STT check for SUPER privileges is too restrictive

Description

User story:
Under normal operations it is very common to require the SUPER privilege for certain users, for example admin users, replication topology management, etc. To make the check useful, it should not be overly restrictive and instead permit the user to provide exclusions to the rule to avoid alert fatigue.

UI/UX:

Acceptance criteria

Out of scope:

Suggested implementation:

How to test:

Details:
A way to specify users to be excluded from the check for the SUPER privilege is required. The following would be needed as ways to exclude a user:

  • Perform a partial match, examining only the mysql.user.User, e.g. the user can specify percona and any accounts for that username would be excluded

  • Perform exact matching, examining the full account (user and host) to allow for specific accounts to be excluded

Bonus points if pattern matching is supported, which would allow the widest level of customisation with fewer rules.
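
One way the three exclusion modes described above could behave, as an added example rather than code from the ticket or from PMM. The rule syntax (a bare `user`, or `user@host`, with shell-style `*` and `?` wildcards), the function names and the sample rows are all assumptions; the rows are constructed to look like the output of `SELECT User, Host, Super_priv FROM mysql.user`.

```python
from fnmatch import fnmatchcase

def parse_rule(rule):
    """Split an exclusion rule into (user_pattern, host_pattern or None).

    Assumed syntax: 'user' excludes that user on any host; 'user@host'
    excludes one specific account. Host names cannot contain '@', so the
    split is on the last '@' in the rule.
    """
    user, sep, host = rule.rpartition("@")
    if not sep:                      # no '@' present: user-only rule
        return rule, None
    return user, host.lower()        # MySQL compares hosts case-insensitively

def is_excluded(user, host, rules):
    """True if the account matches any exclusion rule."""
    for rule in rules:
        user_pat, host_pat = parse_rule(rule)
        # User names are case-sensitive in MySQL, so match them as given.
        if not fnmatchcase(user, user_pat):
            continue
        # '%' in a MySQL host is a literal character to fnmatch, so a rule
        # such as 'repl@10.0.%' matches exactly the account 'repl'@'10.0.%'.
        if host_pat is None or fnmatchcase(host.lower(), host_pat):
            return True
    return False

def flagged_accounts(rows, rules):
    """Return 'user@host' for every SUPER account not covered by a rule."""
    return [
        f"{user}@{host}"
        for user, host, super_priv in rows
        if super_priv == "Y" and not is_excluded(user, host, rules)
    ]

# Constructed sample data (not taken from a real server).
SAMPLE_ROWS = [
    ("root", "localhost", "Y"),
    ("percona", "10.0.0.5", "Y"),
    ("percona", "%", "Y"),
    ("repl", "10.0.%", "Y"),
    ("repl", "%", "Y"),
    ("app", "%", "N"),
    ("dba_alice", "localhost", "Y"),
]
SAMPLE_RULES = ["percona", "repl@10.0.%", "dba_*@localhost"]

if __name__ == "__main__":
    for account in flagged_accounts(SAMPLE_ROWS, SAMPLE_RULES):
        print("SUPER granted and not excluded:", account)
```

Keeping exclusions as narrow as the account allows (full `user@host` where possible) means a later grant of SUPER to the same user name from a wider host still raises an alert, as `repl@%` does here.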

How to test

None

How to document

None

Created August 24, 2021 at 8:23 AM
Updated March 6, 2024 at 2:17 AM