Page MenuHomePhabricator
Create Task
Maniphest T422806

[wikireplicas] Update grants for "maintainviews" user
Closed, ResolvedPublic
Actions

Description

MariaDB instances in clouddb* hosts have a maintainviews user that is used by the maintain-views script to create and update the database views.

The grants for this user are defined in wiki-replicas.sql but are applied manually.

Some grants are redundant, and some contain a wrong double escape \\_ instead of \_. Some grants are also different in different hosts, for example:

root@clouddb1017:s3[(none)]> SHOW GRANTS FOR 'maintainviews'@localhost;
[...]
| GRANT ALL PRIVILEGES ON `meta\\_p`.* TO `maintainviews`@`localhost` |
root@clouddb1014:s7[(none)]> SHOW GRANTS FOR 'maintainviews'@localhost;
[...]
| GRANT ALL PRIVILEGES ON `meta\_p`.* TO `maintainviews`@`localhost` |

We should remove the redundant grants, fix the wrong escapes and make sure that the same grants are applied consistently to all clouddb* hosts and to an-redacteddb1001.

We should also add a new grant for the maintainviews user so that it has full privileges on %\_maintain databases, which will be required by the new version of the maintain-views script: T351637: [wikireplicas] add proper dry-run/diff mode to maintain-views.

Details

Related Changes in Gerrit:
SubjectRepoBranchLines +/-
mariadb: wiki-replicas: add missing grantsoperations/puppetproduction+1 -0
mariadb: wiki-replicas: add grants for %_maintainoperations/puppetproduction+3 -2
mariadb: wiki-replicas: remove redundant grantsoperations/puppetproduction+7 -5
Customize query in gerrit

Related Objects
Search...

Event Timeline

fnegri created this task.Apr 9 2026, 10:47 AM
Restricted Application removed a project: Patch-For-Review. · View Herald TranscriptApr 9 2026, 10:47 AM
fnegri changed the task status from Open to In Progress.Apr 9 2026, 10:47 AM
fnegri triaged this task as Medium priority.
Marostegui added a comment.Apr 9 2026, 10:58 AM

We can probably start by running a pt-show-grants on each host, compare them and make sure they are all the same. Once done that, we can start fixing redundant stuff and escaping things.
One thing I've always noticed was:
GRANT ALL PRIVILEGES ON '%\_p'.* already covers every _p database, making these three specific ones redundant:

  • heartbeat\_p — subsumed by %\_p
  • meta\_p — subsumed by %\_p
  • centralauth\_p — subsumed by %\_p
  • %wik%\_p — also subsumed by %\_p

But we have to double check everything.

fnegri added a comment.Apr 9 2026, 12:34 PM

I did a cumin run:

fnegri@cumin1003:~$ sudo cumin clouddb* 'for s in $(ls /run/mysqld/mysqld*sock); do pt-show-grants --socket $s --only=maintainviews; done'

This shows that clouddb1013, clouddb1017, clouddb1022 and clouddb1023 have the incorrect "double escape" with \\_ instead of \_. I will fix it manually on those 4 hosts, then check again.

Note: I couldn't check clouddb1019 as it's currently down: T422813: clouddb1019 down.

fnegri added a comment.Apr 9 2026, 12:40 PM

Manual commands I'm running on the affected hosts to fix the double escape:

GRANT ALL PRIVILEGES ON `meta\_p`.* TO `maintainviews`@`localhost`;
GRANT ALL PRIVILEGES ON `heartbeat\_p`.* TO `maintainviews`@`localhost`;
GRANT ALL PRIVILEGES ON `centralauth\_p`.* TO `maintainviews`@`localhost`;
GRANT ALL PRIVILEGES ON `%wik%\_p`.* TO `maintainviews`@`localhost`;
GRANT ALL PRIVILEGES ON `%\_p`.* TO `maintainviews`@`localhost`;

REVOKE ALL PRIVILEGES ON `meta\\_p`.* FROM maintainviews@localhost;
REVOKE ALL PRIVILEGES ON `heartbeat\\_p`.* FROM maintainviews@localhost;
REVOKE ALL PRIVILEGES ON `centralauth\\_p`.* FROM maintainviews@localhost;
REVOKE ALL PRIVILEGES ON `%wik%\\_p`.* FROM maintainviews@localhost;
REVOKE ALL PRIVILEGES ON `%\\_p`.* FROM maintainviews@localhost;
fnegri added a comment.Apr 9 2026, 12:52 PM

Done, and verified that now the grants for maintainviews are in sync across all clouddbs (except clouddb1019 that I could not verify).

I will prepare a patch to remove the redundant grants from wiki-replicas.sql.

Marostegui added a subtask: T422813: clouddb1019 down.Apr 9 2026, 12:53 PM
RhinosF1 subscribed.Apr 9 2026, 2:08 PM
gerritbot added a comment.Apr 13 2026, 2:41 PM

Change #1270464 had a related patch set uploaded (by FNegri; author: FNegri):

[operations/puppet@production] mariadb: wiki-replicas: remove redundant grants

https://gerrit.wikimedia.org/r/1270464

gerritbot added a project: Patch-For-Review.Apr 13 2026, 2:41 PM

Change #1270465 had a related patch set uploaded (by FNegri; author: FNegri):

[operations/puppet@production] mariadb: wiki-replicas: add grants for %_maintain

https://gerrit.wikimedia.org/r/1270465

Marostegui closed subtask T422813: clouddb1019 down as Resolved.Apr 13 2026, 3:27 PM
aputhin moved this task from Backlog to In progress on the tools-platform-team board.Apr 13 2026, 3:51 PM
aputhin moved this task from In progress to In review on the tools-platform-team board.
fnegri added a comment.Apr 14 2026, 11:05 AM

These grants are present on all clouddb hosts but are not listed in wiki-replicas.sql:

GRANT BINLOG ADMIN, BINLOG REPLAY, CONNECTION ADMIN, FEDERATED ADMIN, READ_ONLY ADMIN, REPLICATION SLAVE ADMIN, SET USER, SUPER ON *.* TO `maintainviews`@`localhost` IDENTIFIED BY PASSWORD '***';

I don't think they are required, I am using clouddb1017@s3 to test if they can be removed by recreating the user with:

DROP USER maintainviews@localhost;
CREATE USER maintainviews@localhost IDENTIFIED BY '***';
fnegri added a comment.Apr 14 2026, 11:08 AM

Two of the grants are actually needed to create views. This seems to be enough:

GRANT SET USER, READ_ONLY ADMIN ON *.* TO `maintainviews`@`localhost` IDENTIFIED BY PASSWORD '***';
gerritbot added a comment.Apr 14 2026, 11:16 AM

Change #1270891 had a related patch set uploaded (by FNegri; author: FNegri):

[operations/puppet@production] mariadb: wiki-replicas: add missing grants

https://gerrit.wikimedia.org/r/1270891

fnegri added a comment.EditedApr 14 2026, 11:17 AM

Two of the grants are actually needed to create views.

Added in https://gerrit.wikimedia.org/r/c/operations/puppet/+/1270891

gerritbot added a comment.Apr 17 2026, 3:41 PM

Change #1270464 merged by FNegri:

[operations/puppet@production] mariadb: wiki-replicas: remove redundant grants

https://gerrit.wikimedia.org/r/1270464

gerritbot added a comment.Apr 17 2026, 3:41 PM

Change #1270465 merged by FNegri:

[operations/puppet@production] mariadb: wiki-replicas: add grants for %_maintain

https://gerrit.wikimedia.org/r/1270465

gerritbot added a comment.Apr 17 2026, 3:41 PM

Change #1270891 merged by FNegri:

[operations/puppet@production] mariadb: wiki-replicas: add missing grants

https://gerrit.wikimedia.org/r/1270891

fnegri added a comment.Apr 17 2026, 3:42 PM

I merged the patches but they need to be applied manually. So far I've only applied the new grants to clouddb1017, I will do the other clouddbs next week.

fnegri closed this task as Resolved.Apr 20 2026, 1:27 PM
fnegri moved this task from In review to Done on the tools-platform-team board.

I have applied the new grants manually to all clouddb hosts, using the following commands:

DROP USER maintainviews@localhost;
CREATE USER maintainviews@localhost IDENTIFIED BY '***';
GRANT SET USER, READ_ONLY ADMIN ON *.* TO 'maintainviews'@'localhost';
GRANT SELECT ON `centralauth`.* TO 'maintainviews'@'localhost';
GRANT SELECT ON `heartbeat`.* TO 'maintainviews'@'localhost';
GRANT SELECT, DROP, CREATE VIEW, SHOW VIEW ON `%wik%`.* TO 'maintainviews'@'localhost';
GRANT SELECT (user, host) ON `mysql`.`user` TO 'maintainviews'@'localhost';
GRANT ALL PRIVILEGES ON `%\_p`.* TO 'maintainviews'@'localhost';
GRANT ALL PRIVILEGES ON `%\_maintain`.* TO 'maintainviews'@'localhost';
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits