[MDEV-29596] Separate SUPER and READ ONLY ADMIN privileges - Jira

Details

Type: Task
Status: Closed (View Workflow)
Priority: Critical
Resolution: Fixed
Fix Version/s: 10.11.1
Component/s: Authentication and Privilege System
Labels:
- Preview_10.11

Description

Remove READ ONLY ADMIN from the SUPER privilege

The benefit of this is that one can remove the READ ONLY ADMIN privilege
from all users and this way ensure that no one can do any changes on
any non-temporary tables.

This is good option to use on slaves when one wants to ensure that the
slave is kept identical to the master.

Attachments

Issue Links

causes

MDEV-29632 SUPER users created before 10.11 should retain READ_ONLY ADMIN privilege upon upgrade

Closed

MDEV-29641 Help topics say SUPER is required to bypass read_only

Open

is part of

MDEV-29547 prepare 10.11.0 preview releases

Closed

relates to

MDEV-9458 FR: Super read-only mode

Closed

MDEV-29668 SUPER should not allow actions that have fine-grained dedicated privileges

Closed

Activity

Ascending order - Click to sort in descending order

Michael Widenius created issue - 2022-09-21 16:15

Michael Widenius made changes - 2022-09-21 16:16

Field	Original Value	New Value
Fix Version/s		10.11 [ 27614 ]

Michael Widenius made changes - 2022-09-21 16:16

Status

Open [ 1 ]

In Progress [ 3 ]

Michael Widenius added a comment - 2022-09-21 16:18

Pushed to bb-10.11-~~MDEV-29596~~

Michael Widenius added a comment - 2022-09-21 16:18 Pushed to bb-10.11- MDEV-29596

Michael Widenius made changes - 2022-09-21 16:18

Status

In Progress [ 3 ]

In Testing [ 10301 ]

Sergei Golubchik made changes - 2022-09-21 17:47

Assignee

Michael Widenius [ monty ]

Elena Stepanova [ elenst ]

Sergei Golubchik made changes - 2022-09-21 17:59

Link

This issue is part of ~~MDEV-29547~~ [ ~~MDEV-29547~~ ]

Sergei Golubchik made changes - 2022-09-21 17:59

Affects Version/s	10.11 [ 27614 ]
Issue Type	Bug [ 1 ]	Task [ 3 ]

Elena Stepanova made changes - 2022-09-25 13:18

Link

This issue relates to TODO-3606 [ TODO-3606 ]

Elena Stepanova made changes - 2022-09-25 21:11

Link

This issue causes ~~MDEV-29632~~ [ ~~MDEV-29632~~ ]

Elena Stepanova made changes - 2022-09-26 20:58

Link

This issue causes MDEV-29641 [ MDEV-29641 ]

Elena Stepanova added a comment - 2022-09-27 22:46 - edited

I have no objections against pushing it as of bb-10.11-MDEV-29596 07581249 (that is, with the fix for ~~MDEV-29632~~ in addition to the preview commit) into main 10.11 and releasing with 10.11.1.

Documentation and help topics will need to be updated to reflect the change in SUPER capabilities, but as explained in MDEV-29641, it is usually done asynchronously with releases, so it cannot be a blocker for the feature.

Note: In OM=>NS replication, if a user with SUPER privilege is created on the master, it will have READ_ONLY ADMIN privilege, while the replicated user on the replica will not. I don't consider it a bug and the scenario is probably of a low importance, I will leave it to the documentation team to decide whether it should be mentioned anywhere (FYI greenman).

Elena Stepanova added a comment - 2022-09-27 22:46 - edited I have no objections against pushing it as of bb-10.11-MDEV-29596 07581249 (that is, with the fix for MDEV-29632 in addition to the preview commit) into main 10.11 and releasing with 10.11.1. Documentation and help topics will need to be updated to reflect the change in SUPER capabilities, but as explained in MDEV-29641 , it is usually done asynchronously with releases, so it cannot be a blocker for the feature. Note: In OM=>NS replication, if a user with SUPER privilege is created on the master, it will have READ_ONLY ADMIN privilege, while the replicated user on the replica will not. I don't consider it a bug and the scenario is probably of a low importance, I will leave it to the documentation team to decide whether it should be mentioned anywhere (FYI greenman ).

Elena Stepanova made changes - 2022-09-27 22:46

Assignee	Elena Stepanova [ elenst ]	Sergei Golubchik [ serg ]
Status	In Testing [ 10301 ]	Stalled [ 10000 ]