From 44e3dcb3a4e7a573a2171d78f7e3a968f869db3a Mon Sep 17 00:00:00 2001
From: Sahil Muthoo
Date: Tue, 25 Jun 2024 17:06:10 +1000
Subject: [PATCH] Use the minimum privileges needed Fixes https://github.com/cashapp/spirit/issues/291
---
 compose/bootstrap.sql | 16 ++++++++--------
 1 file changed, 8 insertions(+), 8 deletions(-)
diff --git a/compose/bootstrap.sql b/compose/bootstrap.sql
index 3b3d194..59b5dc5 100644
--- a/compose/bootstrap.sql
+++ b/compose/bootstrap.sql
@@ -1,18 +1,18 @@
 use mysql;
-create role if not exists R_DO_IT_ALL;
-grant all on *.* to R_DO_IT_ALL;
-create user if not exists msandbox@'%' identified with caching_sha2_password by 'msandbox';
-
-grant R_DO_IT_ALL to msandbox@'%' ;
-set default role R_DO_IT_ALL to msandbox@'%';
-
-
+create role if not exists R_MIGRATOR;
+grant alter, create, delete, drop, index, insert, lock tables, select, trigger, update on *.* to R_MIGRATOR;
 create role if not exists R_REPLICATION;
 grant REPLICATION SLAVE, REPLICATION CLIENT on *.* to R_REPLICATION;
 create role if not exists R_THROTTLER;
 grant SELECT on performance_schema.replication_applier_status_by_worker to R_THROTTLER;
 grant SELECT on performance_schema.replication_connection_status to R_THROTTLER;
+
+
+create user if not exists msandbox@'%' identified with caching_sha2_password by 'msandbox';
+grant R_MIGRATOR, R_REPLICATION to msandbox@'%' ;
+set default role R_MIGRATOR, R_REPLICATION to msandbox@'%';
+
 create user if not exists rsandbox@'%' identified with caching_sha2_password by 'rsandbox';
 grant R_REPLICATION, R_THROTTLER to rsandbox@'%';
 set default role R_REPLICATION, R_THROTTLER to rsandbox@'%';
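Review bot: The new R_MIGRATOR grant is still scoped `on *.*`, so its insert/update/delete/drop privileges also cover the `mysql` system schema and its grant tables, which leaves a route back to broader privileges despite the narrower list. If the migrator only needs application schemas (not visible from this hunk), scope the grant instead, e.g. `grant alter, create, delete, drop, index, insert, lock tables, select, trigger, update on <app_schema>.* to R_MIGRATOR;` with the real schema name in place of the placeholder, or keep the global grant and revoke it on `mysql.*` with `partial_revokes` enabled. A short comment above the grant, such as `-- R_MIGRATOR: privileges required for online schema change; trigger/lock tables needed for <reason>`, would record why each privilege is in the list and make later tightening easier. Separately, `msandbox@'%'` keeps a password equal to its user name and accepts connections from any host, which is reasonable only while this bootstrap file stays confined to the local compose sandbox.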