constexpr privilege_t PRIV_SET_SYSTEM_GLOBAL_VAR_DISCONNECT_ON_EXPIRED_PASSWORD=
+ CONNECTION_ADMIN_ACL | SUPER_ACL;
+// Was SUPER_ACL prior to 10.5.2
+constexpr privilege_t PRIV_SET_SYSTEM_GLOBAL_VAR_EXTRA_MAX_CONNECTIONS=
+ CONNECTION_ADMIN_ACL | SUPER_ACL;
+// Was SUPER_ACL prior to 10.5.2
+constexpr privilege_t PRIV_SET_SYSTEM_GLOBAL_VAR_INIT_CONNECT=
+ CONNECTION_ADMIN_ACL | SUPER_ACL;
+// Was SUPER_ACL prior to 10.5.2
+constexpr privilege_t PRIV_SET_SYSTEM_GLOBAL_VAR_MAX_CONNECTIONS=
+ CONNECTION_ADMIN_ACL | SUPER_ACL;
+// Was SUPER_ACL prior to 10.5.2
+constexpr privilege_t PRIV_SET_SYSTEM_GLOBAL_VAR_MAX_CONNECT_ERRORS=
+ CONNECTION_ADMIN_ACL | SUPER_ACL;
+// Was SUPER_ACL prior to 10.5.2
+constexpr privilege_t PRIV_SET_SYSTEM_GLOBAL_VAR_MAX_PASSWORD_ERRORS=
+ CONNECTION_ADMIN_ACL | SUPER_ACL;
+// Was SUPER_ACL prior to 10.5.2
+constexpr privilege_t PRIV_SET_SYSTEM_GLOBAL_VAR_PROXY_PROTOCOL_NETWORKS=
+ CONNECTION_ADMIN_ACL | SUPER_ACL;
+// Was SUPER_ACL prior to 10.5.2
+constexpr privilege_t PRIV_SET_SYSTEM_GLOBAL_VAR_SECURE_AUTH=
+ CONNECTION_ADMIN_ACL | SUPER_ACL;
+// Was SUPER_ACL prior to 10.5.2
+constexpr privilege_t PRIV_SET_SYSTEM_GLOBAL_VAR_SLOW_LAUNCH_TIME=
+ CONNECTION_ADMIN_ACL | SUPER_ACL;
+
+// Was SUPER_ACL prior to 10.5.2
+constexpr privilege_t PRIV_SET_SYSTEM_GLOBAL_VAR_THREAD_POOL=
+ CONNECTION_ADMIN_ACL | SUPER_ACL;
+
/*
Binary log related privileges that are checked regardless
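Review bot: The repeated `// Was SUPER_ACL prior to 10.5.2` comment records the history but not the security weight of what is being delegated. `PRIV_SET_SYSTEM_GLOBAL_VAR_SECURE_AUTH`, `PRIV_SET_SYSTEM_GLOBAL_VAR_MAX_PASSWORD_ERRORS` and `PRIV_SET_SYSTEM_GLOBAL_VAR_PROXY_PROTOCOL_NETWORKS` guard settings that shape authentication policy (old-password logins, the failed-login lockout threshold, and which source networks may use the proxy protocol), unlike the timeout and capacity knobs beside them. An account holding CONNECTION ADMIN without SUPER can now relax these, so I would mark the three constants with something like `// Authentication policy: changing this can weaken login protection; review CONNECTION ADMIN grants accordingly`. Keeping one constant per variable is a good choice, since any of them can later be tightened without touching `sys_vars.cc`.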
diff --git a/sql/sys_vars.cc b/sql/sys_vars.cc
index 48d235238a0..4d5c7a3c18d 100644
--- a/sql/sys_vars.cc
+++ b/sql/sys_vars.cc
@@ -979,7 +979,9 @@ static Sys_var_enum Sys_concurrent_insert(
GLOBAL_VAR(myisam_concurrent_insert), CMD_LINE(OPT_ARG),
concurrent_insert_names, DEFAULT(1));
-static Sys_var_ulong Sys_connect_timeout(
+static Sys_var_on_access_global<Sys_var_ulong,
+ PRIV_SET_SYSTEM_GLOBAL_VAR_CONNECT_TIMEOUT>
+Sys_connect_timeout(
"connect_timeout",
"The number of seconds the mysqld server is waiting for a connect "
"packet before responding with 'Bad handshake'",
@@ -1234,7 +1236,10 @@ static bool check_init_string(sys_var *self, THD *thd, set_var *var)
return false;
}
static PolyLock_rwlock PLock_sys_init_connect(&LOCK_sys_init_connect);
-static Sys_var_lexstring Sys_init_connect(
+
+static Sys_var_on_access_global<Sys_var_lexstring,
+ PRIV_SET_SYSTEM_GLOBAL_VAR_INIT_CONNECT>
+Sys_init_connect(
"init_connect", "Command(s) that are executed for each "
"new connection (unless the user has SUPER privilege)",
GLOBAL_VAR(opt_init_connect), CMD_LINE(REQUIRED_ARG),
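Review bot: `init_connect` is not a tuning knob like the other variables in this commit. Per its own help text the command string is executed for each new connection of a user without SUPER, so `PRIV_SET_SYSTEM_GLOBAL_VAR_INIT_CONNECT` lets a CONNECTION ADMIN holder choose statements that run in other accounts' sessions. If that delegation is intended, it deserves a comment at the declaration, for example `// Security-sensitive: the value is executed in every non-SUPER session at connect time`. The help string's `(unless the user has SUPER privilege)` should also be checked against whether CONNECTION ADMIN holders are themselves exempt, which this hunk does not show. The declaration continues past the end of the hunk, so its `ON_CHECK`/`ON_UPDATE` arguments are not visible here.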
@@ -1620,7 +1625,9 @@ static bool fix_max_connections(sys_var *self, THD *thd, enum_var_type type)
// Default max_connections of 151 is larger than Apache's default max
// children, to avoid "too many connections" error in a common setup
-static Sys_var_ulong Sys_max_connections(
+static Sys_var_on_access_global<Sys_var_ulong,
+ PRIV_SET_SYSTEM_GLOBAL_VAR_MAX_CONNECTIONS>
+Sys_max_connections(
"max_connections", "The number of simultaneous clients allowed",
PARSED_EARLY GLOBAL_VAR(max_connections), CMD_LINE(REQUIRED_ARG),
VALID_RANGE(10, 100000),
@@ -1637,7 +1644,9 @@ static Sys_var_uint Sys_default_password_lifetime(
GLOBAL_VAR(default_password_lifetime), CMD_LINE(REQUIRED_ARG),
VALID_RANGE(0, UINT_MAX), DEFAULT(0), BLOCK_SIZE(1));
-static Sys_var_mybool Sys_disconnect_on_expired_password(
+static Sys_var_on_access_global<Sys_var_mybool,
+ PRIV_SET_SYSTEM_GLOBAL_VAR_DISCONNECT_ON_EXPIRED_PASSWORD>
+Sys_disconnect_on_expired_password(
"disconnect_on_expired_password",
"This variable controls how the server handles clients that are not "
"aware of the sandbox mode. If enabled, the server disconnects the "
@@ -1645,7 +1654,9 @@ static Sys_var_mybool Sys_disconnect_on_expired_password(
GLOBAL_VAR(disconnect_on_expired_password), CMD_LINE(OPT_ARG),
DEFAULT(FALSE));
-static Sys_var_ulong Sys_max_connect_errors(
+static Sys_var_on_access_global<Sys_var_ulong,
+ PRIV_SET_SYSTEM_GLOBAL_VAR_MAX_CONNECT_ERRORS>
+Sys_max_connect_errors(
"max_connect_errors",
"If there is more than this number of interrupted connections from "
"a host this host will be blocked from further connections",
@@ -1653,7 +1664,9 @@ static Sys_var_ulong Sys_max_connect_errors(
VALID_RANGE(1, UINT_MAX), DEFAULT(MAX_CONNECT_ERRORS),
BLOCK_SIZE(1));
-static Sys_var_uint Sys_max_password_errors(
+static Sys_var_on_access_global<Sys_var_uint,
+ PRIV_SET_SYSTEM_GLOBAL_VAR_MAX_PASSWORD_ERRORS>
+Sys_max_password_errors(
"max_password_errors",
"If there is more than this number of failed connect attempts "
"due to invalid password, user will be blocked from further connections until FLUSH_PRIVILEGES.",
@@ -3094,7 +3107,9 @@ static Sys_var_mybool Sys_query_cache_wlock_invalidate(
DEFAULT(FALSE));
#endif /* HAVE_QUERY_CACHE */
-static Sys_var_mybool Sys_secure_auth(
+static Sys_var_on_access_global<Sys_var_mybool,
+ PRIV_SET_SYSTEM_GLOBAL_VAR_SECURE_AUTH>
+Sys_secure_auth(
"secure_auth",
"Disallow authentication for accounts that have old (pre-4.1) "
"passwords",
@@ -3436,7 +3451,9 @@ static Sys_var_uint Sys_semisync_slave_kill_conn_timeout(
ON_UPDATE(fix_rpl_semi_sync_slave_kill_conn_timeout));
#endif /* HAVE_REPLICATION */
-static Sys_var_ulong Sys_slow_launch_time(
+static Sys_var_on_access_global<Sys_var_ulong,
+ PRIV_SET_SYSTEM_GLOBAL_VAR_SLOW_LAUNCH_TIME>
+Sys_slow_launch_time(
"slow_launch_time",
"If creating the thread takes longer than this value (in seconds), "
"the Slow_launch_threads counter will be incremented",
@@ -3773,7 +3790,9 @@ static bool fix_threadpool_stall_limit(sys_var*, THD*, enum_var_type)
}
#ifdef _WIN32
-static Sys_var_uint Sys_threadpool_min_threads(
+static Sys_var_on_access_global<Sys_var_uint,
+ PRIV_SET_SYSTEM_GLOBAL_VAR_THREAD_POOL>
+Sys_threadpool_min_threads(
"thread_pool_min_threads",
"Minimum number of threads in the thread pool.",
GLOBAL_VAR(threadpool_min_threads), CMD_LINE(REQUIRED_ARG),
@@ -3783,7 +3802,9 @@ static Sys_var_uint Sys_threadpool_min_threads(
);
static const char *threadpool_mode_names[]={ "windows", "generic", 0 };
-static Sys_var_enum Sys_threadpool_mode(
+static Sys_var_on_access_global<Sys_var_enum,
+ PRIV_SET_SYSTEM_GLOBAL_VAR_THREAD_POOL>
+Sys_threadpool_mode(
"thread_pool_mode",
"Chose implementation of the threadpool",
READ_ONLY GLOBAL_VAR(threadpool_mode), CMD_LINE(REQUIRED_ARG),
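Review bot: Wrapping `Sys_threadpool_mode` in `Sys_var_on_access_global<Sys_var_enum, PRIV_SET_SYSTEM_GLOBAL_VAR_THREAD_POOL>` looks like a no-op, because the variable is declared `READ_ONLY` and so presumably cannot be SET at run time at all. A related question applies in the next hunk to `Sys_thread_pool_priority`, which is declared with `SESSION_VAR(threadpool_priority)`. Judging by its name, the wrapper checks only the GLOBAL scope, so a session-level SET would stay ungated; if that is intended, a comment such as `// Only SET GLOBAL is privilege-checked; SET SESSION stays open to every user` would make it explicit. The `Sys_threadpool_mode` declaration continues outside this hunk.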
@@ -3792,27 +3813,35 @@ static Sys_var_enum Sys_threadpool_mode(
#endif
static const char *threadpool_priority_names[]={ "high", "low", "auto", 0 };
-static Sys_var_enum Sys_thread_pool_priority(
+static Sys_var_on_access_global<Sys_var_enum,
+ PRIV_SET_SYSTEM_GLOBAL_VAR_THREAD_POOL>
+Sys_thread_pool_priority(
"thread_pool_priority",
"Threadpool priority. High priority connections usually start executing earlier than low priority."
"If priority set to 'auto', the the actual priority(low or high) is determined based on whether or not connection is inside transaction.",
SESSION_VAR(threadpool_priority), CMD_LINE(REQUIRED_ARG),
threadpool_priority_names, DEFAULT(TP_PRIORITY_AUTO));
-static Sys_var_uint Sys_threadpool_idle_thread_timeout(
+static Sys_var_on_access_global<Sys_var_uint,
+ PRIV_SET_SYSTEM_GLOBAL_VAR_THREAD_POOL>
+Sys_threadpool_idle_thread_timeout(
"thread_pool_idle_timeout",
"Timeout in seconds for an idle thread in the thread pool."
"Worker thread will be shut down after timeout",
GLOBAL_VAR(threadpool_idle_timeout), CMD_LINE(REQUIRED_ARG),
VALID_RANGE(1, UINT_MAX), DEFAULT(60), BLOCK_SIZE(1)
);
-static Sys_var_uint Sys_threadpool_oversubscribe(
+static Sys_var_on_access_global<Sys_var_uint,
+ PRIV_SET_SYSTEM_GLOBAL_VAR_THREAD_POOL>
+Sys_threadpool_oversubscribe(
"thread_pool_oversubscribe",
"How many additional active worker threads in a group are allowed.",
GLOBAL_VAR(threadpool_oversubscribe), CMD_LINE(REQUIRED_ARG),
VALID_RANGE(1, 1000), DEFAULT(3), BLOCK_SIZE(1)
);
-static Sys_var_uint Sys_threadpool_size(
+static Sys_var_on_access_global<Sys_var_uint,
+ PRIV_SET_SYSTEM_GLOBAL_VAR_THREAD_POOL>
+Sys_threadpool_size(
"thread_pool_size",
"Number of thread groups in the pool. "
"This parameter is roughly equivalent to maximum number of concurrently "
@@ -3822,7 +3851,9 @@ static Sys_var_uint Sys_threadpool_size(
NO_MUTEX_GUARD, NOT_IN_BINLOG, ON_CHECK(check_threadpool_size),
ON_UPDATE(fix_threadpool_size)
);
-static Sys_var_uint Sys_threadpool_stall_limit(
+static Sys_var_on_access_global<Sys_var_uint,
+ PRIV_SET_SYSTEM_GLOBAL_VAR_THREAD_POOL>
+Sys_threadpool_stall_limit(
"thread_pool_stall_limit",
"Maximum query execution time in milliseconds,"
"before an executing non-yielding thread is considered stalled."
@@ -3834,7 +3865,9 @@ static Sys_var_uint Sys_threadpool_stall_limit(
ON_UPDATE(fix_threadpool_stall_limit)
);
-static Sys_var_uint Sys_threadpool_max_threads(
+static Sys_var_on_access_global<Sys_var_uint,
+ PRIV_SET_SYSTEM_GLOBAL_VAR_THREAD_POOL>
+Sys_threadpool_max_threads(
"thread_pool_max_threads",
"Maximum allowed number of worker threads in the thread pool",
GLOBAL_VAR(threadpool_max_threads), CMD_LINE(REQUIRED_ARG),
@@ -3843,21 +3876,27 @@ static Sys_var_uint Sys_threadpool_max_threads(
ON_UPDATE(fix_tp_max_threads)
);
-static Sys_var_uint Sys_threadpool_threadpool_prio_kickup_timer(
+static Sys_var_on_access_global<Sys_var_uint,
+ PRIV_SET_SYSTEM_GLOBAL_VAR_THREAD_POOL>
+Sys_threadpool_threadpool_prio_kickup_timer(
"thread_pool_prio_kickup_timer",
"The number of milliseconds before a dequeued low-priority statement is moved to the high-priority queue",
GLOBAL_VAR(threadpool_prio_kickup_timer), CMD_LINE(REQUIRED_ARG),
VALID_RANGE(0, UINT_MAX), DEFAULT(1000), BLOCK_SIZE(1)
);
-static Sys_var_mybool Sys_threadpool_exact_stats(
+static Sys_var_on_access_global<Sys_var_mybool,
+ PRIV_SET_SYSTEM_GLOBAL_VAR_THREAD_POOL>
+Sys_threadpool_exact_stats(
"thread_pool_exact_stats",
"If set to 1, provides better statistics in information_schema threadpool tables",
GLOBAL_VAR(threadpool_exact_stats), CMD_LINE(OPT_ARG), DEFAULT(FALSE),
NO_MUTEX_GUARD, NOT_IN_BINLOG
);
-static Sys_var_mybool Sys_threadpool_dedicated_listener(
+static Sys_var_on_access_global<Sys_var_mybool,
+ PRIV_SET_SYSTEM_GLOBAL_VAR_THREAD_POOL>
+Sys_threadpool_dedicated_listener(
"thread_pool_dedicated_listener",
"If set to 1,listener thread will not pick up queries",
GLOBAL_VAR(threadpool_dedicated_listener), CMD_LINE(OPT_ARG), DEFAULT(FALSE),
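Review bot: `thread_pool_prio_kickup_timer`, `thread_pool_exact_stats` and `thread_pool_dedicated_listener` switch to `PRIV_SET_SYSTEM_GLOBAL_VAR_THREAD_POOL` here, but the commit's diffstat, as far as it is shown, lists `*_grant` tests only for `thread_pool_idle_timeout`, `thread_pool_max_threads`, `thread_pool_oversubscribe` and `thread_pool_stall_limit`. The same applies to `thread_pool_size` and `thread_pool_priority` in the earlier hunks. An access-control change is only as trustworthy as its negative test, so each of these should get the same three-case test (denied without CONNECTION ADMIN or SUPER, allowed with either). Alternatively, one of the existing tests could carry a comment explaining why the shared constant makes one representative variable sufficient. The `Sys_threadpool_dedicated_listener` declaration continues outside this hunk.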
@@ -4707,7 +4746,9 @@ static bool fix_proxy_protocol_networks(sys_var *, THD *, enum_var_type)
}
-static Sys_var_charptr_fscs Sys_proxy_protocol_networks(
+static Sys_var_on_access_global<Sys_var_charptr_fscs,
+ PRIV_SET_SYSTEM_GLOBAL_VAR_PROXY_PROTOCOL_NETWORKS>
+Sys_proxy_protocol_networks(
"proxy_protocol_networks", "Enable proxy protocol for these source "
"networks. The syntax is a comma separated list of IPv4 and IPv6 "
"networks. If the network doesn't contain mask, it is considered to be "
@@ -6017,7 +6058,9 @@ static Sys_var_uint Sys_extra_port(
READ_ONLY GLOBAL_VAR(mysqld_extra_port), CMD_LINE(REQUIRED_ARG),
VALID_RANGE(0, UINT_MAX32), DEFAULT(0), BLOCK_SIZE(1));
-static Sys_var_ulong Sys_extra_max_connections(
+static Sys_var_on_access_global<Sys_var_ulong,
+ PRIV_SET_SYSTEM_GLOBAL_VAR_EXTRA_MAX_CONNECTIONS>
+Sys_extra_max_connections(
"extra_max_connections", "The number of connections on extra-port",
GLOBAL_VAR(extra_max_connections), CMD_LINE(REQUIRED_ARG),
VALID_RANGE(1, 100000), DEFAULT(1), BLOCK_SIZE(1), NO_MUTEX_GUARD,