Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
- Loading branch information
Showing
55 changed files
with
503 additions
and
345 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,55 @@ | ||
CREATE USER user1@localhost IDENTIFIED BY ''; | ||
GRANT ALL PRIVILEGES ON *.* TO user1@localhost; | ||
REVOKE SLAVE MONITOR, SUPER ON *.* FROM user1@localhost; | ||
FLUSH PRIVILEGES; | ||
connect con1,localhost,user1,,; | ||
connection con1; | ||
SHOW GRANTS; | ||
Grants for user1@localhost | ||
GRANT SELECT, INSERT, UPDATE, DELETE, CREATE, DROP, RELOAD, SHUTDOWN, PROCESS, FILE, REFERENCES, INDEX, ALTER, SHOW DATABASES, CREATE TEMPORARY TABLES, LOCK TABLES, EXECUTE, REPLICATION SLAVE, BINLOG MONITOR, CREATE VIEW, SHOW VIEW, CREATE ROUTINE, ALTER ROUTINE, CREATE USER, EVENT, TRIGGER, CREATE TABLESPACE, DELETE HISTORY, SET USER, FEDERATED ADMIN, CONNECTION ADMIN, READ_ONLY ADMIN, REPLICATION SLAVE ADMIN, REPLICATION MASTER ADMIN, BINLOG ADMIN, BINLOG REPLAY ON *.* TO `user1`@`localhost` | ||
# | ||
# Verify that having REPLICATION SLAVE ADMIN doesn't allow SHOW SLAVE STATUS | ||
# Expected error: Access denied; you need (at least one of) the SUPER, SLAVE | ||
# MONITOR privilege(s) for this operation | ||
# | ||
SHOW SLAVE STATUS; | ||
ERROR 42000: Access denied; you need (at least one of) the SUPER, SLAVE MONITOR privilege(s) for this operation | ||
# | ||
# Verify that having REPLICATION SLAVE ADMIN doesn't allow SHOW RELAYLOG EVENTS | ||
# Expected error: Access denied; you need (at least one of) the REPLICA MONITOR | ||
# privilege(s) for this operation | ||
# | ||
SHOW RELAYLOG EVENTS; | ||
ERROR 42000: Access denied; you need (at least one of) the SLAVE MONITOR privilege(s) for this operation | ||
disconnect con1; | ||
# | ||
# SHOW SLAVE STATUS and SHOW RELAYLOG EVENTS are allowed with SLAVE MONITOR privilege | ||
# | ||
connection default; | ||
GRANT SLAVE MONITOR ON *.* TO user1@localhost; | ||
FLUSH PRIVILEGES; | ||
connect con1,localhost,user1,,; | ||
connection con1; | ||
SHOW GRANTS; | ||
Grants for user1@localhost | ||
GRANT SELECT, INSERT, UPDATE, DELETE, CREATE, DROP, RELOAD, SHUTDOWN, PROCESS, FILE, REFERENCES, INDEX, ALTER, SHOW DATABASES, CREATE TEMPORARY TABLES, LOCK TABLES, EXECUTE, REPLICATION SLAVE, BINLOG MONITOR, CREATE VIEW, SHOW VIEW, CREATE ROUTINE, ALTER ROUTINE, CREATE USER, EVENT, TRIGGER, CREATE TABLESPACE, DELETE HISTORY, SET USER, FEDERATED ADMIN, CONNECTION ADMIN, READ_ONLY ADMIN, REPLICATION SLAVE ADMIN, REPLICATION MASTER ADMIN, BINLOG ADMIN, BINLOG REPLAY, SLAVE MONITOR ON *.* TO `user1`@`localhost` | ||
SHOW SLAVE STATUS; | ||
SHOW RELAYLOG EVENTS; | ||
disconnect con1; | ||
connection default; | ||
DROP USER user1@localhost; | ||
# | ||
# SHOW SLAVE STATUS command is allowed with SUPER privilege | ||
# | ||
CREATE USER user1@localhost IDENTIFIED BY ''; | ||
GRANT SUPER ON *.* TO user1@localhost; | ||
connect con1,localhost,user1,,; | ||
SHOW SLAVE STATUS; | ||
# | ||
# SHOW RELAYLOG EVENTS is not allowed with SUPER privilege, it requires SLAVE MONITOR | ||
# | ||
SHOW RELAYLOG EVENTS; | ||
ERROR 42000: Access denied; you need (at least one of) the SLAVE MONITOR privilege(s) for this operation | ||
disconnect con1; | ||
connection default; | ||
DROP USER user1@localhost; |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,101 @@ | ||
# ==== Purpose ==== | ||
# | ||
# SLAVE MONITOR privilege is required to execute following commands. | ||
# SHOW SLAVE STATUS | ||
# SHOW RELAYLOG EVENTS | ||
# | ||
# ==== Implementation ==== | ||
# | ||
# Step1: GRANT ALL privileges for a new user 'user1' and then REVOKE | ||
# SLAVE MONITOR and SUPER privileges. | ||
# Step2: Execute SHOW SLAVE STAUTS/SHOW RELAYLOG EVENTS commands and expect | ||
# ER_SPECIFIC_ACCESS_DENIED_ERROR. This also verifies that REPLICATION | ||
# SLAVE ADMIN privilege is not required for these two commands. | ||
# Step3: GRANT SLAVE MONITOR privilege and observe that both commands are | ||
# allowd to execute. | ||
# Step4: GRANT SUPER privilege and observe that only SHOW SLAVE STATUS command | ||
# is allowed. | ||
# | ||
# ==== References ==== | ||
# | ||
# MDEV-23610: Slave user can't run "SHOW SLAVE STATUS" anymore after upgrade | ||
# to 10.5, mysql_upgrade should take of that | ||
# MDEV-23918: admin privlege required to view contents of relay logs in 10.5 | ||
# | ||
|
||
--source include/not_embedded.inc | ||
|
||
CREATE USER user1@localhost IDENTIFIED BY ''; | ||
GRANT ALL PRIVILEGES ON *.* TO user1@localhost; | ||
REVOKE SLAVE MONITOR, SUPER ON *.* FROM user1@localhost; | ||
FLUSH PRIVILEGES; | ||
|
||
--connect(con1,localhost,user1,,) | ||
--connection con1 | ||
SHOW GRANTS; | ||
|
||
--echo # | ||
--echo # Verify that having REPLICATION SLAVE ADMIN doesn't allow SHOW SLAVE STATUS | ||
--echo # Expected error: Access denied; you need (at least one of) the SUPER, SLAVE | ||
--echo # MONITOR privilege(s) for this operation | ||
--echo # | ||
--error ER_SPECIFIC_ACCESS_DENIED_ERROR | ||
SHOW SLAVE STATUS; | ||
|
||
--echo # | ||
--echo # Verify that having REPLICATION SLAVE ADMIN doesn't allow SHOW RELAYLOG EVENTS | ||
--echo # Expected error: Access denied; you need (at least one of) the REPLICA MONITOR | ||
--echo # privilege(s) for this operation | ||
--echo # | ||
--disable_ps_protocol | ||
--error ER_SPECIFIC_ACCESS_DENIED_ERROR | ||
SHOW RELAYLOG EVENTS; | ||
--enable_ps_protocol | ||
--disconnect con1 | ||
|
||
--echo # | ||
--echo # SHOW SLAVE STATUS and SHOW RELAYLOG EVENTS are allowed with SLAVE MONITOR privilege | ||
--echo # | ||
|
||
--connection default | ||
GRANT SLAVE MONITOR ON *.* TO user1@localhost; | ||
FLUSH PRIVILEGES; | ||
|
||
--connect(con1,localhost,user1,,) | ||
--connection con1 | ||
SHOW GRANTS; | ||
|
||
--disable_result_log | ||
SHOW SLAVE STATUS; | ||
--disable_ps_protocol | ||
SHOW RELAYLOG EVENTS; | ||
--enable_ps_protocol | ||
--enable_result_log | ||
--disconnect con1 | ||
|
||
--connection default | ||
DROP USER user1@localhost; | ||
|
||
--echo # | ||
--echo # SHOW SLAVE STATUS command is allowed with SUPER privilege | ||
--echo # | ||
CREATE USER user1@localhost IDENTIFIED BY ''; | ||
GRANT SUPER ON *.* TO user1@localhost; | ||
|
||
--connect(con1,localhost,user1,,) | ||
--disable_result_log | ||
SHOW SLAVE STATUS; | ||
--enable_result_log | ||
|
||
--echo # | ||
--echo # SHOW RELAYLOG EVENTS is not allowed with SUPER privilege, it requires SLAVE MONITOR | ||
--echo # | ||
|
||
--disable_ps_protocol | ||
--error ER_SPECIFIC_ACCESS_DENIED_ERROR | ||
SHOW RELAYLOG EVENTS; | ||
--enable_ps_protocol | ||
--disconnect con1 | ||
|
||
--connection default | ||
DROP USER user1@localhost; |
Oops, something went wrong.