Give limited access to pmm user while connecting pmm-client to mysql service

Ayushi-gupta · May 3, 2023, 11:28am

Hello everyone, As I am connecting my pmm-client to the MySQL instance and according to docs when we add pmm-client to mariadb: command is :

GRANT SELECT, PROCESS, SUPER, REPLICATION CLIENT, RELOAD, BACKUP_ADMIN ON . TO ‘pmm’@‘localhost’;

But I want to give pmm-user specific access, not all the access. I don’t want that pmm user to write to any of my databases as somehow my percona server is comprised, it can comprise my database also.

So, can we give some limited access to pmm-user to the database or can we give access to pmm-user to access only database logs, not the whole database?

matthewb · May 3, 2023, 4:46pm

Hello @Ayushi-gupta,
The GRANT you show has no write permissions to any databases; only read access.

Ayushi-gupta · May 4, 2023, 5:25am

So, is not risky to give the pmm server to access read the database? As if the pmm-server is compromised, anyone can read our database. So, can we give only permission for pmm-user to access only logs of database?

matthewb · May 4, 2023, 2:38pm

I believe you can restrict SELECT to only mysql.*, information_schema.*, and performance_schema.* The other permissions are global and thus require *.*

Topic		Replies	Views
Super privileges for pmm user PMM 1.x	1	2019	January 17, 2019
Pmm, pmm server , pmm client Percona Monitoring and Management (PMM) percona	10	711	May 16, 2022
Why PMM User need Super privileges? Percona Monitoring and Management (PMM)	2	869	January 26, 2021
Exact permissions need PMM user on Postgresql? PMM 2.x postgres , postgresql	1	212	February 6, 2024
PMM2 - Connection check failed pmm , mysql , percona	22	2522	June 4, 2022

Give limited access to pmm user while connecting pmm-client to mysql service

Related Topics