I think the following is a minimal set of permissions that will get it done. I created a user named telegraf and I run telegraf on the MySQL server system. Thus, I want to connect to it via the UNIX socket /tmp/mysql.sock (which is where it is on my system) instead of connecting via TCP.
In the telegraf.conf file I have the following line to connect to the database server.
servers = ["telegraf:password@unix(/tmp/mysql.sock)/information_schema"]
To create the telegraf MySQL user and grant it the minimal level of privileges, I ran the following:
CREATE USER 'telegraf'@'localhost' IDENTIFIED WITH mysql_native_password AS '***';
GRANT PROCESS ON *.* TO 'telegraf'@'localhost' REQUIRE NONE WITH
MAX_QUERIES_PER_HOUR 0 MAX_CONNECTIONS_PER_HOUR 0
MAX_UPDATES_PER_HOUR 0 MAX_USER_CONNECTIONS 0;
GRANT REPLICATION CLIENT ON *.* TO 'telegraf'@'localhost';
GRANT SELECT ON `cluster\_replication`.* TO 'telegraf'@'localhost';
GRANT SELECT ON `information\_schema`.* TO 'telegraf'@'localhost';
GRANT SELECT ON `performance\_schema`.* TO 'telegraf'@'localhost';
I seem to be getting all the metrics that I expect, so I think this is working. I think this is a minimal set of privileges because it is only SELECT on various databases and the ability to read process variables. I’m no expert, but this seems fairly safe.
