[MDEV-28294] set default role bypasses Replicate_Wild_Ignore_Table: mysql.% Created: 2022-04-12  Updated: 2022-09-27  Resolved: 2022-08-22

Status: Closed
Project: MariaDB Server
Component/s: Replication
Affects Version/s: 10.6.7, 10.2, 10.3, 10.4, 10.5, 10.7, 10.8, 10.9
Fix Version/s: 10.9.2, 10.3.37, 10.4.27, 10.5.18, 10.6.10, 10.7.6, 10.8.5

Type: Bug Priority: Critical
Reporter: Allen Lee (Inactive) Assignee: Brandon Nesterenko
Resolution: Fixed Votes: 1
Labels: None


 Description   

Replicate_Wild_Ignore_Table: mysql.% can't make bypass SET DEFAULT ROLE '<role>' FOR 'user';

On master

MariaDB [(none)]> create user testuser@'%';
 
Query OK, 0 rows affected (0.002 sec)
 
 
 
MariaDB [(none)]> CREATE ROLE journalist;
 
Query OK, 0 rows affected (0.002 sec)
 
 
 
MariaDB [(none)]> grant journalist to testuser@'%';
 
Query OK, 0 rows affected (0.001 sec)
 
 
 
MariaDB [(none)]> select * from mysql.roles_mapping;
 
+-----------+----------+-----------------------+--------------+
 
| Host      | User     | Role                  | Admin_option |
 
+-----------+----------+-----------------------+--------------+
 
| localhost | root     | role_workflow_portals | Y            |
 
| localhost | root     | journalist            | Y            |
 
| %         | testuser | journalist            | N            |
 
+-----------+----------+-----------------------+--------------+
 
3 rows in set (0.001 sec)
 
 
 
MariaDB [(none)]> SET DEFAULT ROLE journalist for testuser@'%';
 
Query OK, 0 rows affected (0.001 sec)

on slave:

MariaDB [(none)]> show slave status\G
 
*************************** 1. row ***************************
 
                Slave_IO_State: Waiting for master to send event
 
                   Master_Host: 192.168.254.14
 
                   Master_User: repl
 
                   Master_Port: 3306
 
                 Connect_Retry: 60
 
               Master_Log_File: m2-bin.000005
 
           Read_Master_Log_Pos: 1077
 
                Relay_Log_File: mariadb-relay-bin.000002
 
                 Relay_Log_Pos: 1220
 
         Relay_Master_Log_File: m2-bin.000005
 
              Slave_IO_Running: Yes
 
             Slave_SQL_Running: No
 
               Replicate_Do_DB: 
           Replicate_Ignore_DB: 
            Replicate_Do_Table: 
        Replicate_Ignore_Table: 
       Replicate_Wild_Do_Table: 
   Replicate_Wild_Ignore_Table: mysql.%
 
                    Last_Errno: 1959
 
                    Last_Error: Error 'Invalid role specification `journalist`' on query. Default database: ''. Query: 'SET DEFAULT ROLE 'journalist' FOR 'testuser'@'%''
 
                  Skip_Counter: 0
 
           Exec_Master_Log_Pos: 924
 
               Relay_Log_Space: 1684
 
               Until_Condition: None
 
                Until_Log_File: 
                 Until_Log_Pos: 0
 
            Master_SSL_Allowed: No
 
            Master_SSL_CA_File: 
            Master_SSL_CA_Path: 
               Master_SSL_Cert: 
             Master_SSL_Cipher: 
                Master_SSL_Key: 
         Seconds_Behind_Master: NULL
 
 Master_SSL_Verify_Server_Cert: No
 
                 Last_IO_Errno: 0
 
                 Last_IO_Error: 
                Last_SQL_Errno: 1959
 
                Last_SQL_Error: Error 'Invalid role specification `journalist`' on query. Default database: ''. Query: 'SET DEFAULT ROLE 'journalist' FOR 'testuser'@'%''
 
   Replicate_Ignore_Server_Ids: 
              Master_Server_Id: 3
 
                Master_SSL_Crl: 
            Master_SSL_Crlpath: 
                    Using_Gtid: Slave_Pos
 
                   Gtid_IO_Pos: 3-3-5,0-3-2
 
       Replicate_Do_Domain_Ids: 
   Replicate_Ignore_Domain_Ids: 
                 Parallel_Mode: optimistic
 
                     SQL_Delay: 0
 
           SQL_Remaining_Delay: NULL
 
       Slave_SQL_Running_State: 
              Slave_DDL_Groups: 5
 
Slave_Non_Transactional_Groups: 0
 
    Slave_Transactional_Groups: 0

MTR test case for reproducing

source include/master-slave.inc;
 
 
call mtr.add_suppression("Slave: Invalid role specification `journalist` Error_code: 1959");
 
 
connection master;
 
SET @@GLOBAL.replicate_wild_ignore_table="mysql.%";
 
 
connection slave;
 
source include/stop_slave.inc;
 
SET @@GLOBAL.replicate_wild_ignore_table="mysql.%";
 
source include/start_slave.inc;
 
 
connection master;
 
CREATE ROLE journalist;
 
CREATE USER testuser@localhost IDENTIFIED by '';
 
 
GRANT journalist to testuser@localhost;
 
 
SELECT  * from mysql.roles_mapping;
 
 
SET DEFAULT ROLE journalist for testuser@localhost;
 
 
connection slave;
 
--let $slave_sql_errno= 1959
 
--let $slave_timeout=5
 
source include/wait_for_slave_sql_error.inc;
 
 
let $error= query_get_value(SHOW SLAVE STATUS, Last_SQL_Error, 1);
 
--echo Last_SQL_Error = $error
 
let $errno= query_get_value(SHOW SLAVE STATUS, Last_SQL_Errno, 1);
 
--echo Last_SQL_Errno = $errno
 
let $repl_wild_filter= query_get_value(SHOW SLAVE STATUS, Replicate_Wild_Ignore_Table, 1);
 
--echo Replicate_Wild_Ignore_Table = $repl_wild_filter
 
 
# Clean up
 
source include/stop_slave_io.inc;
 
SET @@GLOBAL.replicate_wild_ignore_table="";
 
RESET SLAVE;
 
--let $rpl_only_running_threads= 1
 
 
connection master;
 
SET @@GLOBAL.replicate_wild_ignore_table="";
 
DROP ROLE journalist;
 
DROP USER testuser@localhost;
 
 
--source include/rpl_end.inc

Reproduced with:
10.2 9b2d36660bbb4f93c6b9e0761c91d57d47f59196
10.3 b208030ef5b4274fd66cc9667a2dc96f6e63db81
10.4 d16c3aca3c3ecd1050b2527c213f4fdf1959d9e2
10.5 1a66e3f861a722689a39f83919d1f1a5466f64bf
10.6 cad792c6862546a13b83f05209e7842a95bdc5fa
10.7 9e314fcf6e666ce6fdbdd8ca1ae23d6c4b389b21
10.8 6948abb94c6739101320d12ddec1d2daae929cc2
10.9 72a125058527126ae31c02851db0d1ca186706f7

 Comments   
Comment by Brandon Nesterenko [ 2022-04-27 ]

Hi Andrei! This is ready for (preliminary) review.

My analysis:
When replicating SET DEFAULT ROLE, the pre-update check (i.e. that in set_var_default_role::check()) tries to validate the existence of the given rules/user even when the targeted tables are ignored. When previously issued CREATE USER/ROLE commands are ignored by the replica because of the replication filtering rules, this results in an error because the targeted data does not exist.

The fix adds logic to check that the mysql.user and mysql.roles_mapping tables are not excluded by replication filters before checking that the exact rules/user exist from the SET DEFAULT ROLE command.

Patch: fe6631e

Comment by Andrei Elkin [ 2022-04-28 ]

Reviewed a poc commit.

Comment by Brandon Nesterenko [ 2022-04-29 ]

Hi Andrei!

This is ready for review.

Commit: 960223d (Patch based on pre-exec filtering logic)
New commit based on poc: a25fc24

Comment by Andrei Elkin [ 2022-08-19 ]

Agreed with the patch.

Comment by Andrei Elkin [ 2022-08-22 ]

Closing on the behalf of Brandon.

Comment by Andrei Elkin [ 2022-08-24 ]

For mergers, reviewers: the actual 10.4 merge branch is bb-10.4-MDEV-28294, not bb-10.4-MDEV-28294-merge that was created ago on the base of the initial patch version.

bnestere, when you're back, could you please review the merge work.

Generated at Thu Feb 08 09:59:36 UTC 2024 using Jira 8.20.16#820016-sha1:9d11dbea5f4be3d4cc21f03a88dd11d8c8687422.