Closed
Bug 1184167
Opened 10 years ago
Closed 9 years ago
Remove MySQL permissions 'Insert_priv', 'Update_priv' and 'Delete_priv' from 'th_user' on stage/prod
Categories: Tree Management :: Treeherder: Infrastructure, defect, P2
Tracking: Not tracked
Status: RESOLVED WONTFIX
People: Reporter: emorley, Unassigned
In bug 1182994 comment 9 it was noticed that the user "th_user", which is used for our read_host targeted datasource queries ([1]), has more than just select privs:
Select_priv, Insert_priv, Update_priv, Delete_priv
We should probably just remove everything other than "Select_priv" - after first checking on stage it doesn't break anything.
Reporter
Comment 1•10 years ago
Reporter
Comment 2•10 years ago
If I make the changes on stage (and then do a |flush privileges;| so they get picked up), will they stick?
Or will puppet/... overwrite them?
Flags: needinfo?(klibby)
Comment 3•10 years ago
puppet does not control mysql privs, so you're gtg.
Flags: needinfo?(klibby)
Reporter
Comment 5•9 years ago
Stage...
Execute:
> SELECT `Host`, `Insert_priv`, `Update_priv`, `Delete_priv` FROM `mysql`.`user` WHERE `User` = "th_user"
+ --------- + ---------------- + ---------------- + ---------------- +
| Host | Insert_priv | Update_priv | Delete_priv |
+ --------- + ---------------- + ---------------- + ---------------- +
| 10.X.X.X_ | Y | Y | Y |
| 10.X.X.X_ | Y | Y | Y |
+ --------- + ---------------- + ---------------- + ---------------- +
2 rows
UPDATE `mysql`.`user`
SET
`Insert_priv` = "N",
`Update_priv` = "N",
`Delete_priv` = "N"
WHERE `User` = "th_user";
Execute:
> SELECT `Host`, `Insert_priv`, `Update_priv`, `Delete_priv` FROM `mysql`.`user` WHERE `User` = "th_user"
+ --------- + ---------------- + ---------------- + ---------------- +
| Host | Insert_priv | Update_priv | Delete_priv |
+ --------- + ---------------- + ---------------- + ---------------- +
| 10.X.X.X_ | N | N | N |
| 10.X.X.X_ | N | N | N |
+ --------- + ---------------- + ---------------- + ---------------- +
2 rows
But I then get an access denied on |flush privileges;|.
Reading more, we should just be using the GRANT commands etc.
Reporter
Comment 6•9 years ago
(In reply to Ed Morley [:emorley] from comment #5)
> Reading more, we should just be using the GRANT commands etc.
...which th_admin may have access to use, even if it can't use |flush privileges;|. The permissions error was:
Error Code: 1227. Access denied; you need (at least one of) the RELOAD privilege(s) for this operation
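The GRANT/REVOKE route that comments 5 and 6 point to, as an added example that is not part of the original bug thread: account-management statements update the server's in-memory privileges themselves, so neither FLUSH PRIVILEGES nor the RELOAD privilege is involved. `<host>` and `<db>` are placeholders (the page masks the real Host values), and whether th_admin holds GRANT OPTION is an assumption that step 1 checks.

```sql
-- Added example. <host> and <db> are placeholders, not values from the bug.

-- 1. Run as the admin account (th_admin on the page). REVOKE requires
--    GRANT OPTION plus the privileges being revoked; confirm they are present.
SHOW GRANTS FOR CURRENT_USER();

-- 2. List every th_user account. MySQL accounts are 'user'@'host' pairs,
--    so each Host row in mysql.user has to be handled separately.
SELECT `User`, `Host`, `Select_priv`, `Insert_priv`, `Update_priv`, `Delete_priv`
  FROM `mysql`.`user`
 WHERE `User` = 'th_user';

-- 3. The *_priv columns in mysql.user are global privileges, i.e. ON *.*.
--    Repeat this statement for each Host value returned by step 2.
REVOKE INSERT, UPDATE, DELETE ON *.* FROM 'th_user'@'<host>';

-- 4. Global privileges are not the only place write access can live:
--    check for database-level grants held by the same accounts.
SELECT `Host`, `Db`, `Insert_priv`, `Update_priv`, `Delete_priv`
  FROM `mysql`.`db`
 WHERE `User` = 'th_user';

--    Only if step 4 returns rows with 'Y', revoke at that level as well
--    (REVOKE fails with "no such grant" when the grant does not exist):
-- REVOKE INSERT, UPDATE, DELETE ON `<db>`.* FROM 'th_user'@'<host>';

-- 5. Verify. The remaining grants should not include INSERT, UPDATE
--    or DELETE at any level.
SHOW GRANTS FOR 'th_user'@'<host>';

-- Caveat: a change to global privileges applies to new connections only.
-- Sessions th_user already has open keep their old privileges until they
-- reconnect, so recycle the application's connection pool after step 3.
```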
Reporter
Comment 7•9 years ago
I've filed bug 1207991 for Heroku. As for stage/prod, that will become irrelevant once we move to Heroku and isn't urgent anyway.
Assignee: emorley → nobody
Reporter
Comment 8•9 years ago
Wontfix since moving to Heroku.
Status: NEW → RESOLVED
Closed: 9 years ago
Resolution: --- → WONTFIX