I tried to grants information_schema but it gave me this error
first I showed my grants but nothing:
mysql> show grants for root;
ERROR 1141 (42000): There is no such grant defined for user 'root' on host '%'
then I tried to grant:
mysql> grant select on information_schema.* to 'root'#'%' identified by 'password123';
ERROR 1064 (42000): You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'identified by 'password123'' at line 1
but with show grants; :
mysql> show grants;
+-------------------------------------------------------------------------------- --------------------------------------------------------------------------------- --------------------------------------------------------------------------------- --------------------------------------------------------------------------------- -----------------------------------------------------------------------+
| Grants for root#localhost |
+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| GRANT SELECT, INSERT, UPDATE, DELETE, CREATE, DROP, RELOAD, SHUTDOWN, PROCESS, FILE, REFERENCES, INDEX, ALTER, SHOW DATABASES, SUPER, CREATE TEMPORARY TABLES, LOCK TABLES, EXECUTE, REPLICATION SLAVE, REPLICATION CLIENT, CREATE VIEW, SHOW VIEW, CREATE ROUTINE, ALTER ROUTINE, CREATE USER, EVENT, TRIGGER, CREATE TABLESPACE, CREATE ROLE, DROP ROLE ON *.* TO `root`#`localhost` WITH GRANT OPTION |
| GRANT BACKUP_ADMIN,BINLOG_ADMIN,CONNECTION_ADMIN,ENCRYPTION_KEY_ADMIN,GROUP_REPLICATION _ADMIN,PERSIST_RO_VARIABLES_ADMIN,REPLICATION_SLAVE_ADMIN,RESOURCE_GROUP_ADMIN,RESOURCE_GROUP_USER,ROLE_ADMIN,SET_USER_ID,SYSTEM_VARIABLES_ADMIN,XA_RECOVER_ADMIN ON *.* TO `root`#`localhost` WITH GRANT OPTION |
| GRANT ALL PRIVILEGES ON `testdb`.* TO `root`#`localhost` |
| GRANT ALL PRIVILEGES ON `%`.* TO `root`#`localhost` |
| GRANT PROXY ON ''#'' TO 'root'#'localhost' WITH GRANT OPTION |
+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
5 rows in set (0.00 sec)
I tried also this but with error:
mysql> GRANT ALL PRIVILEGES ON 'information_schema'.* TO 'root'#'localhost';
ERROR 1064 (42000): You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''information_schema'.* TO 'root'#'localhost'' at line 1
How can I grant my information_schema?
The syntax for granting privileges should be like:
GRANT ALL PRIVILEGES ON testDB.* TO 'root'#'localhost' identified by 'test';
Note: The database name won't be inside quotes.
After overcoming syntax error also, we don't have permission to grant any privilege to the information_schema database.
SHOW GRANTS; or SHOW GRANTS FOR CURRENT_USER; both shows all the granted privileges for the current user. To see grants of root user you need to log in as root and then execute the above command.
Related
how do I grant a new user the privilege to create a new database in MySQL
Specifically:
the database does not exist yet
I have successfuly created a new DB user account (that is not admin)
I want that non-admin user to create a new database
I do NOT want the 'admin' user to create the database and then grant privs to the database to the new user
as 'admin', I want to grant the new user the privilege to create a new database
I do not want to grant the new user any additional privileges on existing databases
This is not covered anywhere in the documentation that I can find.
Monday 2022-04-04
Update:
I created user 'scott' and then logged in as MySQL user 'admin' When I run this command
Note: The 'test' database does not yet exist
mysql>GRANT CREATE ON test.* to 'scott'#'localhost';
I get an error
==> ERROR 1410 (42000): You are not allowed to create a user with GRANT
Why do I get this error? I am not attempting to create a user, but rather grant a user access to a non-existent database (as is the approach with MySQL to grant a user privileges to create a database).
If up update the SQL statement to:
mysql>GRANT CREATE ON test.* to scott;
It runs OK
Query OK, 0 rows affected (0.07 sec)
And so now I login as user 'scott and run this statement:
mysql>create database rum;
==> ERROR 1049 (42000): Unknown database 'test'
Why do I get this error?
At this point, I am still not able to create a database as a non-admin user.
Example: grant "scott" the privilege to create the test3 database, which does not exist yet:
mysql> select user();
+----------------+
| user() |
+----------------+
| root#localhost |
+----------------+
mysql> grant create on test3.* to 'scott'#'localhost';
Query OK, 0 rows affected (0.01 sec)
Now try as scott to create the database:
mysql> select user();
+-----------------+
| user() |
+-----------------+
| scott#localhost |
+-----------------+
mysql> show grants;
+---------------------------------------------------------+
| Grants for scott#localhost |
+---------------------------------------------------------+
| GRANT USAGE ON *.* TO `scott`#`localhost` |
| GRANT ALL PRIVILEGES ON `test`.* TO `scott`#`localhost` |
| GRANT CREATE ON `test3`.* TO `scott`#`localhost` |
+---------------------------------------------------------+
mysql> create database test3;
Query OK, 1 row affected (0.00 sec)
mysql> use test3;
Database changed
MySQL has one privilege called CREATE which is for creating both databases and tables. See https://dev.mysql.com/doc/refman/8.0/en/privileges-provided.html#priv_create
You can either grant the user privilege to create a database of a specific name, or else grant them the privilege to create a database of any name, but that means they can also create other tables, either in the new database or in other existing databases. Sorry, there may not be a solution for you to allow them to create any new database without specifying the name when you grant the privilege, but then only have privilege in that database.
You are not allowed to create a user with GRANT
You did not create the user scott. Older versions of MySQL allows GRANT to implicitly create a user if one does not exist, but that has been disabled on more recent versions because folks realized it is a security weakness.
To be clear, the user "scott" is just an example I used. Don't literally use the name "scott" if that's not the user to whom you want to grant privileges.
The other errors you got seem to be that you granted the user privileges on a database named test.* but then you tried to create a database with a different name. The example I showed only grants the privilege to create the specific named database, not a database named rum or any other database.
I understand you want to grant privilege to create a database of any name. The syntax for that would be GRANT CREATE ON *.* TO... but that would grant the user privileges on all the other existing databases too.
There is no combination of syntax to grant privileges on any database name wildcard that means any database, provided that it is not yet created.
I configured MySQL as follows:
CREATE DATABASE IF NOT EXISTS foodb;
CREATE USER IF NOT EXISTS 'foo'#'localhost';
ALTER USER 'foo'#'localhost' IDENTIFIED BY 'qux';
GRANT ALL ON foodb.* to 'foo'#'localhost';
SHOW GRANTS FOR 'foo'#'localhost';
FLUSH PRIVILEGES;
SELECT user, host, authentication_string FROM mysql.user ORDER BY user, host;
When I run
python manage.py dbshell
I get the following error:
ERROR 1045 (28000): Access denied for user 'foo'#'localhost' (using password: YES)
CommandError: "mysql --user=foo --host=localhost foodb" returned non-zero exit status 1.
Also, this query
SHOW GRANTS for 'foo'#'localhost';
returns
+--------------------------------------------------------------+
| Grants for foo#localhost |
+--------------------------------------------------------------+
| GRANT USAGE ON *.* TO 'foo'#'localhost' |
| GRANT ALL PRIVILEGES ON `foodb`.* TO 'foo'#'localhost' |
+--------------------------------------------------------------+
2 rows in set (0.00 sec)
Finally, switching user to root and the root account password works just fine. So I think the issue must be with the user permissions on MySQL itself.
What additional permissions does 'foo'#'localhost' need for this to work?
I have a user 'adminuser' with the following privileges:
mysql> show grants for 'adminuser'#'localhost';
+----------------------------------------------------------+
| Grants for adminuser#localhost |
+----------------------------------------------------------+
| GRANT ALL PRIVILEGES ON *.* TO 'adminuser'#'localhost' |
+----------------------------------------------------------+
1 row in set (0.00 sec)
Now I am trying to grant privileges to another user who was just created
mysql> grant delete, insert, update, select, create, index on simpledb.* to 'jobuser'#'localhost';
but I get an error:
ERROR 1044 (42000): Access denied for user 'adminuser'#'localhost' to database 'simpledb'
Why?
I'm trying to grant all privileges to a specific IP but when I try to get the list of privileged IPs it always shows only localhost, I followed the instructions in this question but it doesn't do any changes, what am I doing wrong?
MariaDB [(none)]> GRANT ALL ON database.* TO 'root'#'192.168.3.1' WITH GRANT OPTION;
Query OK, 0 rows affected (0.00 sec)
MariaDB [(none)]> FLUSH PRIVILEGES;
Query OK, 0 rows affected (0.00 sec)
MariaDB [(none)]> show grants;
+---------------------------------------------------------------------+
| Grants for root#localhost |
+---------------------------------------------------------------------+
| GRANT ALL PRIVILEGES ON *.* TO 'root'#'localhost' WITH GRANT OPTION |
| GRANT PROXY ON ''#'' TO 'root'#'localhost' WITH GRANT OPTION |
+---------------------------------------------------------------------+
2 rows in set (0.00 sec)
mysql> show slave status;
ERROR 1227 (42000): Access denied; you need (at least one of) the SUPER,REPLICATION CLIENT privilege(s) for this operation
mysql> show grants;
+------------------------------------------------------------------+
| Grants for root#192.168.1.5 |
+------------------------------------------------------------------+
| GRANT USAGE ON *.* TO 'root'#'192.168.1.5' |
| GRANT ALL PRIVILEGES ON `western_star`.* TO 'root'#'192.168.1.5' |
+------------------------------------------------------------------+
2 rows in set (0.00 sec)
Note:
I still get denied even though I logged in with my user remotely and I have the permissions.
mysql> show slave status;
ERROR 1227 (42000): Access denied; you need (at least one of) the SUPER,REPLICATION CLIENT privilege(s) for this operation
mysql> show grants;
+------------------------------------------------------------------+
| Grants for root#192.168.1.5 |
+------------------------------------------------------------------+
| GRANT USAGE ON *.* TO 'root'#'192.168.1.5' |
| GRANT ALL PRIVILEGES ON `western_star`.* TO 'root'#'192.168.1.5' |
+------------------------------------------------------------------+
2 rows in set (0.00 sec)
Try running this statement:
SHOW GRANTS FOR 'root'#'192.168.3.1' ;
And compare to the return from this:
SHOW GRANTS FOR 'root'#'localhost' ;
SHOW GRANTS shows the grants for the current user.
Note that "root#localhost" is not the same user as "root#192.168.3.1". MySQL identifies a user by both user AND host. (Those are two different users.)
FOLLOWUP
The SUPER and REPLICATION CLIENT privileges are global privileges, not database privileges. Syntax for granting those privileges is ON *.*. For example:
GRANT REPLICATION CLIENT ON *.* TO 'root'#'192.168.1.5' ;
I have to provide direct access to my database to some users for auditing purposes, and should add a restriction to avoid that these new users don't have deleting, updating and altering privileges.
Just create a user and grant only SELECT privilege.
CREATE USER user_name#host_name identified by 'password';
GRANT SELECT ON db_name.* TO user_name#host_name;
To check what privileges a user has use
SHOW GRANTS FOR user_name#host_name;
and make sure that a user only has GRANT USAGE and GRANT SELECT ON db_name.*
Lets say I have my_db database with test table in it and I want to create a user with a name user1 who will be allowed to connect only from local host and will be able to read data from all tables in this database but won't be able to insert, change, and delete data.
mysql> create user user1#localhost identified by 'password';
Query OK, 0 rows affected (0.00 sec)
mysql> show grants for user1#localhost;
+--------------------------------------------------------------------------------------------------------------+
| Grants for user1#localhost |
+--------------------------------------------------------------------------------------------------------------+
| GRANT USAGE ON *.* TO 'user1'#'localhost' IDENTIFIED BY PASSWORD '*2470C0C06DEE42FD1618BB99005ADCA2EC9D1E19' |
+--------------------------------------------------------------------------------------------------------------+
1 row in set (0.00 sec)
mysql> grant select on my_db.* to user1#localhost;
Query OK, 0 rows affected (0.00 sec)
mysql> show grants for user1#localhost;
+--------------------------------------------------------------------------------------------------------------+
| Grants for user1#localhost |
+--------------------------------------------------------------------------------------------------------------+
| GRANT USAGE ON *.* TO 'user1'#'localhost' IDENTIFIED BY PASSWORD '*2470C0C06DEE42FD1618BB99005ADCA2EC9D1E19' |
| GRANT SELECT ON `my_db`.* TO 'user1'#'localhost' |
+--------------------------------------------------------------------------------------------------------------+
2 rows in set (0.00 sec)
Now lets see what our user1 can and can't do
$ mysql -uuser1 -p
mysql> use mysql
ERROR 1044 (42000): Access denied for user 'user1'#'localhost' to database 'mysql'
mysql> use test
ERROR 1044 (42000): Access denied for user 'user1'#'localhost' to database 'test'
mysql> use my_db
Database changed
As you can see our user1 can only connect to my_db database.
Now let see what that user can do with data in table test (the only table in that database)
mysql> select * from test;
+------+
| id |
+------+
| 1 |
| 2 |
+------+
2 rows in set (0.00 sec)
mysql> insert into test values (3);
ERROR 1142 (42000): INSERT command denied to user 'user1'#'localhost' for table 'test'
mysql> delete from test where id = 1;
ERROR 1142 (42000): DELETE command denied to user 'user1'#'localhost' for table 'test'
mysql> update test set id = 10 where id = 1;
ERROR 1142 (42000): UPDATE command denied to user 'user1'#'localhost' for table 'test'
Again as you can the user can only select from the table.