we have many users in our mysql server with alot of grants. Is there exists some automated way to check that all grants are really required for these users base on query set which these users use?
For example:
you have user1 and user2 and known that user1 do query1, query2, query3. user2 do others query4, query5, query6. Could I predict in automatic way, which grants are required for these users, base on these queries, to compare these autogenerated grants set with grants which already exists in our db server to remove excesive grants?
Related
TLDR;
Target:
Is it possible to grant privileges to a certain "audit" user to access to MySQL metadata only (schema,table,column at least) without access to exact data in tables?
Version
MySQL 8+
Try:
Before this issues,
I've been already tried or known:
review MySQL official docs on privileges (notice me if I missed the answer in it)
search keywords on SOF: mysql, privilege, metadata, etc.
find solutions with my DBA friends
grant show databases to users, but it could get the schema lists only
all grants to infomatica_schema was in vain, as known to all
SELECT ON *.* is another answer, but my leader dont wanna data leak through it
Background:
My company ordered devops to collect MySQL metadata for some issues of audits or security monitoring or else (I don't know the details of whole story). Unnecessary data leak would not be expected to my leader.
BTW, I dont know the specific method where they, audit depts maybe, are going to collect metadata. All I've been required to do is to create a granted user for them.
I think I found a workaround for this, but it's kind of a hack, not a true solution.
https://dev.mysql.com/doc/refman/8.0/en/show-tables.html says:
If you have no privileges for a base table or view, it does not show up in the output from SHOW TABLES or mysqlshow db_name.
That is, you can't use SHOW TABLES, or see the tables in queries against INFORMATION_SCHEMA (because SHOW TABLES is really just a query against those system views).
But the language of "no privileges" got me thinking. Is there a privilege that the user could have, but which does not allow reading or writing data?
https://dev.mysql.com/doc/refman/8.0/en/grant.html says:
The permissible priv_type values at the table level are ALTER, CREATE VIEW, CREATE, DELETE, DROP, GRANT OPTION, INDEX, INSERT, REFERENCES, SELECT, SHOW VIEW, TRIGGER, and UPDATE.
How about SHOW VIEW? This would only allow viewing metadata, not querying a table or a view.
So I tried it:
mysql> create user 'auditor'#'%';
mysql> grant show view on test.* to 'auditor'#'%';
Then I logged in as that user, and tried it:
mysql> show grants;
+----------------------------------------------+
| Grants for auditor#% |
+----------------------------------------------+
| GRANT USAGE ON *.* TO `auditor`#`%` |
| GRANT SHOW VIEW ON `test`.* TO `auditor`#`%` |
+----------------------------------------------+
mysql> use test
mysql> show tables;
+----------------+
| Tables_in_test |
+----------------+
| Accounts |
| Bugs |
| BugsProducts |
| BugStatus |
...
I could also view columns, etc.
To be clear, those are concrete tables, not views. But since my auditor user has more than no privileges on the tables (even an irrelevant privilege), it qualifies for purposes of letting them view metadata about the tables.
In MySQL 8.0.20, they added the SHOW ROUTINES privilege. Prior to that, you needed SELECT privilege to view the body of stored procedure or functions. But you didn't mention auditors viewing routines in your question.
I am trying to revoke select privilege from a particular table from a MySQL DB.
Database level restriction is working but table level is not.
When I write "show grants"
This is what I get :
| GRANT USAGE ON *.* TO 'rachit'#'localhost' IDENTIFIED BY PASSWORD '*2470C0C06DEE42FD1618BB99005ADCA2EC9D1E19' |
| GRANT ALL PRIVILEGES ON `test123`.* TO 'rachit'#'localhost' |
| GRANT INSERT, UPDATE, DELETE ON `test123`.`names123` TO 'rachit'#'localhost'
As you can see above I want to
revoke select privilege from rachit user on 'names123' table of 'test123' database, but SELECT is working.
I have attached a screenshot below for better understanding.
https://ibb.co/GRtjXX7
If you GRANT ALL ON test123.* TO 'rachit'#'localhost' you cannot remove one table by running REVOKE ALL ON test123.* TO 'rachit'#'localhost'.
some DBMS systems specifically DENY option for specifically denying access to specific table but this is not the case for mysql.
you may consider to write script and give access to each table one by one
Discussion:
If it wasn't specifically GRANTed, it can't be REVOKEd. This is an unfortunate side effect of the not-so-user-friendly Grant/Revoke syntax and implementation.
You can use a SELECT against information_schema.TABLES to automate the discovery of all the other tables. And have the SELECT build the desired GRANTs.
Possible workaround:
Another approach to your particular problem is to move that one table to a different database. Then GRANT different permissions to that db.
I want to see the GRANTS for all the users on a concrete DATABASE.
I use
SELECT * FROM mysql.user;
but it shows the GRANTS for all the databases (I suppose).
I want to see, for example, if I apply:
GRANT ALL ON Movies TO 'jNavarro';
I want to see how the GRANTS are changed to Y on the Movies Database, because If i apply the SELECT shown before the Grants for jNavarro doesn't change.
Thanks
If you are an admin then running this will get you what you want
select user from mysql.db where db='DB_NAME';
How can I give one user the identical set of privileges as another (pre-existing) user?
I can do:
SHOW GRANTS FOR 'user1'
But not:
GRANT (SHOW GRANTS for 'user1') to 'user2';
or
CREATE USER 'user1' LIKE 'user2'
So I can't see a way programmatically add all these grants a different user2 in an SQL way (other than writing a script in an app language to iterate thru that SHOW GRANTS)
Maybe there is a way going to the mysql.user table? Or is that a bad idea in general? I am not particularly knowledgeable about, or comfortable messing around with, that table.
i'm looking for a way to find all privileges for a specific user.
Provided I have a User "John" who has read-only rights on some tables, is there any "select" or "show" to retrieve me the names of the tables "john" has the rights for? So far, i looked in information_schema but couldn't find any specific information on grants for tables.
Or if i set up a role via mysqlworkbench, where is the formation on this role stored in?
how can i manually assign a new user to this role?
Thank you!
SHOW GRANT FOR user will display multiple rows of data for the user.
SELECT * from mysql.user where User = 'user'
will get the grants for the whole server.
SELECT * from mysql.db where User = 'user'
will get the grants by database.
mysql.tables_priv mysql.columns_priv, and mysql.procs_priv show the fine-grained grants if any happen to exist.