I have migrated Grafana from an SQLite database to MySQL (in fact, MariaDB 10.3.22), so the database is now located on a different machine. It is obvious that the software needs a database account now, so I created a separate one:
MariaDB [(grafana)]> create user 'grafana'@'%' identified by 'XX';
Then I adjusted the Grafana configuration file to use the newly created account, and everything worked. The thing is that I cannot understand how it works when it comes to privileges (the goal is to apply the least privileges possible). I didn't assign any privileges to the new user. Current ones:
MariaDB [(grafana)]> show grants for grafana;
| Grants for grafana@% |
| GRANT USAGE ON *.* TO 'grafana'@'%' IDENTIFIED BY PASSWORD 'XX' |
The MySQL documentation says that the "usage" privilege (assigned at creation time) is a synonym for "no privilege". In other words, I should expect that Grafana wouldn't work at all. But it works like a charm.
How is it possible that reads and writes are possible? I could find neither a reasonable explanation of this topic nor any similar threads.