Hi, Oleksandr!

On Apr 20, Oleksandr Byelkin wrote:
+ +CREATE TEMPORARY TABLE tmp_user_sys LIKE global_priv; +INSERT INTO tmp_user_sys (Host,User,Priv) VALUES ('localhost','mariadb.sys','{"access":512,"plugin":"mysql_native_password","authentication_string":"","account_locked":true,"password_last_changed":0}'); +INSERT INTO global_priv SELECT * FROM tmp_user_sys WHERE NOT @had_sys_user; +DROP TABLE tmp_user_sys;
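Review bot: The guard on the final INSERT ... SELECT, WHERE NOT @had_sys_user, relies on a user variable that is not set anywhere in these lines; if it is NULL at this point, NOT NULL evaluates to NULL and the mariadb.sys row is silently never inserted. Set @had_sys_user explicitly just before this block, or write the guard as WHERE NOT COALESCE(@had_sys_user, 0). The Priv literal would also benefit from a comment saying which privilege "access":512 stands for and why an account created with "account_locked":true needs any global privilege.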
1. This could've been simply INSERT IGNORE, I suspect
Nope, the idea is to not insert more than needed.
Why would INSERT IGNORE insert more than needed?
I thought you proposed INSERT IGNORE instead of the WHERE clause; in any case I do not see why it should help.
I mean, instead of the four lines above, I think, one can simply do
INSERT IGNORE global_priv (Host,User,Priv) VALUES ('localhost','mariadb.sys','{"access":512,"plugin":"mysql_native_password","authentication_string":"","account_locked":true,"password_last_changed":0}');
2. Why access:512? It's FILE_ACL, iirc.
Because LOAD is used in tests, and so probably in reality, so we need FILE_ACL.
We need FILE_ACL, but why does the mariadb.sys account need it? mysql.user is a read-only view of the mysql.global_priv table, its owner doesn't need FILE or INSERT/UPDATE/DELETE.
As I said, somewhere in the test suite (not main, but I don't remember exactly) we have a test which requires the permission, otherwise I would not have returned and added more rights.
Where? The view is clearly not insertable-into, so INSERT privilege is meaningless. Some fields are updateable, and one can delete from it. This was more accidental than intentional, but ok, let's not change it in 10.4.

And why does it need FILE privilege? The view owner cannot possibly do any LOAD DATA.

Regards,
Sergei
VP of MariaDB Server Engineering
and security@mariadb.org
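To check the concern raised in this thread on an existing server, the sketch below (an added example, not code from the patch or from MariaDB) decodes the "access" bitmask of global_priv rows and reports watched accounts that hold the privileges questioned above. Only FILE = 512 is confirmed by the thread; the other bit names, the helper names and the second sample row are assumptions made for illustration.

```python
import json

# Low bits of the "access" field. Only FILE = 512 is confirmed by the thread;
# the other names assume the bits follow the order of the legacy mysql.user
# privilege columns (assumption, verify against your server version).
ACL_BITS = ["SELECT", "INSERT", "UPDATE", "DELETE", "CREATE", "DROP",
            "RELOAD", "SHUTDOWN", "PROCESS", "FILE"]
KNOWN_MASK = (1 << len(ACL_BITS)) - 1


def decode_access(access):
    """Return the privilege names set in a bitmask, plus any unmapped bits."""
    names = [name for i, name in enumerate(ACL_BITS) if access & (1 << i)]
    unknown = access & ~KNOWN_MASK
    if unknown:
        names.append("UNKNOWN(0x%x)" % unknown)
    return names


def audit(rows, watch):
    """rows: (Host, User, Priv JSON) tuples; watch: {user: privileges to flag}.
    Returns [(account, [flagged privileges])] for watched accounts only."""
    findings = []
    for host, user, priv in rows:
        if user not in watch:
            continue
        account = "%s@%s" % (user, host)
        try:
            access = int(json.loads(priv).get("access", 0))
        except (ValueError, TypeError, AttributeError):
            # Malformed Priv JSON is itself worth reporting, not skipping.
            findings.append((account, ["UNPARSEABLE"]))
            continue
        flagged = [p for p in decode_access(access) if p in watch[user]]
        if flagged:
            findings.append((account, flagged))
    return findings


# First row: the Priv value from the patch. Second row: constructed sample.
ROWS = [
    ("localhost", "mariadb.sys",
     '{"access":512,"plugin":"mysql_native_password",'
     '"authentication_string":"","account_locked":true,'
     '"password_last_changed":0}'),
    ("localhost", "app", '{"access":15}'),
]
# Privileges the thread says the view owner does not need.
WATCH = {"mariadb.sys": {"FILE", "INSERT", "UPDATE", "DELETE"}}

if __name__ == "__main__":
    for account, flagged in audit(ROWS, WATCH):
        print(account, "holds", ", ".join(flagged))
```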