[MDEV-22152] REPLICATION MASTER ADMIN privilege not given to former SUPER users upon upgrade

Created: 2020-04-05
Updated: 2022-01-25
Resolved: 2020-06-11

Status: Closed
Project: MariaDB Server
Component/s: Authentication and Privilege System
Affects Version/s: 10.5
Fix Version/s: N/A

Type: Bug
Priority: Major
Reporter: Elena Stepanova
Assignee: Unassigned
Resolution: Not a Bug
Votes: 0
Labels: None

Issue Links:
Relates
relates to MDEV-21743 Split up SUPER privilege to smaller p... Closed
relates to MDEV-23610 Slave user can't run "SHOW SLAVE STAT... Closed
relates to MDEV-27611 CLONE - Slave user can't run "SHOW SL... Closed

 Description   

In the scope of MDEV-21743 a number of new privileges were introduced, mainly in order to split the SUPER privilege. Upon upgrade from previous versions these privileges are added to users who had SUPER before, except for the REPLICATION MASTER ADMIN privilege. It is currently given only to users who had SUPER and REPLICATION SLAVE.

For now, it doesn't affect anything, because for the sake of backward compatibility SUPER still has the capabilities it had before. However, as I understand, the new privileges are given to former SUPER users in order to deprecate/decommission SUPER in future, at which point it will become important: without getting REPLICATION MASTER ADMIN, former SUPER users will lose the ability to set global replication-related variables.

At the same time, adding REPLICATION MASTER ADMIN to former SUPER users will bring inconsistency. There is one capability which REPLICATION MASTER ADMIN has but SUPER users didn't before and as of 10.5.2 still don't: SHOW SLAVE HOSTS.

To summarize,

  • if we don't add REPLICATION MASTER ADMIN to SUPER users upon upgrade, it is all right now, but in future versions SUPER users will lose a capability which they had before upgrade;
  • if we do add REPLICATION MASTER ADMIN to SUPER users upon upgrade, it will (already now) give SUPER users a capability which they didn't have before.

I'm not sure which outcome is desired.



 Comments   
Comment by Alexander Barkov [ 2020-06-11 ]

From my understanding, in the final patch version there should not be problems like "With this set of privileges I was able to do THAT, but after upgrade I cannot do THAT any more".

REPLICATION MASTER ADMIN is given to users who had both SUPER and REPLICATION SLAVE at the same time before the upgrade.

Replication related variables now check for either REPLICATION MASTER ADMIN or SUPER.

Comment by Elena Stepanova [ 2020-06-11 ]

Just for clarification – this report never claimed a problem "With this set of privileges I was able to do THAT, but after upgrade I cannot do THAT any more". It specifically said "For now, it doesn't affect anything, <...> in future, <...> former SUPER users will lose the ability to set global replication-related variables".

The options were to postpone dealing with it until it becomes a real problem, or to handle it now. The first one was chosen; it's fine by me. Maybe SUPER will never be decommissioned at all, or some other changes will make it a non-issue.
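An audit query for the situation discussed in this report, added here as an example; it is not part of the report or of MariaDB's own upgrade scripts. It assumes the global privilege names appear in `information_schema.USER_PRIVILEGES` spelled as in this report, and the account in the commented `GRANT` is a placeholder.

```sql
-- Added example: list accounts that hold global SUPER on an upgraded
-- 10.5 server and show whether their access to global replication
-- variables rests on REPLICATION MASTER ADMIN or only on SUPER.
-- Assumption: run as an administrative account that can read the grant
-- tables; a restricted account may see only its own privileges.
SELECT
    GRANTEE,
    MAX(PRIVILEGE_TYPE = 'REPLICATION SLAVE')        AS has_repl_slave,
    MAX(PRIVILEGE_TYPE = 'REPLICATION MASTER ADMIN') AS has_repl_master_admin,
    CASE
        WHEN MAX(PRIVILEGE_TYPE = 'REPLICATION MASTER ADMIN') = 1
            THEN 'explicit REPLICATION MASTER ADMIN'
        ELSE 'relies on SUPER only'
    END AS replication_variable_access
FROM information_schema.USER_PRIVILEGES
GROUP BY GRANTEE
-- Keep only accounts that hold SUPER at the global level.
HAVING MAX(PRIVILEGE_TYPE = 'SUPER') = 1
-- Accounts that depend on SUPER alone sort first.
ORDER BY has_repl_master_admin, GRANTEE;

-- Accounts reported as 'relies on SUPER only' are the ones that would
-- lose the ability to set global replication-related variables if SUPER
-- stopped covering it. Granting the privilege explicitly removes that
-- dependency, but per this report it also adds SHOW SLAVE HOSTS, which
-- SUPER alone did not provide:
--
--   GRANT REPLICATION MASTER ADMIN ON *.* TO 'placeholder_admin'@'localhost';
```

Only privileges granted directly at the global level are listed in this view, so review each flagged account before deciding whether the extra capability is acceptable.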
