WL#12966: Replication with privilege checks

Affects: Server-8.0   —   Status: Complete

EXECUTIVE SUMMARY
=================

Make it possible to enable privilege checks on replication channels,
so that a slave can apply changes from an untrusted master without
giving the applier threads unrestricted privileges.


USER STORIES
============

U1. As a cloud service provider:
    - I need ways to restrict the replication applier threads for a
      channel to a limited set of privileges,
    - so that I can enable the following use cases without giving my
      customers control over the cloud:
      U1.1. Migrate from on-premise or other cloud providers
      U1.2. Have their database on-premise or on another cloud
            provider, but use my service for analytics or backup.

U2. As an operator in an organization with multiple on-premise
    deployments:
    - I need to restrict the replication applier threads for a channel
      to a limited set of privileges,
    - so that I can provide slaves for HA, scale-out, and analytics,
      without giving full privileges on my slaves to the DBAs of the
      deployments.

U3. As an operator of a topology containing multi-source slaves:
    - I need to restrict the replication applier threads for channels
      to different parts of the database,
    - so that I am sure that different channels do not replicate
      conflicting changes.

U4. As an operator of a GR cluster:
    - I need to restrict the GR applier channels so that operations
      which are disallowed for all users are disallowed on the channel,
    - so that even if one node is compromised, it does not allow the
      attacker to perform the disallowed operations on the rest of the
      cluster.

U5. As a cloud service provider or operator in any of the scenarios
    described in U1-U3:
    - I need ways to allow a user to execute the output of mysqlbinlog
      without giving that user arbitrary privileges,
    - so that I can use mysqlbinlog to recover from mistakes or bugs,
      without exposing my deployment to security threats.