Thanks for looking/testing.

https://github.com/MariaDB/server/blob/10.3/man/mysqldump.1#L2289 "Mappings of implementation specific grants/plugins isn't always one-to-one however"

I haven't tried to map the grants across as there isn't a specific mapping. Any recommendations?

The first step should be to make the full list of MySQL and MariaDB grants. Then we need to decide which ones are redundant and which need to be covered by a more general level privilege. This guarantees we understand the problem completely. Perhaps for some privileges, it makes sense to implement our own version of it. danblack, can you do this?

For example: CREATE ROLE privilege could be replaced by CREATE USER, but is there a use case when one needs to be able to create roles only? MySQL believes so. Should we follow suit?

There is however a problem with the whole logical dump of USERS from MySQL. Whenever MySQL chooses to support an extra privilege, we need to do the same. This will probably become unmaintainable in the long run and we'll probably have to stop doing it at some point. On the other hand, if we want to support migrating from MySQL to MariaDB and make it as painless as possible, we need to have this.

Thoughts serg, monty?

I'd suggest "Won't fix".

serg If we don't support this properly, I see little value in claiming:

Experimentally this option is designed to be able to dump system information from MySQL-5.7 and 8.0 servers. SQL generated is also
experimentally compatible with MySQL-5.7/8.0. Mappings of implementation specific grants/plugins isn't always one-to-one however.

This just opens up a can of worms on expectations set. On one hand we are designing a feature for MySQL dumps but we don't cover problematic cases. This way we guarantee the feature always remains "experimental". Either we claim it only works for MariaDB, or we adjust the logic (either in mariadb-dump or in the server) to get this in a usable state.

The simplest idea is to force mariadb-dump to "comment out" unknown privileges. That's the easy way out.

On second thought, there isn't a simple way to make this future proof . I vote for updating the wording to:

To help in migrating from MySQL to MariaDB, this option is designed to be able to dump system information from MySQL-5.7 and 8.0 servers. SQL generated is also

experimentally compatible with MySQL-5.7/8.0. Mappings of implementation specific grants/plugins isn't always one-to-one however between MariaDB and MySQL and will require manual changes.

Documenting per last comment in the man as suggested sounds pretty good. A kb page on comparison of grants might also have value if it's not there already and would help evaluating if particular grants are useful.

An alternative to keeping track of MySQL grants added is to whitelist the ones MariaDB supports (and in which version) and version comment the others to the source mysql version. Its still a bit of can of worms but hopefully less so.

I'm less inclined to implement grant classes because its there in MySQL. We could consider them one by one however.

Adding a kb/blog on using the feature as an example is something I could do.

cvicentiu I've committed the wording change on the man page. Do any other described remedies contain value?

cvicentiuserg implementation POC bb-10.2-danielblack-MDEV-24557-mysqldump-understand-all-grants . Doesn't cover CREATE ROLE -> CREATE USER however appropriately uses executable comments on each grant.

This feature definitely wasn't designed to dump MySQL 8.0 tables in a way that can be loaded into MariaDB.
Perhaps it was supposed to do it, but then the design should've better been to read from I_S tables and create GRANT statements in the client. And implement some mapping for privileges that don't exist in MariaDB.

So, my suggestion is either keep the design and clarify the use case. Or keep the use case and redesign. Because currently they don't seem to match.