WL#6236: Allow SHOW MASTER LOGS and SHOW BINARY LOGS with REPLICATION CLIENT

Currently SHOW MASTER LOGS and SHOW BINARY LOGS require the SUPER privilege. Monitoring tools (such as MEM) often want to check this output - for instance MEM generates the SUM of the sizes of the logs reported here, and puts that in the Replication overview within the MEM Dashboard. However, because of the SUPER requirement, these tools often have an account that holds open the connection whilst monitoring, and can lock out administrators when the server gets overloaded and reaches max_connections - there is already another SUPER privileged account connected, the "monitor". As SHOW MASTER STATUS, and all other replication related statements, return with either REPLICATION CLIENT or SUPER privileges, this worklog is to make SHOW MASTER LOGS and SHOW BINARY LOGS be consistent with this as well, and allow both of these commands with either SUPER or REPLICATION CLIENT. This allows monitoring tools to not require a SUPER privilege any more, so is safer in overloaded situations, as well as being more secure, as lighter privileges can be given to users of such tools or scripts.

WL#6236: Allow SHOW MASTER LOGS and SHOW BINARY LOGS with REPLICATION CLIENT
Currently SHOW MASTER LOGS and SHOW BINARY LOGS require the SUPER privilege. Monitoring tools (such as MEM) often want to check this output - for instance MEM generates the SUM of the sizes of the logs reported here, and puts that in the Replication overview within the MEM Dashboard. However, because of the SUPER requirement, these tools often have an account that holds open the connection whilst monitoring, and can lock out administrators when the server gets overloaded and reaches max_connections - there is already another SUPER privileged account connected, the "monitor". As SHOW MASTER STATUS, and all other replication related statements, return with either REPLICATION CLIENT or SUPER privileges, this worklog is to make SHOW MASTER LOGS and SHOW BINARY LOGS be consistent with this as well, and allow both of these commands with either SUPER or REPLICATION CLIENT. This allows monitoring tools to not require a SUPER privilege any more, so is safer in overloaded situations, as well as being more secure, as lighter privileges can be given to users of such tools or scripts.
a9a7e6ea · Nuno Carvalho · 81058259 · a9a7e6ea · a9a7e6ea · a9a7e6ea
Commit a9a7e6ea authored Apr 18, 2012 by Nuno Carvalho
3 changed files
--- a/mysql-test/suite/binlog/r/binlog_grant.result
+++ b/mysql-test/suite/binlog/r/binlog_grant.result
@@ -26,3 +26,7 @@ ERROR 42000: Access denied; you need the SUPER privilege for this operation
 **** Clean up ****
 set global binlog_format = @saved_binlog_format;
 drop user mysqltest_1@localhost;
+GRANT REPLICATION CLIENT ON *.* TO 'mysqltest_1'@'localhost';
+SHOW MASTER LOGS;
+SHOW BINARY LOGS;
+DROP USER 'mysqltest_1'@'localhost';
--- a/mysql-test/suite/binlog/t/binlog_grant.test
+++ b/mysql-test/suite/binlog/t/binlog_grant.test
@@ -58,3 +58,22 @@ disconnect root;
 connection default;
 set global binlog_format = @saved_binlog_format;
 drop user mysqltest_1@localhost;
+
+
+# Testing if REPLICATION CLIENT privilege is enough to execute
+# SHOW MASTER LOGS and SHOW BINARY.
+GRANT REPLICATION CLIENT ON *.* TO 'mysqltest_1'@'localhost';
+--connect(rpl,localhost,mysqltest_1,,)
+
+--connection rpl
+# We are only interested if the following commands succeed and not on
+# their output.
+--disable_result_log
+SHOW MASTER LOGS;
+SHOW BINARY LOGS;
+--enable_result_log
+
+# clean up
+--disconnect rpl
+connection default;
+DROP USER 'mysqltest_1'@'localhost';
--- a/sql/sql_parse.cc
+++ b/sql/sql_parse.cc
@@ -3057,7 +3057,7 @@ end_with_restore_list:
    goto error;
 #else
    {
-      if (check_global_access(thd, SUPER_ACL))
+      if (check_global_access(thd, SUPER_ACL | REPL_CLIENT_ACL))
 	goto error;
      res = show_binlogs(thd);
      break;