search

cloudfoundry / pxc-release

BOSH release of Percona Xtradb Cluster
Apache License 2.0
30 stars 22 forks source link

least privilege backup user (xtrabackup, Shield plugin) #6

Closed GETandSELECT closed 4 years ago

GETandSELECT commented 5 years ago

Hi

I don't like to use the root user for backup, it's not good security practise. There is the roadmin user, with missing privileges for xtrabackup.

errors with roadmin:

xtrabackup: Error: missing required privilege SHOW DATABASES on *.*
xtrabackup: Error: missing required privilege CREATE on *.*
xtrabackup: Error: missing required privilege RELOAD on *.*
xtrabackup: Error: missing required privilege LOCK TABLES on *.*

I recommend to create a bkpuser with those minimal privileges needed for backup (and expose it in manifest):

CREATE USER 'bkpuser'@'localhost' IDENTIFIED BY 'uuw9shai1cheingae3oru6eejeegheiRocee8xoo7ahS';
GRANT RELOAD, LOCK TABLES, REPLICATION CLIENT, SHOW DATABASES, SELECT, PROCESS, CREATE ON *.* TO 'bkpuser'@'localhost';
FLUSH PRIVILEGES;

What do you think? Do you wish a PR for that or do you wish to implement it yourself?

We use those xtrabackup arguments (later integrate into Shield):

/var/vcap/packages/percona-xtrabackup/bin/xtrabackup --check-privileges --galera-info --no-version-check --parallel=8 --open-files-limit=1048576 --backup --target-dir=/var/vcap/store/tmp-backup --datadir=/var/vcap/store/pxc-mysql --socket=/var/vcap/data/sys/run/pxc-mysql/mysqld.sock --user=bkpuser --password=uuw9shai1cheingae3oru6eejeegheiRocee8xoo7ahS

thanks and best regards GETandSELECT

cf-gitbot commented 5 years ago

We have created an issue in Pivotal Tracker to manage this:

https://www.pivotaltracker.com/story/show/160984667

The labels on this github issue will be updated when the story is started.