Hi, Scott, In MariaDB it's SUPER privilege.
Starting from 10.5 there are fine-grained privilege for various activities, see https://mariadb.com/kb/en/grant/#global-privileges But there is no one "system_variables_admin" privilege. Different system variables are protected by different privileges, for example, @@gtid_binlog_state is protected by the REPLICATION MASTER ADMIN privilege. SUPER is still left to control access to global variables that don't have a dedicated privilege. This includes all plugin variables too. Regards, Sergei VP of MariaDB Server Engineering and secur...@mariadb.org On Apr 06, Scott Canaan wrote: > We are on MariaDB 10.5.18. There is a requirement to send all syslog > data to a central syslog server. In the past, we did it using a login > called ITS_READ. It has limited privs on purpose, but used to be able > to execute the SET GLOBAL statements that we needed. Those statements > are: > > SET GLOBAL server_audit_output_type=SYSLOG; > SET GLOBAL server_audit_logging=1; > SET GLOBAL server_audit_syslog_facility=LOG_LOCAL2; > SET GLOBAL server_audit_events="connect,table,query_ddl,query_dcl"; > > Now, it doesn't have the privs needed to do that. In looking online, > I found that there is a "new" privilege (in MySQL 8), called > system_variables_admin that allows the user to execute SET GLOBAL > statements. However, when I try to grant that privilege, I get an > error: > > MariaDB [(none)]> grant system_variables_admin to 'ITS_READ'@'localhost'; > ERROR 1959 (OP000): Invalid role specification `system_variables_admin` > > It seems that the only other option is to grant the SUPER privilege, > which we don't want to do. > > How do I get around this, or do I just tell the sysadmins they can't > have the syslog data? > > Scott Canaan '88 _______________________________________________ Mailing list: https://launchpad.net/~maria-discuss Post to : maria-discuss@lists.launchpad.net Unsubscribe : https://launchpad.net/~maria-discuss More help : https://help.launchpad.net/ListHelp