We've recently added a few restrictions as to what data an analyst can retrieve - specifically the password column in a users table.
The problem is she has thousands of queries which feature SELECT * from users, or joins, etc etc, in his scripts.
Now, when she attempts to run these, MySQL returns:
SQL Error (1142): SELECT command denied to user 'foo'#'bar' for table 'users'
The RDBMS is actually AWS Aurora MySQL 5.6.10a, if this helps. The analyst is reading from a read-replica, so has no write access, but can use and create temporary tables.
Is there a MySQL setting or something we can do, rather than getting the analyst to specify every single column?
Related
I'm currently in the process of implementing a monitoring system, part of which includes monitoring certain aspects of a MySQL database, such as:
The replication state of the given MySQL instance (sys table)
The number of records in database 1's table x (db1.tableX)
The sum total of a given attribute in another db's table (db2.tableY.column3)
These 3 things can be found using very simple queries:
SELECT viable_candidate FROM sys.gr_member_routing_candidate_status
SELECT COUNT(1) FROM db1.tableX
SELECT SUM(column3) FROM db2.tableY
However, this then requires a user account to be made with at least read access to 3 entire databases / tables.
Is there instead a way to limit access to the results of given queries only? I wondered about making an additional database which is somehow linked to the output of the above 3 queries, and then creating a new user with access only to this database, but I'm not sure what this technology is, or how it would work?
Thanks in advance!
Create a view based on each query and then grant only a select permission to such view.
Example:
CREATE VIEW dbo.view_name AS
SELECT viable_candidate
FROM sys.gr_member_routing_candidate_status
And then
GRANT SELECT ON dbo.view_name TO 'user1'#'localhost'
I am trying to select from one database using condition in another but my problem is how to do this in my editor i used this code in my phpmyadmin environment and it work fine, but how will write same query in my source code,my problem here is how to connect to two different db in one statement
select * from users.message where sender in( select id from secured.reg_users)
As long as the 2 databases are in the same mysql server, the above query will work with a single connection. (Remember, phpmyadmin will connect to a single database as well at any point of time!) If not, then you can experiment with federated tables, but most likely you will not be able to do this in sql only.
In the latter case, your code needs to retrieve the list of ids from the secured.reg_users table, then use that list as parameter to the main query.
I've found that it's possible to grant user access to only specific tables in a DB. The next part of the puzzle is restricting the scope of select queries.
Should my frontend server ever be compromised by someone able to script, they may attempt to use mysql credentials from the server to dump the database.
If everything is limited to only select, update, and insert queries via mysql privileges, the supposed malicious user could still select * on the tables the mysql user has access to. Perhaps I'm overly paranoid, but I'm wondering if anything can be done to restrict that too.
The assumption here is that if the server is compromised, the mysql user can be used via a script on the server to get a copy of everything in the DB. I'm trying to find the options to protect my (and my users' data).
By design, the frontend application that will use this mysql user will never need to return more than 20 rows (mostly due to hardcoded . I'm therefore happy to restrict the mysql user from ever getting more than 20 rows from a select query.
Can this be done using mysql privileges for that mysql user?
You could create view as select ... limit 20, remove select privilege from the table and grant it only for the view instead.
I have a web application which takes sql queries and produces the output in the form of a report. I don't want the user to MODIFY the existing database any way. To do this I decided to block all the CREATE,ALTER,DELETE,DROP commands at the web application level by just looking at the first word of the supplied query. This would stop the user from altering the existing schema or the instance of the database.
Recently I discovered that Microsoft SQL Server has the command SELECT * INTO NEW_TABLE FROM OLD_TABLE which allows us to create a copy of the the existing table. Are there any more commands of this kind which would allow us to modify the schema or instance of the existing DB by passing the web application filter ?
Any better ways to block the commands according to my requirements are also welcomed but I do not wish to take away the freedom of creating report using SQL queries at the cost of security.
Why Cannot I use Grant
I see that grant is one good option that I see from the comment as well as the answers but I will not be able to use them because the user supplies the DB details which I use to create the report along with the username and password. It is for the DB's table the user points to that I create the report
You can generate the reports from results of a query performed by a user with only read permissions. This implies management of the database connection to allow other parts of the application to manipulates the data ( you will need to connect as different users).
CREATE USER 'foouser'#'localhost' IDENTIFIED BY 'barpass';
GRANT SELECT ON db.table TO 'foouser'#'localhost';
Even if you use "SELECT * INTO NEW_TABLE FROM OLD_TABLE" you have to create the new_table first using create statement then you can use that statement.
Short version: How can I write an SQL procedure to list which of several tables in a MySQL database a particular user has access to?
Longer version:
I'm writing a multi-user app that accesses a database with data for several branches of a company. The database has a number of lookup tables that any user can access, and a table for each branch that only authorized users can access. My strategy is:
Write a stored procecure that returns a list of the relevant tables for which the user has SELECT privilege.
From the app, call the procedure. If there's only one table returned, use it, otherwise let the user select which branch they want to access (e.g. for managers).
I'm having trouble figuring out how to write such a stored procedure. SHOW GRANTS FOR CURRENT_USER is an obvious possibility, but parsing something like:
GRANT SELECT ON Company.BranchABC TO 'auser'#'%clientdomain.com'
in SQL to figure out what the tables are seems way too messy. Doing a SELECT from the actual tables that hold the permissions also seems problematic, because I'd have to duplicate MySQL's logic for combining the permissions from the various tables (user, db, host, etc.)
Any words of wisdom?
You can see what privileges on which tables a user has:
show grants for 'user'#'host';
For example, to see the privileges of user1 (all machines in the network 10.25), run:
show grants for 'user'#'10.25.%.%';
I have never granted per table permissions to MySQL users before, but to do this, you would check that the TABLE_PRIVILEGES table in the information_schema database.
That should point you in the right direction.
MySQL users list and its privilege can be check with the Query.
select * from mysql.user\G;
http://www.thedevheaven.com/2012/04/retrieve-mysql-users-list-and-its.html