Uploaded image for project: 'MariaDB Server'
  1. MariaDB Server
  2. MDEV-18123

Users with SUPER get DELETE HISTORY privilege after upgrading

    Details

      Description

      After upgrading from MariaDB 10.2.21 to MariaDB 10.3.11 users with the SUPER privilege acquire the DELETE HISTORY (aka DELETE VERSIONING ROWS) privilege.

      State prior to upgrade:

      MariaDB [(none)]> select @@version;
      +-----------------+
      | @@version       |
      +-----------------+
      | 10.2.21-MariaDB |
      +-----------------+
      1 row in set (0.00 sec)
       
      MariaDB [(none)]> GRANT SUPER ON *.* to 'testuser'@'localhost' identified by 'Password123';
      Query OK, 0 rows affected (0.00 sec)
       
      MariaDB [(none)]> show grants for 'testuser'@'localhost';
      +-----------------------------------------------------------------------------------------------------------------+
      | Grants for testuser@localhost                                                                                   |
      +-----------------------------------------------------------------------------------------------------------------+
      | GRANT SUPER ON *.* TO 'testuser'@'localhost' IDENTIFIED BY PASSWORD '*B867055C61BEA33BAB533EF0900D1B193FBE6844' |
      +-----------------------------------------------------------------------------------------------------------------+
      1 row in set (0.00 sec)
       
      MariaDB [(none)]> 
      

      Steps used to perform upgrade:

      service mysql stop
      rpm -qa |grep MariaDB |xargs rpm -e --nodeps
      sed -i 's/10.2/10.3/' /etc/yum.repos.d/mariadb.repo
      yum clean all
      yum check-update
      yum install MariaDB-server -y
      service mysql start

      After restarting but before mysql_upgrade, user still has the correct permissions:

      MariaDB [(none)]> select @@version;
      +-----------------+
      | @@version       |
      +-----------------+
      | 10.3.11-MariaDB |
      +-----------------+
      1 row in set (0.000 sec)
       
      MariaDB [(none)]> show grants for 'testuser'@'localhost';
      +-----------------------------------------------------------------------------------------------------------------+
      | Grants for testuser@localhost                                                                                   |
      +-----------------------------------------------------------------------------------------------------------------+
      | GRANT SUPER ON *.* TO 'testuser'@'localhost' IDENTIFIED BY PASSWORD '*B867055C61BEA33BAB533EF0900D1B193FBE6844' |
      +-----------------------------------------------------------------------------------------------------------------+
      1 row in set (0.005 sec)

      Following mysql_upgrade, the additional privilege appears:

      [root@dev ~]# mysql_upgrade
      Phase 1/7: Checking and upgrading mysql database
      Processing databases
      mysql
      mysql.column_stats                                 OK
      mysql.columns_priv                                 OK
      mysql.db                                           OK
      mysql.event                                        OK
      mysql.func                                         OK
      mysql.gtid_slave_pos                               OK
      mysql.help_category                                OK
      mysql.help_keyword                                 OK
      mysql.help_relation                                OK
      mysql.help_topic                                   OK
      mysql.host                                         OK
      mysql.index_stats                                  OK
      mysql.innodb_index_stats                           OK
      mysql.innodb_table_stats                           OK
      mysql.plugin                                       OK
      mysql.proc                                         OK
      mysql.procs_priv                                   OK
      mysql.proxies_priv                                 OK
      mysql.roles_mapping                                OK
      mysql.servers                                      OK
      mysql.table_stats                                  OK
      mysql.tables_priv                                  OK
      mysql.time_zone                                    OK
      mysql.time_zone_leap_second                        OK
      mysql.time_zone_name                               OK
      mysql.time_zone_transition                         OK
      mysql.time_zone_transition_type                    OK
      mysql.user                                         OK
      Phase 2/7: Installing used storage engines... Skipped
      Phase 3/7: Fixing views
      Phase 4/7: Running 'mysql_fix_privilege_tables'
      Phase 5/7: Fixing table and database names
      Phase 6/7: Checking and upgrading tables
      Processing databases
      information_schema
      performance_schema
      test
      Phase 7/7: Running 'FLUSH PRIVILEGES'
      OK
       
       
      MariaDB [(none)]> show grants for 'testuser'@'localhost';
      +-----------------------------------------------------------------------------------------------------------------------------------------+
      | Grants for testuser@localhost                                                                                                           |
      +-----------------------------------------------------------------------------------------------------------------------------------------+
      | GRANT SUPER, DELETE VERSIONING ROWS ON *.* TO 'testuser'@'localhost' IDENTIFIED BY PASSWORD '*B867055C61BEA33BAB533EF0900D1B193FBE6844' |
      +-----------------------------------------------------------------------------------------------------------------------------------------+
      1 row in set (0.000 sec)

        Attachments

          Activity

            People

            • Assignee:
              greenman Ian Gilfillan
              Reporter:
              Coker Todd Coker
            • Votes:
              0 Vote for this issue
              Watchers:
              6 Start watching this issue

              Dates

              • Created:
                Updated:
                Resolved: