Hi everyone.
It seems I found a bug in the CEV mechanism. Or at least it looks like a bug - I need your advice here.
Situation:
I need to change the password of a user that has the SYSTEM_USER privilege. But I, as the user who wants to change that password, have no such permissions. When I try to execute such a request on the pxc1 node, it fails with the following error:
Access denied; you need (at least one of) the SYSTEM_USER privilege(s) for this operation, Error_code: 1227;
Meanwhile, the cluster initiates CEV:
2022-06-15T20:15:51.603942Z 0 [Note] [MY-000000] [Galera] Member 0(pxc-uc-node2) initiates vote on 5c78866e-de52-11ec-8c63-db0e768e920f:454158114,eaaf6466ca51fa98: Access denied; you need (at least one of) the SYSTEM_USER privilege(s) for this operation, Error_code: 1227;
2022-06-15T20:15:51.604022Z 0 [Note] [MY-000000] [Galera] Votes over 5c78866e-de52-11ec-8c63-db0e768e920f:454158114:
eaaf6466ca51fa98: 1/2
Waiting for more votes.
2022-06-15T20:15:51.604097Z 1 [Note] [MY-000000] [Galera] Got vote request for seqno 5c78866e-de52-11ec-8c63-db0e768e920f:454158114
2022-06-15T20:15:51.604409Z 0 [Note] [MY-000000] [Galera] Member 1(pxc-uc-node3) responds to vote on 5c78866e-de52-11ec-8c63-db0e768e920f:454158114,0000000000000000: Success
2022-06-15T20:15:51.604443Z 0 [Note] [MY-000000] [Galera] Votes over 5c78866e-de52-11ec-8c63-db0e768e920f:454158114:
0000000000000000: 1/2
eaaf6466ca51fa98: 1/2
Winner: 0000000000000000
2022-06-15T20:15:51.604486Z 1 [Note] [MY-000000] [Galera] Vote 0 (success) on 5c78866e-de52-11ec-8c63-db0e768e920f:454158114 is consistent with group. Continue.
2022-06-15T20:15:52.613398Z 0 [Note] [MY-000000] [Galera] Deferred close timer started for socket with remote endpoint: ssl://xx.xxx.xxx.229:4567
2022-06-15T20:15:52.613472Z 0 [Note] [MY-000000] [Galera] forgetting 1868705a-8ded (ssl://xx.xxx.xxx.229:4567)
2022-06-15T20:15:52.613526Z 0 [Note] [MY-000000] [Galera] Node cb87eba3-9645 state primary
2022-06-15T20:15:52.613586Z 0 [Note] [MY-000000] [Galera] Current view of cluster as seen by this node
As you can see, the cluster kicks the pxc1 node, since all other nodes executed this request correctly. This probably happens because the cluster node uses its internal user (like ‘mysql.pxc.internal.session’ or so), which actually HAS SYSTEM_USER permissions, and therefore executes the query correctly.
A second try to execute the same statement will kick the pxc2 node respectively. So, in two tries you get a cluster with only the pxc3 node on board.
This is awkward. Or am I doing something wrong in this case? It looks like a bug in CEV. Thanks.
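Added example, not part of the original post and not Percona or Galera code: a small log check that pairs each member's vote with the "Winner" line and reports the member that was outvoted, together with the error it voted with. It assumes the log format shown in the excerpt above; the function name `find_outvoted` and the regular expressions are illustrative.

```python
import re
from collections import defaultdict

# Patterns follow the Galera log lines quoted in the post above.
VOTE = re.compile(r"Member \d+\((?P<node>[^)]+)\) (?:initiates|responds to) vote on "
                  r"(?P<gtid>[0-9a-f-]+:\d+),(?P<hash>[0-9a-f]{16}): (?P<msg>.*)")
VOTES_OVER = re.compile(r"Votes over (?P<gtid>[0-9a-f-]+:\d+):")
WINNER = re.compile(r"^\s*Winner: (?P<hash>[0-9a-f]{16})\s*$")
ERRCODE = re.compile(r"Error_code: (\d+)")

def find_outvoted(lines):
    """Return one finding per member whose vote differs from the winning vote."""
    votes = defaultdict(dict)   # gtid -> {node name: (vote hash, message)}
    tally_gtid = None           # gtid named by the most recent "Votes over" line
    findings = []
    for line in lines:
        if m := VOTE.search(line):
            votes[m["gtid"]][m["node"]] = (m["hash"], m["msg"].strip())
        elif m := VOTES_OVER.search(line):
            tally_gtid = m["gtid"]
        elif (m := WINNER.match(line)) and tally_gtid:
            for node, (vote, msg) in votes[tally_gtid].items():
                if vote != m["hash"]:   # this member disagrees with the group
                    code = ERRCODE.search(msg)
                    findings.append({"node": node, "gtid": tally_gtid,
                                     "error_code": code.group(1) if code else None,
                                     "message": msg})
    return findings

# Sample input: lines copied from the log excerpt in the post (wrapped line rejoined).
SAMPLE = """\
2022-06-15T20:15:51.603942Z 0 [Note] [MY-000000] [Galera] Member 0(pxc-uc-node2) initiates vote on 5c78866e-de52-11ec-8c63-db0e768e920f:454158114,eaaf6466ca51fa98: Access denied; you need (at least one of) the SYSTEM_USER privilege(s) for this operation, Error_code: 1227;
2022-06-15T20:15:51.604022Z 0 [Note] [MY-000000] [Galera] Votes over 5c78866e-de52-11ec-8c63-db0e768e920f:454158114:
eaaf6466ca51fa98: 1/2
Waiting for more votes.
2022-06-15T20:15:51.604409Z 0 [Note] [MY-000000] [Galera] Member 1(pxc-uc-node3) responds to vote on 5c78866e-de52-11ec-8c63-db0e768e920f:454158114,0000000000000000: Success
2022-06-15T20:15:51.604443Z 0 [Note] [MY-000000] [Galera] Votes over 5c78866e-de52-11ec-8c63-db0e768e920f:454158114:
0000000000000000: 1/2
eaaf6466ca51fa98: 1/2
Winner: 0000000000000000
"""

if __name__ == "__main__":
    for f in find_outvoted(SAMPLE.splitlines()):
        print(f"{f['node']} outvoted on {f['gtid']} (Error_code {f['error_code']})")
```

Run against each node's error log, a finding whose `error_code` is 1227 ties the inconsistency vote to a privilege failure rather than to data divergence.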