MDEV-38601 require FEDERATED ADMIN for SHOW CREATE SERVER

mysql-test/main/grant_server.result

@@ -69,3 +69,33 @@ DROP USER user1@localhost;
 #
 # End of 10.5 tests
 #
+#
+# Start of 11.8 tests
+#
+#
+# MDEV-38601 SHOW CREATE SERVER does not require FEDERATED ADMIN
+#
+CREATE SERVER srv FOREIGN DATA WRAPPER mysql
+OPTIONS (USER 'remote_user', HOST 'localhost', PASSWORD 'secret', DATABASE 'test2');
+CREATE USER user1@localhost IDENTIFIED BY '';
+GRANT ALL PRIVILEGES ON *.* TO user1@localhost;
+REVOKE FEDERATED ADMIN, SUPER ON *.* FROM user1@localhost;
+connect  con1,localhost,user1,,;
+connection con1;
+SHOW CREATE SERVER srv;
+ERROR 42000: Access denied; you need (at least one of) the FEDERATED ADMIN privilege(s) for this operation
+disconnect con1;
+connection default;
+GRANT FEDERATED ADMIN ON *.* TO user1@localhost;
+connect  con1,localhost,user1,,;
+connection con1;
+SHOW CREATE SERVER srv;
+Server	Create Server
+srv	CREATE SERVER `srv` FOREIGN DATA WRAPPER mysql OPTIONS (USER 'remote_user', HOST 'localhost', PASSWORD 'secret', DATABASE 'test2');
+disconnect con1;
+connection default;
+DROP SERVER srv;
+DROP USER user1@localhost;
+#
+# End of 11.8 tests
+#

mysql-test/main/grant_server.test

@@ -80,3 +80,40 @@ DROP USER user1@localhost;
 --echo #
 --echo # End of 10.5 tests
 --echo #
+
+--echo #
+--echo # Start of 11.8 tests
+--echo #
+
+--echo #
+--echo # MDEV-38601 SHOW CREATE SERVER does not require FEDERATED ADMIN
+--echo #
+
+CREATE SERVER srv FOREIGN DATA WRAPPER mysql
+  OPTIONS (USER 'remote_user', HOST 'localhost', PASSWORD 'secret', DATABASE 'test2');
+
+CREATE USER user1@localhost IDENTIFIED BY '';
+GRANT ALL PRIVILEGES ON *.* TO user1@localhost;
+REVOKE FEDERATED ADMIN, SUPER ON *.* FROM user1@localhost;
+
+connect (con1,localhost,user1,,);
+connection con1;
+--error ER_SPECIFIC_ACCESS_DENIED_ERROR
+SHOW CREATE SERVER srv;
+disconnect con1;
+
+connection default;
+GRANT FEDERATED ADMIN ON *.* TO user1@localhost;
+
+connect (con1,localhost,user1,,);
+connection con1;
+SHOW CREATE SERVER srv;
+disconnect con1;
+
+connection default;
+DROP SERVER srv;
+DROP USER user1@localhost;
+
+--echo #
+--echo # End of 11.8 tests
+--echo #

sql/sql_parse.cc

@@ -5174,6 +5174,8 @@ mysql_execute_command(THD *thd, bool is_called_from_prepared_stmt)
     res= show_create_db(thd, lex);
     break;
   case SQLCOM_SHOW_CREATE_SERVER:
+    if (check_global_access(thd, PRIV_STMT_CREATE_SERVER))
+      break;
     WSREP_SYNC_WAIT(thd, WSREP_SYNC_WAIT_BEFORE_SHOW);
     res= mysql_show_create_server(thd, &lex->name);
     break;