Skip to content

Cleanup MariaDB Monitor grants documentation #204

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
merged 1 commit into from
Nov 20, 2025
Merged

Cleanup MariaDB Monitor grants documentation #204

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
21 changes: 17 additions & 4 deletions maxscale/mariadb-maxscale-tutorials/configuring-the-mariadb-monitor.md
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,6 +1,7 @@
# Configuring the MariaDB Monitor

This document describes how to configure a MariaDB primary-replica cluster monitor to be used with MaxScale.
This document describes how to configure a MariaDB primary-replica cluster monitor to be used with
MaxScale.

## Configuring the Monitor

Expand All @@ -10,17 +11,29 @@ Define the monitor that monitors the servers.
[Replication-Monitor]
type=monitor
module=mariadbmon
servers=dbserv1, dbserv2, dbserv3
servers=dbserv1,dbserv2,dbserv3
user=monitor_user
password=my_password
monitor_interval=2000ms
```

The mandatory parameters are the object type, the monitor module to use, the list of servers to monitor, and the username and password to use when connecting to the servers. The `monitor_interval` parameter controls how long the monitor waits between each monitoring loop.
The mandatory parameters are the object type, the monitor module to use, the list of servers to
monitor, and the username and password to use when connecting to the servers. The `monitor_interval`
parameter controls how long the monitor waits between each monitor tick.

## Monitor User

For the necessary privileges the monitor user must have, see [this section](../reference/maxscale-monitors/mariadb-monitor.md#required-grants).
The monitor user requires the `REPLICA MONITOR` privilege to do basic monitoring. To create a user
with the proper grants, run:

```sql
CREATE USER 'monitor_user'@'%' IDENTIFIED BY 'my_password';
GRANT REPLICA MONITOR ON *.* TO 'monitor_user'@'%';
```

If the automatic failover feature is used, the monitor user needs additional grants. See
[monitor documentation](../reference/maxscale-monitors/mariadb-monitor.md#required-grants)
for more information.

<sub>_This page is licensed: CC BY-SA / Gnu FDL_</sub>

Expand Down
83 changes: 59 additions & 24 deletions maxscale/reference/maxscale-monitors/mariadb-monitor.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -8,67 +8,102 @@

The monitor user requires the following grant:

{% tabs %}
{% tab title="Current" %}

```sql
CREATE USER 'maxscale'@'maxscalehost' IDENTIFIED BY 'maxscale-password';
GRANT REPLICATION CLIENT ON *.* TO 'maxscale'@'maxscalehost';
CREATE USER 'mariadbmon'@'maxscalehost' IDENTIFIED BY 'mariadbmon-password';
GRANT REPLICA MONITOR ON *.* TO 'mariadbmon'@'maxscalehost';
```
{% endtab %}

`REPLICA MONITOR` is required:

{% tab title="< 10.5" %}
```sql
GRANT REPLICA MONITOR ON *.* TO 'maxscale'@'maxscalehost';
CREATE USER 'mariadbmon'@'maxscalehost' IDENTIFIED BY 'mariadbmon-password';
GRANT REPLICATION CLIENT ON *.* TO 'mariadbmon'@'maxscalehost';
```
{% endtab %}
{% endtabs %}

If the monitor needs to query server disk space (for instance, `disk_space_threshold` is set), the `FILE` grant is required:

If the monitor needs to query server disk space (for instance, `disk_space_threshold` is set), it needs the `FILE`
privilege:
```sql
GRANT FILE ON *.* TO 'maxscale'@'maxscalehost';
GRANT FILE ON *.* TO 'mariadbmon'@'maxscalehost';
```

The `CONNECTION ADMIN` privilege is recommended since it allows the monitor to log in even if server connection limit has been reached.

```sql
GRANT CONNECTION ADMIN ON *.* TO 'maxscale'@'maxscalehost';
GRANT CONNECTION ADMIN ON *.* TO 'mariadbmon'@'maxscalehost';
```

### Cluster Manipulation Grants
[Topology scan](#scan-topology), [discover replicas](#discover-replicas) and [bootstrap](#bootstrap) require
the following privilege:

If [cluster manipulation operations](mariadb-monitor.md#cluster-manipulation-operations) are used, the following additional grants are required:
% tabs %}
{% tab title="Current" %}

```sql
GRANT SUPER, RELOAD, PROCESS, SHOW DATABASES, EVENT ON *.* TO 'maxscale'@'maxscalehost';
GRANT SELECT ON mysql.user TO 'maxscale'@'maxscalehost';
GRANT REPLICATION MASTER ADMIN ON *.* TO 'mariadbmon'@'maxscalehost';
```
{% endtab %}

Read access to _mysql.global\_priv_ is required:

{% tab title="< 10.5" %}
```sql
GRANT SELECT ON mysql.global_priv TO 'maxscale'@'maxscalehost';
GRANT REPLICATION SLAVE ON *.* TO 'mariadbmon'@'maxscalehost';
```
{% endtab %}
{% endtabs %}

### Cluster Manipulation Grants

If [cluster manipulation operations](mariadb-monitor.md#cluster-manipulation-operations) are used, the monitor requires
several additional privileges. These privileges allow the monitor to set the *read-only* flag, modify replication
connections and kill connections from clients that could interfere with an ongoing operation.

{% tabs %}
{% tab title="Current" %}
The `SUPER` privilege no longer contains several of its former subprivileges. These must be given separately.

```sql
GRANT RELOAD, PROCESS, SHOW DATABASES, EVENT, SET USER, READ_ONLY ADMIN ON *.* TO 'maxscale'@'maxscalehost';
GRANT REPLICATION SLAVE ADMIN, BINLOG ADMIN, CONNECTION ADMIN ON *.* TO 'maxscale'@'maxscalehost';
GRANT SELECT ON mysql.user TO 'maxscale'@'maxscalehost';
GRANT SELECT ON mysql.global_priv TO 'maxscale'@'maxscalehost';
GRANT READ_ONLY ADMIN, REPLICATION SLAVE ADMIN ON *.* TO 'mariadbmon'@'maxscalehost';
GRANT BINLOG ADMIN, CONNECTION ADMIN, PROCESS, RELOAD, SET USER ON *.* TO 'mariadbmon'@'maxscalehost';
GRANT SELECT ON mysql.user TO 'mariadbmon'@'maxscalehost';
GRANT SELECT ON mysql.global_priv TO 'mariadbmon'@'maxscalehost';
```
{% endtab %}

{% tab title="< 11.0.1" %}
The `SUPER` privilege suffices.
```sql
GRANT SUPER ON *.* TO 'mariadbmon'@'maxscalehost';
GRANT PROCESS, RELOAD ON *.* TO 'mariadbmon'@'maxscalehost';
GRANT SELECT ON mysql.user TO 'mariadbmon'@'maxscalehost';
GRANT SELECT ON mysql.global_priv TO 'mariadbmon'@'maxscalehost';
```
{% endtab %}
{% endtabs %}

If a separate replication user is defined (with `replication_user` and`replication_password`), it requires the following grant:
If [scheduled event management](#handle_events) is enabled, the monitor requires the `EVENT` privilege. `SHOW DATABASES`
is also recommended to ensure monitor can see events for all databases.
```sql
GRANT EVENT, SHOW DATABASES ON *.* TO 'mariadbmon'@'maxscalehost';
```

If a separate replication user is defined (with `replication_user` and`replication_password`), it requires the following
grant:

{% tabs %}
{% tab title="Current" %}
```sql
CREATE USER 'replication'@'replicationhost' IDENTIFIED BY 'replication-password';
GRANT REPLICATION REPLICA ON *.* TO 'replication'@'replicationhost';
```
{% endtab %}
{% tab title="< 10.5" %}
```sql
CREATE USER 'replication'@'replicationhost' IDENTIFIED BY 'replication-password';
GRANT REPLICATION SLAVE ON *.* TO 'replication'@'replicationhost';
```
{% endtab %}
{% endtabs %}

## Primary selection

Expand Down Expand Up @@ -1188,7 +1223,7 @@
| -------- | ------- | ---------------- | --------------------------------- |
| monitor | monitor | none (mandatory) | Monitor name |
| source | server | none (mandatory) | Which server to copy data from |
| bu\_name | string | none (mandatory) | Backup name |

Check failure on line 1226 in maxscale/reference/maxscale-monitors/mariadb-monitor.md

View workflow job for this annotation

GitHub Actions / codespell-check 

bu ==> by, be, but, bug, bun, bud, buy, bum
| dry\_run | boolean | false | If true, only check preconditions |

The _dry\_run_-argument causes the monitor to only check if preconditions for backup creation are met on the source server and backup storage. It checks that SSH-connections can be established and that required tools are present. The backup storage must also not yet have a backup with the given name. No permanent changes are done.
Expand Down Expand Up @@ -1248,7 +1283,7 @@
| -------- | ------- | ------------------ | --------------------------------- |
| monitor | monitor | none (mandatory) | Monitor name |
| target | server | none (mandatory) | Which server to rebuild |
| bu\_name | string | none (mandatory) | Backup name |

Check failure on line 1286 in maxscale/reference/maxscale-monitors/mariadb-monitor.md

View workflow job for this annotation

GitHub Actions / codespell-check 

bu ==> by, be, but, bug, bun, bud, buy, bum
| datadir | string | empty (autodetect) | Data directory on target server |
| dry\_run | boolean | false | If true, only check preconditions |

Expand All @@ -1263,7 +1298,7 @@
"restore-from-backup completed successfully."
```

call command mariadbmon async-create-backup monitor=MariaDB-Monitor source=server1 dry\_run=true bu\_name=bu1

Check failure on line 1301 in maxscale/reference/maxscale-monitors/mariadb-monitor.md

View workflow job for this annotation

GitHub Actions / codespell-check 

bu ==> by, be, but, bug, bun, bud, buy, bum

### List backups

Expand Down