Let's add a separate privilege BINLOG REPLAY to execute the BINLOG statement.
The original 10.5.2 idea (MDEV-21743) was to have REPLICATION SLAVE ADMIN control the BINLOG statement; however, it turned out not to be flexible enough.
After this change, any user that has the SUPER privilege or the BINLOG REPLAY privilege will be allowed to execute the BINLOG statement.
Also, let's bind the new 10.5.2 privileges to the following system variables:
As of version 10.5.1 it works as follows:
- SET for GLOBAL variables is checked against the SUPER privilege
- SET for SESSION variables is checked against the SUPER privilege
Note, server_id and gtid_domain_id will have different privileges for SET GLOBAL and SET SESSION. This is intentional:
- The global variables are needed to configure the master
- The session variables are needed to replay binary logs:
where mysqlbinlog produces statements like: