
Commit 1b1a11a

committed
MySQL 8.0: Grant required privileges to xtrabackup user
1 parent 506563b commit 1b1a11a


2 files changed

+108
-11
lines changed


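--- a/manifests/backup/xtrabackup.pp
+++ b/manifests/backup/xtrabackup.pp
@@ -48,22 +48,57 @@
 password_hash => mysql::password($backuppassword),
 require => Class['mysql::server::root_password'],
 }
-
-if $::osfamily == 'debian' and $::operatingsystemmajrelease == '11' {
-mysql_grant { "${backupuser}@localhost/*.*":
+if versioncmp($facts['mysql_version'], '8') == -1 {
+if $::osfamily == 'debian' and $::operatingsystemmajrelease == '11' {
+mysql_grant { "${backupuser}@localhost/*.*":
+ensure => $ensure,
+user => "${backupuser}@localhost",
+table => '*.*',
+privileges => ['BINLOG MONITOR', 'RELOAD', 'PROCESS', 'LOCK TABLES'],
+require => Mysql_user["${backupuser}@localhost"],
+}
+}
+else {
+mysql_grant { "${backupuser}@localhost/*.*":
+ensure => $ensure,
+user => "${backupuser}@localhost",
+table => '*.*',
+privileges => ['RELOAD', 'PROCESS', 'LOCK TABLES', 'REPLICATION CLIENT'],
+require => Mysql_user["${backupuser}@localhost"],
+}
+}
+}
+if versioncmp($facts['mysql_version'], '8') >= 0 {
+if $::osfamily == 'debian' and $::operatingsystemmajrelease == '11' {
+mysql_grant { "${backupuser}@localhost/*.*":
+ensure => $ensure,
+user => "${backupuser}@localhost",
+table => '*.*',
+privileges => ['BINLOG MONITOR', 'RELOAD', 'PROCESS', 'LOCK TABLES', 'BACKUP_ADMIN'],
+require => Mysql_user["${backupuser}@localhost"],
+}
+}
+else {
+mysql_grant { "${backupuser}@localhost/*.*":
+ensure => $ensure,
+user => "${backupuser}@localhost",
+table => '*.*',
+privileges => ['RELOAD', 'PROCESS', 'LOCK TABLES', 'REPLICATION CLIENT', 'BACKUP_ADMIN'],
+require => Mysql_user["${backupuser}@localhost"],
+}
+}
+mysql_grant { "${backupuser}@localhost/performance_schema.keyring_component_status":
 ensure => $ensure,
 user => "${backupuser}@localhost",
-table => '*.*',
-privileges => ['BINLOG MONITOR', 'RELOAD', 'PROCESS', 'LOCK TABLES'],
+table => 'performance_schema.keyring_component_status',
+privileges => ['SELECT'],
 require => Mysql_user["${backupuser}@localhost"],
 }
-}
-else {
-mysql_grant { "${backupuser}@localhost/*.*":
+mysql_grant { "${backupuser}@localhost/performance_schema.log_status":
 ensure => $ensure,
 user => "${backupuser}@localhost",
-table => '*.*',
-privileges => ['RELOAD', 'PROCESS', 'LOCK TABLES', 'REPLICATION CLIENT'],
+table => 'performance_schema.log_status',
+privileges => ['SELECT'],
 require => Mysql_user["${backupuser}@localhost"],
 }
 }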
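Review bot: The Debian 11 branch inside the `versioncmp($facts['mysql_version'], '8') >= 0` block grants `'BINLOG MONITOR'` together with `'BACKUP_ADMIN'`; as far as I know the first is a MariaDB privilege and the second a MySQL 8.0 dynamic privilege, so no single server would accept that list. If the `mysql_version` fact reports MariaDB's own 10.x version number, every MariaDB node also takes the `>= 0` path and is given `BACKUP_ADMIN` plus the two `performance_schema` grants, which look specific to MySQL 8. I would bound the gate, e.g. `if $facts['mysql_version'] and versioncmp($facts['mysql_version'], '8') >= 0 and versioncmp($facts['mysql_version'], '10') < 0 {`, and fold the two complementary `if`s into one `if`/`else` so that `versioncmp` is never called on an absent fact. A grant that fails to apply leaves the backup account without the rights it needs, so this is worth confirming against a MariaDB host before merging. The enclosing class starts and ends outside this hunk.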

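--- a/spec/classes/mysql_backup_xtrabackup_spec.rb
+++ b/spec/classes/mysql_backup_xtrabackup_spec.rb
@@ -11,7 +11,8 @@ class { 'mysql::server': }
 EOF
 end
 let(:facts) do
-facts.merge(root_home: '/root')
+facts.merge(root_home: '/root',
+mysql_version: '5.7')
 end
 
 let(:default_params) do
@@ -114,6 +115,67 @@ class { 'mysql::server': }
 )
 .that_requires('Mysql_user[backupuser@localhost]')
 end
+
+context 'with MySQL version 5.7' do
+let(:facts) do
+facts.merge(mysql_version: '5.7')
+end
+
+it {
+is_expected.not_to contain_mysql_grant('backupuser@localhost/performance_schema.keyring_component_status')
+is_expected.not_to contain_mysql_grant('backupuser@localhost/performance_schema.log_status')
+is_expected.not_to contain_mysql_grant('backupuser@localhost/*.*')
+.with(
+ensure: 'present',
+user: 'backupuser@localhost',
+table: '*.*',
+privileges:
+['BACKUP_ADMIN']
+)
+.that_requires('Mysql_user[backupuser@localhost]')
+}
+end
+
+context 'with MySQL version 8.0' do
+let(:facts) do
+facts.merge(mysql_version: '8.0')
+end
+
+it {
+is_expected.to contain_mysql_grant('backupuser@localhost/*.*')
+.with(
+ensure: 'present',
+user: 'backupuser@localhost',
+table: '*.*',
+privileges:
+if facts[:osfamily] == 'Debian' && Puppet::Util::Package.versioncmp(facts[:operatingsystemmajrelease], '11') == 0
+['BINLOG MONITOR', 'RELOAD', 'PROCESS', 'LOCK TABLES', 'BACKUP_ADMIN']
+else
+['RELOAD', 'PROCESS', 'LOCK TABLES', 'REPLICATION CLIENT', 'BACKUP_ADMIN']
+end,
+)
+.that_requires('Mysql_user[backupuser@localhost]')
+is_expected.to contain_mysql_grant('backupuser@localhost/performance_schema.keyring_component_status')
+.with(
+ensure: 'present',
+user: 'backupuser@localhost',
+table: 'performance_schema.keyring_component_status',
+privileges:
+['SELECT']
+)
+.that_requires('Mysql_user[backupuser@localhost]')
+
+is_expected.to contain_mysql_grant('backupuser@localhost/performance_schema.log_status')
+.with(
+ensure: 'present',
+user: 'backupuser@localhost',
+table: 'performance_schema.log_status',
+privileges:
+['SELECT']
+)
+.that_requires('Mysql_user[backupuser@localhost]')
+}
+end
 end
 
 context 'with additional cron args' do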
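Review bot: The negated `*.*` expectation in the 'with MySQL version 5.7' context looks unable to fail: as far as I understand the rspec-puppet matcher, `not_to contain_mysql_grant('backupuser@localhost/*.*').with(privileges: ['BACKUP_ADMIN'])` only rules out a grant whose privilege list is exactly `['BACKUP_ADMIN']`, and no branch of the manifest builds that list. A regression that adds `BACKUP_ADMIN` to the 5.7 privilege set of the backup account would therefore pass unnoticed. Assert the expected list positively instead, e.g. `is_expected.to contain_mysql_grant('backupuser@localhost/*.*').with(privileges: expected_57_privileges)`, where `expected_57_privileges` is a placeholder for the same Debian 11 conditional the 8.0 context uses without `'BACKUP_ADMIN'`. Neither context compiles the catalog with the `mysql_version` fact absent, so that path stays untested as well. The enclosing describe block starts and ends outside these hunks.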
