[mariadb][backup-v2] use granular backup/restore permissions

s10 · s10 · commit 909c9b8c7495 · 2026-04-01T15:10:44.000+03:00
* remove unneeded privileges from the `backup` user
* `maria-back-me-up` updated to `10.11-20260401120352`
diff --git a/common/mariadb/CHANGELOG.md b/common/mariadb/CHANGELOG.md
@@ -1,5 +1,10 @@
 # Changelog
 
+## v0.34.0 - 2026/04/01
+* remove unneeded privileges from the `backup` user
+* `maria-back-me-up` updated to `10.11-20260401120352`
+* chart version bumped
+
 ## v0.33.1 - 2026/03/27
 * updated sidecar image:
   * `mysqld-exporter` image updated to `0.19.0`
diff --git a/common/mariadb/Chart.yaml b/common/mariadb/Chart.yaml
@@ -2,7 +2,7 @@
 apiVersion: v2
 description: A Helm chart for Kubernetes
 name: mariadb
-version: 0.33.1
+version: 0.34.0
 # scripts/docker-entyrpoint.sh should be updated when appVersion is updated
 appVersion: 10.11.16
 dependencies:
diff --git a/common/mariadb/values.yaml b/common/mariadb/values.yaml
@@ -49,7 +49,28 @@ users:
     limits:
       max_user_connections: 4
     grants:
-      - ALL PRIVILEGES ON *.*
+      # backup & restore
+      - SELECT ON *.*
+      - SHOW VIEW ON *.*
+      - TRIGGER ON *.*
+      - LOCK TABLES ON *.*
+      # backup only
+      - PROCESS ON *.*
+      - RELOAD ON *.*
+      - REPLICATION SLAVE ON *.*        # BinlogSyncer streams binlogs as a replica
+      - BINLOG MONITOR ON *.*           # --master-data=1 (SHOW MASTER STATUS)
+      - BINLOG ADMIN ON *.*             # PURGE BINARY LOGS
+      # restore only
+      - INSERT ON *.*
+      - CREATE ON *.*
+      - DROP ON *.*
+      - ALTER ON *.*
+      - INDEX ON *.*
+      - REFERENCES ON *.*
+      - CREATE VIEW ON *.*
+      - SHUTDOWN ON *.*
+      - REPLICATION SLAVE ADMIN ON *.*  # CHANGE MASTER TO, RESET SLAVE
+      - SET USER ON *.*                 # DEFINER= clauses (mysql.user view)
 #  example:
 #    name: example1 # This looks repetitive, but the point is that they key is the name
 #                   # you refer to in your charts, while the field 'name' is the actual name
@@ -202,7 +223,7 @@ backup_v2:
   enabled: false
   backup_dir: "./backup"
   image: maria-back-me-up
-  image_version: "20260210150801"
+  image_version: "10.11-20260401120352"
   full_backup_cron_schedule: "0 0 * * *"
   incremental_backup_in_minutes: 5
   purge_binlog_after_minutes: 60
