Bug #109023 Leak REPL_SLAVE_ACL privilege error is ambiguous
Submitted: 8 Nov 2022 4:24
Modified: 8 Nov 2022 7:49
Reporter: peng gao
Status: Verified
Category: MySQL Server: Replication
Severity: S3 (Non-critical)
Version: 5.7, 8.0.31
OS: Any
CPU Architecture: Any

[8 Nov 2022 4:24] peng gao
Description:
Hi 

  When a slave or MGR recovery channel lacks the REPL_SLAVE_ACL privilege, the error is ER_ACCESS_DENIED_ERROR.

  The MGR recovery channel user lacks the REPL_SLAVE_ACL privilege:
  
  2022-11-07T22:30:01.777653+08:00 74 [ERROR] [MY-013120] [Repl] Slave I/O for channel '': Master command COM_REGISTER_SLAVE failed: Access denied for user 'mysql_innodb_cluster_3570435201'@'%' (using password: YES) (Errno: 1045), Error_code: MY-013120

  But I think using ER_SPECIFIC_ACCESS_DENIED_ERROR for this error is better.
  Like when SHOW SLAVE STATUS lacks the REPL_CLIENT_ACL privilege:
   
  Access denied; you need (at least one of) the SUPER, REPLICATION CLIENT privilege(s) for this operation
  
  Because the errors are easily mistaken for password errors rather than a lack of permission.
Thanks.

How to repeat:
  1. master: create user test@'%' identified by 'Test123$';
  2. slave: change master to use user test
  3. slave: start slave

Suggested fix:
Use check_global_access to check REPL_SLAVE_ACL global privileges.

[8 Nov 2022 7:49] MySQL Verification Team
Hello peng gao,

Thank you for the report and feedback.

regards,
Umesh
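
Until the message is made specific, the ambiguity described in this report can be handled at triage time. The following is an added example, not code from the report or from MySQL: it flags replica error-log lines where COM_REGISTER_SLAVE fails with Errno 1045 and points at the account's grants instead of its password. The regular expression is built from the one log line quoted above, and the function names and the second and third sample lines are constructed for illustration.

```python
import re

# Pattern built from the single error-log line quoted in the report; other
# server versions may word the message differently (assumption).
DENIED = re.compile(
    r"^(?P<ts>\S+)\s+\d+\s+\[ERROR\]\s+\[MY-\d+\]\s+\[Repl\]\s+"
    r"Slave I/O for channel '(?P<channel>[^']*)': "
    r"Master command (?P<command>COM_\w+) failed: "
    r"Access denied for user '(?P<user>[^']*)'@'(?P<host>[^']*)' "
    r"\(using password: (?:YES|NO)\) \(Errno: (?P<errno>\d+)\)"
)

def triage(line):
    """Return a finding for a COM_REGISTER_SLAVE denial (Errno 1045), else None."""
    m = DENIED.match(line.strip())
    if not m or m["command"] != "COM_REGISTER_SLAVE" or m["errno"] != "1045":
        return None
    account = "'{}'@'{}'".format(m["user"], m["host"])
    return {
        "timestamp": m["ts"],
        "channel": m["channel"] or "(default)",
        "account": account,
        # The replica logged in before sending this command, so look at the
        # account's privileges on the source before resetting any password.
        "likely_cause": "account lacks REPLICATION SLAVE on the source",
        "check_on_source": "SHOW GRANTS FOR {};".format(account),
    }

def triage_log(lines):
    """Run triage over an iterable of log lines and keep only the findings."""
    return [f for f in map(triage, lines) if f is not None]

SAMPLE_LOG = [
    # Line 1 is the one quoted in the report; lines 2 and 3 are constructed.
    "2022-11-07T22:30:01.777653+08:00 74 [ERROR] [MY-013120] [Repl] Slave I/O for channel '': Master command COM_REGISTER_SLAVE failed: Access denied for user 'mysql_innodb_cluster_3570435201'@'%' (using password: YES) (Errno: 1045), Error_code: MY-013120",
    "2022-11-07T22:31:01.000000+08:00 75 [ERROR] [MY-013120] [Repl] Slave I/O for channel 'ch1': Master command COM_REGISTER_SLAVE failed: Access denied for user 'repl_example'@'%' (using password: YES) (Errno: 1045), Error_code: MY-013120",
    "2022-11-07T22:32:01.000000+08:00 76 [Warning] [MY-000000] [Server] constructed unrelated line",
]

if __name__ == "__main__":
    for finding in triage_log(SAMPLE_LOG):
        print(finding)
```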