Description
Bug Report
1. Minimal reproduce step (Required)
% mysql -h 127.0.0.1 -P4000 -u root
mysql> create user 'jack'@'%' identified by 'tidb';
Query OK, 0 rows affected (0.01 sec)
mysql> grant connection_admin on *.* to 'jack'@'%';
Query OK, 0 rows affected (0.01 sec)
mysql> exit
% mysql -h 127.0.0.1 -P4000 -u jack -p
mysql> ALTER INSTANCE RELOAD TLS;
ERROR 1227 (42000): SUPER
mysql> exit
% mysql -h 127.0.0.1 -P4000 -u root
mysql> grant super on *.* to 'jack'@'%';
Query OK, 0 rows affected (0.01 sec)
mysql> exit
% mysql -h 127.0.0.1 -P4000 -u jack -p
mysql> ALTER INSTANCE RELOAD TLS;
Query OK, 0 rows affected (0.58 sec)
mysql> exit
2. What did you expect to see? (Required)
There is no TiDB document explaining what privilege is required to run ALTER INSTANCE RELOAD TLS.
Per the MySQL documentation: https://dev.mysql.com/doc/refman/8.0/en/alter-instance.html
ALTER INSTANCE RELOAD TLS
This action reconfigures a TLS context from the current values of the system variables that define the context. It also updates the status variables that reflect the active context values. This action requires the CONNECTION_ADMIN privilege.
3. What did you see instead (Required)
But in TiDB, CONNECTION_ADMIN alone is not enough. SUPER is required to run this command.
There are 2 issues here:
- It is not compatible with MySQL.
- DBAs have to grant the SUPER privilege, which gives the database user too many privileges.
4. What is your TiDB version? (Required)
tidb_version(): Release Version: v7.5.0
Edition: Community
Git Commit Hash: 069631e
Git Branch: heads/refs/tags/v7.5.0
UTC Build Time: 2023-11-24 08:50:14
GoVersion: go1.21.3
Race Enabled: false
Check Table Before Drop: false
Store: tikv
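
An audit query for the over-privilege problem described in this report, as an added example that is not part of the original issue or of TiDB's own code: it lists accounts that hold SUPER directly and flags those that also hold CONNECTION_ADMIN, so grants made only to run ALTER INSTANCE RELOAD TLS can be tracked and revoked later. It assumes the MySQL-style grant tables mysql.user (Super_priv column) and mysql.global_grants (USER, HOST, PRIV columns).

```sql
-- Added example, run as an administrative account.
-- Assumption: static privileges live in mysql.user and dynamic privileges
-- in mysql.global_grants. Privileges inherited through roles are not
-- resolved by this query; check role grants separately.
SELECT u.User AS account_user,
       u.Host AS account_host,
       CASE WHEN g.PRIV IS NULL THEN 'N' ELSE 'Y' END AS has_connection_admin
FROM mysql.user AS u
LEFT JOIN mysql.global_grants AS g
       ON g.USER = u.User
      AND g.HOST = u.Host
      AND g.PRIV = 'CONNECTION_ADMIN'
WHERE u.Super_priv = 'Y'
ORDER BY has_connection_admin DESC, u.User, u.Host;

-- Rows with has_connection_admin = 'Y' are the accounts to review first:
-- they already hold the narrow privilege the MySQL manual names for
-- ALTER INSTANCE RELOAD TLS, so SUPER may have been added only as the
-- workaround shown in the reproduce steps.

-- Confirm the full grant set of the account used in the report:
SHOW GRANTS FOR 'jack'@'%';

-- Once the server in use accepts CONNECTION_ADMIN for this statement,
-- remove the broad grant and re-test the reload as that user:
-- REVOKE SUPER ON *.* FROM 'jack'@'%';
```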