File: gr_roles.test

package info (click to toggle)
mysql-8.0 8.0.43-3
  • links: PTS, VCS
  • area: main
  • in suites: sid
  • size: 1,273,924 kB
  • sloc: cpp: 4,684,605; ansic: 412,450; pascal: 108,398; java: 83,641; perl: 30,221; cs: 27,067; sql: 26,594; sh: 24,181; python: 21,816; yacc: 17,169; php: 11,522; xml: 7,388; javascript: 7,076; makefile: 2,194; lex: 1,075; awk: 670; asm: 520; objc: 183; ruby: 97; lisp: 86
file content (207 lines) | stat: -rw-r--r-- 8,300 bytes parent folder | download 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
 
###############################################################################
# Validate if granting privileges with 'Roles' works with group_replication

# 0.Test uses 2 servers: server1, server2
# 1.Verify that ROLES are replicated successfully.
#   1.1 Create role, user on server1.
#   1.2 Grant privileges to roles and grant roles to users.
# 2.Verify execution of GR commands is successful by the user when
#   different privileges are granted by roles.
#   2.1 Error as user does not have privilege to execute command.
#   2.2 Assign SYSTEM_VARIABLES_ADMIN privilege to user by enabling the role
#       and test that command is executed successfully.
# 3.Verify that ROLES on replication users used in 'CHANGE MASTER TO' work
#   as expected for GR.
#   3.1 Error in START GR as master_user used in CHM does not have privilege.
#   3.2 Assign REPLICATION_SLAVE privilege to user by enabling the role and
#       test that start group_replication succeeds.
# 4.Verify that Activating the role by 'ALTER USER' is successful on
#    all GR members.
# 5.Clean Up.
###############################################################################
--source include/have_group_replication_xcom_communication_stack.inc
--source include/not_have_privilege_checks_user.inc
--source include/have_group_replication_plugin.inc
--let $rpl_server_count= 2
--let $rpl_skip_group_replication_start= 1
--source include/group_replication.inc

# Test 1 : ROLES are replicated successfully

# Create role, user on server1
CREATE ROLE 'gr_user','gr_recovery_user';
# Grant privileges to roles and grant roles to users.
GRANT SYSTEM_VARIABLES_ADMIN ON *.* TO 'gr_user';
GRANT REPLICATION SLAVE ON *.* TO 'gr_recovery_user';
CREATE USER 'alpha' IDENTIFIED BY 'alpha';
GRANT gr_user TO alpha;

--echo # Check that 'gr_user' role is assigned to 'alpha' user
--let $wait_condition=SELECT FROM_USER='gr_user' FROM mysql.role_edges WHERE TO_USER='alpha'
--source include/wait_condition_or_abort.inc

# Test 2 : Verify execution of GR commands is successful by the user when
#          different privileges are granted by roles.

# 'alpha' user is not granted any privileges, it will be denied to set GR related
# variables or START GROUP_REPLICATION
--echo [connection alpha]
connect(alpha_con, localhost, alpha, alpha);
--disable_query_log
--error ER_SPECIFIC_ACCESS_DENIED_ERROR
--eval SET GLOBAL group_replication_group_name= "$group_replication_group_name"
--enable_query_log

--error ER_SPECIFIC_ACCESS_DENIED_ERROR
SET GLOBAL group_replication_bootstrap_group= 1;

--error ER_SPECIFIC_ACCESS_DENIED_ERROR
START GROUP_REPLICATION;

--disconnect alpha_con
--let $rpl_connection_name= server1
--source include/rpl_connection.inc

# Enable 'gr_user' ROLE for USER 'alpha'
ALTER USER alpha DEFAULT ROLE 'gr_user';

--echo # Check that 'gr_user' role is enabled for 'alpha' user
--let $wait_condition= SELECT DEFAULT_ROLE_USER='gr_user' FROM mysql.default_roles WHERE USER='alpha'
--source include/wait_condition_or_abort.inc

--let $wait_condition= SELECT FROM_USER='gr_user' FROM mysql.role_edges WHERE TO_USER='alpha';
--source include/wait_condition_or_abort.inc

--echo [connection alpha]
connect(alpha_con, localhost, alpha, alpha,*NO-ONE*);
SELECT CURRENT_ROLE();

# Execution of commands should be successful.
--replace_result $group_replication_group_name GROUP_REPLICATION_GROUP_NAME
--eval SET GLOBAL group_replication_group_name= "$group_replication_group_name"
SET GLOBAL group_replication_bootstrap_group= 1;

--error ER_SPECIFIC_ACCESS_DENIED_ERROR
START GROUP_REPLICATION;

--disconnect alpha_con

--let $rpl_connection_name= server1
--source include/rpl_connection.inc

GRANT GROUP_REPLICATION_ADMIN ON *.* TO 'gr_user';

--echo [connection alpha]
connect(alpha_con, localhost, alpha, alpha,*NO-ONE*);
START GROUP_REPLICATION;
SET GLOBAL group_replication_bootstrap_group= 0;

--disconnect alpha_con

--let $rpl_connection_name= server1
--source include/rpl_connection.inc
--echo # Wait until server1 is ONLINE
--let $wait_condition= SELECT COUNT(*) = 1 FROM performance_schema.replication_group_members WHERE member_state='ONLINE'
--source include/wait_condition_or_abort.inc

# Test 3 : Verify that ROLES on replication users used in 'CHANGE MASTER TO' work
#          as expected for GR.
--let $rpl_connection_name= server2
--source include/rpl_connection.inc

SET @group_replication_recovery_retry_count_save= @@GLOBAL.group_replication_recovery_retry_count;
SET @group_replication_recovery_reconnect_interval_save= @@GLOBAL.group_replication_recovery_reconnect_interval;

set sql_log_bin=0;
call mtr.add_suppression(".*Replica I/O for channel 'group_replication_recovery': Source command COM_REGISTER_REPLICA failed.*");
call mtr.add_suppression(".*Replica I/O thread couldn't register on source");
call mtr.add_suppression("Maximum number of retries when*");
call mtr.add_suppression("Fatal error during the incremental recovery process of Group Replication. The server will leave the group.");
call mtr.add_suppression("Skipping leave operation: concurrent attempt to leave the group is on-going.");
call mtr.add_suppression("There was an error when connecting to the donor*");
call mtr.add_suppression("For details please check performance_schema.replication_connection_status table and error log messages of Replica I/O for channel group_replication_recovery.");
call mtr.add_suppression("The server was automatically set into read only mode after an error was detected.");
set sql_log_bin=1;

# Execute CHM where master_user='alpha'
--replace_result $group_replication_group_name GROUP_REPLICATION_GROUP_NAME
--eval SET GLOBAL group_replication_group_name= "$group_replication_group_name"

SET GLOBAL group_replication_recovery_retry_count= 1;
--echo # Set the reconnect interval to one. To prevent timeout on recovery.
SET GLOBAL group_replication_recovery_reconnect_interval= 1;

CHANGE REPLICATION SOURCE TO SOURCE_USER='alpha', SOURCE_PASSWORD='alpha' FOR CHANNEL 'group_replication_recovery';

# START GR on server2 will fail
--let $group_replication_start_member_state= ERROR
--source include/start_group_replication.inc

# Error ER_REPLICA_SOURCE_COM_FAILURE : as USER 'alpha' doesn't have
# REPLICATION_SLAVE_ADMIN privilege
--let $grep_pattern= Source command COM_REGISTER_REPLICA failed
--let $grep_file= $MYSQLTEST_VARDIR/log/mysqld.2.err
--let $grep_output= boolean
--source include/grep_pattern.inc

--let $grep_pattern= Replica I/O thread couldn't register on source
--let $grep_file= $MYSQLTEST_VARDIR/log/mysqld.2.err
--let $grep_output= boolean
--source include/grep_pattern.inc

--source include/stop_group_replication.inc

# Test 4 : Verify that Activating the role by 'ALTER USER' is successful on
#          all GR members.
--let $rpl_connection_name= server1
--source include/rpl_connection.inc
# Enable 'REPLICATION_SLAVE_ADMIN' for 'alpha'
GRANT gr_recovery_user TO alpha;
ALTER USER alpha DEFAULT ROLE ALL;

--echo # Check that all roles assigned to 'alpha' user are enabled
SELECT DEFAULT_ROLE_USER FROM mysql.default_roles WHERE USER='alpha';
SELECT FROM_USER FROM mysql.role_edges WHERE TO_USER='alpha';

--echo [connection alpha]
connect(alpha_con, localhost, alpha, alpha,*NO-ONE*);
SELECT CURRENT_ROLE();
SHOW GRANTS;

# Creation of new database fails
--error ER_DBACCESS_DENIED_ERROR
CREATE DATABASE newtest;

--disconnect alpha_con

--let $rpl_connection_name= server2
--source include/rpl_connection.inc
--let $group_replication_start_member_state= ONLINE
--source include/start_group_replication.inc

GRANT ALL ON newtest.* TO gr_recovery_user;

--echo [connection alpha]
connect(alpha_con, localhost, alpha, alpha,*NO-ONE*,$SLAVE_MYPORT,$SLAVE_MYSOCK);

# Replicate data
CREATE DATABASE newtest;
use newtest;
CREATE TABLE t1(a INT PRIMARY KEY);
INSERT INTO t1 VALUES (1),(2);
UPDATE t1 SET a=4 WHERE a=1;
DELETE FROM t1;

# Cleanup
--let $rpl_connection_name= server2
--source include/rpl_connection.inc

SET GLOBAL group_replication_recovery_retry_count= @group_replication_recovery_retry_count_save;
SET GLOBAL group_replication_recovery_reconnect_interval= @group_replication_recovery_reconnect_interval_save;

DROP TABLE newtest.t1;
DROP DATABASE newtest;
DROP ROLE gr_user, gr_recovery_user;
DROP USER alpha;

--source include/group_replication_end.inc