Bug #109023 Leak REPL_SLAVE_ACL privilege error is ambiguous
Submitted: 8 Nov 2022 4:24
Modified: 8 Nov 2022 7:49
Reporter: peng gao
Status: Verified
Category: MySQL Server: Replication
Severity: S3 (Non-critical)
Version: 5.7, 8.0.31
OS: Any
Assigned to:
CPU Architecture: Any

[8 Nov 2022 4:24] peng gao

  When a slave or MGR recovery channel lacks the REPL_SLAVE_ACL privilege, the error is ER_ACCESS_DENIED_ERROR.
  MGR recovery channel user lacking the REPL_SLAVE_ACL privilege:
  2022-11-07T22:30:01.777653+08:00 74 [ERROR] [MY-013120] [Repl] Slave I/O for channel '': Master command COM_REGISTER_SLAVE failed: Access denied for user 'mysql_innodb_cluster_3570435201'@'%' (using password: YES) (Errno: 1045), Error_code: MY-013120

  But I think using ER_SPECIFIC_ACCESS_DENIED_ERROR for this error is better.
  Like SHOW SLAVE STATUS when lacking the REPL_CLIENT_ACL privilege:
  Access denied; you need (at least one of) the SUPER, REPLICATION CLIENT privilege(s) for this operation
  Because the error is easily mistaken for a password error rather than a lack of permission.

How to repeat:
  1. master: create user test@'%' identified by 'Test123$';
  2. slave:  change master to use user test
  3. slave:  start slave

Suggested fix:
  Use check_global_access to check REPL_SLAVE_ACL global privileges.

[8 Nov 2022 7:49] MySQL Verification Team
Hello peng gao,

Thank you for the report and feedback.
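
Log triage for the ambiguity described in this report, added here as an example (not code from MySQL or from the reporter): it picks out 1045 errors raised on COM_REGISTER_SLAVE, which per the report can mean a missing REPLICATION SLAVE privilege rather than a wrong password, and builds the statements to check the account on the master. The function names and every sample line except the first are constructed.

```python
import re
from collections import Counter

# Constructed sample log. Line 1 copies the error quoted in the report;
# the remaining lines are made up for this example.
SAMPLE_LOG = """\
2022-11-07T22:30:01.777653+08:00 74 [ERROR] [MY-013120] [Repl] Slave I/O for channel '': Master command COM_REGISTER_SLAVE failed: Access denied for user 'mysql_innodb_cluster_3570435201'@'%' (using password: YES) (Errno: 1045), Error_code: MY-013120
2022-11-07T22:31:00.000000+08:00 0 [Note] [MY-000000] [Server] constructed unrelated line
2022-11-07T22:32:10.000000+08:00 75 [ERROR] [MY-013120] [Repl] Slave I/O for channel 'group_replication_recovery': Master command COM_REGISTER_SLAVE failed: Access denied for user 'test'@'%' (using password: YES) (Errno: 1045), Error_code: MY-013120
2022-11-07T22:33:10.000000+08:00 75 [ERROR] [MY-013120] [Repl] Slave I/O for channel 'group_replication_recovery': Master command COM_REGISTER_SLAVE failed: Access denied for user 'test'@'%' (using password: YES) (Errno: 1045), Error_code: MY-013120
"""

# Quote and backslash are excluded from the captured names so they can be
# placed inside single-quoted SQL account names below without escaping.
REGISTER_DENIED = re.compile(
    r"Slave I/O for channel '(?P<channel>[^']*)': "
    r"Master command COM_REGISTER_SLAVE failed: "
    r"Access denied for user '(?P<user>[^'\\]+)'@'(?P<host>[^'\\]+)' "
    r"\(using password: (?:YES|NO)\) \(Errno: 1045\)"
)


def find_register_denials(log_text):
    """Count COM_REGISTER_SLAVE 1045 errors per (user, host, channel)."""
    hits = Counter()
    for line in log_text.splitlines():
        m = REGISTER_DENIED.search(line)
        if m:
            hits[(m["user"], m["host"], m["channel"])] += 1
    return hits


def triage_sql(user, host):
    """Statements to run on the master: inspect first, grant only if missing."""
    account = f"'{user}'@'{host}'"
    return [
        f"SHOW GRANTS FOR {account};",
        f"GRANT REPLICATION SLAVE ON *.* TO {account};",
    ]


if __name__ == "__main__":
    for (user, host, channel), n in sorted(find_register_denials(SAMPLE_LOG).items()):
        print(f"{n}x channel={channel!r} {user}@{host}: check privilege before password")
        for stmt in triage_sql(user, host):
            print("   ", stmt)
```
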