There is a MySQL user with database level privileges, as shown in the screen shot below. However, when an attempt is made to revoke privileges for this user, an error 1141 is the result. Why is this error being generated? How can the privileges be revoked?
I entered show grants for 'api_user'#'localhost'; and got the ERROR 1141 message.
Edit:
Here I entered REVOKE ALL PRIVILEGES FROM 'api_user'#'localhost'; and got a syntax error message.
Since the user only has grants on a single database, I think you need to specify that database in the REVOKE command:
REVOKE ALL PRIVILEGES ON api_example.* FROM api_user#localhost;
If that doesn't work, try dropping the user:
DROP USER api_user#localhost;
From the documentation:
The DROP USER statement removes one or more MySQL accounts and their privileges. It removes privilege rows for the account from all grant tables.
If the grant tables hold privilege rows that contain mixed-case database or table names and the lower_case_table_names system variable is set to a nonzero value, REVOKE cannot be used to revoke these privileges. It will be necessary to manipulate the grant tables directly. (GRANT will not create such rows when lower_case_table_names is set, but such rows might have been created prior to setting the variable.)
MySQL Revoke LowerCase
Related
So I did created a new user, granted all privilages, and flushed the privilages.
The newly created user can also see the information_schema, mysql, performance_schema and sys databases. However, I don't want the user to access those 4. I just want him to have CREATE/DROP/DELETE/INSERT/SELECT (All the required ones), etc permissions on newly created databases.
I did the following:
CREATE USER 'newuser'#'localhost' IDENTIFIED BY 'password';
GRANT ALL PRIVILEGES ON * . * TO 'newuser'#'localhost';
FLUSH PRIVILEGES;
Run REVOKE for the given databases:
REVOKE ALL PRIVILEGES ON mysql.* FROM 'newuser'#'localhost';
I would skip the information_schema revoke. You can see if the user still works without it, but I somehow doubt that.
Privileges: Privileges defines the access rights provided to a user on a database object. There are two types of privileges.
1) System privileges allows the user to CREATE, ALTER, or DROP database objects.
2) Object privileges allows the user to EXECUTE, SELECT, INSERT, UPDATE, or DELETE data from database objects to which the privileges apply.
You need to revoke the privilege here you want to remove .Below is the syntax
REVOKE privilege_name
ON object_name
FROM {user_name |PUBLIC |role_name}
I have granted all permissions on a database to a user 'demo' with this command:
grant all privileges on wordpress.* to demo#localhost;
Now i want to revoke the user permissions on the table wp_users. I used this command:
revoke all privileges on wordpress.wp_users from demo#localhost;
But i get this error:
ERROR 1147 (42000): There is no such grant defined for user 'demo' on host 'localhost' on table 'wp_users'
Why i am getting this error?
Because, as indicated, you're trying to revoke a grant that doesn't exist.
Making a broad grant makes a broad grant; it doesn't automatically make lots of individual grants that you can then cherry-pick away afterwards.
Simply grant access to the tables you want.
I want to create a mysql user who can only access databases which have names starting with netdata_. I use the following statement to create such user:
GRANT ALL PRIVILEGES ON `netdata_*`.* TO netdata#"%" IDENTIFIED BY "My_Top_Secret";
However, with this user netdata, I can see nothing other than the information_schema. So is there anything wrong in my grant statement? Thanks.
Before you think this is a duplicate question, I believe I have a unique, even if it is somewhat dim-witted, case.
A few days ago, I upgraded the version of MySQL on my Ubuntu 10.04 server to 5.3.3 (it's ahead of the Ubuntu releases for 10.04). Today, I attempted to log into phpMyAdmin for something and discovered the somewhat dreaded Connection for controluser as defined in your configuration failed error.
After following descriptions from several SO questions on how to fix this, I have become stuck.
I attempted to reconfigure phpMyAdmin, with no success.
I attempted to uninstall phpMyAdmin and reinstall it, but it couldn't remove the privileges from the DB and failed.
I then attempted to manually remove the privileges of the user - somewhat foolishly, I might add - from the DB, then dropping the db, then the user (with flush privileges).
I dropped the whole install of phpMyAdmin completely (deleting the application and the /etc/phpmyadmin directory) and reinstalled (using apt-get) but it said the permissions for the phpmyadmin user already existed:
granting access to database phpmyadmin for phpmyadmin#localhost: already exists
So, here is what I'm left with. I have a grant that I cannot modify, nor revoke:
mysql> show grants for 'phpmyadmin'#'localhost';
+-------------------------------------------------------------------------------------------------------------------+
| Grants for phpmyadmin#localhost |
+-------------------------------------------------------------------------------------------------------------------+
| GRANT USAGE ON *.* TO 'phpmyadmin'#'localhost' IDENTIFIED BY PASSWORD '*46CFC7938B60837F46B610A2D10C248874555C14' |
| GRANT ALL PRIVILEGES ON `phpmyadmin`.* TO 'phpmyadmin'#'localhost' |
+-------------------------------------------------------------------------------------------------------------------+
2 rows in set (0.26 sec)
mysql> revoke usage on *.* from 'phpmyadmin'#'localhost';
ERROR 1141 (42000): There is no such grant defined for user 'phpmyadmin' on host 'localhost'
mysql> revoke usage on *.* from 'phpmyadmin'#'localhost' identified by 'trustno1';
ERROR 1141 (42000): There is no such grant defined for user 'phpmyadmin' on host 'localhost'
(Don't worry, I do not use this password anymore, but it was the password that was used previously and it is not the password I chose for the new phpmyadmin installation).
How do I totally remove these grants/privileges? I am happy to start again from scratch if need be (phpmyadmin that is, not the DB).
The USAGE-privilege in mysql simply means that there are no privileges for the user 'phpadmin'#'localhost' defined on global level *.*. Additionally the same user has ALL-privilege on database phpmyadmin phpadmin.*.
So if you want to remove all the privileges and start totally from scratch do the following:
Revoke all privileges on database level:
REVOKE ALL PRIVILEGES ON phpmyadmin.* FROM 'phpmyadmin'#'localhost';
Drop the user 'phpmyadmin'#'localhost'
DROP USER 'phpmyadmin'#'localhost';
Above procedure will entirely remove the user from your instance, this means you can recreate him from scratch.
To give you a bit background on what described above: as soon as you create a user the mysql.user table will be populated. If you look on a record in it, you will see the user and all privileges set to 'N'. If you do a show grants for 'phpmyadmin'#'localhost'; you will see, the allready familliar, output above. Simply translated to "no privileges on global level for the user". Now your grant ALL to this user on database level, this will be stored in the table mysql.db. If you do a SELECT * FROM mysql.db WHERE db = 'nameofdb'; you will see a 'Y' on every priv.
Above described shows the scenario you have on your db at the present. So having a user that only has USAGE privilege means, that this user can connect, but besides of SHOW GLOBAL VARIABLES; SHOW GLOBAL STATUS; he has no other privileges.
As a side note, the reason revoke usage on *.* from 'phpmyadmin'#'localhost'; does not work is quite simple : There is no grant called USAGE.
The actual named grants are in the MySQL Documentation
The grant USAGE is a logical grant. How? 'phpmyadmin'#'localhost' has an entry in mysql.user where user='phpmyadmin' and host='localhost'. Any row in mysql.user semantically means USAGE. Running DROP USER 'phpmyadmin'#'localhost'; should work just fine. Under the hood, it's really doing this:
DELETE FROM mysql.user WHERE user='phpmyadmin' and host='localhost';
DELETE FROM mysql.db WHERE user='phpmyadmin' and host='localhost';
FLUSH PRIVILEGES;
Therefore, the removal of a row from mysql.user constitutes running REVOKE USAGE, even though REVOKE USAGE cannot literally be executed.
For every new user we create in mySQL using the statement
CREATE USER newuser#localhost IDENTIFIED BY 'password';
"SHOW GRANTS" is showing only "USAGE ON *.* " privilege.
But the user is able to select,insert,.. on "test" and "information_schema" databases and I'm unable to revoke these privileges on "test" using the revoke statement given below.
REVOKE ALL ON test.* FROM newuser#localhost;
ERROR 1141 (42000) : There is no such grant defined for user 'guest' on host 'localhost'
I just don't want the newuser to access the test and information_schema databases.
http://dev.mysql.com/doc/refman/5.6/en/default-privileges.html
By default, the mysql.db table contains rows that permit access by
any user to the test database and other databases with names that
start with test_. (...) This means that
such databases can be used even by accounts that otherwise possess no
privileges. If you want to remove any-user access to test databases,
do so as follows:
mysql> DELETE FROM mysql.db WHERE Db LIKE 'test%';
mysql> FLUSH PRIVILEGES;
(...)
With the preceding change, only users who have global database
privileges or privileges granted explicitly for the test database can
use it.
The information_schema database is a read-only pseudo database built on-the-fly on request. Users will always be able to consult this database, but it only presents entries to which they already have access to otherwise.