Bug #12726 GRANTS are not replicated using RBR, causes execution issues on slave
Submitted: 22 Aug 2005 15:35 Modified: 28 Sep 2005 11:46
Reporter: Jonathan Miller Email Updates:
Status: Not a Bug Impact on me:
None 
Category:MySQL Server: Replication Severity:S2 (Serious)
Version:5.0-wl1012 OS:Linux (Linux)
Assigned to: Mats Kindahl CPU Architecture:Any

[22 Aug 2005 15:35] Jonathan Miller 
Description:
Consider the following test case:

# Includes
-- source include/have_binlog_format_row.inc
-- source include/not_embedded.inc
-- source include/master-slave.inc

# Begin clean up test section
connection master;
--disable_warnings
DROP PROCEDURE IF EXISTS test.p1;
DROP PROCEDURE IF EXISTS test.p2;
DROP PROCEDURE IF EXISTS test.p3;

# Begin test section 1
# Create user user1 with no particular access rights
grant usage on *.* to user1@localhost;
flush privileges;

SELECT CURRENT_USER();
SELECT USER();
CREATE PROCEDURE test.p1 () SQL SECURITY INVOKER SELECT CURRENT_USER(), USER();
CREATE PROCEDURE test.p2 () SQL SECURITY DEFINER CALL test.p1();
CREATE PROCEDURE test.p3 () SQL SECURITY INVOKER CALL test.p1();
GRANT EXECUTE ON PROCEDURE p1 TO user1@localhost;
GRANT EXECUTE ON PROCEDURE p2 TO user1@localhost;
GRANT EXECUTE ON PROCEDURE p3 TO user1@localhost;

let $message=<********  Master user1 p3 & p2 calls *******>;
--source include/show_msg.inc
connect (muser1,localhost,user1,,);
connection muser1;
SELECT CURRENT_USER();
SELECT USER();
CALL test.p3();
CALL test.p2();

let $message=<********  Slave user1 p3 & p2 calls *******>;
--source include/show_msg.inc
connect (suser1,127.0.0.1,user1,,test,$SLAVE_MYPORT,);
connection suser1;
SELECT CURRENT_USER();
SELECT USER();
sleep 3;
#CALL test.p3();  <--- Commented out due to failing in RBR, pass in SBR
#CALL test.p2();  <--- Commented out due to failing in RBR, pass in SBR

connection master;

#show binlog events;

# lets cleanup
DROP PROCEDURE IF EXISTS test.p1;
DROP PROCEDURE IF EXISTS test.p3;
DROP PROCEDURE IF EXISTS test.p2;

********** RESULTS FROM STATEMENT BASED **********************************
 <********  Master user1 p3 & p2 calls *******>
+ ----------------------------------------------
+ SELECT CURRENT_USER();
+ CURRENT_USER()
+ user1@localhost
+ SELECT USER();
+ USER()
+ user1@localhost
+ CALL test.p3();
+ CURRENT_USER()        USER()
+ user1@localhost       user1@localhost
+ CALL test.p2();
+ CURRENT_USER()        USER()
+ root@localhost        user1@localhost
+
+ <********  Slave user1 p3 & p2 calls *******>
+ ---------------------------------------------
+ SELECT CURRENT_USER();
+ CURRENT_USER()
+ user1@localhost
+ SELECT USER();
+ USER()
+ user1@localhost
+ CALL test.p3();
+ CURRENT_USER()        USER()
+ user1@localhost       user1@localhost
+ CALL test.p2();
+ CURRENT_USER()        USER()
+ user1@localhost       user1@localhost

--------------- BIN LOG -------------------------
+ Log_name      Pos     Event_type      Server_id       End_log_pos     Info
+ master-bin.000001     4       Format_desc     1       102     Server ver: 5.0.12-beta-log, Binlog ver: 4
+ master-bin.000001     102     Query   1       202     use `test`; grant usage on *.* to user1@localhost
+ master-bin.000001     202     Query   1       281     use `test`; flush privileges
+ master-bin.000001     281     Query   1       422     use `test`; CREATE PROCEDURE test.p1 () SQL SECURITY INVOKER SELECT CURRENT_USER(), USER()
+ master-bin.000001     422     Query   1       548     use `test`; CREATE PROCEDURE test.p2 () SQL SECURITY DEFINER CALL test.p1()
+ master-bin.000001     548     Query   1       674     use `test`; CREATE PROCEDURE test.p3 () SQL SECURITY INVOKER CALL test.p1()
+ master-bin.000001     674     Query   1       793     use `test`; GRANT EXECUTE ON PROCEDURE p1 TO user1@localhost
+ master-bin.000001     793     Query   1       912     use `test`; GRANT EXECUTE ON PROCEDURE p2 TO user1@localhost
+ master-bin.000001     912     Query   1       1031    use `test`; GRANT EXECUTE ON PROCEDURE p3 TO user1@localhost
+ master-bin.000001     1031    Query   1       1116    use `test`; CALL test.p3()
+ master-bin.000001     1116    Query   1       1201    use `test`; CALL test.p2()

********** RESULTS FROM ROW BASED **********************************
Errors are (from /home/ndbdev/jmiller/mysql5.0/mysql-test/var/log/mysqltest-time) :
/home/ndbdev/jmiller/mysql5.0/client/.libs/lt-mysqltest: At line 53: query 'CALL test.p3()' failed: 1370: execute command denied to user ''@'localhost' for routine 'test.p3'

+ <********  Master user1 p3 & p2 calls *******>
+ ----------------------------------------------
+ SELECT CURRENT_USER();
+ CURRENT_USER()
+ user1@localhost
+ SELECT USER();
+ USER()
+ user1@localhost
+ CALL test.p3();
+ CURRENT_USER()        USER()
+ user1@localhost       user1@localhost
+ CALL test.p2();
+ CURRENT_USER()        USER()
+ root@localhost        user1@localhost
+
+ <********  Slave user1 p3 & p2 calls *******>
+ ---------------------------------------------
+ SELECT CURRENT_USER();
+ CURRENT_USER()
+ @localhost
+ SELECT USER();
+ USER()

--------------- BIN LOG -------------------------
+ Log_name      Pos     Event_type      Server_id       End_log_pos     Info
+ master-bin.000001     4       Format_desc     1       102     Server ver: 5.0.12-beta-log, Binlog ver: 4
+ master-bin.000001     102     Query   1       181     use `test`; flush privileges
+ master-bin.000001     181     Query   1       322     use `test`; CREATE PROCEDURE test.p1 () SQL SECURITY INVOKER SELECT CURRENT_USER(), USER()
+ master-bin.000001     322     Query   1       448     use `test`; CREATE PROCEDURE test.p2 () SQL SECURITY DEFINER CALL test.p1()
+ master-bin.000001     448     Query   1       574     use `test`; CREATE PROCEDURE test.p3 () SQL SECURITY INVOKER CALL test.p1()
+ master-bin.000001     574     Query   1       659     use `test`; CALL test.p3()
+ master-bin.000001     659     Query   1       744     use `test`; CALL test.p2()

############### NOTE ###############
I assume that this would have issues with all security, not just stored procedures. The grant calls should be passed to slave replicating that database from the master.

How to repeat:
see above
[20 Sep 2005 13:56] Guilhem Bichot 
We should re-check this one, because the way SP calls are binlogged changed somewhere in August.
[22 Sep 2005 21:36] Jonathan Miller 
Guilhem,

The test that causes this is rpl_row_sp012.test. As you stated, it show that the GRANT didn't create user1 on slave or didn't implicitely cause a FLUSH PRIVILEGES on slave. I am not sure that I could break it down much more, but is easly reproduce with the above test case.

Let me know,
Thanks,
JBM
[26 Sep 2005 13:55] Guilhem Bichot 
Assigned to Mats with his approval.
[28 Sep 2005 11:46] Mats Kindahl 
The slave didn't have enough time to replicate the grants before the functions were executed.