maria-discuss team mailing list archive
Message #06541
Re: Privilege Question
Scott Canaan <srcdco@xxxxxxx> writes:
> Thank you. I found SUPER, but was trying to avoid using it as it
> gives too many privileges. I was looking for something more
> fine-grained.
Maybe you can define a stored procedure with SQL SECURITY DEFINER (and a
DEFINER with the SUPER privilege) that sets the desired syslog global
system variables. Then you can grant the ITS_READ account access to the
stored procedure, which will give access only to set the syslog
configuration.
Hope this helps,
- Kristian.
> On Apr 06, Scott Canaan wrote:
>> We are on MariaDB 10.5.18. There is a requirement to send all syslog
>> data to a central syslog server. In the past, we did it using a login
>> called ITS_READ. It has limited privs on purpose, but used to be able
>> to execute the SET GLOBAL statements that we needed. Those statements
>> are:
>>
>> SET GLOBAL server_audit_output_type=SYSLOG;
>> SET GLOBAL server_audit_logging=1;
>> SET GLOBAL server_audit_syslog_facility=LOG_LOCAL2;
>> SET GLOBAL server_audit_events="connect,table,query_ddl,query_dcl";
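
Added example (not part of the original message or the MariaDB project's code): a sketch of the SQL SECURITY DEFINER approach suggested in the reply above, wrapping the four quoted SET GLOBAL statements. The schema `audit_admin`, the account `audit_definer`, the procedure name `enable_syslog_audit` and the `'%'` host part of ITS_READ are assumptions.

```sql
-- Added example. Run as an administrative account in the mariadb
-- command-line client (DELIMITER is a client command).
-- Hypothetical names: audit_admin, audit_definer, enable_syslog_audit.

CREATE DATABASE IF NOT EXISTS audit_admin;

-- Definer account that holds SUPER; it is not handed out for interactive use.
CREATE USER IF NOT EXISTS 'audit_definer'@'localhost'
    IDENTIFIED BY 'REPLACE-WITH-LONG-RANDOM-PASSWORD';  -- placeholder
GRANT SUPER ON *.* TO 'audit_definer'@'localhost';

DELIMITER //
CREATE OR REPLACE DEFINER = 'audit_definer'@'localhost'
PROCEDURE audit_admin.enable_syslog_audit()
    SQL SECURITY DEFINER
BEGIN
    -- Fixed values only: no parameters, so the caller cannot choose settings.
    -- Enum values are written as quoted strings.
    SET GLOBAL server_audit_output_type = 'SYSLOG';
    SET GLOBAL server_audit_logging = 1;
    SET GLOBAL server_audit_syslog_facility = 'LOG_LOCAL2';
    SET GLOBAL server_audit_events = 'connect,table,query_ddl,query_dcl';
END //
DELIMITER ;

-- The definer is given EXECUTE on the routine it runs as.
GRANT EXECUTE ON PROCEDURE audit_admin.enable_syslog_audit
    TO 'audit_definer'@'localhost';

-- 'ITS_READ'@'%' assumes the existing account's host part; adjust to match.
GRANT EXECUTE ON PROCEDURE audit_admin.enable_syslog_audit
    TO 'ITS_READ'@'%';

-- Checks: the routine's definer and security type, and what ITS_READ holds.
SELECT ROUTINE_NAME, DEFINER, SECURITY_TYPE
  FROM information_schema.ROUTINES
 WHERE ROUTINE_SCHEMA = 'audit_admin';
SHOW GRANTS FOR 'ITS_READ'@'%';

-- Then, connected as ITS_READ:
--   CALL audit_admin.enable_syslog_audit();
--   SHOW GLOBAL VARIABLES LIKE 'server_audit%';
```

The procedure body is the whole of what ITS_READ can do with the definer's SUPER privilege, so review it like any privileged code and restrict who may replace it.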