Hi!
The installation documentation says that you should grant all SQL privileges to the mattermost user:
mysql> grant all privileges on mattermost.* to 'mmuser'@'%';
I was wondering what are the true minimal SQL privileges Mattermost needs to run normally.
I don't normally like to grant all privileges for security reasons and would really appreciate it if you could publish a minimal SQL database privileges list.
I guess I'm expecting something like Drupal does.
GRANT SELECT, INSERT, UPDATE, DELETE, CREATE, DROP, INDEX, ALTER, CREATE TEMPORARY TABLES ON databasename.* TO 'username'@'localhost' IDENTIFIED BY 'password';
At the database level, MySQL/MariaDB supports:
ALTER, CREATE, CREATE ROUTINE, CREATE TEMPORARY TABLES, CREATE VIEW, DELETE, DELETE HISTORY, DROP, EVENT, INDEX, INSERT, LOCK TABLES, REFERENCES, SELECT, SHOW VIEW, TRIGGER, UPDATE
Does Mattermost really need database level privileges like EVENT or CREATE ROUTINE? If not, why should I grant them?
Thanks for the great work on Mattermost!
@baldurmen, you make a good point -- I'll document the required minimum privileges and get the details back to you.
@lieut-data Thanks! That's really appreciated.
We're not using much by way of advanced database features (intentionally), and so far I've been running (and upgrading) successfully on MySQL using just:
GRANT ALTER, CREATE, DELETE, DROP, INDEX, INSERT, SELECT, UPDATE ON mattermost_test.* TO 'mmuser'@'%'
Let's give this a while to soak while I continue to investigate and I'll confirm by closing out this issue and filing a docs update, including the requisite changes for PostgreSQL.
I tested those privileges and did not have any problems either.
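Applying and checking the reduced grant reported above, as an added example that is not part of the original thread or the Mattermost documentation. It assumes the `mattermost` database and `'mmuser'@'%'` account from the installation command quoted at the top, an account that currently holds the blanket grant, and a session run as an administrative user.

```sql
-- Added example. Database and account names are assumptions taken from the
-- install command quoted in the thread: mattermost, 'mmuser'@'%'.

-- 1. Drop the blanket grant from the installation guide.
REVOKE ALL PRIVILEGES ON mattermost.* FROM 'mmuser'@'%';

-- 2. Re-grant only the privileges reported as sufficient in this thread.
GRANT ALTER, CREATE, DELETE, DROP, INDEX, INSERT, SELECT, UPDATE
    ON mattermost.* TO 'mmuser'@'%';

-- 3. Database-level check: list anything still granted beyond that set
--    (for example EVENT, TRIGGER or CREATE ROUTINE left over from an
--    earlier grant). An empty result is the expected outcome.
SELECT GRANTEE, TABLE_SCHEMA, PRIVILEGE_TYPE
  FROM information_schema.SCHEMA_PRIVILEGES
 WHERE GRANTEE = '''mmuser''@''%'''
   AND TABLE_SCHEMA = 'mattermost'
   AND PRIVILEGE_TYPE NOT IN
       ('ALTER', 'CREATE', 'DELETE', 'DROP',
        'INDEX', 'INSERT', 'SELECT', 'UPDATE');

-- 4. Global check: a grant ON *.* applies to every database and would
--    defeat the database-level restriction. An account with no global
--    privileges shows a single USAGE row here.
SELECT GRANTEE, PRIVILEGE_TYPE
  FROM information_schema.USER_PRIVILEGES
 WHERE GRANTEE = '''mmuser''@''%''';

-- 5. Readable summary of everything the account holds.
SHOW GRANTS FOR 'mmuser'@'%';
```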
Thanks @baldurmen
@lieut-data ok to close off this issue now?
@lindy65: I've got a pending set of documentation changes that I'll get around to pushing to docs.mattermost.com, but I think we can resolve this issue as such for now.