Azure MySQL root privilege - mysql

I create a MySQL database on Azure with a "Mercury" princing level, I log myself in MySQL Workbench, but I can't add an user or change privileges with "GRANT ALL PRIVILEGES ON ... " I get "Access denied for user x". (I logged with the username and password that Azure give me).
Any idea ?

Some Cloud Mysql restrict user's privileges just like alisql. You even can not access the mysql.user table.
You can just use the account which is created in web page and create users in web page. The account you used has not super privilege. So you can not execute "GRANT ALL PRIVILEGES ON ... " to create super privilege account.
If you want to get super privileges, you can try as follows:
Buy the azure host and install mysql yourself
Ask azure supportwhether you can have root account
Change another cloud mysql which has root privileges like 'UCloud'

This is not a problem with root privileges, this functionality is not available for this specific database provider. The default MySQL database provider in Azure for now is ClearDB, and I'm afraid you are not able to create more users for the database:
Can I create additional users for my ClearDB MySQL database cluster solution?
No. You cannot create additional users but you can create additional databases on your ClearDB database cluster

Related

CREATE DATABASE using phpmyadmin in online server

I install phpMyAdmin on my subdomain for my clients to access their Databases, Because I can't give my Cpanel Login to them.
But my problem is when they need to create a new database, they can't do it from phpMyAdmin and they face this error
ALTER USER 'root'#'localhost' IDENTIFIED WITH mysql_native_password BY
'root';
And I try to create a DB using phpMyAdmin, login from cPanel but I had the same error.
No worry I can create and manage user and DB from cPanel, But the problem is I have to create a database myself when my client needs DBS.
So has I have an option for this, any type?
In your case, this error means the MySQL user does not have the required privilege to create a database. These are some options you could do:
Grant their user all privileges on all databases (not recommended):
GRANT ALL PRIVILEGES ON . TO 'sserver_sserver'#'localhost';
Create the database yourself and give their user all privileges on that specific database:
CREATE DATABASE my;
GRANT ALL PRIVILEGES ON my.* TO 'sserver_sserver'#'localhost';
Give their user all privileges to databases beginning with a certain prefix such as their business name which will allow them to create and work on as many databases as they need:
GRANT ALL PRIVILEGES ON 'businessname_%'.* TO 'sserver_sserver'#'localhost';

How to restrict the root MySQL system user to a single host in GCP Cloud SQL?

I am logged into MySQL with a user with full admin privileges, and wish to update the root user to only allow login via localhost.
Currently, the root user has full privileges via 'root'#'%', and I'd like to change that to 'root'#'localhost'. I've tested this out on a local mysql install and it worked fine. However, in GCP Cloud SQL I'm unable to do so.
Running:
RENAME USER 'root'#'%' TO 'root'#'localhost';
Yields the error:
ERROR 1221 (HY000): Incorrect usage of RENAME and SYSTEM USER
Is there any way to achieve what I want to do in locking down where the root user can login from? I would like to avoid any MySQL downtime if possible. I am using MySQL 5.7.
As per the document, because Cloud SQL is a managed service, it restricts access to certain system procedures and tables that require advanced privileges and that includes restricting the hostname for the default root user account.
What I can suggest is that you create another MySQL user on cloud console. That user have the same privileges as the root user plus you'll be able to restrict the hostname or limit the privileges for this user. In a way you can say that Cloud SQL encourages you to create separate user accounts for different purposes because the root user is a very common target for unauthorized access.

Issue creating users on mysql/mariadb on amazon RDS

Still trying to figure out RDS on AWS. I setup an EC2 instance that I can SSH into. I then created an RDS instance of MariaDB. I can SSH into my EC2 and then use MySQL to connect to the RDS instance using the username/password I created when I setup the RDS instance. When I look at the users I see
'myusername'#'%'
'rdsadmin'#'localhost'
While logged in as 'myusername' to the mysql db, I create a new user with more limited hosts:
CREATE USER 'otheruser'#'nnn.nnn.nnn.nnn' IDENTIFIED BY 'good_password'
No problems so far. Now give 'otheruser' some permissions:
GRANT ALL PRIVILEGES ON mydatabase.* TO 'otheruser'#'nnn.nnn.nnn.nnn' IDENTIFIED BY 'same_password';
Seems to work. From my IP address I can use Navicat to connect as 'otheruser' to 'mydatabase' and can create tables, add data, drop tables, create indexes no problem. However, when I do this, all privileges show 'N':
SELECT * FROM mysql.user WHERE user = 'otheruser'\G
If I look in information_schema the only privilege is 'usage'
SELECT * FROM information_schema.user_privileges;
If, as my root user created during RDS setup I try to specify a specific privilege for 'otheruser' I get an access denied error.
So if all of the permissions are showing 'N', and information_scheme just shows 'usage', how is Navicat able to connect as that user and do pretty much everything?
What's the correct way of creating a restricted user on an RDS instance? It seems the user created during instance creation is slightly limited vs. the 'rdsadmin'#'localhost', but AFAIK there's now way to connect to the RDS from localhost?
The privileges in the mysql.user table are global privileges. They apply to all databases on the server, present and future. You didn't issue a statement that would grant any of those.
SELECT * FROM mysql.db; will show you where the navicat user's permissions you granted can be found.
You can GRANT ALL PRIVILEGES ON some_database.* in RDS, which grants only the database-level permissions for that one database.
...but you cannot GRANT ALL PRIVILEGES ON *.* because you, the master user, do not possess all global privileges. RDS doesn't give them to you. To do global grants, you have to grant specific privileges.
SHOW GRANTS FOR 'myusername#'%';
The privileges you see listed there are the only global (server-level) privileges you can grant.
Yes, the things you can do with the privileges provided by RDS are limited, presumably because it's a managed service... so they don't want you to be able to break anything that they would have to fix for you... which they would, because it's a managed service. That's one of the drawbacks of RDS. You trade some flexibility for ease of administration (point in time recovery, creation/monitoring/destruction of read replicas, backup snapshots, etc.).
rdsadmin#localhost is the account the RDS infrastructure uses to manage and monitor your instance. That's why it has all those privs. You're correct -- you can't log in from localhost. Only the RDS supervisory process can.

MySQL revoke permissions for external connections

I need to give a remote user access to a MySQL database. I also need to limit the permissions they have to the MySQL database tables. The current database contains approx. 50+ tables so rather than revoke permissions table by table, I'm trying to give the user access with no privileges and then add those that are needed. What I've done appears to work when:
I'm logged in as root (via SSH)
I login using "mysql -u username -p" - enter my password for the newly created user.
This users account honors all the privileges I've set up. However, when this user tried to connect via their desktop client - they can connect but can not view the database. When using "use databasename" they get this error:
Error Code: 1044. Access denied for user 'username'#'%' to database 'database_name'
Not sure if this helps but I'm using Media Temple DV w/ Plesk. I've first added the user. Then I SSH in and revoked ALL privileges. Then I added the privileges for the user and did command "flush privileges". Nothing is working. As I said, if I'm accessing via the command line (after SSHing in as root) the permissions are honored and I can access the database - just not remotely.
Any help would be greatly appreciated.
May be network that is allowed to connect is localhost, but not users network IP.
And check max connections amount.
If you're logged in as root via SSH and MySQL database is on the same machine, then i guess that if you run:
mysql -u username -p
you try to connect to MySQL as 'username'#'localhost' user.
If you want to connect to MySQL database from outside of this server, you need to:
create user like 'username'#'%' which allow to connect to MySQL using 'username' from anywhere ('%')
allow mysql server to connect from outside by setting bind-address more details here

delete MySQL entire database. Database not showing in MySQL Databases

Every time I create a database using a custom joomla template quick install the database is created but does not show up in MySQL Database management despite the fact that it most definitely does exist and MySQL database management knows it does because it wont let me create a database with that name due to error "Database already exists".
I want to delete joomlasall database.
Full size image
http://img99.imageshack.us/img99/4995/tempkh.png
If you can not see database but you are sure that it exists, this is definitely permissions issue.
Do
SHOW GRANTS
More info here
You will see that you does not hold global SELECT privilege.
You need to explicitly GRANT permissions with similar command like:
GRANT ALL PRIVILEGES ON DBNAME.* TO 'username'#'localhost';
Instead of ALL you can specify SELECT, INSERT, UPDATE, DELETE , EXECUTE, etc... check this
replace DBNAME with your DB name, username with user for whom you want to grant access and localhost with hostname if DB is used remotly.
To do this, you need GRANT privilege or to be root user.
use same mysql user credentials for Joomla DB connectivity also the one you are using in phpmyadmin.