Trying to write stored function for checking is account verified or not. I want to use it in view.
CREATE
ALGORITHM = UNDEFINED
DEFINER = `root`#`%`
SQL SECURITY DEFINER
VIEW `Admin_Departaments` AS
SELECT
`Departaments`.`Id` AS `Id`,
`Departaments`.`Name` AS `Name`,
`Departaments`.`Email` AS `Email`,
ST_ISEMPTY(`Departaments`.`EmailVerificationToken`) AS `IsVerified`
FROM
`Departaments`
Following show errors and code statements.
ERROR 1227: Access denied; you need (at least one of) the SUPER
privilege(s) for this operation
SQL Statement:
CREATE DEFINER=`%`#`%` FUNCTION `IsEmpty`(str tinytext) RETURNS tinyint(1)
BEGIN
IF str = '' THEN
RETURN true;
else Return false;
END IF;
END
ERROR 1418: This function has none of DETERMINISTIC, NO SQL, or READS
SQL DATA in its declaration and binary logging is enabled (you might
want to use the less safe log_bin_trust_function_creators variable)
SQL Statement:
CREATE DEFINER=`root`#`%` FUNCTION `IsEmpty`(str tinytext) RETURNS tinyint(1)
BEGIN
IF str = '' THEN
RETURN true;
else Return false;
END IF;
END
ERROR 1419: You do not have the SUPER privilege and binary logging is
enabled (you might want to use the less safe
log_bin_trust_function_creators variable)
SQL Statement:
CREATE DEFINER=`root`#`%` FUNCTION `IsEmpty`(str tinytext) RETURNS tinyint(1)
deterministic
BEGIN
IF str = '' THEN
RETURN true;
else Return false;
END IF;
END
Some more info:
-Database is stored in Google Cloud Platform
-Root user is the main user that given from Google
-I already tried to change root privileges from gcloud shell running mysql from sudo, but got error
-The root privileges are all besides FILE. Role is all besides DBA.2
As mentioned in the documentation Cloud SQL FAQ
Cloud SQL does not support SUPER privileges
A viable solution here is to set up MySQL instance on a Compute Engine instance. Doing that you will be able to have SUPER USER privileges on your instance and you will overcome this errors.
Related
I run the following script:
USE MODERN_FAMILY;
DROP FUNCTION IF EXISTS compare_news;
DELIMITER $$
CREATE FUNCTION compare_news(n INT, m INT)
RETURNS VARCHAR(20)
BEGIN
DECLARE s VARCHAR(20);
IF n>m THEN SET s='>';
ELSEIF n=m THEN SET s='=';
ELSE SET s='<';
END IF;
SET s = CONCAT(n, ' ', s, ' ',m);
RETURN s; END;$$
First script returns this error :
Error Code: 1418. This function has none of DETERMINISTIC, NO SQL, or READS SQL DATA in its declaration and binary logging is enabled (you might want to use the less safe log_bin_trust_function_creators variable).
Then, I run this:
USE MODERN_FAMILY;
SELECT compare_news(2,5);
It returns this error:
Error Code: 2014. Commands out of sync; you can't run this command now.
Does someone know if I have an error with the script? Or is related to my SQL configuration?
log_bin_trust_function_creators variable controls whether binary logging should trust the stored function creators for not to create unsafe stored functions.
Reference: Stored Program Logging
When you create a stored function, you must declare either that it is
deterministic or that it does not modify data. Otherwise, it may be
unsafe for data recovery or replication.
By default, for a CREATE FUNCTION statement to be accepted, at least
one of DETERMINISTIC, NO SQL, or READS SQL DATA must be specified
explicitly. Otherwise an error occurs:
ERROR 1418 (HY000): This function has none of DETERMINISTIC, NO SQL,
or READS SQL DATA in its declaration and binary logging is enabled
(you *might* want to use the less safe log_bin_trust_function_creators
variable)
To relax the preceding conditions on function creation (that you must
have the SUPER privilege and that a function must be declared
deterministic or to not modify data), set the global
log_bin_trust_function_creators system variable to 1.
Solution 1: Make your function which doesn't manipulate data or deterministic in nature
CREATE FUNCTION `compare_news`(
`n` INT,
`m` INT
) RETURNS VARCHAR(20) CHARSET latin1 LANGUAGE SQL DETERMINISTIC NO SQL SQL SECURITY DEFINER COMMENT ''
BEGIN
DECLARE s VARCHAR(20);
IF n>m THEN
SET s='>';
ELSEIF n=m THEN
SET s='=';
ELSE
SET s='<';
END IF;
SET s = CONCAT(n, ' ', s, ' ',m);
RETURN s;
END
Solution 2: Enable MySQL to trust such functions by setting mysql log_bin_trust_function_creators variable to ON.
Reference: log_bin_trust_function_creators
SET GLOBAL log_bin_trust_function_creators = 1;
The variable will change upon restart if you do not update the config to reflect the change.
When am trying to create a simple trigger in mysql, am encountering the below error message. Please suggest me how to overcome this.
delimiter $$
create trigger trg_addresses_ins before insert on addresses
for each row
begin
declare msg varchar(128);
if length(new.addressstate) > 2 then
set msg = concat('MyTriggerError: Trying to insert a state value of more than 2 character: ', new.addressstate);
signal sqlstate '45000' set message_text = msg;
end if;
end$$
delimiter ;
`
Error Code: 1419. You do not have the SUPER privilege and binary logging is enabled (you might want to use the less safe log_bin_trust_function_creators variable) 0.078 sec
Super user is enabled but still get the same error and also am unable to change database parameter group associated with mysql aws db instance to 1. I am unable to modify db instance to select newly created group as the parameter group field is read only.
Appreciate your valuable inputs.
Thanks!
I guess you are using the default DB parameter group which you can not modify, the solution is you need to create your own parameter group, and set log_bin_trust_function_creators = 1, and apply your own parameter group to your current instance.
I have an issues in that when i try to execute a stored procedure through my web application, i am shown the following error
SQLSTATE[42000]: Syntax error or access violation: 1142 INSERT command denied to user 'elitecareers_admin'#'%' for table 'user'
Here is my stored procedure just for clarity
DELIMITER $$
CREATE PROCEDURE `sp_create_account`( username_param VARCHAR(40), email_param VARCHAR(60), pass_w VARCHAR(30), category_id TINYINT )
BEGIN
DECLARE salt VARCHAR(60);
DECLARE password_var VARCHAR(128);
SET salt = 'ELiCrs#4$^7EC%?';
SET salt = CONCAT( username_param, salt );
SET password_var = SHA2( CONCAT( pass_w, salt ), 0 );
INSERT INTO elite.user
( user_id, username, email, pass, active, date_joined, user_category_id )
VALUES
( DEFAULT, username_param, email_param, password_var, DEFAULT, DEFAULT, category_id );
END $$
DELIMITER ;
and here is how the stored procedure looks when i run the show command
Here is my server information too
Here are the privileges for the user 'elitecareers_admin'#'%' under which the web application is executing
What i don't understand if the user has all privileges on the database, then why does mysql/maria server keeping those errors?
"The SQL SECURITY characteristic can be DEFINER or INVOKER to specify the security context; that is, whether the routine executes using the privileges of the account named in the routine DEFINER clause or the user who invokes it. This account must have permission to access the database with which the routine is associated. The default value is DEFINER. The user who invokes the routine must have the EXECUTE privilege for it, as must the DEFINER account if the routine executes in definer security context. " -- https://dev.mysql.com/doc/refman/5.7/en/create-procedure.html
So, regardless of who runs the proc, the permissions for 'elitecareers_admin'#'%' will be used for things such as accessing the table elite.user. But that user seems to have privileges only to the database elitecareers\_elite.
Plan A: Recreate the proc with SQL SECURITY INVOKER if that is appropriate.
Plan B: Figure out the difference between databases elite and elitecareers\_elite.
Plan C: Add another GRANT to let that admin get to elite.
Plan D: (There are probably other solutions.)
I'm dipping my toe into using stored functions with MySQL and am having trouble.
Having created a function and tested it, I don't seem to be able to allow other users to execute it. From the documentation, it seems that I need to grant EXECUTE access to the other users, but that doesn't appear to be sufficient.
I've put together a couple of scripts that I believe demonstrate the problem:
# This script creates two databases with a stored function in each.
#
# On one database, tester in granted all privileges.
# On the other, tester only gets a few.
#
# We want to find the minimum privileges required to allow tester to execute the
# stored function.
#
# This script must be run by an administrative user, i.e. root
CREATE DATABASE test1;
DELIMITER $$
CREATE FUNCTION test1.foo () RETURNS VARCHAR(255) DETERMINISTIC
BEGIN
RETURN ('garp');
END$$
DELIMITER ;
GRANT ALL PRIVILEGES ON test1.* TO 'tester'#'localhost';
#
CREATE DATABASE test2;
DELIMITER $$
CREATE FUNCTION test2.foo () RETURNS VARCHAR(255) DETERMINISTIC
BEGIN
RETURN ('garp');
END$$
DELIMITER ;
GRANT EXECUTE ON PROCEDURE test2.foo TO 'tester'#'localhost';
and
# This script tests whether tester can access the stored functions
#
# It should be executed by tester
SELECT 'test1.foo(): ', test1.foo ();
SELECT 'test2.foo(): ', test2.foo ();
When I run execute the second script, I get an error:
$ mysql --user=tester --password=tester --skip-column-names < testScript2.sql
test1.foo(): garp
ERROR 1370 (42000) at line 6: execute command denied to user 'tester'#'localhost' for routine 'test2.foo'
I have no doubt that I'm missing something obvious, but I can't see what that is. I imagine that I've got something wrong in the GRANT EXECUTE... statement in the first script, and am deeply suspicious of my use of single quotes, but I recall trying most of the combinations of placement and inclusion of single quotes without success.
I'd be really grateful to anyone who can point out my error.
For reference, I'm running Server version: 5.1.67-0ubuntu0.10.04.1 (Ubuntu) (on Ubuntu!).
Thanks
test2.foo is a function not a procedure.
Try:
GRANT EXECUTE ON FUNCTION test2.foo TO 'tester'#'localhost';
(I was able to reproduce the problem locally and confirm that this change works.)
I have created an AWS RDS instance, I have created my master user with master password, and it is working/connecting fine.
But when I am going to create a function on that instance, it shows me the following error:
ERROR 1418: This function has none of DETERMINISTIC, NO SQL,
or READS SQL DATA in its declaration and binary logging is enabled
(you might want to use the less safe log_bin_trust_function_creator variable).
In my instance the variable log_bin_trust_function_creators shows OFF, and if I try to change the variable using SET GLOBAL log_bin_trust_function_creators = 1;, it gives me another error "Error Code: 1227. Access denied; you need (at least one of) the SUPER privilege(s) for this operation"
Set log_bin_trust_function_creators = 1 for Parameter group of the RDS instance.
Note: Default Parameter-Group is not editable. Create a new Parameter-Group and assign it to the RDS instance by modifying it from UI (AWS Admin Console) OR maybe using commands
DELIMITER $$
CREATE DEFINER=`DB_USERNAME_HERE`#`%` FUNCTION `GetDistance`(coordinate1 VARCHAR(120), coordinate2 VARCHAR(120)) RETURNS decimal(12,8)
READS SQL DATA
BEGIN
DECLARE distance DECIMAL(12,8);
/*Business logic goes here for the function*/
RETURN distance;
END $$
DELIMITER ;
Here, you have to replace DB_USERNAME_HERE with you RDS database username and function names according to you need.
Important thing is: DEFINER=`DB_USERNAME_HERE`#`%`
This was the problem I was facing after setting log_bin_trust_function_creators = 1 in parameter group. And it worked like a charm.
A better way is to apply your own parameter group, with log_bin_trust_function_creators set to true. (its false by default)
This happens when you try to create a procedure/function/view with a DEFINER that is not the current user.
To solve this remove or update the DEFINER clause.