MSSQL DBA here, I know how to do the following in TSQL, I am wondering if the same can be done in MySQL. Basically, set a variable and be able to use it throughout a script. MySQL docs have gotten me only so far, looking for some veteran MySQL devs/dbas for some detail. Thanks.
SET #newuser := `'usr652'#'%.domain.com'`;
SET #pw := `'ge?jJ!ARxbz$qiC6n'`;
CREATE USER #newuser IDENTIFIED BY #pw;
ALTER USER IF EXISTS
#newuser PASSWORD EXPIRE;
GRANT USAGE ON `POP%`.* TO #newuser;
GRANT SELECT ON `POP%`.* TO #newuser;
SHOW GRANTS FOR #newuser;
Related
Is it possible in MySQL to do a GRANT to a user on a set of tables within a database, e.g. to allow CREATE AND DROP ing of some table names but not others?
Neither of these seem to work:
GRANT SELECT ON `testdb`.`%_testing` TO 'wildcardtest'#'localhost';
GRANT SELECT ON `testdb`.`testing%` TO 'wildcardtest'#'localhost';
and the MySQL manual doesn't seem to give an answer either way.
The only wildcard that works in the GRANT statement is *
GRANT SELECT ON `testdb`.* TO 'user'#'localhost';
GRANT SELECT ON *.* TO 'privilegeduser'#'localhost';
It's all or one; there's no facility for dynamic matching of table names to granted privileges.
Nope. You can separate table names with commas but can't use wildcards in a GRANT.
Create a new empty database .
Give it access to the original database ( use a user who allready have access to original database )
in this new database
CREATE VIEW test as SELECT * from originaldatabase.tablename
WHERE conditions...
Then give test user access to NewDatabase whith
GRANT select on NewDatabase.* to 'testuser'#'localhost'
Then only create views for the tables you want testuser to access.
Also remember you can do a USER() in the WHERE part of the view:
example:
create view test as
select * from original.customer where mysql_user = USER()
In the original.customer you must then have a column 'mysql_user'
and every row the test user is allowed to see must have testuser#localhost as a entry
The testuser will see all the created views as tables in the database 'test'
Within my mysql script,
I am creating a user as follows:
CREATE DATABASE fire;
after creating a table called Table1, privileges are changed
GRANT SELECT ON fire.Table1 TO 'user1'#'localhost';
In this case, fire is hardcoded, however, say in the future, I created a mysql database called called "ice" and I wanted to reuse the script above, but I want the below line to this time grant privileges for fire.TABLE1, but in this case, it is really "ice.TABLE1". How do I make mysql think that "fire" means some other variable without having to change "fire" to "ice" everywhere on my script?
GRANT SELECT ON fire.Table1 TO 'user1'#'localhost';
Do not include the database name in your grant scripts, but issue a use dbname statement to set the default database for your scripts to whatever database you want to work with.
As mysql manual on grant statement says:
If you use ON * syntax (rather than ON .), privileges are assigned at the database level for the default database. An error occurs if there is no default database.
So, your script would look like:
USE fire;
GRANT SELECT ON Table1 TO 'user1'#'localhost';
I am trying to revoke select privilege from a particular table from a MySQL DB.
Database level restriction is working but table level is not.
When I write "show grants"
This is what I get :
| GRANT USAGE ON *.* TO 'rachit'#'localhost' IDENTIFIED BY PASSWORD '*2470C0C06DEE42FD1618BB99005ADCA2EC9D1E19' |
| GRANT ALL PRIVILEGES ON `test123`.* TO 'rachit'#'localhost' |
| GRANT INSERT, UPDATE, DELETE ON `test123`.`names123` TO 'rachit'#'localhost'
As you can see above I want to
revoke select privilege from rachit user on 'names123' table of 'test123' database, but SELECT is working.
I have attached a screenshot below for better understanding.
https://ibb.co/GRtjXX7
If you GRANT ALL ON test123.* TO 'rachit'#'localhost' you cannot remove one table by running REVOKE ALL ON test123.* TO 'rachit'#'localhost'.
some DBMS systems specifically DENY option for specifically denying access to specific table but this is not the case for mysql.
you may consider to write script and give access to each table one by one
Discussion:
If it wasn't specifically GRANTed, it can't be REVOKEd. This is an unfortunate side effect of the not-so-user-friendly Grant/Revoke syntax and implementation.
You can use a SELECT against information_schema.TABLES to automate the discovery of all the other tables. And have the SELECT build the desired GRANTs.
Possible workaround:
Another approach to your particular problem is to move that one table to a different database. Then GRANT different permissions to that db.
I am using a hosted web service account that uses cpanel as its management system. When logged into phpmyadmin, I am trying to import an SQL file that contains tables and some procedures.
CREATE DEFINER=`root`#`localhost` PROCEDURE `getClientDashboardStatsMap` (IN `in_userID` INT) BEGIN
SELECT
rl.city,
rl.state,
rl.zip,
rl.longitude,
rl.latitude,
rl.timestamp,
count(rl.ID) as total
FROM
crowd.redemption_log as rl
JOIN
reward as r
ON
rl.rewardID = r.rewardID
WHERE
r.userID = 1
AND
rl.timestamp BETWEEN NOW() - INTERVAL 30 DAY AND NOW()
GROUP BY
rl.city, rl.state, rl.zip
ORDER BY
total DESC;
END$$
When I try to run this, I get an error about needing super user privileges to do so. Doing some searching, people suggested removing the definer line like so:
CREATE PROCEDURE getClientDashboardStatsMap (IN in_userID INT) BEGIN.
While this allows me to complete the import, I am running into another issue. The procedures are getting a default definer of cpaneluser#localhost. However, the database user that is set up is different than this user so the procedure has no permissions for things like select, update, delete. The database user is cpaneluser_dbusername, which is typical for hosted sites like this so you can associate databases with accounts.
How else can I get this procedures to run, under the correct user? I don't see any settings in PHPMYADMIN for privileges in order to run these as a super user.
There are two ways to solve this problem:
Log into phpmyadmin with the database user cpaneluser_dbusername. I am not familar with phpmyadmin and cpanel, so I'm not sure whether they provide you the option to change the user. You should check it out by yourself. I'm using MySQL Workbench and MySQL Administrator, they both privode me this option.
Grant privileges to cpaneluser#localhost. Such as:
GRANT ALL ON db_name.table_name TO 'cpaneluser#localhost';
It's better if you grant each privilege explicitly, e.g.: GRANT SELECT,INSERT,UPDATE,DELETE ON .... Check GRANT Syntax.
I want to create a user and only allow them to use select statements on the cameracircle database. So I have the following code:
CREATE USER 'hoeym'#'localhost' IDENTIFIED BY 'password';
CREATE DATABASE cameracircle;
GRANT SELECT ON cameracircle TO 'hoeym'#'localhost';
But the phpmyadmin doesn't like that. If I run this it says there is an error cause I don't have a databases selected, and if I add in USE cameracircle; before the GRANT statement it says that there is no table inside the database with the same name as the database. What have I done wrong?
Before you issue a GRANT statement, check that the
derby.database.sqlAuthorization
property is set to true. The derby.database.sqlAuthorization property enables the SQL Authorization mode.
Solved it with
GRANT SELECT ON cameracircle.* TO 'hoeym'#'localhost';
phpMyAdmin lets you do this graphically. From the Users tab, look for Add User then don't select anything for the Global Privileges area. Go ahead and create the user, then edit the privileges. Halfway down the page there's a area for "Database-specific privileges" where you can specify the permissions on a database (or even table-) level.