maria-discuss team mailing list archive
Message #06539
Re: Privilege Question
Hi, Scott,

In MariaDB it's the SUPER privilege.

Starting from 10.5 there are fine-grained privileges for various
activities, see https://mariadb.com/kb/en/grant/#global-privileges

But there is no one "system_variables_admin" privilege. Different system
variables are protected by different privileges, for example,
@@gtid_binlog_state is protected by the REPLICATION MASTER ADMIN
privilege.

SUPER is still left to control access to global variables that don't
have a dedicated privilege. This includes all plugin variables too.

Regards,
Sergei
VP of MariaDB Server Engineering
and security@xxxxxxxxxxx

On Apr 06, Scott Canaan wrote:
> We are on MariaDB 10.5.18. There is a requirement to send all syslog
> data to a central syslog server. In the past, we did it using a login
> called ITS_READ. It has limited privs on purpose, but used to be able
> to execute the SET GLOBAL statements that we needed. Those statements
> are:
>
> SET GLOBAL server_audit_output_type=SYSLOG;
> SET GLOBAL server_audit_logging=1;
> SET GLOBAL server_audit_syslog_facility=LOG_LOCAL2;
> SET GLOBAL server_audit_events="connect,table,query_ddl,query_dcl";
>
> Now, it doesn't have the privs needed to do that. In looking online,
> I found that there is a "new" privilege (in MySQL 8), called
> system_variables_admin that allows the user to execute SET GLOBAL
> statements. However, when I try to grant that privilege, I get an
> error:
>
> MariaDB [(none)]> grant system_variables_admin to 'ITS_READ'@'localhost';
> ERROR 1959 (OP000): Invalid role specification `system_variables_admin`
>
> It seems that the only other option is to grant the SUPER privilege,
> which we don't want to do.
>
> How do I get around this, or do I just tell the sysadmins they can't
> have the syslog data?
>
> Scott Canaan '88
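
One way to let ITS_READ apply these settings without holding SUPER itself, as an added example that is not part of the original thread: a fixed-body stored procedure that runs with its definer's privileges, on which ITS_READ gets only EXECUTE. The schema `audit_ctl`, the procedure name and the account `'audit_definer'@'localhost'` are hypothetical; the example assumes the server_audit plugin is already loaded.

```sql
-- Added example. The schema audit_ctl, the procedure name and the account
-- 'audit_definer'@'localhost' are hypothetical; ITS_READ and the four
-- server_audit settings come from the thread.
-- Run once as an administrator, with the server_audit plugin already loaded.

CREATE DATABASE IF NOT EXISTS audit_ctl;

-- Owner of the routine: holds SUPER, but is locked so nobody can log in as it.
CREATE USER IF NOT EXISTS 'audit_definer'@'localhost' ACCOUNT LOCK;
GRANT SUPER ON *.* TO 'audit_definer'@'localhost';

DELIMITER //

-- SQL SECURITY DEFINER: the body is privilege-checked as audit_definer,
-- not as the caller. No parameters, so the caller cannot choose which
-- variable is set or to what value.
CREATE OR REPLACE
    DEFINER = 'audit_definer'@'localhost'
    PROCEDURE audit_ctl.enable_syslog_audit()
    SQL SECURITY DEFINER
BEGIN
    -- Values quoted as strings; otherwise the same settings as in the thread.
    SET GLOBAL server_audit_output_type = 'SYSLOG';
    SET GLOBAL server_audit_logging = 1;
    SET GLOBAL server_audit_syslog_facility = 'LOG_LOCAL2';
    SET GLOBAL server_audit_events = 'connect,table,query_ddl,query_dcl';
END //

DELIMITER ;

GRANT EXECUTE ON PROCEDURE audit_ctl.enable_syslog_audit
    TO 'ITS_READ'@'localhost';

-- Check: ITS_READ should show EXECUTE on this one routine and no SUPER.
SHOW GRANTS FOR 'ITS_READ'@'localhost';

-- As ITS_READ:
--   CALL audit_ctl.enable_syslog_audit();
--   SHOW GLOBAL VARIABLES LIKE 'server_audit%';
```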