docs: clarify column-level SELECT grants unsupported for MySQL/MariaDB CDC #3085
…B CDC Column-scoped grants (GRANT SELECT (col1,col2)) break the capture: backfill and the per-table prerequisite check both run SELECT *, and CDC reads the binary log (global REPLICATION privilege) which carries every column regardless of grants. Point users to table-level SELECT + redaction to keep specific columns out of the pipeline.
…sions unsupported'
🚀 Preview deployed to https://docs.estuary.dev/pr-preview/pr-3085/ 📄 Changed pages:
aeluce left a comment
This may go into more depth than is needed. Having a special section makes it seem like table-level SELECT is an outlier that needs to be noted for these particular connectors. It may be sufficient to simply reword the existing info about SELECT permissions.
Ex.
1. Create the `flow_capture` user with permissions for replication and
reading required tables.
Grant `SELECT` on all tables or restrict it to tables to be captured.
Note that `SELECT` permissions must be at the table level rather
than the column level. Automatic discovery will also require
`information_schema` access.
Approving as-is, though, in case you've found this to be a recurring point of confusion for users.
Replace the standalone 'Column-level permissions unsupported' section with a reworded permissions sentence in the setup steps: SELECT must be table-level not column-level, plus a one-line pointer to redaction for keeping columns out.
Good call, incorporated. Dropped the standalone section and reworded the permissions line in each setup step:
What

Adds a `Column-level permissions` section to the MySQL and MariaDB CDC capture connector docs, and a one-line pointer to it from the Setup steps.

Why

A customer tried to limit what leaves their database by granting column-scoped `SELECT` (`GRANT SELECT (col1, col2) ...`) to the capture user. This does not work and actively breaks the capture, but the docs only said `SELECT` could be restricted "to just the tables," which implies column scoping is fine.

Confirmed in `estuary/connectors` `source-mysql`:

- `SELECT *` (`backfill.go` `keylessScanQuery`/`buildScanQuery`), and the per-table prerequisite check runs `SELECT * ... LIMIT 0` (`prerequisites.go`). A column-scoped grant fails both with `cannot read from table`.
- `REPLICATION CLIENT`/`REPLICATION SLAVE` privileges, and decodes every column in the row image (`replication.go`). Column grants have no effect on the replication stream.

The new section explains both failure modes and points users to redaction to keep specific columns out of the pipeline.

Scope

Covers the two canonical pages (`MySQL.md`, `MariaDB.md`). The RDS/Aurora/Cloud SQL variant pages were left for a follow-up; happy to extend if preferred.
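
The check below is an added example, not code from this PR or from `source-mysql`: it scans `SHOW GRANTS` output for the capture user and reports tables where `SELECT` is granted only on named columns, the case the description says fails the `SELECT *` backfill and prerequisite queries. `ColumnOnlySelects` and the sample grants are hypothetical and constructed, and the parser assumes one `GRANT` statement per line as MySQL prints them.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

var grantRe = regexp.MustCompile(`(?i)^GRANT\s+(.+?)\s+ON\s+(.+?)\s+TO\s`)
var colPrivRe = regexp.MustCompile(`(?i)[A-Z ]+\([^)]*\)`) // a privilege with a column list
var colSelRe = regexp.MustCompile(`(?i)\bSELECT\s*\(([^)]*)\)`)
// Constructed SHOW GRANTS output for a capture user (sample data, not from the PR).
var sampleGrants = []string{
	"GRANT REPLICATION CLIENT, REPLICATION SLAVE ON *.* TO `flow_capture`@`%`",
	"GRANT SELECT (`id`, `email`) ON `shop`.`customers` TO `flow_capture`@`%`",
	"GRANT SELECT ON `crm`.* TO `flow_capture`@`%`",
	"GRANT SELECT (`sku`) ON `crm`.`items` TO `flow_capture`@`%`",
}

// ColumnOnlySelects (hypothetical helper): table -> columns of a column-scoped
// SELECT that no table, schema or global SELECT also covers.
func ColumnOnlySelects(grants []string) map[string][]string {
	full, cols := map[string]bool{}, map[string][]string{}
	unquote := strings.NewReplacer("`", "", " ", "")
	for _, g := range grants {
		m := grantRe.FindStringSubmatch(strings.TrimSpace(g))
		if m == nil {
			continue
		}
		privs, obj := m[1], unquote.Replace(m[2])
		for _, p := range strings.Split(colPrivRe.ReplaceAllString(privs, ""), ",") {
			if p = strings.ToUpper(strings.TrimSpace(p)); p == "SELECT" || p == "ALL PRIVILEGES" {
				full[obj] = true // whole-object SELECT, so SELECT * is allowed here
			}
		}
		for _, c := range colSelRe.FindAllStringSubmatch(privs, -1) {
			cols[obj] = append(cols[obj], strings.Split(unquote.Replace(c[1]), ",")...)
		}
	}
	for obj := range cols {
		if db := strings.SplitN(obj, ".", 2)[0]; full[obj] || full[db+".*"] || full["*.*"] {
			delete(cols, obj)
		}
	}
	return cols
}

func main() {
	fmt.Println(ColumnOnlySelects(sampleGrants)) // map[shop.customers:[id email]]
}
```

A non-empty result means the listed tables need a table-level `SELECT` before the capture can read them; the `REPLICATION` grants in the sample do not change that outcome.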