[MDEV-29668] SUPER should not allow actions that have fine-grained dedicated privileges Created: 2022-09-29  Updated: 2023-08-07  Resolved: 2023-02-06

Status: Closed
Project: MariaDB Server
Component/s: Authentication and Privilege System
Fix Version/s: 11.0.1

Type: Task Priority: Critical
Reporter: Sergei Golubchik Assignee: Sergei Golubchik
Resolution: Fixed Votes: 0
Labels: Preview_11.0

Issue Links:
Problem/Incident
causes MDEV-30582 GRANT replication from 10.x to 11.x Open
Relates
relates to MDEV-21743 Split up SUPER privilege to smaller p... Closed
relates to MDEV-29596 Separate SUPER and READ ONLY ADMIN pr... Closed

 Description   

After MDEV-21743 the SUPER privilege was split into many fine-grained privileges. But still, according to MDEV-21743

The SUPER privilege as such should still remain as an alias for all these smaller privileges

For example, to set a binlog format one needs either BINLOG ADMIN or SUPER privilege.

This task is about removing SUPER privilege check from all these actions that have a dedicated privilege. For example, one will need to have BINLOG ADMIN to change the binlog format, SUPER will not be sufficient anymore.

When upgrading from an older version everyone having SUPER should automatically get (for example) BINLOG ADMIN.

See how it was done in MDEV-29596

 Comments   
Comment by Alexander Barkov [ 2022-12-13 ]

Hi serg. The patch https://github.com/MariaDB/server/commit/ae4101eb7359f148938e604634685dcf2de93135 is OK to push.

A small cosmetic note:
Consider preserving "--echo # Start of X.Y tests" lines, in this patch and generally.

Comment by Sergei Golubchik [ 2022-12-27 ]

see the final version in the preview-11.0-preview branch

Comment by Alice Sherepa [ 2023-02-06 ]

It is ok to push it to the main branch

Generated at Thu Feb 08 10:10:22 UTC 2024 using Jira 8.20.16#820016-sha1:9d11dbea5f4be3d4cc21f03a88dd11d8c8687422.