From b8fad8c6bffbc7e43796fffe607b23075cfc3e2b Mon Sep 17 00:00:00 2001
From: Sergei Golubchik
Date: Wed, 21 Apr 2021 12:51:39 +0200
Subject: [PATCH] MDEV-25030 Upgrade to 10.5.9 breaks root's ability to grant
---
 mysql-test/main/grant_slave_monitor.result | 20 ++++++++++++++++++++
 mysql-test/main/grant_slave_monitor.test | 16 ++++++++++++++++
 sql/privilege.h | 3 +++
 sql/sql_acl.cc | 13 +++++++++----
 4 files changed, 48 insertions(+), 4 deletions(-)
diff --git a/mysql-test/main/grant_slave_monitor.result b/mysql-test/main/grant_slave_monitor.result
index ea0b7d8094c..68df790074a 100644
--- a/mysql-test/main/grant_slave_monitor.result
+++ b/mysql-test/main/grant_slave_monitor.result
@@ -53,3 +53,23 @@ ERROR 42000: Access denied; you need (at least one of) the SLAVE MONITOR privile
 disconnect con1;
 connection default;
 DROP USER user1@localhost;
+#
+# MDEV-25030 Upgrade to 10.5.9 breaks root's ability to grant
+#
+insert mysql.global_priv values ('bar', 'foo7', '{"access":274877906943,"version_id":100507,"plugin":"mysql_native_password","authentication_string":""}'),
+('bar', 'foo8', '{"access":274877906943,"version_id":100508,"plugin":"mysql_native_password","authentication_string":""}'),
+('bar', 'foo9', '{"access":274877906943,"version_id":100509,"plugin":"mysql_native_password","authentication_string":""}');
+flush privileges;
+show grants for foo7@bar;
+Grants for foo7@bar
+GRANT ALL PRIVILEGES ON *.* TO `foo7`@`bar` WITH GRANT OPTION
+show grants for foo8@bar;
+Grants for foo8@bar
+GRANT ALL PRIVILEGES ON *.* TO `foo8`@`bar` WITH GRANT OPTION
+show grants for foo9@bar;
+Grants for foo9@bar
+GRANT SELECT, INSERT, UPDATE, DELETE, CREATE, DROP, RELOAD, SHUTDOWN, PROCESS, FILE, REFERENCES, INDEX, ALTER, SHOW DATABASES, SUPER, CREATE TEMPORARY TABLES, LOCK TABLES, EXECUTE, REPLICATION SLAVE, BINLOG MONITOR, CREATE VIEW, SHOW VIEW, CREATE ROUTINE, ALTER ROUTINE, CREATE USER, EVENT, TRIGGER, CREATE TABLESPACE, DELETE HISTORY, SET USER, FEDERATED ADMIN, CONNECTION ADMIN, READ_ONLY ADMIN, REPLICATION SLAVE ADMIN, REPLICATION MASTER ADMIN, BINLOG ADMIN, BINLOG REPLAY ON *.* TO `foo9`@`bar` WITH GRANT OPTION
+drop user foo7@bar, foo8@bar, foo9@bar;
+#
+# End of 10.5 tests
+#
diff --git a/mysql-test/main/grant_slave_monitor.test b/mysql-test/main/grant_slave_monitor.test
index 7dacaa36aee..af4399b7150 100644
--- a/mysql-test/main/grant_slave_monitor.test
+++ b/mysql-test/main/grant_slave_monitor.test
@@ -99,3 +99,19 @@ SHOW RELAYLOG EVENTS;
 --connection default
 DROP USER user1@localhost;
+
+--echo #
+--echo # MDEV-25030 Upgrade to 10.5.9 breaks root's ability to grant
+--echo #
+insert mysql.global_priv values ('bar', 'foo7', '{"access":274877906943,"version_id":100507,"plugin":"mysql_native_password","authentication_string":""}'),
+ ('bar', 'foo8', '{"access":274877906943,"version_id":100508,"plugin":"mysql_native_password","authentication_string":""}'),
+ ('bar', 'foo9', '{"access":274877906943,"version_id":100509,"plugin":"mysql_native_password","authentication_string":""}');
+flush privileges;
+show grants for foo7@bar;
+show grants for foo8@bar;
+show grants for foo9@bar;
+drop user foo7@bar, foo8@bar, foo9@bar;
+
+--echo #
+--echo # End of 10.5 tests
+--echo #
diff --git a/sql/privilege.h b/sql/privilege.h
index a2e75003c11..3e4c2526c6c 100644
--- a/sql/privilege.h
+++ b/sql/privilege.h
@@ -121,6 +121,9 @@ constexpr privilege_t ALL_KNOWN_ACL_100502= ALL_KNOWN_BITS(LAST_100502_ACL);
 // A combination of all bits defined in 10.5.8
 constexpr privilege_t ALL_KNOWN_ACL_100508= ALL_KNOWN_BITS(LAST_100508_ACL);
+// unfortunately, SLAVE_MONITOR_ACL was added in 10.5.9, but also in 10.5.8-5
+// let's stay compatible with that branch too.
+constexpr privilege_t ALL_KNOWN_ACL_100509= ALL_KNOWN_ACL_100508;
 // A combination of all bits defined as of the current version
 constexpr privilege_t ALL_KNOWN_ACL= ALL_KNOWN_BITS(LAST_CURRENT_ACL);
diff --git a/sql/sql_acl.cc b/sql/sql_acl.cc
index bba875d883c..a7fbdefd073 100644
--- a/sql/sql_acl.cc
+++ b/sql/sql_acl.cc
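Review bot: The three rows added to grant_slave_monitor.test all carry `"access":274877906943`, which is every bit below 2^38, so the test shows SLAVE MONITOR being added on upgrade but never shows it being withheld. Because the sql_acl.cc change in this commit widens the stored privilege set while loading it, a negative case is worth pinning: a row with `version_id` 100508 whose access lacks the REPLICATION SLAVE ADMIN bit, with `show grants` expected not to list SLAVE MONITOR. Something like `('bar', 'foo6', '{"access":<ACCESS_WITHOUT_REPL_SLAVE_ADMIN>,"version_id":100508,"plugin":"mysql_native_password","authentication_string":""}')` would do, where the placeholder stands for a mask computed from the bit layout in privilege.h, which this page does not show.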
@@ -1531,13 +1531,18 @@ class User_table_json: public User_table
 {
 privilege_t mask= ALL_KNOWN_ACL_100304;
 ulonglong orig_access= access;
- if (version_id >= 100508)
+ if (version_id >= 100509)
 {
- mask= ALL_KNOWN_ACL_100508;
+ mask= ALL_KNOWN_ACL_100509;
 }
- else if (version_id >= 100502 && version_id < 100508)
+ else if (version_id >= 100502)
 {
- mask= ALL_KNOWN_ACL_100502;
+ if (version_id >= 100508)
+ mask= ALL_KNOWN_ACL_100508;
+ else
+ mask= ALL_KNOWN_ACL_100502;
+ if (access & REPL_SLAVE_ADMIN_ACL)
+ access|= SLAVE_MONITOR_ACL;
 }
 else // 100501 or earlier
 {
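Review bot: The added `if (access & REPL_SLAVE_ADMIN_ACL) access|= SLAVE_MONITOR_ACL;` in the `version_id >= 100502` branch widens a stored privilege set at load time with no comment explaining why, and it also runs for rows with `version_id` 100508. The privilege.h comment in this commit says SLAVE_MONITOR_ACL already existed in 10.5.8-5. If that branch also writes 100508, a row in which SLAVE MONITOR was deliberately withheld from a REPLICATION SLAVE ADMIN holder would get it back here, because the two origins cannot be told apart. If that trade-off is intended, state it at the site, e.g. `// rows older than 10.5.9: REPLICATION SLAVE ADMIN implies SLAVE MONITOR after upgrade; 10.5.8-5 rows that withheld it cannot be distinguished and regain it`. The enclosing function starts and ends outside the hunk, so whether the later validity check tests `orig_access` or the widened `access` against `mask` is not visible here.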