Uploaded image for project: 'MariaDB Server'
  1. MariaDB Server
  2. MDEV-23899

admin privilege required to monitoring replication status - 10.5.5

    XMLWordPrintable

    Details

      Description

      It seems we need REPLICATION ADMIN privilege in order to monitor replication status using "SHOW SLAVE STATUS" command. Monitoring replication is different activity and configuring and maintaining replication is different activity.

      The replication admin privilege provides full access to users on replication tasks like start/stop/change master, etc.

      https://mariadb.com/kb/en/grant/#replication-slave-admin

      We have "replication client" privilege available for this purpose but replication client renamed to "binlog monitor" in 10.5.2 version. When we grant "replication client" privilege it internally grants "binlog monitor" privilege only.

      As per documentation, "binlog monitor" should provide access to check slave status but we are unable to execute slave status even with this privilege.

      "New name for REPLICATION CLIENT from MariaDB 10.5.2, (REPLICATION CLIENT still supported as an alias for compatibility purposes). Permits running SHOW commands related to the binary log, in particular the SHOW BINLOG STATUS, SHOW REPLICA STATUS and SHOW BINARY LOGS statements."

      https://mariadb.com/kb/en/grant/#binlog-monitor

      MariaDB [(none)]> select version();
      +--------------------+
      | version()          |
      +--------------------+
      | 10.5.5-MariaDB-log |
      +--------------------+
      1 row in set (0.00 sec)
       
      MariaDB [(none)]> show grants;
      +-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
      | Grants for testscript@%                                                                                                                                                                                                                                                                                                                                                                             |
      +-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
      | GRANT SELECT, INSERT, UPDATE, DELETE, CREATE, DROP, RELOAD, PROCESS, REFERENCES, INDEX, ALTER, SHOW DATABASES, CREATE TEMPORARY TABLES, LOCK TABLES, EXECUTE, REPLICATION SLAVE, BINLOG MONITOR, CREATE VIEW, SHOW VIEW, CREATE ROUTINE, ALTER ROUTINE, CREATE USER, EVENT, TRIGGER ON *.* TO `testscript`@`%` IDENTIFIED BY PASSWORD '************' WITH GRANT OPTION |
      +-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
      1 row in set (0.00 sec)
       
      MariaDB [(none)]> show replica status;
      ERROR 1227 (42000): Access denied; you need (at least one of) the SUPER, REPLICATION SLAVE ADMIN privilege(s) for this operation
      MariaDB [(none)]> show slave status;
      ERROR 1227 (42000): Access denied; you need (at least one of) the SUPER, REPLICATION SLAVE ADMIN privilege(s) for this operation
      MariaDB [(none)]>
      
      

        Attachments

          Issue Links

            Activity

              People

              Assignee:
              Unassigned
              Reporter:
              vidyadhar.chelluru vidyadhar
              Votes:
              0 Vote for this issue
              Watchers:
              3 Start watching this issue

                Dates

                Created:
                Updated:
                Resolved: