Uploaded image for project: 'MariaDB Server'
  1. MariaDB Server
  2. MDEV-39275

XA COMMIT / XA ROLLBACK / XA RECOVER don't require any privileges

    XMLWordPrintable

Details

    • Bug
    • Status: Open (View Workflow)
    • Major
    • Resolution: Unresolved
    • 10.6, 10.11, 11.4, 11.8, 12.3
    • 13.0
    • None

    Description

      Currently one doesn't need any privileges to execute XA ROLLBACK, XA COMMIT, XA RECOVER statements.

      This allows for annoying behavior when an unprivileged user repeatedly executes XA RECOVER and nukes everything that appears there. This isn't exactly the only way an unprivileged user can be annoying, still let's fix it.

      MySQL fixed it in https://dev.mysql.com/worklog/task/?id=7194 by introducing a new privilege XA_RECOVER_ADMIN.

      I'm not sure it's the best approach. It'd be reasonable for XID_cache_element to store the user who prepared the transaction and only allow that user to commit/rollback it. And only require XA_RECOVER_ADMIN for XA recovery.

      On the other hand, MySQL compatibility...

      Attachments

        Activity

          People

            wlad Vladislav Vaintroub
            serg Sergei Golubchik
            Votes:
            0 Vote for this issue
            Watchers:
            2 Start watching this issue

            Dates

              Created:
              Updated:

              Git Integration

                Error rendering 'com.xiplink.jira.git.jira_git_plugin:git-issue-webpanel'. Please contact your Jira administrators.