← Back to team overview

maria-discuss team mailing list archive

Privilege Question

 

We are on MariaDB 10.5.18.  There is a requirement to send all syslog data to a central syslog server.  In the past, we did it using a login called ITS_READ.  It has limited privs on purpose, but used to be able to execute the SET GLOBAL statements that we needed.  Those statements are:

SET GLOBAL server_audit_output_type=SYSLOG;
SET GLOBAL server_audit_logging=1;
SET GLOBAL server_audit_syslog_facility=LOG_LOCAL2;
SET GLOBAL server_audit_events="connect,table,query_ddl,query_dcl";

Now, it doesn't have the privs needed to do that.  In looking online, I found that there is a "new" privilege (in MySQL 8), called system_variables_admin that allows the user to execute SET GLOBAL statements.  However, when I try to grant that privilege, I get an error:

MariaDB [(none)]> grant system_variables_admin to 'ITS_READ'@'localhost';
ERROR 1959 (OP000): Invalid role specification `system_variables_admin`

It seems that the only other option is to grant the SUPER privilege, which we don't want to do.

How do I get around this, or do I just tell the sysadmins they can't have the syslog data?

Scott Canaan '88
Sr Database Administrator
Information & Technology Services
Finance & Administration
Rochester Institute of Technology
o: (585) 475-7886 | f: (585) 475-7520
srcdco@xxxxxxx<mailto:srcdco@xxxxxxx> | c: (585) 339-8659

CONFIDENTIALITY NOTE: The information transmitted, including attachments, is intended only for the person(s) or entity to which it is addressed and may contain confidential and/or privileged material. Any review, retransmission, dissemination or other use of, or taking of any action in reliance upon this information by persons or entities other than the intended recipient is prohibited. If you received this in error, please contact the sender and destroy any copies of this information.


Follow ups