Limiting database access

I would like to give a group of users access to the mattermost files, including the config file (and maybe limited read access to the database) so that they can do troubleshooting and maintenance and so forth, without giving them total access to the database because then they can read everyone’s private chats. I am not sure if this is possible.

Currently, if a user can read the config file then they can log in to the MySQL database, because the DataSource in the config is of the form mmuser:password@tcp(host:port)/mattermost?charset=.... Clearly this also means that they can read any post if they are so inclined.

Is it possible to remove the password from DataSource and authenticate another way, e.g. using ~/.my.cnf, or a private key? If so, then I think it would work, because only mmuser would be able to log in to the database, while other users would be able to read the config file.

Mattermost is intended to be managed by a System Administrator, who effectively has the power to do anything with the system. We don’t really support connecting directly to the database, as it is intended to only be accessed via Mattermost and related tools. That said, the DataSource config element is just a MySql connection string, so you may be able to accomplish your goal after a close read of the MySql documentation.

Hi @MusikPolice,

I am returning to this topic at the moment. Actually I didn’t find your response all that helpful because a “MySql connection string” is not completely standardised across clients and drivers. After a look at the code I see that actually this string is parsed by the go-sql-driver/mysql package. It seems that this does indeed require a password to be given directly in the string unless the database requires no password.

I see that someone (unsuccessfully) requested a feature to have the driver read ~/.my.cnf, but the package is intended to be just a driver and won’t support such things.

If mattermost itself supported reading database credentials from a separate file, it would help me out a lot - otherwise I am forced to make the list of users who can read Posts identical to the list of users who can read the config file, which I don’t want to do unless I have to (as strange as it might seem!)

D

The way I am planning to tackle this is to:

  • remove DataSource from config.json
  • make config.json accessible to users who are maintaining the system
  • have the privileged user which runs the platform set MM_SQLSETTINGS_DATASOURCE in the environment based on files that are only visible to this user

This way we can keep the database credentials secret while allowing other users access to the config file.
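
A sketch of the launcher that plan implies, added here as an illustration and not taken from the thread or from Mattermost: it refuses to start unless the credentials file is private to the service account and config.json no longer carries a password. The function names and every path passed to them are assumptions; only MM_SQLSETTINGS_DATASOURCE and the DataSource key come from the posts above.

```shell
#!/bin/sh
# Added example; function names and all paths passed in are hypothetical.

# True only for a regular file (not a symlink) owned by the current uid with
# no group/other permission bits, e.g. mode 0600 or 0400.
secret_file_ok() {
    [ -f "$1" ] && [ ! -L "$1" ] || return 1
    set -- $(ls -ln "$1")          # $1 = mode string, $3 = numeric owner
    case $1 in
        -???------*) ;;
        *) return 1 ;;
    esac
    [ "$3" = "$(id -u)" ]
}

# True if config.json is readable and its "DataSource" value, if present,
# carries no user:password@ part.
config_has_no_credentials() {
    [ -r "$1" ] || return 1
    ! grep -Eq '"DataSource"[[:space:]]*:[[:space:]]*"[^"]*:[^"]*@' "$1"
}

# Read the DSN (first line of the secret file) into the environment
# variable named in the post above.
load_datasource() {
    secret_file_ok "$1" || {
        echo "refusing $1: need a regular file owned by uid $(id -u), no group/other access" >&2
        return 1
    }
    IFS= read -r dsn < "$1" || :   # read fails on a missing final newline but still fills dsn
    [ -n "$dsn" ] || return 1
    MM_SQLSETTINGS_DATASOURCE=$dsn
    export MM_SQLSETTINGS_DATASOURCE
}

# start_server SECRET_FILE CONFIG_JSON COMMAND [ARGS...]
start_server() {
    load_datasource "$1" || return 1
    config_has_no_credentials "$2" || {
        echo "$2 still contains database credentials" >&2
        return 1
    }
    shift 2
    exec "$@"                      # replace the shell with the server process
}
```

On Linux the exported variable is readable through /proc/<pid>/environ only by the service account's uid and root, so the maintenance group must not be able to become either.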