aljaz/addons
1
0
Fork 0
mirror of https://github.com/aljazceru/addons.git synced 2025-12-17 05:04:21 +01:00
Code Issues Packages Projects Releases Wiki Activity

Added privilege control per user/db to MariaDB (#1941)

Browse Source 
* Added privilege control per user/db

* Fixes from feedback

* Using list config and added example
This commit is contained in:
Mike Degatano
2021-04-05 07:15:11 -04:00
committed by GitHub
parent 4f3bddfb88
commit 094695aa50
3 changed files with 31 additions and 3 deletions
Download Patch File Download Diff File Expand all files Collapse all files

13
mariadb/DOCS.md
View File

@@ -28,9 +28,15 @@ databases:
logins: logins:
- username: homeassistant - username: homeassistant
password: PASSWORD password: PASSWORD
- username: read_only_user
password: PASSWORD
rights: rights:
- username: homeassistant - username: homeassistant
database: homeassistant database: homeassistant
- username: read_only_user
database: homeassistant
privileges:
- SELECT
``` ```
### Option: `databases` (required) ### Option: `databases` (required)
@@ -61,6 +67,13 @@ This should be the same user name defined in `logins` -> `username`.
This should be the same database defined in `databases`. This should be the same database defined in `databases`.
### Option: `rights.privileges` (optional)
A list of privileges to grant to this user from [grant][grant] like `SELECT` and `CREATE`.
If omitted, grants `ALL PRIVILEGES` to the user. Restricting privileges of the user
that Home Assistant uses is not recommended but if you want to allow other applications
to view recorder data should create a user limited to read-only access on the database.
## Home Assistant Configuration ## Home Assistant Configuration
MariaDB will be used by the `recorder` and `history` components within Home Assistant. For more information about setting this up, see the [recorder integration][mariadb-ha-recorder] documentation for Home Assistant. MariaDB will be used by the `recorder` and `history` components within Home Assistant. For more information about setting this up, see the [recorder integration][mariadb-ha-recorder] documentation for Home Assistant.

10
mariadb/config.json
View File

@@ -25,7 +25,15 @@
"schema": { "schema": {
"databases": ["str"], "databases": ["str"],
"logins": [{ "username": "str", "password": "password" }], "logins": [{ "username": "str", "password": "password" }],
"rights": [{ "username": "str", "database": "str" }] "rights": [
{
"username": "str",
"database": "str",
"privileges": [
"list(ALTER|CREATE|CREATE ROUTINE|CREATE TEMPORARY TABLES|CREATE VIEW|DELETE|DELETE HISTORY|DROP|EVENT|GRANT OPTION|INDEX|INSERT|LOCK TABLES|SELECT|SHOW VIEW|TRIGGER|UPDATE)?"
]
}
]
}, },
"image": "homeassistant/{arch}-addon-mariadb" "image": "homeassistant/{arch}-addon-mariadb"
} }

11
mariadb/rootfs/etc/services.d/mariadb/run
View File

@@ -84,8 +84,15 @@ for right in $(bashio::config "rights|keys"); do
USERNAME=$(bashio::config "rights[${right}].username") USERNAME=$(bashio::config "rights[${right}].username")
DATABASE=$(bashio::config "rights[${right}].database") DATABASE=$(bashio::config "rights[${right}].database")
bashio::log.info "Alter rights for ${USERNAME} to ${DATABASE}" if bashio::config.exists "rights[${right}].privileges"; then
mysql -e "GRANT ALL PRIVILEGES ON ${DATABASE}.* TO '${USERNAME}'@'%';" 2> /dev/null || true PRIVILEGES=$(bashio::config "rights[${right}].privileges")
bashio::log.info "Granting ${PRIVILEGES} to ${USERNAME} on ${DATABASE}"
mysql -e "REVOKE ALL PRIVILEGES ON ${DATABASE}.* FROM '${USERNAME}'@'%';" || true
mysql -e "GRANT ${PRIVILEGES} ON ${DATABASE}.* TO '${USERNAME}'@'%';" || true
else
bashio::log.info "Granting all privileges to ${USERNAME} on ${DATABASE}"
mysql -e "GRANT ALL PRIVILEGES ON ${DATABASE}.* TO '${USERNAME}'@'%';" 2> /dev/null || true
fi
done done
# Generate service user # Generate service user