Privilege required to run ALTER INSTANCE RELOAD TLS is too high #50680

Open
@mzhang77

Bug Report

Please answer these questions before submitting your issue. Thanks!

1. Minimal reproduce step (Required)

% mysql -h 127.0.0.1 -P4000 -u root      

mysql> create user 'jack'@'%' identified by 'tidb';
Query OK, 0 rows affected (0.01 sec)

mysql> grant connection_admin on *.* to 'jack'@'%';
Query OK, 0 rows affected (0.01 sec)

mysql> exit

% mysql -h 127.0.0.1 -P4000 -u jack -p   

mysql> ALTER INSTANCE RELOAD TLS;
ERROR 1227 (42000): SUPER
mysql> exit

% mysql -h 127.0.0.1 -P4000 -u root   

mysql> grant super on *.* to 'jack'@'%';
Query OK, 0 rows affected (0.01 sec)

mysql> exit

% mysql -h 127.0.0.1 -P4000 -u jack -p

mysql> ALTER INSTANCE RELOAD TLS;
Query OK, 0 rows affected (0.58 sec)

mysql> exit

2. What did you expect to see? (Required)

There is no TiDB document explaining what privilege is required to run ALTER INSTANCE RELOAD TLS.

Per the MySQL documentation: https://dev.mysql.com/doc/refman/8.0/en/alter-instance.html

ALTER INSTANCE RELOAD TLS
This action reconfigures a TLS context from the current values of the system variables that define the context. It also updates the status variables that reflect the active context values. This action requires the CONNECTION_ADMIN privilege.

3. What did you see instead (Required)

But in TiDB, CONNECTION_ADMIN alone is not enough. SUPER is required to run this command.

There are 2 issues here:

  1. It is not compatible with MySQL.
  2. DBAs have to grant the SUPER privilege, giving the database user too many privileges.

4. What is your TiDB version? (Required)

tidb_version(): Release Version: v7.5.0
Edition: Community
Git Commit Hash: 069631e
Git Branch: heads/refs/tags/v7.5.0
UTC Build Time: 2023-11-24 08:50:14
GoVersion: go1.21.3
Race Enabled: false
Check Table Before Drop: false
Store: tikv
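
An audit for the workaround pattern shown in this report, added here as an example (not code from TiDB or from the reporter): it parses captured `SHOW GRANTS` output and lists accounts holding SUPER on `*.*`, separating those that also hold CONNECTION_ADMIN and are therefore candidates for having SUPER revoked if it was granted only for `ALTER INSTANCE RELOAD TLS`. The function names and every account other than `'jack'@'%'` are assumptions, and the grant lines are constructed.

```python
import re

# Constructed SHOW GRANTS output, one statement per line. Only 'jack'@'%'
# comes from the report; the other accounts are made up for illustration.
SAMPLE_GRANTS = """\
GRANT SUPER ON *.* TO 'jack'@'%'
GRANT CONNECTION_ADMIN ON *.* TO 'jack'@'%'
GRANT SELECT,INSERT ON `app`.* TO 'app_rw'@'10.0.%'
GRANT CONNECTION_ADMIN ON *.* TO 'certbot'@'localhost'
GRANT ALL PRIVILEGES ON *.* TO 'root'@'%' WITH GRANT OPTION
GRANT Super ON *.* TO 'legacy_dba'@'%'
"""

# Accepts both 'user'@'host' and `user`@`host` quoting.
GRANT_RE = re.compile(
    r"^GRANT\s+(?P<privs>.+?)\s+ON\s+(?P<scope>\S+)\s+TO\s+"
    r"[`'](?P<user>[^`']*)[`']@[`'](?P<host>[^`']*)[`']",
    re.IGNORECASE,
)

# Grants on *.* that give an account SUPER.
SUPER_EQUIVALENT = {"SUPER", "ALL PRIVILEGES", "ALL"}


def global_privileges(show_grants_text):
    """Map each account to the upper-cased privileges it holds ON *.*."""
    accounts = {}
    for line in show_grants_text.splitlines():
        m = GRANT_RE.match(line.strip())
        if not m or m.group("scope") != "*.*":
            continue  # skip non-GRANT lines and schema/table-level grants
        account = "'%s'@'%s'" % (m.group("user"), m.group("host"))
        privs = {p.strip().upper() for p in m.group("privs").split(",")}
        accounts.setdefault(account, set()).update(privs)
    return accounts


def audit_super(show_grants_text):
    """Return (reducible, review) lists of accounts holding SUPER on *.*.

    reducible: also hold CONNECTION_ADMIN (the pattern from this report).
    review:    SUPER or ALL PRIVILEGES without CONNECTION_ADMIN.
    """
    reducible, review = [], []
    for account, privs in sorted(global_privileges(show_grants_text).items()):
        if privs & SUPER_EQUIVALENT:
            (reducible if "CONNECTION_ADMIN" in privs else review).append(account)
    return reducible, review


if __name__ == "__main__":
    print(audit_super(SAMPLE_GRANTS))
```
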

    Labels

    compatibility-mysql80: This is a compatibility issue with MySQL 8.0 (but NOT 5.7)
    sig/sql-infra: SIG: SQL Infra
    type/feature-request: Categorizes issue or PR as related to a new feature.
