Grant Remote Access to a User - mysql

I've made a user only for specific operations make, read, update and delete (CRUD operations) on a specific database like so:
REVOKE ALL PRIVILEGES, GRANT OPTION FROM 'username'@'localhost';
GRANT SELECT, INSERT ON database_name.* TO 'username'@'localhost';
But then, I'm getting this error message trying to access the database remotely with the previous user:
ERROR 1130 (HY000): Host 'ip_address' is not allowed to connect to this MySQL server
Any idea how to grant the remote access without giving it all privileges?

When you set the hostname of a user to localhost, MySQL will not accept remote connections for the user. You need to set the host name to an ip address or ip address range. To allow connections from anywhere, execute
RENAME USER 'username'@'localhost' TO 'username'@'%';
Please also have a look at the official documentation: https://dev.mysql.com/doc/refman/8.0/en/account-names.html
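A narrower alternative to the '%' host, as an added example that is not part of the original answer: it adds a second account row limited to one subnet and grants that row only the CRUD privileges on the one database. The subnet 192.0.2.% and the password are constructed placeholders.

```sql
-- Added example; 192.0.2.% and the password are constructed placeholders.

-- 1. List the account rows that exist for this user name. Each user/host
--    pair is a separate account with its own password and privileges.
SELECT user, host FROM mysql.user WHERE user = 'username';

-- 2. Create a second row that matches only clients in one subnet, leaving
--    'username'@'localhost' untouched.
CREATE USER 'username'@'192.0.2.%' IDENTIFIED BY 'replace-with-a-strong-password';

-- 3. Grant only the CRUD privileges, and only on the one database.
--    Privileges are stored per row, so the grants held by
--    'username'@'localhost' do not carry over to the new row.
GRANT SELECT, INSERT, UPDATE, DELETE ON database_name.* TO 'username'@'192.0.2.%';

-- 4. Review what the new row is allowed to do before handing it out.
SHOW GRANTS FOR 'username'@'192.0.2.%';
```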

Related

Can't find matching rows in table error when trying to grant privileges to mariadb user

It seems like this should be easy...I literally pulled this command from the mysql handbook, changed the privileges granted slightly and the user. I'm just trying to add privileges to a user and I'm getting an error in the command line. Here is the command I'm trying to send through:
GRANT SELECT,INSERT,UPDATE,DELETE ON mytable.* TO 'myclient';
And here is the error I'm getting:
ERROR 1133 (28000): Can't find any matching row in the user table
The table and the user already exist. Here is the part of the mysql handbook I'm referencing:
https://dev.mysql.com/doc/refman/8.0/en/adding-users.html
What am I doing wrong here?
(MariaDB version 10.1.34 on Ubuntu server 18.04)
From the documentation
As a user, when you connect to a MySQL server, your identity is
determined by the host from which you connect and the user name you
specify.
So, MySQL privileges are not granted to the named user, but to a user connecting from a particular host. This way the named user can have different privileges depending on where they connect from.
When granting privileges it's usual to specify both the user and host parts so that they can be matched to the correct user and host combination. If the host part is omitted, as here, then MySQL assumes that the host is the wildcard '%' (i.e. from anywhere). Your command is therefore treated as
GRANT SELECT,INSERT,UPDATE,DELETE ON mytable.* TO 'myclient'@'%';
and the error message you quote means that there is no record in the mysql.user table where user = 'myclient' and host = '%'.

Create a user on mysql database at RDS

I tried to create a user to grant access to a database hosted at Amazon RDS. The user was created, but I can't access the database that it is allowed to manage. Here's the code I used:
GRANT ALL PRIVILEGES ON my_db.* TO 'admin'@'my.rds.domain' IDENTIFIED BY
'xxxyyyzzz';
FLUSH PRIVILEGES ;
I ran that from my mysql client (DataGrid). Also, I verified that the user was created using:
SELECT * FROM mysql.user;
And effectively, the user is listed.
Is there any special configuration I have to make at RDS console, or what?
In the GRANT command, 'admin'@'my.rds.domain' means that admin user connecting from my.rds.domain host is granted all privileges on my_db's all objects.
If this admin user attempts to log on from hostname abc.microsoft.com, no access will be given. If the hostname is not understood by MySQL server, it uses IP to form a user@hostname (e.g. 'admin'@'88.99.11.22'). If that entry is not in mysql.users table access will be denied.
If we use 'admin'@'%', it means that admin user logging in from any system is granted the rights. So when you changed hostname to %, access was granted. For better security, if you know that the user is going to log on from a particular IP or hostname only, it would be best to do like you did ('admin'@'hostname').

Access denied for user 'user'@'host' (using password: YES)

I have a created user in my MySQL database:
CREATE USER 'user'@'host' IDENTIFIED BY 'password';
I have granted that user full privileges:
GRANT ALL ON *.* to 'user'@'host';
Echoing the grant:
GRANT ALL PRIVILEGES ON *.* TO 'user'@'host' IDENTIFIED BY PASSWORD '*03FFC888F82E921D8CA360925A8F443CF326DE89'
I can connect from MySQL workbench using this login credential w/o any issues and execute queries. And it's running on the same machine the web application is running on. MySQL instance is running on another computer in the same local network.
However, when I try to use the same credentials from my web application running in Tomcat7 under Eclipse I receive the error. Please advise.
Note: As of last night, the web application was able to connect just fine. With nothing changing (that I am aware of - I am only one working on this), this morning I could not connect.
RESOLVED:
I added the user with grants using the IP address for the host for the local machine.
I am not sure what changed on the server, but now I am able to connect again.
Would someone possibly be able to explain this change, and with it why I am now required to use the IP address when previously the local host name was sufficient?
Make sure you are using the appropriate hostname, and you're accessing from that host, the user can't connect from another host.
To give permission you must put the password unencrypted.
Example
GRANT ALL PRIVILEGES ON test.* TO 'root'@'localhost'
IDENTIFIED BY 'goodsecret';
Also must be the same password when you create the user.
Here How adding users to MySQL
Note: For more information on GRANT here is the documentation.
Hope this helps

How do I manually block and then unblock a specific IP/Hostname in MYSQL

First off, I did google this but sites are flooded with advice on how to deal with "host name is blocked" issues. (https://www.google.com/search?q=mysql+block+a+host). My issue is a little bit the opposite of that.
With me, I am running a MySQL database and no PHP is involved.
I need to block a certain host-name/IP address from connecting to my database, then I will unblock it. I am hoping there are 2 simple queries for this that I can execute on the MySQL database, I just can't seem to find it anywhere.
I can find the hostnames pretty easily by running the show processlist query and I know I can kill one process at a time, but so many new threads pop up that if I can just block all of them from a certain hostname, that would be ideal. Then I will unblock once I fix a few things.
You can use GRANT to give a non-privileged entry for a user connecting from a specific host, even if you have GRANTed privileges to a wildcard including that host. When authenticating, the most specific host match takes precedence.
For example, suppose you enabled a user to connect from a range of hosts on your local subnet:
mysql> GRANT ALL PRIVILEGES ON *.* TO 'user'@'192.168.56.%' IDENTIFIED BY 'xyzzy';
Then you could grant the minimal USAGE privilege, which is a synonym for "no privileges" for that user for one specific host within that subnet:
mysql> GRANT USAGE ON *.* TO 'user'@'192.168.56.110';
Subsequent attempts to connect from that host get this error:
$ mysql -uuser -pxyzzy
ERROR 1045 (28000): Access denied for user 'user'@'192.168.56.110' (using password: YES)
The reason this gets an error is that I did this grant for the user with no password. If I try to submit a password, this doesn't match the entry in the privileges table.
Even if the user tries to connect without using a password, he finds he has no access to anything.
$ mysql -uuser
mysql> USE mydatabase;
ERROR 1044 (42000): Access denied for user 'user'@'192.168.56.110' to database 'mydatabase'
You can undo the blocking:
mysql> DELETE FROM mysql.user WHERE host='192.168.56.110' AND user='user';
mysql> FLUSH PRIVILEGES;
And then the IP range will come back into effect, and the user will be able to connect from that host again.
You can revoke privileges as mentioned above, but this will still allow a user to make a connection to your MySQL server - albeit this will prevent that user from authenticating. If you really want to block/allow connections to your MySQL server based on IP, use iptables.
Have you tried using MySQL Workbench?
You can simply remove ROLES for a specific User/Host from there.

Unable to connect mysql using ip address

I try to connect to my db using my IP address 203.199.209.** as the host address, but I am not able to connect. If I try to connect using localhost as the host address, it connects successfully.
How to solve this issue?
MySQL grants access based on which host you are connecting from.
Run this command as root:
SELECT user, host FROM mysql.user;
These are the users which exist on your server. Notice the host column.
In short, a user is defined as both a user name (user) and a point of connection (host). When you access your server as localhost, you actually log in as some_user@localhost. On the other hand, when you access the server via its IP address, you actually log in as some_user@your.ip.address.here. I guess the latter does not exist on your server.
You may want to create a new user such as some_user@your.ip.address.here or some_user@% (the percent sign is a wildcard; here, it means "any host"):
CREATE USER 'some_user'@'your.ip.address.here' IDENTIFIED BY 'your_password';
GRANT ALL ON your_database.* to 'some_user'@'your.ip.address.here';
If you wish to dig further, see this manual page for more details about MySQL access control, and this page for the CREATE USER syntax.
[edit]
Obviously, as suggested by others, you first need to make sure your server listens to this IP address (203.199.209.**). But if this were not already the case, you should get the following error:
ERROR 2003 (HY000): Can't connect to MySQL server on '203.199.209.**' (111)
The error you are getting definitely indicates a permission issue.
For mysql-5.7.15-winx64 (Windows Version), login as "root" user and run the following queries in MYSQL:
CREATE USER 'user'@'localhost' IDENTIFIED BY 'pass';
GRANT ALL PRIVILEGES ON *.* TO 'user'@'localhost' WITH GRANT OPTION;
CREATE USER 'user'@'%' IDENTIFIED BY 'pass';
GRANT ALL PRIVILEGES ON *.* TO 'user'@'%' WITH GRANT OPTION;
FLUSH PRIVILEGES;
and then Re-start your MYSQL DB.
For this version of MYSQL DB no changes are required in "my-default.ini" located in the same location as "bin" folder.
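An audit check for accounts like the 'user'@'%' row created above, as an added example that is not part of the original answer: it lists account rows whose host part is a wildcard and that hold global privileges or the grant option, so they can be reviewed and narrowed. It assumes the privilege columns of mysql.user as found in MySQL 5.7/8.0 and MariaDB.

```sql
-- Added example. Run as an administrative user.

-- Accounts reachable from a wildcard host ('%', a pattern containing '%',
-- or the empty host, which also means "any host") that hold at least one
-- global (ON *.*) data privilege, SUPER, or the grant option.
SELECT user, host,
       Select_priv, Insert_priv, Update_priv, Delete_priv,
       Super_priv, Grant_priv
FROM mysql.user
WHERE (host = '' OR host LIKE '%\%%')
  AND 'Y' IN (Select_priv, Insert_priv, Update_priv, Delete_priv,
              Super_priv, Grant_priv)
ORDER BY user, host;

-- Database-level grants held by wildcard-host accounts. These rows are
-- narrower than global privileges but still apply to any client that
-- matches the host pattern.
SELECT user, host, db
FROM mysql.db
WHERE host = '' OR host LIKE '%\%%'
ORDER BY user, host, db;

-- For each row returned, print the full grant list before deciding
-- whether to narrow the host part or the privileges.
SHOW GRANTS FOR 'user'@'%';
```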