include/group_replication.inc
Warnings:
Note	####	Sending passwords in plain text without SSL/TLS is extremely insecure.
Note	####	Storing MySQL user name or password information in the master info repository is not secure and is therefore not recommended. Please consider using the USER and PASSWORD connection options for START SLAVE; see the 'START SLAVE Syntax' in the MySQL Manual for more information.
[connection server1]

############################################################
# 1. Create an user which lacks privileges.
[connection server1]
SET GLOBAL group_replication_group_name= "GROUP_REPLICATION_GROUP_NAME";
CREATE USER 'no_priv_user'@localhost IDENTIFIED BY '';
GRANT ALL ON *.* TO 'no_priv_user'@localhost;
REVOKE SUPER, SYSTEM_VARIABLES_ADMIN, SESSION_VARIABLES_ADMIN, GROUP_REPLICATION_ADMIN
ON *.* FROM 'no_priv_user'@localhost;

############################################################
# 2. Expect ER_SPECIFIC_ACCESS_DENIED_ERROR when setting GR
#    global variables since user lacks SUPER or
#    SYSTEM_VARIABLES_ADMIN privileges.
CREATE TABLE gr_vars (id INT PRIMARY KEY AUTO_INCREMENT, var_name VARCHAR(64), var_value VARCHAR(256));
INSERT INTO gr_vars (var_name, var_value)
SELECT * FROM performance_schema.global_variables
WHERE VARIABLE_NAME LIKE '%group_replication%'
 ORDER BY VARIABLE_NAME;
[connection no_priv_user_con]

# Expect ER_SPECIFIC_ACCESS_DENIED_ERROR for global variables.
SET GLOBAL group_replication_allow_local_lower_version_join = @@GLOBAL.group_replication_allow_local_lower_version_join;
ERROR 42000: Access denied; you need (at least one of) the SUPER or SYSTEM_VARIABLES_ADMIN privilege(s) for this operation
SET GLOBAL group_replication_auto_increment_increment = @@GLOBAL.group_replication_auto_increment_increment;
ERROR 42000: Access denied; you need (at least one of) the SUPER or SYSTEM_VARIABLES_ADMIN privilege(s) for this operation
SET GLOBAL group_replication_autorejoin_tries = @@GLOBAL.group_replication_autorejoin_tries;
ERROR 42000: Access denied; you need (at least one of) the SUPER or SYSTEM_VARIABLES_ADMIN privilege(s) for this operation
SET GLOBAL group_replication_bootstrap_group = @@GLOBAL.group_replication_bootstrap_group;
ERROR 42000: Access denied; you need (at least one of) the SUPER or SYSTEM_VARIABLES_ADMIN privilege(s) for this operation
SET GLOBAL group_replication_clone_threshold = @@GLOBAL.group_replication_clone_threshold;
ERROR 42000: Access denied; you need (at least one of) the SUPER or SYSTEM_VARIABLES_ADMIN privilege(s) for this operation
SET GLOBAL group_replication_communication_debug_options = @@GLOBAL.group_replication_communication_debug_options;
ERROR 42000: Access denied; you need (at least one of) the SUPER or SYSTEM_VARIABLES_ADMIN privilege(s) for this operation
SET GLOBAL group_replication_communication_max_message_size = @@GLOBAL.group_replication_communication_max_message_size;
ERROR 42000: Access denied; you need (at least one of) the SUPER or SYSTEM_VARIABLES_ADMIN privilege(s) for this operation
SET GLOBAL group_replication_components_stop_timeout = @@GLOBAL.group_replication_components_stop_timeout;
ERROR 42000: Access denied; you need (at least one of) the SUPER or SYSTEM_VARIABLES_ADMIN privilege(s) for this operation
SET GLOBAL group_replication_compression_threshold = @@GLOBAL.group_replication_compression_threshold;
ERROR 42000: Access denied; you need (at least one of) the SUPER or SYSTEM_VARIABLES_ADMIN privilege(s) for this operation
SET GLOBAL group_replication_consistency = @@GLOBAL.group_replication_consistency;
ERROR 42000: Access denied; you need (at least one of) the SUPER or SYSTEM_VARIABLES_ADMIN privilege(s) for this operation
SET GLOBAL group_replication_enforce_update_everywhere_checks = @@GLOBAL.group_replication_enforce_update_everywhere_checks;
ERROR 42000: Access denied; you need (at least one of) the SUPER or SYSTEM_VARIABLES_ADMIN privilege(s) for this operation
SET GLOBAL group_replication_exit_state_action = @@GLOBAL.group_replication_exit_state_action;
ERROR 42000: Access denied; you need (at least one of) the SUPER or SYSTEM_VARIABLES_ADMIN privilege(s) for this operation
SET GLOBAL group_replication_flow_control_applier_threshold = @@GLOBAL.group_replication_flow_control_applier_threshold;
ERROR 42000: Access denied; you need (at least one of) the SUPER or SYSTEM_VARIABLES_ADMIN privilege(s) for this operation
SET GLOBAL group_replication_flow_control_certifier_threshold = @@GLOBAL.group_replication_flow_control_certifier_threshold;
ERROR 42000: Access denied; you need (at least one of) the SUPER or SYSTEM_VARIABLES_ADMIN privilege(s) for this operation
SET GLOBAL group_replication_flow_control_hold_percent = @@GLOBAL.group_replication_flow_control_hold_percent;
ERROR 42000: Access denied; you need (at least one of) the SUPER or SYSTEM_VARIABLES_ADMIN privilege(s) for this operation
SET GLOBAL group_replication_flow_control_max_quota = @@GLOBAL.group_replication_flow_control_max_quota;
ERROR 42000: Access denied; you need (at least one of) the SUPER or SYSTEM_VARIABLES_ADMIN privilege(s) for this operation
SET GLOBAL group_replication_flow_control_member_quota_percent = @@GLOBAL.group_replication_flow_control_member_quota_percent;
ERROR 42000: Access denied; you need (at least one of) the SUPER or SYSTEM_VARIABLES_ADMIN privilege(s) for this operation
SET GLOBAL group_replication_flow_control_min_quota = @@GLOBAL.group_replication_flow_control_min_quota;
ERROR 42000: Access denied; you need (at least one of) the SUPER or SYSTEM_VARIABLES_ADMIN privilege(s) for this operation
SET GLOBAL group_replication_flow_control_min_recovery_quota = @@GLOBAL.group_replication_flow_control_min_recovery_quota;
ERROR 42000: Access denied; you need (at least one of) the SUPER or SYSTEM_VARIABLES_ADMIN privilege(s) for this operation
SET GLOBAL group_replication_flow_control_mode = @@GLOBAL.group_replication_flow_control_mode;
ERROR 42000: Access denied; you need (at least one of) the SUPER or SYSTEM_VARIABLES_ADMIN privilege(s) for this operation
SET GLOBAL group_replication_flow_control_period = @@GLOBAL.group_replication_flow_control_period;
ERROR 42000: Access denied; you need (at least one of) the SUPER or SYSTEM_VARIABLES_ADMIN privilege(s) for this operation
SET GLOBAL group_replication_flow_control_release_percent = @@GLOBAL.group_replication_flow_control_release_percent;
ERROR 42000: Access denied; you need (at least one of) the SUPER or SYSTEM_VARIABLES_ADMIN privilege(s) for this operation
SET GLOBAL group_replication_force_members = @@GLOBAL.group_replication_force_members;
ERROR 42000: Access denied; you need (at least one of) the SUPER or SYSTEM_VARIABLES_ADMIN privilege(s) for this operation
SET GLOBAL group_replication_group_name = @@GLOBAL.group_replication_group_name;
ERROR 42000: Access denied; you need (at least one of) the SUPER or SYSTEM_VARIABLES_ADMIN privilege(s) for this operation
SET GLOBAL group_replication_group_seeds = @@GLOBAL.group_replication_group_seeds;
ERROR 42000: Access denied; you need (at least one of) the SUPER or SYSTEM_VARIABLES_ADMIN privilege(s) for this operation
SET GLOBAL group_replication_gtid_assignment_block_size = @@GLOBAL.group_replication_gtid_assignment_block_size;
ERROR 42000: Access denied; you need (at least one of) the SUPER or SYSTEM_VARIABLES_ADMIN privilege(s) for this operation
SET GLOBAL group_replication_ip_whitelist = @@GLOBAL.group_replication_ip_whitelist;
ERROR 42000: Access denied; you need (at least one of) the SUPER or SYSTEM_VARIABLES_ADMIN privilege(s) for this operation
SET GLOBAL group_replication_local_address = @@GLOBAL.group_replication_local_address;
ERROR 42000: Access denied; you need (at least one of) the SUPER or SYSTEM_VARIABLES_ADMIN privilege(s) for this operation
SET GLOBAL group_replication_member_expel_timeout = @@GLOBAL.group_replication_member_expel_timeout;
ERROR 42000: Access denied; you need (at least one of) the SUPER or SYSTEM_VARIABLES_ADMIN privilege(s) for this operation
SET GLOBAL group_replication_member_weight = @@GLOBAL.group_replication_member_weight;
ERROR 42000: Access denied; you need (at least one of) the SUPER or SYSTEM_VARIABLES_ADMIN privilege(s) for this operation
SET GLOBAL group_replication_message_cache_size = @@GLOBAL.group_replication_message_cache_size;
ERROR 42000: Access denied; you need (at least one of) the SUPER or SYSTEM_VARIABLES_ADMIN privilege(s) for this operation
SET GLOBAL group_replication_poll_spin_loops = @@GLOBAL.group_replication_poll_spin_loops;
ERROR 42000: Access denied; you need (at least one of) the SUPER or SYSTEM_VARIABLES_ADMIN privilege(s) for this operation
SET GLOBAL group_replication_recovery_complete_at = @@GLOBAL.group_replication_recovery_complete_at;
ERROR 42000: Access denied; you need (at least one of) the SUPER or SYSTEM_VARIABLES_ADMIN privilege(s) for this operation
SET GLOBAL group_replication_recovery_compression_algorithms = @@GLOBAL.group_replication_recovery_compression_algorithms;
ERROR 42000: Access denied; you need (at least one of) the SUPER or SYSTEM_VARIABLES_ADMIN privilege(s) for this operation
SET GLOBAL group_replication_recovery_get_public_key = @@GLOBAL.group_replication_recovery_get_public_key;
ERROR 42000: Access denied; you need (at least one of) the SUPER or SYSTEM_VARIABLES_ADMIN privilege(s) for this operation
SET GLOBAL group_replication_recovery_public_key_path = @@GLOBAL.group_replication_recovery_public_key_path;
ERROR 42000: Access denied; you need (at least one of) the SUPER or SYSTEM_VARIABLES_ADMIN privilege(s) for this operation
SET GLOBAL group_replication_recovery_reconnect_interval = @@GLOBAL.group_replication_recovery_reconnect_interval;
ERROR 42000: Access denied; you need (at least one of) the SUPER or SYSTEM_VARIABLES_ADMIN privilege(s) for this operation
SET GLOBAL group_replication_recovery_retry_count = @@GLOBAL.group_replication_recovery_retry_count;
ERROR 42000: Access denied; you need (at least one of) the SUPER or SYSTEM_VARIABLES_ADMIN privilege(s) for this operation
SET GLOBAL group_replication_recovery_ssl_ca = @@GLOBAL.group_replication_recovery_ssl_ca;
ERROR 42000: Access denied; you need (at least one of) the SUPER or SYSTEM_VARIABLES_ADMIN privilege(s) for this operation
SET GLOBAL group_replication_recovery_ssl_capath = @@GLOBAL.group_replication_recovery_ssl_capath;
ERROR 42000: Access denied; you need (at least one of) the SUPER or SYSTEM_VARIABLES_ADMIN privilege(s) for this operation
SET GLOBAL group_replication_recovery_ssl_cert = @@GLOBAL.group_replication_recovery_ssl_cert;
ERROR 42000: Access denied; you need (at least one of) the SUPER or SYSTEM_VARIABLES_ADMIN privilege(s) for this operation
SET GLOBAL group_replication_recovery_ssl_cipher = @@GLOBAL.group_replication_recovery_ssl_cipher;
ERROR 42000: Access denied; you need (at least one of) the SUPER or SYSTEM_VARIABLES_ADMIN privilege(s) for this operation
SET GLOBAL group_replication_recovery_ssl_crl = @@GLOBAL.group_replication_recovery_ssl_crl;
ERROR 42000: Access denied; you need (at least one of) the SUPER or SYSTEM_VARIABLES_ADMIN privilege(s) for this operation
SET GLOBAL group_replication_recovery_ssl_crlpath = @@GLOBAL.group_replication_recovery_ssl_crlpath;
ERROR 42000: Access denied; you need (at least one of) the SUPER or SYSTEM_VARIABLES_ADMIN privilege(s) for this operation
SET GLOBAL group_replication_recovery_ssl_key = @@GLOBAL.group_replication_recovery_ssl_key;
ERROR 42000: Access denied; you need (at least one of) the SUPER or SYSTEM_VARIABLES_ADMIN privilege(s) for this operation
SET GLOBAL group_replication_recovery_ssl_verify_server_cert = @@GLOBAL.group_replication_recovery_ssl_verify_server_cert;
ERROR 42000: Access denied; you need (at least one of) the SUPER or SYSTEM_VARIABLES_ADMIN privilege(s) for this operation
SET GLOBAL group_replication_recovery_use_ssl = @@GLOBAL.group_replication_recovery_use_ssl;
ERROR 42000: Access denied; you need (at least one of) the SUPER or SYSTEM_VARIABLES_ADMIN privilege(s) for this operation
SET GLOBAL group_replication_recovery_zstd_compression_level = @@GLOBAL.group_replication_recovery_zstd_compression_level;
ERROR 42000: Access denied; you need (at least one of) the SUPER or SYSTEM_VARIABLES_ADMIN privilege(s) for this operation
SET GLOBAL group_replication_single_primary_mode = @@GLOBAL.group_replication_single_primary_mode;
ERROR 42000: Access denied; you need (at least one of) the SUPER or SYSTEM_VARIABLES_ADMIN privilege(s) for this operation
SET GLOBAL group_replication_ssl_mode = @@GLOBAL.group_replication_ssl_mode;
ERROR 42000: Access denied; you need (at least one of) the SUPER or SYSTEM_VARIABLES_ADMIN privilege(s) for this operation
SET GLOBAL group_replication_start_on_boot = @@GLOBAL.group_replication_start_on_boot;
ERROR 42000: Access denied; you need (at least one of) the SUPER or SYSTEM_VARIABLES_ADMIN privilege(s) for this operation
SET GLOBAL group_replication_transaction_size_limit = @@GLOBAL.group_replication_transaction_size_limit;
ERROR 42000: Access denied; you need (at least one of) the SUPER or SYSTEM_VARIABLES_ADMIN privilege(s) for this operation
SET GLOBAL group_replication_unreachable_majority_timeout = @@GLOBAL.group_replication_unreachable_majority_timeout;
ERROR 42000: Access denied; you need (at least one of) the SUPER or SYSTEM_VARIABLES_ADMIN privilege(s) for this operation

# Like most system variables, setting the session value for
# group_replication_consistency requires no special privileges.
SET SESSION group_replication_consistency = @@SESSION.group_replication_consistency;

############################################################
# 3. Grant SYSTEM_VARIABLES_ADMIN and verify setting group
#    replication variables at global scope succeed, except
#    group_replication_consistency which also needs
#    GROUP_REPLICATION_ADMIN privilege.
[connection server1]
GRANT SYSTEM_VARIABLES_ADMIN, SESSION_VARIABLES_ADMIN ON *.* TO 'no_priv_user'@localhost;
[connection no_priv_user_con]

SET GLOBAL group_replication_allow_local_lower_version_join = @@GLOBAL.group_replication_allow_local_lower_version_join;
SET GLOBAL group_replication_auto_increment_increment = @@GLOBAL.group_replication_auto_increment_increment;
SET GLOBAL group_replication_autorejoin_tries = @@GLOBAL.group_replication_autorejoin_tries;
SET GLOBAL group_replication_bootstrap_group = @@GLOBAL.group_replication_bootstrap_group;
SET GLOBAL group_replication_clone_threshold = @@GLOBAL.group_replication_clone_threshold;
SET GLOBAL group_replication_communication_debug_options = @@GLOBAL.group_replication_communication_debug_options;
SET GLOBAL group_replication_communication_max_message_size = @@GLOBAL.group_replication_communication_max_message_size;
SET GLOBAL group_replication_components_stop_timeout = @@GLOBAL.group_replication_components_stop_timeout;
SET GLOBAL group_replication_compression_threshold = @@GLOBAL.group_replication_compression_threshold;
SET GLOBAL group_replication_consistency = @@GLOBAL.group_replication_consistency;
ERROR 42000: Access denied; you need (at least one of) the SUPER or GROUP_REPLICATION_ADMIN privilege(s) for this operation
SET GLOBAL group_replication_enforce_update_everywhere_checks = @@GLOBAL.group_replication_enforce_update_everywhere_checks;
SET GLOBAL group_replication_exit_state_action = @@GLOBAL.group_replication_exit_state_action;
SET GLOBAL group_replication_flow_control_applier_threshold = @@GLOBAL.group_replication_flow_control_applier_threshold;
SET GLOBAL group_replication_flow_control_certifier_threshold = @@GLOBAL.group_replication_flow_control_certifier_threshold;
SET GLOBAL group_replication_flow_control_hold_percent = @@GLOBAL.group_replication_flow_control_hold_percent;
SET GLOBAL group_replication_flow_control_max_quota = @@GLOBAL.group_replication_flow_control_max_quota;
SET GLOBAL group_replication_flow_control_member_quota_percent = @@GLOBAL.group_replication_flow_control_member_quota_percent;
SET GLOBAL group_replication_flow_control_min_quota = @@GLOBAL.group_replication_flow_control_min_quota;
SET GLOBAL group_replication_flow_control_min_recovery_quota = @@GLOBAL.group_replication_flow_control_min_recovery_quota;
SET GLOBAL group_replication_flow_control_mode = @@GLOBAL.group_replication_flow_control_mode;
SET GLOBAL group_replication_flow_control_period = @@GLOBAL.group_replication_flow_control_period;
SET GLOBAL group_replication_flow_control_release_percent = @@GLOBAL.group_replication_flow_control_release_percent;
SET GLOBAL group_replication_force_members = @@GLOBAL.group_replication_force_members;
SET GLOBAL group_replication_group_name = @@GLOBAL.group_replication_group_name;
SET GLOBAL group_replication_group_seeds = @@GLOBAL.group_replication_group_seeds;
SET GLOBAL group_replication_gtid_assignment_block_size = @@GLOBAL.group_replication_gtid_assignment_block_size;
SET GLOBAL group_replication_ip_whitelist = @@GLOBAL.group_replication_ip_whitelist;
SET GLOBAL group_replication_local_address = @@GLOBAL.group_replication_local_address;
SET GLOBAL group_replication_member_expel_timeout = @@GLOBAL.group_replication_member_expel_timeout;
SET GLOBAL group_replication_member_weight = @@GLOBAL.group_replication_member_weight;
SET GLOBAL group_replication_message_cache_size = @@GLOBAL.group_replication_message_cache_size;
SET GLOBAL group_replication_poll_spin_loops = @@GLOBAL.group_replication_poll_spin_loops;
SET GLOBAL group_replication_recovery_complete_at = @@GLOBAL.group_replication_recovery_complete_at;
SET GLOBAL group_replication_recovery_compression_algorithms = @@GLOBAL.group_replication_recovery_compression_algorithms;
SET GLOBAL group_replication_recovery_get_public_key = @@GLOBAL.group_replication_recovery_get_public_key;
SET GLOBAL group_replication_recovery_public_key_path = @@GLOBAL.group_replication_recovery_public_key_path;
SET GLOBAL group_replication_recovery_reconnect_interval = @@GLOBAL.group_replication_recovery_reconnect_interval;
SET GLOBAL group_replication_recovery_retry_count = @@GLOBAL.group_replication_recovery_retry_count;
SET GLOBAL group_replication_recovery_ssl_ca = @@GLOBAL.group_replication_recovery_ssl_ca;
SET GLOBAL group_replication_recovery_ssl_capath = @@GLOBAL.group_replication_recovery_ssl_capath;
SET GLOBAL group_replication_recovery_ssl_cert = @@GLOBAL.group_replication_recovery_ssl_cert;
SET GLOBAL group_replication_recovery_ssl_cipher = @@GLOBAL.group_replication_recovery_ssl_cipher;
SET GLOBAL group_replication_recovery_ssl_crl = @@GLOBAL.group_replication_recovery_ssl_crl;
SET GLOBAL group_replication_recovery_ssl_crlpath = @@GLOBAL.group_replication_recovery_ssl_crlpath;
SET GLOBAL group_replication_recovery_ssl_key = @@GLOBAL.group_replication_recovery_ssl_key;
SET GLOBAL group_replication_recovery_ssl_verify_server_cert = @@GLOBAL.group_replication_recovery_ssl_verify_server_cert;
SET GLOBAL group_replication_recovery_use_ssl = @@GLOBAL.group_replication_recovery_use_ssl;
SET GLOBAL group_replication_recovery_zstd_compression_level = @@GLOBAL.group_replication_recovery_zstd_compression_level;
SET GLOBAL group_replication_single_primary_mode = @@GLOBAL.group_replication_single_primary_mode;
SET GLOBAL group_replication_ssl_mode = @@GLOBAL.group_replication_ssl_mode;
SET GLOBAL group_replication_start_on_boot = @@GLOBAL.group_replication_start_on_boot;
SET GLOBAL group_replication_transaction_size_limit = @@GLOBAL.group_replication_transaction_size_limit;
SET GLOBAL group_replication_unreachable_majority_timeout = @@GLOBAL.group_replication_unreachable_majority_timeout;

############################################################
# 4. Grant GROUP_REPLICATION_ADMIN and verify setting
#    group_replication_consistency at global scope succeeds.
[connection server1]
GRANT GROUP_REPLICATION_ADMIN ON *.* TO 'no_priv_user'@localhost;
[connection no_priv_user_con]
SET GLOBAL group_replication_consistency = @@GLOBAL.group_replication_consistency;

############################################################
# 5. Clean up.
[connection server1]
DROP TABLE gr_vars;
REVOKE ALL PRIVILEGES, GRANT OPTION FROM 'no_priv_user'@localhost;
DROP USER 'no_priv_user'@localhost;
FLUSH PRIVILEGES;
include/group_replication_end.inc