Bug #78393 START/STOP SLAVE should not require SUPER grants
Submitted: 10 Sep 2015 9:37
Modified: 8 Jun 2020 15:18
Reporter: Jaime Crespo (OCA)
Status: Open
Category: MySQL Server: Replication
Severity: S4 (Feature request)
Version: any
OS: Any
Assigned to:
CPU Architecture: Any
Tags: dump-slave, grants, mysqldump, slave, start, stop, super

[10 Sep 2015 9:37] Jaime Crespo
This is not a bug, this is documented: 
"START SLAVE requires the SUPER privilege."
"STOP SLAVE requires the SUPER privilege."

I understand that the rationale of requiring SUPER privileges to control replication is because executing a CHANGE MASTER can be as destructive as dropping all tables. I am ok with CHANGE MASTER requiring super privileges.

However, I have a case in which it would be a security hole not having separate privileges for start/stop slave:

How to repeat:
I can execute "mysqldump --master-data" with only REPLICATION CLIENT privileges, as we only need to execute SHOW MASTER STATUS.

However, if you perform a backup from a slave, you need to use --dump-slave to have the correct master position, which by itself performs a STOP SLAVE; SHOW SLAVE STATUS; and START SLAVE;, which requires SUPER.

Suggested fix:
Separate GRANTs should be created to be able to stop and start the slave (REPLICATION CONTROL?) or mysqldump should be able to get the master coordinates without stopping the server (maybe using the new performance_schema tables?).

[17 Sep 2015 5:36] jacky leung
+1 In a standard security practice, you want to grant as little as possible. Currently we need to grant SUPER for a backup script on replicator to stop slave.

I think SUPER is granting too much power in this case.

[8 Jun 2020 15:18] Jaime Crespo
This was implemented on MySQL 8.0: https://dev.mysql.com/doc/refman/8.0/en/privileges-provided.html#priv_replication-slave-ad... This can be closed.
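
The grant change this thread arrives at, as an added example that is not part of the original report or of any commenter's post: a backup account for `mysqldump --dump-slave` holding SUPER (before) and holding the MySQL 8.0 dynamic privilege REPLICATION_SLAVE_ADMIN instead (after). The account name 'backup'@'localhost', the password placeholder and the exact list of dump privileges are assumptions for illustration.

```sql
-- Added example; 'backup'@'localhost' and the password are placeholders.

-- Privileges the dump itself needs (assumed typical set for mysqldump
-- without --single-transaction), plus REPLICATION CLIENT so that
-- SHOW SLAVE STATUS / SHOW MASTER STATUS are allowed.
CREATE USER 'backup'@'localhost' IDENTIFIED BY '<placeholder-password>';
GRANT SELECT, SHOW VIEW, TRIGGER, LOCK TABLES, REPLICATION CLIENT
    ON *.* TO 'backup'@'localhost';

-- BEFORE (the situation described in the report): --dump-slave issues
-- STOP SLAVE and START SLAVE, so the backup account is given SUPER,
-- which also covers many unrelated administrative operations.
GRANT SUPER ON *.* TO 'backup'@'localhost';

-- AFTER (MySQL 8.0): drop SUPER and grant only the replication-control
-- privilege. Dynamic privileges are global, so the grant is ON *.*.
REVOKE SUPER ON *.* FROM 'backup'@'localhost';
GRANT REPLICATION_SLAVE_ADMIN ON *.* TO 'backup'@'localhost';

-- Check 1: the account's effective grants no longer list SUPER.
SHOW GRANTS FOR 'backup'@'localhost';

-- Check 2: find every account that still holds SUPER, to review which
-- of them only needed it for START/STOP SLAVE.
SELECT GRANTEE
  FROM information_schema.USER_PRIVILEGES
 WHERE PRIVILEGE_TYPE = 'SUPER'
 ORDER BY GRANTEE;
```

REPLICATION_SLAVE_ADMIN also permits CHANGE MASTER TO, so it is narrower than SUPER but not limited to starting and stopping replication.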