MDEV-25030 Upgrade to 10.5.9 breaks root's ability to grant

mysql-test/main/grant_slave_monitor.result

@@ -53,3 +53,23 @@ ERROR 42000: Access denied; you need (at least one of) the SLAVE MONITOR privile
 disconnect con1;
 connection default;
 DROP USER user1@localhost;
+#
+# MDEV-25030 Upgrade to 10.5.9 breaks root's ability to grant
+#
+insert mysql.global_priv values ('bar', 'foo7', '{"access":274877906943,"version_id":100507,"plugin":"mysql_native_password","authentication_string":""}'),
+('bar', 'foo8', '{"access":274877906943,"version_id":100508,"plugin":"mysql_native_password","authentication_string":""}'),
+('bar', 'foo9', '{"access":274877906943,"version_id":100509,"plugin":"mysql_native_password","authentication_string":""}');
+flush privileges;
+show grants for foo7@bar;
+Grants for foo7@bar
+GRANT ALL PRIVILEGES ON *.* TO `foo7`@`bar` WITH GRANT OPTION
+show grants for foo8@bar;
+Grants for foo8@bar
+GRANT ALL PRIVILEGES ON *.* TO `foo8`@`bar` WITH GRANT OPTION
+show grants for foo9@bar;
+Grants for foo9@bar
+GRANT SELECT, INSERT, UPDATE, DELETE, CREATE, DROP, RELOAD, SHUTDOWN, PROCESS, FILE, REFERENCES, INDEX, ALTER, SHOW DATABASES, SUPER, CREATE TEMPORARY TABLES, LOCK TABLES, EXECUTE, REPLICATION SLAVE, BINLOG MONITOR, CREATE VIEW, SHOW VIEW, CREATE ROUTINE, ALTER ROUTINE, CREATE USER, EVENT, TRIGGER, CREATE TABLESPACE, DELETE HISTORY, SET USER, FEDERATED ADMIN, CONNECTION ADMIN, READ_ONLY ADMIN, REPLICATION SLAVE ADMIN, REPLICATION MASTER ADMIN, BINLOG ADMIN, BINLOG REPLAY ON *.* TO `foo9`@`bar` WITH GRANT OPTION
+drop user foo7@bar, foo8@bar, foo9@bar;
+#
+# End of 10.5 tests
+#

mysql-test/main/grant_slave_monitor.test

@@ -99,3 +99,19 @@ SHOW RELAYLOG EVENTS;
 
 --connection default
 DROP USER user1@localhost;
+
+--echo #
+--echo # MDEV-25030 Upgrade to 10.5.9 breaks root's ability to grant
+--echo #
+insert mysql.global_priv values ('bar', 'foo7', '{"access":274877906943,"version_id":100507,"plugin":"mysql_native_password","authentication_string":""}'),
+                                ('bar', 'foo8', '{"access":274877906943,"version_id":100508,"plugin":"mysql_native_password","authentication_string":""}'),
+                                ('bar', 'foo9', '{"access":274877906943,"version_id":100509,"plugin":"mysql_native_password","authentication_string":""}');
+flush privileges;
+show grants for foo7@bar;
+show grants for foo8@bar;
+show grants for foo9@bar;
+drop user foo7@bar, foo8@bar, foo9@bar;
+
+--echo #
+--echo # End of 10.5 tests
+--echo #

sql/privilege.h

@@ -121,6 +121,9 @@ constexpr privilege_t ALL_KNOWN_ACL_100502= ALL_KNOWN_BITS(LAST_100502_ACL);
 
 // A combination of all bits defined in 10.5.8
 constexpr privilege_t ALL_KNOWN_ACL_100508= ALL_KNOWN_BITS(LAST_100508_ACL);
+// unfortunately, SLAVE_MONITOR_ACL was added in 10.5.9, but also in 10.5.8-5
+// let's stay compatible with that branch too.
+constexpr privilege_t ALL_KNOWN_ACL_100509= ALL_KNOWN_ACL_100508;
 
 // A combination of all bits defined as of the current version
 constexpr privilege_t ALL_KNOWN_ACL= ALL_KNOWN_BITS(LAST_CURRENT_ACL);

sql/sql_acl.cc

@@ -1531,13 +1531,18 @@ class User_table_json: public User_table
   {
     privilege_t mask= ALL_KNOWN_ACL_100304;
     ulonglong orig_access= access;
-    if (version_id >= 100508)
+    if (version_id >= 100509)
     {
-      mask= ALL_KNOWN_ACL_100508;
+      mask= ALL_KNOWN_ACL_100509;
     }
-    else if (version_id >= 100502 && version_id < 100508)
+    else if (version_id >= 100502)
     {
-      mask= ALL_KNOWN_ACL_100502;
+      if (version_id >= 100508)
+        mask= ALL_KNOWN_ACL_100508;
+      else
+        mask= ALL_KNOWN_ACL_100502;
+      if (access & REPL_SLAVE_ADMIN_ACL)
+        access|= SLAVE_MONITOR_ACL;
     }
     else // 100501 or earlier
     {