MySQL Enterprise Backup User's Guide (Version 4.1.5)
For most backup operations, the mysqlbackup
command connects to the MySQL server using the credentials
supplied with the --user and
--password options. The specified
user needs certain privileges. You
can either create a new user with a minimal set of privileges,
or use an administrative account such as root. Here are the
privileges required by mysqlbackup:
The minimum privileges for the MySQL user with which mysqlbackup connects to the server are:
RELOAD on all databases and tables.
CREATE, INSERT,
DROP, and UPDATE
on the tables mysql.backup_progress
and mysql.backup_history, and also
SELECT and ALTER on
mysql.backup_history.
SUPER, to enable and disable logging,
and to optimize locking in order to minimize disruption
to database processing.
REPLICATION CLIENT, to retrieve the
binary log position,
which is stored with the backup.
PROCESS, to process DDL statements
with the ALGORITHM = INPLACE clause.
SELECT on
performance_schema.replication_group_members,
to know whether the server instance is part of a Group
Replication setup and, if so, to gather information on
the group members (required by release 4.1.2 and later).
To create a MySQL user (mysqlbackup in
this example) and set the above-mentioned privileges for the
user to connect from localhost, issue statements like the
following from the mysql client program:
CREATE USER 'mysqlbackup'@'localhost' IDENTIFIED BY 'password';
GRANT RELOAD, SUPER, PROCESS ON *.* TO 'mysqlbackup'@'localhost';
GRANT CREATE, INSERT, DROP, UPDATE ON mysql.backup_progress TO 'mysqlbackup'@'localhost';
GRANT CREATE, INSERT, SELECT, DROP, UPDATE, ALTER ON mysql.backup_history
TO 'mysqlbackup'@'localhost';
GRANT REPLICATION CLIENT ON *.* TO 'mysqlbackup'@'localhost';
GRANT SELECT ON performance_schema.replication_group_members TO 'mysqlbackup'@'localhost'; The following additional privileges are required when using MySQL Enterprise Backup 4.1.2 or later for the first time on a MySQL Server that has been upgraded from 5.7.22 or earlier and has been backed up by MySQL Enterprise Backup before:
CREATE, INSERT,
and DROP on
mysql.backup_history_old.
CREATE, INSERT,
DROP, and ALTER on
mysql.backup_history_new.
Grant these privileges by issuing these sample statements at the mysql client:
GRANT CREATE, INSERT, DROP ON mysql.backup_history_old TO 'mysqlbackup'@'localhost';
GRANT CREATE, INSERT, DROP, ALTER ON mysql.backup_history_new TO 'mysqlbackup'@'localhost';If you are working with a multiprimary Group Replication setting, make sure these privileges are granted on all primary nodes; see also Chapter 8, Using MySQL Enterprise Backup with Group Replication.
These privileges are for the attempt to migrate
the mysql.backup_history table to a newer
format (see Appendix D, Backup History Table Update
for details), and they are no longer needed after the first
backup operation by MySQL Enterprise Backup 4.1.2 or later has taken place on
the server, by which point they can be revoked.
The following additional privileges are required for using specific features of MySQL Enterprise Backup:
For using transportable tablespaces (TTS) to back up and restore InnoDB tables:
LOCK TABLES and
SELECT for backing up tables.
CREATE for restoring tables.
DROP for dropping tables if the
restore fails for some reasons.
FILE for restoring tables in
external tablespaces outside of the server's data
directory.
For creating tape backups using the System Backup to Tape (SBT) API :
CREATE,
INSERT,
DROP, and
UPDATE on the
mysql.backup_sbt_history table
Set those additional privileges if you are using the
features that require them. To set all of them, issue a
statement like the following from the
mysql client program:
GRANT LOCK TABLES, SELECT, CREATE, DROP, FILE ON *.* TO 'mysqlbackup'@'localhost';
GRANT CREATE, INSERT, DROP, UPDATE ON mysql.backup_sbt_history TO 'mysqlbackup'@'localhost';For privileges required for using MySQL Enterprise Backup with a Group Replication setting, see Chapter 8, Using MySQL Enterprise Backup with Group Replication.