MariaDB Server / MDEV-33006

Missing required privilege CONNECTION ADMIN

Details

    Description

      Maybe this is just a documentation glitch, but when I set up a backup-user with the privileges as described here and then run mariabackup under this user, I see `Missing required privilege CONNECTION ADMIN`.

      Now, I don't mind adding this privilege for the backup-user, but the fact that the documentation doesn't mention this makes me wonder if I'm doing something wrong.

      Now because I'm running a Galera-cluster using mariabackup as SST-method, and SST-documentation states that "The user account that performs the backup for the SST needs to have the same privileges as Mariabackup, which are the RELOAD, PROCESS, LOCK TABLES and REPLICATION CLIENT global privileges.", I'm wondering if I also should be adding the `CONNECTION ADMIN` privilege to the SST-user...

      ... or am I just chasing a red herring, since everything seems to be running smoothly? It's all a bit confusing to me.

          Activity

            tvdijen Tim van Dijen created issue -

            serg Sergei Golubchik added a comment -

            According to the code

            extra/mariabackup/xtrabackup.cc

            if (!opt_no_lock && (opt_kill_long_queries_timeout || opt_kill_long_query_type)) {
            	check_result |= check_privilege(
            		granted_privileges,
            		"CONNECTION ADMIN", "*", "*",
            		PRIVILEGE_WARNING);

            it needs CONNECTION ADMIN privilege to kill long queries, which is used if you have not specified --no-lock and have specified --kill-long-queries-timeout or --kill-long-query-type.

            serg Sergei Golubchik made changes -
            Field Original Value New Value
            Priority Trivial [ 5 ] Major [ 3 ]
            serg Sergei Golubchik made changes -
            Fix Version/s N/A [ 14700 ]
            serg Sergei Golubchik made changes -
            Status Open [ 1 ] Confirmed [ 10101 ]
            danblack Daniel Black added a comment -

            SST page updated to have BINLOG MONITOR instead of REPLICATION CLIENT for 10.5+ per MDEV-23607.

            As the SST doesn't use the options serg listed above, no CONNECTION ADMIN is needed for SST.

            CONNECTION ADMIN documented on mariadb-overview page per requirements.

            --kill-long-query-type being an enum could be 0 for "ALL", but the CONNECTION ADMIN appears to be required. Fixing now.

            Thanks for the bug report.

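The gate quoted in the comments above, modeled as an added example (not MariaDB source and not the change in the linked pull request): it shows how testing an enum for truthiness skips the CONNECTION ADMIN check when the selected value is 0. The enum layout beyond "ALL can be 0", the `kill_type_given` flag, the `explicit_gate` alternative and the sample command lines are assumptions made for illustration.

```cpp
// Added illustration: a simplified model of the quoted gate, not MariaDB source.
#include <cstdio>
#include <vector>

// Assumed layout: the page only says ALL can be 0; KILL_OTHER is a placeholder.
enum KillQueryType { KILL_ALL = 0, KILL_OTHER = 1 };

struct Invocation {
    const char *cmdline;        // constructed sample command line
    bool no_lock;               // --no-lock
    unsigned kill_timeout;      // --kill-long-queries-timeout, 0 = unset
    bool kill_type_given;       // hypothetical "option was passed" flag
    KillQueryType kill_type;    // --kill-long-query-type (filler when not passed)
};

// Gate as quoted in the comment: the enum is tested for truthiness.
bool quoted_gate(const Invocation &i) {
    return !i.no_lock && (i.kill_timeout || i.kill_type);
}

// Assumed alternative: test whether the option was passed, not its value.
bool explicit_gate(const Invocation &i) {
    return !i.no_lock && (i.kill_timeout || i.kill_type_given);
}

// Constructed sample invocations (not taken from the issue).
std::vector<Invocation> samples() {
    return {
        {"--kill-long-queries-timeout=30", false, 30, false, KILL_ALL},
        {"--kill-long-query-type=ALL", false, 0, true, KILL_ALL},
        {"--kill-long-query-type=<non-zero type>", false, 0, true, KILL_OTHER},
        {"--no-lock --kill-long-query-type=ALL", true, 0, true, KILL_ALL},
    };
}

// Count invocations where only the quoted gate skips the privilege check.
int skipped_checks() {
    int n = 0;
    for (const Invocation &i : samples())
        if (!quoted_gate(i) && explicit_gate(i)) ++n;
    return n;
}

int main() {
    for (const Invocation &i : samples())
        std::printf("%-40s quoted=%d explicit=%d\n", i.cmdline,
                    quoted_gate(i), explicit_gate(i));
    std::printf("skipped checks: %d\n", skipped_checks());
}
```
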
            danblack Daniel Black made changes -
            Assignee Ian Gilfillan [ greenman ] Daniel Black [ danblack ]
            danblack Daniel Black made changes -
            Fix Version/s 10.5 [ 23123 ]
            Fix Version/s N/A [ 14700 ]
            danblack Daniel Black added a comment -

            Given docs are fixed, I'm repurposing this task to fix the bug noticed in the highlighted code, about it not giving a "missing required privileges CONNECTION ADMIN" warning.

            https://github.com/MariaDB/server/pull/2929

            danblack Daniel Black made changes -
            Assignee Daniel Black [ danblack ] Andrew Hutchings [ JIRAUSER52179 ]
            Status Confirmed [ 10101 ] In Review [ 10002 ]
            danblack Daniel Black made changes -
            Fix Version/s 10.5.24 [ 29517 ]
            Fix Version/s 10.5 [ 23123 ]
            Assignee Andrew Hutchings [ JIRAUSER52179 ] Daniel Black [ danblack ]
            Resolution Fixed [ 1 ]
            Status In Review [ 10002 ] Closed [ 6 ]
            JIraAutomate JiraAutomate made changes -
            Fix Version/s 10.6.17 [ 29518 ]
            Fix Version/s 10.11.7 [ 29519 ]
            Fix Version/s 11.0.5 [ 29520 ]
            Fix Version/s 11.1.4 [ 29024 ]
            Fix Version/s 11.2.3 [ 29521 ]
            People

              danblack Daniel Black
              tvdijen Tim van Dijen