Uploaded image for project: 'MariaDB Server'
  1. MariaDB Server
  2. MDEV-21975

Add BINLOG REPLAY privilege and bind new privileges to gtid_seq_no, preudo_thread_id, server_id, gtid_domain_id

Details

    Description

      Let's add a separate privilege BINLOG REPLAY to execute the BINLOG statement.

      The original 10.5.2 idea (MDEV-21743) was to have REPLICATION SLAVE ADMIN control the BINLOG statement, however it appeared to be not flexible enough.

      After this change, any user that has the SUPER privilege or the BINLOG REPLAY privilege will be allowed to execute the BINLOG STATEMENT.

      Also, let's bind new 10.5.2 privileges to the following system variables:

      Name               Scope            New GLOBAL privilege                New SESSION privilege
      		 
      ----               -------------    ---------------------------------   ---------------------
      		 
      gtid_seq_no        SESSION          N/A                                 SUPER or BINLOG REPLAY
      		 
      preudo_thread_id   SESSION          N/A                                 SUPER or BINLOG REPLAY
      		 
      server_id          GLOBAL,SESSION   SUPER or REPLICATION MASTER ADMIN   SUPER or BINLOG REPLAY
      		 
      gtid_domain_id     GLOBAL,SESSION   SUPER or REPLICATION MASTER ADMIN   SUPER or BINLOG REPLAY

      As of version 10.5.1 it works as follows:

      • SET for the GLOBAL variables checked for the SUPER privilege
      • SET for the SESSION variables checked for the SUPER privilege

      Note, server_id and gtid_domain_id will have different privileges for SET GLOBAL and SET SESSION. This is intentional:

      • The global variables are needed to configure the master
      • The session variables are needed to replay binary logs: 

        mysqlbinlog | mysql

        where mysqlbinlog produces statements like:

        /*!100001 SET @@session.gtid_domain_id=0*//*!*/;
        		 
        /*!100001 SET @@session.server_id=1*//*!*/;
        		 
        /*!100001 SET @@session.gtid_seq_no=1*//*!*/;
        		 
        BEGIN
        		 
        /*!*/;

      Attachments

        Issue Links

          causes

          Bug - A problem which impairs or prevents the functions of the product. MDEV-24344 BINLOG REPLAY privilege is missing from SHOW PRIVILEGES

          • Major - Major loss of function.
          • Closed
          relates to

          Task - A task that needs to be done. MDEV-21743 Split up SUPER privilege to smaller privileges

          • Critical - Crashes, loss of data, severe memory leak.
          • Closed

          Task - A task that needs to be done. MDEV-22026 Document 10.5 privilege changes

          • Major - Major loss of function.
          • Closed

          Activity

            Ascending order - Click to sort in descending order
            bar Alexander Barkov created issue -
            bar Alexander Barkov made changes -
            Field Original Value New Value
            bar Alexander Barkov made changes -
            Description Let's add a separate privilege {{BINLOG REPLAY}} to execute the {{BINLOG}} statement. The original 10.5.2 idea was to have {{REPLICATION SLAVE ADMIN}} control the {{BINLOG STATEMENT}}, however it appeared to be not flexible enough.

            After this change, any user that have the {{SUPER}} priviles or the {{BINLOG REPLAY}} privilege will be allowed to execute the {{BINLOG STATEMENT}}.


            Also, let's bind new 10.5.2 privileges to the following system variables:

            {noformat}
            Name Scope New GLOBAL privilege New SESSION privilege
            ---- ------------- --------------------------------- ---------------------
            gtid_seq_no SESSION N/A SUPER or BINLOG REPLAY
            preudo_thread_id SESSION N/A SUPER or BINLOG REPLAY
            server_id GLOBAL,SESSION SUPER or REPLICATION MASTER ADMIN SUPER or BINLOG REPLAY
            gtid_domain_id GLOBAL,SESSION SUPER or REPLICATION MASTER ADMIN SUPER or BINLOG REPLAY
            {noformat}

            As of version 10.5.1 it works as follows:
            - SET for the GLOBAL variables checked for the SUPER privilege
            - SET for the SESSION variables checked for the SUPER privilege

            Note, {{server_id}} and {{gtid_domain_id}} will have different privileges for global and session. This is on purpose:
            - The global variables are needed to configure the master
            - The session variables are needed to replay binary logs:
            {noformat}
            mysqlbinlog | mysql
            {noformat}
            where {{mysqlbinlog}} produces statements like:
            {noformat}
            /*!100001 SET @@session.gtid_domain_id=0*//*!*/;
            /*!100001 SET @@session.server_id=1*//*!*/;
            /*!100001 SET @@session.gtid_seq_no=1*//*!*/;
            BEGIN
            /*!*/;
            {noformat}

            		Let's add a separate privilege {{BINLOG REPLAY}} to execute the {{BINLOG}} statement. The original 10.5.2 idea was to have {{REPLICATION SLAVE ADMIN}} control the {{BINLOG}} statement, however it appeared to be not flexible enough.

            After this change, any user that have the {{SUPER}} priviles or the {{BINLOG REPLAY}} privilege will be allowed to execute the {{BINLOG STATEMENT}}.


            Also, let's bind new 10.5.2 privileges to the following system variables:

            {noformat}
            Name Scope New GLOBAL privilege New SESSION privilege
            ---- ------------- --------------------------------- ---------------------
            gtid_seq_no SESSION N/A SUPER or BINLOG REPLAY
            preudo_thread_id SESSION N/A SUPER or BINLOG REPLAY
            server_id GLOBAL,SESSION SUPER or REPLICATION MASTER ADMIN SUPER or BINLOG REPLAY
            gtid_domain_id GLOBAL,SESSION SUPER or REPLICATION MASTER ADMIN SUPER or BINLOG REPLAY
            {noformat}

            As of version 10.5.1 it works as follows:
            - SET for the GLOBAL variables checked for the SUPER privilege
            - SET for the SESSION variables checked for the SUPER privilege

            Note, {{server_id}} and {{gtid_domain_id}} will have different privileges for global and session. This is on purpose:
            - The global variables are needed to configure the master
            - The session variables are needed to replay binary logs:
            {noformat}
            mysqlbinlog | mysql
            {noformat}
            where {{mysqlbinlog}} produces statements like:
            {noformat}
            /*!100001 SET @@session.gtid_domain_id=0*//*!*/;
            /*!100001 SET @@session.server_id=1*//*!*/;
            /*!100001 SET @@session.gtid_seq_no=1*//*!*/;
            BEGIN
            /*!*/;
            {noformat}

            bar Alexander Barkov made changes -
            Description Let's add a separate privilege {{BINLOG REPLAY}} to execute the {{BINLOG}} statement. The original 10.5.2 idea was to have {{REPLICATION SLAVE ADMIN}} control the {{BINLOG}} statement, however it appeared to be not flexible enough.

            After this change, any user that have the {{SUPER}} priviles or the {{BINLOG REPLAY}} privilege will be allowed to execute the {{BINLOG STATEMENT}}.


            Also, let's bind new 10.5.2 privileges to the following system variables:

            {noformat}
            Name Scope New GLOBAL privilege New SESSION privilege
            ---- ------------- --------------------------------- ---------------------
            gtid_seq_no SESSION N/A SUPER or BINLOG REPLAY
            preudo_thread_id SESSION N/A SUPER or BINLOG REPLAY
            server_id GLOBAL,SESSION SUPER or REPLICATION MASTER ADMIN SUPER or BINLOG REPLAY
            gtid_domain_id GLOBAL,SESSION SUPER or REPLICATION MASTER ADMIN SUPER or BINLOG REPLAY
            {noformat}

            As of version 10.5.1 it works as follows:
            - SET for the GLOBAL variables checked for the SUPER privilege
            - SET for the SESSION variables checked for the SUPER privilege

            Note, {{server_id}} and {{gtid_domain_id}} will have different privileges for global and session. This is on purpose:
            - The global variables are needed to configure the master
            - The session variables are needed to replay binary logs:
            {noformat}
            mysqlbinlog | mysql
            {noformat}
            where {{mysqlbinlog}} produces statements like:
            {noformat}
            /*!100001 SET @@session.gtid_domain_id=0*//*!*/;
            /*!100001 SET @@session.server_id=1*//*!*/;
            /*!100001 SET @@session.gtid_seq_no=1*//*!*/;
            BEGIN
            /*!*/;
            {noformat}

            		Let's add a separate privilege {{BINLOG REPLAY}} to execute the {{BINLOG}} statement.

            The original 10.5.2 idea (MDEV-21743) was to have {{REPLICATION SLAVE ADMIN}} control the {{BINLOG}} statement, however it appeared to be not flexible enough.

            After this change, any user that have the {{SUPER}} priviles or the {{BINLOG REPLAY}} privilege will be allowed to execute the {{BINLOG STATEMENT}}.


            Also, let's bind new 10.5.2 privileges to the following system variables:

            {noformat}
            Name Scope New GLOBAL privilege New SESSION privilege
            ---- ------------- --------------------------------- ---------------------
            gtid_seq_no SESSION N/A SUPER or BINLOG REPLAY
            preudo_thread_id SESSION N/A SUPER or BINLOG REPLAY
            server_id GLOBAL,SESSION SUPER or REPLICATION MASTER ADMIN SUPER or BINLOG REPLAY
            gtid_domain_id GLOBAL,SESSION SUPER or REPLICATION MASTER ADMIN SUPER or BINLOG REPLAY
            {noformat}

            As of version 10.5.1 it works as follows:
            - SET for the GLOBAL variables checked for the SUPER privilege
            - SET for the SESSION variables checked for the SUPER privilege

            Note, {{server_id}} and {{gtid_domain_id}} will have different privileges for global and session. This is on purpose:
            - The global variables are needed to configure the master
            - The session variables are needed to replay binary logs:
            {noformat}
            mysqlbinlog | mysql
            {noformat}
            where {{mysqlbinlog}} produces statements like:
            {noformat}
            /*!100001 SET @@session.gtid_domain_id=0*//*!*/;
            /*!100001 SET @@session.server_id=1*//*!*/;
            /*!100001 SET @@session.gtid_seq_no=1*//*!*/;
            BEGIN
            /*!*/;
            {noformat}

            bar Alexander Barkov made changes -
            Description Let's add a separate privilege {{BINLOG REPLAY}} to execute the {{BINLOG}} statement.

            The original 10.5.2 idea (MDEV-21743) was to have {{REPLICATION SLAVE ADMIN}} control the {{BINLOG}} statement, however it appeared to be not flexible enough.

            After this change, any user that have the {{SUPER}} priviles or the {{BINLOG REPLAY}} privilege will be allowed to execute the {{BINLOG STATEMENT}}.


            Also, let's bind new 10.5.2 privileges to the following system variables:

            {noformat}
            Name Scope New GLOBAL privilege New SESSION privilege
            ---- ------------- --------------------------------- ---------------------
            gtid_seq_no SESSION N/A SUPER or BINLOG REPLAY
            preudo_thread_id SESSION N/A SUPER or BINLOG REPLAY
            server_id GLOBAL,SESSION SUPER or REPLICATION MASTER ADMIN SUPER or BINLOG REPLAY
            gtid_domain_id GLOBAL,SESSION SUPER or REPLICATION MASTER ADMIN SUPER or BINLOG REPLAY
            {noformat}

            As of version 10.5.1 it works as follows:
            - SET for the GLOBAL variables checked for the SUPER privilege
            - SET for the SESSION variables checked for the SUPER privilege

            Note, {{server_id}} and {{gtid_domain_id}} will have different privileges for global and session. This is on purpose:
            - The global variables are needed to configure the master
            - The session variables are needed to replay binary logs:
            {noformat}
            mysqlbinlog | mysql
            {noformat}
            where {{mysqlbinlog}} produces statements like:
            {noformat}
            /*!100001 SET @@session.gtid_domain_id=0*//*!*/;
            /*!100001 SET @@session.server_id=1*//*!*/;
            /*!100001 SET @@session.gtid_seq_no=1*//*!*/;
            BEGIN
            /*!*/;
            {noformat}

            		Let's add a separate privilege {{BINLOG REPLAY}} to execute the {{BINLOG}} statement.

            The original 10.5.2 idea (MDEV-21743) was to have {{REPLICATION SLAVE ADMIN}} control the {{BINLOG}} statement, however it appeared to be not flexible enough.

            After this change, any user that have the {{SUPER}} privilege or the {{BINLOG REPLAY}} privilege will be allowed to execute the {{BINLOG STATEMENT}}.


            Also, let's bind new 10.5.2 privileges to the following system variables:

            {noformat}
            Name Scope New GLOBAL privilege New SESSION privilege
            ---- ------------- --------------------------------- ---------------------
            gtid_seq_no SESSION N/A SUPER or BINLOG REPLAY
            preudo_thread_id SESSION N/A SUPER or BINLOG REPLAY
            server_id GLOBAL,SESSION SUPER or REPLICATION MASTER ADMIN SUPER or BINLOG REPLAY
            gtid_domain_id GLOBAL,SESSION SUPER or REPLICATION MASTER ADMIN SUPER or BINLOG REPLAY
            {noformat}

            As of version 10.5.1 it works as follows:
            - SET for the GLOBAL variables checked for the SUPER privilege
            - SET for the SESSION variables checked for the SUPER privilege

            Note, {{server_id}} and {{gtid_domain_id}} will have different privileges for global and session. This is on purpose:
            - The global variables are needed to configure the master
            - The session variables are needed to replay binary logs:
            {noformat}
            mysqlbinlog | mysql
            {noformat}
            where {{mysqlbinlog}} produces statements like:
            {noformat}
            /*!100001 SET @@session.gtid_domain_id=0*//*!*/;
            /*!100001 SET @@session.server_id=1*//*!*/;
            /*!100001 SET @@session.gtid_seq_no=1*//*!*/;
            BEGIN
            /*!*/;
            {noformat}

            bar Alexander Barkov made changes -
            Description Let's add a separate privilege {{BINLOG REPLAY}} to execute the {{BINLOG}} statement.

            The original 10.5.2 idea (MDEV-21743) was to have {{REPLICATION SLAVE ADMIN}} control the {{BINLOG}} statement, however it appeared to be not flexible enough.

            After this change, any user that have the {{SUPER}} privilege or the {{BINLOG REPLAY}} privilege will be allowed to execute the {{BINLOG STATEMENT}}.


            Also, let's bind new 10.5.2 privileges to the following system variables:

            {noformat}
            Name Scope New GLOBAL privilege New SESSION privilege
            ---- ------------- --------------------------------- ---------------------
            gtid_seq_no SESSION N/A SUPER or BINLOG REPLAY
            preudo_thread_id SESSION N/A SUPER or BINLOG REPLAY
            server_id GLOBAL,SESSION SUPER or REPLICATION MASTER ADMIN SUPER or BINLOG REPLAY
            gtid_domain_id GLOBAL,SESSION SUPER or REPLICATION MASTER ADMIN SUPER or BINLOG REPLAY
            {noformat}

            As of version 10.5.1 it works as follows:
            - SET for the GLOBAL variables checked for the SUPER privilege
            - SET for the SESSION variables checked for the SUPER privilege

            Note, {{server_id}} and {{gtid_domain_id}} will have different privileges for global and session. This is on purpose:
            - The global variables are needed to configure the master
            - The session variables are needed to replay binary logs:
            {noformat}
            mysqlbinlog | mysql
            {noformat}
            where {{mysqlbinlog}} produces statements like:
            {noformat}
            /*!100001 SET @@session.gtid_domain_id=0*//*!*/;
            /*!100001 SET @@session.server_id=1*//*!*/;
            /*!100001 SET @@session.gtid_seq_no=1*//*!*/;
            BEGIN
            /*!*/;
            {noformat}

            		Let's add a separate privilege {{BINLOG REPLAY}} to execute the {{BINLOG}} statement.

            The original 10.5.2 idea (MDEV-21743) was to have {{REPLICATION SLAVE ADMIN}} control the {{BINLOG}} statement, however it appeared to be not flexible enough.

            After this change, any user that has the {{SUPER}} privilege or the {{BINLOG REPLAY}} privilege will be allowed to execute the {{BINLOG STATEMENT}}.


            Also, let's bind new 10.5.2 privileges to the following system variables:

            {noformat}
            Name Scope New GLOBAL privilege New SESSION privilege
            ---- ------------- --------------------------------- ---------------------
            gtid_seq_no SESSION N/A SUPER or BINLOG REPLAY
            preudo_thread_id SESSION N/A SUPER or BINLOG REPLAY
            server_id GLOBAL,SESSION SUPER or REPLICATION MASTER ADMIN SUPER or BINLOG REPLAY
            gtid_domain_id GLOBAL,SESSION SUPER or REPLICATION MASTER ADMIN SUPER or BINLOG REPLAY
            {noformat}

            As of version 10.5.1 it works as follows:
            - SET for the GLOBAL variables checked for the SUPER privilege
            - SET for the SESSION variables checked for the SUPER privilege

            Note, {{server_id}} and {{gtid_domain_id}} will have different privileges for global and session. This is on purpose:
            - The global variables are needed to configure the master
            - The session variables are needed to replay binary logs:
            {noformat}
            mysqlbinlog | mysql
            {noformat}
            where {{mysqlbinlog}} produces statements like:
            {noformat}
            /*!100001 SET @@session.gtid_domain_id=0*//*!*/;
            /*!100001 SET @@session.server_id=1*//*!*/;
            /*!100001 SET @@session.gtid_seq_no=1*//*!*/;
            BEGIN
            /*!*/;
            {noformat}

            bar Alexander Barkov made changes -
            Description Let's add a separate privilege {{BINLOG REPLAY}} to execute the {{BINLOG}} statement.

            The original 10.5.2 idea (MDEV-21743) was to have {{REPLICATION SLAVE ADMIN}} control the {{BINLOG}} statement, however it appeared to be not flexible enough.

            After this change, any user that has the {{SUPER}} privilege or the {{BINLOG REPLAY}} privilege will be allowed to execute the {{BINLOG STATEMENT}}.


            Also, let's bind new 10.5.2 privileges to the following system variables:

            {noformat}
            Name Scope New GLOBAL privilege New SESSION privilege
            ---- ------------- --------------------------------- ---------------------
            gtid_seq_no SESSION N/A SUPER or BINLOG REPLAY
            preudo_thread_id SESSION N/A SUPER or BINLOG REPLAY
            server_id GLOBAL,SESSION SUPER or REPLICATION MASTER ADMIN SUPER or BINLOG REPLAY
            gtid_domain_id GLOBAL,SESSION SUPER or REPLICATION MASTER ADMIN SUPER or BINLOG REPLAY
            {noformat}

            As of version 10.5.1 it works as follows:
            - SET for the GLOBAL variables checked for the SUPER privilege
            - SET for the SESSION variables checked for the SUPER privilege

            Note, {{server_id}} and {{gtid_domain_id}} will have different privileges for global and session. This is on purpose:
            - The global variables are needed to configure the master
            - The session variables are needed to replay binary logs:
            {noformat}
            mysqlbinlog | mysql
            {noformat}
            where {{mysqlbinlog}} produces statements like:
            {noformat}
            /*!100001 SET @@session.gtid_domain_id=0*//*!*/;
            /*!100001 SET @@session.server_id=1*//*!*/;
            /*!100001 SET @@session.gtid_seq_no=1*//*!*/;
            BEGIN
            /*!*/;
            {noformat}

            		Let's add a separate privilege {{BINLOG REPLAY}} to execute the {{BINLOG}} statement.

            The original 10.5.2 idea (MDEV-21743) was to have {{REPLICATION SLAVE ADMIN}} control the {{BINLOG}} statement, however it appeared to be not flexible enough.

            After this change, any user that has the {{SUPER}} privilege or the {{BINLOG REPLAY}} privilege will be allowed to execute the {{BINLOG STATEMENT}}.


            Also, let's bind new 10.5.2 privileges to the following system variables:

            {noformat}
            Name Scope New GLOBAL privilege New SESSION privilege
            ---- ------------- --------------------------------- ---------------------
            gtid_seq_no SESSION N/A SUPER or BINLOG REPLAY
            preudo_thread_id SESSION N/A SUPER or BINLOG REPLAY
            server_id GLOBAL,SESSION SUPER or REPLICATION MASTER ADMIN SUPER or BINLOG REPLAY
            gtid_domain_id GLOBAL,SESSION SUPER or REPLICATION MASTER ADMIN SUPER or BINLOG REPLAY
            {noformat}

            As of version 10.5.1 it works as follows:
            - SET for the GLOBAL variables checked for the SUPER privilege
            - SET for the SESSION variables checked for the SUPER privilege

            Note, {{server_id}} and {{gtid_domain_id}} will have different privileges for {{SET GLOBAL}} and {{SET SESSION}. This is on purpose:
            - The global variables are needed to configure the master
            - The session variables are needed to replay binary logs:
            {noformat}
            mysqlbinlog | mysql
            {noformat}
            where {{mysqlbinlog}} produces statements like:
            {noformat}
            /*!100001 SET @@session.gtid_domain_id=0*//*!*/;
            /*!100001 SET @@session.server_id=1*//*!*/;
            /*!100001 SET @@session.gtid_seq_no=1*//*!*/;
            BEGIN
            /*!*/;
            {noformat}

            bar Alexander Barkov made changes -
            Description Let's add a separate privilege {{BINLOG REPLAY}} to execute the {{BINLOG}} statement.

            The original 10.5.2 idea (MDEV-21743) was to have {{REPLICATION SLAVE ADMIN}} control the {{BINLOG}} statement, however it appeared to be not flexible enough.

            After this change, any user that has the {{SUPER}} privilege or the {{BINLOG REPLAY}} privilege will be allowed to execute the {{BINLOG STATEMENT}}.


            Also, let's bind new 10.5.2 privileges to the following system variables:

            {noformat}
            Name Scope New GLOBAL privilege New SESSION privilege
            ---- ------------- --------------------------------- ---------------------
            gtid_seq_no SESSION N/A SUPER or BINLOG REPLAY
            preudo_thread_id SESSION N/A SUPER or BINLOG REPLAY
            server_id GLOBAL,SESSION SUPER or REPLICATION MASTER ADMIN SUPER or BINLOG REPLAY
            gtid_domain_id GLOBAL,SESSION SUPER or REPLICATION MASTER ADMIN SUPER or BINLOG REPLAY
            {noformat}

            As of version 10.5.1 it works as follows:
            - SET for the GLOBAL variables checked for the SUPER privilege
            - SET for the SESSION variables checked for the SUPER privilege

            Note, {{server_id}} and {{gtid_domain_id}} will have different privileges for {{SET GLOBAL}} and {{SET SESSION}. This is on purpose:
            - The global variables are needed to configure the master
            - The session variables are needed to replay binary logs:
            {noformat}
            mysqlbinlog | mysql
            {noformat}
            where {{mysqlbinlog}} produces statements like:
            {noformat}
            /*!100001 SET @@session.gtid_domain_id=0*//*!*/;
            /*!100001 SET @@session.server_id=1*//*!*/;
            /*!100001 SET @@session.gtid_seq_no=1*//*!*/;
            BEGIN
            /*!*/;
            {noformat}

            		Let's add a separate privilege {{BINLOG REPLAY}} to execute the {{BINLOG}} statement.

            The original 10.5.2 idea (MDEV-21743) was to have {{REPLICATION SLAVE ADMIN}} control the {{BINLOG}} statement, however it appeared to be not flexible enough.

            After this change, any user that has the {{SUPER}} privilege or the {{BINLOG REPLAY}} privilege will be allowed to execute the {{BINLOG STATEMENT}}.


            Also, let's bind new 10.5.2 privileges to the following system variables:

            {noformat}
            Name Scope New GLOBAL privilege New SESSION privilege
            ---- ------------- --------------------------------- ---------------------
            gtid_seq_no SESSION N/A SUPER or BINLOG REPLAY
            preudo_thread_id SESSION N/A SUPER or BINLOG REPLAY
            server_id GLOBAL,SESSION SUPER or REPLICATION MASTER ADMIN SUPER or BINLOG REPLAY
            gtid_domain_id GLOBAL,SESSION SUPER or REPLICATION MASTER ADMIN SUPER or BINLOG REPLAY
            {noformat}

            As of version 10.5.1 it works as follows:
            - SET for the GLOBAL variables checked for the SUPER privilege
            - SET for the SESSION variables checked for the SUPER privilege

            Note, {{server_id}} and {{gtid_domain_id}} will have different privileges for {{SET GLOBAL}} and {{SET SESSION}}. This is on purpose:
            - The global variables are needed to configure the master
            - The session variables are needed to replay binary logs:
            {noformat}
            mysqlbinlog | mysql
            {noformat}
            where {{mysqlbinlog}} produces statements like:
            {noformat}
            /*!100001 SET @@session.gtid_domain_id=0*//*!*/;
            /*!100001 SET @@session.server_id=1*//*!*/;
            /*!100001 SET @@session.gtid_seq_no=1*//*!*/;
            BEGIN
            /*!*/;
            {noformat}

            bar Alexander Barkov made changes -
            Description Let's add a separate privilege {{BINLOG REPLAY}} to execute the {{BINLOG}} statement.

            The original 10.5.2 idea (MDEV-21743) was to have {{REPLICATION SLAVE ADMIN}} control the {{BINLOG}} statement, however it appeared to be not flexible enough.

            After this change, any user that has the {{SUPER}} privilege or the {{BINLOG REPLAY}} privilege will be allowed to execute the {{BINLOG STATEMENT}}.


            Also, let's bind new 10.5.2 privileges to the following system variables:

            {noformat}
            Name Scope New GLOBAL privilege New SESSION privilege
            ---- ------------- --------------------------------- ---------------------
            gtid_seq_no SESSION N/A SUPER or BINLOG REPLAY
            preudo_thread_id SESSION N/A SUPER or BINLOG REPLAY
            server_id GLOBAL,SESSION SUPER or REPLICATION MASTER ADMIN SUPER or BINLOG REPLAY
            gtid_domain_id GLOBAL,SESSION SUPER or REPLICATION MASTER ADMIN SUPER or BINLOG REPLAY
            {noformat}

            As of version 10.5.1 it works as follows:
            - SET for the GLOBAL variables checked for the SUPER privilege
            - SET for the SESSION variables checked for the SUPER privilege

            Note, {{server_id}} and {{gtid_domain_id}} will have different privileges for {{SET GLOBAL}} and {{SET SESSION}}. This is on purpose:
            - The global variables are needed to configure the master
            - The session variables are needed to replay binary logs:
            {noformat}
            mysqlbinlog | mysql
            {noformat}
            where {{mysqlbinlog}} produces statements like:
            {noformat}
            /*!100001 SET @@session.gtid_domain_id=0*//*!*/;
            /*!100001 SET @@session.server_id=1*//*!*/;
            /*!100001 SET @@session.gtid_seq_no=1*//*!*/;
            BEGIN
            /*!*/;
            {noformat}

            		Let's add a separate privilege {{BINLOG REPLAY}} to execute the {{BINLOG}} statement.

            The original 10.5.2 idea (MDEV-21743) was to have {{REPLICATION SLAVE ADMIN}} control the {{BINLOG}} statement, however it appeared to be not flexible enough.

            After this change, any user that has the {{SUPER}} privilege or the {{BINLOG REPLAY}} privilege will be allowed to execute the {{BINLOG STATEMENT}}.


            Also, let's bind new 10.5.2 privileges to the following system variables:

            {noformat}
            Name Scope New GLOBAL privilege New SESSION privilege
            ---- ------------- --------------------------------- ---------------------
            gtid_seq_no SESSION N/A SUPER or BINLOG REPLAY
            preudo_thread_id SESSION N/A SUPER or BINLOG REPLAY
            server_id GLOBAL,SESSION SUPER or REPLICATION MASTER ADMIN SUPER or BINLOG REPLAY
            gtid_domain_id GLOBAL,SESSION SUPER or REPLICATION MASTER ADMIN SUPER or BINLOG REPLAY
            {noformat}

            As of version 10.5.1 it works as follows:
            - SET for the GLOBAL variables checked for the SUPER privilege
            - SET for the SESSION variables checked for the SUPER privilege

            Note, {{server_id}} and {{gtid_domain_id}} will have different privileges for {{SET GLOBAL}} and {{SET SESSION}}. This is intentional:
            - The global variables are needed to configure the master
            - The session variables are needed to replay binary logs:
            {noformat}
            mysqlbinlog | mysql
            {noformat}
            where {{mysqlbinlog}} produces statements like:
            {noformat}
            /*!100001 SET @@session.gtid_domain_id=0*//*!*/;
            /*!100001 SET @@session.server_id=1*//*!*/;
            /*!100001 SET @@session.gtid_seq_no=1*//*!*/;
            BEGIN
            /*!*/;
            {noformat}

            bar Alexander Barkov made changes -
            issue.field.resolutiondate 2020-03-18 16:40:08.0 2020-03-18 16:40:08.271
            bar Alexander Barkov made changes -
            Component/s Replication [ 10100 ]
            Component/s Variables [ 13903 ]
            Fix Version/s 10.5.2 [ 24030 ]
            Fix Version/s 10.5 [ 23123 ]
            Resolution Fixed [ 1 ]
            Status Open [ 1 ] Closed [ 6 ]
            bar Alexander Barkov made changes -
            GeoffMontee Geoff Montee (Inactive) made changes -
            serg Sergei Golubchik made changes -
            Workflow MariaDB v3 [ 105752 ] MariaDB v4 [ 134217 ]

            People

              bar Alexander Barkov
              bar Alexander Barkov
              Votes:
              0 Vote for this issue
              Watchers:
              1 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved:

                Git Integration

                  Error rendering 'com.xiplink.jira.git.jira_git_plugin:git-issue-webpanel'. Please contact your Jira administrators.