Minimum MySQL permission for RT database access

Hello,

I have spent an hour or so looking at the least recommended permission RT
needs to be able to manage mysql database and everybody seems to be taking
the easy way, grant everything.

Is it possible Best Practice has listed the necessary grants that are needed
for RT to work successfully on mysql server that I missed? Would appreciate
any guidance.

Regards,

William

> Hello,
>
> I have spent an hour or so looking at the least recommended permission RT
> needs to be able to manage mysql database and everybody seems to be taking
> the easy way, grant everything.

People usually don’t grant any mysql level permissions and just trust RT to
do so and the following is what RT grants:

    "GRANT SELECT,INSERT,CREATE,INDEX,UPDATE,DELETE
     ON $db_name.*
     TO '$db_user'@'$db_rthost'
     IDENTIFIED BY '$db_pass';",
    );

It’s a bit over-granting and I believe that our code is clean enough that
it’s possible to limit the list to SELECT,INSERT,UPDATE,DELETE, but I can
not say it’s possible for sure without fixing code.

> Is it possible Best Practice has listed the necessary grants that are
> needed for RT to work successfully on mysql server that I missed? Would
> appreciate any guidance.

RT’s user in mysql (RT uses one account for operation) has to have SELECT,
INSERT, UPDATE, DELETE rights on all RT’s tables to operate. Upgrade steps
should use DBA account for steps that require DROP/CREATE/ALTER/INDEX or
any other rights, but as I said, considering above GRANT, this code may
have “bugs” and use RT’s primary account to perform some upgrade
operations.

What is the problem you’re trying to solve?

> Regards,
>
> William

Best regards, Ruslan.
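
The split described in the reply above, written out as MySQL statements. This is an added example, not part of the original thread and not Best Practical's code. The names rt4, rt_user, rt_dba, localhost and the password are placeholders, and, as the reply says, whether RT runs cleanly on only the four data privileges is not confirmed, so try it on a test instance first.

```sql
-- Run as a MySQL administrator. All names below are placeholders (assumptions):
-- database rt4, runtime account 'rt_user'@'localhost', upgrade account 'rt_dba'@'localhost'.

-- 1. What the runtime account holds today.
SHOW GRANTS FOR 'rt_user'@'localhost';

-- 2. Audit: schema-level privileges beyond the four that the reply says RT
--    needs to operate. GRANTEE is stored with its quotes, hence the doubled
--    single quotes in the literal.
SELECT GRANTEE, TABLE_SCHEMA, PRIVILEGE_TYPE
FROM information_schema.SCHEMA_PRIVILEGES
WHERE GRANTEE = '''rt_user''@''localhost'''
  AND TABLE_SCHEMA = 'rt4'
  AND PRIVILEGE_TYPE NOT IN ('SELECT', 'INSERT', 'UPDATE', 'DELETE');

-- 3. Remove the two extras that the GRANT quoted above adds.
REVOKE CREATE, INDEX ON rt4.* FROM 'rt_user'@'localhost';

-- 4. Separate account for upgrade steps that need DROP/CREATE/ALTER/INDEX.
--    Keep its credentials out of the RT runtime configuration.
CREATE USER 'rt_dba'@'localhost' IDENTIFIED BY 'replace-with-a-strong-password';
GRANT SELECT, INSERT, UPDATE, DELETE, CREATE, ALTER, DROP, INDEX
  ON rt4.* TO 'rt_dba'@'localhost';

-- 5. Re-run the audit query from step 2; it should now return no rows.
--    If RT later fails with "command denied" errors, the denied statement
--    names the privilege that the runtime account still relies on.
```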

Hello,

is it possible to set NotifyActor per queue basis?

Thanks,
Andrea

Every time I type ‘win’, I loose …

Ing. Andrea Gabellini
Email: andrea.gabellini@telecomitalia.sm
Skype: andreagabellini
Tel: (+378) 0549 886111
Fax: (+378) 0549 886188

Telecom Italia San Marino S.p.A.
Strada degli Angariari, 3
47891 Rovereta
Republic of San Marino

http://www.telecomitalia.sm

> Hello,
>
> is it possible to set NotifyActor per queue basis?

No. If you wanted to hack up some Perl, you could do it. I don’t
recommend it. What’s your use case?

Thank you

That’s what I was looking for. Agree, it’s a little unnecessary but prefer
not being too generous as the application is external facing.

If you guys ever get around to cleaning the code to just use select, insert,
update and delete, please document it somewhere.

William

Thomas,

I have 10 queues and only in one of them I need to notify the actor.
What about a config like this?

Set(NotifyActor, {
    'default' => '0',
    'queue-name' => '1',
});

When looking for faults, use a mirror, not a telescope.


> Thomas,
>
> I have 10 queues and only in one of them I need to notify the actor.
> What about a config like this?
>
> Set(NotifyActor, {
>     'default' => '0',
>     'queue-name' => '1',
> });

I understand the concept. What I’m asking is for an explanation why you
want it for only 1 queue but not all the others.

Filed a ticket.

Best regards, Ruslan.

Thomas,

this queue is a low traffic queue, and users that use it aren’t so
familiar with RT, so they prefer to have all emails in their mailbox,
also those they send.

Thanks,
Andrea

Maintenance-free: When it breaks, it can’t be fixed…


> Thomas,
>
> this queue is a low traffic queue, and users that use it aren’t so
> familiar with RT, so they prefer to have all emails in their mailbox,
> also those they send.

Nod. NotifyActor is also changeable as a per-user preference (Logged in as
… -> Settings, look under the “Mail” section).

Perhaps it would be sufficient for those users to simply flip the
"Outgoing mail" preference to yes for themselves while leaving the
global $NotifyActor preference off.

Thomas,

thank you. The solution was so simple…

Andrea

Why do they call this a word processor? It’s simple, … you’ve seen
what food processors do to food, right?
