Essentials
A single database user can be used to grant access to the BL product databases. By default, the BL products try to connect as the root user, which always exists in a MySQL installation. Recent versions of MySQL server install without access to the root user from outside localhost (i.e. it cannot be used from any server except its own). Your options at this point include:
- granting access to the root user from any server/host by using the wildcard syntax % as the host name (see the Remote Privileges section below)
- granting access to the root user from the specific hosts you know you will run Flow and/or other BL apps on (e.g. RSS Reader, Weather Reader, etc.)
- creating a new user with the required privileges
CREATE USER 'BL' IDENTIFIED BY 'bl-password'; -- make your own password
Remote Privileges and Granting Player Access to the DB
During the MySQL install, the user will be asked whether they would like to allow remote access for the root user. It is important to allow this so that players and other apps that are not running on the master server can access the database. If the players have a problem accessing the database from remote systems, use the following commands to enable non-local access for the root user account.
UPDATE mysql.user SET host = '%' WHERE host = '127.0.0.1' AND user = 'root';
FLUSH PRIVILEGES;
Required Privileges
You may create a single user that provides access for both Flow and any other BL apps you are using.
Flow
Flow requires an extensive set of privileges so that it can update the database schema during installation and/or upgrades as well as manage the data in use.
GRANT ALTER, ALTER ROUTINE, CREATE, CREATE ROUTINE, CREATE TEMPORARY TABLES, CREATE VIEW, DELETE, DROP, EXECUTE, INDEX, INSERT, LOCK TABLES, SELECT, SHOW VIEW, TRIGGER, UPDATE
ON superticker.* -- to superticker tables only
TO 'BL';
BL Apps
You could use the same user for both Flow and the BL apps. If you wish to separate them, note that most BL apps run with much more limited privilege requirements.
GRANT DELETE, EXECUTE, INSERT, LOCK TABLES, SELECT, TRIGGER, UPDATE
ON superticker.* -- to superticker tables only
TO 'BL';
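The separate-user option described above, as an added example that is not part of the original page: one host-restricted account for Flow and one for the BL apps, using the privilege lists given above, followed by queries that check the result. The account names BLflow and BLapps, the 192.0.2.x addresses and the passwords are placeholders assumed for illustration.

```sql
-- Added example: account names, host addresses and passwords are placeholders.

-- Flow server (assumed to be 192.0.2.10): full schema-management privilege set.
CREATE USER 'BLflow'@'192.0.2.10' IDENTIFIED BY 'change-me-flow';
GRANT ALTER, ALTER ROUTINE, CREATE, CREATE ROUTINE, CREATE TEMPORARY TABLES,
      CREATE VIEW, DELETE, DROP, EXECUTE, INDEX, INSERT, LOCK TABLES, SELECT,
      SHOW VIEW, TRIGGER, UPDATE
   ON superticker.*
   TO 'BLflow'@'192.0.2.10';

-- Players and other BL apps (assumed to sit in 192.0.2.0/24): limited set.
CREATE USER 'BLapps'@'192.0.2.%' IDENTIFIED BY 'change-me-apps';
GRANT DELETE, EXECUTE, INSERT, LOCK TABLES, SELECT, TRIGGER, UPDATE
   ON superticker.*
   TO 'BLapps'@'192.0.2.%';

-- Check what each account actually holds.
SHOW GRANTS FOR 'BLflow'@'192.0.2.10';
SHOW GRANTS FOR 'BLapps'@'192.0.2.%';

-- List every account that can log in from any host.
SELECT user, host FROM mysql.user WHERE host = '%';

-- Privileges granted on the superticker schema, per account.
SELECT grantee, privilege_type
  FROM information_schema.schema_privileges
 WHERE table_schema = 'superticker'
 ORDER BY grantee, privilege_type;
```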
Suspending Privileges
You may want to temporarily disable access to the database. In that case you would use a REVOKE command:
REVOKE ALL PRIVILEGES ON superticker.* FROM 'BL';
Replication Privileges
In situations where you want to use replication to provide an ongoing backup source, you need additional privileges.
Replication User
You may choose to grant the privileges to an existing user or create a specific user for replication on the master/primary server. That account will need only the global REPLICATION SLAVE privilege.
GRANT REPLICATION SLAVE ON *.* TO 'BLreplicator';
Replication Monitoring
The DMan app can be used in scenarios with replication to provide status monitoring. To do so it will require the additional privilege:
- REPLICATION CLIENT
Having this privilege will allow it to report the status of the replication server.
NOTE that this privilege can only be granted at the global level and not for a specific database on the server:
GRANT REPLICATION CLIENT ON *.* TO 'BL';
This privilege must be granted to the user on the server where the status is being monitored.
Read-Only Privileges
If you wished to grant read-only privileges you would need to assign:
- SELECT ON all tables
- EXECUTE ON FUNCTION CalcUtilityStatus
Flow will then be able to display the content, but no changes can be made. Note that Flow is not truly designed to operate in view mode except when using a browsing-only user; as a result, when using other user types you may encounter errors if you try to perform an action that requires a change to the content.
The Flow version will need to be greater than 6.11.4.2 to support even this basic access when only SELECT privileges are given.
GRANT SELECT ON `superticker`.* TO 'BL';
GRANT EXECUTE ON FUNCTION `superticker`.`CalcUtilityStatus` TO 'BL';