Page MenuHomePhabricator
Create Task
Maniphest T293197

WBaaS: Grant REPLICA MONITOR to individual wiki dbs
Closed, ResolvedPublic
Actions

Description

In https://github.com/wmde/wbaas-deploy/pull/19 we bumped the sql version from 10.5.12 to 10.3.22

And started seeing:

Access denied; you need (at least one of) the SUPER, SLAVE MONITOR privilege(s)

Per docs the permissions that we need has changed https://mariadb.com/kb/en/show-replica-status/#description

This statement requires the SUPER privilege, the REPLICATION_CLIENT privilege, or, from MariaDB 10.5.2, the REPLICATION SLAVE ADMIN privilege, or, from MariaDB 10.5.9, the REPLICA MONITOR privilege.

We now need to grant REPLICA MONITOR to mediawiki-db-manager and to mediawiki accounts when we are using a newer sql version like this.

The change to the SQL init script will likley be needed first, then the change to the API that creates mediawiki accounts.

Related Objects
Search...

Event Timeline

Addshore created this task.Oct 13 2021, 10:06 AM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptOct 13 2021, 10:06 AM
Addshore triaged this task as High priority.Oct 13 2021, 10:06 AM
Addshore moved this task from Backlog (incoming) to Doing on the Wikibase Cloud board.
Addshore added parent tasks: T292830: [INITIATIVE 1.5] Setup local cluster, T291839: [INITIATIVE 1] Deploy a staging environment to wikibase.dev using the existing components.
Addshore updated the task description. (Show Details)
toan added a comment.Oct 13 2021, 10:28 AM

Also, this should apply

When a database is upgraded from an older major release to MariaDB Server 10.5.9 or later, any user accounts with the REPLICATION CLIENT or REPLICATION SLAVE privileges will automatically be granted the new REPLICA MONITOR privilege. The privilege fix occurs when the server is started up, not when mariadb-upgrade is performed.t

https://mariadb.com/kb/en/grant/#replica-monitor

Addshore added a comment.Oct 13 2021, 11:48 AM
In T293197#7423379, @toan wrote:

Also, this should apply

When a database is upgraded from an older major release to MariaDB Server 10.5.9 or later, any user accounts with the REPLICATION CLIENT or REPLICATION SLAVE privileges will automatically be granted the new REPLICA MONITOR privilege. The privilege fix occurs when the server is started up, not when mariadb-upgrade is performed.t

https://mariadb.com/kb/en/grant/#replica-monitor

Thats very nice to know.
That means for wbstack.com for example all that would need to happen is ensure it runs the new version of API before updating the SQL servers

toan added a comment.Oct 13 2021, 12:08 PM

https://github.com/wmde/wbaas-deploy/pull/30

https://github.com/wbstack/api/pull/214

toan moved this task from Doing to Review on the Wikibase Cloud board.Oct 13 2021, 12:08 PM
Addshore updated the task description. (Show Details)Oct 13 2021, 4:40 PM
toan added a comment.Oct 14 2021, 9:05 AM

https://github.com/wbstack/api/pull/216

Addshore moved this task from Review to Done on the Wikibase Cloud board.Oct 14 2021, 2:33 PM
Addshore closed this task as Resolved.Oct 15 2021, 8:06 AM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits