On Jan 22, 2008, at 3:04 PM, Geoff Franks wrote:
So, I'm not sure how useful or good of an idea this is, but I discovered it while setting up our mysql zenpack. By default, the ZenPack wants a root username/password to connect. I find this quite insecure, so I wanted to use my own account. I generated a regular account with no privileges on any database, and get the access denied error on the mysql db for that user, when Zenoss runs its queries. When I add select for mysql.*, the connection works fine. However, this still leaves me with an account containing privileges, when in theory none are required to do "show status" (what I believe the ZenPack is running to get data). So, I modified the python code on the check_mysql_stats.py script, on line 37/38:

37 self.conn = MySQLdb.connect(host=self.host, port=self.port,
38                     db='', user=self.user, passwd=self.passwd)

Essentially, I just deleted the phrase "mysql" from the db parameter. In my limited testing, this appears to work fine on our mysql 5.0 server. I haven't tried on 4.x yet, and don't have any running 5.1, or 6. However, it seems like removing the db dependency would enable people to use accounts with privileges only to authenticate, but not use any databases, resulting in a more secure database environment.

Eric Newton just brought this topic to my attention. I missed it when it came by the first time, but it looks like a great idea and works great. I've filed a ticket and made the required updates to the MySqlMonitor ZenPack for the 2.2 release to incorporate this type of access.

Ticket #2855: Fix MySqlMonitor to require less privilege to MySQL
http://dev.zenoss.org/trac/ticket/2855
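
Added example, not part of the original thread and not Zenoss code: a small audit of `SHOW GRANTS` output that lists every privilege a monitoring account holds beyond bare USAGE, the authenticate-only level the thread argues is enough for "show status". The account name `zenoss`, the host, and the sample grant lines are constructed for illustration.

```python
import re

# One line of MySQL `SHOW GRANTS` output, for example:
#   GRANT SELECT ON `mysql`.* TO 'zenoss'@'localhost'
GRANT_RE = re.compile(
    r"^GRANT\s+(?P<privs>.+?)\s+ON\s+(?:(?:TABLE|FUNCTION|PROCEDURE)\s+)?"
    r"(?P<scope>\S+)\s+TO\s+'[^']*'@'[^']*'(?P<rest>.*)$",
    re.IGNORECASE,
)

def excess_privileges(show_grants_lines):
    """Return [(scope, privilege), ...] for every grant beyond bare USAGE."""
    findings = []
    for line in show_grants_lines:
        line = line.strip()
        if not line:
            continue
        m = GRANT_RE.match(line)
        if m is None:
            raise ValueError("unrecognised SHOW GRANTS line: %r" % line)
        scope = m.group("scope").replace("`", "")
        # Split on commas that are not inside a column list such as SELECT (a, b).
        for priv in re.split(r",\s*(?![^()]*\))", m.group("privs")):
            if priv.strip().upper() != "USAGE":
                findings.append((scope, priv.strip()))
        if "WITH GRANT OPTION" in m.group("rest").upper():
            findings.append((scope, "GRANT OPTION"))
    return findings

# Constructed sample output; the account name and host are hypothetical.
SELECT_ON_MYSQL = [
    "GRANT USAGE ON *.* TO 'zenoss'@'localhost' IDENTIFIED BY PASSWORD '<hash elided>'",
    "GRANT SELECT ON `mysql`.* TO 'zenoss'@'localhost'",
]
USAGE_ONLY = [
    "GRANT USAGE ON *.* TO 'zenoss'@'localhost' IDENTIFIED BY PASSWORD '<hash elided>'",
]
ROOT_LIKE = [
    "GRANT ALL PRIVILEGES ON *.* TO 'root'@'localhost' WITH GRANT OPTION",
]

if __name__ == "__main__":
    for name, grants in (("select on mysql.*", SELECT_ON_MYSQL),
                         ("usage only", USAGE_ONLY),
                         ("root-like", ROOT_LIKE)):
        print(name, "->", excess_privileges(grants) or "no excess privileges")
```

Feed it the rows returned by `SHOW GRANTS` for the monitoring account; an empty result means the account can authenticate but holds no database privileges.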