Added privilege control per user/db to MariaDB (#1941)

* Added privilege control per user/db * Fixes from feedback * Using list config and added example
2025-12-17 13:14:21 +01:00 · 2021-04-05 07:15:11 -04:00
parent 4f3bddfb88
commit 094695aa50
3 changed files with 31 additions and 3 deletions
--- a/mariadb/DOCS.md
+++ b/mariadb/DOCS.md
@@ -28,9 +28,15 @@ databases:
 logins:
  - username: homeassistant
    password: PASSWORD
+  - username: read_only_user
+    password: PASSWORD
 rights:
  - username: homeassistant
    database: homeassistant
+  - username: read_only_user
+    database: homeassistant
+    privileges:
+      - SELECT
 ```

 ### Option: `databases` (required)
@@ -61,6 +67,13 @@ This should be the same user name defined in `logins` -> `username`.

 This should be the same database defined in `databases`.

+### Option: `rights.privileges` (optional)
+
+A list of privileges to grant to this user from [grant][grant] like `SELECT` and `CREATE`.
+If omitted, grants `ALL PRIVILEGES` to the user. Restricting privileges of the user
+that Home Assistant uses is not recommended but if you want to allow other applications
+to view recorder data should create a user limited to read-only access on the database.
+
 ## Home Assistant Configuration

 MariaDB will be used by the `recorder` and `history` components within Home Assistant. For more information about setting this up, see the [recorder integration][mariadb-ha-recorder] documentation for Home Assistant.
--- a/mariadb/config.json
+++ b/mariadb/config.json
@@ -25,7 +25,15 @@
  "schema": {
    "databases": ["str"],
    "logins": [{ "username": "str", "password": "password" }],
-    "rights": [{ "username": "str", "database": "str" }]
+    "rights": [
+      {
+        "username": "str",
+        "database": "str",
+        "privileges": [
+          "list(ALTER|CREATE|CREATE ROUTINE|CREATE TEMPORARY TABLES|CREATE VIEW|DELETE|DELETE HISTORY|DROP|EVENT|GRANT OPTION|INDEX|INSERT|LOCK TABLES|SELECT|SHOW VIEW|TRIGGER|UPDATE)?"
+        ]
+      }
+    ]
  },
  "image": "homeassistant/{arch}-addon-mariadb"
 }
--- a/mariadb/rootfs/etc/services.d/mariadb/run
+++ b/mariadb/rootfs/etc/services.d/mariadb/run
@@ -84,8 +84,15 @@ for right in $(bashio::config "rights|keys"); do
    USERNAME=$(bashio::config "rights[${right}].username")
    DATABASE=$(bashio::config "rights[${right}].database")

-    bashio::log.info "Alter rights for ${USERNAME} to ${DATABASE}"
+    if bashio::config.exists "rights[${right}].privileges"; then
+        PRIVILEGES=$(bashio::config "rights[${right}].privileges")
+        bashio::log.info "Granting ${PRIVILEGES} to ${USERNAME} on ${DATABASE}"
+        mysql -e "REVOKE ALL PRIVILEGES ON ${DATABASE}.* FROM '${USERNAME}'@'%';" || true
+        mysql -e "GRANT ${PRIVILEGES} ON ${DATABASE}.* TO '${USERNAME}'@'%';" || true
+    else
+        bashio::log.info "Granting all privileges to ${USERNAME} on ${DATABASE}"
        mysql -e "GRANT ALL PRIVILEGES ON ${DATABASE}.* TO '${USERNAME}'@'%';" 2> /dev/null || true
+    fi
 done

 # Generate service user