If you need to enforce fine-grained access control in Vitess, you cannot use the normal MySQL GRANTs system to give certain application-level MySQL users more or fewer permissions than others. This is because Vitess uses connection pooling with fixed MySQL users at the VTTablet level, and implements its own authentication at the VTGate level.

Not all of the MySQL GRANT system has been implemented in Vitess. Authorization is instead done via table-level ACLs. Individual users can be assigned three levels of permission, each applied to a specified set of tables, which can be enumerated or specified by regex:

  • Read (corresponding to read DML, e.g. SELECT)
  • Write (corresponding to write DML, e.g. INSERT, UPDATE, DELETE)
  • Admin (corresponding to DDL, e.g. ALTER TABLE)


Vitess authorization via ACLs is applied at the VTTablet level, as opposed to on VTGate, where authentication is enforced. There are a number of VTTablet command line parameters that control the behavior of ACLs. You can see examples and read more about the command line parameters and further configuration options here
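
As an added example (not taken from the Vitess documentation), the Python script below audits a table ACL file for the three permission levels described above: it lists every user's grants per table pattern and flags Write or Admin granted on a wildcard pattern. It assumes the `table_groups` JSON layout with `table_names_or_prefixes`, `readers`, `writers` and `admins` keys and a trailing `%` as the wildcard, so check both against the Vitess version you run; the group, table and user names are constructed.

```python
import json

# Constructed sample ACL file. The key names and the trailing-% wildcard are
# assumptions about the table ACL JSON layout; all values are made up.
SAMPLE_ACL = """
{
  "table_groups": [
    {"name": "orders",
     "table_names_or_prefixes": ["orders", "order_items"],
     "readers": ["app_ro", "app_rw"],
     "writers": ["app_rw"],
     "admins": ["schema_migrator"]},
    {"name": "catch_all",
     "table_names_or_prefixes": ["%"],
     "readers": ["reporting"],
     "writers": ["legacy_batch"],
     "admins": []}
  ]
}
"""

ROLES = ("readers", "writers", "admins")  # Read, Write, Admin


def grants_by_user(config):
    """Return {user: {(table_pattern, role), ...}} from a parsed ACL config."""
    grants = {}
    for group in config.get("table_groups", []):
        for pattern in group.get("table_names_or_prefixes", []):
            for role in ROLES:
                for user in group.get(role, []):
                    grants.setdefault(user, set()).add((pattern, role))
    return grants


def broad_privileged_grants(config):
    """Return sorted (user, pattern, role) where Write/Admin covers a wildcard."""
    findings = []
    for user, pairs in grants_by_user(config).items():
        for pattern, role in pairs:
            if role != "readers" and pattern.endswith("%"):
                findings.append((user, pattern, role))
    return sorted(findings)


if __name__ == "__main__":
    cfg = json.loads(SAMPLE_ACL)
    for user, pairs in sorted(grants_by_user(cfg).items()):
        print(user, sorted(pairs))
    for finding in broad_privileged_grants(cfg):
        print("REVIEW:", finding)
```

Running the audit in CI against the ACL file that VTTablet loads makes a new wildcard Write or Admin grant visible at review time.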