Details
- Bug
- Status: Confirmed
- Major
- Resolution: Unresolved
- 10.5
- None
- Redhat Enterprise Linux 7.9 x86_64 on VMware
Description
Found Galera does not replace grant EXECUTE, ALTER ROUTINE from automatic_sp_privileges. automatic_sp_privileges is ON by default.
step 1: build a galera DB cluster with automatic_sp_privileges default value ON
step 2: create database testdb1
step 3: create user app_owner
step 4: grant schema level privileges
GRANT SELECT, INSERT, UPDATE, DELETE, CREATE, DROP, INDEX, ALTER, CREATE TEMPORARY TABLES, CREATE VIEW, SHOW VIEW, CREATE ROUTINE, ALTER ROUTINE, TRIGGER ON `testdb1`.* TO `app_owner`@`%` WITH GRANT OPTION ;
step 5: create procedure by user app_owner
delimiter //
create or replace procedure testdb1.p_test()
begin
select now() ;
end //
delimiter ;
step 6: show grant in galera node 1 has routine level privileges from automatic_sp_privileges
GRANT EXECUTE, ALTER ROUTINE ON PROCEDURE `testdb1`.`p_test` TO `app_owner`@`%`
step 7: show grant in galera node 2 has no such object privilege
workaround: grant db level EXECUTE privilege, but this may not apply to all situations
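
A check for the drift described in steps 6 and 7, as an added example that is not part of the original report: it parses SHOW GRANTS output collected from each node and lists the routine-level privileges a node lacks. The function names and the sample outputs are constructed for illustration.

```python
import re

# Routine-level grant as printed by SHOW GRANTS, e.g.
# GRANT EXECUTE, ALTER ROUTINE ON PROCEDURE `db`.`p` TO `user`@`host`
ROUTINE_GRANT = re.compile(
    r"^GRANT\s+(?P<privs>.+?)\s+ON\s+(?P<kind>PROCEDURE|FUNCTION)\s+"
    r"`(?P<db>[^`]+)`\.`(?P<name>[^`]+)`\s+TO\s+"
    r"`(?P<user>[^`]*)`@`(?P<host>[^`]*)`",
    re.IGNORECASE)

def routine_grants(show_grants_output):
    """Return {(kind, db, routine, grantee): frozenset(privileges)}."""
    grants = {}
    for line in show_grants_output.splitlines():
        m = ROUTINE_GRANT.match(line.strip().rstrip(";"))
        if not m:
            continue  # global, schema and table-level grants are out of scope
        key = (m["kind"].upper(), m["db"], m["name"], f"{m['user']}@{m['host']}")
        privs = {p.strip().upper() for p in m["privs"].split(",")}
        grants[key] = grants.get(key, frozenset()) | privs
    return grants

def grant_drift(node_outputs):
    """Map each node to the routine privileges it lacks versus the union of all nodes."""
    parsed = {node: routine_grants(text) for node, text in node_outputs.items()}
    union = {}
    for grants in parsed.values():
        for key, privs in grants.items():
            union[key] = union.get(key, frozenset()) | privs
    drift = {}
    for node, grants in parsed.items():
        missing = {k: sorted(p - grants.get(k, frozenset())) for k, p in union.items()}
        drift[node] = {k: v for k, v in missing.items() if v}
    return drift

# Constructed SHOW GRANTS output for app_owner on two nodes (not captured from a real cluster).
COMMON = ("GRANT USAGE ON *.* TO `app_owner`@`%`\n"
          "GRANT SELECT, CREATE ROUTINE, ALTER ROUTINE ON `testdb1`.* "
          "TO `app_owner`@`%` WITH GRANT OPTION\n")
SAMPLE = {
    "node1": COMMON + "GRANT EXECUTE, ALTER ROUTINE ON PROCEDURE "
                      "`testdb1`.`p_test` TO `app_owner`@`%`\n",
    "node2": COMMON,
}

if __name__ == "__main__":
    print(grant_drift(SAMPLE))
```

An empty mapping for every node means the routine-level grants agree across the cluster.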