[MDEV-29596] Separate SUPER and READ ONLY ADMIN privileges Created: 2022-09-21  Updated: 2023-08-07  Resolved: 2022-09-29

Status: Closed
Project: MariaDB Server
Component/s: Authentication and Privilege System
Fix Version/s: 10.11.1

Type: Task Priority: Critical
Reporter: Michael Widenius Assignee: Sergei Golubchik
Resolution: Fixed Votes: 0
Labels: Preview_10.11

Issue Links:
PartOf
is part of MDEV-29547 prepare 10.11.0 preview releases Closed
Problem/Incident
causes MDEV-29632 SUPER users created before 10.11 shou... Closed
causes MDEV-29641 Help topics say SUPER is required to ... Open
Relates
relates to MDEV-9458 FR: Super read-only mode Closed
relates to MDEV-29668 SUPER should not allow actions that h... Closed

 Description   

Remove READ ONLY ADMIN from the SUPER privilege

The benefit of this is that one can remove the READ ONLY ADMIN privilege
from all users and this way ensure that no one can do any changes on
any non-temporary tables.

This is good option to use on slaves when one wants to ensure that the
slave is kept identical to the master.

 Comments   
Comment by Michael Widenius [ 2022-09-21 ]

Pushed to bb-10.11-MDEV-29596

Comment by Elena Stepanova [ 2022-09-27 ]

I have no objections against pushing it as of bb-10.11-MDEV-29596 07581249 (that is, with the fix for MDEV-29632 in addition to the preview commit) into main 10.11 and releasing with 10.11.1.

Documentation and help topics will need to be updated to reflect the change in SUPER capabilities, but as explained in MDEV-29641, it is usually done asynchronously with releases, so it cannot be a blocker for the feature.

Note: In OM=>NS replication, if a user with SUPER privilege is created on the master, it will have READ_ONLY ADMIN privilege, while the replicated user on the replica will not. I don't consider it a bug and the scenario is probably of a low importance, I will leave it to the documentation team to decide whether it should be mentioned anywhere (FYI greenman).

Generated at Thu Feb 08 10:09:50 UTC 2024 using Jira 8.20.16#820016-sha1:9d11dbea5f4be3d4cc21f03a88dd11d8c8687422.