Limiting database access


#1

I would like to give a group of users access to the Mattermost files, including the config file (and maybe limited read access to the database) so that they can do troubleshooting and maintenance and so forth, without giving them total access to the database because then they can read everyone’s private chats. I am not sure if this is possible.

Currently, if a user can read the config file then they can log in to the MySQL database, because the DataSource in the config is of the form mmuser:password@tcp(host:port)/mattermost?charset=.... Clearly this also means that they can read any post if they are so inclined.

Is it possible to remove the password from DataSource and authenticate another way, e.g. using ~/.my.cnf, or a private key? If so, then I think it would work, because only mmuser would be able to log in to the database, while other users would be able to read the config file.


#2

Mattermost is intended to be managed by a System Administrator, who effectively has the power to do anything with the system. We don’t really support connecting directly to the database, as it is intended to only be accessed via Mattermost and related tools. That said, the DataSource config element is just a MySQL connection string, so you may be able to accomplish your goal after a close read of the MySQL documentation.
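
An added example, not part of either post above and not Mattermost code: a small audit that parses a DataSource of the shape quoted in #1 and reports when a config file that embeds the database password is readable beyond its owner. The `SqlSettings.DataSource` JSON location, the function names, and the sample host and password are assumptions or constructed values.

```python
import json
import os
import stat
import tempfile

def parse_datasource(dsn):
    """Split a DSN shaped like user:password@tcp(host:port)/db?params."""
    head, _, tail = dsn.rpartition("/")         # database name follows the last '/'
    creds, at, network = head.rpartition("@")   # last '@': a password may contain '@'
    if not at:                                  # no credentials part at all
        creds, network = "", head
    user, _, password = creds.partition(":")    # first ':' ends the user name
    return {"user": user, "has_password": bool(password),
            "network": network, "database": tail.partition("?")[0]}

def audit_config(path):
    """Return a list of findings for the config file at `path`."""
    with open(path, encoding="utf-8") as fh:
        # Assumption: the connection string is stored under SqlSettings.DataSource.
        dsn = json.load(fh)["SqlSettings"]["DataSource"]
    info = parse_datasource(dsn)
    mode = stat.S_IMODE(os.stat(path).st_mode)
    findings = []
    if info["has_password"]:
        if mode & stat.S_IRGRP:
            findings.append("group-readable file embeds the password for " + info["user"])
        if mode & stat.S_IROTH:
            findings.append("world-readable file embeds the password for " + info["user"])
    return findings

def demo():
    """Run the audit on a constructed config with constructed credentials."""
    sample = {"SqlSettings": {"DataSource":
              "mmuser:ex@mple:pw@tcp(db.example.internal:3306)/mattermost?parseTime=true"}}
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "config.json")
        with open(path, "w", encoding="utf-8") as fh:
            json.dump(sample, fh)
        os.chmod(path, 0o640)                   # owner rw, troubleshooting group r
        shared = audit_config(path)
        os.chmod(path, 0o600)                   # owner only
        private = audit_config(path)
    return shared, private

if __name__ == "__main__":
    print(demo())
```

A DataSource with no password part (for example one that names only the user) produces no finding, which is the state the question in #1 is trying to reach.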