Grant MonitorAdmin / PROCESS privilege to user
-
23-02-2021 - |
Question
I need to assign the monitoradmin privilege to a user because this is what an application called "dynatrace" needs to monitor the server (some details in a post on their site).
According to https://mariadb.com/kb/en/grant/ there is a PROCESS
privilege but I can't assign it.
MariaDB [(none)]> CREATE USER dynatrace IDENTIFIED BY 'secret';
Query OK, 0 rows affected (0.007 sec)
MariaDB [(none)]> GRANT MonitorAdmin TO dynatrace;
ERROR 1959 (OP000): Invalid role specification `MonitorAdmin`
Same result with PROCESS
:
MariaDB [(none)]> GRANT PROCESS TO dynatrace;
ERROR 1959 (OP000): Invalid role specification `PROCESS`
Where is my mistake ? Although my knowledge about mariaDB is more than limited I have the password of the root account ;-) and can run the commands as this user.
Solution
For general monitoring, this comes closer to covering all bases, but without being able to "cause damage":
GRANT SELECT, PROCESS, REFERENCES, SHOW DATABASES,
REPLICATION CLIENT, SHOW VIEW
ON *.* TO username@'...';
The ON *.*
is necessary (though clumsy) syntax.
If the data is sensitive, remove SELECT
. It can even be argued that being able to list the database names (SHOW DATABASES
) could be sensitive.
REPLICATION CLIENT
(not SLAVE
) let's you monitor Seconds_behind_master
in a Slave.
OTHER TIPS
From the MariaDB documentation:
To set a global privilege, use *.* for priv_level.
So your command should be
GRANT PROCESS ON *.* TO dynatrace;
One more way:
GRANT PROCESS, SELECT ON *.* TO dynatrace;