Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Reduce privileges for backup- and SST-user #445

Merged
merged 4 commits into from
Dec 14, 2023
Merged

Reduce privileges for backup- and SST-user #445

merged 4 commits into from
Dec 14, 2023

Conversation

tvdijen
Copy link
Contributor

@tvdijen tvdijen commented Dec 11, 2023

@thijskh thijskh requested a review from quartje December 12, 2023 04:35
@tvdijen
Copy link
Contributor Author

tvdijen commented Dec 12, 2023

I just read that REPLICATION CLIENT has become a deprecated alias for BINLOG MONITOR in MariaDB 10.6, so depending on the version in use you may want to use the latter.

@tvdijen
s/REPLICATION CLIENT/BINLOG MONITOR
d85a74e 
https://mariadb.com/kb/en/mariabackup-overview/
https://mariadb.com/docs/server/ref/mdb/privileges/BINLOG_MONITOR/

Legacy privilege REPLICATION CLIENT can be used as an alias for BINLOG MONITOR in ES10.5 but the capabilities are different. BINLOG MONITOR does not grant SHOW SLAVE STATUS, or SHOW REPLICA STATUS these are granted with REPLICA MONITOR.
@tvdijen
Drop excess ON
96b2e55
@tvdijen
Copy link
Contributor Author

tvdijen commented Dec 12, 2023

According to the documentation the backup-user should have the same privileges.
I've verified this and backup remains in working condition. Could it be that the current privileges for the backup-user are there from the times we used Percona Xtrabackup instead of mariabackup?

@tvdijen
Copy link
Contributor Author

tvdijen commented Dec 12, 2023

May want to await https://jira.mariadb.org/browse/MDEV-33006 before merging, although everything seems to run smooth. I now have both the repl-user and the backup-user running with just the RELOAD, PROCESS, LOCK TABLES, BINLOG MONITOR privileges. Only thing I noticed is that mariabackup is complaining about a missing CONNECTION ADMIN privilege, which is why I opened the issue in their tracker.

@tvdijen tvdijen changed the title Reduce privileges for SST-user Reduce privileges for backup- and SST-user Dec 13, 2023
quartje
quartje approved these changes Dec 14, 2023
View reviewed changes
Copy link
Contributor

@quartje quartje left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks Tim! I see that the documentation of MariaDB has been updated because of your ticket.

@quartje quartje merged commit 67eb7e4 into master Dec 14, 2023
5 checks passed
@quartje quartje deleted the patch/reduce-sst-privileges branch December 14, 2023 07:42
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@quartje quartje quartje approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@tvdijen @quartje