==================================
 Connection and Privileges Needed
==================================

|XtraBackup| needs to be able to connect to the database server and perform operations on the server and the :term:`datadir` when creating a backup, when preparing it in some scenarios, and when restoring it. To do so, its execution must meet certain privilege and permission requirements.

Privileges refer to the operations that a user is permitted to perform in the database server. **They are set at the database server and only apply to users in the database server**.

Permissions are those that allow a user to perform operations on the system, such as reading, writing or executing in a certain directory, or starting/stopping a system service. **They are set at a system level and only apply to system users**.

Whether |xtrabackup| or |innobackupex| is used, there are two actors involved: the user invoking the program - *a system user* - and the user performing actions in the database server - *a database user*. Note that these are different users in different places, even though they may have the same username.

All the invocations of |innobackupex| and |xtrabackup| in this documentation assume that the system user has the appropriate permissions, that you are providing the relevant options for connecting to the database server (besides the options for the action to be performed), and that the database user has adequate privileges.

Connecting to the server
========================

The database user used to connect to the server and its password are specified with the :option:`--user` and :option:`--password` options::

  $ innobackupex --user=DBUSER --password=SECRET /path/to/backup/dir/
  $ innobackupex --user=LUKE --password=US3TH3F0RC3 --stream=tar ./ | bzip2 -
  $ xtrabackup --user=DVADER --password=14MY0URF4TH3R --backup --target-dir=/data/bkps/

If you don't use the :option:`--user` option, |XtraBackup| will assume that the database user has the same name as the system user executing it.

Other Connection Options
------------------------

Depending on your system, you may need to specify one or more of the following options to connect to the server:

=============== ===================================================================
Option          Description
=============== ===================================================================
--port          The port to use when connecting to the database server with TCP/IP.
--socket        The socket to use when connecting to the local database.
--host          The host to use when connecting to the database server with TCP/IP.
=============== ===================================================================

These options are passed to the :command:`mysql` child process without alteration; see :option:`mysql --help` for details.

Permissions and Privileges Needed
=================================

Once connected to the server, in order to perform a backup you will need ``READ``, ``WRITE`` and ``EXECUTE`` permissions at a filesystem level in the server's :term:`datadir`.

The database user needs the following privileges on the tables / databases to be backed up:

* ``RELOAD`` and ``LOCK TABLES`` (unless the :option:`--no-lock <innobackupex --no-lock>` option is specified) in order to ``FLUSH TABLES WITH READ LOCK`` prior to starting to copy the files,

* ``REPLICATION CLIENT`` in order to obtain the binary log position,

* ``CREATE TABLESPACE`` in order to import tables (see :ref:`imp_exp_ibk`), and

* ``SUPER`` in order to start/stop the slave threads in a replication environment.

The explanation of when these are used can be found in :ref:`how_ibk_works`.

An SQL example of creating a database user with the minimum privileges required for full backups would be::

  mysql> CREATE USER 'bkpuser'@'localhost' IDENTIFIED BY 's3cret';
  mysql> REVOKE ALL PRIVILEGES, GRANT OPTION FROM 'bkpuser'@'localhost';
  mysql> GRANT RELOAD, LOCK TABLES, REPLICATION CLIENT ON *.* TO 'bkpuser'@'localhost';
  mysql> FLUSH PRIVILEGES;
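
To check that an existing backup account still matches the privilege lists above, the following Python code is an added example, not part of the XtraBackup documentation or code. It parses ``SHOW GRANTS`` output and reports privileges that are missing, scenario-specific, or in excess of those lists. The name ``audit_grants`` and the sample grant lines are constructed for illustration, and the input is assumed to be one ``GRANT`` statement per line.

```python
import re

# Minimum privileges the page grants for full backups (GRANT ... ON *.*).
REQUIRED = {"RELOAD", "LOCK TABLES", "REPLICATION CLIENT"}
# Privileges the page ties to specific scenarios: table import, replication slaves.
SITUATIONAL = {"CREATE TABLESPACE", "SUPER"}

GRANT_RE = re.compile(
    r"^GRANT\s+(?P<privs>.+?)\s+ON\s+(?P<scope>\S+)\s+TO\s+.+?"
    r"(?P<grant_opt>\s+WITH\s+GRANT\s+OPTION)?\s*;?\s*$",
    re.IGNORECASE,
)


def audit_grants(show_grants_lines):
    """Compare SHOW GRANTS output for the backup user with the page's lists."""
    held, grant_option = set(), False
    for line in show_grants_lines:
        m = GRANT_RE.match(line.strip())
        if not m:
            continue  # skip anything that is not a GRANT statement
        grant_option = grant_option or bool(m.group("grant_opt"))
        privs = re.sub(r"\([^)]*\)", "", m.group("privs"))  # drop column lists
        for priv in privs.split(","):
            name = " ".join(priv.upper().split())
            held.add("ALL PRIVILEGES" if name == "ALL" else name)
    held.discard("USAGE")  # USAGE means "no privileges"
    has_all = "ALL PRIVILEGES" in held
    return {
        "missing": set() if has_all else REQUIRED - held,
        "situational": held & SITUATIONAL,
        "excess": held - REQUIRED - SITUATIONAL,
        "grant_option": grant_option,
    }


# Constructed sample output, not taken from a real server.
OVERPRIVILEGED = [
    "GRANT RELOAD, LOCK TABLES, SUPER, FILE ON *.* TO 'bkpuser'@'localhost'",
    "GRANT SELECT, INSERT ON `app`.* TO 'bkpuser'@'localhost' WITH GRANT OPTION",
]
MINIMAL = [
    "GRANT RELOAD, LOCK TABLES, REPLICATION CLIENT ON *.* TO 'bkpuser'@'localhost'",
]

if __name__ == "__main__":
    for label, grants in (("overprivileged", OVERPRIVILEGED), ("minimal", MINIMAL)):
        print(label, audit_grants(grants))
```

An empty ``missing`` and ``excess`` set with ``grant_option`` false means the account matches the minimum shown above; anything in ``situational`` should correspond to a table import or replication setup that is actually in use.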