[MDEV-39275] XA COMMIT / XA ROLLBACK / XA RECOVER don't require any privileges - Jira

XML

Word

Printable

Details

Type: Bug
Status: Open (View Workflow)
Priority: Major
Resolution: Unresolved
Affects Version/s: 10.6, 10.11, 11.4, 11.8, 12.3
Fix Version/s: 13.0
Component/s: None
Labels:
- compat80

Description

Currently one doesn't need any privileges to execute XA ROLLBACK, XA COMMIT, XA RECOVER statements.

This allows for annoying behavior when an unprivileged user repeatedly executes XA RECOVER and nukes everything that appears there. This isn't exactly the only way an unprivileged user can be annoying, still let's fix it.

MySQL fixed it in https://dev.mysql.com/worklog/task/?id=7194 by introducing a new privilege XA_RECOVER_ADMIN.

I'm not sure it's the best approach. It'd be reasonable for XID_cache_element to store the user who prepared the transaction and only allow that user to commit/rollback it. And only require XA_RECOVER_ADMIN for XA recovery.

On the other hand, MySQL compatibility...

Attachments

Activity

People

Assignee:: Vladislav Vaintroub

Reporter:: Sergei Golubchik

Votes:: 0 Vote for this issue

Watchers:: 2 Start watching this issue

Dates

Created:: 6 days ago 13:24

Updated:: 6 days ago 13:24

Git Integration

Error rendering 'com.xiplink.jira.git.jira_git_plugin:git-issue-webpanel'. Please contact your Jira administrators.