I would like to give a group of users access to the mattermost files, including the config file (and maybe limited read access to the database) so that they can do troubleshooting and maintenance and so forth, without giving them total access to the database because then they can read everyone’s private chats. I am not sure if this is possible.
Currently, if a user can read the config file then they can log in to the MySQL database, because the
DataSource in the config is of the form
mmuser:password@tcp(host:port)/mattermost?charset=.... Clearly this also means that they can read any post if they are so inclined.
Is it possible to remove the password from
DataSource and authenticate another way, e.g. using
~/.my.cnf, or a private key? If so, then I think it would work, because only
mmuser would be able to log in to the database, while other users would be able to read the config file.