Question

Using the default admin user I created on a new RDS instance with MariaDB engine 10.5 I cannot use the GRANT ALL anymore and instead get "access denied". This works fine on the 10.2 instance I am upgrading from.

mysql> grant all on `database_name`.* to `database_user`@`%`;
ERROR 1044 (42000): Access denied for user 'master'@'%' to database 'database_name'

The privileges for the default RDS master user are:

10.5 vs 10.3 privileges

I see a report here asking the same question https://forums.aws.amazon.com/thread.jspa?messageID=950604 (Unable to grant table level privileges - Error 1044).

No correct solution

OTHER TIPS

It appears that in 10.3 there was a new privilege introduced, DELETE HISTORY, which means ALL will not work anymore if the user doesn't have it.

It still works. However, in 10.3 there is a new privilege DELETE HISTORY which your sys_dbcreator is missing, so it doesn't have ALL on the database level anymore, and thus cannot grant it.

The only way to do this is to manually specify all the privileges now. I hope I am wrong but this appears to be the case. I suspect this may be a bug in the RDS provisioning and they should add this privilege to the new admin user that is created.

Update: Just chatted with AWS support and they are aware of the issue and agree that the DELETE HISTORY privilege should get GRANT ALL working again. I also asked them to update their provisioning scripts to get this added. They recommended using 10.2 in the meantime.

sources:

  1. https://jira.mariadb.org/browse/MDEV-18884 (GRANT ALL returns Access denied for user with GRANT OPTION)
  2. https://mariadb.com/kb/en/grant/#table-privileges
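
The workaround described above (spelling out the privileges instead of using ALL), as an added example that is not part of the original posts. It assumes the RDS master user holds every listed privilege WITH GRANT OPTION, which the first query lets you confirm; `database_name` and `database_user` are the placeholders from the question.

```sql
-- Added example, not from the original thread.

-- 1. List the global privileges of the account you are logged in as and
--    whether each one can be passed on. DELETE HISTORY is expected to be
--    missing on the affected RDS master user, which is why ALL is refused.
SELECT PRIVILEGE_TYPE, IS_GRANTABLE
FROM information_schema.USER_PRIVILEGES
WHERE GRANTEE = CONCAT(QUOTE(SUBSTRING_INDEX(CURRENT_USER(), '@', 1)),
                       '@',
                       QUOTE(SUBSTRING_INDEX(CURRENT_USER(), '@', -1)))
ORDER BY PRIVILEGE_TYPE;

-- 2. Grant the database-level privileges explicitly. This is the set that
--    ALL covered at database level before DELETE HISTORY was added; the new
--    privilege is deliberately left out because the grantor does not hold it.
--    Assumption: every privilege below showed IS_GRANTABLE = 'YES' in step 1.
--    Drop any the application does not need rather than granting the full list.
GRANT SELECT, INSERT, UPDATE, DELETE,
      CREATE, DROP, ALTER, INDEX, REFERENCES,
      CREATE TEMPORARY TABLES, LOCK TABLES,
      CREATE VIEW, SHOW VIEW,
      CREATE ROUTINE, ALTER ROUTINE, EXECUTE,
      EVENT, TRIGGER
ON `database_name`.* TO `database_user`@`%`;

-- 3. Confirm what the account actually received.
SHOW GRANTS FOR `database_user`@`%`;
```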
Licensed under: CC-BY-SA with attribution
Not affiliated with dba.stackexchange