TiDB Configuration Permissions

Note:
This topic has been translated from a Chinese forum by GPT and might contain errors.

Original topic: TiDB config 权限

| username: MrSylar

Question

What specific things does the config permission in TiDB control?

| username: redgame | Original post link

Modify global configuration
Modify session configuration
Reload configuration

| username: tidb菜鸟一只 | Original post link

Do you mean which configs are shown in TiDB when using show config?
Actually, the main thing is to distinguish between variables and configs.
Variables are system variable parameters for the TiDB server, divided into global and session levels.
Configs are cluster parameters for various components in the cluster, such as TiDB server, TiKV, PD, TiFlash, etc. They function similarly to the configuration file parameters you edit with tiup cluster edit-config. However, not all configs can be modified online, and even if they can be modified online, the configuration file parameters will not be updated automatically and need to be manually modified.

| username: MrSylar | Original post link

No, I want to see the official description of the config permission. This is a permission specific to TiDB.

| username: MrSylar | Original post link

Have you seen any official documentation?

| username: ShawnYan | Original post link

Could you specify which config it is?

| username: MrSylar | Original post link

For example, DM and Dashboard definitely require this permission.

| username: MrSylar | Original post link

ConfigPriv is the privilege to enable the use of SET CONFIG statements.

| username: tidb菜鸟一只 | Original post link

This is the permission corresponding to the show config or set config I mentioned above. You can grant ordinary users the permission to modify the config through:

GRANT CONFIG ON *.* TO ming;

However, it is strongly recommended not to do this, because the config permission should theoretically only be given to the root user, as this permission has a significant impact on the database.

| username: MrSylar | Original post link

Yes, the initial point of the issue is: DM currently requires this permission, but normally this permission should not be granted to regular users.

| username: tidb菜鸟一只 | Original post link

DM doesn’t require this permission, does it?

| username: MrSylar | Original post link

The documentation should be optimized. During the load phase of DM 6.5.1 on my local machine, an error occurs: Error 1227 (42000): Access denied; you need (at least one of) the CONFIG privileges for the operation.

| username: tidb菜鸟一只 | Original post link

You can provide feedback and suggestions… However, DM users themselves have considerable permissions. It is recommended to use a separate user and encrypt the password when creating the data source.

| username: 有猫万事足 | Original post link

I checked the statement I used to create dmuser, and it indeed requires config permissions.

The permissions for DM are indeed quite extensive, even allowing for the creation and dropping of databases at will. Creating a separate user for DM is a better approach. With resource control, it becomes very easy to manage the impact of imports on the database. Compared to controlling concurrency parameters through configuration files, the convenience of resource control is significantly improved.
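
The approach discussed in this thread, written out as an added example (it is not part of any post above and is not taken from the TiDB or DM documentation): a dedicated DM account that holds CONFIG, a resource group that caps its load, and an audit of every account holding the privilege. The account name, host pattern, password placeholder, group name and RU value are assumptions, and the resource-group statements need a TiDB version that supports resource control.

```sql
-- Added example. All names and values below are constructed placeholders.

-- 1. Dedicated account for DM, restricted to the hosts the DM workers run on.
CREATE USER 'dm_user'@'10.0.0.%' IDENTIFIED BY '<strong-password-placeholder>';

-- 2. CONFIG is a global privilege, so it can only be granted ON *.*.
--    The other privileges DM needs are deliberately not listed here;
--    take them from the DM documentation for your version.
GRANT CONFIG ON *.* TO 'dm_user'@'10.0.0.%';

-- 3. Cap the resources the account can consume during the load phase.
CREATE RESOURCE GROUP IF NOT EXISTS rg_dm RU_PER_SEC = 1000;
ALTER USER 'dm_user'@'10.0.0.%' RESOURCE GROUP rg_dm;

-- 4. Audit: every account that can run SET CONFIG.
--    Anything other than root and the DM account deserves a review.
SELECT user, host
FROM mysql.user
WHERE Config_priv = 'Y'
ORDER BY user, host;

-- 5. Confirm what the DM account holds and which resource group it is bound to.
SHOW GRANTS FOR 'dm_user'@'10.0.0.%';
SELECT user, host,
       JSON_EXTRACT(User_attributes, '$.resource_group') AS resource_group
FROM mysql.user
WHERE user = 'dm_user';

-- 6. Remove CONFIG from an ordinary user who was granted it earlier,
--    such as the 'ming' account used as the example in this thread.
REVOKE CONFIG ON *.* FROM ming;
```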