Bug #52127 | Inconsistencies between how TRIGGERS work, and what the manual states | ||
---|---|---|---|
Submitted: | 17 Mar 2010 8:28 | Modified: | 15 Apr 2010 23:48 |
Reporter: | Roel Van de Paar | Email Updates: | |
Status: | Closed | Impact on me: | |
Category: | MySQL Server: Documentation | Severity: | S2 (Serious) |
Version: | 5.1.42, 5.1, 5.6.99 | OS: | Any |
Assigned to: | Paul DuBois | CPU Architecture: | Any |
[17 Mar 2010 8:28]
Roel Van de Paar
[17 Mar 2010 8:28]
Roel Van de Paar
There are likely more inconsistencies than the ones above, but I have not done a full scan (yet).
[17 Mar 2010 9:19]
Roel Van de Paar
Detailed test results:

--- user1 / binlog turned OFF / log_bin_trust_function_creators OFF
--- user2 / binlog turned OFF / log_bin_trust_function_creators OFF
--- user3 / binlog turned OFF / log_bin_trust_function_creators OFF
trig1: ERROR 1227 (42000): Access denied; you need the SUPER privilege for this operation
trig2: Query OK, 0 rows affected (0.01 sec)

--- user4 / binlog turned OFF / log_bin_trust_function_creators OFF
trig1: Query OK, 0 rows affected (0.01 sec)
trig2: Query OK, 0 rows affected (0.01 sec)

--- user1 / binlog turned ON / log_bin_trust_function_creators OFF
--- user2 / binlog turned ON / log_bin_trust_function_creators OFF
--- user3 / binlog turned ON / log_bin_trust_function_creators OFF
trig1: ERROR 1419 (HY000): You do not have the SUPER privilege and binary logging is enabled (you *might* want to use the less safe log_bin_trust_function_creators variable)
trig2: ERROR 1419 (HY000): You do not have the SUPER privilege and binary logging is enabled (you *might* want to use the less safe log_bin_trust_function_creators variable)

--- user4 / binlog turned ON / log_bin_trust_function_creators OFF
trig1: Query OK, 0 rows affected (0.01 sec)
trig2: Query OK, 0 rows affected (0.01 sec)

--- user1 / binlog turned OFF / log_bin_trust_function_creators ON
--- user2 / binlog turned OFF / log_bin_trust_function_creators ON
--- user3 / binlog turned OFF / log_bin_trust_function_creators ON
trig1: ERROR 1227 (42000): Access denied; you need the SUPER privilege for this operation
trig2: Query OK, 0 rows affected (0.01 sec)

--- user4 / binlog turned OFF / log_bin_trust_function_creators ON
trig1: Query OK, 0 rows affected (0.01 sec)
trig2: Query OK, 0 rows affected (0.01 sec)

--- user1 / binlog turned ON / log_bin_trust_function_creators ON
--- user2 / binlog turned ON / log_bin_trust_function_creators ON
--- user3 / binlog turned ON / log_bin_trust_function_creators ON
trig1: ERROR 1227 (42000): Access denied; you need the SUPER privilege for this operation
trig2: Query OK, 0 rows affected (0.01 sec)

--- user4 / binlog turned ON / log_bin_trust_function_creators ON
trig1: Query OK, 0 rows affected (0.01 sec)
trig2: Query OK, 0 rows affected (0.01 sec)

Summary as per the table above.
[17 Mar 2010 9:45]
Sveta Smirnova
Thank you for the report. Inconsistencies verified as described: one still needs the SUPER privilege independently of log_bin_trust_function_creators. It would be good to replace "SUPER is not required" with "SUPER is not required unless you need ...", or to add a note that SUPER is sometimes required.
[17 Mar 2010 16:54]
Paul DuBois
If, regardless of log_bin_trust_function_creators, SUPER is still required to create triggers, that would appear to be a bug. The TRIGGER privilege was created to *avoid* having to grant SUPER to users who need to create triggers.
[17 Mar 2010 19:05]
Sveta Smirnova
Paul, SUPER is required only for the cases described at http://dev.mysql.com/doc/refman/5.1/en/create-trigger.html:

----<q>----
If you specify the DEFINER clause, these rules determine the legal DEFINER user values:

* If you do not have the SUPER privilege, the only legal user value is your own account, either specified literally or by using CURRENT_USER. You cannot set the definer to some other account.
* If you have the SUPER privilege, you can specify any syntactically legal account name. If the account does not actually exist, a warning is generated.
----</q>----
[27 Mar 2010 2:44]
Roel Van de Paar
o The first two documentation items listed were not addressed.
o For the last documentation item, how about the following instead:

CREATE TRIGGER requires the TRIGGER privilege for the table associated with the trigger. Furthermore, the SUPER privilege is required if a DEFINER clause is specified in the trigger, or if binary logging is enabled and log_bin_trust_function_creators is turned off (even when no DEFINER clause is specified). (Before MySQL 5.1.6, there is no TRIGGER privilege and this statement requires the SUPER privilege in all cases.)
[15 Apr 2010 23:48]
Paul DuBois
Thank you for your bug report. This issue has been addressed in the documentation. The updated documentation will appear on our website shortly, and will be included in the next release of the relevant products.

For: http://dev.mysql.com/doc/refman/5.1/en/stored-programs-logging.html

'The current conditions on the use of stored functions in MySQL 5.1 can be summarized as follows. These conditions do not apply to stored procedures or Event Scheduler events and they do not apply unless binary logging is enabled. To create or alter a stored function, you must have the SUPER privilege, in addition to the CREATE ROUTINE or ALTER ROUTINE privilege that is normally required.'

Changed second part to:

To create or alter a stored function, you must have the SUPER privilege, in addition to the CREATE ROUTINE or ALTER ROUTINE privilege that is normally required. (Depending on the DEFINER value in the function definition, SUPER might be required regardless of whether binary logging is enabled. See Section 12.1.15, "CREATE PROCEDURE and CREATE FUNCTION Syntax".)

For: http://dev.mysql.com/doc/refman/5.1/en/stored-programs-logging.html

'If binary logging is not enabled, log_bin_trust_function_creators does not apply and SUPER is not required for function creation.' = not correct, as per the above
'If binary logging is not enabled, log_bin_trust_function_creators does not apply.' = correct

Changed (both instances) to:

If binary logging is not enabled, log_bin_trust_function_creators does not apply. SUPER is not required for function creation unless, as described previously, the DEFINER value in the function definition requires it.

For:

[...] Triggers are similar to stored functions, so the preceding remarks regarding functions also apply to triggers'

With the preceding changes, that statement needs no changes.

For: http://dev.mysql.com/doc/refman/5.1/en/create-trigger.html

'CREATE TRIGGER requires the TRIGGER privilege for the table associated with the trigger. (Before MySQL 5.1.6, this statement requires the SUPER privilege.)'

Changed to:

CREATE TRIGGER requires the TRIGGER privilege for the table associated with the trigger. The statement might also require the SUPER privilege, depending on the DEFINER value (as described later in this section), or if binary logging is enabled (as described in Section 19.6, "Binary Logging of Stored Programs"). (Before MySQL 5.1.6, there is no TRIGGER privilege and this statement requires the SUPER privilege in all cases.)
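
The privilege rules discussed in this report can be written as a small decision function and checked against the test results posted above. This is an added example, not MySQL source code and not part of the original report. It assumes that user1-user3 lack SUPER, user4 has it, trig1 names a DEFINER other than the creating account and trig2 has no DEFINER clause; the original description is not on this page, so these are inferred from the results.

```python
# Added example: a model of the CREATE TRIGGER privilege checks described in
# this report, compared with the error codes in the posted test results.
ERR_SUPER_FOR_DEFINER = 1227  # "Access denied; you need the SUPER privilege ..."
ERR_SUPER_FOR_BINLOG = 1419   # "You do not have the SUPER privilege and binary logging is enabled ..."
NO_TRIGGER_PRIV = "no-trigger-priv"  # local sentinel; the server's code is not on the page


def create_trigger_error(has_trigger, has_super, definer_is_other,
                         log_bin, trust_creators):
    """Return None if CREATE TRIGGER is allowed, else the blocking error."""
    if not has_trigger:
        return NO_TRIGGER_PRIV
    if has_super:
        return None
    # The binary-logging check is modelled first: in the posted results,
    # trig1 fails with 1419 (not 1227) when binlog is ON and trust is OFF.
    if log_bin and not trust_creators:
        return ERR_SUPER_FOR_BINLOG
    # Without SUPER, the only legal DEFINER is the creator's own account.
    if definer_is_other:
        return ERR_SUPER_FOR_DEFINER
    return None


# Results transcribed from the report: (has_super, log_bin, trust) -> (trig1, trig2)
REPORTED = {
    (False, False, False): (1227, None),
    (False, True, False): (1419, 1419),
    (False, False, True): (1227, None),
    (False, True, True): (1227, None),
}
for lb in (False, True):
    for trust in (False, True):
        REPORTED[(True, lb, trust)] = (None, None)  # user4: always "Query OK"


def mismatches():
    """List every configuration where the model disagrees with the report."""
    bad = []
    for (sup, lb, trust), expected in REPORTED.items():
        got = (create_trigger_error(True, sup, True, lb, trust),   # trig1
               create_trigger_error(True, sup, False, lb, trust))  # trig2
        if got != expected:
            bad.append(((sup, lb, trust), got, expected))
    return bad


if __name__ == "__main__":
    print(mismatches() or "model matches every reported result")
```
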