About PMM security problem.


I’ve installed the pmm-latest version.

But there is some security issue.

The pmm db user has too many privileges in the database (including select all data / super).

And the pmm db user’s password is in pmm.yml.

So it could be dangerous.

How could I solve this security problem?

Could we encrypt the pmm.yml file?


The situation with PMM is no different from any other application/script you choose to run on your server. It needs to have the password, and in the vast majority of cases it will be stored in the config file.

PMM configuration files are only accessible by the “root” user, which will protect credentials from being accessed by other users.

You can also use file system level encryption if your policies prevent you from having any passwords stored in plain text.

In terms of PMM permissions - you can revoke certain privileges, but then some functionality will become unavailable. For example, the SELECT you mention is needed for PMM to be able to run EXPLAIN on the queries.
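
One way to verify on your own host that the configuration file really is reachable only by root, as the answer above states. This is an added example, not part of the original thread and not PMM's own code; the function name `audit_secret_file` is hypothetical, and the path to pmm.yml is passed as an argument because the thread does not give it.

```python
import os
import stat
import sys

def audit_secret_file(path, expected_uid=0):
    """Return a list of findings for a credentials file; an empty list means it passed."""
    findings = []
    if os.path.islink(path):
        findings.append("path is a symlink; the target is what gets audited")
    st = os.stat(path)
    if not stat.S_ISREG(st.st_mode):
        findings.append("not a regular file")
    if st.st_uid != expected_uid:
        findings.append(f"file owner is uid {st.st_uid}, expected {expected_uid}")
    # Any group/other bit means accounts besides the owner can reach the password.
    if st.st_mode & (stat.S_IRWXG | stat.S_IRWXO):
        findings.append(f"file mode {stat.S_IMODE(st.st_mode):04o} grants group/other access")
    # A directory writable by others lets them swap the file for one they control.
    parent = os.path.dirname(os.path.abspath(path))
    ds = os.stat(parent)
    if ds.st_uid not in (0, expected_uid):
        findings.append(f"directory {parent} is owned by uid {ds.st_uid}")
    if ds.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        findings.append(f"directory {parent} is writable by group/other")
    return findings

if __name__ == "__main__":
    if len(sys.argv) != 2:
        sys.exit("usage: audit_secret_file.py /path/to/pmm.yml")
    problems = audit_secret_file(sys.argv[1])
    for p in problems:
        print("FINDING:", p)
    sys.exit(1 if problems else 0)
```

The script exits non-zero when it reports a finding, so it can run from cron or a configuration-management check.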