Minimum permissions for MySQL plugin

telegraf
#1

Hi,

I don’t find anywhere which are the minimum permissions needed / security recomendations to monitor a MySQL server using the telegraf plugin.

I assume that people uses the root user o something similar.

It would be nice to have an explanation about that in the official MySQL intput plugin documentation.

Have the SQL sentence to execute in the MySQL to create a monitoring user for telegraf with minimum permissions to allow the monitoring etc.

Thanks!

1 Like
#2

@bmiro According to the MySQL documentation the monitoring user requires SELECT, CREATE USER, REPLICATION CLIENT (not required for single instance), SHOW DATABASES, SUPER, and PROCESS permissions.

GRANT SELECT, CREATE USER, REPLICATION CLIENT, SHOW DATABASES, SUPER, PROCESS
  ON *.*
  TO  'mysqluser'@'localhost'
  IDENTIFIED BY 'agent_password';

Is that what you are looking for?

#3

Hi,

Thanks for the fast reply but:

Thats for MySQL Enterprise Monitor software, I don’t understand the connection with Telegraf. Does Telegraf implement the same interface than MySQL Enterprise Monitor?

That permission level is huge. I don’t understand why Telegraf should be able to create users (CREATE USER) on the monitored MySQL Database I expect that it can run in some kind of read-only mode.

Also I don’t understand the need of the SUPER privilege that has many permissions on the DB.

#4

I think the following is a minimal set of permissions that will get it done. I created a user named telegraf and I run telegraf on the MySQL server system. Thus, I want to connect to it via the UNIX socket /tmp/mysql.sock (which is where it is on my system) instead of connecting via TCP.

In the telegraf.conf file I have the following line to connect to the database server.

servers = ["telegraf:password@unix(/tmp/mysql.sock)/information_schema"]

To create the telegraf MySQL user and grant it the minimal level of privileges, I ran the following:

CREATE USER 'telegraf'@'localhost' IDENTIFIED WITH mysql_native_password AS '***';
GRANT PROCESS ON *.* TO 'telegraf'@'localhost' REQUIRE NONE WITH 
  MAX_QUERIES_PER_HOUR 0 MAX_CONNECTIONS_PER_HOUR 0 
  MAX_UPDATES_PER_HOUR 0 MAX_USER_CONNECTIONS 0;

GRANT REPLICATION CLIENT ON *.* TO 'telegraf'@'localhost';
GRANT SELECT ON `cluster\_replication`.* TO 'telegraf'@'localhost';
GRANT SELECT ON `information\_schema`.* TO 'telegraf'@'localhost';
GRANT SELECT ON `performance\_schema`.* TO 'telegraf'@'localhost';

I seem to be getting all the metrics that I expect, so I think this is working. I think this is a minimal set of privileges because it is only SELECT on various databases and the ability to read process variables. I’m no expert, but this seems fairly safe.