MDEV-22057 REPLICATION MASTER ADMIN is missing in root account after upgrade

f991c416 · Alexander Barkov · d3bdc30c · f991c416 · f991c416 · f991c416
Commit f991c416 authored Mar 27, 2020 by Alexander Barkov
4 changed files
--- a/mysql-test/main/mysql_upgrade_to_100502.result
+++ b/mysql-test/main/mysql_upgrade_to_100502.result
+#
+#  MDEV-22057 REPLICATION MASTER ADMIN is missing in root account after upgrade
+#
+DROP VIEW mysql.user_bak;
+FLUSH PRIVILEGES;
+CREATE USER user_all@localhost;
+GRANT ALL PRIVILEGES ON *.* TO user_all@localhost WITH GRANT OPTION;
+SHOW GRANTS FOR user_all@localhost;
+Grants for user_all@localhost
+GRANT ALL PRIVILEGES ON *.* TO `user_all`@`localhost` WITH GRANT OPTION
+CREATE USER user_super@localhost;
+GRANT SUPER ON *.* TO user_super@localhost;
+SHOW GRANTS FOR user_super@localhost;
+Grants for user_super@localhost
+GRANT SUPER, SET USER, FEDERATED ADMIN, CONNECTION ADMIN, READ_ONLY ADMIN, REPLICATION SLAVE ADMIN, BINLOG ADMIN, BINLOG REPLAY ON *.* TO `user_super`@`localhost`
+CREATE USER user_super_replslave@localhost;
+GRANT SUPER, REPLICATION SLAVE ON *.* TO user_super_replslave@localhost;
+SHOW GRANTS FOR user_super_replslave@localhost;
+Grants for user_super_replslave@localhost
+GRANT SUPER, REPLICATION SLAVE, SET USER, FEDERATED ADMIN, CONNECTION ADMIN, READ_ONLY ADMIN, REPLICATION SLAVE ADMIN, REPLICATION MASTER ADMIN, BINLOG ADMIN, BINLOG REPLAY ON *.* TO `user_super_replslave`@`localhost`
+# mysql_upgrade --force --silent 2>&1
+FLUSH PRIVILEGES;
+#
+# Should get ALL PRIVILEGES WITH GRANT OPTION
+#
+SHOW GRANTS FOR user_all@localhost;
+Grants for user_all@localhost
+GRANT ALL PRIVILEGES ON *.* TO `user_all`@`localhost` WITH GRANT OPTION
+#
+# Should automatically get all new 10.5.2 priveleges that were splitted from SUPER
+#
+SHOW GRANTS FOR user_super@localhost;
+Grants for user_super@localhost
+GRANT SUPER, SET USER, FEDERATED ADMIN, CONNECTION ADMIN, READ_ONLY ADMIN, REPLICATION SLAVE ADMIN, BINLOG ADMIN, BINLOG REPLAY ON *.* TO `user_super`@`localhost`
+#
+# Should automatically get all new 10.5.2 priveleges that were splitted from SUPER, plus REPLICATION MASTER ADMIN
+#
+SHOW GRANTS FOR user_super_replslave@localhost;
+Grants for user_super_replslave@localhost
+GRANT SUPER, REPLICATION SLAVE, SET USER, FEDERATED ADMIN, CONNECTION ADMIN, READ_ONLY ADMIN, REPLICATION SLAVE ADMIN, REPLICATION MASTER ADMIN, BINLOG ADMIN, BINLOG REPLAY ON *.* TO `user_super_replslave`@`localhost`
+SELECT
+json_value(Priv, '$.version_id'),
+json_value(Priv, '$.access'),
+user
+FROM
+mysql.global_priv
+WHERE
+host='localhost'
+AND
+user LIKE 'user_%';
+json_value(Priv, '$.version_id')	json_value(Priv, '$.access')	user
+NULL	1073741823	user_all
+NULL	32768	user_super
+NULL	557056	user_super_replslave
+DROP TABLE mysql.global_priv;
+RENAME TABLE mysql.global_priv_bak TO mysql.global_priv;
+FLUSH PRIVILEGES;
--- a/mysql-test/main/mysql_upgrade_to_100502.test
+++ b/mysql-test/main/mysql_upgrade_to_100502.test
+-- source include/mysql_upgrade_preparation.inc
+-- source include/have_working_dns.inc
+-- source include/have_innodb.inc
+-- source include/have_partition.inc
+let $MYSQLD_DATADIR= `select @@datadir`;
+
+
+--echo #
+--echo #  MDEV-22057 REPLICATION MASTER ADMIN is missing in root account after upgrade
+--echo #
+
+--source include/switch_to_mysql_user.inc
+DROP VIEW mysql.user_bak;
+FLUSH PRIVILEGES;
+
+CREATE USER user_all@localhost;
+GRANT ALL PRIVILEGES ON *.* TO user_all@localhost WITH GRANT OPTION;
+SHOW GRANTS FOR user_all@localhost;
+
+CREATE USER user_super@localhost;
+GRANT SUPER ON *.* TO user_super@localhost;
+SHOW GRANTS FOR user_super@localhost;
+
+CREATE USER user_super_replslave@localhost;
+GRANT SUPER, REPLICATION SLAVE ON *.* TO user_super_replslave@localhost;
+SHOW GRANTS FOR user_super_replslave@localhost;
+
+
+--echo # mysql_upgrade --force --silent 2>&1
+--exec $MYSQL_UPGRADE --force --silent 2>&1
+--remove_file $MYSQLD_DATADIR/mysql_upgrade_info
+FLUSH PRIVILEGES;
+
+--echo #
+--echo # Should get ALL PRIVILEGES WITH GRANT OPTION
+--echo #
+SHOW GRANTS FOR user_all@localhost;
+
+--echo #
+--echo # Should automatically get all new 10.5.2 priveleges that were splitted from SUPER
+--echo #
+SHOW GRANTS FOR user_super@localhost;
+
+--echo #
+--echo # Should automatically get all new 10.5.2 priveleges that were splitted from SUPER, plus REPLICATION MASTER ADMIN
+--echo #
+SHOW GRANTS FOR user_super_replslave@localhost;
+
+SELECT
+  json_value(Priv, '$.version_id'),
+  json_value(Priv, '$.access'),
+  user
+FROM
+  mysql.global_priv
+WHERE
+  host='localhost'
+AND
+  user LIKE 'user_%';
+
+DROP TABLE mysql.global_priv;
+RENAME TABLE mysql.global_priv_bak TO mysql.global_priv;
+FLUSH PRIVILEGES;
--- a/mysql-test/main/system_mysql_db_error_log.result
+++ b/mysql-test/main/system_mysql_db_error_log.result
@@ -90,7 +90,7 @@ host='localhost' and user='good_version_id_100400';
 FLUSH PRIVILEGES;
 SHOW GRANTS FOR good_version_id_100400@localhost;
 Grants for good_version_id_100400@localhost
-GRANT SELECT, INSERT, UPDATE, DELETE, CREATE, DROP, RELOAD, SHUTDOWN, PROCESS, FILE, REFERENCES, INDEX, ALTER, SHOW DATABASES, SUPER, CREATE TEMPORARY TABLES, LOCK TABLES, EXECUTE, REPLICATION SLAVE, BINLOG MONITOR, CREATE VIEW, SHOW VIEW, CREATE ROUTINE, ALTER ROUTINE, CREATE USER, EVENT, TRIGGER, CREATE TABLESPACE, DELETE HISTORY, SET USER, FEDERATED ADMIN, CONNECTION ADMIN, READ_ONLY ADMIN, REPLICATION SLAVE ADMIN, BINLOG ADMIN, BINLOG REPLAY ON *.* TO `good_version_id_100400`@`localhost` WITH GRANT OPTION
+GRANT ALL PRIVILEGES ON *.* TO `good_version_id_100400`@`localhost` WITH GRANT OPTION
 GRANT REPLICATION MASTER ADMIN ON *.* TO good_version_id_100400@localhost;
 SHOW GRANTS FOR good_version_id_100400@localhost;
 Grants for good_version_id_100400@localhost

--- a/sql/sql_acl.cc
+++ b/sql/sql_acl.cc
@@ -1525,8 +1525,26 @@ class User_table_json: public User_table
    }
    else // 100501 or earlier
    {
+      /*
+        Address changes in SUPER and REPLICATION SLAVE made in 10.5.2.
+        This also covers a special case: if the user had ALL PRIVILEGES before
+        the upgrade, it gets ALL PRIVILEGES after the upgrade.
+      */
      if (access & SUPER_ACL)
+      {
+        if (access & REPL_SLAVE_ACL)
+        {
+          /*
+            The user could do both before the upgrade:
+            - set global variables       (because of SUPER_ACL)
+            - execute "SHOW SLAVE HOSTS" (because of REPL_SLAVE_ACL)
+            Grant all new privileges that were splitted from SUPER (in 10.5.2),
+            and REPLICATION MASTER ADMIN, so it still can do "SHOW SLAVE HOSTS".
+          */
+          access|= REPL_MASTER_ADMIN_ACL;
+        }
        access|= GLOBAL_SUPER_ADDED_SINCE_USER_TABLE_ACLS;
+      }
    }

    if (orig_access & ~mask)