maria-discuss team mailing list archive

Re: Privilege Question


Scott Canaan <srcdco@xxxxxxx> writes:

>   Thank you. I found SUPER, but was trying to avoid using it as it
> gives too many privileges. I was looking for something more
> fine-grained.

Maybe you can define a stored procedure with SQL SECURITY DEFINER (and a
DEFINER with the SUPER privilege) that sets the desired syslog global
system variables. Then you can grant the ITS_READ account access to the
stored procedure, which will give access only to set the syslog

Hope this helps,

 - Kristian.

> On Apr 06, Scott Canaan wrote:
>> We are on MariaDB 10.5.18.  There is a requirement to send all syslog 
>> data to a central syslog server.  In the past, we did it using a login 
>> called ITS_READ.  It has limited privs on purpose, but used to be able 
>> to execute the SET GLOBAL statements that we needed.  Those statements
>> are:
>> SET GLOBAL server_audit_output_type=SYSLOG;
>> SET GLOBAL server_audit_logging=1;
>> SET GLOBAL server_audit_syslog_facility=LOG_LOCAL2;
>> SET GLOBAL server_audit_events="connect,table,query_ddl,query_dcl";
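
The stored-procedure approach suggested in the reply above, written out as an added example that is not part of the original thread. The schema `audit_admin`, the account `audit_definer`, the procedure name and the host part of `ITS_READ` are assumptions for illustration; the four settings are the ones quoted in the question.

```sql
-- Added example. Run as an administrative account: creating a routine
-- with a DEFINER other than yourself needs elevated privileges.
-- audit_admin, audit_definer and enable_syslog_audit are hypothetical names.

CREATE DATABASE IF NOT EXISTS audit_admin;

-- Dedicated definer account that holds SUPER. Nobody should log in as it;
-- give it a long random password kept in a vault (placeholder below).
CREATE USER IF NOT EXISTS 'audit_definer'@'localhost'
    IDENTIFIED BY '<long-random-password>';
GRANT SUPER ON *.* TO 'audit_definer'@'localhost';

DELIMITER //
CREATE DEFINER = 'audit_definer'@'localhost'
PROCEDURE audit_admin.enable_syslog_audit()
    SQL SECURITY DEFINER
    COMMENT 'Sets the server_audit syslog variables with fixed values'
BEGIN
    -- No parameters on purpose: the caller cannot choose which variable
    -- is set or what value it gets, so SUPER is not exposed in general.
    SET GLOBAL server_audit_output_type     = 'SYSLOG';
    SET GLOBAL server_audit_logging         = 1;
    SET GLOBAL server_audit_syslog_facility = 'LOG_LOCAL2';
    SET GLOBAL server_audit_events          = 'connect,table,query_ddl,query_dcl';
END//
DELIMITER ;

-- The limited account gets EXECUTE on this one routine and nothing else.
-- The host part '%' is an assumption; use the account's real host.
GRANT EXECUTE ON PROCEDURE audit_admin.enable_syslog_audit TO 'ITS_READ'@'%';

-- Checks: the routine runs as its definer, and ITS_READ has no SUPER.
SELECT ROUTINE_SCHEMA, ROUTINE_NAME, DEFINER, SECURITY_TYPE
  FROM information_schema.ROUTINES
 WHERE ROUTINE_SCHEMA = 'audit_admin';
SHOW GRANTS FOR 'ITS_READ'@'%';

-- Connected as ITS_READ, this is expected to succeed:
--   CALL audit_admin.enable_syslog_audit();
-- while a direct statement is expected to be refused for lack of SUPER:
--   SET GLOBAL server_audit_logging = 0;
```

Keep ALTER ROUTINE and CREATE ROUTINE on `audit_admin` away from `ITS_READ`; an account that can change the body of a DEFINER routine effectively holds the definer's privileges.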