Bug #58669 | read_only not enforced on 5.5.x | ||
---|---|---|---|
Submitted: | 2 Dec 2010 18:18 | Modified: | 21 Dec 2010 18:34 |
Reporter: | Leandro Morgado | Email Updates: | |
Status: | Closed | Impact on me: | |
Category: | MySQL Server: Options | Severity: | S1 (Critical) |
Version: | 5.5.6-rc, 5.5.7-rc | OS: | Any |
Assigned to: | Ramil Kalimullin | CPU Architecture: | Any |
Tags: | read_only |
[2 Dec 2010 18:18]
Leandro Morgado
[3 Dec 2010 1:01]
Davi Arnaut
This need to be properly verified. Please give full instructions and test with the latest available version.
[3 Dec 2010 9:04]
Leandro Morgado
This bug has been verified. Simply install 5.5.7-rc, setup replication, create a non SUPER user on the slave and set it to read_only. Watch as the non SUPER user writes all over the slave despite it being read_only.
[3 Dec 2010 9:30]
Leandro Morgado
I've just tested this without replication and still, read_only is not enforced on 5.5.7-rc-log: start server: mysqld --no-defaults --read-only mysql -uroot drop database if exists db; create database db; grant insert on db.* to 'shane'@'localhost'; create table db.t select 1 a; exit mysql -ushane db insert into t set a=5;
[3 Dec 2010 11:02]
Davi Arnaut
Leandro, Thanks, more details are better. So, the read-only option does not work when set from the command-line?
[3 Dec 2010 11:07]
Leandro Morgado
read_only doesn't work either way you set it. Set it from the command line, set it from my.cnf, set it in the mysql> cli. Give it a try and see for yourself.
[3 Dec 2010 11:10]
Davi Arnaut
Seems to work for me: CREATE USER user1@localhost; CREATE DATABASE db1; GRANT ALL PRIVILEGES ON db1.* TO user1@localhost; CREATE TABLE t1 (a INT); INSERT INTO t1 VALUES (1); connect (con1,localhost,user1,,); connection default; SHOW VARIABLES LIKE "%READ_ONLY%"; SELECT * FROM t1; INSERT INTO t1 VALUES (1); SET GLOBAL READ_ONLY=1; connection con1; --error ER_OPTION_PREVENTS_STATEMENT INSERT INTO t1 VALUES (1);
[3 Dec 2010 11:11]
Davi Arnaut
and does not work when set from the command line.
[3 Dec 2010 11:16]
Davi Arnaut
mysql> use test; Reading table information for completion of table and column names You can turn off this feature to get a quicker startup with -A Database changed mysql> SELECT CURRENT_USER(); +-----------------+ | CURRENT_USER() | +-----------------+ | user1@localhost | +-----------------+ 1 row in set (0.00 sec) mysql> SHOW GLOBAL VARIABLES LIKE "%READ_ONLY%"; +---------------+-------+ | Variable_name | Value | +---------------+-------+ | read_only | OFF | +---------------+-------+ 1 row in set (0.00 sec) mysql> INSERT INTO t1 VALUES (1); Query OK, 1 row affected (0.00 sec) mysql> SHOW GLOBAL VARIABLES LIKE "%READ_ONLY%"; +---------------+-------+ | Variable_name | Value | +---------------+-------+ | read_only | ON | +---------------+-------+ 1 row in set (0.00 sec) mysql> INSERT INTO t1 VALUES (1); ERROR 1290 (HY000): The MySQL server is running with the --read-only option so it cannot execute this statement mysql> SELECT VERSION(); +--------------+ | VERSION() | +--------------+ | 5.5.7-rc-log | +--------------+ 1 row in set (0.00 sec) mysql>
[3 Dec 2010 11:17]
Davi Arnaut
Leandro, There is something seriously wrong if it does not work for you from a regular client. But beware that it won't work if you still feed --read-only from the command line. Are you sure it's not due to the command line?
[3 Dec 2010 11:18]
Leandro Morgado
Try replacing this: GRANT ALL PRIVILEGES ON db1.* TO user1@localhost; With this: GRANT INSERT ON db1.* TO user1@localhost; "This variable is off by default. When it is enabled, the server permits no updates except from users that have the SUPER privilege or (on a slave server) from updates performed by slave threads" http://dev.mysql.com/doc/refman/5.5/en/server-system-variables.html#sysvar_read_only
[3 Dec 2010 11:37]
Leandro Morgado
If read_only is set from CLI as: mysql> SET GLOBAL READ_ONLY=1; Then this read_only is enforced with: ERROR 1290 (HY000): The MySQL server is running with the --read-only option so it cannot execute this statement When set from my.cnf/startup option in command line, read_only is ignored.
[3 Dec 2010 11:41]
Davi Arnaut
Verified as described. Thanks!
[3 Dec 2010 13:20]
Davi Arnaut
> Try replacing this: > > GRANT ALL PRIVILEGES ON db1.* TO user1@localhost; > > With this: > > GRANT INSERT ON db1.* TO user1@localhost; For what it's worth and to clear any possible misunderstanding, GRANT ALL PRIVILEGES as given above does not grant SUPER. Super is a global privilege. Quoting from the documentation: "Global privileges are administrative or apply to all databases on a given server. To assign global privileges, use ON *.* syntax [..]" "The [..] and SUPER privileges are administrative and can only be granted globally."
[3 Dec 2010 16:00]
Paul DuBois
Small amplification on previous comment: GRANT ALL does include SUPER, but only for the global level (GRANT ALL ON *.* ...) GRANT ALL _as shown in the example_ does not grant SUPER, because it grants at the database level (ON db1.*) and thus does not include global privileges
[3 Dec 2010 17:19]
Bugs System
A patch for this bug has been committed. After review, it may be pushed to the relevant source trees for release in the next version. You can access the patch from: http://lists.mysql.com/commits/125987 3165 Ramil Kalimullin 2010-12-03 Fix for bug #58669: read_only not enforced on 5.5.x Problem: "read-only" option ignored if it's enabled in the command line (or in the config file). Fix: sync opt_readonly (which is used for checks) with read_only (global var) when all server options are handled. @ mysql-test/r/bug58669.result Fix for bug #58669: read_only not enforced on 5.5.x - test result. @ mysql-test/t/bug58669-master.opt Fix for bug #58669: read_only not enforced on 5.5.x - test case. @ mysql-test/t/bug58669.test Fix for bug #58669: read_only not enforced on 5.5.x - test case. @ sql/mysqld.cc Fix for bug #58669: read_only not enforced on 5.5.x - sync opt_readonly boolean with read_only boolean in the get_options(). @ sql/mysqld.h Fix for bug #58669: read_only not enforced on 5.5.x - sync opt_readonly boolean with read_only boolean in the get_options(). @ sql/sys_vars.cc Fix for bug #58669: read_only not enforced on 5.5.x - sync opt_readonly boolean with read_only boolean in the get_options().
[3 Dec 2010 17:32]
Davi Arnaut
The (rather unacceptable) workaround is to SET GLOBAL READ_ONLY=TRUE at run-time.
[7 Dec 2010 17:10]
Bugs System
A patch for this bug has been committed. After review, it may be pushed to the relevant source trees for release in the next version. You can access the patch from: http://lists.mysql.com/commits/126244 3176 Ramil Kalimullin 2010-12-07 Fix for bug #58669: read_only not enforced on 5.5.x merged from mysql-5.5.8-release tree, revision: ramil@mysql.com-20101203174908-217tdkn150vieha9
[8 Dec 2010 19:41]
Paul DuBois
Noted in 5.5.8 changelog. Setting the read_only system variable at server startup did not work.
[16 Dec 2010 21:47]
Bugs System
Pushed into mysql-trunk 5.6.1 (revid:alexander.nozdrin@oracle.com-20101216181820-7afubgk2fmuv9qsb) (version source revid:alexander.nozdrin@oracle.com-20101216181820-7afubgk2fmuv9qsb) (merge vers: 5.6.1) (pib:23)
[16 Dec 2010 22:32]
Bugs System
Pushed into mysql-5.5 5.5.9 (revid:jonathan.perkin@oracle.com-20101216101358-fyzr1epq95a3yett) (version source revid:jonathan.perkin@oracle.com-20101216101358-fyzr1epq95a3yett) (merge vers: 5.5.9) (pib:24)
[17 Dec 2010 12:50]
Bugs System
Pushed into mysql-5.5 5.5.9 (revid:georgi.kodinov@oracle.com-20101217124733-p1ivu6higouawv8l) (version source revid:ramil@mysql.com-20101207170854-z1zt6tjphp0ebu1y) (merge vers: 5.5.8) (pib:24)
[17 Dec 2010 12:55]
Bugs System
Pushed into mysql-trunk 5.6.1 (revid:georgi.kodinov@oracle.com-20101217125013-y8pb3az32rtbplc9) (version source revid:anitha.gopi@sun.com-20101210041312-50t9adyhwwybsm6x) (merge vers: 5.6.1) (pib:24)