WL#12820: Extend GRANT syntax to cover partial revokes information
Affects: Server-8.0
—
Status: Complete
WL#12098 introduced concept of partial revokes associated with global privileges grants. In an HA environment, grants and revoke require knowledge of grantor's context to be able to replicate the effect of the grant uniformly across different nodes. This is done by adding grantor's information in binary log's query log event header. Secondary nodes use this information to set required context and replay grant/revoke. However, for tools like mysqlbinlog, there is no way to set grantor's context because it uses a regular libmysqlclient connection. This impacts point in time recovery using mysqlbinlog because grants can not be replayed reliably. This worklog aims at introducing extensions to GRANT/REVOKE syntax such that partial revoke information is passed as a part of SQL itself. Feature will make sure that rewritten GRANT/REVOKE are not dependent on grantor's information and can be replayed uniformly on any node.
Definition
==========
User: User executing GRANT statement.
Grantor: Authorization ID that is a part of new syntax extension.
Active_roles: Authorization IDs treated as active roles for Grantor - Also
explicitly specified as a part of new syntax extension.
Functional Requirements
=======================
FR1: Server should support an extension to GRANT syntax to specify information
about grantor and active roles information. New extension:
[AS user
[WITH ROLE
DEFAULT
| NONE
| ALL
| ALL EXCEPT role [, role ] ...]
| role [, role ] ...]
]
Complete GRANT syntax should look like following:
GRANT
priv_type [(column_list)]
[, priv_type [(column_list)]] ...
ON [object_type] priv_level
TO user_or_role [, user_or_role] ...
[WITH GRANT OPTION]
[AS user
[WITH ROLE
DEFAULT
| NONE
| ALL
| ALL EXCEPT role [, role ] ...]
| role [, role ] ...]
]
Purpose of the new syntax extension is to make sure that restrictions
associated with Grantor (and Active_roles) are applied to grantee
even if statement is executed by User - who may have superior set of
privileges.
FR2: In order to specify new extension, following privilege restrictions apply:
1. User must have ability to grant all privileges mentioned
in GRANT statement
2. If --partial_revoke is set to ON and if User has restrictions
associated with privileges being granted through GRANT statement,
Grantor along with all Active_roles set, must also have same
or more restrictions.
FR3: The new extension should work only for global privilege grants i.e. if
priv_level is *.*.
FR3.1: Exception to FR3 is GRANT PROXY. New extension will not be supported
for proxy grants.
FR4: Effect on query logging:
1. If --partial_revokes is set to ON, while rewriting GRANT to
binary log, information about Grantor and Active_roles
should be added to binary log.
2. GRANT must not be rewritten for any other logs
e.g. general log, audit log etc.
FR5: Impact on replication:
1. Please see point 1 of FR4 for impact on binary log.
2. Changes introduced to binary log query event header by
WL#12098 must be reverted because they are no longer needed.
FR6: Incompatibility warnings introduced by while setting --partial_revokes
should be removed as they are no longer required. These were introduced
by WL#12098.
HLS1: GRANT will support new clause as mentioned in FR1. LEX will be
updated to contain information about new clause in GRANT statement.
Parser will be changed to support new clause for:
GRANT ... TO ...
GRANT ALL ON *.* TO ...
A special case of GRANT ... AS ... is when user executing the
GRANT statement is same as user in AS clause - either by specifying
user name explicitly or using CURRENT_USER(). A usecase for such
usage is - a user who has activated many roles wants to make sure
that only a subset of roles play part while granting privileges
to grantee. This may be required in order to pass a stricter set
of permission through e.g. restriction list.
HLS2: Rationale for FR2.
The main use-case for the syntax extension is to make sure that
information related to restrictions is available in binary log
in SQL format so that mysqlbinlog can extract and execute it.
The fundamental assumption here is: PITR through mysqlbinlog
would typically use a user account that has privileges
higher than regular users to make sure that ALL statements in
binary logs are replayed without any problem.
In case of PITR with --partial-revokes=ON, GRANT can cause a user
to have more privileges than the actual grant executed by regular
user with restriction list. This is because restrictions are
are passed from grantor to grantee.
If we do not check for privileges mentioned in point 1 and 2
of FR2, user may be able perform privilege escalation through new
statement because while intended use is for mysqlbinlog, it still
is a valid SQL that can be explicitly executed.
Hence, User executing GRANT must have superior privilege set then
user/role combination specified in AS ... part. Note that, only
privileges being granted through the statement are of interest at
this point. We do not care of about difference wrt other privileges
because they do not play any role in given GRANT statement.
HLS3: Rationale for FR5
WL#12098 introduced new flag - ACTIVE_ROLES for query event header of
binary log. As per FR4, new extension will be used to capture
invoker's context while rewriting query for binary log. Hence, there
is no need to pass same information again through ACTIVE_ROLES and
subsequently use it on slave side. Since both: WL#12098 and WL#12820
are meant for same MRU, we can safely revert these changes without
any customer visible impact.
HLS4: If --partial_revokes is set to ON, when GRANT is rewritten to binary log,
it will always contain complete list of roles. We will not use keywords
like NONE/DEFAULT/ALL. If user has explicitly specified GRANT ... AS ...
query using NONE/DEFAULT/ALL, it will be logged as it is.
HLS5: Impact on replication
- In case of OLD->NEW setup, behavior should be compatible.
- In case of NEW->OLD setup, behavior is incompatible if extension
proposed in FR1 is used.
HLS6: No impact on UPGRADE
Copyright (c) 2000, 2025, Oracle Corporation and/or its affiliates. All rights reserved.