Uploaded image for project: 'MariaDB Server'
  1. MariaDB Server
  2. MDEV-38506

Failed GRANT on a procedure breaks replication

    XMLWordPrintable

Details

    • Unexpected results
    • An issue is fixed where GRANT EXECUTE ON PROCEDURE would fail on the master, but would still be replicated and executed successfully on the slave.
    • Q1/2026 Server Maintenance

    Description

      A customer has an issue in 10.6.23, where they are able to run the following statement and this gets logged to the binary log after receiving a 1410 error and this is in turn replicated and causes an 1819 error on replication and breaks it.

      They are running with an empty sql_mode, so the NO_AUTO_CREATE_USER doesn’t get enforced.

      The statement they are running is:

      MariaDB [(none)]> GRANT EXECUTE ON PROCEDURE webleads_generic.createBuyerInsertTable TO 'prole_developerline1'@'';
      		 
      ERROR 1410 (42000): You are not allowed to create a user with GRANT

      This is supposed to be a GRANT to a ROLE and not a user.

      Steps to reproduce this:

      -- 1. Enable the Password Policy (Simulating Production Constraints)
      		 
      INSTALL SONAME 'simple_password_check';
      		 
      SET GLOBAL simple_password_check_minimal_length = 8;
      		 
      SET GLOBAL simple_password_check_other_characters_length = 1;
      		 
       
      		 
      -- 2. Create the Database and Procedure
      		 
      DROP DATABASE IF EXISTS webleads_generic;
      		 
      CREATE DATABASE webleads_generic;
      		 
      DELIMITER //
      		 
      CREATE PROCEDURE webleads_generic.createBuyerInsertTable() BEGIN SELECT 1; END//
      		 
      DELIMITER ;
      		 
       
      		 
      -- 3. Create the Developer User (Simulating 'cc')
      		 
      DROP USER IF EXISTS 'developer_l2_test'@'%';
      		 
      CREATE USER 'developer_l2_test'@'%' IDENTIFIED BY 'ComplexPass123!';
      		 
       
      		 
      -- 4. Apply Grants from file like customer has
      		 
      GRANT SELECT, INSERT, UPDATE, DELETE, CREATE, DROP, REFERENCES, INDEX, ALTER, 
            CREATE TEMPORARY TABLES, LOCK TABLES, EXECUTE, CREATE VIEW, SHOW VIEW, 
            CREATE ROUTINE, ALTER ROUTINE, EVENT, TRIGGER 
      ON `webleads_generic`.* TO 'developer_l2_test'@'%' 
      WITH GRANT OPTION;
      		 
       
      		 
      -- 5. Ensure the target ROLE exists (Simulating the Master state)
      		 
      -- If we don't create this, the second test will also fail with 1410.
      		 
      CREATE OR REPLACE ROLE 'prole_developerline1';
      		 
       
      		 
      -- Reset sql_mode
      		 
      SET GLOBAL sql_mode='';
      		 
       
      		 
      -- Login as user developer_l2_test
      		 
      mariadb -A -u developer_l2_test -p
      		 
       
      		 
      -- Run command that failed
      		 
      GRANT EXECUTE ON PROCEDURE webleads_generic.createBuyerInsertTable TO 'prole_developerline1'@'';
      		 
       
      		 
      This should fail with 1410 error

      Then check the binary logs and you should see the GRANT statement that shouldn't be logged.

      Attachments

        Issue Links

          relates to

          Bug - A problem which impairs or prevents the functions of the product. MDEV-29848 Partially failed grant not written into binlog => discrepancy between master and replica

          • Major - Major loss of function.
          • Open

          Activity

            People

              bnestere Brandon Nesterenko
              sunnynagra Sunny Nagra
              Brandon Nesterenko Brandon Nesterenko
              Sergei Golubchik Sergei Golubchik
              Votes:
              0 Vote for this issue
              Watchers:
              3 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved:

                Git Integration

                  Error rendering 'com.xiplink.jira.git.jira_git_plugin:git-issue-webpanel'. Please contact your Jira administrators.