[MDEV-18544] "missing required privilege PROCESS on *.*" using mariabackup for SST Created: 2019-02-11  Updated: 2019-05-02  Resolved: 2019-05-02

Status: Closed
Project: MariaDB Server
Component/s: Galera SST, mariabackup
Affects Version/s: 10.3.12
Fix Version/s: N/A

Type: Bug Priority: Major
Reporter: Konstantin Vasserman Assignee: Vladislav Vaintroub
Resolution: Incomplete Votes: 0
Labels: None
Environment:

Ubuntu 18.04


 Description   

We had a 10.2 Galera cluster that used mariabackup as SST method. Everything worked fine, until we've upgraded to 10.3.

With 10.3, SST started failing on donor node with "missing required privilege PROCESS on ." error. When we checked the privileges on the account used for SST, it already had PROCESS privilege (and that didn't change since 10.2). We tried granting it again, just in case, that didn't help.

We attempted mariabackup --backup with the same account and it worked fine. So the problem appears to be specific to mariabackup used as SST. Only after we've granted ALL privileges to the account, SST began to function.

Here is an excerpt from syslog on the donor node that is related to this issue:

----------
Feb 11 00:50:38 maria3 mysqld[26260]: 2019-02-11 0:50:38 0 [Note] WSREP: Member 1.0 (maria1) requested state transfer from 'maria3,maria2,'. Selected 2.0 (maria3)(SYNCED) as
donor.
Feb 11 00:50:38 maria3 mysqld[26260]: 2019-02-11 0:50:38 0 [Note] WSREP: Shifting SYNCED -> DONOR/DESYNCED (TO: 863845639)
Feb 11 00:50:38 maria3 mysqld[26260]: 2019-02-11 0:50:38 12 [Note] WSREP: IST request: d7a81744-d48f-11e7-abeb-9efa07dcbffd:863832526-863845639|ssl://maria1:4568
Feb 11 00:50:38 maria3 mysqld[26260]: 2019-02-11 0:50:38 12 [Note] WSREP: IST first seqno 863832527 not found from cache, falling back to SST
Feb 11 00:50:38 maria3 mysqld[26260]: 2019-02-11 0:50:38 12 [Note] WSREP: wsrep_notify_cmd is not defined, skipping notification.
Feb 11 00:50:38 maria3 mysqld[26260]: 2019-02-11 0:50:38 0 [Note] WSREP: Running: 'wsrep_sst_mariabackup --role 'donor' --address 'maria1:4444/xtrabackup_sst//1' --socket '/
var/run/mysqld/mysqld.sock' --datadir '/data/maria/' --binlog '/data/logs/mariadb-bin' --gtid 'd7a81744-d48f-11e7-abeb-9efa07dcbffd:863845639' --gtid-domain-id '0''
Feb 11 00:50:38 maria3 mysqld[26260]: 2019-02-11 0:50:38 12 [Note] WSREP: sst_donor_thread signaled with 0
Feb 11 00:50:38 maria3 mysqld[26260]: WSREP_SST: [INFO] Logging all stderr of SST/Innobackupex to syslog (20190211 00:50:38.513)
Feb 11 00:50:38 maria3 -wsrep-sst-donor: Streaming with xbstream
Feb 11 00:50:38 maria3 -wsrep-sst-donor: Using socat as streamer
Feb 11 00:50:38 maria3 -wsrep-sst-donor: Using /tmp/tmp.VNQEQmWK7T as innobackupex temporary directory
Feb 11 00:50:38 maria3 -wsrep-sst-donor: Streaming GTID file before SST
Feb 11 00:50:38 maria3 -wsrep-sst-donor: Evaluating mbstream -c ${INFO_FILE} | pigz --fast | socat -u stdio TCP:maria1:4444 ; RC=( ${PIPESTATUS[@]} )
Feb 11 00:50:38 maria3 -wsrep-sst-donor: Sleeping before data transfer for SST
Feb 11 00:50:39 maria3 mysqld[26260]: 2019-02-11 0:50:39 0 [Note] WSREP: (e565f0f1, 'ssl://0.0.0.0:4567') turning message relay requesting off
Feb 11 00:50:48 maria3 -wsrep-sst-donor: Streaming the backup to joiner at maria1 4444
Feb 11 00:50:48 maria3 -wsrep-sst-donor: Evaluating mariabackup --innobackupex $tmpopts $INNOEXTRA --galera-info --stream=$sfmt $itmpdir 2> >(logger -p daemon.err -t -in
nobackupex-backup) | pigz --fast | socat -u stdio TCP:maria1:4444; RC=( ${PIPESTATUS[@]} )
Feb 11 00:50:48 maria3 -innobackupex-backup: 190211 00:50:48 innobackupex: Starting the backup operation
Feb 11 00:50:48 maria3 -innobackupex-backup:
Feb 11 00:50:48 maria3 -innobackupex-backup: IMPORTANT: Please check that the backup run completes successfully.
Feb 11 00:50:48 maria3 -innobackupex-backup: At the end of a successful backup run innobackupex
Feb 11 00:50:48 maria3 -innobackupex-backup: prints "completed OK!".
Feb 11 00:50:48 maria3 -innobackupex-backup:
Feb 11 00:50:48 maria3 -innobackupex-backup: 190211 00:50:48 Connecting to MySQL server host: localhost, user: galeraSST, password: set, port: 3306, socket: /var/run/mysqld/m
ysqld.sock
Feb 11 00:50:48 maria3 -innobackupex-backup: Using server version 10.3.12-MariaDB-1:10.3.12+maria~bionic-log
Feb 11 00:50:48 maria3 -innobackupex-backup: Error: missing required privilege PROCESS on .
Feb 11 00:50:48 maria3 -wsrep-sst-donor: mariabackup finished with error: 1. Check /data/maria//innobackup.backup.log
Feb 11 00:50:48 maria3 -wsrep-sst-donor: Cleanup after exit with status:22
Feb 11 00:50:48 maria3 -wsrep-sst-donor: Cleaning up temporary directories
Feb 11 00:50:48 maria3 mysqld[26260]: 2019-02-11 0:50:48 0 [ERROR] WSREP: Failed to read from: wsrep_sst_mariabackup --role 'donor' --address 'maria1:4444/xtrabackup_sst//1' --socket '/var/run/mysqld/mysqld.sock' --datadir '/data/maria/' --binlog '/data/logs/mariadb-bin' --gtid 'd7a81744-d48f-11e7-abeb-9efa07dcbffd:863845639' --gtid-domain-id '0'
Feb 11 00:50:48 maria3 mysqld[26260]: 2019-02-11 0:50:48 0 [ERROR] WSREP: Process completed with error: wsrep_sst_mariabackup --role 'donor' --address 'maria1:4444/xtrabackup_sst//1' --socket '/var/run/mysqld/mysqld.sock' --datadir '/data/maria/' --binlog '/data/logs/mariadb-bin' --gtid 'd7a81744-d48f-11e7-abeb-9efa07dcbffd:863845639' --gtid-domain-id '0': 22 (Invalid argument)
Feb 11 00:50:48 maria3 mysqld[26260]: 2019-02-11 0:50:48 0 [ERROR] WSREP: Command did not run: wsrep_sst_mariabackup --role 'donor' --address 'maria1:4444/xtrabackup_sst//1' --socket '/var/run/mysqld/mysqld.sock' --datadir '/data/maria/' --binlog '/data/logs/mariadb-bin' --gtid 'd7a81744-d48f-11e7-abeb-9efa07dcbffd:863845639' --gtid-domain-id '0'
Feb 11 00:50:48 maria3 mysqld[26260]: 2019-02-11 0:50:48 0 [Warning] WSREP: 2.0 (maria3): State transfer to 1.0 (maria1) failed: -22 (Invalid argument)
Feb 11 00:50:48 maria3 mysqld[26260]: 2019-02-11 0:50:48 0 [Note] WSREP: Shifting DONOR/DESYNCED -> JOINED (TO: 863845666)

 Comments   
Comment by Konstantin Vasserman [ 2019-03-12 ]

I have since been able to replicate the problem on a stand-alone node without Galera and SST involved. After upgrading from 10.2 to 10.3, nightly mariabackup tool started throwing the same error about PROCESS privilege being missing from the user. Granting the user ALL privileges fixed the issue.

Comment by Jan Lindström (Inactive) [ 2019-03-13 ]

Can you provide output from show grants for sst user and user executing the sst.

Comment by Konstantin Vasserman [ 2019-03-13 ]

Unfortunately, I didn't snapshot the privileges before I set the user to GRANT ALL PRIVILEGES. However, I'm pretty certain that the original privileges were set as recommended by your documentation:

GRANT RELOAD, PROCESS, LOCK TABLES, REPLICATION CLIENT ON . TO 'mariabackup'@'localhost';

Did this list of required privileges change between 10.2 and 10.3?

Comment by Jan Lindström (Inactive) [ 2019-03-13 ]

In my understanding similar access rights should be granted for user used on sst i.e. on your case galeraSST

Comment by Konstantin Vasserman [ 2019-03-13 ]

So it now happened to us on both a Galera SST AND a stand-alone node. In both cases it complained about PROCESS privilege not being set. But in both cases, the user had PROCESS privilege and only when we gave the user ALL privileges mariabackup started working.

Comment by Geoff Montee (Inactive) [ 2019-03-13 ]

Hi kvasserman,

What is your value of wsrep_sst_auth?

https://mariadb.com/kb/en/library/mariabackup-sst-method/#authentication-and-privileges

As jplindst pointed out, you've provided the privileges of the 'mariabackup'@'localhost' user, but your output suggests that the SST was using the galeraSST user instead:

Feb 11 00:50:48 maria3 -innobackupex-backup: 190211 00:50:48 Connecting to MySQL server host: localhost, user: galeraSST, password: set, port: 3306, socket: /var/run/mysqld/mysqld.sock

Comment by Konstantin Vasserman [ 2019-03-13 ]

wsrep_sst_auth=galeraSST:<password reducted>

as I have explained galeraSST user had PROCESS privilege, but mariabackup failed with the above error until I gave that user ALL privileges.

It then happened on a completely different server that is not a Galera node and SST was not involved. The same issue, the user already had PROCESS privilege, but mariabackup failed complaining that the user doesn't have it, until I gave that user ALL privileges.

Comment by Konstantin Vasserman [ 2019-03-13 ]

In both cases, problem happened after upgrade from 10.2 to 10.3

Comment by Vladislav Vaintroub [ 2019-03-13 ]

Can you , for diagnostic purposes, paste the output for following command, for the galeraSST user?
SHOW GRANTS FOR 'galeraSST'@'localhost'

Comment by Konstantin Vasserman [ 2019-03-13 ]

You don't believe me that it NOW has ALL privileges and is working with this configuration? Here it is:

GRANT ALL PRIVILEGES ON . TO 'galeraSST'@'localhost' IDENTIFIED BY PASSWORD '*XXXXXXXXXX'

Since I had to give the user all privileges to make it work, I don't have the old privileges. But they were set as per your documentation.

Comment by Vladislav Vaintroub [ 2019-03-13 ]

I believe you that all privileges work, however we do have a unit test that tests just required privileges.

So either the parsing went somehow wrong, or something else was fishy in your case, but it is hard to tell what, without obtaining original GRANT, where mariabackup would fail.

Here is the test, it succeeds if RELOAD and PROCESS are granted on all databases
and it fails otherwise
https://github.com/MariaDB/server/blob/10.4/mysql-test/suite/mariabackup/backup_grants.test

Comment by Konstantin Vasserman [ 2019-03-13 ]

I know, it's unfortunate that I didn't save the old GRANTs but I'm pretty sure they were:

GRANT RELOAD, PROCESS, LOCK TABLES, REPLICATION CLIENT ON . TO 'galeraSST'@'localhost' .....

Comment by Geoff Montee (Inactive) [ 2019-03-13 ]

I just did a manual test with mariabackup and mysqld from 10.3.13 using the privileges in the documentation, and that worked:

$ sudo mariabackup --backup \
 
>    --target-dir=/home/ec2-user/backup/ \
 
>    --user=mariabackup --password=mypassword
 
[00] 2019-03-13 17:41:03 Connecting to MySQL server host: localhost, user: mariabackup, password: set, port: not set, socket: not set
 
[00] 2019-03-13 17:41:03 Using server version 10.3.13-MariaDB-log
 
[00] 2019-03-13 17:41:03 mariabackup based on MariaDB server 10.3.13-MariaDB Linux (x86_64)
 
[00] 2019-03-13 17:41:03 uses posix_fadvise().
 
[00] 2019-03-13 17:41:03 cd to /var/lib/mysql/
 
...
 
[00] 2019-03-13 17:41:05 completed OK!
 
$ mysql -u root --execute "SHOW GRANTS FOR 'mariabackup'@'localhost'"
 
+---------------------------------------------------------------------------------------------------------------------------------------------------------------+
 
| Grants for mariabackup@localhost                                                                                                                              |
 
+---------------------------------------------------------------------------------------------------------------------------------------------------------------+
 
| GRANT RELOAD, PROCESS, LOCK TABLES, REPLICATION CLIENT ON *.* TO 'mariabackup'@'localhost' IDENTIFIED BY PASSWORD '*FABE5482D5AADF36D028AC443D117BE1180B9725' |
 
+---------------------------------------------------------------------------------------------------------------------------------------------------------------+

Comment by Konstantin Vasserman [ 2019-03-13 ]

Did you create user in 10.2 and then upgraded to 10.3? Because this is when I got the error: after upgrading to 10.3. It worked well in 10.2.

Comment by Vladislav Vaintroub [ 2019-05-02 ]

There is really not enough info to process it, thus I added some code to dump current grants in mariabackup output, in case it ends with "Insufficient privileges".

If bug reappears, or will be reproducible somehow, this will make fixing it easy.

Generated at Thu Feb 08 08:44:55 UTC 2024 using Jira 8.20.16#820016-sha1:9d11dbea5f4be3d4cc21f03a88dd11d8c8687422.