What are the minimum required permissions for a mysql user to perform a backup using mysqldump/xtrabackup? I do not want permissions to power like root, but just enough to perform a backup. This is because innobackupex requires you to add the password on command line, which is not too secure. So I would like to create another user with not so much privileges to be used.
On MySQL this would be these permissions as far as I know:
GRANT SELECT, LOCK TABLES, RELOAD, SHOW VIEW ON *.* TO 'user'@'localhost' IDENTIFIED BY 'password';
Note that it may vary if you use views, functions, procedures etc
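An added example, not part of the original answer: a dedicated mysqldump account built with separate CREATE USER and GRANT statements, with each privilege tied to the mysqldump feature that needs it. The account name 'backup', the password and the option-file path are assumptions.

```sql
-- Added example. The account name 'backup', the password and the option-file
-- path below are placeholders, not values from the original post.

-- 1. Create the account separately from the grant. MySQL 8.0 no longer accepts
--    GRANT ... IDENTIFIED BY, and CREATE USER works on older versions too.
CREATE USER 'backup'@'localhost' IDENTIFIED BY 'replace-with-generated-password';

-- 2. Read-only privileges for a logical backup with mysqldump:
--      SELECT       read the rows of every dumped table
--      SHOW VIEW    dump view definitions
--      TRIGGER      dump triggers
--      EVENT        dump scheduled events (mysqldump --events)
--      LOCK TABLES  needed unless --single-transaction is used
GRANT SELECT, SHOW VIEW, TRIGGER, EVENT, LOCK TABLES
   ON *.* TO 'backup'@'localhost';

-- 3. Administrative privileges that exist only at the global level:
--      RELOAD   for --flush-logs and --master-data
--      PROCESS  for tablespace information on recent versions
--               (leave it out and pass --no-tablespaces instead)
GRANT RELOAD, PROCESS ON *.* TO 'backup'@'localhost';

-- xtrabackup/innobackupex take a physical copy and, per the Percona
-- XtraBackup 2.4 documentation, need this set instead of steps 2 and 3:
-- GRANT RELOAD, LOCK TABLES, PROCESS, REPLICATION CLIENT
--    ON *.* TO 'backup'@'localhost';

-- 4. Check the result: no INSERT/UPDATE/DELETE/DROP and no GRANT OPTION.
SHOW GRANTS FOR 'backup'@'localhost';

-- 5. Keep the password off the command line: put it in a [client] section of
--    an option file readable only by the backup OS user (chmod 600) and pass
--    that file with --defaults-extra-file as the first option, for example
--    mysqldump --defaults-extra-file=/path/to/backup.cnf --all-databases
```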
I am trying to grant privileges to another user using phpmyadmin, I have access to the root user (cl43-flexfit) and have tried querying the following
GRANT ALL PRIVILEGES ON `cl43-flexfit`.* TO 'supuser'@'localhost';
But receive a response of:
Access denied for user 'cl43-flexfit'@'%' to database 'cl43-flexfit'
Although I use that database with the cl43-flexfit user frequently.
I have also looked at what the root user's privileges are using SHOW GRANT and was shown these:
GRANT USAGE ON *.* TO 'cl43-flexfit'@'%' IDENTIFIED BY PASSWORD 'password'
GRANT SELECT, INSERT, UPDATE, DELETE, CREATE, DROP, INDEX, ALTER, CREATE TEMPORARY TABLES, LOCK TABLES, EXECUTE, CREATE VIEW, SHOW VIEW, CREATE ROUTINE, ALTER ROUTINE, TRIGGER ON `cl43-flexfit`.* TO 'cl43-flexfit'@'%' WITH GRANT OPTION
And even when I try to add permissions to the user for every database (replacing cl43-flexfit.* with *.*) I get an error saying I do not have permission:
Access denied for user 'cl43-flexfit'@'%' (using password: YES)
I have been in contact with my hosting service and they have said that everything is correct on their end.
I also do not have access to the privileges tab in PHPMyAdmin and therefore can not use the GUI, it must be done through written commands.
Thanks in advance and apologise if I have a lack of understanding
You cannot GRANT ALL unless you also hold all privileges, along with GRANT OPTION, which you do not.
You have to grant explicitly, and list only the permissions that you have (and want to grant).
You can't grant anything ON *.* unless you globally hold the privilege you are trying to grant, on all objects, plus GRANT OPTION. Again, you don't have this.
USAGE means only that you are allowed to log in to the server, nothing more. This is a special case of ON *.* carrying no significant meaning, because merely logging into the server is associated with no particular object.
The hosting service is correct.
If you have other users, you can make only explicit grants of listed permissions, using the format shown in your own SHOW GRANTS output.
GRANT SELECT, INSERT, [more...], TRIGGER ON `cl43-flexfit`.* TO 'my-other-existing-user'@'%';
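An added example, not part of the original answer: how the account from the question can list exactly which privileges it holds with GRANT OPTION before delegating a subset of them. It uses the account and database names quoted in the question and assumes 'supuser'@'localhost' already exists.

```sql
-- Added example. Run while logged in as the delegating account
-- (here 'cl43-flexfit'@'%', the account quoted in the question).

-- 1. Confirm which account row the server matched for this session.
SELECT CURRENT_USER();

-- 2. Database-level privileges held, and whether each may be passed on.
--    GRANTEE is stored with its quotes, hence the doubled quotes below.
SELECT TABLE_SCHEMA, PRIVILEGE_TYPE, IS_GRANTABLE
  FROM information_schema.SCHEMA_PRIVILEGES
 WHERE GRANTEE = '''cl43-flexfit''@''%'''
 ORDER BY TABLE_SCHEMA, PRIVILEGE_TYPE;

-- 3. Global privileges. An account that holds only USAGE ON *.* has nothing
--    grantable here, which is why any GRANT ... ON *.* is refused.
SELECT PRIVILEGE_TYPE, IS_GRANTABLE
  FROM information_schema.USER_PRIVILEGES
 WHERE GRANTEE = '''cl43-flexfit''@''%''';

-- 4. Delegate only privileges that step 2 reported with IS_GRANTABLE = 'YES',
--    on the same database, to an account that already exists.
GRANT SELECT, INSERT, UPDATE, DELETE
   ON `cl43-flexfit`.* TO 'supuser'@'localhost';

-- 5. The receiving account can check the result after logging in:
--    SHOW GRANTS;
```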
When creating new tables and a user to go along with it, I usually just invoke the following commands:
CREATE DATABASE mydb;
GRANT ALL PRIVILEGES ON mydb.* TO myuser@localhost IDENTIFIED BY "mypassword";
I have never ever needed to utilize the FLUSH PRIVILEGES command after issuing the previous two commands. Users can log in and use their database and run PHP scripts which connect to the database just fine. Yet I see this command used in almost every tutorial I look at.
When is the FLUSH PRIVILEGES command really needed and when is it unnecessary?
Privileges assigned through GRANT option do not need FLUSH PRIVILEGES to take effect - MySQL server will notice these changes and reload the grant tables immediately.
From MySQL documentation:
If you modify the grant tables directly using statements such as
INSERT, UPDATE, or DELETE, your changes have no effect on privilege
checking until you either restart the server or tell it to reload the
tables. If you change the grant tables directly but forget to reload
them, your changes have no effect until you restart the server. This
may leave you wondering why your changes seem to make no difference!
To tell the server to reload the grant tables, perform a
flush-privileges operation. This can be done by issuing a FLUSH
PRIVILEGES statement or by executing a mysqladmin flush-privileges or
mysqladmin reload command.
If you modify the grant tables indirectly using account-management
statements such as GRANT, REVOKE, SET PASSWORD, or RENAME USER, the
server notices these changes and loads the grant tables into memory
again immediately.
TL;DR
You should use FLUSH PRIVILEGES; only if you modify the grant tables directly using statements such as INSERT, UPDATE, or DELETE.
Just to give some examples. Let's say you modify the password for a user called 'alex'. You can modify this password in several ways. For instance:
mysql> update user set password=PASSWORD('test!23') where user='alex';
mysql> flush privileges;
Here you used UPDATE. If you use INSERT, UPDATE or DELETE on grant tables directly you need to use FLUSH PRIVILEGES in order to reload the grant tables.
Or you can modify the password like this:
mysql> set password for 'alex'@'localhost'= password('test!24');
Here it's not necessary to use "FLUSH PRIVILEGES;"
If you modify the grant tables indirectly using account-management statements such as GRANT, REVOKE, SET PASSWORD, or RENAME USER, the server notices these changes and loads the grant tables into memory again immediately.
2 points in addition to all other good answers:
1:
what are the Grant Tables?
from dev.mysql.com
The MySQL system database includes several grant tables that contain information about user accounts and the privileges held by them.
clarification: in MySQL, there are some inbuilt databases, one of them is "mysql", all the tables on "mysql" database have been called as grant tables
2:
note that if you perform:
UPDATE a_grant_table SET password=PASSWORD('1234') WHERE test_col = 'test_val';
and refresh phpMyAdmin, you'll realize that your password has been changed on that table but even now if you perform:
mysql -u someuser -p
your access will be denied by your new password until you perform:
FLUSH PRIVILEGES;
Hey, I'm trying to grant my USER in MySQL the DBA role, because we are connecting to an AWS amazon server but no matter what we do, we can't grant that role to our user admin5 that's the only user that we created. So please help because we need that privilege to create a Job that sends emails automatically at midnight.
This is how you can grant privileges to other users:
WITH GRANT OPTION clause gives the user the ability to give to other users any privileges the user has at the specified privilege level.
You can check if your user has this option by running show grants for 'youruser'@'yourhost';
The root user usually has these privileges by default. Try logging in with root and granting the permissions you need.
Also, presumably your cron that you are going to be running does not need to have DBA permissions. Here is a list of MySQL permissions and what they do. Select and execute privileges would probably be sufficient enough for what you need.
Is it possible for a user other than root to create a database?
GRANT SELECT, CREATE ON *.* TO 'myguy'@'thatmachine' IDENTIFIED BY PASSWORD '*12057DFA2BFBD8760D4788735B1C3E26889D7ECE'
GRANT ALL PRIVILEGES ON `db1`.* TO 'myguy'@'thatmachine'
GRANT ALL PRIVILEGES ON `db2`.* TO 'myguy'@'thatmachine'
I wonder what privilege is missing here? Also, why does the first line have a password attached to it?
UPDATE
Let me further clarify what the point of my question is. I have two database machines, source and target. There are many customer databases on the source machine. I need to move those source databases to the other target machine.
The databases are in the form of mysqldump'ed .sql files, which are sftp'd from source to target. Target user, not root, must then recreate the databases locally from each .sql file, perform some actions, then drop the database.
I can't find a way to give these privileges to the target user without giving him global privileges on *.*, which effectively makes that user as dangerous as root.
Absolutely you can.
http://dev.mysql.com/doc/refman/5.1/en/privileges-provided.html#priv_create
As Izkata and Evan Donovan have mentioned in the comments, the best way to achieve this is to give myguy all privileges on the database myguy_%.
You can do this with the following sql:
grant all privileges on `myguy_%`.* to myguy@localhost identified by 'password';
This way you don't have to bother with other existing databases, and myguy is able to create new databases to his heart's content.
The password field is what that particular user's password is when logging into MySQL itself. I'm not exactly sure what you mean when you say you wonder what privileges are missing. What exactly are you trying to do?
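An added example, not part of the original answer: in a database-level GRANT both % and _ are wildcards, so the prefix pattern should escape the underscore to keep the account inside its own namespace. The password and the database names are assumptions chosen to match the import-then-drop workflow described in the question.

```sql
-- Added example; the password and database names are placeholders.

-- As an administrator: create the account without any global privilege.
CREATE USER 'myguy'@'localhost' IDENTIFIED BY 'replace-with-generated-password';

-- Unescaped pattern, shown for comparison only. "_" matches any single
-- character, so `myguy_%` also covers databases such as myguy2 or
-- myguys_archive that may belong to someone else.
-- GRANT ALL PRIVILEGES ON `myguy_%`.* TO 'myguy'@'localhost';

-- Escaped pattern: only names that start with the literal prefix "myguy_".
GRANT ALL PRIVILEGES ON `myguy\_%`.* TO 'myguy'@'localhost';

-- The pattern is stored as written; review it like any other grant.
SHOW GRANTS FOR 'myguy'@'localhost';

-- As myguy: the whole import cycle works inside the prefix.
CREATE DATABASE myguy_import_001;
-- ... load the .sql dump into myguy_import_001 and process it ...
DROP DATABASE myguy_import_001;

-- Outside the prefix the same account is refused:
-- CREATE DATABASE customer_live;   -- fails with error 1044, access denied
```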
When connecting to my server (from a different machine) I get
Error Code: 1044 Access denied for user 'username'@'%' to database 'dbname'
when I try to create a function. But when I look at my permissions
SHOW GRANTS FOR CURRENT_USER;
I get
'GRANT SELECT, INSERT, UPDATE, DELETE, CREATE, DROP, RELOAD, SHUTDOWN, PROCESS, FILE, REFERENCES, INDEX, ALTER, SHOW DATABASES, SUPER, CREATE TEMPORARY TABLES, LOCK TABLES, EXECUTE, REPLICATION SLAVE, REPLICATION CLIENT, CREATE ROUTINE ON *.* TO ''username''@''%'' IDENTIFIED BY PASSWORD ''--stripped--'' WITH GRANT OPTION'
In particular, this includes CREATE ROUTINE. Why can't I make a function? How can I change it so I can?
I think there is a CREATE FUNCTION that is separate from CREATE ROUTINE. But either way, since it looks like your user has 100% full access anyway you could do:
GRANT ALL PRIVILEGES ON *.* TO user@'%' IDENTIFIED BY 'password' WITH GRANT OPTION
However I would note it would be much better to set the '%' to 'localhost' and only access the database in this manner from a local machine (or at least a trusted IP). The lack of security with this could cause you trouble.
Definitely don't use this user/password to connect to the database from a web script!
Edit
I forgot: routines and functions have to be granted globally. Adding *.* tries to add the grant to the tables themselves which is why it doesn't work. Try:
GRANT ALTER ROUTINE,CREATE ROUTINE, EXECUTE ON * TO user@'%' IDENTIFIED BY 'password'
There's a longer description of it here: http://dev.mysql.com/doc/refman/5.0/en/grant.html