Connect MySQL / MariaDB

MySQL 5.7+ and MariaDB 10.4+ are supported. We connect over TLS; for private networks, route through the gateway agent.

1. Create a read-only user

CREATE USER 'oa_reader'@'%' IDENTIFIED BY 'ChangeMe-Strong-1!'
  REQUIRE SSL;
GRANT SELECT, SHOW VIEW ON mydb.* TO 'oa_reader'@'%';
GRANT REPLICATION CLIENT ON *.* TO 'oa_reader'@'%';  -- only if CDC planned
FLUSH PRIVILEGES;

Limit '@'%' to our egress IPs with 'oa_reader'@'10.20.0.129' and a second row for 10.20.0.130 if you prefer explicit scoping.

2. Enforce TLS

Ensure your server has a cert and the have_ssl variable is YES:

SHOW VARIABLES LIKE 'have_ssl';

If DISABLED, generate a cert (mysql_ssl_rsa_setup) and restart.

3. Add the connection

Sources → Add → MySQL:

Host, port (default 3306), database
Username, password
SSL: required (recommended) or verify-full if you upload the CA

4. CDC via binlog

For large tables enable row-based binlog replication:

[mysqld]
server_id = 1
log_bin = mysql-bin
binlog_format = ROW
binlog_row_image = FULL
expire_logs_days = 7

Restart MySQL, then in OneAnalytics check Dataset → Settings → CDC via binlog. We create a oneanalytics_xxx replica position and stream changes from that point forward.

Gotchas

utf8 vs utf8mb4 — Columns in legacy utf8 (3-byte) drop emoji and some Devanagari characters. Use utf8mb4 everywhere.
TIMESTAMP timezones — MySQL stores TIMESTAMP in UTC-normalised form but returns it in the session timezone. We set time_zone = '+00:00' on every session to make results deterministic.
MariaDB SEQUENCE — Treated as a table; ignored by dataset import unless you select it.

Performance tips

For big imports, set net_read_timeout = 600 and net_write_timeout = 600 on the server or in my.cnf to survive multi-minute SELECT streams.
Add an index on any column used heavily in dataset filters — our compiler generates straightforward WHERE clauses that benefit from standard B-tree indexes.