Details
- Task
- Status: Closed
- Major
- Resolution: Fixed
- None
Description
Let's add a separate privilege, BINLOG REPLAY, to execute the BINLOG statement.
The original 10.5.2 idea (MDEV-21743) was to have REPLICATION SLAVE ADMIN control the BINLOG statement; however, it turned out not to be flexible enough.
After this change, any user that has the SUPER privilege or the BINLOG REPLAY privilege will be allowed to execute the BINLOG statement.
Also, let's bind the new 10.5.2 privileges to the following system variables:
| Name | Scope | New GLOBAL privilege | New SESSION privilege |
|------|-------|----------------------|-----------------------|
| gtid_seq_no | SESSION | N/A | SUPER or BINLOG REPLAY |
| pseudo_thread_id | SESSION | N/A | SUPER or BINLOG REPLAY |
| server_id | GLOBAL,SESSION | SUPER or REPLICATION MASTER ADMIN | SUPER or BINLOG REPLAY |
| gtid_domain_id | GLOBAL,SESSION | SUPER or REPLICATION MASTER ADMIN | SUPER or BINLOG REPLAY |
As of version 10.5.1, it works as follows:
- SET for the GLOBAL variables is checked for the SUPER privilege
- SET for the SESSION variables is checked for the SUPER privilege
Note: server_id and gtid_domain_id will have different privileges for SET GLOBAL and SET SESSION. This is intentional:
- The global variables are needed to configure the master
- The session variables are needed to replay binary logs:
      mysqlbinlog | mysql
  where mysqlbinlog produces statements like:
      /*!100001 SET @@session.gtid_domain_id=0*//*!*/;
      /*!100001 SET @@session.server_id=1*//*!*/;
      /*!100001 SET @@session.gtid_seq_no=1*//*!*/;
      BEGIN
      /*!*/;
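
A least-privilege replay account under the scheme described above, shown as an added example (it is not taken from the MariaDB task or source). The account name, host and password are placeholders, and a server that already has the BINLOG REPLAY privilege is assumed.

```sql
-- Added example. 'binlog_replay'@'localhost' and the password are placeholders.

-- Before this change, the account feeding "mysqlbinlog | mysql" needed SUPER,
-- which also carries every other capability SUPER grants:
--   GRANT SUPER ON *.* TO 'binlog_replay'@'localhost';

-- After this change, a dedicated account can hold only BINLOG REPLAY.
CREATE USER 'binlog_replay'@'localhost' IDENTIFIED BY 'change-me';
GRANT BINLOG REPLAY ON *.* TO 'binlog_replay'@'localhost';

-- Statements that mysqlbinlog emits as plain SQL run under this account,
-- so grant the object privileges they need separately.

-- Confirm the account holds BINLOG REPLAY and not SUPER.
-- Use SHOW GRANTS for this check: MDEV-24344 (linked from this task) reports
-- BINLOG REPLAY missing from SHOW PRIVILEGES.
SHOW GRANTS FOR 'binlog_replay'@'localhost';

-- Run the rest while connected as binlog_replay.

-- SESSION scope: bound to SUPER or BINLOG REPLAY in the table above.
-- These are the variables mysqlbinlog sets before replayed events.
SET @@session.gtid_domain_id = 0;
SET @@session.server_id = 1;
SET @@session.gtid_seq_no = 1;
SET @@session.pseudo_thread_id = 1;

-- GLOBAL scope: bound to SUPER or REPLICATION MASTER ADMIN in the table above.
-- The replay account holds neither, so these two should be refused,
-- which keeps the replay account from reconfiguring the master.
SET @@global.server_id = 1;
SET @@global.gtid_domain_id = 0;
```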
Issue Links
- causes
  - MDEV-24344 BINLOG REPLAY privilege is missing from SHOW PRIVILEGES (Closed)
- relates to
  - MDEV-21743 Split up SUPER privilege to smaller privileges (Closed)
  - MDEV-22026 Document 10.5 privilege changes (Closed)