Page MenuHomePhabricator
Create Task
Maniphest T111929

Puppetize grants for mysql hosts that are the source of recovery (dbstore, passive misc)
Closed, ResolvedPublic
Actions

Description

The dump user should have the new grants GRANT SUPER, REPLICATION CLIENT ON *.* TO dump@localhost;, in addition to FILE, RELOAD globally and

GRANT EVENT, LOCK TABLES, SELECT, SHOW VIEW, TRIGGER ON `%wik%`.* TO 'dump'@'localhost';
GRANT EVENT, LOCK TABLES, SELECT, SHOW VIEW, TRIGGER ON `centralauth`.* TO 'dump'@'localhost';

Otherwise, bacula backups will fail:

(without replication client)

mysqldump: Couldn't execute 'SHOW ALL SLAVES STATUS': Access denied; you need (at least one of) the SUPER, REPLICATION CLIENT privilege(s) for this operation (1227)
mysqldump: Couldn't execute 'SHOW ALL SLAVES STATUS': Access denied; you need (at least one of) the SUPER, REPLICATION CLIENT privilege(s) for this operation (1227)

(without super)

mysqldump: Couldn't execute 'STOP SLAVE 's2' SQL_THREAD': Access denied for user 'dump'@'localhost' (using password: YES) (1045)
mysqldump: Couldn't execute 'START SLAVE 'm3'': Access denied for user 'dump'@'localhost' (using password: YES) (1045)
mysqldump: Error: Unable to start slave 'm3'
mysqldump: Couldn't execute 'START SLAVE 's1'': Access denied for user 'dump'@'localhost' (using password: YES) (1045)
mysqldump: Error: Unable to start slave 's1'
mysqldump: Couldn't execute 'START SLAVE 's5'': Access denied for user 'dump'@'localhost' (using password: YES) (1045)
mysqldump: Error: Unable to start slave 's5'
mysqldump: Couldn't execute 'START SLAVE 's6'': Access denied for user 'dump'@'localhost' (using password: YES) (1045)
mysqldump: Error: Unable to start slave 's6'
mysqldump: Couldn't execute 'START SLAVE 's7'': Access denied for user 'dump'@'localhost' (using password: YES) (1045)
mysqldump: Error: Unable to start slave 's7

I do not like the dump user having SUPER privileges, but it is an upstream bug: START and STOP SLAVE do not have separate privileges, and without binary log coordinates, backups are useless.

Update: bacula no longer does the backups, but the same issue is relevant.

Details

SubjectRepoBranchLines +/-
mariadb-backups: Document logical backups grants throughout production dbsoperations/puppetproduction+346 -0
Customize query in gerrit

Related Objects
Search...

Event Timeline

jcrespo created this task.Sep 9 2015, 9:59 AM
jcrespo claimed this task.
jcrespo raised the priority of this task from to Needs Triage.
jcrespo updated the task description. (Show Details)
jcrespo added projects: acl*sre-team, DBA.
jcrespo added subscribers: jcrespo, akosiaris.
Restricted Application added subscribers: Matanya, Aklapper. · View Herald TranscriptSep 9 2015, 9:59 AM
jcrespo added a comment.Sep 9 2015, 10:00 AM

This would be a super-simple task, if it wasn't because grants puppetization is very lacking, and I have to refactor it completely even for such a simple task.

jcrespo triaged this task as Medium priority.Sep 9 2015, 10:44 AM
jcrespo set Security to None.
jcrespo moved this task from Triage to Backlog on the DBA board.Sep 9 2015, 3:40 PM
jcrespo removed jcrespo as the assignee of this task.Feb 14 2017, 3:51 PM
jcrespo added a parent task: Restricted Task.Feb 20 2017, 4:39 PM
jcrespo added a parent task: T138562: Improve regular production database backups handling.Apr 12 2017, 10:26 AM
jcrespo renamed this task from Puppetize grants for mysql backups on dbstore hosts to Puppetize grants for mysql hosts that are the source of recovery (dbstore, passive misc).Mar 9 2018, 3:26 PM
jcrespo updated the task description. (Show Details)
Phabricator_maintenance moved this task from Backlog to Acknowledged on the SRE board.Jan 26 2019, 8:18 PM
Marostegui moved this task from Backlog to Pending comment on the DBA board.Aug 12 2019, 2:07 PM
LSobanski subscribed.Oct 13 2020, 10:59 AM

@jcrespo could you weigh in on what is the exact work that needs to happen here?

LSobanski moved this task from Pending comment to Refine on the DBA board.Oct 13 2020, 10:59 AM
jcrespo added a comment.Oct 20 2020, 4:05 PM

@LSobanski

I think Manuel and/or I requested to document what grants are needed to setup a backup host. The problems is there is no good way to do so- as grants are currently only maintained/supported to document on a text file for core mediawiki hosts, and there is no way to define/document non-core/non-misc grants.

With the current system a puppet refactoring would be needed. But may be it is not worth it if we are going to work on a better account management solution?

This is one of the many issue regarding the topic we discussed several times about privilege and account management of mysql servers (on roadmap), epic blocker.

jcrespo added a comment.Oct 20 2020, 4:07 PM

In other works this is a subtask of bigger issue T146149, specific to the backup-related hosts.

gerritbot added a comment.Jan 22 2021, 1:14 PM

Change 657801 had a related patch set uploaded (by Jcrespo; owner: Jcrespo):
[operations/puppet@production] mariadb-backups: Document logical backups grants throughout production dbs

https://gerrit.wikimedia.org/r/657801

gerritbot added a project: Patch-For-Review.Jan 22 2021, 1:14 PM
gerritbot added a comment.Mar 2 2021, 2:25 PM

Change 657801 merged by Jcrespo:
[operations/puppet@production] mariadb-backups: Document logical backups grants throughout production dbs

https://gerrit.wikimedia.org/r/657801

Maintenance_bot removed a project: Patch-For-Review.Mar 2 2021, 3:11 PM
jcrespo closed this task as Resolved.Mar 2 2021, 3:19 PM
jcrespo claimed this task.

This is technically done with the merging of the previous patch. This is not a great solution, but it is "a" solution, at least until we have a better one for grants in general. Resolving.

Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL