I am using a hosted web service account that uses cpanel as its management system. When logged into phpmyadmin, I am trying to import an SQL file that contains tables and some procedures.
CREATE DEFINER=`root`#`localhost` PROCEDURE `getClientDashboardStatsMap` (IN `in_userID` INT) BEGIN
SELECT
rl.city,
rl.state,
rl.zip,
rl.longitude,
rl.latitude,
rl.timestamp,
count(rl.ID) as total
FROM
crowd.redemption_log as rl
JOIN
reward as r
ON
rl.rewardID = r.rewardID
WHERE
r.userID = 1
AND
rl.timestamp BETWEEN NOW() - INTERVAL 30 DAY AND NOW()
GROUP BY
rl.city, rl.state, rl.zip
ORDER BY
total DESC;
END$$
When I try to run this, I get an error about needing super user privileges to do so. Doing some searching, people suggested removing the definer line like so:
CREATE PROCEDURE getClientDashboardStatsMap (IN in_userID INT) BEGIN.
While this allows me to complete the import, I am running into another issue. The procedures are getting a default definer of cpaneluser#localhost. However, the database user that is set up is different than this user so the procedure has no permissions for things like select, update, delete. The database user is cpaneluser_dbusername, which is typical for hosted sites like this so you can associate databases with accounts.
How else can I get this procedures to run, under the correct user? I don't see any settings in PHPMYADMIN for privileges in order to run these as a super user.
There are two ways to solve this problem:
Log into phpmyadmin with the database user cpaneluser_dbusername. I am not familar with phpmyadmin and cpanel, so I'm not sure whether they provide you the option to change the user. You should check it out by yourself. I'm using MySQL Workbench and MySQL Administrator, they both privode me this option.
Grant privileges to cpaneluser#localhost. Such as:
GRANT ALL ON db_name.table_name TO 'cpaneluser#localhost';
It's better if you grant each privilege explicitly, e.g.: GRANT SELECT,INSERT,UPDATE,DELETE ON .... Check GRANT Syntax.
Related
MSSQL DBA here, I know how to do the following in TSQL, I am wondering if the same can be done in MySQL. Basically, set a variable and be able to use it throughout a script. MySQL docs have gotten me only so far, looking for some veteran MySQL devs/dbas for some detail. Thanks.
SET #newuser := `'usr652'#'%.domain.com'`;
SET #pw := `'ge?jJ!ARxbz$qiC6n'`;
CREATE USER #newuser IDENTIFIED BY #pw;
ALTER USER IF EXISTS
#newuser PASSWORD EXPIRE;
GRANT USAGE ON `POP%`.* TO #newuser;
GRANT SELECT ON `POP%`.* TO #newuser;
SHOW GRANTS FOR #newuser;
I'm struggling a little with MySQL stored procedures and getting a bit frustrated. I have a set of SPs created by Bob. As he is the DEFINER, only he can see the CREATE statement for them, amend them etc.
Mary can see Bob's stored procedures in the schema in MySQL Workbench, but can't see what they do - when she clicks on the SP and selects "Send to SQL Editor -> CREATE statement" nothing happens, because she's not the definer.
Coming from a MS SQL background this is a little bizarre to me. Is there any way I can set up a group (e.g. "DB_DEVS") and make this group the definer of the Stored Procs so Bob and Mary can see each other's code?
DEFINER always refers to the user who created the stored procedure. This can only be 1 user.
If Mary wants to see Bobs procedure, she could call:
SHOW CREATE PROCEDURE proc_name
To see the code of the procedure. She could also call the following to see the code:
SELECT ROUTINE_DEFINITION FROM information_schema.ROUTINES WHERE SPECIFIC_NAME='proc_name'
Heres how to enable Mary to access the view of the procedure via MySQL-Workbench:
By default, Mary is not able to send the create statement to the SQL-Editor. But this is just a privilege thing. Mary just needs a basic SELECT privilege in the mysql.proc table. To do this, run the following SQL-Statement (via Command line or directly in the Workbench):
GRANT SELECT ON mysql.proc TO 'mary'#'%'
This command enables Mary to access the Create-Statement from all hosts. If you want to limit it to a specific host you would do something like:
GRANT SELECT ON mysql.proc TO 'mary'#'192.168.2.1'
If Mary has the SELECT privilege she should be able to see the procedure after doing Send to SQL Editor -> CREATE statement
NOTE: In order to run the GRANT-Command you need to be logged in as user who has the privilege to grant privileges (e.g. root-user)
+++++++++++++++++++++++++EDIT+++++++++++++++++++++++++
There is a "quick and dirty" way to achieve this for a large number of users without writing for each user a new command to grant the privilege:
(make sure to do this with a user who has the privilege to insert rows via the Workbench)
Open a new SQL-Tab in your Workbench
Type SELECT * FROM mysql.tables_priv; and run it
Above the result-grid there should be the a small button which allows you to import data from a csv-File.
Create a CSV-File which looks like this:
%,mysql,jane,proc,root#localhost,"2016-02-19 22:51:47",Select,
%,mysql,max,proc,root#localhost,"2016-02-19 22:51:47",Select,
%,mysql,steve,proc,root#localhost,"2016-02-19 22:51:47",Select,
%,mysql,greg,proc,root#localhost,"2016-02-19 22:51:47",Select,
%,mysql,jamie,proc,root#localhost,"2016-02-19 22:51:47",Select,
...further users
jane, max, steve,... would be your users. Leave the other columns the way they are.
Import your csv-File
Run FLUSH PRIVILEGES in an SQL-Window (reloades privileges from priv-tables)
Finished! All your users can now access Stored Procedures
In phpmyadmin I want to grant users to create and delete databases but this access should be limited to a specific prefix.
My users have 3 different accounts on PhpMyAdmin: username_ro (for only reading), username_rw (for reading and writing) and username_admin (for creating other databases and tables into their account)
I want them to be able to create a database username_website but I don't want them to be able to create database theother_website. They should also be able to drop username_website but unable to drop theother_website
How can I do this with sql or PhpMyAdmin.
Thanks in advance.
With some trial and error I have found a solution. By doing this query I was able to create and drop database username_website but I wasn't able to create or drop database theother_clients
GRANT ALL PRIVILIGES
ON `username\_%`.*
TO 'username_admin'#'localhost';
PS. the query is a little edited. I changed the rights I actually gave with ALL PRIVILIGESand I changed the actual username with username.
I create my database and user navid in my shared server with cpanel (databases -> mySQL# Databases -> add new user),and then selected ALL PRIVILEGES for user navid.
I was importing mydatabase.sql when I was confronted with this error.
how do i fix the error? store procedure worked fine in localhost.
what is SUPER privilege?
Error
SQL query:
DELIMITER $$--
-- Procedures
--
CREATE DEFINER = `navid`#`%` PROCEDURE `d_answer` ( OUT `sp_out` INT( 11 ) , IN `sp_id` INT( 11 ) ) NO SQL BEGIN DELETE FROM `tblname` WHERE `a_id` = sp_id;
SET sp_out = ROW_COUNT( ) ;
END$$
MySQL said: Documentation
#1227 - Access denied; you need (at least one of) the SUPER privilege(s) for this operation
From the documentation (my emphasis):
The SUPER privilege enables an account to use CHANGE MASTER TO, KILL
or mysqladmin kill to kill threads belonging to other accounts (you
can always kill your own threads), PURGE BINARY LOGS, configuration
changes using SET GLOBAL to modify global system variables, the
mysqladmin debug command, enabling or disabling logging, performing
updates even if the read_only system variable is enabled, starting and
stopping replication on slave servers, specification of any account
in the DEFINER attribute of stored programs and views, and enables
you to connect (once) even if the connection limit controlled by the
max_connections system variable is reached.
Since you are already navid to the database, you do not need to set the DEFINER attribute in your stored procedure; adding this line is causing the error to show up. If you remove this statement, your procedure will be created and you won't get the permissions error.
You only need to set DEFINER if you are setting up the stored procedure for some other user, by default the stored procedure gets the same security context as the user that is creating it:
All stored programs (procedures, functions, and triggers) and views
can have a DEFINER attribute that names a MySQL account. If the
DEFINER attribute is omitted from a stored program or view definition,
the default account is the user who creates the object.
I got the problem too and fixed it thus in MySQL Workbench.
In my case it is because the "Send to SQL Editor > Create Statement" has extra stuff in there that prevents from being used without modification.
Something like this:
CREATE ALGORITHM=UNDEFINED DEFINER=schemax#localhost SQL
SECURITY DEFINER VIEW viewName AS SELECT ....
Change it to this:
CREATE VIEW viewName AS SELECT ....
Seems to work now, no need to update permissions.
**I am the only user of my database..
I had the same issue - on my local dev server it was fine but on my hosted server (through PHPMyAdmin) it gave me the above error.
Removing the definer attribute seemed to be the easiest way to fix the problem if you're happy with the definer being the current user.
just remove the DEFINER attribute and with it's value, example:
CREATE ALGORITHM=UNDEFINED SQL SECURITY DEFINER VIEW ...
Don't rely on default values, if emptying the definer field in phpMyAdmin or other programs won't solve, check the definer, should not be username#localhost unless explicitly needed, but username#%.
Suppose we have 2 users, A and B for a mysql DB customer.
User A is having all the privileges on a particular DB ,
and user B is having some complex specific privileges like
GRANT SELECT,INSERT
-> ON customer.Table1
-> TO 'user B'#'server.domain'
-> IDENTIFIED BY 'pwrd';
Now if I run a query on customer DB on Table1 table, then will there be any difference in the execution times of the query when run separately each through User A and User B ?
And how does the Privileges are actually checked at the time of the query execution or they are checked at the time of connection building itself and stored some where else?
what I know is that the privileges are stored in table named as 'user (Host,User,Password)' .
Permissions are checked for the login user at compile time of sql statement just before executing a sql statement.
The permissions are checked for only the resources e.g. table, views, stored procedure, functions used in that particular sql statement.
User's Priviledges or user level does not affect the execution time.
When a user tries to connect to the database, MySQL checks that that particular username/host/password combination has permission to connect. Once the connection has been made, before any operations are carried out, MySQL again checks to see whether the user/host combination has the right level of access to carry out that operation. The user table is the first table MySQL checks. All user/host/password combinations must be listed in this table before any access can be granted.