From 3f4cd9ae077af69135efcb6adfd673ed09bf2f79 Mon Sep 17 00:00:00 2001
From: Evan Elias
Date: Mon, 20 Jul 2020 15:20:26 -0400
Subject: [PATCH] MariaDB 10.5: new BINLOG ADMIN priv allows setting sql_log_bin

This commit adjusts the logic behind Instance.CanSkipBinlog() to account for MariaDB 10.5's new BINLOG ADMIN privilege. Users with this privilege are able to set the session sql_log_bin variable without having SUPER. This privilege should not be confused with MySQL 8.0's similarly-named BINLOG_ADMIN priv (note the underscore), which does NOT allow manipulation of sql_log_bin.
---
 instance.go | 8 +++++++-
 instance_test.go | 3 ++-
 2 files changed, 9 insertions(+), 2 deletions(-)

diff --git a/instance.go b/instance.go
index 77fde89..e4408d7 100644
--- a/instance.go
+++ b/instance.go
@@ -254,7 +254,13 @@ func (instance *Instance) hydrateFlavorAndVersion() {
 instance.flavor = ParseFlavor(versionString, versionComment)
 }
 
-var reSkipBinlog = regexp.MustCompile(`(?:ALL PRIVILEGES ON \*\.\*|SUPER|SESSION_VARIABLES_ADMIN|SYSTEM_VARIABLES_ADMIN)[,\s]`)
+// Regular expression defining privileges that allow use of setting session
+// variable sql_log_bin. Note that SESSION_VARIABLES_ADMIN and
+// SYSTEM_VARIABLES_ADMIN are from MySQL 8.0+. Meanwhile BINLOG ADMIN is from
+// MariaDB 10.5+ as per https://jira.mariadb.org/browse/MDEV-21957; note the
+// space in the name (not to be confused with BINLOG_ADMIN with an underscore,
+// which is a MySQL 8.0 privilege which does NOT control sql_log_bin!)
+var reSkipBinlog = regexp.MustCompile(`(?:ALL PRIVILEGES ON \*\.\*|SUPER|SESSION_VARIABLES_ADMIN|SYSTEM_VARIABLES_ADMIN|BINLOG ADMIN)[,\s]`)
 
 // CanSkipBinlog returns true if instance.User has privileges necessary to
 // set sql_log_bin=0. If an error occurs in checking grants, this method returns
diff --git a/instance_test.go b/instance_test.go
index 3002a8c..257f80e 100644
--- a/instance_test.go
+++ b/instance_test.go
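Review bot: In instance.go the `reSkipBinlog` pattern is bounded only on the right by `[,\s]`, so each alternative, including the new `BINLOG ADMIN`, also matches as the tail of a longer token or inside a quoted database, user or role name that happens to contain the keyword followed by a space or comma. A false positive makes CanSkipBinlog report a capability the account lacks; presumably the later attempt to set sql_log_bin then fails, but the caller is outside this hunk, so that should be confirmed. Adding a left word boundary, `regexp.MustCompile(`\b(?:ALL PRIVILEGES ON \*\.\*|SUPER|SESSION_VARIABLES_ADMIN|SYSTEM_VARIABLES_ADMIN|BINLOG ADMIN)[,\s]`)`, closes the longer-token case. Restricting the match to the privilege list ahead of ` ON ` would also cover identifiers. The CanSkipBinlog doc comment and body continue past the end of the hunk.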
@@ -291,7 +291,7 @@ func (s TengoIntegrationSuite) TestInstanceCanSkipBinlog(t *testing.T) {
 noBinlogSkipGrants := []string{
 "GRANT USAGE ON *.* TO `foo`@`%`",
 "GRANT SELECT, INSERT, UPDATE, DELETE, CREATE, DROP, RELOAD, SHUTDOWN, PROCESS, FILE, REFERENCES, INDEX, ALTER, SHOW DATABASES, CREATE TEMPORARY TABLES, LOCK TABLES, EXECUTE, REPLICATION SLAVE, REPLICATION CLIENT, CREATE VIEW, SHOW VIEW, CREATE ROUTINE, ALTER ROUTINE, CREATE USER, EVENT, TRIGGER, CREATE TABLESPACE, CREATE ROLE, DROP ROLE ON *.* TO `foo`@`%`",
- "GRANT APPLICATION_PASSWORD_ADMIN,AUDIT_ADMIN,BACKUP_ADMIN,BINLOG_ENCRYPTION_ADMIN,CLONE_ADMIN,CONNECTION_ADMIN,ENCRYPTION_KEY_ADMIN,GROUP_REPLICATION_ADMIN,INNODB_REDO_LOG_ARCHIVE,PERSIST_RO_VARIABLES_ADMIN,REPLICATION_APPLIER,REPLICATION_SLAVE_ADMIN,RESOURCE_GROUP_ADMIN,RESOURCE_GROUP_USER,ROLE_ADMIN,SERVICE_CONNECTION_ADMIN,SET_USER_ID,SYSTEM_USER,TABLE_ENCRYPTION_ADMIN,XA_RECOVER_ADMIN ON *.* TO `foo`@`%`",
+ "GRANT APPLICATION_PASSWORD_ADMIN,AUDIT_ADMIN,BACKUP_ADMIN,BINLOG_ADMIN,BINLOG_ENCRYPTION_ADMIN,CLONE_ADMIN,CONNECTION_ADMIN,ENCRYPTION_KEY_ADMIN,GROUP_REPLICATION_ADMIN,INNODB_REDO_LOG_ARCHIVE,PERSIST_RO_VARIABLES_ADMIN,REPLICATION_APPLIER,REPLICATION_SLAVE_ADMIN,RESOURCE_GROUP_ADMIN,RESOURCE_GROUP_USER,ROLE_ADMIN,SERVICE_CONNECTION_ADMIN,SET_USER_ID,SYSTEM_USER,TABLE_ENCRYPTION_ADMIN,XA_RECOVER_ADMIN ON *.* TO `foo`@`%`",
 "GRANT ALL PRIVILEGES ON `blarg`.* TO `foo`@`%`",
 "GRANT PROXY ON ''@'' TO 'foo'@'%' WITH GRANT OPTION",
 }
@@ -306,6 +306,7 @@ func (s TengoIntegrationSuite) TestInstanceCanSkipBinlog(t *testing.T) {
 "GRANT ALL PRIVILEGES ON *.* TO `foo`@`%`",
 "GRANT SELECT, INSERT, UPDATE, DELETE, CREATE, DROP, RELOAD, SHUTDOWN, PROCESS, FILE, REFERENCES, INDEX, ALTER, SHOW DATABASES, SUPER, CREATE TEMPORARY TABLES, LOCK TABLES, EXECUTE, REPLICATION SLAVE, REPLICATION CLIENT, CREATE VIEW, SHOW VIEW, CREATE ROUTINE, ALTER ROUTINE, CREATE USER, EVENT, TRIGGER, CREATE TABLESPACE, CREATE ROLE, DROP ROLE ON *.* TO `foo`@`%`",
 "GRANT APPLICATION_PASSWORD_ADMIN,AUDIT_ADMIN,BACKUP_ADMIN,BINLOG_ADMIN,BINLOG_ENCRYPTION_ADMIN,CLONE_ADMIN,CONNECTION_ADMIN,ENCRYPTION_KEY_ADMIN,GROUP_REPLICATION_ADMIN,INNODB_REDO_LOG_ARCHIVE,PERSIST_RO_VARIABLES_ADMIN,REPLICATION_APPLIER,REPLICATION_SLAVE_ADMIN,RESOURCE_GROUP_ADMIN,RESOURCE_GROUP_USER,ROLE_ADMIN,SERVICE_CONNECTION_ADMIN,SESSION_VARIABLES_ADMIN,SET_USER_ID,SYSTEM_USER,SYSTEM_VARIABLES_ADMIN,TABLE_ENCRYPTION_ADMIN,XA_RECOVER_ADMIN ON *.* TO `foo`@`%`",
+ "GRANT BINLOG ADMIN ON *.* TO 'foo'@'%'", // MariaDB 10.5+, not to be confused with MySQL 8.0's BINLOG_ADMIN with an underscore!
 "GRANT SUPER ON *.* TO 'foo'@'%'",
 }
 for n, grant := range binlogSkipGrants {
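Review bot: The new positive case exercises `BINLOG ADMIN` only as a lone privilege followed by a space, so the comma branch of the `[,\s]` terminator is never hit for it, and MariaDB 10.5's other binlog privileges have no negative coverage. A constructed list-form entry such as `"GRANT SELECT, BINLOG ADMIN, BINLOG REPLAY ON *.* TO 'foo'@'%'",` in `binlogSkipGrants` would cover the comma case. A constructed entry such as `"GRANT BINLOG MONITOR, BINLOG REPLAY ON *.* TO 'foo'@'%'",` in `noBinlogSkipGrants` (the first hunk of this file) would pin that only BINLOG ADMIN grants the capability. The test function starts before and ends after both hunks, so how these strings reach the regex is assumed rather than visible.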