Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[BUG] Cannot add certain grants in MariaDB 10.5 #58297

Closed
pgporada opened this issue Aug 26, 2020 · 3 comments · Fixed by #59280
Closed

[BUG] Cannot add certain grants in MariaDB 10.5 #58297

pgporada opened this issue Aug 26, 2020 · 3 comments · Fixed by #59280
Labels
Bug broken, incorrect, or confusing behavior Confirmed Salt engineer has confirmed bug/feature - often including a MCVE Core relates to code central or existential to Salt Execution-Module severity-medium 3rd level, incorrect or bad functionality, confusing and lacks a work around
Milestone
Approved

Comments

@pgporada
Copy link
Contributor

pgporada commented Aug 26, 2020
edited
Loading

Description
In MariaDB 10.5.x, certain grants were renamed, but have a mapping to the old grants name. https://mariadb.com/kb/en/changes-improvements-in-mariadb-105/ and several new grants were introduced.

The REPLICATION CLIENT privilege was renamed to BINLOG MONITOR. The old syntax is understood for compatibility (MDEV-21743).
Split SUPER privilege to smaller privileges (MDEV-21743). New privileges were added so that more fine grained tuning of what each user can do can be applied:

BINLOG ADMIN
BINLOG REPLAY
CONNECTION ADMIN
FEDERATED ADMIN
READ_ONLY ADMIN
REPLICATION MASTER ADMIN
REPLICATION SLAVE ADMIN
SET USER

When I attempt to highstate a MariaDB 10.5 server, I receive the following errors from Saltstack for some of my configured users. Besides the addition of the BINLOG MONITOR grant to my pillar data, applying the grants worked without failure for me on MariaDB 10.3. If I remove BINLOG MONITOR/REPLICATION CLIENT and REPLICATION SLAVE ADMIN grants from my pillar data on the MariaDB 10.5 server, the remaining grants correctly apply.

[ERROR   ] Error during grant generation.                                                                                                                                    
[ERROR   ] Error during grant generation                                                                                                                                     
[ERROR   ] Failed to execute: "GRANT SELECT,RELOAD,LOCK TABLES,REPLICATION CLIENT,REPLICATION SLAVE ADMIN,PROCESS ON *.* TO backups@localhost"                                                             
[ERROR   ] Error during grant generation.                                                                                                                                    
[ERROR   ] Error during grant generation                                                                                                                                     
[ERROR   ] Failed to execute: "GRANT PROCESS,REPLICATION CLIENT,REPLICATION SLAVE ADMIN,SELECT ON *.* TO stats@localhost"                     


----------                                                                                                                                                                   
          ID: mysql_user_backup_localhost_0                                                                                                                                   
    Function: mysql_grants.present                                                                                                                                           
        Name: backup_*_all                                                                                                                                                    
      Result: False                                                                                                                                                          
     Comment: Failed to execute: GRANT SELECT,RELOAD,LOCK TABLES,REPLICATION CLIENT,REPLICATION SLAVE ADMIN,PROCESS ON *.* TO backup@localhost"                                                          
     Started: 20:48:54.722033                                                                                                                                                
    Duration: 1.751 ms                                                                                                                                                       
     Changes:               
----------                                                                                                                                                                   
          ID: mysql_user_stats_localhost_0                                                                                                                            
    Function: mysql_grants.present                                                                                                                                           
        Name: stats_*_all                                                                                                                                             
      Result: False                                                                                                                                                          
     Comment: Failed to execute: "GRANT PROCESS,REPLICATION CLIENT,REPLICATION SLAVE ADMIN,SELECT ON *.* TO stats@localhost"                                                                      
     Started: 20:48:54.741555                                                                                                                                                
    Duration: 2.083 ms

Manually adding grants via the MariaDB 10.5 CLI works as intended. They appear as

> show grants for backup@localhost;
GRANT SELECT, RELOAD, PROCESS, LOCK TABLES, BINLOG MONITOR ON *.* TO `backup`@`localhost`

> show grants for stats@localhost;
GRANT SELECT, PROCESS, BINLOG MONITOR, REPLICATION SLAVE ADMIN ON *.* TO `stats`@`localhost`

On the MariaDB 10.3 CLI the grants appear as

> show grants for backup@localhost;
GRANT SELECT, RELOAD, PROCESS, LOCK TABLES, REPLICATION CLIENT ON *.* TO 'backup'@'localhost'

> show grants for stats@localhost;
GRANT SELECT, PROCESS, REPLICATION CLIENT ON *.* TO 'stats'@'localhost'

Steps to Reproduce the behavior
salt-call state.highstate

Expected behavior
I expect to see the grants configured for my users.

Versions Report

# salt-call --versions-report
Salt Version:
           Salt: 3000.3
 
Dependency Versions:
           cffi: 1.11.5
       cherrypy: Not Installed
       dateutil: 2.6.1
      docker-py: Not Installed
          gitdb: Not Installed
      gitpython: Not Installed
         Jinja2: 2.10.1
        libgit2: Not Installed
       M2Crypto: 0.33.0
           Mako: Not Installed
   msgpack-pure: Not Installed
 msgpack-python: 0.6.1
   mysql-python: 1.4.6
      pycparser: 2.14
       pycrypto: Not Installed
   pycryptodome: Not Installed
         pygit2: Not Installed
         Python: 3.6.8 (default, Apr 16 2020, 01:36:27)
   python-gnupg: Not Installed
         PyYAML: 3.12
          PyZMQ: 17.0.0
          smmap: Not Installed
        timelib: Not Installed
        Tornado: 4.5.3
            ZMQ: 4.3.1
 
System Versions:
           dist: centos 8.2.2004 Core
         locale: UTF-8
        machine: x86_64
        release: 4.18.0-193.6.3.el8_2.x86_64
         system: Linux
        version: CentOS Linux 8.2.2004 Core
@pgporada pgporada added the Bug broken, incorrect, or confusing behavior label Aug 26, 2020
@DmitryKuzmenko DmitryKuzmenko added Confirmed Salt engineer has confirmed bug/feature - often including a MCVE Core relates to code central or existential to Salt Execution-Module severity-medium 3rd level, incorrect or bad functionality, confusing and lacks a work around and removed needs-triage labels Oct 2, 2020
@DmitryKuzmenko DmitryKuzmenko added this to the Approved milestone Oct 2, 2020
@DmitryKuzmenko DmitryKuzmenko removed their assignment Oct 2, 2020
@pprkut pprkut mentioned this issue Jan 12, 2021
Merged
3 tasks
@luyomo luyomo mentioned this issue Jul 5, 2021
Open
@ITJamie
Copy link
Contributor

ITJamie commented Aug 25, 2022

+1 on this. got burnt today needing "BINLOG MONITOR" in grants

This was referenced Aug 25, 2022
Closed
Merged
@ITJamie
Copy link
Contributor

ITJamie commented Aug 25, 2022

found another pr / issue set for this
pr: #61410
issue: #61409

@ITJamie
Copy link
Contributor

ITJamie commented Aug 25, 2022

#61410 would be the fastest pr to merge to at least make mariadb grants useable again ASAP.

#59280 would be nice in the long term (needs tests) to automatically convert grant types based on mariadb version running

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
Bug broken, incorrect, or confusing behavior Confirmed Salt engineer has confirmed bug/feature - often including a MCVE Core relates to code central or existential to Salt Execution-Module severity-medium 3rd level, incorrect or bad functionality, confusing and lacks a work around
Projects
None yet
Milestone
Approved
5 participants
@s0undt3ch @ITJamie @pgporada @DmitryKuzmenko @sagetherage