From 34eb72c68c3f0ac9e1a8d0020533425c407a8184 Mon Sep 17 00:00:00 2001 From: Esa Korhonen Date: Thu, 20 Nov 2025 14:46:43 +0200 Subject: [PATCH] Cleanup MariaDB Monitor grants documentation --- .../configuring-the-mariadb-monitor.md | 21 ++++- .../maxscale-monitors/mariadb-monitor.md | 83 +++++++++++++------ 2 files changed, 76 insertions(+), 28 deletions(-) diff --git a/maxscale/mariadb-maxscale-tutorials/configuring-the-mariadb-monitor.md b/maxscale/mariadb-maxscale-tutorials/configuring-the-mariadb-monitor.md index d54494fa6..eead440a0 100644 --- a/maxscale/mariadb-maxscale-tutorials/configuring-the-mariadb-monitor.md +++ b/maxscale/mariadb-maxscale-tutorials/configuring-the-mariadb-monitor.md @@ -1,6 +1,7 @@ # Configuring the MariaDB Monitor -This document describes how to configure a MariaDB primary-replica cluster monitor to be used with MaxScale. +This document describes how to configure a MariaDB primary-replica cluster monitor to be used with +MaxScale. ## Configuring the Monitor 
@@ -10,17 +11,29 @@ Define the monitor that monitors the servers. [Replication-Monitor] type=monitor module=mariadbmon -servers=dbserv1, dbserv2, dbserv3 +servers=dbserv1,dbserv2,dbserv3 user=monitor_user password=my_password monitor_interval=2000ms ``` -The mandatory parameters are the object type, the monitor module to use, the list of servers to monitor, and the username and password to use when connecting to the servers. The `monitor_interval` parameter controls how long the monitor waits between each monitoring loop. +The mandatory parameters are the object type, the monitor module to use, the list of servers to +monitor, and the username and password to use when connecting to the servers. The `monitor_interval` +parameter controls how long the monitor waits between each monitor tick. ## Monitor User -For the necessary privileges the monitor user must have, see [this section](../reference/maxscale-monitors/mariadb-monitor.md#required-grants). +The monitor user requires the `REPLICA MONITOR` privilege to do basic monitoring. To create a user +with the proper grants, run: + +```sql +CREATE USER 'monitor_user'@'%' IDENTIFIED BY 'my_password'; +GRANT REPLICA MONITOR ON *.* TO 'monitor_user'@'%'; +``` + +If the automatic failover feature is used, the monitor user needs additional grants. See +[monitor documentation](../reference/maxscale-monitors/mariadb-monitor.md#required-grants) +for more information. _This page is licensed: CC BY-SA / Gnu FDL_ diff --git a/maxscale/reference/maxscale-monitors/mariadb-monitor.md b/maxscale/reference/maxscale-monitors/mariadb-monitor.md index 07b4674f3..18a4dcdf8 100644 --- a/maxscale/reference/maxscale-monitors/mariadb-monitor.md +++ b/maxscale/reference/maxscale-monitors/mariadb-monitor.md 
@@ -8,67 +8,102 @@ MariaDB Monitor monitors a Primary-Replica replication cluster. It probes the st The monitor user requires the following grant: +{% tabs %} +{% tab title="Current" %} + ```sql -CREATE USER 'maxscale'@'maxscalehost' IDENTIFIED BY 'maxscale-password'; -GRANT REPLICATION CLIENT ON *.* TO 'maxscale'@'maxscalehost'; +CREATE USER 'mariadbmon'@'maxscalehost' IDENTIFIED BY 'mariadbmon-password'; +GRANT REPLICA MONITOR ON *.* TO 'mariadbmon'@'maxscalehost'; ``` +{% endtab %} -`REPLICA MONITOR` is required: - +{% tab title="< 10.5" %} ```sql -GRANT REPLICA MONITOR ON *.* TO 'maxscale'@'maxscalehost'; +CREATE USER 'mariadbmon'@'maxscalehost' IDENTIFIED BY 'mariadbmon-password'; +GRANT REPLICATION CLIENT ON *.* TO 'mariadbmon'@'maxscalehost'; ``` +{% endtab %} +{% endtabs %} -If the monitor needs to query server disk space (for instance, `disk_space_threshold` is set), the `FILE` grant is required: - +If the monitor needs to query server disk space (for instance, `disk_space_threshold` is set), it needs the `FILE` +privilege: ```sql -GRANT FILE ON *.* TO 'maxscale'@'maxscalehost'; +GRANT FILE ON *.* TO 'mariadbmon'@'maxscalehost'; ``` The `CONNECTION ADMIN` privilege is recommended since it allows the monitor to log in even if server connection limit has been reached. 
- ```sql -GRANT CONNECTION ADMIN ON *.* TO 'maxscale'@'maxscalehost'; +GRANT CONNECTION ADMIN ON *.* TO 'mariadbmon'@'maxscalehost'; ``` -### Cluster Manipulation Grants +[Topology scan](#scan-topology), [discover replicas](#discover-replicas) and [bootstrap](#bootstrap) require +the following privilege: -If [cluster manipulation operations](mariadb-monitor.md#cluster-manipulation-operations) are used, the following additional grants are required: +% tabs %} +{% tab title="Current" %} ```sql -GRANT SUPER, RELOAD, PROCESS, SHOW DATABASES, EVENT ON *.* TO 'maxscale'@'maxscalehost'; -GRANT SELECT ON mysql.user TO 'maxscale'@'maxscalehost'; +GRANT REPLICATION MASTER ADMIN ON *.* TO 'mariadbmon'@'maxscalehost'; ``` +{% endtab %} -Read access to _mysql.global\_priv_ is required: - +{% tab title="< 10.5" %} ```sql -GRANT SELECT ON mysql.global_priv TO 'maxscale'@'maxscalehost'; +GRANT REPLICATION SLAVE ON *.* TO 'mariadbmon'@'maxscalehost'; ``` +{% endtab %} +{% endtabs %} + +### Cluster Manipulation Grants + +If [cluster manipulation operations](mariadb-monitor.md#cluster-manipulation-operations) are used, the monitor requires +several additional privileges. These privileges allow the monitor to set the *read-only* flag, modify replication +connections and kill connections from clients that could interfere with an ongoing operation. {% tabs %} {% tab title="Current" %} -The `SUPER` privilege no longer contains several of its former subprivileges. These must be given separately. 
```sql -GRANT RELOAD, PROCESS, SHOW DATABASES, EVENT, SET USER, READ_ONLY ADMIN ON *.* TO 'maxscale'@'maxscalehost'; -GRANT REPLICATION SLAVE ADMIN, BINLOG ADMIN, CONNECTION ADMIN ON *.* TO 'maxscale'@'maxscalehost'; -GRANT SELECT ON mysql.user TO 'maxscale'@'maxscalehost'; -GRANT SELECT ON mysql.global_priv TO 'maxscale'@'maxscalehost'; +GRANT READ_ONLY ADMIN, REPLICATION SLAVE ADMIN ON *.* TO 'mariadbmon'@'maxscalehost'; +GRANT BINLOG ADMIN, CONNECTION ADMIN, PROCESS, RELOAD, SET USER ON *.* TO 'mariadbmon'@'maxscalehost'; +GRANT SELECT ON mysql.user TO 'mariadbmon'@'maxscalehost'; +GRANT SELECT ON mysql.global_priv TO 'mariadbmon'@'maxscalehost'; ``` {% endtab %} {% tab title="< 11.0.1" %} -The `SUPER` privilege suffices. +```sql +GRANT SUPER ON *.* TO 'mariadbmon'@'maxscalehost'; +GRANT PROCESS, RELOAD ON *.* TO 'mariadbmon'@'maxscalehost'; +GRANT SELECT ON mysql.user TO 'mariadbmon'@'maxscalehost'; +GRANT SELECT ON mysql.global_priv TO 'mariadbmon'@'maxscalehost'; +``` {% endtab %} {% endtabs %} -If a separate replication user is defined (with `replication_user` and`replication_password`), it requires the following grant: +If [scheduled event management](#handle_events) is enabled, the monitor requires the `EVENT` privilege. `SHOW DATABASES` +is also recommended to ensure monitor can see events for all databases. 
+```sql +GRANT EVENT, SHOW DATABASES ON *.* TO 'mariadbmon'@'maxscalehost'; +``` +If a separate replication user is defined (with `replication_user` and`replication_password`), it requires the following +grant: + +{% tabs %} +{% tab title="Current" %} +```sql +CREATE USER 'replication'@'replicationhost' IDENTIFIED BY 'replication-password'; +GRANT REPLICATION REPLICA ON *.* TO 'replication'@'replicationhost'; +``` +{% endtab %} +{% tab title="< 10.5" %} ```sql CREATE USER 'replication'@'replicationhost' IDENTIFIED BY 'replication-password'; GRANT REPLICATION SLAVE ON *.* TO 'replication'@'replicationhost'; ``` +{% endtab %} +{% endtabs %} ## Primary selection
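Review bot: In the "Monitor User" section added to configuring-the-mariadb-monitor.md, the example account is created as `'monitor_user'@'%'`, which accepts logins from any host, while the reference page changed in this same patch scopes every account to `'maxscalehost'`. Suggest using the MaxScale host in the tutorial too, for example `CREATE USER 'monitor_user'@'maxscalehost' IDENTIFIED BY 'my_password';`, so a copied snippet yields a host-restricted account. The section also presents `REPLICA MONITOR` without the version note that the reference page carries in its "< 10.5" tab (`REPLICATION CLIENT`); a short pointer to that tab would keep the two pages consistent.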
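Review bot: In mariadb-monitor.md, the tabs block added before the `REPLICATION MASTER ADMIN` grant opens with `% tabs %}` instead of `{% tabs %}`, so the "Current" / "< 10.5" tabs for topology scan, discover replicas and bootstrap will not render as tabs; add the missing `{`. In the same hunk, the re-wrapped replication-user sentence still reads `replication_user` and`replication_password` with no space after "and", and "to ensure monitor can see events" is missing "the". The patch also drops the sentence explaining that `SUPER` no longer contains several of its former subprivileges, which was the only text saying why the cluster manipulation grants split at "< 11.0.1" while the other tab sets split at "< 10.5"; consider keeping a one-line version of it above or inside the "Current" tab.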