Skip to content

fix: Database_observability: grant check only require SELECT *.* on perf_schema#5294

Merged
matthewnolf merged 4 commits intomainfrom
mn/db-o11y-mysql/status-permissions-fix
Jan 22, 2026
Merged

fix: Database_observability: grant check only require SELECT *.* on perf_schema#5294
matthewnolf merged 4 commits intomainfrom
mn/db-o11y-mysql/status-permissions-fix

Conversation

@matthewnolf
Copy link
Contributor

@matthewnolf matthewnolf commented Jan 20, 2026

Brief description of Pull Request

This change fixes the MySQL health_check for permissions being overly restrictive. For SELECT permissions, we only need performance_schema.* - not *.*. This updates the logic to more thoroughly check for performance_schema access.

Pull Request Details

Issue(s) fixed by this Pull Request

Notes to the Reviewer

PR Checklist

  • Documentation added
  • Tests updated
  • Config converters updated

@matthewnolf matthewnolf requested a review from a team as a code owner January 20, 2026 13:20
cristiangreco
cristiangreco reviewed Jan 21, 2026
View reviewed changes
internal/component/database_observability/mysql/collector/health_check.go
Comment on lines +185 to +187
if strings.Contains(up, "SHOW VIEW") {
req["SHOW VIEW"] = true
}
Copy link
Contributor

@cristiangreco cristiangreco Jan 21, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Maybe for a followup: would be cool to show on which objects SHOW VIEW is granted (e.g. *.* vs payments.* or something else), as it helps debug why e.g. a specific schema is not reported.

cristiangreco
cristiangreco reviewed Jan 21, 2026
View reviewed changes
internal/component/database_observability/mysql/collector/health_check.go
}
}

r.result = req["PROCESS"] && req["REPLICATION CLIENT"] && req["SELECT"] && req["SHOW VIEW"]
Copy link
Contributor

@cristiangreco cristiangreco Jan 21, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Could we add to r.result the list of expected vs missing grants?

Copy link
Contributor Author

@matthewnolf matthewnolf Jan 21, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

r.result is a boolean whether the check passed or failed.
r.value can be used to send details of the check.

This comment seems similar to #5294 (comment) in which we attach more information about which grant is missing?

Copy link
Contributor

@cristiangreco cristiangreco Jan 22, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

r.result is a boolean whether the check passed or failed.
r.value can be used to send details of the check.

Sorry I confused the two fields. But yeah, basically I was thinking of attaching more info like I mentioned in the other comment.

@matthewnolf matthewnolf force-pushed the mn/db-o11y-mysql/status-permissions-fix branch from e8b9891 to d89ceee Compare January 22, 2026 12:05
@matthewnolf matthewnolf merged commit 490017c into main Jan 22, 2026
47 checks passed
@matthewnolf matthewnolf deleted the mn/db-o11y-mysql/status-permissions-fix branch January 22, 2026 12:32
This was referenced Jan 22, 2026
Draft
Merged
@BrewTestBot BrewTestBot mentioned this pull request Feb 5, 2026
Closed
@github-actions github-actions bot locked as resolved and limited conversation to collaborators Feb 6, 2026
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.

Reviewers

@cristiangreco cristiangreco cristiangreco approved these changes

Assignees

No one assigned

Labels

frozen-due-to-age

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@matthewnolf @cristiangreco