From 9d9edbded5cc6078ffbc7860c2e53cf0f3e26b10 Mon Sep 17 00:00:00 2001
From: "Markin, Sergiy (sm515x)" <sm515x@att.com>
Date: Tue, 10 May 2022 14:52:36 -0500
Subject: [PATCH] [MariaDB] Fix privileges for mysql-exporter user used by
 prometheus exporter

Change-Id: I1a2ba8d2525d28d1179a64d5c815e2f32ef56744
---
 mariadb/Chart.yaml                            |  2 +-
 .../prometheus/bin/_create-mysql-user.sh.tpl  | 39 +++++++++++++++----
 releasenotes/notes/mariadb.yaml               |  1 +
 3 files changed, 34 insertions(+), 8 deletions(-)

diff --git a/mariadb/Chart.yaml b/mariadb/Chart.yaml
index 258b8860c..be4a201d6 100644
--- a/mariadb/Chart.yaml
+++ b/mariadb/Chart.yaml
@@ -15,7 +15,7 @@ apiVersion: v1
 appVersion: v10.2.31
 description: OpenStack-Helm MariaDB
 name: mariadb
-version: 0.2.20
+version: 0.2.21
 home: https://mariadb.com/kb/en/
 icon: http://badges.mariadb.org/mariadb-badge-180x60.png
 sources:
diff --git a/mariadb/templates/monitoring/prometheus/bin/_create-mysql-user.sh.tpl b/mariadb/templates/monitoring/prometheus/bin/_create-mysql-user.sh.tpl
index 682d3beee..bf6e733cb 100644
--- a/mariadb/templates/monitoring/prometheus/bin/_create-mysql-user.sh.tpl
+++ b/mariadb/templates/monitoring/prometheus/bin/_create-mysql-user.sh.tpl
@@ -16,10 +16,35 @@ limitations under the License.
 
 set -e
 
-if ! mysql --defaults-file=/etc/mysql/admin_user.cnf -e \
-  "CREATE OR REPLACE USER '${EXPORTER_USER}'@'%' IDENTIFIED BY '${EXPORTER_PASSWORD}'; \
-   GRANT PROCESS, REPLICATION CLIENT, SELECT ON *.* TO '${EXPORTER_USER}'@'%' ${MARIADB_X509}; \
-   FLUSH PRIVILEGES;" ; then
-  echo "ERROR: Could not create user: ${EXPORTER_USER}"
-  exit 1
-fi
+  # SLAVE MONITOR
+  # Grants ability to SHOW SLAVE STATUS, SHOW REPLICA STATUS,
+  # SHOW ALL SLAVES STATUS, SHOW ALL REPLICAS STATUS, SHOW RELAYLOG EVENTS.
+  # New privilege added in MariaDB Enterprise Server 10.5.8-5. Alias for REPLICA MONITOR.
+  #
+  # REPLICATION CLIENT
+  # Grants ability to SHOW MASTER STATUS, SHOW SLAVE STATUS, SHOW BINARY LOGS. In ES10.5,
+  # is an alias for BINLOG MONITOR and the capabilities have changed. BINLOG MONITOR grants
+  # ability to SHOW MASTER STATUS, SHOW BINARY LOGS, SHOW BINLOG EVENTS, and SHOW BINLOG STATUS.
+
+  mariadb_version=$(mysql --defaults-file=/etc/mysql/admin_user.cnf -e "status" | grep -E '^Server\s+version:')
+  echo "Current database ${mariadb_version}"
+
+  if [[ ! -z ${mariadb_version} && -z $(grep -E '10.2|10.3|10.4' <<< ${mariadb_version}) ]]; then
+    # In case MariaDB version is 10.2.x-10.4.x - we use old privileges definitions
+    if ! mysql --defaults-file=/etc/mysql/admin_user.cnf -e \
+      "CREATE OR REPLACE USER '${EXPORTER_USER}'@'%' IDENTIFIED BY '${EXPORTER_PASSWORD}'; \
+      GRANT PROCESS, BINLOG MONITOR, SLAVE MONITOR, SELECT ON *.* TO '${EXPORTER_USER}'@'%' ${MARIADB_X509}; \
+      FLUSH PRIVILEGES;" ; then
+      echo "ERROR: Could not create user: ${EXPORTER_USER}"
+      exit 1
+    fi
+  else
+    # here we use new MariaDB privileges definitions defines since version 10.5
+    if ! mysql --defaults-file=/etc/mysql/admin_user.cnf -e \
+      "CREATE OR REPLACE USER '${EXPORTER_USER}'@'%' IDENTIFIED BY '${EXPORTER_PASSWORD}'; \
+      GRANT PROCESS, REPLICATION CLIENT, SELECT ON *.* TO '${EXPORTER_USER}'@'%' ${MARIADB_X509}; \
+      FLUSH PRIVILEGES;" ; then
+      echo "ERROR: Could not create user: ${EXPORTER_USER}"
+      exit 1
+    fi
+  fi
diff --git a/releasenotes/notes/mariadb.yaml b/releasenotes/notes/mariadb.yaml
index c55ea565c..cd9cd4a15 100644
--- a/releasenotes/notes/mariadb.yaml
+++ b/releasenotes/notes/mariadb.yaml
@@ -36,4 +36,5 @@ mariadb:
   - 0.2.18 Updated naming for subchart compatibility
   - 0.2.19 Update default image value to Wallaby
   - 0.2.20 Migrated CronJob resource to batch/v1 API version & PodDisruptionBudget to policy/v1; Uplift Mariadb-ingress to 1.1.3
+  - 0.2.21 Fix mysql exporter user privileges
 ...