MDEV-28294: set default role bypasses Replicate_Wild_Ignore_Table: mysql.%bb-10.4-MDEV-28294

Problem:
========
When replicating SET DEFAULT ROLE, the pre-update check (i.e. that
in set_var_default_role::check()) tries to validate the existence of
the given rules/user even when the targeted tables are ignored. When
previously issued CREATE USER/ROLE commands are ignored by the
replica because of the replication filtering rules, this results in
an error because the targeted data does not exist.

Solution:
========
Before checking that the given roles/user exist of a SET DEFAULT
ROLE command, first ensure that the mysql.user and
mysql.roles_mapping tables are not excluded by replication filters.

Reviewed By:
============
Andrei Elkin <andrei.elkin@mariadb.com>
Sergei Golubchik <serg@mariadb.com>

3 files changed, 216 insertions, 14 deletions

diff --git a/mysql-test/suite/rpl/r/rpl_filter_set_var_missing_data.result b/mysql-test/suite/rpl/r/rpl_filter_set_var_missing_data.result
new file mode 100644
index 00000000000..e232edae1ed
--- /dev/null
+++ b/mysql-test/suite/rpl/r/rpl_filter_set_var_missing_data.result
@@ -0,0 +1,55 @@
+include/master-slave.inc
+[connection master]
+#
+# Set replica to ignore system mysql tables
+connection slave;
+include/stop_slave.inc
+SET @@GLOBAL.replicate_wild_ignore_table="mysql.%";
+include/start_slave.inc
+#
+# Execute grant-based commands on primary which modify mysql system
+# tables
+connection master;
+CREATE ROLE journalist;
+CREATE USER testuser@localhost IDENTIFIED by '';
+GRANT journalist to testuser@localhost;
+#
+# Execute SET commands which use the previous user/role data
+SET DEFAULT ROLE journalist for testuser@localhost;
+SET PASSWORD for testuser@localhost= PASSWORD('123');
+include/save_master_gtid.inc
+#
+# Verify primary's grant tables have the correct user/role data
+select count(*)=1 from mysql.user where User='testuser';
+count(*)=1
+1
+select count(*)=1 from mysql.roles_mapping where User='testuser';
+count(*)=1
+1
+#
+# Ensure that the replica receives all of the primary's events without
+# error
+connection slave;
+include/sync_with_master_gtid.inc
+Last_SQL_Error = 
+Last_SQL_Errno = 0
+#
+# Verify that the replica did not execute the master's commands
+select count(*)=0 from mysql.user where User='testuser';
+count(*)=0
+1
+select count(*)=0 from mysql.roles_mapping where User='testuser';
+count(*)=0
+1
+#
+# Clean up
+connection master;
+DROP ROLE journalist;
+DROP USER testuser@localhost;
+include/save_master_gtid.inc
+connection slave;
+include/sync_with_master_gtid.inc
+include/stop_slave.inc
+SET @@GLOBAL.replicate_wild_ignore_table="";
+include/start_slave.inc
+include/rpl_end.inc
diff --git a/mysql-test/suite/rpl/t/rpl_filter_set_var_missing_data.test b/mysql-test/suite/rpl/t/rpl_filter_set_var_missing_data.test
new file mode 100644
index 00000000000..25efb6ed662
--- /dev/null
+++ b/mysql-test/suite/rpl/t/rpl_filter_set_var_missing_data.test
@@ -0,0 +1,83 @@
+#
+# Purpose:
+#   This test ensures that the SET DEFAULT ROLE and SET PASSWORD commands can
+# be ignored by replica filter rules. MDEV-28294 exposed a bug in which
+# SET DEFAULT ROLE would check for the existence of the given roles/user even
+# when the targeted tables are ignored, resulting in errors if the targeted
+# data does not exist. More specifically, when previously issued
+# CREATE USER/ROLE commands are ignored by the replica because of the
+# replication filtering rules, SET DEFAULT ROLE would result in an error
+# because the targeted data does not exist.
+#
+# Methodology:
+#   Using a replica configured with replicate_wild_ignore_table="mysql.%",
+# execute SET DEFAULT ROLE and SET PASSWORD on the primary and ensure that the
+# replica neither errors nor executes the commands which the primary sends.
+#
+# References:
+#   MDEV-28294: set default role bypasses Replicate_Wild_Ignore_Table: mysql.%
+#
+
+source include/master-slave.inc;
+source include/have_binlog_format_mixed.inc;
+
+--echo #
+--echo # Set replica to ignore system mysql tables
+connection slave;
+let $old_filter= query_get_value(SHOW SLAVE STATUS, Replicate_Wild_Ignore_Table, 1);
+source include/stop_slave.inc;
+SET @@GLOBAL.replicate_wild_ignore_table="mysql.%";
+source include/start_slave.inc;
+
+--echo #
+--echo # Execute grant-based commands on primary which modify mysql system
+--echo # tables
+connection master;
+CREATE ROLE journalist;
+CREATE USER testuser@localhost IDENTIFIED by '';
+GRANT journalist to testuser@localhost;
+
+--echo #
+--echo # Execute SET commands which use the previous user/role data
+SET DEFAULT ROLE journalist for testuser@localhost;
+SET PASSWORD for testuser@localhost= PASSWORD('123');
+--source include/save_master_gtid.inc
+
+--echo #
+--echo # Verify primary's grant tables have the correct user/role data
+select count(*)=1 from mysql.user where User='testuser';
+select count(*)=1 from mysql.roles_mapping where User='testuser';
+
+--echo #
+--echo # Ensure that the replica receives all of the primary's events without
+--echo # error
+connection slave;
+--source include/sync_with_master_gtid.inc
+let $error= query_get_value(SHOW SLAVE STATUS, Last_SQL_Error, 1);
+--echo Last_SQL_Error = $error
+let $errno= query_get_value(SHOW SLAVE STATUS, Last_SQL_Errno, 1);
+--echo Last_SQL_Errno = $errno
+
+--echo #
+--echo # Verify that the replica did not execute the master's commands
+select count(*)=0 from mysql.user where User='testuser';
+select count(*)=0 from mysql.roles_mapping where User='testuser';
+
+--echo #
+--echo # Clean up
+
+# The master has to drop the role/user combination while the slave still has
+# its filters active; otherwise, the slave would try to drop users/roles that
+# were never replicated.
+--connection master
+DROP ROLE journalist;
+DROP USER testuser@localhost;
+--source include/save_master_gtid.inc
+
+--connection slave
+--source include/sync_with_master_gtid.inc
+source include/stop_slave.inc;
+--eval SET @@GLOBAL.replicate_wild_ignore_table="$old_filter"
+source include/start_slave.inc;
+
+--source include/rpl_end.inc
diff --git a/sql/sql_acl.cc b/sql/sql_acl.cc
index 8c52318c498..980b4c30cb2 100644
--- a/sql/sql_acl.cc
+++ b/sql/sql_acl.cc
@@ -1814,10 +1814,17 @@ class Grant_tables
  public:
   Grant_tables() : p_user_table(&m_user_table_json) { }
 
-  int open_and_lock(THD *thd, int which_tables, enum thr_lock_type lock_type)
+  /**
+    An auxiliary to build a list of involved tables.
+
+    @retval  0 Success
+    @retval -1 A my_error reported error
+   */
+  int build_table_list(THD *thd, TABLE_LIST** ptr_first,
+                       int which_tables, enum thr_lock_type lock_type,
+                       TABLE_LIST *tables)
   {
-    DBUG_ENTER("Grant_tables::open_and_lock");
-    TABLE_LIST tables[USER_TABLE+1], *first= NULL;
+    DBUG_ENTER("Grant_tables::build_table_list");
 
     DBUG_ASSERT(which_tables); /* At least one table must be opened. */
     /*
@@ -1842,12 +1849,23 @@ class Grant_tables
         tl->updating= lock_type >= TL_WRITE_ALLOW_WRITE;
         if (i >= FIRST_OPTIONAL_TABLE)
           tl->open_strategy= TABLE_LIST::OPEN_IF_EXISTS;
-        tl->next_global= tl->next_local= first;
-        first= tl;
+        tl->next_global= tl->next_local= *ptr_first;
+        *ptr_first= tl;
       }
       else
         tl->table= NULL;
     }
+    DBUG_RETURN(0);
+  }
+
+  int open_and_lock(THD *thd, int which_tables, enum thr_lock_type lock_type)
+  {
+    DBUG_ENTER("Grant_tables::open_and_lock");
+
+    TABLE_LIST tables[USER_TABLE+1], *first= NULL;
+
+    if (build_table_list(thd, &first, which_tables, lock_type, tables))
+      DBUG_RETURN(-1);
 
     uint counter;
     int res= really_open(thd, first, &counter);
@@ -1916,6 +1934,48 @@ class Grant_tables
   inline const Roles_mapping_table& roles_mapping_table() const
   { return m_roles_mapping_table; }
 
+#ifdef HAVE_REPLICATION
+  /**
+    Checks if the tables targeted by a grant command should be ignored because
+    of the configured replication filters
+
+    @retval 1 Tables are excluded for replication
+    @retval 0 tables are included for replication
+  */
+  int rpl_ignore_tables(THD *thd, TABLE_LIST* tables, int which_tables= 0,
+                        enum thr_lock_type lock_type= TL_IGNORE)
+  {
+    DBUG_ENTER("Grant_tables::rpl_ignore_tables");
+
+    if (!(thd->slave_thread && !thd->spcont))
+      DBUG_RETURN(0);
+
+    TABLE_LIST all_tables[USER_TABLE+1];
+
+    if (!tables)
+    {
+      int rc __attribute__((unused))=
+        build_table_list(thd, &tables, which_tables, lock_type, all_tables);
+
+      DBUG_ASSERT(!rc);  // Grant_tables must be already initialized
+      DBUG_ASSERT(tables);
+    }
+
+    if (tables->lock_type >= TL_WRITE_ALLOW_WRITE)
+    {
+      /*
+        GRANT and REVOKE are applied the slave in/exclusion rules as they are
+        some kind of updates to the mysql.% tables.
+      */
+      Rpl_filter *rpl_filter= thd->system_thread_info.rpl_sql_info->rpl_filter;
+
+      if (rpl_filter->is_on() && !rpl_filter->tables_ok(0, tables))
+        DBUG_RETURN(1);
+    }
+    DBUG_RETURN(0);
+  }
+#endif
+
  private:
 
   /* Before any operation is possible on grant tables, they must be opened.
@@ -1929,16 +1989,9 @@ class Grant_tables
   {
     DBUG_ENTER("Grant_tables::really_open:");
 #ifdef HAVE_REPLICATION
-    if (tables->lock_type >= TL_WRITE_ALLOW_WRITE &&
-        thd->slave_thread && !thd->spcont)
+    if (rpl_ignore_tables(thd, tables))
     {
-      /*
-        GRANT and REVOKE are applied the slave in/exclusion rules as they are
-        some kind of updates to the mysql.% tables.
-      */
-      Rpl_filter *rpl_filter= thd->system_thread_info.rpl_sql_info->rpl_filter;
-      if (rpl_filter->is_on() && !rpl_filter->tables_ok(0, tables))
-        DBUG_RETURN(1);
+      DBUG_RETURN(1);
     }
 #endif
     if (open_tables(thd, &tables, counter, MYSQL_LOCK_IGNORE_TIMEOUT))
@@ -3940,6 +3993,17 @@ int acl_check_set_default_role(THD *thd, const char *host, const char *user,
                                const char *role)
 {
   DBUG_ENTER("acl_check_set_default_role");
+#ifdef HAVE_REPLICATION
+  /*
+    If the roles_mapping table is excluded by the replication filter, we return
+    successful without validating the user/role data because the command will
+    be ignored in a later call to `acl_set_default_role()` for a graceful exit.
+  */
+  Grant_tables tables;
+  TABLE_LIST* first= NULL;
+  if (tables.rpl_ignore_tables(thd, first, Table_roles_mapping, TL_WRITE))
+    DBUG_RETURN(0);
+#endif
   DBUG_RETURN(check_alter_user(thd, host, user) ||
               check_user_can_set_role(thd, user, host, NULL, role, NULL));
 }