Description
In the README.md file the following is mentioned as Required Grants
CREATE USER 'exporter'@'localhost' IDENTIFIED BY 'XXXXXXXX' WITH MAX_USER_CONNECTIONS 3;
GRANT PROCESS, REPLICATION CLIENT, SELECT ON *.* TO 'exporter'@'localhost';
However this allows the user exporter to access sensitive information, too.
I think it would be more secure to reduce the SELECT to the minimum.
We succeeded in getting the mysqld_exporter running with the following settings:
CREATE USER 'exporter'@'localhost' IDENTIFIED BY 'XXXXXXXX' WITH MAX_USER_CONNECTIONS 3;
GRANT PROCESS, REPLICATION CLIENT ON *.* TO 'exporter'@'localhost';
GRANT SELECT ON performance_schema.* TO 'exporter'@'localhost';
GRANT SELECT ON information_schema.* TO 'exporter'@'localhost';
As mentioned in #242 the minimal required grants might depend on the version of the database and the mysqld_exporter used, but maybe one could provide such minimal secure configurations for the most common versions.
e.g. by adding a section like the following to README.md or placing it on a sub-page:
With MySQL 8.0.x and mysqld_exporter version 0.13.0 on CentOS 7 the following minimal grants work too:
CREATE USER 'exporter'@'localhost' IDENTIFIED BY 'XXXXXXXX' WITH MAX_USER_CONNECTIONS 3;
GRANT PROCESS, REPLICATION CLIENT ON *.* TO 'exporter'@'localhost';
GRANT SELECT ON performance_schema.* TO 'exporter'@'localhost';
GRANT SELECT ON information_schema.* TO 'exporter'@'localhost';
It was actually quite easy to find the minimal set of grants. All one has to do is check the logs of mysqld_exporter. When it could not read some information, the log output indicated which table was the problem, and from there one could deduce which schema one had to allow a SELECT for.
I think using such a restrictive set of grants would be beneficial for security, since it guarantees that the mysqld_exporter has no access to data in the tables.
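As an added example that is not part of this issue or of the mysqld_exporter project, the following SQL places the README's broad grant set beside the restricted one and then runs checks that show what each account can and cannot read. It assumes a constructed application schema `app_db` with a table `customers`, a password placeholder `XXXXXXXX`, and a MySQL server of the 5.7/8.0 family (where `performance_schema.global_status` exists). The `information_schema` grant from the issue is deliberately omitted here: MySQL exposes that schema to every account without a grant, showing each account only the rows it has privileges for. Whether the exporter needs further tables still depends on the server and exporter versions, as the issue itself notes.

```sql
-- Added example, not code from the issue or the mysqld_exporter project.
-- Assumptions: app_db.customers exists (constructed for this example),
-- XXXXXXXX is a placeholder password.

-- 1. README grant set for comparison: SELECT on every schema, so this
--    account can read application data as well as the monitoring views.
CREATE USER 'exporter_broad'@'localhost' IDENTIFIED BY 'XXXXXXXX' WITH MAX_USER_CONNECTIONS 3;
GRANT PROCESS, REPLICATION CLIENT, SELECT ON *.* TO 'exporter_broad'@'localhost';

-- 2. Restricted grant set. PROCESS and REPLICATION CLIENT are global
--    privileges with no table scope, so they still take ON *.*; SELECT is
--    limited to performance_schema. No grant is issued on information_schema,
--    which every account can already read.
CREATE USER 'exporter'@'localhost' IDENTIFIED BY 'XXXXXXXX' WITH MAX_USER_CONNECTIONS 3;
GRANT PROCESS, REPLICATION CLIENT ON *.* TO 'exporter'@'localhost';
GRANT SELECT ON performance_schema.* TO 'exporter'@'localhost';

-- 3. Review what was actually granted (run as an administrator).
SHOW GRANTS FOR 'exporter'@'localhost';
SHOW GRANTS FOR 'exporter_broad'@'localhost';

-- 4. Checks to run in a session opened as 'exporter'@'localhost'
--    (mysql -u exporter -p). The first two succeed; the third must fail with
--    ERROR 1142 (42000): SELECT command denied to user 'exporter'@'localhost'
--    for table 'customers'.
SELECT COUNT(*) FROM performance_schema.global_status;
SHOW GLOBAL STATUS LIKE 'Threads_connected';
SELECT * FROM app_db.customers LIMIT 1;

-- 5. The restricted account must also be unable to read the grant tables.
--    Expected: ERROR 1142 (42000) ... for table 'user'.
SELECT user, host FROM mysql.user;

-- 6. The same query succeeds for the README-style account, which is the
--    exposure the issue describes. Remove the comparison account afterwards.
--    (Run as 'exporter_broad'@'localhost':)  SELECT * FROM app_db.customers LIMIT 1;
DROP USER 'exporter_broad'@'localhost';
```

Steps 1 to 3 and the final DROP USER run as an administrative account; steps 4 and 5 run in a session authenticated as the restricted `exporter` user. If a scrape after this change produces "command denied" lines in the mysqld_exporter log, the table named there identifies the one additional schema that needs a scoped SELECT grant, which is the procedure described in the issue.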