In T166310: Grant root access for Bryan Davis on labstore* and admin for maintain scripts for labsdb*, the original ask was for me to get full sudo rights on labsdb*. After discussion on that task about the implications of labsdb root, the request was modified to create a wmcs-admin user group and grant that group limited sudo access to run some maintenance scripts on labsdb hosts.
As time goes on, I am finding that not having a mysql user login capable of at least seeing the raw tables on the labsdb servers greatly limits the Data-Services tasks I can work on. The only way that I can interact with the databases on these hosts is via normal Toolforge replica.my.cnf credentials. This makes working on tickets like T173891: Create core ip_changes view for replicas difficult and working on others like T177223: Determine schema differences between labsdb1001 and labsdb1009 functionally impossible. Even more frustrating is that I, and likely anyone else who will end up in the wmcs-admin group, have access to the full data in most of these databases via /usr/local/bin/sql $wikidb from tin/terbium/etc.
Can we add some shared role or per-user account(s) on the labsdb mysql instances that will at least allow read-only queries of the raw tables? I'd like to be able to see:
- raw table structure
- raw table data
- indexes
- views
- grants for other users
Even without being able to directly change any of these things, having the ability to see the actual state of the systems will make it much easier for me to triage and fix a larger class of bugs.