Note:
This topic has been translated from a Chinese forum by GPT and might contain errors. Original topic: TiDB config 权限

Question
What specific things does the config permission in TiDB control?
Modify global configuration
Modify session configuration
Reload configuration
Do you mean which configs are shown in TiDB when using show config?
Actually, the main thing is to distinguish between variables and configs.
Variables are system variable parameters for the TiDB server, divided into global and session levels.
Configs are cluster parameters for various components in the cluster, such as TiDB server, TiKV, PD, TiFlash, etc. They function similarly to the configuration file parameters you edit with tiup cluster edit-config. However, not all configs can be modified online, and even if they can be modified online, the configuration file parameters will not be updated automatically and need to be manually modified.
No, I want to see the official description of the config permission. This is a permission specific to TiDB.
For example, DM and Dashboard definitely require this permission.
ConfigPriv is the privilege to enable the use of SET CONFIG statements.
This is the permission corresponding to the show config or set config I mentioned above. You can grant ordinary users the permission to modify the config through:
GRANT CONFIG ON *.* TO ming;
However, it is strongly recommended not to do this, because the config permission should theoretically only be given to the root user, as this permission has a significant impact on the database.
Yes, the initial point of the issue is: DM currently requires this permission, but normally this permission should not be granted to regular users.
The documentation should be optimized. During the load phase of dm 6.5.1 on my local machine, an error occurs: Error 1227 (42000): Access denied; you need (at least one of) the CONFIG privileges for the operation.
You can provide feedback and suggestions… However, DM users themselves have considerable permissions. It is recommended to use a separate user and encrypt the password when creating the data source.
I checked the statement I used to create dmuser, and it indeed requires config permissions.
The permissions for dm are indeed quite extensive, even allowing for the creation and dropping of databases at will. Creating a separate user for dm is a better approach. With resource control, it becomes very easy to manage the impact of imports on the database. Compared to controlling concurrency parameters through configuration files, the convenience of resource control is significantly improved.
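
The separate-account approach discussed in this thread, with an audit of who holds CONFIG, as an added example that is not from any of the posts above. The account name dm_sync, the host pattern 10.0.1.% and the password are constructed placeholders; the other privileges DM needs are not covered here.

```sql
-- 1. Audit: list every account that currently holds the global CONFIG privilege.
--    Ideally this returns only root and the dedicated DM account.
SELECT user, host
FROM mysql.user
WHERE Config_priv = 'Y'
ORDER BY user, host;

-- 2. Create a dedicated account for DM instead of reusing root or an
--    application user. Restrict the host part to where the DM workers run
--    (10.0.1.% is a constructed placeholder).
CREATE USER 'dm_sync'@'10.0.1.%' IDENTIFIED BY '<placeholder-password>';

-- 3. CONFIG is a global privilege, so it can only be granted ON *.*
GRANT CONFIG ON *.* TO 'dm_sync'@'10.0.1.%';

-- 4. Confirm exactly what the account ended up with.
SHOW GRANTS FOR 'dm_sync'@'10.0.1.%';

-- 5. Take the privilege back once it is no longer needed,
--    then re-run the audit query from step 1.
REVOKE CONFIG ON *.* FROM 'dm_sync'@'10.0.1.%';
```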