recursive privilege propagation for roles.

functions for traversing the role graph in either direction.
merging of global, database, table, column, routine privileges.
debug status variables for counting number of privilege merges.
tests.

mysql-test/include/acl_roles_recursive.inc

+#
+# This file tests how privilege are propagated through a complex role graph.
+# Here's a graph
+#
+# role1 ->- role2 -->- role4 -->- role6 ->- role8
+#                \               /     \
+#                 \->- role5 ->-/       \->- role9 ->- role10 ->- foo@localhost
+#                     /     \               /
+#           role3 ->-/       \->- role7 ->-/
+#
+# privilege checks verify that grants/revokes are propagated correctly
+# from the role1 to role10. additionally debug status variables verify
+# that propagation doesn't do unnecessary work (only touches the
+# smallest possible number of nodes and doesn't merge privileges that
+# didn't change)
+#
+create user foo@localhost;
+create role role1;
+create role role2;
+create role role3;
+create role role4;
+create role role5;
+create role role6;
+create role role7;
+create role role8;
+create role role9;
+create role role10;
+
+grant role1 to role2;
+grant role2 to role4;
+grant role2 to role5;
+grant role3 to role5;
+grant role4 to role6;
+grant role5 to role6;
+grant role5 to role7;
+grant role6 to role8;
+grant role6 to role9;
+grant role7 to role9;
+grant role9 to role10;
+grant role10 to foo@localhost;
+
+# try to create a cycle
+--error ER_CANNOT_GRANT_ROLE
+grant role10 to role2;
+
+connect (foo, localhost, foo);
+--sorted_result
+show grants;
+--sorted_result
+select * from information_schema.applicable_roles;
+
+show status like 'debug%';
+
+#
+# global privileges
+#
+connection default;
+grant select on *.* to role1;
+show status like 'debug%';
+connection foo;
+--error ER_TABLEACCESS_DENIED_ERROR
+select count(*) from mysql.roles_mapping;
+set role role10;
+select count(*) from mysql.roles_mapping;
+--sorted_result
+show grants;
+--sorted_result
+select * from information_schema.enabled_roles;
+
+connection default;
+revoke select on *.* from role1;
+show status like 'debug%';
+connection foo;
+# global privileges are cached in the THD, changes don't take effect immediately
+select count(*) from mysql.roles_mapping;
+set role none;
+set role role10;
+--error ER_TABLEACCESS_DENIED_ERROR
+select count(*) from mysql.roles_mapping;
+set role none;
+
+#
+# database privileges
+#
+connection default;
+grant select on mysql.* to role1;
+show status like 'debug%';
+connection foo;
+--error ER_TABLEACCESS_DENIED_ERROR
+select count(*) from mysql.roles_mapping;
+set role role10;
+select count(*) from mysql.roles_mapping;
+--sorted_result
+show grants;
+
+connection default;
+revoke select on mysql.* from role1;
+show status like 'debug%';
+connection foo;
+--error ER_TABLEACCESS_DENIED_ERROR
+select count(*) from mysql.roles_mapping;
+set role none;
+
+#
+# table privileges
+#
+
+connection default;
+grant select on mysql.roles_mapping to role1;
+show status like 'debug%';
+connection foo;
+--error ER_TABLEACCESS_DENIED_ERROR
+select count(*) from mysql.roles_mapping;
+set role role10;
+select count(*) from mysql.roles_mapping;
+--sorted_result
+show grants;
+
+connection default;
+revoke select on mysql.roles_mapping from role1;
+show status like 'debug%';
+connection foo;
+--error ER_TABLEACCESS_DENIED_ERROR
+select count(*) from mysql.roles_mapping;
+set role none;
+
+#
+# column privileges
+#
+
+connection default;
+grant select(User) on mysql.roles_mapping to role1;
+show status like 'debug%';
+connection foo;
+--error ER_TABLEACCESS_DENIED_ERROR
+select count(*) from mysql.roles_mapping;
+set role role10;
+--error ER_COLUMNACCESS_DENIED_ERROR
+select count(concat(User,Host,Role)) from mysql.roles_mapping;
+select count(concat(User)) from mysql.roles_mapping;
+--sorted_result
+show grants;
+
+connection default;
+grant select(Host) on mysql.roles_mapping to role3;
+show status like 'debug%';
+connection foo;
+--error ER_COLUMNACCESS_DENIED_ERROR
+select count(concat(User,Host,Role)) from mysql.roles_mapping;
+select count(concat(User,Host)) from mysql.roles_mapping;
+--sorted_result
+show grants;
+
+connection default;
+revoke select(User) on mysql.roles_mapping from role1;
+show status like 'debug%';
+connection foo;
+--error ER_COLUMNACCESS_DENIED_ERROR
+select count(concat(User,Host)) from mysql.roles_mapping;
+select count(concat(Host)) from mysql.roles_mapping;
+
+connection default;
+revoke select(Host) on mysql.roles_mapping from role3;
+show status like 'debug%';
+connection foo;
+--error ER_TABLEACCESS_DENIED_ERROR
+select count(concat(Host)) from mysql.roles_mapping;
+set role none;
+
+#
+# routine privileges
+#
+
+connection default;
+create procedure pr1() select "pr1";
+create function fn1() returns char(10) return "fn1";
+grant execute on procedure test.pr1 to role1;
+show status like 'debug%';
+connection foo;
+--error ER_PROCACCESS_DENIED_ERROR
+call pr1();
+set role role10;
+call pr1();
+--error ER_PROCACCESS_DENIED_ERROR
+select fn1();
+
+connection default;
+grant execute on function test.fn1 to role5;
+show status like 'debug%';
+connection foo;
+select fn1();
+
+connection default;
+revoke execute on procedure test.pr1 from role1;
+show status like 'debug%';
+connection foo;
+--error ER_PROCACCESS_DENIED_ERROR
+call pr1();
+select fn1();
+
+connection default;
+revoke execute on function test.fn1 from role5;
+show status like 'debug%';
+connection foo;
+--error ER_PROCACCESS_DENIED_ERROR
+select fn1();
+set role none;
+
+connection default;
+drop procedure pr1;
+drop function fn1;
+
+#
+# test shortcuts
+#
+
+grant select on mysql.roles_mapping to role3;
+show status like 'debug%';
+# this grant only propagates to roles role2 and role4,
+# and tries to propagate to role5, discovering that it already has it
+grant select on mysql.roles_mapping to role1;
+show status like 'debug%';
+# this only tries to propagate to role5 and exits early
+revoke select on mysql.roles_mapping from role3;
+show status like 'debug%';
+# propagates to all 8 roles, normally
+revoke select on mysql.roles_mapping from role1;
+show status like 'debug%';
+
+grant select on mysql.* to role1;
+show status like 'debug%';
+# only entries for `test` are merged, not for `mysql`
+grant select on test.* to role1;
+show status like 'debug%';
+revoke select on mysql.* from role1;
+show status like 'debug%';
+revoke select on test.* from role1;
+show status like 'debug%';
+
+#
+# cleanup
+#
+
+connection default;
+drop user foo@localhost;
+drop role role1;
+drop role role2;
+drop role role3;
+drop role role4;
+drop role role5;
+drop role role6;
+drop role role7;
+drop role role8;
+drop role role9;
+drop role role10;
+

mysql-test/r/acl_roles_recursive.result

+create user foo@localhost;
+create role role1;
+create role role2;
+create role role3;
+create role role4;
+create role role5;
+create role role6;
+create role role7;
+create role role8;
+create role role9;
+create role role10;
+grant role1 to role2;
+grant role2 to role4;
+grant role2 to role5;
+grant role3 to role5;
+grant role4 to role6;
+grant role5 to role6;
+grant role5 to role7;
+grant role6 to role8;
+grant role6 to role9;
+grant role7 to role9;
+grant role9 to role10;
+grant role10 to foo@localhost;
+grant role10 to role2;
+ERROR HY000: Cannot grant role 'role10' to: 'role2'.
+show grants;
+Grants for foo@localhost
+GRANT USAGE ON *.* TO 'foo'@'localhost'
+GRANT role10 TO 'foo'@'localhost'
+select * from information_schema.applicable_roles;
+GRANTEE	ROLE_NAME	IS_GRANTABLE
+foo@localhost	role10	NO
+role10	role9	NO
+role2	role1	NO
+role4	role2	NO
+role5	role2	NO
+role5	role3	NO
+role6	role4	NO
+role6	role5	NO
+role7	role5	NO
+role9	role6	NO
+role9	role7	NO
+show status like 'debug%';
+Variable_name	Value
+grant select on *.* to role1;
+show status like 'debug%';
+Variable_name	Value
+select count(*) from mysql.roles_mapping;
+ERROR 42000: SELECT command denied to user 'foo'@'localhost' for table 'roles_mapping'
+set role role10;
+select count(*) from mysql.roles_mapping;
+count(*)
+22
+show grants;
+Grants for foo@localhost
+GRANT SELECT ON *.* TO 'role1'
+GRANT USAGE ON *.* TO 'foo'@'localhost'
+GRANT USAGE ON *.* TO 'role10'
+GRANT USAGE ON *.* TO 'role2'
+GRANT USAGE ON *.* TO 'role3'
+GRANT USAGE ON *.* TO 'role4'
+GRANT USAGE ON *.* TO 'role5'
+GRANT USAGE ON *.* TO 'role6'
+GRANT USAGE ON *.* TO 'role7'
+GRANT USAGE ON *.* TO 'role9'
+GRANT role1 TO 'role2'
+GRANT role10 TO 'foo'@'localhost'
+GRANT role2 TO 'role4'
+GRANT role2 TO 'role5'
+GRANT role3 TO 'role5'
+GRANT role4 TO 'role6'
+GRANT role5 TO 'role6'
+GRANT role5 TO 'role7'
+GRANT role6 TO 'role9'
+GRANT role7 TO 'role9'
+GRANT role9 TO 'role10'
+select * from information_schema.enabled_roles;
+ROLE_NAME
+role1
+role10
+role2
+role3
+role4
+role5
+role6
+role7
+role9
+revoke select on *.* from role1;
+show status like 'debug%';
+Variable_name	Value
+select count(*) from mysql.roles_mapping;
+count(*)
+22
+set role none;
+set role role10;
+select count(*) from mysql.roles_mapping;
+ERROR 42000: SELECT command denied to user 'foo'@'localhost' for table 'roles_mapping'
+set role none;
+grant select on mysql.* to role1;
+show status like 'debug%';
+Variable_name	Value
+select count(*) from mysql.roles_mapping;
+ERROR 42000: SELECT command denied to user 'foo'@'localhost' for table 'roles_mapping'
+set role role10;
+select count(*) from mysql.roles_mapping;
+count(*)
+22
+show grants;
+Grants for foo@localhost
+GRANT SELECT ON `mysql`.* TO 'role1'
+GRANT USAGE ON *.* TO 'foo'@'localhost'
+GRANT USAGE ON *.* TO 'role1'
+GRANT USAGE ON *.* TO 'role10'
+GRANT USAGE ON *.* TO 'role2'
+GRANT USAGE ON *.* TO 'role3'
+GRANT USAGE ON *.* TO 'role4'
+GRANT USAGE ON *.* TO 'role5'
+GRANT USAGE ON *.* TO 'role6'
+GRANT USAGE ON *.* TO 'role7'
+GRANT USAGE ON *.* TO 'role9'
+GRANT role1 TO 'role2'
+GRANT role10 TO 'foo'@'localhost'
+GRANT role2 TO 'role4'
+GRANT role2 TO 'role5'
+GRANT role3 TO 'role5'
+GRANT role4 TO 'role6'
+GRANT role5 TO 'role6'
+GRANT role5 TO 'role7'
+GRANT role6 TO 'role9'
+GRANT role7 TO 'role9'
+GRANT role9 TO 'role10'
+revoke select on mysql.* from role1;
+show status like 'debug%';
+Variable_name	Value
+select count(*) from mysql.roles_mapping;
+ERROR 42000: SELECT command denied to user 'foo'@'localhost' for table 'roles_mapping'
+set role none;
+grant select on mysql.roles_mapping to role1;
+show status like 'debug%';
+Variable_name	Value
+select count(*) from mysql.roles_mapping;
+ERROR 42000: SELECT command denied to user 'foo'@'localhost' for table 'roles_mapping'
+set role role10;
+select count(*) from mysql.roles_mapping;
+count(*)
+22
+show grants;
+Grants for foo@localhost
+GRANT SELECT ON `mysql`.`roles_mapping` TO 'role1'
+GRANT USAGE ON *.* TO 'foo'@'localhost'
+GRANT USAGE ON *.* TO 'role1'
+GRANT USAGE ON *.* TO 'role10'
+GRANT USAGE ON *.* TO 'role2'
+GRANT USAGE ON *.* TO 'role3'
+GRANT USAGE ON *.* TO 'role4'
+GRANT USAGE ON *.* TO 'role5'
+GRANT USAGE ON *.* TO 'role6'
+GRANT USAGE ON *.* TO 'role7'
+GRANT USAGE ON *.* TO 'role9'
+GRANT role1 TO 'role2'
+GRANT role10 TO 'foo'@'localhost'
+GRANT role2 TO 'role4'
+GRANT role2 TO 'role5'
+GRANT role3 TO 'role5'
+GRANT role4 TO 'role6'
+GRANT role5 TO 'role6'
+GRANT role5 TO 'role7'
+GRANT role6 TO 'role9'
+GRANT role7 TO 'role9'
+GRANT role9 TO 'role10'
+revoke select on mysql.roles_mapping from role1;
+show status like 'debug%';
+Variable_name	Value
+select count(*) from mysql.roles_mapping;
+ERROR 42000: SELECT command denied to user 'foo'@'localhost' for table 'roles_mapping'
+set role none;
+grant select(User) on mysql.roles_mapping to role1;
+show status like 'debug%';
+Variable_name	Value
+select count(*) from mysql.roles_mapping;
+ERROR 42000: SELECT command denied to user 'foo'@'localhost' for table 'roles_mapping'
+set role role10;
+select count(concat(User,Host,Role)) from mysql.roles_mapping;
+ERROR 42000: SELECT command denied to user 'foo'@'localhost' for column 'Host' in table 'roles_mapping'
+select count(concat(User)) from mysql.roles_mapping;
+count(concat(User))
+22
+show grants;
+Grants for foo@localhost
+GRANT SELECT (User) ON `mysql`.`roles_mapping` TO 'role1'
+GRANT USAGE ON *.* TO 'foo'@'localhost'
+GRANT USAGE ON *.* TO 'role1'
+GRANT USAGE ON *.* TO 'role10'
+GRANT USAGE ON *.* TO 'role2'
+GRANT USAGE ON *.* TO 'role3'
+GRANT USAGE ON *.* TO 'role4'
+GRANT USAGE ON *.* TO 'role5'
+GRANT USAGE ON *.* TO 'role6'
+GRANT USAGE ON *.* TO 'role7'
+GRANT USAGE ON *.* TO 'role9'
+GRANT role1 TO 'role2'
+GRANT role10 TO 'foo'@'localhost'
+GRANT role2 TO 'role4'
+GRANT role2 TO 'role5'
+GRANT role3 TO 'role5'
+GRANT role4 TO 'role6'
+GRANT role5 TO 'role6'
+GRANT role5 TO 'role7'
+GRANT role6 TO 'role9'
+GRANT role7 TO 'role9'
+GRANT role9 TO 'role10'
+grant select(Host) on mysql.roles_mapping to role3;
+show status like 'debug%';
+Variable_name	Value
+select count(concat(User,Host,Role)) from mysql.roles_mapping;
+ERROR 42000: SELECT command denied to user 'foo'@'localhost' for column 'Role' in table 'roles_mapping'
+select count(concat(User,Host)) from mysql.roles_mapping;
+count(concat(User,Host))
+22
+show grants;
+Grants for foo@localhost
+GRANT SELECT (Host) ON `mysql`.`roles_mapping` TO 'role3'
+GRANT SELECT (User) ON `mysql`.`roles_mapping` TO 'role1'
+GRANT USAGE ON *.* TO 'foo'@'localhost'
+GRANT USAGE ON *.* TO 'role1'
+GRANT USAGE ON *.* TO 'role10'
+GRANT USAGE ON *.* TO 'role2'
+GRANT USAGE ON *.* TO 'role3'
+GRANT USAGE ON *.* TO 'role4'
+GRANT USAGE ON *.* TO 'role5'
+GRANT USAGE ON *.* TO 'role6'
+GRANT USAGE ON *.* TO 'role7'
+GRANT USAGE ON *.* TO 'role9'
+GRANT role1 TO 'role2'
+GRANT role10 TO 'foo'@'localhost'
+GRANT role2 TO 'role4'
+GRANT role2 TO 'role5'
+GRANT role3 TO 'role5'
+GRANT role4 TO 'role6'
+GRANT role5 TO 'role6'
+GRANT role5 TO 'role7'
+GRANT role6 TO 'role9'
+GRANT role7 TO 'role9'
+GRANT role9 TO 'role10'
+revoke select(User) on mysql.roles_mapping from role1;
+show status like 'debug%';
+Variable_name	Value
+select count(concat(User,Host)) from mysql.roles_mapping;
+ERROR 42000: SELECT command denied to user 'foo'@'localhost' for column 'User' in table 'roles_mapping'
+select count(concat(Host)) from mysql.roles_mapping;
+count(concat(Host))
+22
+revoke select(Host) on mysql.roles_mapping from role3;
+show status like 'debug%';
+Variable_name	Value
+select count(concat(Host)) from mysql.roles_mapping;
+ERROR 42000: SELECT command denied to user 'foo'@'localhost' for table 'roles_mapping'
+set role none;
+create procedure pr1() select "pr1";
+create function fn1() returns char(10) return "fn1";
+grant execute on procedure test.pr1 to role1;
+show status like 'debug%';
+Variable_name	Value
+call pr1();
+ERROR 42000: execute command denied to user 'foo'@'localhost' for routine 'test.pr1'
+set role role10;
+call pr1();
+pr1
+pr1
+select fn1();
+ERROR 42000: execute command denied to user 'foo'@'localhost' for routine 'test.fn1'
+grant execute on function test.fn1 to role5;
+show status like 'debug%';
+Variable_name	Value
+select fn1();
+fn1()
+fn1
+revoke execute on procedure test.pr1 from role1;
+show status like 'debug%';
+Variable_name	Value
+call pr1();
+ERROR 42000: execute command denied to user 'foo'@'localhost' for routine 'test.pr1'
+select fn1();
+fn1()
+fn1
+revoke execute on function test.fn1 from role5;
+show status like 'debug%';
+Variable_name	Value
+select fn1();
+ERROR 42000: execute command denied to user 'foo'@'localhost' for routine 'test.fn1'
+set role none;
+drop procedure pr1;
+drop function fn1;
+grant select on mysql.roles_mapping to role3;
+show status like 'debug%';
+Variable_name	Value
+grant select on mysql.roles_mapping to role1;
+show status like 'debug%';
+Variable_name	Value
+revoke select on mysql.roles_mapping from role3;
+show status like 'debug%';
+Variable_name	Value
+revoke select on mysql.roles_mapping from role1;
+show status like 'debug%';
+Variable_name	Value
+grant select on mysql.* to role1;
+show status like 'debug%';
+Variable_name	Value
+grant select on test.* to role1;
+show status like 'debug%';
+Variable_name	Value
+revoke select on mysql.* from role1;
+show status like 'debug%';
+Variable_name	Value
+revoke select on test.* from role1;
+show status like 'debug%';
+Variable_name	Value
+drop user foo@localhost;
+drop role role1;
+drop role role2;
+drop role role3;
+drop role role4;
+drop role role5;
+drop role role6;
+drop role role7;
+drop role role8;
+drop role role9;
+drop role role10;

mysql-test/r/acl_roles_set_role-database-recursive.result

-create user 'test_user'@'localhost';
+create user test_user@localhost;
 create role test_role1;
 create role test_role2;
 grant test_role1 to test_user@localhost;
@@ -55,10 +55,29 @@ localhost	root	test_role1	Y
 localhost	root	test_role2	Y
 localhost	test_user	test_role1	N
 localhost	test_user	test_role2	N
-drop user 'test_user'@'localhost';
-revoke select on mysql.* from test_role2;
-delete from mysql.user where user='test_role1';
-delete from mysql.user where user='test_role2';
-delete from mysql.roles_mapping where Role='test_role1';
-delete from mysql.roles_mapping where Role='test_role2';
-flush privileges;
+create role test_role3;
+grant test_role3 to test_role2;
+create role test_role4;
+grant test_role4 to test_role3;
+set role test_role1;
+delete from mysql.user where user='no such user';
+ERROR 42000: DELETE command denied to user 'test_user'@'localhost' for table 'user'
+grant delete on mysql.* to test_role4;
+set role test_role1;
+delete from mysql.user where user='no such user';
+show grants;
+Grants for test_user@localhost
+GRANT DELETE ON `mysql`.* TO 'test_role4'
+GRANT SELECT ON `mysql`.* TO 'test_role2'
+GRANT USAGE ON *.* TO 'test_role1'
+GRANT USAGE ON *.* TO 'test_role2'
+GRANT USAGE ON *.* TO 'test_role3'
+GRANT USAGE ON *.* TO 'test_role4'
+GRANT USAGE ON *.* TO 'test_user'@'localhost'
+GRANT test_role1 TO 'test_user'@'localhost'
+GRANT test_role2 TO 'test_role1'
+GRANT test_role2 TO 'test_user'@'localhost'
+GRANT test_role3 TO 'test_role2'
+GRANT test_role4 TO 'test_role3'
+drop user test_user@localhost;
+drop role test_role1, test_role2, test_role3, test_role4;

mysql-test/t/acl_roles_recursive.test

+
+source include/not_debug.inc;
+source include/acl_roles_recursive.inc;
+

mysql-test/t/acl_roles_recursive_dbug.test

+#
+# run acl_roles_recursive and count the number of merges
+#
+source include/have_debug.inc;
+
+show status like 'debug%';
+
+set @old_dbug=@@global.debug_dbug;
+set global debug_dbug="+d,role_merge_stats";
+
+source include/acl_roles_recursive.inc; 
+
+set global debug_dbug=@old_dbug;
+

mysql-test/t/acl_roles_set_role-database-recursive.test

 #create a user with no privileges
-create user 'test_user'@'localhost';
+create user test_user@localhost;
 create role test_role1;
 create role test_role2;
 
@@ -37,10 +37,26 @@ select current_user(), current_role();
 select * from mysql.roles_mapping;
 
 change_user 'root';
-drop user 'test_user'@'localhost';
-revoke select on mysql.* from test_role2;
-delete from mysql.user where user='test_role1';
-delete from mysql.user where user='test_role2';
-delete from mysql.roles_mapping where Role='test_role1';
-delete from mysql.roles_mapping where Role='test_role2';
-flush privileges;
+
+create role test_role3;
+grant test_role3 to test_role2;
+create role test_role4;
+grant test_role4 to test_role3;
+
+change_user 'test_user';
+set role test_role1;
+--error ER_TABLEACCESS_DENIED_ERROR
+delete from mysql.user where user='no such user';
+
+change_user 'root';
+grant delete on mysql.* to test_role4;
+
+change_user 'test_user';
+set role test_role1;
+delete from mysql.user where user='no such user';
+--sorted_result
+show grants;
+
+change_user 'root';
+drop user test_user@localhost;
+drop role test_role1, test_role2, test_role3, test_role4;

sql/mysqld.cc

@@ -7183,6 +7183,42 @@ static int show_default_keycache(THD *thd, SHOW_VAR *var, char *buff)
   return 0;
 }
 
+#ifndef DBUG_OFF
+static int debug_status_func(THD *thd, SHOW_VAR *var, char *buff)
+{
+#define add_var(X,Y,Z)                  \
+  v->name= X;                           \
+  v->value= (char*)Y;                   \
+  v->type= Z;                           \
+  v++;
+
+  var->type= SHOW_ARRAY;
+  var->value= buff;
+
+  SHOW_VAR *v= (SHOW_VAR *)buff;
+
+  if (_db_keyword_(0, "role_merge_stats", 1))
+  {
+    static SHOW_VAR roles[]= {
+      {"global",  (char*) &role_global_merges,  SHOW_ULONG},
+      {"db",      (char*) &role_db_merges,      SHOW_ULONG},
+      {"table",   (char*) &role_table_merges,   SHOW_ULONG},
+      {"column",  (char*) &role_column_merges,  SHOW_ULONG},
+      {"routine", (char*) &role_routine_merges, SHOW_ULONG},
+      {NullS, NullS, SHOW_LONG}
+    };
+
+    add_var("role_merges", roles, SHOW_ARRAY);
+  }
+
+  v->name= 0;
+
+#undef add_var
+
+  return 0;
+}
+#endif
+
 #ifdef HAVE_POOL_OF_THREADS
 int show_threadpool_idle_threads(THD *thd, SHOW_VAR *var, char *buff)
 {
@@ -7216,6 +7252,9 @@ SHOW_VAR status_vars[]= {
   {"Created_tmp_disk_tables",  (char*) offsetof(STATUS_VAR, created_tmp_disk_tables), SHOW_LONG_STATUS},
   {"Created_tmp_files",	       (char*) &my_tmp_file_created,	SHOW_LONG},
   {"Created_tmp_tables",       (char*) offsetof(STATUS_VAR, created_tmp_tables), SHOW_LONG_STATUS},
+#ifndef DBUG_OFF
+  {"Debug",                    (char*) &debug_status_func,  SHOW_FUNC},
+#endif
   {"Delayed_errors",           (char*) &delayed_insert_errors,  SHOW_LONG},
   {"Delayed_insert_threads",   (char*) &delayed_insert_threads, SHOW_LONG_NOFLUSH},
   {"Delayed_writes",           (char*) &delayed_insert_writes,  SHOW_LONG},

sql/sql_acl.h

@@ -394,4 +394,9 @@ bool acl_check_proxy_grant_access (THD *thd, const char *host, const char *user,
                                    bool with_grant);
 int acl_setrole(THD *thd, char *rolename, ulonglong access);
 int acl_check_setrole(THD *thd, char *rolename, ulonglong *access);
+
+#ifndef DBUG_OFF
+extern ulong role_global_merges, role_db_merges, role_table_merges,
+             role_column_merges, role_routine_merges;
+#endif
 #endif /* SQL_ACL_INCLUDED */