[MDEV-33006] Missing required privilege CONNECTION ADMIN Created: 2023-12-12  Updated: 2023-12-13  Resolved: 2023-12-13

Status: Closed
Project: MariaDB Server
Component/s: Backup, Documentation, Replication
Affects Version/s: 10.11.4
Fix Version/s: 10.5.24, 10.6.17, 10.11.7, 11.0.5, 11.1.4, 11.2.3

Type: Bug Priority: Major
Reporter: Tim van Dijen Assignee: Daniel Black
Resolution: Fixed Votes: 0
Labels: None
Environment:

RedHat 8.9

Issue Links:
Problem/Incident
is caused by MDEV-23607 Warning: missing required privilege R... Closed

 Description   

Maybe this is just a documentation glitch, but when I set up a backup-user with the privileges as described here and then run mariabackup under this user, I see `Missing required privilege CONNECTION ADMIN`.

Now, I don't mind adding this privilege for the backup-user, but the fact that the documentation doesn't mention this makes me wonder if I'm doing something wrong..

Now because I'm running a Galera-cluster using mariabackup as SST-method, and SST-documentation states that "The user account that performs the backup for the SST needs to have the same privileges as Mariabackup, which are the RELOAD , PROCESS, LOCK TABLES and REPLICATION CLIENT global privileges.", I'm wondering if I also should be adding the `CONNECTION ADMIN` privilege to the SST-user..

.. or am I just chasing a red herring, since everything seems to be running smooth? It's all a bit confusing to me.

 Comments   
Comment by Sergei Golubchik [ 2023-12-12 ]

According to the code

extra/mariabackup/xtrabackup.cc

 
if (!opt_no_lock && (opt_kill_long_queries_timeout || opt_kill_long_query_type)) {
 
	check_result |= check_privilege(
 
		granted_privileges,
 
		"CONNECTION ADMIN", "*", "*",
 
		PRIVILEGE_WARNING);

it needs CONNECTION ADMIN privilege to kill long queries. Which is used if you have not specified --no-lock and specified --kill-long-queries-timeout or --kill-long-query-type.

Comment by Daniel Black [ 2023-12-13 ]

SST page updated to have BINLOG MONITOR instead of REPLICATION client for 10.5+ per MDEV-23607.

As the SST doesn't use the options serg listed above, no CONNECTION ADMIN is needed for SST.

CONNECTION ADMIN documented on mariadb-overview page per requirements.

--kill-log-query-type being an enum could be 0 for "ALL", but the CONNECTION ADMIN appears to be required. Fixing now.

Thanks for the bug report.

Comment by Daniel Black [ 2023-12-13 ]

Given docs are fixed, I'm repurposing this task to fix the bug noticed in the highlighted code, about it not giving a "missing required privileges CONNECTION ADMIN" warning.

https://github.com/MariaDB/server/pull/2929

Generated at Thu Feb 08 10:35:41 UTC 2024 using Jira 8.20.16#820016-sha1:9d11dbea5f4be3d4cc21f03a88dd11d8c8687422.