[MDEV-23918] admin privilege required to view contents of relay logs in 10.5 Created: 2020-10-08  Updated: 2022-01-25  Resolved: 2020-11-16

Status: Closed
Project: MariaDB Server
Component/s: Authentication and Privilege System, Replication
Affects Version/s: 10.5.5, 10.5.6
Fix Version/s: 10.5.9

Type: Bug Priority: Major
Reporter: vidyadhar Assignee: Sujatha Sivakumar (Inactive)
Resolution: Fixed Votes: 0
Labels: monitoring, privileges, replication
Environment: ANY

Issue Links:
Relates
relates to MDEV-23610 Slave user can't run "SHOW SLAVE STAT... Closed
relates to MDEV-27611 CLONE - Slave user can't run "SHOW SL... Closed

 Description   

I completely understand the point that the SUPER privilege has been divided into multiple parts for better privilege management.

Here, we can use the "binlog monitor" privilege to view the contents of binary logs. However, when it comes to the relay log, it requires the "replication slave admin" privilege. In earlier versions, it needed the "replication slave" privilege to view the contents of relay logs.

https://mariadb.com/kb/en/grant/#replication-slave-admin

It would be nice to consider the same behavior and provide users with "replication slave" privilege to view the relay log contents using the "SHOW RELAYLOG EVENTS" command accordingly.

MariaDB [(none)]> select version();
+---------------------+
| version()           |
+---------------------+
| 10.4.13-MariaDB-log |
+---------------------+
1 row in set (0.00 sec)
 
MariaDB [(none)]>
MariaDB [(none)]> show relaylog events in 'relaylog.000030';
ERROR 1227 (42000): Access denied; you need (at least one of) the REPLICATION SLAVE privilege(s) for this operation
MariaDB [(none)]>
 
MariaDB [(none)]> select version();
+----------------+
| version()      |
+----------------+
| 10.5.5-MariaDB |
+----------------+
1 row in set (0.00 sec)
 
MariaDB [(none)]> show relaylog events in 'relaylog.000603';
ERROR 1227 (42000): Access denied; you need (at least one of) the REPLICATION SLAVE ADMIN privilege(s) for this operation
MariaDB [(none)]>



 Comments   
Comment by Sergei Golubchik [ 2020-11-04 ]

sujatha.sivakumar, should this also be in the new REPLICATION CLIENT MONITOR privilege?

That is, does it logically fit into the same group?

Comment by Sujatha Sivakumar (Inactive) [ 2020-11-05 ]

Hello serg

Post MDEV-21743, binary log related SHOW commands are organized like this:

  • BINLOG MONITOR (New Privilege)
    • SHOW BINLOG EVENTS
    • SHOW BINLOG STATUS
    • SHOW BINARY LOGS

Since we are planning to add a new privilege as part of MDEV-23610 for the "SHOW REPLICA STATUS" command, we can include the "SHOW RELAY LOG EVENTS" command as well.

  • REPLICA MONITOR (Proposed new privilege name)
    • SHOW SLAVE STATUS
    • SHOW RELAYLOG EVENTS

Comment by Sujatha Sivakumar (Inactive) [ 2020-11-16 ]

Fix is implemented as part of MDEV-23610
