[MariaDB] Fix privileges for mysql-exporter user used by prometheus exporter

Change-Id: I1a2ba8d2525d28d1179a64d5c815e2f32ef56744
2022-05-10 14:52:36 -05:00 · 2022-05-10 14:52:36 -05:00 · 9d9edbded5
commit 9d9edbded5
parent 1e56dd59ea
3 changed files with 34 additions and 8 deletions
--- a/mariadb/Chart.yaml
+++ b/mariadb/Chart.yaml
@ -15,7 +15,7 @@ apiVersion: v1
 appVersion: v10.2.31
 description: OpenStack-Helm MariaDB
 name: mariadb
-version: 0.2.20
+version: 0.2.21
 home: https://mariadb.com/kb/en/
 icon: http://badges.mariadb.org/mariadb-badge-180x60.png
 sources:
--- a/mariadb/templates/monitoring/prometheus/bin/_create-mysql-user.sh.tpl
+++ b/mariadb/templates/monitoring/prometheus/bin/_create-mysql-user.sh.tpl
@ -16,10 +16,35 @@ limitations under the License.

 set -e

-if ! mysql --defaults-file=/etc/mysql/admin_user.cnf -e \
-  "CREATE OR REPLACE USER '${EXPORTER_USER}'@'%' IDENTIFIED BY '${EXPORTER_PASSWORD}'; \
-   GRANT PROCESS, REPLICATION CLIENT, SELECT ON *.* TO '${EXPORTER_USER}'@'%' ${MARIADB_X509}; \
-   FLUSH PRIVILEGES;" ; then
-  echo "ERROR: Could not create user: ${EXPORTER_USER}"
-  exit 1
-fi
+  # SLAVE MONITOR
+  # Grants ability to SHOW SLAVE STATUS, SHOW REPLICA STATUS,
+  # SHOW ALL SLAVES STATUS, SHOW ALL REPLICAS STATUS, SHOW RELAYLOG EVENTS.
+  # New privilege added in MariaDB Enterprise Server 10.5.8-5. Alias for REPLICA MONITOR.
+  #
+  # REPLICATION CLIENT
+  # Grants ability to SHOW MASTER STATUS, SHOW SLAVE STATUS, SHOW BINARY LOGS. In ES10.5,
+  # is an alias for BINLOG MONITOR and the capabilities have changed. BINLOG MONITOR grants
+  # ability to SHOW MASTER STATUS, SHOW BINARY LOGS, SHOW BINLOG EVENTS, and SHOW BINLOG STATUS.
+
+  mariadb_version=$(mysql --defaults-file=/etc/mysql/admin_user.cnf -e "status" | grep -E '^Server\s+version:')
+  echo "Current database ${mariadb_version}"
+
+  if [[ ! -z ${mariadb_version} && -z $(grep -E '10.2|10.3|10.4' <<< ${mariadb_version}) ]]; then
+    # In case MariaDB version is 10.2.x-10.4.x - we use old privileges definitions
+    if ! mysql --defaults-file=/etc/mysql/admin_user.cnf -e \
+      "CREATE OR REPLACE USER '${EXPORTER_USER}'@'%' IDENTIFIED BY '${EXPORTER_PASSWORD}'; \
+      GRANT PROCESS, BINLOG MONITOR, SLAVE MONITOR, SELECT ON *.* TO '${EXPORTER_USER}'@'%' ${MARIADB_X509}; \
+      FLUSH PRIVILEGES;" ; then
+      echo "ERROR: Could not create user: ${EXPORTER_USER}"
+      exit 1
+    fi
+  else
+    # here we use new MariaDB privileges definitions defines since version 10.5
+    if ! mysql --defaults-file=/etc/mysql/admin_user.cnf -e \
+      "CREATE OR REPLACE USER '${EXPORTER_USER}'@'%' IDENTIFIED BY '${EXPORTER_PASSWORD}'; \
+      GRANT PROCESS, REPLICATION CLIENT, SELECT ON *.* TO '${EXPORTER_USER}'@'%' ${MARIADB_X509}; \
+      FLUSH PRIVILEGES;" ; then
+      echo "ERROR: Could not create user: ${EXPORTER_USER}"
+      exit 1
+    fi
+  fi
--- a/releasenotes/notes/mariadb.yaml
+++ b/releasenotes/notes/mariadb.yaml
@ -36,4 +36,5 @@ mariadb:
  - 0.2.18 Updated naming for subchart compatibility
  - 0.2.19 Update default image value to Wallaby
  - 0.2.20 Migrated CronJob resource to batch/v1 API version & PodDisruptionBudget to policy/v1; Uplift Mariadb-ingress to 1.1.3
+  - 0.2.21 Fix mysql exporter user privileges
 ...