Bug #58391 Add role for "blackout" usage
Submitted: 22 Nov 2010 16:01 Modified: 24 Jan 2011 20:11
Reporter: Mark Leith Email Updates:
Status: Closed Impact on me:
None 
Category:MySQL Enterprise Monitor: Server Severity:S3 (Non-critical)
Version:2.3.0.2036 OS:Any
Assigned to: Mark Leith CPU Architecture:Any
Tags: windmill

[22 Nov 2010 16:01] Mark Leith 
Description:
Currently we require a user to use a manager role user to black out a server via the REST API.

This requires users to have their most privileged credentials in scripts on each database server (if they are integrating blackout with backup scripts for example). 

How to repeat:
Try to hit the blackout REST API using a user with the DBA role for authentication. 

Suggested fix:
Two options:

1) Allow a less privileged user (such as with the DBA role) to invoke blackout
2) Add a new role, such as "blackout" or "backup", who's only privilege is to toggle blackout
[22 Nov 2010 16:18] Mark Leith 
Actually, it appears as if a DBA role user should already be allowed to toggle this. 

So this feature request is for a new role, that does not give any form of UI access (as the DBA role does).
[22 Nov 2010 18:16] Simon Mudd 
related comment:

btw, should you first clarify: http://dev.mysql.com/doc/mysql-monitor/2.3/en/mem-advisor-blackouts.html 
This says: "... To reactivate the blacked-out server or server group, use the appropriate URL and query string, changing the blackout_state=true name/value pair to blackout_state=false. 
                Again, this must be done by a user with administrative privileges."

which is not explicit as to which role is currently needed.
[22 Nov 2010 18:20] Simon Mudd 
Related item:

http://dev.mysql.md/doc/mysql-monitor/2.0/en/mem-advisor-scripting-blackouts.html mentions a script for performing this. It's not clear (and is important) that

$browser->credentials(
    $ARGV[0],

%$ARGV[0] _must_ include the hostname _and_ :port.

The LWP man page is not clear about this and if you customise the given script and do not do this properly you may get unexpected 401 Unauthorized responses.

It might be worth adding a comment to this page.
[29 Nov 2010 13:53] Enterprise Tools JIRA Robot 
Mark Leith writes: 
Pushed to 2.3:

8241 Mark Leith	2010-11-25
     Bug#58391 / EM-5062 - Add role for "blackout" usage
     - Also allow the "agent" role to toggle blackout for a server via the REST API
[1 Dec 2010 19:51] Enterprise Tools JIRA Robot 
Andy Bang writes: 
In build 2.3.1.2046.
[8 Dec 2010 11:23] Enterprise Tools JIRA Robot 
Mark Leith writes: 
Follow on fix pushed:

8248 Mark Leith	2010-12-08
     Bug#58391 / EM-5062 - Add role for "blackout" usage
     - Additional fix to push the blackout API before the higher level REST API isAdmin() check
[4 Jan 2011 19:21] Enterprise Tools JIRA Robot 
Marcos Palacios writes: 
Verified fixed in Monitor build 2.3.2.2048.

Please edit documentation as indicated above.
[19 Jan 2011 18:21] John Russell 
Here is the entry going into the 2.3.2 doc changelog:

The REST API for toggling blackout periods can now be called by a
user with the agent role. Oracle recommends using such a
lower-privileged account, rather than including administrator
credentials in scripts.