MDEV-21961 Bind CONNECTION ADMIN to a number of global system variables

mysql-test/suite/sys_vars/r/connect_timeout_grant.result

+SET @global=@@global.connect_timeout;
+#
+# MDEV-21961 Bind CONNECTION ADMIN to a number of global system variables
+#
+# Test that "SET connect_timeout" is not allowed without CONNECTION ADMIN or SUPER
+CREATE USER user1@localhost;
+GRANT ALL PRIVILEGES ON *.* TO user1@localhost;
+REVOKE CONNECTION ADMIN, SUPER ON *.* FROM user1@localhost;
+connect user1,localhost,user1,,;
+connection user1;
+SET GLOBAL connect_timeout=10;
+ERROR 42000: Access denied; you need (at least one of) the SUPER, CONNECTION ADMIN privilege(s) for this operation
+SET connect_timeout=10;
+ERROR HY000: Variable 'connect_timeout' is a GLOBAL variable and should be set with SET GLOBAL
+SET SESSION connect_timeout=10;
+ERROR HY000: Variable 'connect_timeout' is a GLOBAL variable and should be set with SET GLOBAL
+disconnect user1;
+connection default;
+DROP USER user1@localhost;
+# Test that "SET connect_timeout" is allowed with CONNECTION ADMIN
+CREATE USER user1@localhost;
+GRANT CONNECTION ADMIN ON *.* TO user1@localhost;
+connect user1,localhost,user1,,;
+connection user1;
+SET GLOBAL connect_timeout=10;
+SET connect_timeout=10;
+ERROR HY000: Variable 'connect_timeout' is a GLOBAL variable and should be set with SET GLOBAL
+SET SESSION connect_timeout=10;
+ERROR HY000: Variable 'connect_timeout' is a GLOBAL variable and should be set with SET GLOBAL
+disconnect user1;
+connection default;
+DROP USER user1@localhost;
+# Test that "SET connect_timeout" is allowed with SUPER
+CREATE USER user1@localhost;
+GRANT SUPER ON *.* TO user1@localhost;
+connect user1,localhost,user1,,;
+connection user1;
+SET GLOBAL connect_timeout=10;
+SET connect_timeout=10;
+ERROR HY000: Variable 'connect_timeout' is a GLOBAL variable and should be set with SET GLOBAL
+SET SESSION connect_timeout=10;
+ERROR HY000: Variable 'connect_timeout' is a GLOBAL variable and should be set with SET GLOBAL
+disconnect user1;
+connection default;
+DROP USER user1@localhost;
+SET @@global.connect_timeout=@global;

mysql-test/suite/sys_vars/r/disconnect_on_expired_password_grant.result

+SET @global=@@global.disconnect_on_expired_password;
+#
+# MDEV-21961 Bind CONNECTION ADMIN to a number of global system variables
+#
+# Test that "SET disconnect_on_expired_password" is not allowed without CONNECTION ADMIN or SUPER
+CREATE USER user1@localhost;
+GRANT ALL PRIVILEGES ON *.* TO user1@localhost;
+REVOKE CONNECTION ADMIN, SUPER ON *.* FROM user1@localhost;
+connect user1,localhost,user1,,;
+connection user1;
+SET GLOBAL disconnect_on_expired_password=1;
+ERROR 42000: Access denied; you need (at least one of) the SUPER, CONNECTION ADMIN privilege(s) for this operation
+SET disconnect_on_expired_password=1;
+ERROR HY000: Variable 'disconnect_on_expired_password' is a GLOBAL variable and should be set with SET GLOBAL
+SET SESSION disconnect_on_expired_password=1;
+ERROR HY000: Variable 'disconnect_on_expired_password' is a GLOBAL variable and should be set with SET GLOBAL
+disconnect user1;
+connection default;
+DROP USER user1@localhost;
+# Test that "SET disconnect_on_expired_password" is allowed with CONNECTION ADMIN
+CREATE USER user1@localhost;
+GRANT CONNECTION ADMIN ON *.* TO user1@localhost;
+connect user1,localhost,user1,,;
+connection user1;
+SET GLOBAL disconnect_on_expired_password=1;
+SET disconnect_on_expired_password=1;
+ERROR HY000: Variable 'disconnect_on_expired_password' is a GLOBAL variable and should be set with SET GLOBAL
+SET SESSION disconnect_on_expired_password=1;
+ERROR HY000: Variable 'disconnect_on_expired_password' is a GLOBAL variable and should be set with SET GLOBAL
+disconnect user1;
+connection default;
+DROP USER user1@localhost;
+# Test that "SET disconnect_on_expired_password" is allowed with SUPER
+CREATE USER user1@localhost;
+GRANT SUPER ON *.* TO user1@localhost;
+connect user1,localhost,user1,,;
+connection user1;
+SET GLOBAL disconnect_on_expired_password=1;
+SET disconnect_on_expired_password=1;
+ERROR HY000: Variable 'disconnect_on_expired_password' is a GLOBAL variable and should be set with SET GLOBAL
+SET SESSION disconnect_on_expired_password=1;
+ERROR HY000: Variable 'disconnect_on_expired_password' is a GLOBAL variable and should be set with SET GLOBAL
+disconnect user1;
+connection default;
+DROP USER user1@localhost;
+SET @@global.disconnect_on_expired_password=@global;

mysql-test/suite/sys_vars/r/extra_max_connections_grant.result

+SET @global=@@global.extra_max_connections;
+#
+# MDEV-21961 Bind CONNECTION ADMIN to a number of global system variables
+#
+# Test that "SET extra_max_connections" is not allowed without CONNECTION ADMIN or SUPER
+CREATE USER user1@localhost;
+GRANT ALL PRIVILEGES ON *.* TO user1@localhost;
+REVOKE CONNECTION ADMIN, SUPER ON *.* FROM user1@localhost;
+connect user1,localhost,user1,,;
+connection user1;
+SET GLOBAL extra_max_connections=10;
+ERROR 42000: Access denied; you need (at least one of) the SUPER, CONNECTION ADMIN privilege(s) for this operation
+SET extra_max_connections=10;
+ERROR HY000: Variable 'extra_max_connections' is a GLOBAL variable and should be set with SET GLOBAL
+SET SESSION extra_max_connections=10;
+ERROR HY000: Variable 'extra_max_connections' is a GLOBAL variable and should be set with SET GLOBAL
+disconnect user1;
+connection default;
+DROP USER user1@localhost;
+# Test that "SET extra_max_connections" is allowed with CONNECTION ADMIN
+CREATE USER user1@localhost;
+GRANT CONNECTION ADMIN ON *.* TO user1@localhost;
+connect user1,localhost,user1,,;
+connection user1;
+SET GLOBAL extra_max_connections=10;
+SET extra_max_connections=10;
+ERROR HY000: Variable 'extra_max_connections' is a GLOBAL variable and should be set with SET GLOBAL
+SET SESSION extra_max_connections=10;
+ERROR HY000: Variable 'extra_max_connections' is a GLOBAL variable and should be set with SET GLOBAL
+disconnect user1;
+connection default;
+DROP USER user1@localhost;
+# Test that "SET extra_max_connections" is allowed with SUPER
+CREATE USER user1@localhost;
+GRANT SUPER ON *.* TO user1@localhost;
+connect user1,localhost,user1,,;
+connection user1;
+SET GLOBAL extra_max_connections=10;
+SET extra_max_connections=10;
+ERROR HY000: Variable 'extra_max_connections' is a GLOBAL variable and should be set with SET GLOBAL
+SET SESSION extra_max_connections=10;
+ERROR HY000: Variable 'extra_max_connections' is a GLOBAL variable and should be set with SET GLOBAL
+disconnect user1;
+connection default;
+DROP USER user1@localhost;
+SET @@global.extra_max_connections=@global;

mysql-test/suite/sys_vars/r/init_connect_grant.result

+SET @global=@@global.init_connect;
+#
+# MDEV-21961 Bind CONNECTION ADMIN to a number of global system variables
+#
+# Test that "SET init_connect" is not allowed without CONNECTION ADMIN or SUPER
+CREATE USER user1@localhost;
+GRANT ALL PRIVILEGES ON *.* TO user1@localhost;
+REVOKE CONNECTION ADMIN, SUPER ON *.* FROM user1@localhost;
+connect user1,localhost,user1,,;
+connection user1;
+SET GLOBAL init_connect="SET @xxx=1";
+ERROR 42000: Access denied; you need (at least one of) the SUPER, CONNECTION ADMIN privilege(s) for this operation
+SET init_connect="SET @xxx=1";
+ERROR HY000: Variable 'init_connect' is a GLOBAL variable and should be set with SET GLOBAL
+SET SESSION init_connect="SET @xxx=1";
+ERROR HY000: Variable 'init_connect' is a GLOBAL variable and should be set with SET GLOBAL
+disconnect user1;
+connection default;
+DROP USER user1@localhost;
+# Test that "SET init_connect" is allowed with CONNECTION ADMIN
+CREATE USER user1@localhost;
+GRANT CONNECTION ADMIN ON *.* TO user1@localhost;
+connect user1,localhost,user1,,;
+connection user1;
+SET GLOBAL init_connect="SET @xxx=1";
+SET init_connect="SET @xxx=1";
+ERROR HY000: Variable 'init_connect' is a GLOBAL variable and should be set with SET GLOBAL
+SET SESSION init_connect="SET @xxx=1";
+ERROR HY000: Variable 'init_connect' is a GLOBAL variable and should be set with SET GLOBAL
+disconnect user1;
+connection default;
+DROP USER user1@localhost;
+# Test that "SET init_connect" is allowed with SUPER
+CREATE USER user1@localhost;
+GRANT SUPER ON *.* TO user1@localhost;
+connect user1,localhost,user1,,;
+connection user1;
+SET GLOBAL init_connect="SET @xxx=1";
+SET init_connect="SET @xxx=1";
+ERROR HY000: Variable 'init_connect' is a GLOBAL variable and should be set with SET GLOBAL
+SET SESSION init_connect="SET @xxx=1";
+ERROR HY000: Variable 'init_connect' is a GLOBAL variable and should be set with SET GLOBAL
+disconnect user1;
+connection default;
+DROP USER user1@localhost;
+SET @@global.init_connect=@global;

mysql-test/suite/sys_vars/r/max_connect_errors_grant.result

+SET @global=@@global.max_connect_errors;
+#
+# MDEV-21961 Bind CONNECTION ADMIN to a number of global system variables
+#
+# Test that "SET max_connect_errors" is not allowed without CONNECTION ADMIN or SUPER
+CREATE USER user1@localhost;
+GRANT ALL PRIVILEGES ON *.* TO user1@localhost;
+REVOKE CONNECTION ADMIN, SUPER ON *.* FROM user1@localhost;
+connect user1,localhost,user1,,;
+connection user1;
+SET GLOBAL max_connect_errors=10;
+ERROR 42000: Access denied; you need (at least one of) the SUPER, CONNECTION ADMIN privilege(s) for this operation
+SET max_connect_errors=10;
+ERROR HY000: Variable 'max_connect_errors' is a GLOBAL variable and should be set with SET GLOBAL
+SET SESSION max_connect_errors=10;
+ERROR HY000: Variable 'max_connect_errors' is a GLOBAL variable and should be set with SET GLOBAL
+disconnect user1;
+connection default;
+DROP USER user1@localhost;
+# Test that "SET max_connect_errors" is allowed with CONNECTION ADMIN
+CREATE USER user1@localhost;
+GRANT CONNECTION ADMIN ON *.* TO user1@localhost;
+connect user1,localhost,user1,,;
+connection user1;
+SET GLOBAL max_connect_errors=10;
+SET max_connect_errors=10;
+ERROR HY000: Variable 'max_connect_errors' is a GLOBAL variable and should be set with SET GLOBAL
+SET SESSION max_connect_errors=10;
+ERROR HY000: Variable 'max_connect_errors' is a GLOBAL variable and should be set with SET GLOBAL
+disconnect user1;
+connection default;
+DROP USER user1@localhost;
+# Test that "SET max_connect_errors" is allowed with SUPER
+CREATE USER user1@localhost;
+GRANT SUPER ON *.* TO user1@localhost;
+connect user1,localhost,user1,,;
+connection user1;
+SET GLOBAL max_connect_errors=10;
+SET max_connect_errors=10;
+ERROR HY000: Variable 'max_connect_errors' is a GLOBAL variable and should be set with SET GLOBAL
+SET SESSION max_connect_errors=10;
+ERROR HY000: Variable 'max_connect_errors' is a GLOBAL variable and should be set with SET GLOBAL
+disconnect user1;
+connection default;
+DROP USER user1@localhost;
+SET @@global.max_connect_errors=@global;

mysql-test/suite/sys_vars/r/max_connections_grant.result

+SET @global=@@global.max_connections;
+#
+# MDEV-21961 Bind CONNECTION ADMIN to a number of global system variables
+#
+# Test that "SET max_connections" is not allowed without CONNECTION ADMIN or SUPER
+CREATE USER user1@localhost;
+GRANT ALL PRIVILEGES ON *.* TO user1@localhost;
+REVOKE CONNECTION ADMIN, SUPER ON *.* FROM user1@localhost;
+connect user1,localhost,user1,,;
+connection user1;
+SET GLOBAL max_connections=10;
+ERROR 42000: Access denied; you need (at least one of) the SUPER, CONNECTION ADMIN privilege(s) for this operation
+SET max_connections=10;
+ERROR HY000: Variable 'max_connections' is a GLOBAL variable and should be set with SET GLOBAL
+SET SESSION max_connections=10;
+ERROR HY000: Variable 'max_connections' is a GLOBAL variable and should be set with SET GLOBAL
+disconnect user1;
+connection default;
+DROP USER user1@localhost;
+# Test that "SET max_connections" is allowed with CONNECTION ADMIN
+CREATE USER user1@localhost;
+GRANT CONNECTION ADMIN ON *.* TO user1@localhost;
+connect user1,localhost,user1,,;
+connection user1;
+SET GLOBAL max_connections=10;
+SET max_connections=10;
+ERROR HY000: Variable 'max_connections' is a GLOBAL variable and should be set with SET GLOBAL
+SET SESSION max_connections=10;
+ERROR HY000: Variable 'max_connections' is a GLOBAL variable and should be set with SET GLOBAL
+disconnect user1;
+connection default;
+DROP USER user1@localhost;
+# Test that "SET max_connections" is allowed with SUPER
+CREATE USER user1@localhost;
+GRANT SUPER ON *.* TO user1@localhost;
+connect user1,localhost,user1,,;
+connection user1;
+SET GLOBAL max_connections=10;
+SET max_connections=10;
+ERROR HY000: Variable 'max_connections' is a GLOBAL variable and should be set with SET GLOBAL
+SET SESSION max_connections=10;
+ERROR HY000: Variable 'max_connections' is a GLOBAL variable and should be set with SET GLOBAL
+disconnect user1;
+connection default;
+DROP USER user1@localhost;
+SET @@global.max_connections=@global;

mysql-test/suite/sys_vars/r/max_password_errors_grant.result

+SET @global=@@global.max_password_errors;
+#
+# MDEV-21961 Bind CONNECTION ADMIN to a number of global system variables
+#
+# Test that "SET max_password_errors" is not allowed without CONNECTION ADMIN or SUPER
+CREATE USER user1@localhost;
+GRANT ALL PRIVILEGES ON *.* TO user1@localhost;
+REVOKE CONNECTION ADMIN, SUPER ON *.* FROM user1@localhost;
+connect user1,localhost,user1,,;
+connection user1;
+SET GLOBAL max_password_errors=10;
+ERROR 42000: Access denied; you need (at least one of) the SUPER, CONNECTION ADMIN privilege(s) for this operation
+SET max_password_errors=10;
+ERROR HY000: Variable 'max_password_errors' is a GLOBAL variable and should be set with SET GLOBAL
+SET SESSION max_password_errors=10;
+ERROR HY000: Variable 'max_password_errors' is a GLOBAL variable and should be set with SET GLOBAL
+disconnect user1;
+connection default;
+DROP USER user1@localhost;
+# Test that "SET max_password_errors" is allowed with CONNECTION ADMIN
+CREATE USER user1@localhost;
+GRANT CONNECTION ADMIN ON *.* TO user1@localhost;
+connect user1,localhost,user1,,;
+connection user1;
+SET GLOBAL max_password_errors=10;
+SET max_password_errors=10;
+ERROR HY000: Variable 'max_password_errors' is a GLOBAL variable and should be set with SET GLOBAL
+SET SESSION max_password_errors=10;
+ERROR HY000: Variable 'max_password_errors' is a GLOBAL variable and should be set with SET GLOBAL
+disconnect user1;
+connection default;
+DROP USER user1@localhost;
+# Test that "SET max_password_errors" is allowed with SUPER
+CREATE USER user1@localhost;
+GRANT SUPER ON *.* TO user1@localhost;
+connect user1,localhost,user1,,;
+connection user1;
+SET GLOBAL max_password_errors=10;
+SET max_password_errors=10;
+ERROR HY000: Variable 'max_password_errors' is a GLOBAL variable and should be set with SET GLOBAL
+SET SESSION max_password_errors=10;
+ERROR HY000: Variable 'max_password_errors' is a GLOBAL variable and should be set with SET GLOBAL
+disconnect user1;
+connection default;
+DROP USER user1@localhost;
+SET @@global.max_password_errors=@global;

mysql-test/suite/sys_vars/r/proxy_protocol_networks_grant.result

+SET @global=@@global.proxy_protocol_networks;
+#
+# MDEV-21961 Bind CONNECTION ADMIN to a number of global system variables
+#
+# Test that "SET proxy_protocol_networks" is not allowed without CONNECTION ADMIN or SUPER
+CREATE USER user1@localhost;
+GRANT ALL PRIVILEGES ON *.* TO user1@localhost;
+REVOKE CONNECTION ADMIN, SUPER ON *.* FROM user1@localhost;
+connect user1,localhost,user1,,;
+connection user1;
+SET GLOBAL proxy_protocol_networks="";
+ERROR 42000: Access denied; you need (at least one of) the SUPER, CONNECTION ADMIN privilege(s) for this operation
+SET proxy_protocol_networks="";
+ERROR HY000: Variable 'proxy_protocol_networks' is a GLOBAL variable and should be set with SET GLOBAL
+SET SESSION proxy_protocol_networks="";
+ERROR HY000: Variable 'proxy_protocol_networks' is a GLOBAL variable and should be set with SET GLOBAL
+disconnect user1;
+connection default;
+DROP USER user1@localhost;
+# Test that "SET proxy_protocol_networks" is allowed with CONNECTION ADMIN
+CREATE USER user1@localhost;
+GRANT CONNECTION ADMIN ON *.* TO user1@localhost;
+connect user1,localhost,user1,,;
+connection user1;
+SET GLOBAL proxy_protocol_networks="";
+SET proxy_protocol_networks="";
+ERROR HY000: Variable 'proxy_protocol_networks' is a GLOBAL variable and should be set with SET GLOBAL
+SET SESSION proxy_protocol_networks="";
+ERROR HY000: Variable 'proxy_protocol_networks' is a GLOBAL variable and should be set with SET GLOBAL
+disconnect user1;
+connection default;
+DROP USER user1@localhost;
+# Test that "SET proxy_protocol_networks" is allowed with SUPER
+CREATE USER user1@localhost;
+GRANT SUPER ON *.* TO user1@localhost;
+connect user1,localhost,user1,,;
+connection user1;
+SET GLOBAL proxy_protocol_networks="";
+SET proxy_protocol_networks="";
+ERROR HY000: Variable 'proxy_protocol_networks' is a GLOBAL variable and should be set with SET GLOBAL
+SET SESSION proxy_protocol_networks="";
+ERROR HY000: Variable 'proxy_protocol_networks' is a GLOBAL variable and should be set with SET GLOBAL
+disconnect user1;
+connection default;
+DROP USER user1@localhost;
+SET @@global.proxy_protocol_networks=@global;

mysql-test/suite/sys_vars/r/secure_auth_grant.result

+SET @global=@@global.secure_auth;
+#
+# MDEV-21961 Bind CONNECTION ADMIN to a number of global system variables
+#
+# Test that "SET secure_auth" is not allowed without CONNECTION ADMIN or SUPER
+CREATE USER user1@localhost;
+GRANT ALL PRIVILEGES ON *.* TO user1@localhost;
+REVOKE CONNECTION ADMIN, SUPER ON *.* FROM user1@localhost;
+connect user1,localhost,user1,,;
+connection user1;
+SET GLOBAL secure_auth=1;
+ERROR 42000: Access denied; you need (at least one of) the SUPER, CONNECTION ADMIN privilege(s) for this operation
+SET secure_auth=1;
+ERROR HY000: Variable 'secure_auth' is a GLOBAL variable and should be set with SET GLOBAL
+SET SESSION secure_auth=1;
+ERROR HY000: Variable 'secure_auth' is a GLOBAL variable and should be set with SET GLOBAL
+disconnect user1;
+connection default;
+DROP USER user1@localhost;
+# Test that "SET secure_auth" is allowed with CONNECTION ADMIN
+CREATE USER user1@localhost;
+GRANT CONNECTION ADMIN ON *.* TO user1@localhost;
+connect user1,localhost,user1,,;
+connection user1;
+SET GLOBAL secure_auth=1;
+SET secure_auth=1;
+ERROR HY000: Variable 'secure_auth' is a GLOBAL variable and should be set with SET GLOBAL
+SET SESSION secure_auth=1;
+ERROR HY000: Variable 'secure_auth' is a GLOBAL variable and should be set with SET GLOBAL
+disconnect user1;
+connection default;
+DROP USER user1@localhost;
+# Test that "SET secure_auth" is allowed with SUPER
+CREATE USER user1@localhost;
+GRANT SUPER ON *.* TO user1@localhost;
+connect user1,localhost,user1,,;
+connection user1;
+SET GLOBAL secure_auth=1;
+SET secure_auth=1;
+ERROR HY000: Variable 'secure_auth' is a GLOBAL variable and should be set with SET GLOBAL
+SET SESSION secure_auth=1;
+ERROR HY000: Variable 'secure_auth' is a GLOBAL variable and should be set with SET GLOBAL
+disconnect user1;
+connection default;
+DROP USER user1@localhost;
+SET @@global.secure_auth=@global;

mysql-test/suite/sys_vars/r/slow_launch_time_grant.result

+SET @global=@@global.slow_launch_time;
+#
+# MDEV-21961 Bind CONNECTION ADMIN to a number of global system variables
+#
+# Test that "SET slow_launch_time" is not allowed without CONNECTION ADMIN or SUPER
+CREATE USER user1@localhost;
+GRANT ALL PRIVILEGES ON *.* TO user1@localhost;
+REVOKE CONNECTION ADMIN, SUPER ON *.* FROM user1@localhost;
+connect user1,localhost,user1,,;
+connection user1;
+SET GLOBAL slow_launch_time=10;
+ERROR 42000: Access denied; you need (at least one of) the SUPER, CONNECTION ADMIN privilege(s) for this operation
+SET slow_launch_time=10;
+ERROR HY000: Variable 'slow_launch_time' is a GLOBAL variable and should be set with SET GLOBAL
+SET SESSION slow_launch_time=10;
+ERROR HY000: Variable 'slow_launch_time' is a GLOBAL variable and should be set with SET GLOBAL
+disconnect user1;
+connection default;
+DROP USER user1@localhost;
+# Test that "SET slow_launch_time" is allowed with CONNECTION ADMIN
+CREATE USER user1@localhost;
+GRANT CONNECTION ADMIN ON *.* TO user1@localhost;
+connect user1,localhost,user1,,;
+connection user1;
+SET GLOBAL slow_launch_time=10;
+SET slow_launch_time=10;
+ERROR HY000: Variable 'slow_launch_time' is a GLOBAL variable and should be set with SET GLOBAL
+SET SESSION slow_launch_time=10;
+ERROR HY000: Variable 'slow_launch_time' is a GLOBAL variable and should be set with SET GLOBAL
+disconnect user1;
+connection default;
+DROP USER user1@localhost;
+# Test that "SET slow_launch_time" is allowed with SUPER
+CREATE USER user1@localhost;
+GRANT SUPER ON *.* TO user1@localhost;
+connect user1,localhost,user1,,;
+connection user1;
+SET GLOBAL slow_launch_time=10;
+SET slow_launch_time=10;
+ERROR HY000: Variable 'slow_launch_time' is a GLOBAL variable and should be set with SET GLOBAL
+SET SESSION slow_launch_time=10;
+ERROR HY000: Variable 'slow_launch_time' is a GLOBAL variable and should be set with SET GLOBAL
+disconnect user1;
+connection default;
+DROP USER user1@localhost;
+SET @@global.slow_launch_time=@global;

mysql-test/suite/sys_vars/r/thread_pool_idle_timeout_grant.result

+SET @global=@@global.thread_pool_idle_timeout;
+#
+# MDEV-21961 Bind CONNECTION ADMIN to a number of global system variables
+#
+# Test that "SET thread_pool_idle_timeout" is not allowed without CONNECTION ADMIN or SUPER
+CREATE USER user1@localhost;
+GRANT ALL PRIVILEGES ON *.* TO user1@localhost;
+REVOKE CONNECTION ADMIN, SUPER ON *.* FROM user1@localhost;
+connect user1,localhost,user1,,;
+connection user1;
+SET GLOBAL thread_pool_idle_timeout=10;
+ERROR 42000: Access denied; you need (at least one of) the SUPER, CONNECTION ADMIN privilege(s) for this operation
+SET thread_pool_idle_timeout=10;
+ERROR HY000: Variable 'thread_pool_idle_timeout' is a GLOBAL variable and should be set with SET GLOBAL
+SET SESSION thread_pool_idle_timeout=10;
+ERROR HY000: Variable 'thread_pool_idle_timeout' is a GLOBAL variable and should be set with SET GLOBAL
+disconnect user1;
+connection default;
+DROP USER user1@localhost;
+# Test that "SET thread_pool_idle_timeout" is allowed with CONNECTION ADMIN
+CREATE USER user1@localhost;
+GRANT CONNECTION ADMIN ON *.* TO user1@localhost;
+connect user1,localhost,user1,,;
+connection user1;
+SET GLOBAL thread_pool_idle_timeout=10;
+SET thread_pool_idle_timeout=10;
+ERROR HY000: Variable 'thread_pool_idle_timeout' is a GLOBAL variable and should be set with SET GLOBAL
+SET SESSION thread_pool_idle_timeout=10;
+ERROR HY000: Variable 'thread_pool_idle_timeout' is a GLOBAL variable and should be set with SET GLOBAL
+disconnect user1;
+connection default;
+DROP USER user1@localhost;
+# Test that "SET thread_pool_idle_timeout" is allowed with SUPER
+CREATE USER user1@localhost;
+GRANT SUPER ON *.* TO user1@localhost;
+connect user1,localhost,user1,,;
+connection user1;
+SET GLOBAL thread_pool_idle_timeout=10;
+SET thread_pool_idle_timeout=10;
+ERROR HY000: Variable 'thread_pool_idle_timeout' is a GLOBAL variable and should be set with SET GLOBAL
+SET SESSION thread_pool_idle_timeout=10;
+ERROR HY000: Variable 'thread_pool_idle_timeout' is a GLOBAL variable and should be set with SET GLOBAL
+disconnect user1;
+connection default;
+DROP USER user1@localhost;
+SET @@global.thread_pool_idle_timeout=@global;

mysql-test/suite/sys_vars/r/thread_pool_max_threads_grant.result

+SET @global=@@global.thread_pool_max_threads;
+#
+# MDEV-21961 Bind CONNECTION ADMIN to a number of global system variables
+#
+# Test that "SET thread_pool_max_threads" is not allowed without CONNECTION ADMIN or SUPER
+CREATE USER user1@localhost;
+GRANT ALL PRIVILEGES ON *.* TO user1@localhost;
+REVOKE CONNECTION ADMIN, SUPER ON *.* FROM user1@localhost;
+connect user1,localhost,user1,,;
+connection user1;
+SET GLOBAL thread_pool_max_threads=10;
+ERROR 42000: Access denied; you need (at least one of) the SUPER, CONNECTION ADMIN privilege(s) for this operation
+SET thread_pool_max_threads=10;
+ERROR HY000: Variable 'thread_pool_max_threads' is a GLOBAL variable and should be set with SET GLOBAL
+SET SESSION thread_pool_max_threads=10;
+ERROR HY000: Variable 'thread_pool_max_threads' is a GLOBAL variable and should be set with SET GLOBAL
+disconnect user1;
+connection default;
+DROP USER user1@localhost;
+# Test that "SET thread_pool_max_threads" is allowed with CONNECTION ADMIN
+CREATE USER user1@localhost;
+GRANT CONNECTION ADMIN ON *.* TO user1@localhost;
+connect user1,localhost,user1,,;
+connection user1;
+SET GLOBAL thread_pool_max_threads=10;
+SET thread_pool_max_threads=10;
+ERROR HY000: Variable 'thread_pool_max_threads' is a GLOBAL variable and should be set with SET GLOBAL
+SET SESSION thread_pool_max_threads=10;
+ERROR HY000: Variable 'thread_pool_max_threads' is a GLOBAL variable and should be set with SET GLOBAL
+disconnect user1;
+connection default;
+DROP USER user1@localhost;
+# Test that "SET thread_pool_max_threads" is allowed with SUPER
+CREATE USER user1@localhost;
+GRANT SUPER ON *.* TO user1@localhost;
+connect user1,localhost,user1,,;
+connection user1;
+SET GLOBAL thread_pool_max_threads=10;
+SET thread_pool_max_threads=10;
+ERROR HY000: Variable 'thread_pool_max_threads' is a GLOBAL variable and should be set with SET GLOBAL
+SET SESSION thread_pool_max_threads=10;
+ERROR HY000: Variable 'thread_pool_max_threads' is a GLOBAL variable and should be set with SET GLOBAL
+disconnect user1;
+connection default;
+DROP USER user1@localhost;
+SET @@global.thread_pool_max_threads=@global;

mysql-test/suite/sys_vars/r/thread_pool_oversubscribe_grant.result

+SET @global=@@global.thread_pool_oversubscribe;
+#
+# MDEV-21961 Bind CONNECTION ADMIN to a number of global system variables
+#
+# Test that "SET thread_pool_oversubscribe" is not allowed without CONNECTION ADMIN or SUPER
+CREATE USER user1@localhost;
+GRANT ALL PRIVILEGES ON *.* TO user1@localhost;
+REVOKE CONNECTION ADMIN, SUPER ON *.* FROM user1@localhost;
+connect user1,localhost,user1,,;
+connection user1;
+SET GLOBAL thread_pool_oversubscribe=10;
+ERROR 42000: Access denied; you need (at least one of) the SUPER, CONNECTION ADMIN privilege(s) for this operation
+SET thread_pool_oversubscribe=10;
+ERROR HY000: Variable 'thread_pool_oversubscribe' is a GLOBAL variable and should be set with SET GLOBAL
+SET SESSION thread_pool_oversubscribe=10;
+ERROR HY000: Variable 'thread_pool_oversubscribe' is a GLOBAL variable and should be set with SET GLOBAL
+disconnect user1;
+connection default;
+DROP USER user1@localhost;
+# Test that "SET thread_pool_oversubscribe" is allowed with CONNECTION ADMIN
+CREATE USER user1@localhost;
+GRANT CONNECTION ADMIN ON *.* TO user1@localhost;
+connect user1,localhost,user1,,;
+connection user1;
+SET GLOBAL thread_pool_oversubscribe=10;
+SET thread_pool_oversubscribe=10;
+ERROR HY000: Variable 'thread_pool_oversubscribe' is a GLOBAL variable and should be set with SET GLOBAL
+SET SESSION thread_pool_oversubscribe=10;
+ERROR HY000: Variable 'thread_pool_oversubscribe' is a GLOBAL variable and should be set with SET GLOBAL
+disconnect user1;
+connection default;
+DROP USER user1@localhost;
+# Test that "SET thread_pool_oversubscribe" is allowed with SUPER
+CREATE USER user1@localhost;
+GRANT SUPER ON *.* TO user1@localhost;
+connect user1,localhost,user1,,;
+connection user1;
+SET GLOBAL thread_pool_oversubscribe=10;
+SET thread_pool_oversubscribe=10;
+ERROR HY000: Variable 'thread_pool_oversubscribe' is a GLOBAL variable and should be set with SET GLOBAL
+SET SESSION thread_pool_oversubscribe=10;
+ERROR HY000: Variable 'thread_pool_oversubscribe' is a GLOBAL variable and should be set with SET GLOBAL
+disconnect user1;
+connection default;
+DROP USER user1@localhost;
+SET @@global.thread_pool_oversubscribe=@global;

mysql-test/suite/sys_vars/r/thread_pool_stall_limit_grant.result

+SET @global=@@global.thread_pool_stall_limit;
+#
+# MDEV-21961 Bind CONNECTION ADMIN to a number of global system variables
+#
+# Test that "SET thread_pool_stall_limit" is not allowed without CONNECTION ADMIN or SUPER
+CREATE USER user1@localhost;
+GRANT ALL PRIVILEGES ON *.* TO user1@localhost;
+REVOKE CONNECTION ADMIN, SUPER ON *.* FROM user1@localhost;
+connect user1,localhost,user1,,;
+connection user1;
+SET GLOBAL thread_pool_stall_limit=400;
+ERROR 42000: Access denied; you need (at least one of) the SUPER, CONNECTION ADMIN privilege(s) for this operation
+SET thread_pool_stall_limit=400;
+ERROR HY000: Variable 'thread_pool_stall_limit' is a GLOBAL variable and should be set with SET GLOBAL
+SET SESSION thread_pool_stall_limit=400;
+ERROR HY000: Variable 'thread_pool_stall_limit' is a GLOBAL variable and should be set with SET GLOBAL
+disconnect user1;
+connection default;
+DROP USER user1@localhost;
+# Test that "SET thread_pool_stall_limit" is allowed with CONNECTION ADMIN
+CREATE USER user1@localhost;
+GRANT CONNECTION ADMIN ON *.* TO user1@localhost;
+connect user1,localhost,user1,,;
+connection user1;
+SET GLOBAL thread_pool_stall_limit=400;
+SET thread_pool_stall_limit=400;
+ERROR HY000: Variable 'thread_pool_stall_limit' is a GLOBAL variable and should be set with SET GLOBAL
+SET SESSION thread_pool_stall_limit=400;
+ERROR HY000: Variable 'thread_pool_stall_limit' is a GLOBAL variable and should be set with SET GLOBAL
+disconnect user1;
+connection default;
+DROP USER user1@localhost;
+# Test that "SET thread_pool_stall_limit" is allowed with SUPER
+CREATE USER user1@localhost;
+GRANT SUPER ON *.* TO user1@localhost;
+connect user1,localhost,user1,,;
+connection user1;
+SET GLOBAL thread_pool_stall_limit=400;
+SET thread_pool_stall_limit=400;
+ERROR HY000: Variable 'thread_pool_stall_limit' is a GLOBAL variable and should be set with SET GLOBAL
+SET SESSION thread_pool_stall_limit=400;
+ERROR HY000: Variable 'thread_pool_stall_limit' is a GLOBAL variable and should be set with SET GLOBAL
+disconnect user1;
+connection default;
+DROP USER user1@localhost;
+SET @@global.thread_pool_stall_limit=@global;

mysql-test/suite/sys_vars/t/connect_timeout_grant.test

+--source include/not_embedded.inc
+
+SET @global=@@global.connect_timeout;
+
+--echo #
+--echo # MDEV-21961 Bind CONNECTION ADMIN to a number of global system variables
+--echo #
+
+--echo # Test that "SET connect_timeout" is not allowed without CONNECTION ADMIN or SUPER
+
+CREATE USER user1@localhost;
+GRANT ALL PRIVILEGES ON *.* TO user1@localhost;
+REVOKE CONNECTION ADMIN, SUPER ON *.* FROM user1@localhost;
+--connect(user1,localhost,user1,,)
+--connection user1
+--error ER_SPECIFIC_ACCESS_DENIED_ERROR
+SET GLOBAL connect_timeout=10;
+--error ER_GLOBAL_VARIABLE
+SET connect_timeout=10;
+--error ER_GLOBAL_VARIABLE
+SET SESSION connect_timeout=10;
+--disconnect user1
+--connection default
+DROP USER user1@localhost;
+
+--echo # Test that "SET connect_timeout" is allowed with CONNECTION ADMIN
+
+CREATE USER user1@localhost;
+GRANT CONNECTION ADMIN ON *.* TO user1@localhost;
+--connect(user1,localhost,user1,,)
+--connection user1
+SET GLOBAL connect_timeout=10;
+--error ER_GLOBAL_VARIABLE
+SET connect_timeout=10;
+--error ER_GLOBAL_VARIABLE
+SET SESSION connect_timeout=10;
+--disconnect user1
+--connection default
+DROP USER user1@localhost;
+
+--echo # Test that "SET connect_timeout" is allowed with SUPER
+
+CREATE USER user1@localhost;
+GRANT SUPER ON *.* TO user1@localhost;
+--connect(user1,localhost,user1,,)
+--connection user1
+SET GLOBAL connect_timeout=10;
+--error ER_GLOBAL_VARIABLE
+SET connect_timeout=10;
+--error ER_GLOBAL_VARIABLE
+SET SESSION connect_timeout=10;
+--disconnect user1
+--connection default
+DROP USER user1@localhost;
+
+SET @@global.connect_timeout=@global;

mysql-test/suite/sys_vars/t/disconnect_on_expired_password_grant.test

+--source include/not_embedded.inc
+
+SET @global=@@global.disconnect_on_expired_password;
+
+--echo #
+--echo # MDEV-21961 Bind CONNECTION ADMIN to a number of global system variables
+--echo #
+
+--echo # Test that "SET disconnect_on_expired_password" is not allowed without CONNECTION ADMIN or SUPER
+
+CREATE USER user1@localhost;
+GRANT ALL PRIVILEGES ON *.* TO user1@localhost;
+REVOKE CONNECTION ADMIN, SUPER ON *.* FROM user1@localhost;
+--connect(user1,localhost,user1,,)
+--connection user1
+--error ER_SPECIFIC_ACCESS_DENIED_ERROR
+SET GLOBAL disconnect_on_expired_password=1;
+--error ER_GLOBAL_VARIABLE
+SET disconnect_on_expired_password=1;
+--error ER_GLOBAL_VARIABLE
+SET SESSION disconnect_on_expired_password=1;
+--disconnect user1
+--connection default
+DROP USER user1@localhost;
+
+--echo # Test that "SET disconnect_on_expired_password" is allowed with CONNECTION ADMIN
+
+CREATE USER user1@localhost;
+GRANT CONNECTION ADMIN ON *.* TO user1@localhost;
+--connect(user1,localhost,user1,,)
+--connection user1
+SET GLOBAL disconnect_on_expired_password=1;
+--error ER_GLOBAL_VARIABLE
+SET disconnect_on_expired_password=1;
+--error ER_GLOBAL_VARIABLE
+SET SESSION disconnect_on_expired_password=1;
+--disconnect user1
+--connection default
+DROP USER user1@localhost;
+
+--echo # Test that "SET disconnect_on_expired_password" is allowed with SUPER
+
+CREATE USER user1@localhost;
+GRANT SUPER ON *.* TO user1@localhost;
+--connect(user1,localhost,user1,,)
+--connection user1
+SET GLOBAL disconnect_on_expired_password=1;
+--error ER_GLOBAL_VARIABLE
+SET disconnect_on_expired_password=1;
+--error ER_GLOBAL_VARIABLE
+SET SESSION disconnect_on_expired_password=1;
+--disconnect user1
+--connection default
+DROP USER user1@localhost;
+
+SET @@global.disconnect_on_expired_password=@global;

mysql-test/suite/sys_vars/t/extra_max_connections_grant.test

+--source include/not_embedded.inc
+
+SET @global=@@global.extra_max_connections;
+
+--echo #
+--echo # MDEV-21961 Bind CONNECTION ADMIN to a number of global system variables
+--echo #
+
+--echo # Test that "SET extra_max_connections" is not allowed without CONNECTION ADMIN or SUPER
+
+CREATE USER user1@localhost;
+GRANT ALL PRIVILEGES ON *.* TO user1@localhost;
+REVOKE CONNECTION ADMIN, SUPER ON *.* FROM user1@localhost;
+--connect(user1,localhost,user1,,)
+--connection user1
+--error ER_SPECIFIC_ACCESS_DENIED_ERROR
+SET GLOBAL extra_max_connections=10;
+--error ER_GLOBAL_VARIABLE
+SET extra_max_connections=10;
+--error ER_GLOBAL_VARIABLE
+SET SESSION extra_max_connections=10;
+--disconnect user1
+--connection default
+DROP USER user1@localhost;
+
+--echo # Test that "SET extra_max_connections" is allowed with CONNECTION ADMIN
+
+CREATE USER user1@localhost;
+GRANT CONNECTION ADMIN ON *.* TO user1@localhost;
+--connect(user1,localhost,user1,,)
+--connection user1
+SET GLOBAL extra_max_connections=10;
+--error ER_GLOBAL_VARIABLE
+SET extra_max_connections=10;
+--error ER_GLOBAL_VARIABLE
+SET SESSION extra_max_connections=10;
+--disconnect user1
+--connection default
+DROP USER user1@localhost;
+
+--echo # Test that "SET extra_max_connections" is allowed with SUPER
+
+CREATE USER user1@localhost;
+GRANT SUPER ON *.* TO user1@localhost;
+--connect(user1,localhost,user1,,)
+--connection user1
+SET GLOBAL extra_max_connections=10;
+--error ER_GLOBAL_VARIABLE
+SET extra_max_connections=10;
+--error ER_GLOBAL_VARIABLE
+SET SESSION extra_max_connections=10;
+--disconnect user1
+--connection default
+DROP USER user1@localhost;
+
+SET @@global.extra_max_connections=@global;

mysql-test/suite/sys_vars/t/init_connect_grant.test

+--source include/not_embedded.inc
+
+SET @global=@@global.init_connect;
+
+--echo #
+--echo # MDEV-21961 Bind CONNECTION ADMIN to a number of global system variables
+--echo #
+
+--echo # Test that "SET init_connect" is not allowed without CONNECTION ADMIN or SUPER
+
+CREATE USER user1@localhost;
+GRANT ALL PRIVILEGES ON *.* TO user1@localhost;
+REVOKE CONNECTION ADMIN, SUPER ON *.* FROM user1@localhost;
+--connect(user1,localhost,user1,,)
+--connection user1
+--error ER_SPECIFIC_ACCESS_DENIED_ERROR
+SET GLOBAL init_connect="SET @xxx=1";
+--error ER_GLOBAL_VARIABLE
+SET init_connect="SET @xxx=1";
+--error ER_GLOBAL_VARIABLE
+SET SESSION init_connect="SET @xxx=1";
+--disconnect user1
+--connection default
+DROP USER user1@localhost;
+
+--echo # Test that "SET init_connect" is allowed with CONNECTION ADMIN
+
+CREATE USER user1@localhost;
+GRANT CONNECTION ADMIN ON *.* TO user1@localhost;
+--connect(user1,localhost,user1,,)
+--connection user1
+SET GLOBAL init_connect="SET @xxx=1";
+--error ER_GLOBAL_VARIABLE
+SET init_connect="SET @xxx=1";
+--error ER_GLOBAL_VARIABLE
+SET SESSION init_connect="SET @xxx=1";
+--disconnect user1
+--connection default
+DROP USER user1@localhost;
+
+--echo # Test that "SET init_connect" is allowed with SUPER
+
+CREATE USER user1@localhost;
+GRANT SUPER ON *.* TO user1@localhost;
+--connect(user1,localhost,user1,,)
+--connection user1
+SET GLOBAL init_connect="SET @xxx=1";
+--error ER_GLOBAL_VARIABLE
+SET init_connect="SET @xxx=1";
+--error ER_GLOBAL_VARIABLE
+SET SESSION init_connect="SET @xxx=1";
+--disconnect user1
+--connection default
+DROP USER user1@localhost;
+
+SET @@global.init_connect=@global;

mysql-test/suite/sys_vars/t/max_connect_errors_grant.test

+--source include/not_embedded.inc
+
+SET @global=@@global.max_connect_errors;
+
+--echo #
+--echo # MDEV-21961 Bind CONNECTION ADMIN to a number of global system variables
+--echo #
+
+--echo # Test that "SET max_connect_errors" is not allowed without CONNECTION ADMIN or SUPER
+
+CREATE USER user1@localhost;
+GRANT ALL PRIVILEGES ON *.* TO user1@localhost;
+REVOKE CONNECTION ADMIN, SUPER ON *.* FROM user1@localhost;
+--connect(user1,localhost,user1,,)
+--connection user1
+--error ER_SPECIFIC_ACCESS_DENIED_ERROR
+SET GLOBAL max_connect_errors=10;
+--error ER_GLOBAL_VARIABLE
+SET max_connect_errors=10;
+--error ER_GLOBAL_VARIABLE
+SET SESSION max_connect_errors=10;
+--disconnect user1
+--connection default
+DROP USER user1@localhost;
+
+--echo # Test that "SET max_connect_errors" is allowed with CONNECTION ADMIN
+
+CREATE USER user1@localhost;
+GRANT CONNECTION ADMIN ON *.* TO user1@localhost;
+--connect(user1,localhost,user1,,)
+--connection user1
+SET GLOBAL max_connect_errors=10;
+--error ER_GLOBAL_VARIABLE
+SET max_connect_errors=10;
+--error ER_GLOBAL_VARIABLE
+SET SESSION max_connect_errors=10;
+--disconnect user1
+--connection default
+DROP USER user1@localhost;
+
+--echo # Test that "SET max_connect_errors" is allowed with SUPER
+
+CREATE USER user1@localhost;
+GRANT SUPER ON *.* TO user1@localhost;
+--connect(user1,localhost,user1,,)
+--connection user1
+SET GLOBAL max_connect_errors=10;
+--error ER_GLOBAL_VARIABLE
+SET max_connect_errors=10;
+--error ER_GLOBAL_VARIABLE
+SET SESSION max_connect_errors=10;
+--disconnect user1
+--connection default
+DROP USER user1@localhost;
+
+SET @@global.max_connect_errors=@global;

mysql-test/suite/sys_vars/t/max_connections_grant.test

+--source include/not_embedded.inc
+
+SET @global=@@global.max_connections;
+
+--echo #
+--echo # MDEV-21961 Bind CONNECTION ADMIN to a number of global system variables
+--echo #
+
+--echo # Test that "SET max_connections" is not allowed without CONNECTION ADMIN or SUPER
+
+CREATE USER user1@localhost;
+GRANT ALL PRIVILEGES ON *.* TO user1@localhost;
+REVOKE CONNECTION ADMIN, SUPER ON *.* FROM user1@localhost;
+--connect(user1,localhost,user1,,)
+--connection user1
+--error ER_SPECIFIC_ACCESS_DENIED_ERROR
+SET GLOBAL max_connections=10;
+--error ER_GLOBAL_VARIABLE
+SET max_connections=10;
+--error ER_GLOBAL_VARIABLE
+SET SESSION max_connections=10;
+--disconnect user1
+--connection default
+DROP USER user1@localhost;
+
+--echo # Test that "SET max_connections" is allowed with CONNECTION ADMIN
+
+CREATE USER user1@localhost;
+GRANT CONNECTION ADMIN ON *.* TO user1@localhost;
+--connect(user1,localhost,user1,,)
+--connection user1
+SET GLOBAL max_connections=10;
+--error ER_GLOBAL_VARIABLE
+SET max_connections=10;
+--error ER_GLOBAL_VARIABLE
+SET SESSION max_connections=10;
+--disconnect user1
+--connection default
+DROP USER user1@localhost;
+
+--echo # Test that "SET max_connections" is allowed with SUPER
+
+CREATE USER user1@localhost;
+GRANT SUPER ON *.* TO user1@localhost;
+--connect(user1,localhost,user1,,)
+--connection user1
+SET GLOBAL max_connections=10;
+--error ER_GLOBAL_VARIABLE
+SET max_connections=10;
+--error ER_GLOBAL_VARIABLE
+SET SESSION max_connections=10;
+--disconnect user1
+--connection default
+DROP USER user1@localhost;
+
+SET @@global.max_connections=@global;

mysql-test/suite/sys_vars/t/max_password_errors_grant.test

+--source include/not_embedded.inc
+
+SET @global=@@global.max_password_errors;
+
+--echo #
+--echo # MDEV-21961 Bind CONNECTION ADMIN to a number of global system variables
+--echo #
+
+--echo # Test that "SET max_password_errors" is not allowed without CONNECTION ADMIN or SUPER
+
+CREATE USER user1@localhost;
+GRANT ALL PRIVILEGES ON *.* TO user1@localhost;
+REVOKE CONNECTION ADMIN, SUPER ON *.* FROM user1@localhost;
+--connect(user1,localhost,user1,,)
+--connection user1
+--error ER_SPECIFIC_ACCESS_DENIED_ERROR
+SET GLOBAL max_password_errors=10;
+--error ER_GLOBAL_VARIABLE
+SET max_password_errors=10;
+--error ER_GLOBAL_VARIABLE
+SET SESSION max_password_errors=10;
+--disconnect user1
+--connection default
+DROP USER user1@localhost;
+
+--echo # Test that "SET max_password_errors" is allowed with CONNECTION ADMIN
+
+CREATE USER user1@localhost;
+GRANT CONNECTION ADMIN ON *.* TO user1@localhost;
+--connect(user1,localhost,user1,,)
+--connection user1
+SET GLOBAL max_password_errors=10;
+--error ER_GLOBAL_VARIABLE
+SET max_password_errors=10;
+--error ER_GLOBAL_VARIABLE
+SET SESSION max_password_errors=10;
+--disconnect user1
+--connection default
+DROP USER user1@localhost;
+
+--echo # Test that "SET max_password_errors" is allowed with SUPER
+
+CREATE USER user1@localhost;
+GRANT SUPER ON *.* TO user1@localhost;
+--connect(user1,localhost,user1,,)
+--connection user1
+SET GLOBAL max_password_errors=10;
+--error ER_GLOBAL_VARIABLE
+SET max_password_errors=10;
+--error ER_GLOBAL_VARIABLE
+SET SESSION max_password_errors=10;
+--disconnect user1
+--connection default
+DROP USER user1@localhost;
+
+SET @@global.max_password_errors=@global;

mysql-test/suite/sys_vars/t/proxy_protocol_networks_grant.test

+--source include/not_embedded.inc
+
+SET @global=@@global.proxy_protocol_networks;
+
+--echo #
+--echo # MDEV-21961 Bind CONNECTION ADMIN to a number of global system variables
+--echo #
+
+--echo # Test that "SET proxy_protocol_networks" is not allowed without CONNECTION ADMIN or SUPER
+
+CREATE USER user1@localhost;
+GRANT ALL PRIVILEGES ON *.* TO user1@localhost;
+REVOKE CONNECTION ADMIN, SUPER ON *.* FROM user1@localhost;
+--connect(user1,localhost,user1,,)
+--connection user1
+--error ER_SPECIFIC_ACCESS_DENIED_ERROR
+SET GLOBAL proxy_protocol_networks="";
+--error ER_GLOBAL_VARIABLE
+SET proxy_protocol_networks="";
+--error ER_GLOBAL_VARIABLE
+SET SESSION proxy_protocol_networks="";
+--disconnect user1
+--connection default
+DROP USER user1@localhost;
+
+--echo # Test that "SET proxy_protocol_networks" is allowed with CONNECTION ADMIN
+
+CREATE USER user1@localhost;
+GRANT CONNECTION ADMIN ON *.* TO user1@localhost;
+--connect(user1,localhost,user1,,)
+--connection user1
+SET GLOBAL proxy_protocol_networks="";
+--error ER_GLOBAL_VARIABLE
+SET proxy_protocol_networks="";
+--error ER_GLOBAL_VARIABLE
+SET SESSION proxy_protocol_networks="";
+--disconnect user1
+--connection default
+DROP USER user1@localhost;
+
+--echo # Test that "SET proxy_protocol_networks" is allowed with SUPER
+
+CREATE USER user1@localhost;
+GRANT SUPER ON *.* TO user1@localhost;
+--connect(user1,localhost,user1,,)
+--connection user1
+SET GLOBAL proxy_protocol_networks="";
+--error ER_GLOBAL_VARIABLE
+SET proxy_protocol_networks="";
+--error ER_GLOBAL_VARIABLE
+SET SESSION proxy_protocol_networks="";
+--disconnect user1
+--connection default
+DROP USER user1@localhost;
+
+SET @@global.proxy_protocol_networks=@global;

mysql-test/suite/sys_vars/t/secure_auth_grant.test

+--source include/not_embedded.inc
+
+SET @global=@@global.secure_auth;
+
+--echo #
+--echo # MDEV-21961 Bind CONNECTION ADMIN to a number of global system variables
+--echo #
+
+--echo # Test that "SET secure_auth" is not allowed without CONNECTION ADMIN or SUPER
+
+CREATE USER user1@localhost;
+GRANT ALL PRIVILEGES ON *.* TO user1@localhost;
+REVOKE CONNECTION ADMIN, SUPER ON *.* FROM user1@localhost;
+--connect(user1,localhost,user1,,)
+--connection user1
+--error ER_SPECIFIC_ACCESS_DENIED_ERROR
+SET GLOBAL secure_auth=1;
+--error ER_GLOBAL_VARIABLE
+SET secure_auth=1;
+--error ER_GLOBAL_VARIABLE
+SET SESSION secure_auth=1;
+--disconnect user1
+--connection default
+DROP USER user1@localhost;
+
+--echo # Test that "SET secure_auth" is allowed with CONNECTION ADMIN
+
+CREATE USER user1@localhost;
+GRANT CONNECTION ADMIN ON *.* TO user1@localhost;
+--connect(user1,localhost,user1,,)
+--connection user1
+SET GLOBAL secure_auth=1;
+--error ER_GLOBAL_VARIABLE
+SET secure_auth=1;
+--error ER_GLOBAL_VARIABLE
+SET SESSION secure_auth=1;
+--disconnect user1
+--connection default
+DROP USER user1@localhost;
+
+--echo # Test that "SET secure_auth" is allowed with SUPER
+
+CREATE USER user1@localhost;
+GRANT SUPER ON *.* TO user1@localhost;
+--connect(user1,localhost,user1,,)
+--connection user1
+SET GLOBAL secure_auth=1;
+--error ER_GLOBAL_VARIABLE
+SET secure_auth=1;
+--error ER_GLOBAL_VARIABLE
+SET SESSION secure_auth=1;
+--disconnect user1
+--connection default
+DROP USER user1@localhost;
+
+SET @@global.secure_auth=@global;

mysql-test/suite/sys_vars/t/slow_launch_time_grant.test

+--source include/not_embedded.inc
+
+SET @global=@@global.slow_launch_time;
+
+--echo #
+--echo # MDEV-21961 Bind CONNECTION ADMIN to a number of global system variables
+--echo #
+
+--echo # Test that "SET slow_launch_time" is not allowed without CONNECTION ADMIN or SUPER
+
+CREATE USER user1@localhost;
+GRANT ALL PRIVILEGES ON *.* TO user1@localhost;
+REVOKE CONNECTION ADMIN, SUPER ON *.* FROM user1@localhost;
+--connect(user1,localhost,user1,,)
+--connection user1
+--error ER_SPECIFIC_ACCESS_DENIED_ERROR
+SET GLOBAL slow_launch_time=10;
+--error ER_GLOBAL_VARIABLE
+SET slow_launch_time=10;
+--error ER_GLOBAL_VARIABLE
+SET SESSION slow_launch_time=10;
+--disconnect user1
+--connection default
+DROP USER user1@localhost;
+
+--echo # Test that "SET slow_launch_time" is allowed with CONNECTION ADMIN
+
+CREATE USER user1@localhost;
+GRANT CONNECTION ADMIN ON *.* TO user1@localhost;
+--connect(user1,localhost,user1,,)
+--connection user1
+SET GLOBAL slow_launch_time=10;
+--error ER_GLOBAL_VARIABLE
+SET slow_launch_time=10;
+--error ER_GLOBAL_VARIABLE
+SET SESSION slow_launch_time=10;
+--disconnect user1
+--connection default
+DROP USER user1@localhost;
+
+--echo # Test that "SET slow_launch_time" is allowed with SUPER
+
+CREATE USER user1@localhost;
+GRANT SUPER ON *.* TO user1@localhost;
+--connect(user1,localhost,user1,,)
+--connection user1
+SET GLOBAL slow_launch_time=10;
+--error ER_GLOBAL_VARIABLE
+SET slow_launch_time=10;
+--error ER_GLOBAL_VARIABLE
+SET SESSION slow_launch_time=10;
+--disconnect user1
+--connection default
+DROP USER user1@localhost;
+
+SET @@global.slow_launch_time=@global;

mysql-test/suite/sys_vars/t/thread_pool_idle_timeout_grant.test

+--source include/not_windows.inc
+--source include/not_embedded.inc
+
+SET @global=@@global.thread_pool_idle_timeout;
+
+--echo #
+--echo # MDEV-21961 Bind CONNECTION ADMIN to a number of global system variables
+--echo #
+
+--echo # Test that "SET thread_pool_idle_timeout" is not allowed without CONNECTION ADMIN or SUPER
+
+CREATE USER user1@localhost;
+GRANT ALL PRIVILEGES ON *.* TO user1@localhost;
+REVOKE CONNECTION ADMIN, SUPER ON *.* FROM user1@localhost;
+--connect(user1,localhost,user1,,)
+--connection user1
+--error ER_SPECIFIC_ACCESS_DENIED_ERROR
+SET GLOBAL thread_pool_idle_timeout=10;
+--error ER_GLOBAL_VARIABLE
+SET thread_pool_idle_timeout=10;
+--error ER_GLOBAL_VARIABLE
+SET SESSION thread_pool_idle_timeout=10;
+--disconnect user1
+--connection default
+DROP USER user1@localhost;
+
+--echo # Test that "SET thread_pool_idle_timeout" is allowed with CONNECTION ADMIN
+
+CREATE USER user1@localhost;
+GRANT CONNECTION ADMIN ON *.* TO user1@localhost;
+--connect(user1,localhost,user1,,)
+--connection user1
+SET GLOBAL thread_pool_idle_timeout=10;
+--error ER_GLOBAL_VARIABLE
+SET thread_pool_idle_timeout=10;
+--error ER_GLOBAL_VARIABLE
+SET SESSION thread_pool_idle_timeout=10;
+--disconnect user1
+--connection default
+DROP USER user1@localhost;
+
+--echo # Test that "SET thread_pool_idle_timeout" is allowed with SUPER
+
+CREATE USER user1@localhost;
+GRANT SUPER ON *.* TO user1@localhost;
+--connect(user1,localhost,user1,,)
+--connection user1
+SET GLOBAL thread_pool_idle_timeout=10;
+--error ER_GLOBAL_VARIABLE
+SET thread_pool_idle_timeout=10;
+--error ER_GLOBAL_VARIABLE
+SET SESSION thread_pool_idle_timeout=10;
+--disconnect user1
+--connection default
+DROP USER user1@localhost;
+
+SET @@global.thread_pool_idle_timeout=@global;

mysql-test/suite/sys_vars/t/thread_pool_max_threads_grant.test

+# uint global
+--source include/not_embedded.inc
+
+SET @global=@@global.thread_pool_max_threads;
+
+--echo #
+--echo # MDEV-21961 Bind CONNECTION ADMIN to a number of global system variables
+--echo #
+
+--echo # Test that "SET thread_pool_max_threads" is not allowed without CONNECTION ADMIN or SUPER
+
+CREATE USER user1@localhost;
+GRANT ALL PRIVILEGES ON *.* TO user1@localhost;
+REVOKE CONNECTION ADMIN, SUPER ON *.* FROM user1@localhost;
+--connect(user1,localhost,user1,,)
+--connection user1
+--error ER_SPECIFIC_ACCESS_DENIED_ERROR
+SET GLOBAL thread_pool_max_threads=10;
+--error ER_GLOBAL_VARIABLE
+SET thread_pool_max_threads=10;
+--error ER_GLOBAL_VARIABLE
+SET SESSION thread_pool_max_threads=10;
+--disconnect user1
+--connection default
+DROP USER user1@localhost;
+
+--echo # Test that "SET thread_pool_max_threads" is allowed with CONNECTION ADMIN
+
+CREATE USER user1@localhost;
+GRANT CONNECTION ADMIN ON *.* TO user1@localhost;
+--connect(user1,localhost,user1,,)
+--connection user1
+SET GLOBAL thread_pool_max_threads=10;
+--error ER_GLOBAL_VARIABLE
+SET thread_pool_max_threads=10;
+--error ER_GLOBAL_VARIABLE
+SET SESSION thread_pool_max_threads=10;
+--disconnect user1
+--connection default
+DROP USER user1@localhost;
+
+--echo # Test that "SET thread_pool_max_threads" is allowed with SUPER
+
+CREATE USER user1@localhost;
+GRANT SUPER ON *.* TO user1@localhost;
+--connect(user1,localhost,user1,,)
+--connection user1
+SET GLOBAL thread_pool_max_threads=10;
+--error ER_GLOBAL_VARIABLE
+SET thread_pool_max_threads=10;
+--error ER_GLOBAL_VARIABLE
+SET SESSION thread_pool_max_threads=10;
+--disconnect user1
+--connection default
+DROP USER user1@localhost;
+
+SET @@global.thread_pool_max_threads=@global;

mysql-test/suite/sys_vars/t/thread_pool_oversubscribe_grant.test

+--source include/not_windows.inc
+--source include/not_embedded.inc
+
+SET @global=@@global.thread_pool_oversubscribe;
+
+--echo #
+--echo # MDEV-21961 Bind CONNECTION ADMIN to a number of global system variables
+--echo #
+
+--echo # Test that "SET thread_pool_oversubscribe" is not allowed without CONNECTION ADMIN or SUPER
+
+CREATE USER user1@localhost;
+GRANT ALL PRIVILEGES ON *.* TO user1@localhost;
+REVOKE CONNECTION ADMIN, SUPER ON *.* FROM user1@localhost;
+--connect(user1,localhost,user1,,)
+--connection user1
+--error ER_SPECIFIC_ACCESS_DENIED_ERROR
+SET GLOBAL thread_pool_oversubscribe=10;
+--error ER_GLOBAL_VARIABLE
+SET thread_pool_oversubscribe=10;
+--error ER_GLOBAL_VARIABLE
+SET SESSION thread_pool_oversubscribe=10;
+--disconnect user1
+--connection default
+DROP USER user1@localhost;
+
+--echo # Test that "SET thread_pool_oversubscribe" is allowed with CONNECTION ADMIN
+
+CREATE USER user1@localhost;
+GRANT CONNECTION ADMIN ON *.* TO user1@localhost;
+--connect(user1,localhost,user1,,)
+--connection user1
+SET GLOBAL thread_pool_oversubscribe=10;
+--error ER_GLOBAL_VARIABLE
+SET thread_pool_oversubscribe=10;
+--error ER_GLOBAL_VARIABLE
+SET SESSION thread_pool_oversubscribe=10;
+--disconnect user1
+--connection default
+DROP USER user1@localhost;
+
+--echo # Test that "SET thread_pool_oversubscribe" is allowed with SUPER
+
+CREATE USER user1@localhost;
+GRANT SUPER ON *.* TO user1@localhost;
+--connect(user1,localhost,user1,,)
+--connection user1
+SET GLOBAL thread_pool_oversubscribe=10;
+--error ER_GLOBAL_VARIABLE
+SET thread_pool_oversubscribe=10;
+--error ER_GLOBAL_VARIABLE
+SET SESSION thread_pool_oversubscribe=10;
+--disconnect user1
+--connection default
+DROP USER user1@localhost;
+
+SET @@global.thread_pool_oversubscribe=@global;

mysql-test/suite/sys_vars/t/thread_pool_stall_limit_grant.test

+# uint global
+--source include/not_embedded.inc
+
+SET @global=@@global.thread_pool_stall_limit;
+
+--echo #
+--echo # MDEV-21961 Bind CONNECTION ADMIN to a number of global system variables
+--echo #
+
+--echo # Test that "SET thread_pool_stall_limit" is not allowed without CONNECTION ADMIN or SUPER
+
+CREATE USER user1@localhost;
+GRANT ALL PRIVILEGES ON *.* TO user1@localhost;
+REVOKE CONNECTION ADMIN, SUPER ON *.* FROM user1@localhost;
+--connect(user1,localhost,user1,,)
+--connection user1
+--error ER_SPECIFIC_ACCESS_DENIED_ERROR
+SET GLOBAL thread_pool_stall_limit=400;
+--error ER_GLOBAL_VARIABLE
+SET thread_pool_stall_limit=400;
+--error ER_GLOBAL_VARIABLE
+SET SESSION thread_pool_stall_limit=400;
+--disconnect user1
+--connection default
+DROP USER user1@localhost;
+
+--echo # Test that "SET thread_pool_stall_limit" is allowed with CONNECTION ADMIN
+
+CREATE USER user1@localhost;
+GRANT CONNECTION ADMIN ON *.* TO user1@localhost;
+--connect(user1,localhost,user1,,)
+--connection user1
+SET GLOBAL thread_pool_stall_limit=400;
+--error ER_GLOBAL_VARIABLE
+SET thread_pool_stall_limit=400;
+--error ER_GLOBAL_VARIABLE
+SET SESSION thread_pool_stall_limit=400;
+--disconnect user1
+--connection default
+DROP USER user1@localhost;
+
+--echo # Test that "SET thread_pool_stall_limit" is allowed with SUPER
+
+CREATE USER user1@localhost;
+GRANT SUPER ON *.* TO user1@localhost;
+--connect(user1,localhost,user1,,)
+--connection user1
+SET GLOBAL thread_pool_stall_limit=400;
+--error ER_GLOBAL_VARIABLE
+SET thread_pool_stall_limit=400;
+--error ER_GLOBAL_VARIABLE
+SET SESSION thread_pool_stall_limit=400;
+--disconnect user1
+--connection default
+DROP USER user1@localhost;
+
+SET @@global.thread_pool_stall_limit=@global;

sql/privilege.h

@@ -345,6 +345,41 @@ constexpr privilege_t PRIV_IGNORE_MAX_PASSWORD_ERRORS= CONNECTION_ADMIN_ACL | SU
 // Was SUPER_ACL prior to 10.5.2
 constexpr privilege_t PRIV_KILL_OTHER_USER_PROCESS= CONNECTION_ADMIN_ACL | SUPER_ACL;
 
+// Was SUPER_ACL prior to 10.5.2
+constexpr privilege_t PRIV_SET_SYSTEM_GLOBAL_VAR_CONNECT_TIMEOUT=
+  CONNECTION_ADMIN_ACL | SUPER_ACL;
+// Was SUPER_ACL prior to 10.5.2
+constexpr privilege_t PRIV_SET_SYSTEM_GLOBAL_VAR_DISCONNECT_ON_EXPIRED_PASSWORD=
+  CONNECTION_ADMIN_ACL | SUPER_ACL;
+// Was SUPER_ACL prior to 10.5.2
+constexpr privilege_t PRIV_SET_SYSTEM_GLOBAL_VAR_EXTRA_MAX_CONNECTIONS=
+  CONNECTION_ADMIN_ACL | SUPER_ACL;
+// Was SUPER_ACL prior to 10.5.2
+constexpr privilege_t PRIV_SET_SYSTEM_GLOBAL_VAR_INIT_CONNECT=
+  CONNECTION_ADMIN_ACL | SUPER_ACL;
+// Was SUPER_ACL prior to 10.5.2
+constexpr privilege_t PRIV_SET_SYSTEM_GLOBAL_VAR_MAX_CONNECTIONS=
+  CONNECTION_ADMIN_ACL | SUPER_ACL;
+// Was SUPER_ACL prior to 10.5.2
+constexpr privilege_t PRIV_SET_SYSTEM_GLOBAL_VAR_MAX_CONNECT_ERRORS=
+  CONNECTION_ADMIN_ACL | SUPER_ACL;
+// Was SUPER_ACL prior to 10.5.2
+constexpr privilege_t PRIV_SET_SYSTEM_GLOBAL_VAR_MAX_PASSWORD_ERRORS=
+  CONNECTION_ADMIN_ACL | SUPER_ACL;
+// Was SUPER_ACL prior to 10.5.2
+constexpr privilege_t PRIV_SET_SYSTEM_GLOBAL_VAR_PROXY_PROTOCOL_NETWORKS=
+  CONNECTION_ADMIN_ACL | SUPER_ACL;
+// Was SUPER_ACL prior to 10.5.2
+constexpr privilege_t PRIV_SET_SYSTEM_GLOBAL_VAR_SECURE_AUTH=
+  CONNECTION_ADMIN_ACL | SUPER_ACL;
+// Was SUPER_ACL prior to 10.5.2
+constexpr privilege_t PRIV_SET_SYSTEM_GLOBAL_VAR_SLOW_LAUNCH_TIME=
+  CONNECTION_ADMIN_ACL | SUPER_ACL;
+
+// Was SUPER_ACL prior to 10.5.2
+constexpr privilege_t PRIV_SET_SYSTEM_GLOBAL_VAR_THREAD_POOL=
+  CONNECTION_ADMIN_ACL | SUPER_ACL;
+
 
 /*
   Binary log related privileges that are checked regardless