MySQL: Flush Privileges Not Effective For Existing Connection - mysql

So on my database granting/revoking privileges kind of only takes effect after establishing a new connection. I need it effective instantly though, and as I understand this is what flush privileges should be for, but for some reason it doesn't work.
My setup:
(there is an established database connection from server1 to database server)
Database server:
GRANT ALL PRIVILEGES ON *.* TO 'user'#'1.2.3.4';
FLUSH PRIVILEGES;
SHOW GRANTS FOR user#1.2.3.4;
> GRANT ALL PRIVILEGES ON *.* TO 'user'#'1.2.3.4' IDENTIFIED BY PASSWORD <secret>
Server1 (IP 1.2.3.4):
SHOW GRANTS;
> GRANT ALL PRIVILEGES ON *.* TO 'user'#'1.2.3.4' IDENTIFIED BY PASSWORD <secret>
SHOW DATABASES;
> only information_schema, doesn't show any other databases
And only after re-establishing the database connection does SHOW DATABASES update to show all databases. Same behaviour for when I query information_schema.tables to gather available databases.
The SHOW GRANTS on the server1 always shows the correct info immediately.
This is reproducible and is the same for revoke commands. MySQL server version is 5.6 if that's important.

So on my database granting/revoking privileges kind of only takes effect after establishing a new connection.
That is true.
I need it effective instantly though.
You Can't Do That™. Changed privileges take effect with new connections.

Related

Mysql lost privilegies after reboot

I use MYSQL 8.0.27 and Ubuntu. My problems are user's privileges. I can create and connect to database. It's ok. But when i reboot the machine, the user's privileges lost.
Example create user:
CREATE USER 'usuario'#'%' IDENTIFIED BY 'pass';
GRANT ALL PRIVILEGES ON bbdd.* TO 'usuario'#'%' WITH GRANT OPTION;
UPDATE user SET plugin='mysql_native_password' WHERE User='usuario';
If i show privilegies for usuario. I see that ok. But if i reboot my machine and again i show the privilegies mysql says There is no such grant defined for user 'usuario' on host '%'

Set privilages to certain database for newly created user

I have foo_bar_test database existing on my mysql server on host 127.0.0.1.
But there's no user that can access it but root, and I don't want to use root user anywhere in my code. So I created new user, fb_test, and granted him privileges for this database:
create user fb_test#'127.0.0.1' identified by password 'some_password';
grant all on 'foo_bar_test.*' to fb_test#'127.0.0.1';
flush privileges;
Ok, that should work, but when I log in as this user, I don't have any database available!
What's wrong?
I checked it using show grants for fb_test#'127.0.0.1', but it shows some strange results:
grant usage on *.* to fb_test#'127.0.0.1' identified by password '*another_password_dont_know_which_one'
How do I solve this?
you have an error in grant statement. Use the query:
grant all on 'foo_bar_test'.* to fb_test#'127.0.0.1';
In fact your grant command results an error which I think you ignored.

MySQL only works with: skip-grant-tables

I forgot the root password, so followed a few different methods to reset, which eventually worked.
Now I am unable to create new databases on PHPmyAdmin, the message "no privileges" is displayed.
So I try to add all the permissions to ROOT again using:
GRANT ALL PRIVILEGES ON *.* TO 'root'#'%' WITH GRANT OPTION;
But then I get the error:
#1290 - The MySQL server is running with the --skip-grant-tables option so it cannot execute this statement
So I remove the "skip-grant-tables" from my.ini, then my MySQL based sites stop working.
Have I officially fudged it up?
Make sure you flush the privileges:
GRANT ALL PRIVILEGES ON *.* TO 'root'#'%' WITH GRANT OPTION;
FLUSH PRIVILEGES;
From the documentation:
FLUSH PRIVILEGES
Reloads the privileges from the grant tables in the mysql database.
The server caches information in memory as a result of GRANT and CREATE USER statements. This memory is not released by the corresponding REVOKE and DROP USER statements, so for a server that executes many instances of the statements that cause caching, there will be an increase in memory use. This cached memory can be freed with FLUSH PRIVILEGES.

Not seeing database from localhost but seeing it when connecting to server

I'm connecting to the mysql server as user 'someuser'. When I connect to the server from my localbox I get to see all the databases.
However, when I SSH into the server and login with 'someuser' and execute show databases; I only see two: information_schema and test
How can I view all the databases when I SSH into the DB as well?
show grants; shows the below
mysql> show grants;
| Grants for dev#localhost |
| GRANT USAGE ON *.* TO 'someuser'#'localhost' IDENTIFIED BY PASSWORD '*' |
Edit
When I SSH into the server and login to mysql using root then I can see all the databases fine.
GRANT USAGE is not what you want. According to the mysql documentation:
USAGE Synonym for “no privileges”
It is used at the global level with GRANT to modify account attributes such as resource limits or SSL characteristics without affecting existing account privileges.
http://dev.mysql.com/doc/refman/5.1/en/grant.html
You need to grant actual privileges to your "someuser" user for the database the user needs to see. For example, if you grant select privileges on the mysql.*:
GRANT SELECT ON mysql.*
TO someuser#localhost IDENTIFIED BY "somepassword";
FLUSH PRIVILEGES;
Now, someuser connected from localhost will be able to see the mysql database when executing
SHOW DATABASES;
However, you might want to reserve the access to the mysql database for root only.

MySQL: Grant **all** privileges on database

I've created database, for example 'mydb'.
CREATE DATABASE mydb CHARACTER SET utf8 COLLATE utf8_bin;
CREATE USER 'myuser'#'%' IDENTIFIED BY PASSWORD '*HASH';
GRANT ALL ON mydb.* TO 'myuser'#'%';
GRANT ALL ON mydb TO 'myuser'#'%';
GRANT CREATE ON mydb TO 'myuser'#'%';
FLUSH PRIVILEGES;
Now i can login to database from everywhere, but can't create tables.
How to grant all privileges on that database and (in the future) tables. I can't create tables in 'mydb' database. I always get:
CREATE TABLE t (c CHAR(20) CHARACTER SET utf8 COLLATE utf8_bin);
ERROR 1142 (42000): CREATE command denied to user 'myuser'#'...' for table 't'
GRANT ALL PRIVILEGES ON mydb.* TO 'myuser'#'%' WITH GRANT OPTION;
This is how I create my "Super User" privileges (although I would normally specify a host).
IMPORTANT NOTE
While this answer can solve the problem of access, WITH GRANT OPTION creates a MySQL user that can edit the permissions of other users.
The GRANT OPTION privilege enables you to give to other users or remove from other users those privileges that you yourself possess.
For security reasons, you should not use this type of user account for any process that the public will have access to (i.e. a website). It is recommended that you create a user with only database privileges for that kind of use.
This is old question but I don't think the accepted answer is safe. It's good for creating a super user but not good if you want to grant privileges on a single database.
grant all privileges on mydb.* to myuser#'%' identified by 'mypasswd';
grant all privileges on mydb.* to myuser#localhost identified by 'mypasswd';
% seems to not cover socket communications, that the localhost is for. WITH GRANT OPTION is only good for the super user, otherwise it is usually a security risk.
Update for MySQL 5.7+ seems like this warns about:
Using GRANT statement to modify existing user's properties other than
privileges is deprecated and will be removed in future release. Use
ALTER USER statement for this operation.
So setting password should be with separate commands. Thanks to comment from #scary-wombat.
ALTER USER 'myuser'#'%' IDENTIFIED BY 'mypassword';
ALTER USER 'myuser'#'localhost' IDENTIFIED BY 'mypassword';
This will be helpful for some people:
From MySQL command line:
CREATE USER 'newuser'#'localhost' IDENTIFIED BY 'password';
Sadly, at this point newuser has no permissions to do anything with the databases. In fact, if newuser even tries to login (with the password, password), they will not be able to reach the MySQL shell.
Therefore, the first thing to do is to provide the user with access to the information they will need.
GRANT ALL PRIVILEGES ON * . * TO 'newuser'#'localhost';
The asterisks in this command refer to the database and table (respectively) that they can access—this specific command allows to the user to read, edit, execute and perform all tasks across all the databases and tables.
Once you have finalized the permissions that you want to set up for your new users, always be sure to reload all the privileges.
FLUSH PRIVILEGES;
Your changes will now be in effect.
For more information: http://dev.mysql.com/doc/refman/5.6/en/grant.html
If you are not comfortable with the command line then you can use a client like MySQL workbench, Navicat or SQLyog
1. Create the database
CREATE DATABASE db_name;
2. Create the username for the database db_name
GRANT ALL PRIVILEGES ON db_name.* TO 'username'#'localhost' IDENTIFIED BY 'password';
3. Use the database
USE db_name;
4. Finally you are in database db_name and then execute the commands like create , select and insert operations.
This SQL grants on all databases but just basic privileges. They're enough for Drupal or Wordpress and as a nicety, allows one developer account for local projects.
GRANT SELECT, INSERT, UPDATE, DELETE, CREATE, DROP,
INDEX, ALTER, CREATE TEMPORARY TABLES
ON *.* TO 'username'#'localhost' IDENTIFIED BY 'password';
GRANT ALL PRIVILEGES ON mydb.* TO myuser#localhost IDENTIFIED BY 'mypasswd';
Works for privileges on schema :)
Optional: after mypasswd you can add WITH GRANT OPTION
I could able to make it work only by adding GRANT OPTION, without that always receive permission denied error
GRANT ALL PRIVILEGES ON mydb.* TO 'myuser'#'localhost' WITH GRANT OPTION;
Hello I used this code to have the super user in mysql
GRANT EXECUTE, PROCESS, SELECT, SHOW DATABASES, SHOW VIEW, ALTER, ALTER ROUTINE,
CREATE, CREATE ROUTINE, CREATE TEMPORARY TABLES, CREATE VIEW, DELETE, DROP,
EVENT, INDEX, INSERT, REFERENCES, TRIGGER, UPDATE, CREATE USER, FILE,
LOCK TABLES, RELOAD, REPLICATION CLIENT, REPLICATION SLAVE, SHUTDOWN,
SUPER
ON *.* TO mysql#'%'
WITH GRANT OPTION;
and then
FLUSH PRIVILEGES;
I had this challenge when working on MySQL Ver 8.0.21
I wanted to grant permissions of a database named my_app_db to the root user running on localhost host.
But when I run the command:
use my_app_db;
GRANT ALL PRIVILEGES ON my_app_db.* TO 'root'#'localhost';
I get the error:
ERROR 1064 (42000): You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'my_app_db.* TO 'root'#'localhost'' at line 1>
Here's how I fixed:
Login to your MySQL console. You can change root to the user you want to login with:
mysql -u root -p
Enter your mysql root password
Next, list out all the users and their host on the MySQL server. Unlike PostgreSQL this is often stored in the mysql database. So we need to select the mysql database first:
use mysql;
SELECT user, host FROM user;
Note: if you don't run the use mysql, you get the no database selected error.
This should give you an output of this sort:
+------------------+-----------+
| user | host |
+------------------+-----------+
| mysql.infoschema | localhost |
| mysql.session | localhost |
| mysql.sys | localhost |
| root | localhost |
+------------------+-----------+
4 rows in set (0.00 sec)
Next, based on the information gotten from the list, grant privileges to the user that you want. We will need to first select the database before granting permission to it. For me, I am using the root user that runs on the localhost host:
use my_app_db;
GRANT ALL PRIVILEGES ON *.* TO 'root'#'localhost';
Note: The GRANT ALL PRIVILEGES ON database_name.* TO 'root'#'localhost'; command may not work for modern versions of MySQL. Most modern versions of MyQL replace the database_name with * in the grant privileges command after you select the database that you want to use.
You can then exit the MySQL console:
exit
That's it.
I hope this helps
To access from remote server to mydb database only
GRANT ALL PRIVILEGES ON mydb.* TO 'root'#'192.168.2.21';
To access from remote server to all databases.
GRANT ALL PRIVILEGES ON * . * TO 'root'#'192.168.2.21';
To grant all priveleges on the database: mydb to the user: myuser, just execute:
GRANT ALL ON mydb.* TO 'myuser'#'localhost';
or:
GRANT ALL PRIVILEGES ON mydb.* TO 'myuser'#'localhost';
The PRIVILEGES keyword is not necessary.
Also I do not know why the other answers suggest that the IDENTIFIED BY 'password' be put on the end of the command. I believe that it is not required.