Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Add priviledge info for dashboard-statement-details.md #13087

Merged
merged 12 commits into from
Feb 20, 2023
Merged

Add priviledge info for dashboard-statement-details.md #13087

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
12 commits
Select commit Hold shift + click to select a range
e350e51
Update dashboard-statement-details.md
lilyjazz Feb 20, 2023
42f4bfe
Update dashboard-user.md
lilyjazz Feb 20, 2023
7056135
Update dashboard-statement-details.md
lilyjazz Feb 20, 2023
2ab8f4c
Update dashboard-statement-details.md
lilyjazz Feb 20, 2023
34c6c49
Update dashboard-statement-details.md
lilyjazz Feb 20, 2023
185593c
Update dashboard-user.md
lilyjazz Feb 20, 2023
8303b78
Update dashboard-user.md
lilyjazz Feb 20, 2023
510a0ec
Apply suggestions from code review
TomShawn Feb 20, 2023
1a6a85d
Update dashboard-user.md
lilyjazz Feb 20, 2023
be8653f
fix ci
ran-huang Feb 20, 2023
541a5e0
Apply suggestions from code review
ran-huang Feb 20, 2023
c1adedc
Update dashboard/dashboard-user.md
ran-huang Feb 20, 2023
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
2 changes: 2 additions & 0 deletions dashboard/dashboard-statement-details.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -57,6 +57,8 @@ aliases: ['/docs-cn/dev/dashboard/dashboard-statement-details/','/docs-cn/dev/da
- 访问 TiFlash 的查询
- 对三张表或更多表进行 Join 的查询

目前该功能需用户拥有 `SUPER` 权限才可使用。如果在使用过程中提示权限不足,请参考 [TiDB Dashboard 用户管理](/dashboard/dashboard-user.md)补充所需权限。

## 执行计划详情

执行计划详情包括以下内容:
Expand Down
16 changes: 15 additions & 1 deletion dashboard/dashboard-user.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -32,6 +32,11 @@ TiDB Dashboard 与 TiDB 使用相同的用户权限体系和登录验证方式

- SYSTEM_VARIABLES_ADMIN

- 若希望 SQL 用户在登录 TiDB Dashboard 后允许使用[快速绑定执行计划](/dashboard/dashboard-statement-details.md#快速绑定执行计划)功能。

- SYSTEM_VARIABLES_ADMIN
- SUPER

> **注意:**
>
> 拥有 `ALL PRIVILEGES` 或 `SUPER` 等粗粒度高权限的用户同样可以登录 TiDB Dashboard。出于最小权限原则,强烈建议创建用户时仅使用上述精细权限,从而防止用户执行非预期操作。请参阅[权限管理](/privilege-management.md)了解这些权限的详细信息。
Expand All @@ -52,6 +57,10 @@ TiDB Dashboard 与 TiDB 使用相同的用户权限体系和登录验证方式

-- 如果要使自定义的 SQL 用户能修改 TiDB Dashboard 界面上的各项配置,可以增加以下权限
GRANT SYSTEM_VARIABLES_ADMIN ON *.* TO 'dashboardAdmin'@'%';

-- 如果要使用快速绑定执行计划(具体参见 https://docs.pingcap.com/zh/tidb/dev/dashboard-statement-details#快速绑定执行计划)功能,可以增加以下权限
GRANT SYSTEM_VARIABLES_ADMIN ON *.* TO 'dashboardAdmin'@'%';
GRANT SUPER ON *.* TO 'dashboardAdmin'@'%';
```

- 当所连接的 TiDB 服务器启用了[安全增强模式 (SEM)](/system-variables.md#tidb_enable_enhanced_security) 时,先关闭 SEM,然后执行以下示例 SQL 语句创建一个允许登录 TiDB Dashboard 的 SQL 用户 `dashboardAdmin`,创建完成后,再重新开启 SEM:
Expand All @@ -66,21 +75,26 @@ TiDB Dashboard 与 TiDB 使用相同的用户权限体系和登录验证方式
GRANT RESTRICTED_VARIABLES_ADMIN ON *.* TO 'dashboardAdmin'@'%';

-- 如果要使自定义的 SQL 用户能修改 TiDB Dashboard 界面上的各项配置,可以增加以下权限
GRANT SUPER ON *.* TO 'dashboardAdmin'@'%';

-- 如果要使用快速绑定执行计划(具体参见 https://docs.pingcap.com/zh/tidb/dev/dashboard-statement-details#快速绑定执行计划)功能,可以增加以下权限
GRANT SYSTEM_VARIABLES_ADMIN ON *.* TO 'dashboardAdmin'@'%';
GRANT SUPER ON *.* TO 'dashboardAdmin'@'%';
```

## 示例:通过 RBAC 授权 SQL 用户登录 TiDB Dashboard

以下示例演示了如何在[基于角色的访问控制 (RBAC)](/role-based-access-control.md) 机制下创建角色及用户来登录 TiDB Dashboard。

1. 创建一个包含登录 TiDB Dashboard 所需权限的角色 `dashboard_access`:
1. 创建一个包含 TiDB Dashboard 所有功能所需权限的角色 `dashboard_access`:

```sql
CREATE ROLE 'dashboard_access';
GRANT PROCESS, CONFIG ON *.* TO 'dashboard_access'@'%';
GRANT SHOW DATABASES ON *.* TO 'dashboard_access'@'%';
GRANT DASHBOARD_CLIENT ON *.* TO 'dashboard_access'@'%';
GRANT SYSTEM_VARIABLES_ADMIN ON *.* TO 'dashboard_access'@'%';
GRANT SUPER ON *.* TO 'dashboard_access'@'%';
```

2. 为其他用户授权 `dashboard_access` 角色并设置为默认启用:
Expand Down