
Commit 6054c24

committed
MySQL 8.0: Grant required privileges to xtrabackup user
1 parent 506563b commit 6054c24


2 files changed

+108
-11
lines changed


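--- a/manifests/backup/xtrabackup.pp
+++ b/manifests/backup/xtrabackup.pp
@@ -48,25 +48,60 @@
 password_hash => mysql::password($backuppassword),
 require => Class['mysql::server::root_password'],
 }
-
-if $::osfamily == 'debian' and $::operatingsystemmajrelease == '11' {
-mysql_grant { "${backupuser}@localhost/*.*":
+if versioncmp($facts['mysql_version'], '8') >= 0 {
+if $::osfamily == 'debian' and $::operatingsystemmajrelease == '11' {
+mysql_grant { "${backupuser}@localhost/*.*":
+ensure => $ensure,
+user => "${backupuser}@localhost",
+table => '*.*',
+privileges => ['BINLOG MONITOR', 'RELOAD', 'PROCESS', 'LOCK TABLES', 'BACKUP_ADMIN'],
+require => Mysql_user["${backupuser}@localhost"],
+}
+}
+else {
+mysql_grant { "${backupuser}@localhost/*.*":
+ensure => $ensure,
+user => "${backupuser}@localhost",
+table => '*.*',
+privileges => ['RELOAD', 'PROCESS', 'LOCK TABLES', 'REPLICATION CLIENT', 'BACKUP_ADMIN'],
+require => Mysql_user["${backupuser}@localhost"],
+}
+}
+mysql_grant { "${backupuser}@localhost/performance_schema.keyring_component_status":
 ensure => $ensure,
 user => "${backupuser}@localhost",
-table => '*.*',
-privileges => ['BINLOG MONITOR', 'RELOAD', 'PROCESS', 'LOCK TABLES'],
+table => 'performance_schema.keyring_component_status',
+privileges => ['SELECT'],
 require => Mysql_user["${backupuser}@localhost"],
 }
-}
-else {
-mysql_grant { "${backupuser}@localhost/*.*":
+mysql_grant { "${backupuser}@localhost/performance_schema.log_status":
 ensure => $ensure,
 user => "${backupuser}@localhost",
-table => '*.*',
-privileges => ['RELOAD', 'PROCESS', 'LOCK TABLES', 'REPLICATION CLIENT'],
+table => 'performance_schema.log_status',
+privileges => ['SELECT'],
 require => Mysql_user["${backupuser}@localhost"],
 }
 }
+else {
+if $::osfamily == 'debian' and $::operatingsystemmajrelease == '11' {
+mysql_grant { "${backupuser}@localhost/*.*":
+ensure => $ensure,
+user => "${backupuser}@localhost",
+table => '*.*',
+privileges => ['BINLOG MONITOR', 'RELOAD', 'PROCESS', 'LOCK TABLES'],
+require => Mysql_user["${backupuser}@localhost"],
+}
+}
+else {
+mysql_grant { "${backupuser}@localhost/*.*":
+ensure => $ensure,
+user => "${backupuser}@localhost",
+table => '*.*',
+privileges => ['RELOAD', 'PROCESS', 'LOCK TABLES', 'REPLICATION CLIENT'],
+require => Mysql_user["${backupuser}@localhost"],
+}
+}
+}
 }
 
 if $install_cron {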
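Review bot: The new gate `versioncmp($facts['mysql_version'], '8') >= 0` tests only a version number, so any server whose `mysql_version` fact sorts at or above 8 takes the MySQL 8.0 branch; a MariaDB 10.x server would presumably satisfy it and be sent `BACKUP_ADMIN` and the two `performance_schema` SELECT grants, which are MySQL 8.0 features. The Debian 11 arm inside that branch combines `BINLOG MONITOR` with `BACKUP_ADMIN`, and as far as I know no single server flavour accepts both, so that grant would fail and leave the backup account without its privileges. The fact is also read unguarded, so a node where it is not yet set (a first run before the server is installed) may fail compilation instead of falling through to the pre-8.0 branch. I would gate on presence and flavour as well, e.g. `if $facts['mysql_version'] and versioncmp($facts['mysql_version'], '8') >= 0 and <server-is-not-MariaDB check> {`, and add a comment such as `# MySQL 8.0 only: xtrabackup needs BACKUP_ADMIN plus SELECT on these two performance_schema tables; keep this list minimal`. The enclosing class starts and ends outside the hunk.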

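--- a/spec/classes/mysql_backup_xtrabackup_spec.rb
+++ b/spec/classes/mysql_backup_xtrabackup_spec.rb
@@ -11,7 +11,8 @@ class { 'mysql::server': }
 EOF
 end
 let(:facts) do
-facts.merge(root_home: '/root')
+facts.merge(root_home: '/root',
+mysql_version: '5.7')
 end
 
 let(:default_params) do
@@ -114,6 +115,67 @@ class { 'mysql::server': }
 )
 .that_requires('Mysql_user[backupuser@localhost]')
 end
+
+context 'with MySQL version 5.7' do
+let(:facts) do
+facts.merge(mysql_version: '5.7')
+end
+
+it {
+is_expected.not_to contain_mysql_grant('backupuser@localhost/performance_schema.keyring_component_status')
+is_expected.not_to contain_mysql_grant('backupuser@localhost/performance_schema.log_status')
+is_expected.not_to contain_mysql_grant('backupuser@localhost/*.*')
+.with(
+ensure: 'present',
+user: 'backupuser@localhost',
+table: '*.*',
+privileges:
+['BACKUP_ADMIN']
+)
+.that_requires('Mysql_user[backupuser@localhost]')
+}
+end
+
+context 'with MySQL version 8.0' do
+let(:facts) do
+facts.merge(mysql_version: '8.0')
+end
+
+it {
+is_expected.to contain_mysql_grant('backupuser@localhost/*.*')
+.with(
+ensure: 'present',
+user: 'backupuser@localhost',
+table: '*.*',
+privileges:
+if facts[:osfamily] == 'Debian' && Puppet::Util::Package.versioncmp(facts[:operatingsystemmajrelease], '11') == 0
+['BINLOG MONITOR', 'RELOAD', 'PROCESS', 'LOCK TABLES', 'BACKUP_ADMIN']
+else
+['RELOAD', 'PROCESS', 'LOCK TABLES', 'REPLICATION CLIENT', 'BACKUP_ADMIN']
+end,
+)
+.that_requires('Mysql_user[backupuser@localhost]')
+is_expected.to contain_mysql_grant('backupuser@localhost/performance_schema.keyring_component_status')
+.with(
+ensure: 'present',
+user: 'backupuser@localhost',
+table: 'performance_schema.keyring_component_status',
+privileges:
+['SELECT']
+)
+.that_requires('Mysql_user[backupuser@localhost]')
+
+is_expected.to contain_mysql_grant('backupuser@localhost/performance_schema.log_status')
+.with(
+ensure: 'present',
+user: 'backupuser@localhost',
+table: 'performance_schema.log_status',
+privileges:
+['SELECT']
+)
+.that_requires('Mysql_user[backupuser@localhost]')
+}
+end
 end
 
 context 'with additional cron args' do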
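Review bot: The 5.7 context cannot fail on the regression it is meant to catch: as I read the matcher, `is_expected.not_to contain_mysql_grant('backupuser@localhost/*.*').with(... privileges: ['BACKUP_ADMIN'])` only rejects a grant whose privilege list is exactly `['BACKUP_ADMIN']`, so a 5.7 catalog that gained `BACKUP_ADMIN` next to `RELOAD`, `PROCESS` and `LOCK TABLES` would still pass. Since this spec is what keeps the backup account's privilege set pinned, assert the positive instead, e.g. `is_expected.to contain_mysql_grant('backupuser@localhost/*.*').with(privileges: ['RELOAD', 'PROCESS', 'LOCK TABLES', 'REPLICATION CLIENT'])`, wrapped in the same Debian 11 conditional the 8.0 context uses. Separately, `facts.merge(mysql_version: ...)` inside the nested `let(:facts)` blocks appears to start from the raw per-OS facts rather than the outer `let`, which would drop `root_home: '/root'`; this is worth confirming, because `facts` is defined outside the hunk.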
