Commit faab0d31 authored by Alexander Barkov's avatar Alexander Barkov

MDEV-22012 Allow SET TIMESTAMP for users with GRANT BINLOG REPLAY when...

MDEV-22012 Allow SET TIMESTAMP for users with GRANT BINLOG REPLAY when --secure-timestamp=replication
parent 02fe9975
...@@ -7,13 +7,40 @@ source include/master-slave.inc; ...@@ -7,13 +7,40 @@ source include/master-slave.inc;
connection slave; connection slave;
select @@secure_timestamp; select @@secure_timestamp;
### SUPER --echo ### ALL PRIVILEGES
disable_abort_on_error;
set timestamp=1234567890.101112;
enable_abort_on_error;
select if(now(6) > 20100101, 'READONLY', 'EDITABLE') as 'ALL PRIVILEGES';
set timestamp=default;
--echo ### SUPER
create user foo@127.0.0.1;
grant super on *.* TO `foo`@`127.0.0.1`;
connect con2,127.0.0.1,foo,,test,$SLAVE_MYPORT;
disable_abort_on_error; disable_abort_on_error;
set timestamp=1234567890.101112; set timestamp=1234567890.101112;
enable_abort_on_error; enable_abort_on_error;
select if(now(6) > 20100101, 'READONLY', 'EDITABLE') as 'SUPER'; select if(now(6) > 20100101, 'READONLY', 'EDITABLE') as 'SUPER';
disconnect con2;
connection slave;
drop user foo@127.0.0.1;
set timestamp=default;
--echo ### BINLOG REPLAY
create user foo@127.0.0.1;
grant binlog replay on *.* TO `foo`@`127.0.0.1`;
connect con2,127.0.0.1,foo,,test,$SLAVE_MYPORT;
disable_abort_on_error;
set timestamp=1234567890.101112;
enable_abort_on_error;
select if(now(6) > 20100101, 'READONLY', 'EDITABLE') as 'BINLOG REPLAY';
disconnect con2;
connection slave;
drop user foo@127.0.0.1;
set timestamp=default;
### non-privileged user --echo ### non-privileged user
create user foo@127.0.0.1; create user foo@127.0.0.1;
connect con2,127.0.0.1,foo,,test,$SLAVE_MYPORT; connect con2,127.0.0.1,foo,,test,$SLAVE_MYPORT;
disable_abort_on_error; disable_abort_on_error;
...@@ -23,6 +50,7 @@ select if(now(6) > 20100101, 'READONLY', 'EDITABLE') as 'non-privileged'; ...@@ -23,6 +50,7 @@ select if(now(6) > 20100101, 'READONLY', 'EDITABLE') as 'non-privileged';
disconnect con2; disconnect con2;
connection slave; connection slave;
drop user foo@127.0.0.1; drop user foo@127.0.0.1;
set timestamp=default;
### replication ### replication
connection master; connection master;
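Review bot: The added blocks wrap `set timestamp=1234567890.101112;` in `disable_abort_on_error` / `enable_abort_on_error` without a comment saying why a fixed `--error` is not used, so a reader of this file cannot tell which outcome is expected for each privilege. The per-mode results on this page show the same statement succeeding or failing depending on `@@secure_timestamp`, which is presumably the reason; a header comment such as `# Outcome depends on --secure-timestamp; any error is checked through the recorded .result` would make that explicit. The `set timestamp=default;` after each `drop user` also runs on the slave connection, whose timestamp was already reset at the end of the ALL PRIVILEGES block, so it looks redundant in the SUPER, BINLOG REPLAY and non-privileged blocks.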
......
...@@ -4,10 +4,37 @@ connection slave; ...@@ -4,10 +4,37 @@ connection slave;
select @@secure_timestamp; select @@secure_timestamp;
@@secure_timestamp @@secure_timestamp
NO NO
### ALL PRIVILEGES
set timestamp=1234567890.101112;
select if(now(6) > 20100101, 'READONLY', 'EDITABLE') as 'ALL PRIVILEGES';
ALL PRIVILEGES
EDITABLE
set timestamp=default;
### SUPER
create user foo@127.0.0.1;
grant super on *.* TO `foo`@`127.0.0.1`;
connect con2,127.0.0.1,foo,,test,$SLAVE_MYPORT;
set timestamp=1234567890.101112; set timestamp=1234567890.101112;
select if(now(6) > 20100101, 'READONLY', 'EDITABLE') as 'SUPER'; select if(now(6) > 20100101, 'READONLY', 'EDITABLE') as 'SUPER';
SUPER SUPER
EDITABLE EDITABLE
disconnect con2;
connection slave;
drop user foo@127.0.0.1;
set timestamp=default;
### BINLOG REPLAY
create user foo@127.0.0.1;
grant binlog replay on *.* TO `foo`@`127.0.0.1`;
connect con2,127.0.0.1,foo,,test,$SLAVE_MYPORT;
set timestamp=1234567890.101112;
select if(now(6) > 20100101, 'READONLY', 'EDITABLE') as 'BINLOG REPLAY';
BINLOG REPLAY
EDITABLE
disconnect con2;
connection slave;
drop user foo@127.0.0.1;
set timestamp=default;
### non-privileged user
create user foo@127.0.0.1; create user foo@127.0.0.1;
connect con2,127.0.0.1,foo,,test,$SLAVE_MYPORT; connect con2,127.0.0.1,foo,,test,$SLAVE_MYPORT;
set timestamp=1234567890.101112; set timestamp=1234567890.101112;
...@@ -17,6 +44,7 @@ EDITABLE ...@@ -17,6 +44,7 @@ EDITABLE
disconnect con2; disconnect con2;
connection slave; connection slave;
drop user foo@127.0.0.1; drop user foo@127.0.0.1;
set timestamp=default;
connection master; connection master;
set time_zone='+00:00'; set time_zone='+00:00';
set timestamp=1234567890.101112; set timestamp=1234567890.101112;
......
...@@ -4,21 +4,49 @@ connection slave; ...@@ -4,21 +4,49 @@ connection slave;
select @@secure_timestamp; select @@secure_timestamp;
@@secure_timestamp @@secure_timestamp
REPLICATION REPLICATION
### ALL PRIVILEGES
set timestamp=1234567890.101112; set timestamp=1234567890.101112;
ERROR HY000: The MariaDB server is running with the --secure-timestamp=REPLICATION option so it cannot execute this statement select if(now(6) > 20100101, 'READONLY', 'EDITABLE') as 'ALL PRIVILEGES';
ALL PRIVILEGES
EDITABLE
set timestamp=default;
### SUPER
create user foo@127.0.0.1;
grant super on *.* TO `foo`@`127.0.0.1`;
connect con2,127.0.0.1,foo,,test,$SLAVE_MYPORT;
set timestamp=1234567890.101112;
ERROR 42000: Access denied; you need (at least one of) the BINLOG REPLAY privilege(s) for this operation
select if(now(6) > 20100101, 'READONLY', 'EDITABLE') as 'SUPER'; select if(now(6) > 20100101, 'READONLY', 'EDITABLE') as 'SUPER';
SUPER SUPER
READONLY READONLY
disconnect con2;
connection slave;
drop user foo@127.0.0.1;
set timestamp=default;
### BINLOG REPLAY
create user foo@127.0.0.1;
grant binlog replay on *.* TO `foo`@`127.0.0.1`;
connect con2,127.0.0.1,foo,,test,$SLAVE_MYPORT;
set timestamp=1234567890.101112;
select if(now(6) > 20100101, 'READONLY', 'EDITABLE') as 'BINLOG REPLAY';
BINLOG REPLAY
EDITABLE
disconnect con2;
connection slave;
drop user foo@127.0.0.1;
set timestamp=default;
### non-privileged user
create user foo@127.0.0.1; create user foo@127.0.0.1;
connect con2,127.0.0.1,foo,,test,$SLAVE_MYPORT; connect con2,127.0.0.1,foo,,test,$SLAVE_MYPORT;
set timestamp=1234567890.101112; set timestamp=1234567890.101112;
ERROR HY000: The MariaDB server is running with the --secure-timestamp=REPLICATION option so it cannot execute this statement ERROR 42000: Access denied; you need (at least one of) the BINLOG REPLAY privilege(s) for this operation
select if(now(6) > 20100101, 'READONLY', 'EDITABLE') as 'non-privileged'; select if(now(6) > 20100101, 'READONLY', 'EDITABLE') as 'non-privileged';
non-privileged non-privileged
READONLY READONLY
disconnect con2; disconnect con2;
connection slave; connection slave;
drop user foo@127.0.0.1; drop user foo@127.0.0.1;
set timestamp=default;
connection master; connection master;
set time_zone='+00:00'; set time_zone='+00:00';
set timestamp=1234567890.101112; set timestamp=1234567890.101112;
......
...@@ -4,10 +4,37 @@ connection slave; ...@@ -4,10 +4,37 @@ connection slave;
select @@secure_timestamp; select @@secure_timestamp;
@@secure_timestamp @@secure_timestamp
SUPER SUPER
### ALL PRIVILEGES
set timestamp=1234567890.101112;
select if(now(6) > 20100101, 'READONLY', 'EDITABLE') as 'ALL PRIVILEGES';
ALL PRIVILEGES
EDITABLE
set timestamp=default;
### SUPER
create user foo@127.0.0.1;
grant super on *.* TO `foo`@`127.0.0.1`;
connect con2,127.0.0.1,foo,,test,$SLAVE_MYPORT;
set timestamp=1234567890.101112; set timestamp=1234567890.101112;
select if(now(6) > 20100101, 'READONLY', 'EDITABLE') as 'SUPER'; select if(now(6) > 20100101, 'READONLY', 'EDITABLE') as 'SUPER';
SUPER SUPER
EDITABLE EDITABLE
disconnect con2;
connection slave;
drop user foo@127.0.0.1;
set timestamp=default;
### BINLOG REPLAY
create user foo@127.0.0.1;
grant binlog replay on *.* TO `foo`@`127.0.0.1`;
connect con2,127.0.0.1,foo,,test,$SLAVE_MYPORT;
set timestamp=1234567890.101112;
select if(now(6) > 20100101, 'READONLY', 'EDITABLE') as 'BINLOG REPLAY';
BINLOG REPLAY
EDITABLE
disconnect con2;
connection slave;
drop user foo@127.0.0.1;
set timestamp=default;
### non-privileged user
create user foo@127.0.0.1; create user foo@127.0.0.1;
connect con2,127.0.0.1,foo,,test,$SLAVE_MYPORT; connect con2,127.0.0.1,foo,,test,$SLAVE_MYPORT;
set timestamp=1234567890.101112; set timestamp=1234567890.101112;
...@@ -18,6 +45,7 @@ READONLY ...@@ -18,6 +45,7 @@ READONLY
disconnect con2; disconnect con2;
connection slave; connection slave;
drop user foo@127.0.0.1; drop user foo@127.0.0.1;
set timestamp=default;
connection master; connection master;
set time_zone='+00:00'; set time_zone='+00:00';
set timestamp=1234567890.101112; set timestamp=1234567890.101112;
......
...@@ -4,11 +4,40 @@ connection slave; ...@@ -4,11 +4,40 @@ connection slave;
select @@secure_timestamp; select @@secure_timestamp;
@@secure_timestamp @@secure_timestamp
YES YES
### ALL PRIVILEGES
set timestamp=1234567890.101112;
ERROR HY000: The MariaDB server is running with the --secure-timestamp=YES option so it cannot execute this statement
select if(now(6) > 20100101, 'READONLY', 'EDITABLE') as 'ALL PRIVILEGES';
ALL PRIVILEGES
READONLY
set timestamp=default;
### SUPER
create user foo@127.0.0.1;
grant super on *.* TO `foo`@`127.0.0.1`;
connect con2,127.0.0.1,foo,,test,$SLAVE_MYPORT;
set timestamp=1234567890.101112; set timestamp=1234567890.101112;
ERROR HY000: The MariaDB server is running with the --secure-timestamp=YES option so it cannot execute this statement ERROR HY000: The MariaDB server is running with the --secure-timestamp=YES option so it cannot execute this statement
select if(now(6) > 20100101, 'READONLY', 'EDITABLE') as 'SUPER'; select if(now(6) > 20100101, 'READONLY', 'EDITABLE') as 'SUPER';
SUPER SUPER
READONLY READONLY
disconnect con2;
connection slave;
drop user foo@127.0.0.1;
set timestamp=default;
### BINLOG REPLAY
create user foo@127.0.0.1;
grant binlog replay on *.* TO `foo`@`127.0.0.1`;
connect con2,127.0.0.1,foo,,test,$SLAVE_MYPORT;
set timestamp=1234567890.101112;
ERROR HY000: The MariaDB server is running with the --secure-timestamp=YES option so it cannot execute this statement
select if(now(6) > 20100101, 'READONLY', 'EDITABLE') as 'BINLOG REPLAY';
BINLOG REPLAY
READONLY
disconnect con2;
connection slave;
drop user foo@127.0.0.1;
set timestamp=default;
### non-privileged user
create user foo@127.0.0.1; create user foo@127.0.0.1;
connect con2,127.0.0.1,foo,,test,$SLAVE_MYPORT; connect con2,127.0.0.1,foo,,test,$SLAVE_MYPORT;
set timestamp=1234567890.101112; set timestamp=1234567890.101112;
...@@ -19,6 +48,7 @@ READONLY ...@@ -19,6 +48,7 @@ READONLY
disconnect con2; disconnect con2;
connection slave; connection slave;
drop user foo@127.0.0.1; drop user foo@127.0.0.1;
set timestamp=default;
connection master; connection master;
set time_zone='+00:00'; set time_zone='+00:00';
set timestamp=1234567890.101112; set timestamp=1234567890.101112;
......
...@@ -4598,10 +4598,7 @@ bool Sys_var_timestamp::on_check_access_session(THD *thd) const ...@@ -4598,10 +4598,7 @@ bool Sys_var_timestamp::on_check_access_session(THD *thd) const
case SECTIME_SUPER: case SECTIME_SUPER:
return check_global_access(thd, SUPER_ACL | BINLOG_REPLAY_ACL); return check_global_access(thd, SUPER_ACL | BINLOG_REPLAY_ACL);
case SECTIME_REPL: case SECTIME_REPL:
/*
Perhaps we eventually should do this here:
return check_global_access(thd, BINLOG_REPLAY_ACL); return check_global_access(thd, BINLOG_REPLAY_ACL);
*/
case SECTIME_YES: case SECTIME_YES:
break; break;
} }
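Review bot: The `SECTIME_REPL` branch now has no comment stating the access rule it enforces, which is the security-relevant part of this change. Under `--secure-timestamp=REPLICATION` any client holding BINLOG REPLAY can set `@@timestamp`, while SUPER alone is refused; the REPLICATION result on this page shows both. I would add `/* REPLICATION: a client session needs BINLOG REPLAY; SUPER alone is not sufficient */` above the `return`. Returning directly also changes what a denied client sees from the HY000 option message to `ERROR 42000: Access denied`, as the non-privileged case in that result shows, so anything matching on the old error needs updating. The function begins and ends outside this hunk, so the handling after the `switch` for `SECTIME_YES` is not visible here.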
......