Uploaded image for project: 'MariaDB Server'
  1. MariaDB Server
  2. MDEV-22030

Don't grant REPLICATION MASTER ADMIN automatically on upgrade from an older JSON user table

    XMLWordPrintable

    Details

      Description

      The SHOW SLAVE HOSTS statement:

      • required REPLICATION SLAVE privilege prior to 10.5.2 (which was not good from the security point of view: a user with REPLICATION SLAVE should not be able to see other slaves connected to the same master - it should only be able to connect to the master using the replication IO to pull binlog events)
      • requires REPLICATION MASTER ADMIN privilege since 10.5.2

      The original patch for MDEV-21743 automatically granted REPLICATION MASTER ADMIN on upgrade to any user that had REPLICATION SLAVE before the upgrade. The idea was to automatically allow SHOW SLAVE HOSTS after upgrade to all users who were able to do so before the upgrade.

      However, later we also bound the following statements to REPLICATION MASTER ADMIN (under terms of MDEV-21967, MDEV-21972, MDEV-21973):

      • SET GLOBAL rpl_semi_sync_master_enabled
      • SET GLOBAL rpl_semi_sync_master_timeout
      • SET GLOBAL rpl_semi_sync_master_wait_no_slave
      • SET GLOBAL rpl_semi_sync_master_trace_level
      • SET GLOBAL rpl_semi_sync_master_wait_point
      • SET GLOBAL master_verify_checksum
      • SET GLOBAL gtid_binlog_state
      • SET GLOBAL server_id
      • SET GLOBAL gtid_domain_id

      It's not a good idea to give access to set these global variables on the master to any user who is only supposed to communicate with the master from slave (using the replication IO protocol).

      Let's revert this change: REPLICATION MASTER ADMIN should not be granted automatically when reading user data from a pre-10.5.2 JSON table. The DBA after the upgrade will have to do GRANT REPLICATION MASTER ADMIN to all users who need SHOW SLAVE HOSTS. This is an incompatible change and should be mentioned in the documentation explicitly.

      Note, we revert this automatic grant for upgrade from an older (pre-10.5.2) JSON user table only!

      There is no a way to GRANT REPLICATION MASTER ADMIN with the old-style (pre-10.4) user table. So let's keep this behavior and keep automatic grant of REPLICATION MASTER ADMIN for all users that had REPLICATION SLAVE in the pre-10.4 user table. This will allow to do SHOW SLAVE HOSTS with the old pre-10.4 user table. After upgrade from the pre-10.4 user table to JSON table, the DBA will have to revoke REPLICATION MASTER ADMIN from any users who do not really need it.

        Attachments

          Issue Links

            Activity

              People

              Assignee:
              bar Alexander Barkov
              Reporter:
              bar Alexander Barkov
              Votes:
              0 Vote for this issue
              Watchers:
              1 Start watching this issue

                Dates

                Created:
                Updated:
                Resolved: