Note:
This topic has been translated from a Chinese forum by GPT and might contain errors.
Original topic: 使用dm全量同步预检用户权限优化 (Optimizing the user permission pre-check for DM full synchronization)
[Problem Scenario Involved]
When adding a synchronization task with task-mode: all for full synchronization, if the user lacks the Reload and Process permissions, there is a clear prompt. However, if the user lacks select permissions, there is no prompt, and it directly reports that a certain table does not exist.
[Expected Requirement Behavior]
- It is expected that DM can pre-check the user’s select permissions in task-mode: all.
- In the TiDB user community, some members have suggested that tables synchronized by DM must be modified, as directly created tables may have issues like hotspot writing, especially for large tables and frequently updated tables. It is expected that DM can remind users or directly provide optimization suggestions.
This involves fundamental logic. When you cannot query a table, should you be informed that the table exists but you don’t have permission, or should it directly say that the table doesn’t exist? If it indicates no permission, then a user without many table permissions could deduce which tables exist in the database based on this…
This has nothing to do with DM. DM just directly displays the return from MySQL. MySQL follows the same logic; you can try it yourself. For tables without permission, it prompts that they do not exist.
Since it is a full synchronization, I think there should be a check for select permissions.
No, you didn’t understand my point. Actually, this is a security measure. DM checks the select permissions of the table, but it can’t tell you that you don’t have select permissions; it can only tell you that it can’t find the table. Understand?
What I mean is that select is a prerequisite for full synchronization, and there is no security issue involved here. DM is aimed at DBA operations personnel, not general users who can enumerate.
The current permissions definitely follow a complete system, consistent with MySQL. To achieve your desired effect, you would need to separately modify the full synchronization of DM…
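
The pre-check requested in the original post can be built from the account's own `SHOW GRANTS` output, which lists only what has been granted to that account, so the report says which tables lack a SELECT grant without stating whether they exist. This is an added example, not part of the thread and not DM's code. The account name, schemas and grant lines are constructed, and schema names in grants are assumed to contain no wildcard patterns.

```python
import re

# Constructed sample: SHOW GRANTS output for a hypothetical upstream account.
SAMPLE_GRANTS = [
    "GRANT RELOAD, PROCESS, REPLICATION SLAVE ON *.* TO `dm_user`@`%`",
    "GRANT SELECT ON `shop`.* TO `dm_user`@`%`",
    "GRANT SELECT, INSERT ON `crm`.`accounts` TO `dm_user`@`%`",
    "GRANT SELECT (`id`, `name`) ON `crm`.`leads` TO `dm_user`@`%`",
]

GRANT_RE = re.compile(
    r"^GRANT (?P<privs>.+?) ON (?P<db>`[^`]+`|\*)\.(?P<tbl>`[^`]+`|\*) TO ", re.I)

def parse_grants(lines):
    """Map (db, table) scope -> privileges held there; '*' means 'all'."""
    scopes = {}
    for line in lines:
        m = GRANT_RE.match(line.strip())
        if not m:
            continue  # role and proxy grants are out of scope here
        # Column-level grants such as SELECT (`id`) do not cover a full dump.
        privs = re.sub(r"[A-Za-z ]+\([^)]*\)", "", m["privs"])
        names = {p.strip().upper() for p in privs.split(",") if p.strip()}
        key = (m["db"].strip("`"), m["tbl"].strip("`"))
        scopes.setdefault(key, set()).update(names)
    return scopes

def has_priv(scopes, priv, db="*", tbl="*"):
    """True if priv is held globally, on the schema, or on the table."""
    for key in {("*", "*"), (db, "*"), (db, tbl)}:
        held = scopes.get(key, set())
        if priv in held or "ALL PRIVILEGES" in held:
            return True
    return False

def precheck_full_mode(grant_lines, tables):
    """Return a list of problems; an empty list means the pre-check passed."""
    scopes = parse_grants(grant_lines)
    problems = [f"missing global privilege {p}"
                for p in ("RELOAD", "PROCESS") if not has_priv(scopes, p)]
    problems += [f"no table-wide SELECT grant covers `{db}`.`{tbl}`"
                 for db, tbl in tables if not has_priv(scopes, "SELECT", db, tbl)]
    return problems

if __name__ == "__main__":
    wanted = [("shop", "orders"), ("crm", "leads"), ("hr", "salaries")]
    for problem in precheck_full_mode(SAMPLE_GRANTS, wanted):
        print(problem)
```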