2

I have migrated Grafana from SQLite database to MySQL (in fact, MariaDB 10.3.22), so database is now located on a different machine. It is obvious that the software needs a database account now, so I created a separate one:

MariaDB [(grafana)]> create user 'grafana'@'%' identified by 'XX';

Then, I adjusted Grafana configuration file to use the newly created account. And everything worked. The thing is that I cannot understand how it works when it comes to privileges (the goal is to apply least privileges possible). I didn't assign any privileges to the new user. Current ones:

MariaDB [(grafana)]> show grants for grafana; | Grants for grafana@% | | GRANT USAGE ON *.* TO 'grafana'@'%' IDENTIFIED BY PASSWORD 'XX' |

MySQL documentation says, that "usage" privilege (assigned on creation time) is a synonym for "no privilege". In another words, I should expect that Grafana wouldn't work at all. But it works like a charm.

How is that possible that reads and writes are possible? Neither could I find any reasonable explanation on this topic nor similar threads.

Improve this question

1 Answer 1

Reset to default
1

Is it possible that you forgot to restart grafana after the configuration change?
If not, it's still using SQLite, which would explain why it's still working.

Improve this answer
5
  • Nope, it is definitely not using SQLite. Grafana's read/write abilities were verified by live queries to MySQL instance, not only in GUI. Commented Jun 24, 2020 at 19:00
  • can you post the output of "show databases" when you're connected as the grafana user on mariadb Commented Jun 24, 2020 at 20:30
  • 'show databases;' while being connected as a 'grafana' user shows two databases: grafana, information schema. Commented Jun 25, 2020 at 20:44
  • 1
    I was able to sort of reproduce the problem. Just to check if i'm on the right track, would you mind running "select Db,User from mysql.db where Db='grafana';" When the user column is empty, i am able to use the grafana database as the grafana user, even though the grafana user has only usage privileges like in your case. Commented Jun 26, 2020 at 10:57
  • It seems I've found the issue. When I ran the above command, it showed 3 rows, all of them with a different value in 'host' column – IPs of Grafana server, database and localhost. The first one (with IP of Grafana server) had full privileges, others had only select_priv set as 'Y'. i deleted all of the rows with user='grafana', recreated the database from .sql file (I guess that doesn't matter here) and now it's taking user privileges into account. So I assume that was the reason – more specific host value of a user took precedence over just %. If I'm right, thank you for your help. Commented Jun 26, 2020 at 13:02

You must log in to answer this question.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.