MDEV-23607 MariaBackup - align required GRANTS to cmd optionsbb-10.5-danielblack-MDEV-23607

Since the 10.5 split of the privileges, the required GRANTs
for various mariabackup operations has changed.

In the addition of tests, a number of mappings where incorrect:

The option --lock-ddl-per-table didn't require connection admin.

The option --safe-slave-backup requires SLAVE MONITOR even without
the --no-lock option.

Change MySQL server -> MariaDB server in code/information messages.

4 files changed, 84 insertions, 15 deletions

diff --git a/extra/mariabackup/backup_mysql.cc b/extra/mariabackup/backup_mysql.cc
index 7a629e7265c..d23ca6b1a14 100644
--- a/extra/mariabackup/backup_mysql.cc
+++ b/extra/mariabackup/backup_mysql.cc
@@ -126,7 +126,7 @@ xb_mysql_connect()
 	mysql_options(connection, MYSQL_OPT_PROTOCOL, &opt_protocol);
 	mysql_options(connection,MYSQL_SET_CHARSET_NAME, "utf8");
 
-	msg("Connecting to MySQL server host: %s, user: %s, password: %s, "
+	msg("Connecting to MariaDB server host: %s, user: %s, password: %s, "
 	       "port: %s, socket: %s", opt_host ? opt_host : "localhost",
 	       opt_user ? opt_user : "not set",
 	       opt_password ? "set" : "not set",
@@ -153,7 +153,7 @@ xb_mysql_connect()
 				opt_password,
 				"" /*database*/, opt_port,
 				opt_socket, 0)) {
-		msg("Failed to connect to MySQL server: %s.", mysql_error(connection));
+		msg("Failed to connect to MariaDB server: %s.", mysql_error(connection));
 		mysql_close(connection);
 		return(NULL);
 	}
@@ -342,7 +342,7 @@ check_server_version(unsigned long version_number,
 }
 
 /*********************************************************************//**
-Receive options important for XtraBackup from MySQL server.
+Receive options important for XtraBackup from MariaDB server.
 @return	true on success. */
 bool get_mysql_vars(MYSQL *connection)
 {
@@ -1837,8 +1837,8 @@ static std::string make_local_paths(const char *data_file_path)
 bool write_backup_config_file()
 {
 	int rc= backup_file_printf("backup-my.cnf",
-		"# This MySQL options file was generated by innobackupex.\n\n"
-		"# The MySQL server\n"
+		"# This MariaDB options file was generated by innobackupex.\n\n"
+		"# The MariaDB server\n"
 		"[mysqld]\n"
 		"innodb_checksum_algorithm=%s\n"
 		"innodb_data_file_path=%s\n"
@@ -1923,7 +1923,7 @@ flush_changed_page_bitmaps()
 
 
 /*********************************************************************//**
-Deallocate memory, disconnect from MySQL server, etc.
+Deallocate memory, disconnect from MariaDB server, etc.
 @return	true on success. */
 void
 backup_cleanup()
diff --git a/extra/mariabackup/xtrabackup.cc b/extra/mariabackup/xtrabackup.cc
index da2ae65447b..2c4da11c860 100644
--- a/extra/mariabackup/xtrabackup.cc
+++ b/extra/mariabackup/xtrabackup.cc
@@ -6200,22 +6200,28 @@ static bool check_all_privileges()
 	}
 
 	/* KILL ... */
-	if ((!opt_no_lock && (opt_kill_long_queries_timeout || opt_lock_ddl_per_table))
-		/* START SLAVE SQL_THREAD */
-		/* STOP SLAVE SQL_THREAD */
-		|| opt_safe_slave_backup) {
+	if (!opt_no_lock && (opt_kill_long_queries_timeout || opt_kill_long_query_type)) {
 		check_result |= check_privilege(
 			granted_privileges,
-			"SUPER", "*", "*",
+			"CONNECTION ADMIN", "*", "*",
+			PRIVILEGE_WARNING);
+	}
+
+	/* START SLAVE SQL_THREAD */
+	/* STOP SLAVE SQL_THREAD */
+	if (opt_safe_slave_backup) {
+		check_result |= check_privilege(
+			granted_privileges,
+			"REPLICATION SLAVE ADMIN", "*", "*",
 			PRIVILEGE_WARNING);
 	}
 
 	/* SHOW MASTER STATUS */
 	/* SHOW SLAVE STATUS */
 	if (opt_galera_info || opt_slave_info
-		|| (opt_no_lock && opt_safe_slave_backup)) {
+		|| opt_safe_slave_backup) {
 		check_result |= check_privilege(granted_privileges,
-			"REPLICATION CLIENT", "*", "*",
+			"SLAVE MONITOR", "*", "*",
 			PRIVILEGE_WARNING);
 	}
 
diff --git a/mysql-test/suite/mariabackup/backup_grants.result b/mysql-test/suite/mariabackup/backup_grants.result
index ed793e7ff1a..56899f8d9c0 100644
--- a/mysql-test/suite/mariabackup/backup_grants.result
+++ b/mysql-test/suite/mariabackup/backup_grants.result
@@ -3,4 +3,12 @@ FOUND 1 /missing required privilege RELOAD/ in backup.log
 FOUND 1 /missing required privilege PROCESS/ in backup.log
 FOUND 1 /GRANT USAGE ON/ in backup.log
 GRANT RELOAD, PROCESS on *.* to backup@localhost;
+NOT FOUND /missing required privilege REPLICA MONITOR/ in backup.log
+GRANT REPLICA MONITOR ON *.* TO backup@localhost;
+REVOKE REPLICA MONITOR ON *.* FROM backup@localhost;
+GRANT CONNECTION ADMIN ON *.* TO backup@localhost;
+FOUND 1 /missing required privilege REPLICATION SLAVE ADMIN/ in backup.log
+NOT FOUND /missing required privilege REPLICA MONITOR/ in backup.log
+GRANT REPLICATION SLAVE ADMIN ON *.* TO backup@localhost;
+GRANT REPLICA MONITOR ON *.* TO backup@localhost;
 DROP USER backup@localhost;
diff --git a/mysql-test/suite/mariabackup/backup_grants.test b/mysql-test/suite/mariabackup/backup_grants.test
index eadeedd9b5f..894ae73aeb9 100644
--- a/mysql-test/suite/mariabackup/backup_grants.test
+++ b/mysql-test/suite/mariabackup/backup_grants.test
@@ -25,7 +25,62 @@ GRANT RELOAD, PROCESS on *.* to backup@localhost;
 --disable_result_log
 exec $XTRABACKUP --defaults-file=$MYSQLTEST_VARDIR/my.cnf  --backup -ubackup --target-dir=$targetdir;
 --enable_result_log
+rmdir $targetdir;
 
-DROP USER backup@localhost;
-# Cleanup
+# MDEV-23607 Warning: missing required privilege REPLICATION CLIENT
+# --slave-info and galera info require REPLICA MONITOR
+--disable_result_log
+error 1;
+exec $XTRABACKUP --defaults-file=$MYSQLTEST_VARDIR/my.cnf --backup -ubackup --slave-info  --target-dir=$targetdir > $MYSQLTEST_VARDIR/tmp/backup.log;
+--enable_result_log
+rmdir $targetdir;
+
+--let SEARCH_PATTERN=  missing required privilege REPLICA MONITOR
+--source include/search_pattern_in_file.inc
+
+GRANT REPLICA MONITOR ON *.* TO backup@localhost;
+--disable_result_log
+exec $XTRABACKUP --defaults-file=$MYSQLTEST_VARDIR/my.cnf --backup -ubackup --slave-info --target-dir=$targetdir;
+--enable_result_log
+rmdir $targetdir;
+REVOKE REPLICA MONITOR ON *.* FROM backup@localhost;
+
+# TODO need a query that would delay a BACKUP STAGE START/ BACKUP STAGE BLOCK_COMMIT longer than the kill-long-queries-timeout
+#--send SELECT SLEEP(9) kill_me
+## kill-long-query-type=(not empty) requires CONNECTION ADMIN
+#--disable_result_log
+#error 1;
+#--exec $XTRABACKUP --defaults-file=$MYSQLTEST_VARDIR/my.cnf --backup -ubackup  --kill-long-query-type=all --kill-long-queries-timeout=4 --target-dir=$targetdir > $MYSQLTEST_VARDIR/tmp/backup.log;
+#--reap
+#--enable_result_log
+#rmdir $targetdir;
+#
+#--let SEARCH_PATTERN=  missing required privilege CONNECTION ADMIN
+#--source include/search_pattern_in_file.inc
+
+GRANT CONNECTION ADMIN ON *.* TO backup@localhost;
+--disable_result_log
+exec $XTRABACKUP --defaults-file=$MYSQLTEST_VARDIR/my.cnf --backup -ubackup  --kill-long-query-type=all --kill-long-queries-timeout=1 --target-dir=$targetdir;
+--enable_result_log
+rmdir $targetdir;
+
+# --safe-slave-backup requires REPLICATION SLAVE ADMIN, and REPLICA MONITOR
+--disable_result_log
+error 1;
+exec $XTRABACKUP --defaults-file=$MYSQLTEST_VARDIR/my.cnf --backup -ubackup --safe-slave-backup --target-dir=$targetdir > $MYSQLTEST_VARDIR/tmp/backup.log;
+--enable_result_log
 rmdir $targetdir;
+
+--let SEARCH_PATTERN=  missing required privilege REPLICATION SLAVE ADMIN
+--source include/search_pattern_in_file.inc
+--let SEARCH_PATTERN=  missing required privilege REPLICA MONITOR
+--source include/search_pattern_in_file.inc
+
+GRANT REPLICATION SLAVE ADMIN ON *.* TO backup@localhost;
+GRANT REPLICA MONITOR ON *.* TO backup@localhost;
+--disable_result_log
+exec $XTRABACKUP --defaults-file=$MYSQLTEST_VARDIR/my.cnf --backup -ubackup --safe-slave-backup --target-dir=$targetdir;
+--enable_result_log
+rmdir $targetdir;
+
+DROP USER backup@localhost;