[MDEV-29596] Separate SUPER and READ ONLY ADMIN privileges - Jira

Details

Type: Task
Status: Closed (View Workflow)
Priority: Critical
Resolution: Fixed
Fix Version/s: 10.11.1
Component/s: Authentication and Privilege System
Labels:
- Preview_10.11

Description

Remove READ ONLY ADMIN from the SUPER privilege

The benefit of this is that one can remove the READ ONLY ADMIN privilege
from all users and this way ensure that no one can do any changes on
any non-temporary tables.

This is good option to use on slaves when one wants to ensure that the
slave is kept identical to the master.

Attachments

Issue Links

causes

MDEV-29632 SUPER users created before 10.11 should retain READ_ONLY ADMIN privilege upon upgrade

Closed

MDEV-29641 Help topics say SUPER is required to bypass read_only

Open

is part of

MDEV-29547 prepare 10.11.0 preview releases

Closed

relates to

MDEV-9458 FR: Super read-only mode

Closed

MDEV-29668 SUPER should not allow actions that have fine-grained dedicated privileges

Closed

Activity

Ascending order - Click to sort in descending order

Michael Widenius added a comment - 2022-09-21 16:18

Pushed to bb-10.11-~~MDEV-29596~~

Michael Widenius added a comment - 2022-09-21 16:18 Pushed to bb-10.11- MDEV-29596

Elena Stepanova added a comment - 2022-09-27 22:46 - edited

I have no objections against pushing it as of bb-10.11-MDEV-29596 07581249 (that is, with the fix for ~~MDEV-29632~~ in addition to the preview commit) into main 10.11 and releasing with 10.11.1.

Documentation and help topics will need to be updated to reflect the change in SUPER capabilities, but as explained in MDEV-29641, it is usually done asynchronously with releases, so it cannot be a blocker for the feature.

Note: In OM=>NS replication, if a user with SUPER privilege is created on the master, it will have READ_ONLY ADMIN privilege, while the replicated user on the replica will not. I don't consider it a bug and the scenario is probably of a low importance, I will leave it to the documentation team to decide whether it should be mentioned anywhere (FYI greenman).

Elena Stepanova added a comment - 2022-09-27 22:46 - edited I have no objections against pushing it as of bb-10.11-MDEV-29596 07581249 (that is, with the fix for MDEV-29632 in addition to the preview commit) into main 10.11 and releasing with 10.11.1. Documentation and help topics will need to be updated to reflect the change in SUPER capabilities, but as explained in MDEV-29641 , it is usually done asynchronously with releases, so it cannot be a blocker for the feature. Note: In OM=>NS replication, if a user with SUPER privilege is created on the master, it will have READ_ONLY ADMIN privilege, while the replicated user on the replica will not. I don't consider it a bug and the scenario is probably of a low importance, I will leave it to the documentation team to decide whether it should be mentioned anywhere (FYI greenman ).

People

Assignee:: Sergei Golubchik

Reporter:: Michael Widenius

Votes:: 0 Vote for this issue

Watchers:: 4 Start watching this issue

Dates

Created:: 2022-09-21 16:15

Updated:: 2023-08-07 16:22

Resolved:: 2022-09-29 18:50

Git Integration

Error rendering 'com.xiplink.jira.git.jira_git_plugin:git-issue-webpanel'. Please contact your Jira administrators.

MariaDB Server