From 092c9ec9ca8ef498dbc4c4d81e4d505a81cd2123 Mon Sep 17 00:00:00 2001 From: Ti Chi Robot Date: Mon, 20 Feb 2023 17:20:29 +0800 Subject: [PATCH] Update dashboard-statement-details.md (#12575) (#12598) * Update dashboard-statement-details.md * Update dashboard-user.md * Apply suggestions from code review Co-authored-by: Ran * Update dashboard/dashboard-user.md * Apply suggestions from code review * Apply suggestions from code review * Apply suggestions from code review Co-authored-by: TomShawn <41534398+TomShawn@users.noreply.github.com> * Apply suggestions from code review --------- Co-authored-by: Lux Co-authored-by: Ran Co-authored-by: TomShawn <41534398+TomShawn@users.noreply.github.com> --- dashboard/dashboard-statement-details.md | 2 ++ dashboard/dashboard-user.md | 18 ++++++++++++++++-- 2 files changed, 18 insertions(+), 2 deletions(-) diff --git a/dashboard/dashboard-statement-details.md b/dashboard/dashboard-statement-details.md index 533f59d47179f..fcd19aa195d7e 100644 --- a/dashboard/dashboard-statement-details.md +++ b/dashboard/dashboard-statement-details.md @@ -56,6 +56,8 @@ Currently, the fast plan binding feature does not support the following types of - Queries that access TiFlash - Queries that join three or more tables +To use this feature, you must have the SUPER privilege. If you encounter permission issues while using it, refer to [TiDB Dashboard User Management](/dashboard/dashboard-user.md) to add the necessary privileges. + ## Execution details of plans The execution detail of plans includes the following information: diff --git a/dashboard/dashboard-user.md b/dashboard/dashboard-user.md index aaa26dcc6ee30..acfc3d54c1076 100644 --- a/dashboard/dashboard-user.md +++ b/dashboard/dashboard-user.md 
@@ -32,6 +32,11 @@ For details about how to control and manage TiDB SQL users, see [TiDB User Accou - SYSTEM_VARIABLES_ADMIN +- To use the [Fast Bind Executions Plan](/dashboard/dashboard-statement-details.md#fast-plan-binding) feature on the interface after signing in to TiDB Dashboard, the SQL user must also have the following privileges: + + - SYSTEM_VARIABLES_ADMIN + - SUPER + > **Note:** > > Users with high privileges such as `ALL PRIVILEGES` or `SUPER` can sign in to TiDB Dashboard as well. Therefore, to comply with the least privilege principle, it is highly recommended that you create users with the required privileges only to prevent unintended operations. See [Privilege Management](/privilege-management.md) for more information on these privileges. @@ -52,6 +57,10 @@ If an SQL user does not meet the preceding privilege requirements, the user fail -- To modify the configuration items on the interface after signing in to TiDB Dashboard, the user-defined SQL user must be granted with the following privilege. GRANT SYSTEM_VARIABLES_ADMIN ON *.* TO 'dashboardAdmin'@'%'; + + -- To use the Fast Bind Executions Plan feature (https://docs.pingcap.com/tidb/v6.6/dashboard-statement-details#fast-plan-binding) on the interface after signing in to TiDB Dashboard, the user-defined SQL user must be granted with the following privileges. + GRANT SYSTEM_VARIABLES_ADMIN ON *.* TO 'dashboardAdmin'@'%'; + GRANT SUPER ON *.* TO 'dashboardAdmin'@'%'; ``` - When [Security Enhanced Mode (SEM)](/system-variables.md#tidb_enable_enhanced_security) is enabled on the connected TiDB server, disable SEM first and execute the following SQL statements to create an SQL user `dashboardAdmin` that can sign in to TiDB Dashboard. After creating the user, enable SEM again: 
@@ -67,13 +76,17 @@ If an SQL user does not meet the preceding privilege requirements, the user fail -- To modify the configuration items on the interface after signing in to TiDB Dashboard, the user-defined SQL user must be granted with the following privilege. GRANT SYSTEM_VARIABLES_ADMIN ON *.* TO 'dashboardAdmin'@'%'; + + -- To use the Fast Bind Executions Plan feature (https://docs.pingcap.com/tidb/v6.6/dashboard-statement-details#fast-plan-binding) on the interface after signing in to TiDB Dashboard, the user-defined SQL user must be granted with the following privileges. + GRANT SYSTEM_VARIABLES_ADMIN ON *.* TO 'dashboardAdmin'@'%'; + GRANT SUPER ON *.* TO 'dashboardAdmin'@'%'; ``` ## Example: Authorize SQL user to access TiDB Dashboard via RBAC The following example demonstrates how to create a role and a user to access TiDB Dashboard through the [role-based access control (RBAC)](/role-based-access-control.md) mechanism. -1. Create a `dashboard_access` role that meets the privilege requirements of TiDB Dashboard: +1. Create a `dashboard_access` role that meets all privilege requirements of TiDB Dashboard: ```sql CREATE ROLE 'dashboard_access'; @@ -81,6 +94,7 @@ The following example demonstrates how to create a role and a user to access TiD GRANT SHOW DATABASES ON *.* TO 'dashboard_access'@'%'; GRANT DASHBOARD_CLIENT ON *.* TO 'dashboard_access'@'%'; GRANT SYSTEM_VARIABLES_ADMIN ON *.* TO 'dashboard_access'@'%'; + GRANT SUPER ON *.* TO 'dashboardAdmin'@'%'; ``` 2. Grant the `dashboard_access` role to other users and set `dashboard_access` as the default role: 
@@ -96,4 +110,4 @@ After the above steps, you can use the `dashboardAdmin` user to sign in to TiDB ## Sign in to TiDB Dashboard -After creating an SQL user that meets the privilege requirements of TiDB Dashboard, you can use this user to [Sign in](/dashboard/dashboard-access.md#sign-in) to TiDB Dashboard. \ No newline at end of file +After creating an SQL user that meets the privilege requirements of TiDB Dashboard, you can use this user to [Sign in](/dashboard/dashboard-access.md#sign-in) to TiDB Dashboard.
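
Review bot: In dashboard/dashboard-statement-details.md (hunk @@ -56,6 +56,8), the added sentence names only the SUPER privilege, while the dashboard-user.md hunk of the same patch lists both SYSTEM_VARIABLES_ADMIN and SUPER for this feature. State the same set in both places, or drop the privilege name here and rely on the link, so that a reader does not grant one privilege and still hit a permission error. Writing the name as `SUPER` in backticks would also match the Note in dashboard-user.md.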
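
Review bot: In dashboard/dashboard-user.md (hunk @@ -32,6 +32,11), the new bullet makes SUPER a listed requirement, yet the unchanged Note directly after it names `SUPER` as a high privilege and recommends creating users with the required privileges only. Say in the bullet that these grants are needed only by users who will actually use this feature, so the default Dashboard user stays without SUPER. The link text "Fast Bind Executions Plan" also differs from "fast plan binding" in dashboard-statement-details.md and in the anchor `#fast-plan-binding`; use one name throughout.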
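
Review bot: In the first SQL example of dashboard/dashboard-user.md (hunk @@ -52,6 +57,10), the added `GRANT SYSTEM_VARIABLES_ADMIN ON *.* TO 'dashboardAdmin'@'%';` repeats the statement on the context line directly above it, so only the `GRANT SUPER` line is new. Drop the duplicate and mark the SUPER grant as optional, because anyone who copies the block as is ends up with a SUPER-level Dashboard user. The added SQL comment also hard-codes a docs.pingcap.com URL containing `v6.6`, while the rest of the page uses relative links such as `/dashboard/dashboard-statement-details.md#fast-plan-binding`; the pinned version will go stale on other branches.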
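
Review bot: In the SEM variant of the SQL example (hunk @@ -67,13 +76,17), the added grants are copied from the non-SEM block, but this user is created with SEM disabled and SEM is enabled again afterwards. Please confirm that `GRANT SUPER` is still sufficient for fast plan binding once SEM is back on, and if it is not, document what is needed in that mode. The same hunk changes step 1 to "meets all privilege requirements", which presents the SUPER-carrying role as the default; consider keeping the base role minimal and describing the extra grant as optional. The duplicated `GRANT SYSTEM_VARIABLES_ADMIN` line appears here as well.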
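
Review bot: In step 1 of the RBAC example (hunk @@ -81,6 +94,7), the added line `GRANT SUPER ON *.* TO 'dashboardAdmin'@'%';` targets the user `dashboardAdmin`, while every other grant in that block targets the role `'dashboard_access'@'%'`. As written, the role never receives SUPER, so users who are given `dashboard_access` in step 2 do not get the privilege this patch says the feature requires, and `dashboardAdmin` receives SUPER outside the role. Change the grantee to `'dashboard_access'@'%'`.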