mariadbdatabase-replicationmariadb-10.3mariadb-10.6

Can't Grant SLAVE MONITOR to user on MariaDB 10.6 Primary

We recently replaced an old MariaDB 10.3 primary with one of it's replicas which is running 10.6.x. Hoping that this would resolve a weird Primary/replica issue that we have had since creating the replicas.

The Struggle: Per the MariaDB documentation in order for a user to have access to SHOW REPLICA STATUS (formerly SHOW SLAVE STATUS) in MariaDB 10.3 that user needed the REPLICATION CLIENT privilege. Furthermore REPLICATION CLIENT was renamed to BINLOG MONITOR in mariadb 10.5.2 and this Privilege does show up as BINLOG MONITOR when granting the REPLICATION CLIENT privilege on versions of 10.5.2 or newer. However, according to the mariadb kb (and confirmed by my experience) "Unlike REPLICATION CLIENT prior to MariaDB 10.5, SHOW REPLICA STATUS isn't included in this privilege, and REPLICA MONITOR is required". This has created a bit of a headache for me.

The old problem: Due to the cups and ball trick MDB has decided to play with the SHOW REPLICA STATUS privilege I couldn't grant REPLICA MONITOR on the old primary without getting an error (because that privilege doesn't exist on 10.3) and REPLICATION CLIENT wasn't sufficient on the replicas (because SHOW REPLICA STATUS was moved to REPLICA MONITOR). This lead me to EOL the old primary and promote one of the 10.6 replicas to primary.

The new problem (or just the old problem persisting): The problem however is the new primary which is running 10.6 is behaving almost exactly like the old primary (which, again was on 10.3). The only difference is when I grant REPLICA MONITOR now I don't get an error but the grant doesn't stick. I can FLUSH PRIVILEGES and SHOW GRANTS... on the user but it isn't there.

So the question is what would cause a mariadb 10.6 Primary to behave like the former 10.3 primary in this scenario? is there some config or system variable I am unaware of?

FWIW the machine was rebooted a few times during the fail-over process but if that is the fix it can be done again. I have also tried granting SLAVE MONITOR which is the former version of REPLICA MONITOR but it doesn't stick either. I also tried granting BINLOG MONITOR which does stick but as I've already covered isn't sufficient on 10.6.

Solution

  • After upgrading from 10.3, run mariadb-upgrade. This will change the table structure of MariaDB to be able to handle the the privilege changes made in 10.5 The upgrade will also migrate to an equivalent grant.