Hi, Scott,

In MariaDB it's SUPER privilege.

Starting from 10.5 there are fine-grained privileges for various activities, see https://mariadb.com/kb/en/grant/#global-privileges

But there is no one "system_variables_admin" privilege. Different system variables are protected by different privileges, for example, @@gtid_binlog_state is protected by the REPLICATION MASTER ADMIN privilege.

SUPER is still left to control access to global variables that don't have a dedicated privilege. This includes all plugin variables too.

Regards,
Sergei
VP of MariaDB Server Engineering
and security@mariadb.org

On Apr 06, Scott Canaan wrote:
We are on MariaDB 10.5.18. There is a requirement to send all syslog data to a central syslog server. In the past, we did it using a login called ITS_READ. It has limited privs on purpose, but used to be able to execute the SET GLOBAL statements that we needed. Those statements are:
SET GLOBAL server_audit_output_type=SYSLOG;
SET GLOBAL server_audit_logging=1;
SET GLOBAL server_audit_syslog_facility=LOG_LOCAL2;
SET GLOBAL server_audit_events="connect,table,query_ddl,query_dcl";
Now, it doesn't have the privs needed to do that. In looking online, I found that there is a "new" privilege (in MySQL 8), called system_variables_admin that allows the user to execute SET GLOBAL statements. However, when I try to grant that privilege, I get an error:
MariaDB [(none)]> grant system_variables_admin to 'ITS_READ'@'localhost';
ERROR 1959 (OP000): Invalid role specification `system_variables_admin`
It seems that the only other option is to grant the SUPER privilege, which we don't want to do.
How do I get around this, or do I just tell the sysadmins they can't have the syslog data?
Scott Canaan '88
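
One way to keep SUPER away from ITS_READ given the reply above, as an added example that is not part of the original thread or MariaDB's own code: an account that already holds SUPER wraps the four statements in a SQL SECURITY DEFINER procedure, and ITS_READ receives only EXECUTE on it. The schema `audit_ops` and the procedure name are hypothetical, and the server_audit plugin is assumed to be installed already.

```sql
-- Added example. Run this part as an account that holds SUPER; the procedure's
-- definer defaults to the account that creates it.
CREATE DATABASE IF NOT EXISTS audit_ops;          -- hypothetical schema name

DELIMITER //
CREATE PROCEDURE audit_ops.enable_syslog_audit()  -- hypothetical procedure name
    SQL SECURITY DEFINER                          -- body runs with the definer's privileges
    COMMENT 'Fixed server_audit syslog settings; takes no caller input'
BEGIN
    -- Same four settings as in the original message. The values are hard-coded
    -- so the caller cannot choose which variable is set or to what.
    SET GLOBAL server_audit_output_type     = 'SYSLOG';
    SET GLOBAL server_audit_syslog_facility = 'LOG_LOCAL2';
    SET GLOBAL server_audit_events          = 'connect,table,query_ddl,query_dcl';
    SET GLOBAL server_audit_logging         = 1;  -- enable last, once the output is configured
END //
DELIMITER ;

-- The limited account gets EXECUTE on this one routine and nothing else new.
GRANT EXECUTE ON PROCEDURE audit_ops.enable_syslog_audit TO 'ITS_READ'@'localhost';

-- Confirm that SUPER was not granted along the way.
SHOW GRANTS FOR 'ITS_READ'@'localhost';

-- Then, connected as ITS_READ:
CALL audit_ops.enable_syslog_audit();

-- Reading global variables needs no special privilege, so ITS_READ can verify the result.
SELECT @@GLOBAL.server_audit_output_type,
       @@GLOBAL.server_audit_syslog_facility,
       @@GLOBAL.server_audit_events,
       @@GLOBAL.server_audit_logging;
```

The definer account must keep SUPER for the procedure to keep working, so treat the routine body as privileged code and restrict who may alter or replace it.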