
MDEV-39028 DROP PARTITION should only require DROP privilege #4779

Open
FarihaIS wants to merge 1 commit into MariaDB:10.6 from FarihaIS:mdev-39028

@FarihaIS
Contributor

Description

ALTER TABLE ... DROP PARTITION requires both ALTER and DROP privileges, which is inconsistent with TRUNCATE PARTITION that only requires DROP. This prevents fine-grained privilege separation since users who need to drop partitions must also be granted ALTER, allowing them to perform any other DDL changes on the table.

Change DROP PARTITION to require only DROP privilege, consistent with TRUNCATE PARTITION. Users allowed to drop the table should also be allowed to drop partitions without needing ALTER rights.

Release Notes

N/A

How can this PR be tested?

Execute the main.partition_grant test in mysql-test-run. This commit adds a test in partition_grant.test.

Before the fix

A user needs both ALTER and DROP privileges to DROP PARTITION:

main.partition_grant                     [ fail ]
        Test ended at 2026-03-10 19:16:05

CURRENT_TEST: main.partition_grant
mysqltest: At line 49: query 'alter table t1 drop partition p3' failed: ER_TABLEACCESS_DENIED_ERROR (1142): ALTER command denied to user 'mysqltest_1'@'localhost' for table `mysqltest_1`.`t1`

The result from queries just before the failure was:
< snip >
revoke all privileges on *.* from mysqltest_1@localhost;
grant select,alter on mysqltest_1.* to mysqltest_1@localhost;
connect  conn1,localhost,mysqltest_1,,mysqltest_1;
show grants for current_user;
Grants for mysqltest_1@localhost
GRANT USAGE ON *.* TO `mysqltest_1`@`localhost`
GRANT SELECT, ALTER ON `mysqltest_1`.* TO `mysqltest_1`@`localhost`
alter table t1 add b int;
alter table t1 drop partition p2;
ERROR 42000: DROP command denied to user 'mysqltest_1'@'localhost' for table `mysqltest_1`.`t1`
disconnect conn1;
connection default;
grant drop on mysqltest_1.* to mysqltest_1@localhost;
connect  conn2,localhost,mysqltest_1,,mysqltest_1;
alter table t1 drop partition p2;
disconnect conn2;
connection default;
revoke alter on mysqltest_1.* from mysqltest_1@localhost;
connect  conn3,localhost,mysqltest_1,,mysqltest_1;
alter table t1 drop partition p3;

After the fix

A user needs only DROP privilege to DROP PARTITION.

main.partition_grant                     [ pass ]    101

Basing the PR against the correct MariaDB version

  • This is a bug fix, and the PR is based against the branch 10.6.

Copyright

All new code of the whole pull request, including one or several files that are either new files or modified ones, are contributed under the BSD-new license. I am contributing on behalf of my employer Amazon Web Services, Inc.

ALTER TABLE ... DROP PARTITION requires both ALTER and DROP privileges,
which is inconsistent with TRUNCATE PARTITION that only requires DROP.
This prevents fine-grained privilege separation since users who need to
drop partitions must also be granted ALTER, allowing them to perform
any other DDL changes on the table.

Change DROP PARTITION to require only DROP privilege, consistent with
TRUNCATE PARTITION. Users allowed to drop the table should also be
allowed to drop partitions without needing ALTER rights.

All new code of the whole pull request, including one or several files
that are either new files or modified ones, are contributed under the
BSD-new license. I am contributing on behalf of my employer Amazon Web
Services, Inc.
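
Added example (not part of the pull request or of MariaDB's test suite): the privilege separation described above, applied to a retention account, followed by an audit query for accounts that hold both ALTER and DROP. Schema, table and account names are hypothetical, and the commented results assume a server build that includes this change.

```sql
-- Added example; all names below are hypothetical.
-- Assumes a server build that includes the change proposed in this PR.

CREATE DATABASE IF NOT EXISTS metrics_demo;
CREATE TABLE metrics_demo.events (
  id      INT  NOT NULL,
  created DATE NOT NULL
)
PARTITION BY RANGE (YEAR(created)) (
  PARTITION p2023 VALUES LESS THAN (2024),
  PARTITION p2024 VALUES LESS THAN (2025),
  PARTITION pmax  VALUES LESS THAN MAXVALUE
);

-- Retention account: DROP on one table, no ALTER.
CREATE USER 'part_retention'@'localhost' IDENTIFIED BY 'replace-me';
GRANT DROP ON metrics_demo.events TO 'part_retention'@'localhost';

-- Connected as part_retention, with the change applied:
--   ALTER TABLE metrics_demo.events DROP PARTITION p2023;      -- allowed (DROP)
--   ALTER TABLE metrics_demo.events TRUNCATE PARTITION p2024;  -- allowed (DROP)
--   ALTER TABLE metrics_demo.events ADD COLUMN note INT;       -- ER_TABLEACCESS_DENIED_ERROR (1142)
--   DROP TABLE metrics_demo.events;                            -- allowed: DROP covers the whole table

-- Audit: grantees holding both ALTER and DROP at schema or table scope.
-- These are the accounts to review if ALTER was granted only so that
-- they could drop partitions. Global (*.*) grants are not listed here;
-- check information_schema.USER_PRIVILEGES for those.
SELECT GRANTEE, TABLE_SCHEMA, NULL AS TABLE_NAME
FROM information_schema.SCHEMA_PRIVILEGES
WHERE PRIVILEGE_TYPE IN ('ALTER', 'DROP')
GROUP BY GRANTEE, TABLE_SCHEMA
HAVING COUNT(DISTINCT PRIVILEGE_TYPE) = 2
UNION ALL
SELECT GRANTEE, TABLE_SCHEMA, TABLE_NAME
FROM information_schema.TABLE_PRIVILEGES
WHERE PRIVILEGE_TYPE IN ('ALTER', 'DROP')
GROUP BY GRANTEE, TABLE_SCHEMA, TABLE_NAME
HAVING COUNT(DISTINCT PRIVILEGE_TYPE) = 2;
```

The DROP privilege is not scoped to partitions: the same grant also permits dropping the whole table, so it should be granted per table rather than per schema where possible.
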
@CLAassistant

CLAassistant commented Mar 10, 2026

CLA assistant check
All committers have signed the CLA.

@FarihaIS FarihaIS marked this pull request as ready for review March 10, 2026 22:11

DROP TABLE t1;
DROP USER mysqltest_2@localhost;
DROP DATABASE mysqltest_2;
Member

could use a --echo End of 10.6 tests marker, but I'm not sure yet if @midenok wants this to be a 10.6 or 10.11 fix.

Looking good to me, but I'll leave @midenok to do the final review.

@gkodinov gkodinov added the External Contribution label (All PRs from entities outside of MariaDB Foundation, Corporation, Codership agreements.) Mar 11, 2026
Member

@gkodinov gkodinov left a comment

This is a preliminary review. Please sort out the CLA bot: click on the button and choose the right license. I know it's a formality, but it's easier if we have a unified way to check about the license IMHO.

Otherwise, please work with the assigned final reviewer.

5 participants