Im trying to remove all permissions for a user on a database.
REVOKE ALL PRIVILEGES ON database.* FROM 'user'#'%';
This just gives an error saying:
ERROR 1141 (42000): There is no such grant defined for user 'user' on host '%'
I am logged in as root user when running the query. And running show grants for user query shows that the user has permissions on all databases
Output from show grants query:
GRANT USAGE ON *.* TO 'user'#'%' IDENTIFIED BY PASSWORD 'xxxxxx'
Revoke statement has to match the grants issued. If grant is issued to *.*, you can only revoke *.* as well.
since SHOW GRANTS for 'user'#'%' shows a line like:
GRANT USAGE ON *.* TO 'user'#'%' IDENTIFIED BY PASSWORD 'xxxxxx'
You need to revoke that!
This should work:
REVOKE ALL PRIVILEGES ON *.* FROM 'user'#'%';
database.* denotes all tables in the "database" database
*.* denotes all tables in all databases
You can execute the below queries,
1) REVOKE ALTER, ALTER ROUTINE, CREATE, CREATE ROUTINE, CREATE TABLESPACE, CREATE TEMPORARY TABLES, CREATE USER, CREATE VIEW, DELETE, DROP, EVENT, EXECUTE, FILE, INDEX, INSERT, LOCK TABLES, PROCESS, REFERENCES, RELOAD, REPLICATION CLIENT, REPLICATION SLAVE, SELECT, SHOW DATABASES, SHOW VIEW, SHUTDOWN, SUPER, TRIGGER, UPDATE ON . FROM ‘user'#'%’;
OR
REVOKE ALL PRIVILEGES ON . FROM ‘user'#'%';
2) REVOKE GRANT OPTION ON . FROM ‘user'#'%';
Related
I have MyCloudMirror NAS box and I accidentally delete root user from MySQL now I can't login to mysql.
I have uninstall and reinstall the phpmyadmin app but that did not make any different
I also try following but nothing is working
mysqld_safe --skip-grant-tables &
below command show that all permission are assign
CREATE USER 'root'#'localhost' IDENTIFIED BY '';
GRANT ALL PRIVILEGES ON *.* TO 'root'#'localhost' WITH GRANT OPTION;
this doesnt assign all permission the trigger are uncheck
CREATE USER 'root'#'%' IDENTIFIED BY '';
GRANT ALL PRIVILEGES ON *.* TO 'root'#'%' WITH GRANT OPTION;
If I try to check triger from myphpadmin and click on apply i get error message
GRANT ALL PRIVILEGES ON . TO 'root'#'%' REQUIRE NONE WITH GRANT
OPTION MAX_QUERIES_PER_HOUR 0 MAX_CONNECTIONS_PER_HOUR 0
MAX_UPDATES_PER_HOUR 0 MAX_USER_CONNECTIONS 0; MySQL said:
Documentation
#1045 - Access denied for user 'root'#'localhost' (using password: NO)
GRANT ALL PRIVILEGES is not enough.
On MySQL 8+ you must execute the next statements:
GRANT SELECT, INSERT, UPDATE, DELETE, CREATE, DROP, RELOAD, SHUTDOWN, PROCESS,
FILE, REFERENCES, INDEX, ALTER, SHOW DATABASES, SUPER,
CREATE TEMPORARY TABLES, LOCK TABLES, EXECUTE, REPLICATION SLAVE,
REPLICATION CLIENT, CREATE VIEW, SHOW VIEW, CREATE ROUTINE, ALTER ROUTINE,
CREATE USER, EVENT, TRIGGER, CREATE TABLESPACE, CREATE ROLE, DROP ROLE
ON *.* TO `root`#`localhost` WITH GRANT OPTION;
GRANT APPLICATION_PASSWORD_ADMIN,AUDIT_ABORT_EXEMPT,AUDIT_ADMIN,
AUTHENTICATION_POLICY_ADMIN,BACKUP_ADMIN,BINLOG_ADMIN,BINLOG_ENCRYPTION_ADMIN,
CLONE_ADMIN,CONNECTION_ADMIN,ENCRYPTION_KEY_ADMIN,FLUSH_OPTIMIZER_COSTS,
FLUSH_STATUS,FLUSH_TABLES,FLUSH_USER_RESOURCES,GROUP_REPLICATION_ADMIN,
INNODB_REDO_LOG_ARCHIVE,INNODB_REDO_LOG_ENABLE,PASSWORDLESS_USER_ADMIN,
PERSIST_RO_VARIABLES_ADMIN,REPLICATION_APPLIER,REPLICATION_SLAVE_ADMIN,
RESOURCE_GROUP_ADMIN,RESOURCE_GROUP_USER,ROLE_ADMIN,
SERVICE_CONNECTION_ADMIN,SET_USER_ID,SHOW_ROUTINE,SYSTEM_USER,
SYSTEM_VARIABLES_ADMIN,TABLE_ENCRYPTION_ADMIN,XA_RECOVER_ADMIN
ON *.* TO `root`#`localhost` WITH GRANT OPTION;
GRANT PROXY ON ``#`` TO `root`#`localhost` WITH GRANT OPTION;
FLUSH PRIVILEGES;
This is how I fixed the issue
Run /usr/bin/mysql_reset.py --reset
The above command reset all settings on DB
I am logged in as root user and i just reinstalled the mysql server. login_manager isn't created as is shown when i execute SELECT * FROM mysql.user;. I now execute
CREATE USER 'login_manager'#'localhost' IDENTIFIED BY 'login_manager'; and when i check if the user is created, i can find it. Executing
GRANT INSERT
ON clients
TO login_manager;
where client is a table gives me the error i put in the title. Executing FLUSH PRIVILEGES; after creating the user didn't help either. I flushed privileges before creating the user. I looked that up, and normally this error comes when you try to create the user in the grant statement, which i am not doing.
I know this is long, but here are the Grants that root has:
'GRANT SELECT, INSERT, UPDATE, DELETE, CREATE, DROP, RELOAD, SHUTDOWN, PROCESS, FILE, REFERENCES, INDEX, ALTER, SHOW DATABASES, SUPER, CREATE TEMPORARY TABLES, LOCK TABLES, EXECUTE, REPLICATION SLAVE, REPLICATION CLIENT, CREATE VIEW, SHOW VIEW, CREATE ROUTINE, ALTER ROUTINE, CREATE USER, EVENT, TRIGGER, CREATE TABLESPACE, CREATE ROLE, DROP ROLE ON *.* TO `root`#`localhost` WITH GRANT OPTION'
and
'GRANT APPLICATION_PASSWORD_ADMIN,AUDIT_ADMIN,BACKUP_ADMIN,BINLOG_ADMIN,BINLOG_ENCRYPTION_ADMIN,CLONE_ADMIN,CONNECTION_ADMIN,ENCRYPTION_KEY_ADMIN,GROUP_REPLICATION_ADMIN,INNODB_REDO_LOG_ARCHIVE,INNODB_REDO_LOG_ENABLE,PERSIST_RO_VARIABLES_ADMIN,REPLICATION_APPLIER,REPLICATION_SLAVE_ADMIN,RESOURCE_GROUP_ADMIN,RESOURCE_GROUP_USER,ROLE_ADMIN,SERVICE_CONNECTION_ADMIN,SESSION_VARIABLES_ADMIN,SET_USER_ID,SHOW_ROUTINE,SYSTEM_USER,SYSTEM_VARIABLES_ADMIN,TABLE_ENCRYPTION_ADMIN,XA_RECOVER_ADMIN ON *.* TO `root`#`localhost` WITH GRANT OPTION'
and
'GRANT PROXY ON ''#'' TO 'root'#'localhost' WITH GRANT OPTION'
Your login_manager user has a Host entry, likely localhost or %.
Because of this, your GRANT technically isn't for that user, it's for a login_manager with no Host entry - so mysql knows it would have to create the user with no Host first.
Asuming you used localhost when you created the user, use this to do the grants:
GRANT INSERT
ON clients
TO 'login_manager'#'localhost';
I have a user, called "user_creator", in my MySQL 5.5.60 server. This user was created to add new user and databases and grant privileges to this new created users (so and "admin", but with fewer rights).
Following privileges for this "user_creator" are granted:
GRANT SELECT, INSERT, UPDATE, DELETE, CREATE, INDEX, ALTER, SHOW DATABASES, CREATE TEMPORARY TABLES, LOCK TABLES, CREATE USER, EXECUTE, TRIGGER ON *.* TO 'user_creator'#'x.x.x.x' IDENTIFIED BY PASSWORD <secret> WITH GRANT OPTION
This configuration works well. If the "user_creator" creates a new user with...
GRANT SELECT, INSERT, UPDATE, DELETE ON foo.* TO 'foo_01'#'x.x.x.x' IDENTIFIED BY 'foo';
... it works.
But, if the "user_creator" want to grant the EXECUTE privilege to the new user, like
GRANT SELECT, INSERT, UPDATE, DELETE, EXECUTE ON foo.* TO 'foo_01'#'x.x.x.x' IDENTIFIED BY 'foo';
an error occurred:
ERROR 1044 (42000) at line 1: Access denied for user
‘user_creator'#'x.x.x.x’ to database ‘foo’;
Has anyone an idea which privilege the "user_creator" needs to grant the EXECUTE-privilege to a new created user? I don't want to user the root- or an root-like-user to do this action.
I am trying to give explicit permissions to an user on mysql and im doing this (to an already created user)
GRANT SELECT, INSERT, UPDATE, DELETE, CREATE, INDEX, ALTER, SHOW DATABASES,
CREATE TEMPORARY TABLES, LOCK TABLES, EXECUTE, CREATE VIEW, SHOW VIEW,
CREATE ROUTINE, ALTER ROUTINE, EVENT, TRIGGER
ON mydatabase.*
TO 'myuser'#'localhost' ;
But im getting this weird error:
Incorrect usage of DB GRANT and GLOBAL PRIVILEGES
I tried on other schemas with other users making a GRANT ALL PRIVILEGES and seems is working. Any idea?
Some privileges only make sense when the grant references ON *.* as the schema.table.
The manual page https://dev.mysql.com/doc/refman/5.7/en/grant.html lists all the available privileges, and notes each for global, database, table, based on whether you can grant them at different levels of scope.
The SHOW DATABASES privilege can only be granted at the global level.
So you'll have to do it this way:
GRANT SHOW DATABASES
ON *.*
TO 'myuser'#'localhost' ;
GRANT SELECT, INSERT, UPDATE, DELETE, CREATE, INDEX, ALTER,
CREATE TEMPORARY TABLES, LOCK TABLES, EXECUTE, CREATE VIEW, SHOW VIEW,
CREATE ROUTINE, ALTER ROUTINE, EVENT, TRIGGER
ON mydatabase.*
TO 'myuser'#'localhost' ;
I had the strange thing that the "root" user had the rights to grant rights, but I still had to use the user "admin" instead.
With root, I got:
SQL Error [1045] [28000]: Access denied for user 'root'#'%' (using password: YES)
It might just be the setup, but when I look it up in the GUI of DBeaver (Connection --> Users --> Grants --> View Grants), they both have all of the rights checked, and I still cannot grant rights with the "root" user.
Perhaps it helps someone with another weird db setup.
Admin:
Root:
From: http://dev.mysql.com/doc/refman/5.0/en/drop-database.html
...when a database is dropped, user privileges on the database are not automatically dropped.
So the question becomes, how do you revoke all privileges for all users on a MySQL DB? I imagine it's simple, but I'm surprised I haven't been able to find this anywhere.
REVOKE ALL PRIVILEGES ON *.* FROM '<user_name>'#'localhost';
REVOKE ALL PRIVILEGES ON *.* FROM '<user_name>'#'%';
Eg.:
REVOKE ALL PRIVILEGES ON *.* FROM 'jeffrey'#'localhost';
REVOKE ALL PRIVILEGES ON *.* FROM 'jeffrey'#'%';
You can revoke all privileges for a specific user with this syntax:
REVOKE ALL PRIVILEGES, GRANT OPTION FROM user [, user] ...
FLUSH PRIVILEGES;
which drops all global, database, table, column, and routine privileges for the named user or users
Not sure if there's a way to do this for all users at once, though.
REVOKE ALL PRIVILEGES FROM '%'#'%';
The above could be dangerous as i suppose it will delete all the privileges from all the users including root
Modify it to:
REVOKE ALL PRIVILEGES FROM 'user'#'localhost';
or
REVOKE ALL PRIVILEGES FROM 'user'#'%';
before execute
I suppose you can do:
REVOKE ALL PRIVILEGES FROM '%'#'%';
FLUSH PRIVILEGES;
(Don't modify MySQL tables directly)