docs: clarify column-level SELECT grants unsupported for MySQL/MariaDB CDC #3085

Merged: jwhartley merged 3 commits into master from docs/mysql-mariadb-column-grants on Jul 3, 2026

@jwhartley

Contributor

What

Adds a Column-level permissions section to the MySQL and MariaDB CDC capture connector docs, and a one-line pointer to it from the Setup steps.

Why

A customer tried to limit what leaves their database by granting column-scoped SELECT (GRANT SELECT (col1, col2) ...) to the capture user. This does not work and actively breaks the capture, but the docs only said SELECT could be restricted "to just the tables," which implies column scoping is fine.

Confirmed in estuary/connectors source-mysql:

  • Backfill builds SELECT * (backfill.go keylessScanQuery / buildScanQuery), and the per-table prerequisite check runs SELECT * ... LIMIT 0 (prerequisites.go). A column-scoped grant fails both with cannot read from table.
  • CDC reads the binary log, authorized by the global REPLICATION CLIENT / REPLICATION SLAVE privileges, and decodes every column in the row image (replication.go). Column grants have no effect on the replication stream.

The new section explains both failure modes and points users to redaction to keep specific columns out of the pipeline.

Scope

Covers the two canonical pages (MySQL.md, MariaDB.md). The RDS/Aurora/Cloud SQL variant pages were left for a follow-up; happy to extend if preferred.
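
The failure mode in the description above can be caught before the connector runs by reading the capture user's `SHOW GRANTS` output. This is an added example, not code from this pull request or from estuary/connectors; the function name `audit_capture_grants` and the sample rows are constructed, and it assumes rows in the `GRANT ... ON ... TO ...` form that MySQL and MariaDB print.

```python
import re

# Shape of one SHOW GRANTS row: GRANT <privs> ON <object> TO <account>
_GRANT = re.compile(r"^GRANT\s+(.+?)\s+ON\s+(\S+)\s+TO\s+", re.IGNORECASE)
# One privilege item, optionally with a column list: SELECT (`id`, `email`)
_PRIV = re.compile(r"\s*([A-Za-z][A-Za-z_ ]*?)\s*(?:\(([^)]*)\))?\s*(?:,|$)")
# Global privileges the page names for reading the binary log.
REQUIRED_GLOBAL = ("REPLICATION CLIENT", "REPLICATION SLAVE")
# MariaDB 10.5+ reports REPLICATION CLIENT under its newer name.
ALIASES = {"BINLOG MONITOR": "REPLICATION CLIENT"}


def audit_capture_grants(show_grants_rows):
    """Return (column_scoped, missing_global) for one account's grants.

    column_scoped: [(object, [columns])] where SELECT is column-level, which
        fails the connector's SELECT * backfill and prerequisite check.
    missing_global: required replication privileges not granted ON *.*.
    """
    column_scoped, global_privs = [], set()
    for row in show_grants_rows:
        m = _GRANT.match(row.strip())
        if not m:
            continue
        obj = m.group(2).replace("`", "")
        for name, cols in _PRIV.findall(m.group(1)):
            name = " ".join(name.upper().split())
            if name == "SELECT" and cols.strip():
                column_scoped.append(
                    (obj, [c.strip(" `") for c in cols.split(",")]))
            if obj == "*.*":
                global_privs.add(ALIASES.get(name, name))
    if "ALL PRIVILEGES" in global_privs:
        return column_scoped, []
    return column_scoped, [p for p in REQUIRED_GLOBAL if p not in global_privs]


# Constructed sample rows (not taken from any real server).
SAMPLE = [
    "GRANT REPLICATION SLAVE, REPLICATION CLIENT ON *.* TO `flow_capture`@`%`",
    "GRANT SELECT ON `shop`.`orders` TO `flow_capture`@`%`",
    "GRANT SELECT (`id`, `email`) ON `shop`.`customers` TO `flow_capture`@`%`",
]

if __name__ == "__main__":
    scoped, missing = audit_capture_grants(SAMPLE)
    for obj, cols in scoped:
        print(f"column-level SELECT on {obj} {cols}: regrant at table level")
    print("missing global privileges:", missing or "none")
```

A non-empty first result means the `SELECT *` backfill will fail on that table, and the columns left out of the grant still appear in the binary log row images, so the grant provides no data minimisation for CDC.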

…B CDC

Column-scoped grants (GRANT SELECT (col1,col2)) break the capture: backfill and the per-table prerequisite check both run SELECT *, and CDC reads the binary log (global REPLICATION privilege) which carries every column regardless of grants. Point users to table-level SELECT + redaction to keep specific columns out of the pipeline.
@jwhartley jwhartley requested a review from aeluce June 29, 2026 11:37

@aeluce aeluce left a comment

Collaborator

This may go into more depth than is needed. Having a special section makes it seem like table-level SELECT is an outlier that needs to be noted for these particular connectors. It may be sufficient to simply reword the existing info about SELECT permissions.

Ex.

1. Create the `flow_capture` user with permissions for replication and 
reading required tables.

Grant `SELECT` on all tables or restrict it to tables to be captured. 
Note that `SELECT` permissions must be at the table level rather 
than the column level. Automatic discovery will also require 
`information_schema` access.

Approving as-is, though, in case you've found this to be a recurring point of confusion for users.

Replace the standalone 'Column-level permissions unsupported' section with a reworded permissions sentence in the setup steps: SELECT must be table-level not column-level, plus a one-line pointer to redaction for keeping columns out.
@jwhartley

Contributor Author

Good call, incorporated. Dropped the standalone section and reworded the permissions line in each setup step: SELECT at the table level not column level, with a one-line pointer to redaction for keeping specific columns out. It has come up with a customer, so I kept that redaction breadcrumb, but agreed the dedicated section over-weighted it.

@jwhartley jwhartley merged commit 2bbe512 into master Jul 3, 2026
8 checks passed
@jwhartley jwhartley deleted the docs/mysql-mariadb-column-grants branch July 3, 2026 05:11