Mysql Revoke permission for root user - mysql

I need to revoke permission for root user in mySql. root user should not be able to create and drop tables in the database.
I checked revoke command but somehow it is not working for root user. If I create a new user and revoke permission, it works, what am I missing for root user or we can't revoke permission for 'root'?
SHOW GRANTS FOR root#localhost;
--Displays
GRANT RELOAD, SHUTDOWN, PROCESS, FILE, SHOW DATABASES, SUPER, REPLICATION SLAVE, REPLICATION CLIENT, CREATE USER, CREATE TABLESPACE ON *.* TO 'root'#'localhost' IDENTIFIED BY PASSWORD '*7BB96B4D3E986612D96E53E62DBE9A38AAA40A5A'
GRANT INSERT, UPDATE, DELETE, CREATE, DROP, REFERENCES, INDEX, ALTER, CREATE TEMPORARY TABLES, LOCK TABLES, EXECUTE, CREATE VIEW, SHOW VIEW, CREATE ROUTINE, ALTER ROUTINE, EVENT, TRIGGER ON `%`.* TO 'root'#'localhost' WITH GRANT OPTION
GRANT PROXY ON ''#'' TO 'root'#'localhost' WITH GRANT OPTION
Then
REVOKE all on myDb.* from root#'%';
FLUSH PRIVILEGES;
Access denied for user 'root'#'localhost' to database 'myDb'

I think, you don't want to do that. Root user is made that way to have all the privileges of all CRUD operations and creating new users and giving them privileges.
If your motive is to limit the access, make different users depending upon your need. For eg: you may only want to a user to read the records. That's a safe option because you may use that user only for reading purpose. OR just for read, write and edit privileges.
Edit:
If you still want to do this, check this answers How can I restore the MySQL root user’s full privileges? . It might help you.

Related

how to give super permission to (root) user in MYSQL, despite there being no super user?

I'm using MYSQL 8.0.25, running on WAMP server.
By mistake I changed user root's privilege by unchecked (insert) privilege and pressed (go), so the changes are assigned.
The problems are:
the super user (root) can't insert, see databases, create or do anything.
there is not another super user to give super permissions to (root) again or create super user like root
I can't create super user or return super permissions to (root) because there is no super user
I want to return all permissions to root again. What should I do?
could you help me
MySQL 8.0 Reference Manual / ... / How to Reset the Root Password
Perform generic operation described in "B.3.3.2.3 Resetting the Root Password: Generic Instructions". Instead of ALTER USER ... execute the next statements:
GRANT SELECT, INSERT, UPDATE, DELETE, CREATE, DROP, RELOAD, SHUTDOWN, PROCESS, FILE,
REFERENCES, INDEX, ALTER, SHOW DATABASES, SUPER, CREATE TEMPORARY TABLES,
LOCK TABLES, EXECUTE, REPLICATION SLAVE, REPLICATION CLIENT, CREATE VIEW,
SHOW VIEW, CREATE ROUTINE, ALTER ROUTINE, CREATE USER, EVENT, TRIGGER,
CREATE TABLESPACE, CREATE ROLE, DROP ROLE
ON *.* TO `root`#`localhost` WITH GRANT OPTION;
GRANT APPLICATION_PASSWORD_ADMIN,AUDIT_ADMIN,BACKUP_ADMIN,BINLOG_ADMIN,
BINLOG_ENCRYPTION_ADMIN,CLONE_ADMIN,CONNECTION_ADMIN,ENCRYPTION_KEY_ADMIN,
FLUSH_OPTIMIZER_COSTS,FLUSH_STATUS,FLUSH_TABLES,FLUSH_USER_RESOURCES,
GROUP_REPLICATION_ADMIN,INNODB_REDO_LOG_ARCHIVE,INNODB_REDO_LOG_ENABLE,
PERSIST_RO_VARIABLES_ADMIN,REPLICATION_APPLIER,REPLICATION_SLAVE_ADMIN,
RESOURCE_GROUP_ADMIN,RESOURCE_GROUP_USER,ROLE_ADMIN,SERVICE_CONNECTION_ADMIN,
SET_USER_ID,SHOW_ROUTINE,SYSTEM_USER,SYSTEM_VARIABLES_ADMIN,
TABLE_ENCRYPTION_ADMIN,XA_RECOVER_ADMIN
ON *.* TO `root`#`localhost` WITH GRANT OPTION;
GRANT PROXY ON ''#'' TO 'root'#'localhost' WITH GRANT OPTION;

Granting privilege to existing user gives "you are not allowed to create a user with grant" even though the user already exists

I am logged in as root user and i just reinstalled the mysql server. login_manager isn't created as is shown when i execute SELECT * FROM mysql.user;. I now execute
CREATE USER 'login_manager'#'localhost' IDENTIFIED BY 'login_manager'; and when i check if the user is created, i can find it. Executing
GRANT INSERT
ON clients
TO login_manager;
where client is a table gives me the error i put in the title. Executing FLUSH PRIVILEGES; after creating the user didn't help either. I flushed privileges before creating the user. I looked that up, and normally this error comes when you try to create the user in the grant statement, which i am not doing.
I know this is long, but here are the Grants that root has:
'GRANT SELECT, INSERT, UPDATE, DELETE, CREATE, DROP, RELOAD, SHUTDOWN, PROCESS, FILE, REFERENCES, INDEX, ALTER, SHOW DATABASES, SUPER, CREATE TEMPORARY TABLES, LOCK TABLES, EXECUTE, REPLICATION SLAVE, REPLICATION CLIENT, CREATE VIEW, SHOW VIEW, CREATE ROUTINE, ALTER ROUTINE, CREATE USER, EVENT, TRIGGER, CREATE TABLESPACE, CREATE ROLE, DROP ROLE ON *.* TO `root`#`localhost` WITH GRANT OPTION'
and
'GRANT APPLICATION_PASSWORD_ADMIN,AUDIT_ADMIN,BACKUP_ADMIN,BINLOG_ADMIN,BINLOG_ENCRYPTION_ADMIN,CLONE_ADMIN,CONNECTION_ADMIN,ENCRYPTION_KEY_ADMIN,GROUP_REPLICATION_ADMIN,INNODB_REDO_LOG_ARCHIVE,INNODB_REDO_LOG_ENABLE,PERSIST_RO_VARIABLES_ADMIN,REPLICATION_APPLIER,REPLICATION_SLAVE_ADMIN,RESOURCE_GROUP_ADMIN,RESOURCE_GROUP_USER,ROLE_ADMIN,SERVICE_CONNECTION_ADMIN,SESSION_VARIABLES_ADMIN,SET_USER_ID,SHOW_ROUTINE,SYSTEM_USER,SYSTEM_VARIABLES_ADMIN,TABLE_ENCRYPTION_ADMIN,XA_RECOVER_ADMIN ON *.* TO `root`#`localhost` WITH GRANT OPTION'
and
'GRANT PROXY ON ''#'' TO 'root'#'localhost' WITH GRANT OPTION'
Your login_manager user has a Host entry, likely localhost or %.
Because of this, your GRANT technically isn't for that user, it's for a login_manager with no Host entry - so mysql knows it would have to create the user with no Host first.
Asuming you used localhost when you created the user, use this to do the grants:
GRANT INSERT
ON clients
TO 'login_manager'#'localhost';

Access denied to database that I have access to

I am trying to grant privileges to another user using phpmyadmin, I have access to the root user (cl43-flexfit) and have tried querying the following
GRANT ALL PRIVILEGES ON `cl43-flexfit`.* TO 'supuser'#'localhost';
But receive a response of:
Access denied for user 'cl43-flexfit'#'%' to database 'cl43-flexfit'
Although I use that database with the cl43-flexfit user frequently.
I have also looked at what the root users privileges are using SHOW GRANT
and was shown these:
GRANT USAGE ON *.* TO 'cl43-flexfit'#'%' IDENTIFIED BY PASSWORD 'password'
GRANT SELECT, INSERT, UPDATE, DELETE, CREATE, DROP, INDEX, ALTER, CREATE TEMPORARY TABLES, LOCK TABLES, EXECUTE, CREATE VIEW, SHOW VIEW, CREATE ROUTINE, ALTER ROUTINE, TRIGGER ON `cl43-flexfit`.* TO 'cl43-flexfit'#'%' WITH GRANT OPTION
and even when I try to add permissions to the user for every database (replacing cl43-flexfit.* with * .*) I get an error saying I do not have permission
Access denied for user 'cl43-flexfit'#'%' (using password: YES)
I have been in contact with my hosting service and they have said that everything is correct on their end.
I also do not have access to the privileges tab in PHPMyAdmin and therefore can not use the GUI, it must be done through written commands.
Thanks in advance and apologise if I have a lack of understanding
You cannot GRANT ALL unless you also hold all privileges, along with GRANT OPTION, which you do not.
You have to grant explictly, and list only the permissions that you have (and want to grant).
You can't grant anything ON *.* unless you globally hold the privilege you are trying to grant, on all objects, plus GRANT OPTION. Again, you don't have this.
USAGE means only that you are allowed to log in to the server, nothing more. This is a special case of ON *.* carrying no significant meaning, because merely logging into the server is associated with no particular object.
The hosting service is correct.
If you have other users, you can make only explicit grants of listed permissions, using the format shown in your own SHOW GRANTS output.
GRANT SELECT, INSERT, [more...], TRIGGER ON `cl43-flexfit`.* TO 'my-other-existing-user'#'%';

Cannot grant privileges to a user using root on mysql

I am trying to give explicit permissions to an user on mysql and im doing this (to an already created user)
GRANT SELECT, INSERT, UPDATE, DELETE, CREATE, INDEX, ALTER, SHOW DATABASES,
CREATE TEMPORARY TABLES, LOCK TABLES, EXECUTE, CREATE VIEW, SHOW VIEW,
CREATE ROUTINE, ALTER ROUTINE, EVENT, TRIGGER
ON mydatabase.*
TO 'myuser'#'localhost' ;
But im getting this weird error:
Incorrect usage of DB GRANT and GLOBAL PRIVILEGES
I tried on other schemas with other users making a GRANT ALL PRIVILEGES and seems is working. Any idea?
Some privileges only make sense when the grant references ON *.* as the schema.table.
The manual page https://dev.mysql.com/doc/refman/5.7/en/grant.html lists all the available privileges, and notes each for global, database, table, based on whether you can grant them at different levels of scope.
The SHOW DATABASES privilege can only be granted at the global level.
So you'll have to do it this way:
GRANT SHOW DATABASES
ON *.*
TO 'myuser'#'localhost' ;
GRANT SELECT, INSERT, UPDATE, DELETE, CREATE, INDEX, ALTER,
CREATE TEMPORARY TABLES, LOCK TABLES, EXECUTE, CREATE VIEW, SHOW VIEW,
CREATE ROUTINE, ALTER ROUTINE, EVENT, TRIGGER
ON mydatabase.*
TO 'myuser'#'localhost' ;
I had the strange thing that the "root" user had the rights to grant rights, but I still had to use the user "admin" instead.
With root, I got:
SQL Error [1045] [28000]: Access denied for user 'root'#'%' (using password: YES)
It might just be the setup, but when I look it up in the GUI of DBeaver (Connection --> Users --> Grants --> View Grants), they both have all of the rights checked, and I still cannot grant rights with the "root" user.
Perhaps it helps someone with another weird db setup.
Admin:
Root:

mysql create database and user from non root user

I have a non root user in mysql database. It has grant, create, create user permissions. I need to create a new database and user using that account. Then i need to grant basic usage permissions to newly created user on the newly created database..
I was able to create a new database and user using the non root user. Now when it comes to granting permission for newly created user on newly created database using the non root user i get permission denied for non-root user on newly created user... Any workaround?
Included from OP's comments:
Executing:
SHOW GRANTS FOR 'non_root_account_name'#'his_host'
Resulted the following:
GRANT CREATE, INDEX, ALTER, CREATE USER
ON *.*
TO 'non_root_account_name'#'localhost'
IDENTIFIED BY PASSWORD 'password'
WITH GRANT OPTION
GRANT SELECT, INSERT, UPDATE, DELETE, CREATE,
DROP, INDEX, ALTER, CREATE TEMPORARY TABLES, SHOW VIEW
ON non_root_account_name.*
TO 'non_root_account_name'#'localhost'
WITH GRANT OPTION`
GRANT SELECT
ON mysql`.*
TO 'non_root_account_name'#'localhost'`
As per documentation on GRANT privileges :
To use GRANT, you must have the GRANT OPTION privilege, and you must have the privileges that you are granting.
Meaning, your account to grant privileges to other users, it should have a GRANT OPTION privilege.
Connect as root and re-execute grant on your account to grant the above privilege.
Example:
GRANT
-- list of privileges here
-- to your account name # host
WITH GRANT OPTION