Still trying to figure out RDS on AWS. I setup an EC2 instance that I can SSH into. I then created an RDS instance of MariaDB. I can SSH into my EC2 and then use MySQL to connect to the RDS instance using the username/password I created when I setup the RDS instance. When I look at the users I see
'myusername'#'%'
'rdsadmin'#'localhost'
While logged in as 'myusername' to the mysql db, I create a new user with more limited hosts:
CREATE USER 'otheruser'#'nnn.nnn.nnn.nnn' IDENTIFIED BY 'good_password'
No problems so far. Now give 'otheruser' some permissions:
GRANT ALL PRIVILEGES ON mydatabase.* TO 'otheruser'#'nnn.nnn.nnn.nnn' IDENTIFIED BY 'same_password';
Seems to work. From my IP address I can use Navicat to connect as 'otheruser' to 'mydatabase' and can create tables, add data, drop tables, create indexes no problem. However, when I do this, all privileges show 'N':
SELECT * FROM mysql.user WHERE user = 'otheruser'\G
If I look in information_schema the only privilege is 'usage'
SELECT * FROM information_schema.user_privileges;
If, as my root user created during RDS setup I try to specify a specific privilege for 'otheruser' I get an access denied error.
So if all of the permissions are showing 'N', and information_scheme just shows 'usage', how is Navicat able to connect as that user and do pretty much everything?
What's the correct way of creating a restricted user on an RDS instance? It seems the user created during instance creation is slightly limited vs. the 'rdsadmin'#'localhost', but AFAIK there's now way to connect to the RDS from localhost?
The privileges in the mysql.user table are global privileges. They apply to all databases on the server, present and future. You didn't issue a statement that would grant any of those.
SELECT * FROM mysql.db; will show you where the navicat user's permissions you granted can be found.
You can GRANT ALL PRIVILEGES ON some_database.* in RDS, which grants only the database-level permissions for that one database.
...but you cannot GRANT ALL PRIVILEGES ON *.* because you, the master user, do not possess all global privileges. RDS doesn't give them to you. To do global grants, you have to grant specific privileges.
SHOW GRANTS FOR 'myusername#'%';
The privileges you see listed there are the only global (server-level) privileges you can grant.
Yes, the things you can do with the privileges provided by RDS are limited, presumably because it's a managed service... so they don't want you to be able to break anything that they would have to fix for you... which they would, because it's a managed service. That's one of the drawbacks of RDS. You trade some flexibility for ease of administration (point in time recovery, creation/monitoring/destruction of read replicas, backup snapshots, etc.).
rdsadmin#localhost is the account the RDS infrastructure uses to manage and monitor your instance. That's why it has all those privs. You're correct -- you can't log in from localhost. Only the RDS supervisory process can.
Related
I am logged into MySQL with a user with full admin privileges, and wish to update the root user to only allow login via localhost.
Currently, the root user has full privileges via 'root'#'%', and I'd like to change that to 'root'#'localhost'. I've tested this out on a local mysql install and it worked fine. However, in GCP Cloud SQL I'm unable to do so.
Running:
RENAME USER 'root'#'%' TO 'root'#'localhost';
Yields the error:
ERROR 1221 (HY000): Incorrect usage of RENAME and SYSTEM USER
Is there any way to achieve what I want to do in locking down where the root user can login from? I would like to avoid any MySQL downtime if possible. I am using MySQL 5.7.
As per the document, because Cloud SQL is a managed service, it restricts access to certain system procedures and tables that require advanced privileges and that includes restricting the hostname for the default root user account.
What I can suggest is that you create another MySQL user on cloud console. That user have the same privileges as the root user plus you'll be able to restrict the hostname or limit the privileges for this user. In a way you can say that Cloud SQL encourages you to create separate user accounts for different purposes because the root user is a very common target for unauthorized access.
I create a MySQL database on Azure with a "Mercury" princing level, I log myself in MySQL Workbench, but I can't add an user or change privileges with "GRANT ALL PRIVILEGES ON ... " I get "Access denied for user x". (I logged with the username and password that Azure give me).
Any idea ?
Some Cloud Mysql restrict user's privileges just like alisql. You even can not access the mysql.user table.
You can just use the account which is created in web page and create users in web page. The account you used has not super privilege. So you can not execute "GRANT ALL PRIVILEGES ON ... " to create super privilege account.
If you want to get super privileges, you can try as follows:
Buy the azure host and install mysql yourself
Ask azure supportwhether you can have root account
Change another cloud mysql which has root privileges like 'UCloud'
This is not a problem with root privileges, this functionality is not available for this specific database provider. The default MySQL database provider in Azure for now is ClearDB, and I'm afraid you are not able to create more users for the database:
Can I create additional users for my ClearDB MySQL database cluster solution?
No. You cannot create additional users but you can create additional databases on your ClearDB database cluster
I tried to create a user to grant access to a database hosted at amazon RDS, the user was created, but I can't access to the database that it has allowed to manage, here's the code I used:
GRANT ALL PRIVILEGES ON my_db.* TO 'admin'#'my.rds.domain' IDENTIFIED BY
'xxxyyyzzz';
FLUSH PRIVILEGES ;
I ran that from my mysql client — DataGrid– also, I verified that the user was created using:
SELECT * FROM mysql.user;
And effectively, the user is listed.
Is there any special configuration I have to make at RDS console, or what?
In the GRANT command, 'admin'#'my.rds.domain' means that admin user connecting from my.rds.domain host is granted all privileges on my_db's all objects.
If this admin user attempts to log on from hostname abc.microsoft.com, no access will be given. If the hostname is not understood by MySQL server, it uses IP to form a user#hostname (e.g. 'admin'#'88.99.11.22'). If that entry is not in mysql.users table access will be denied.
If we use 'admin'#'%', it means that admin user logging in from any system is granted the rights. So when you changed hostname to %, access was granted. For better security, if you know that the user is going to log on from a particular IP or hostname only, it would be best to do like you did ('admin'#'hostname').
I am in the process of migrating my current production applications to Amazon Web Services Cloud.
I am migrating my MySQL database to MySQL RDS DB service for my production applications. In order to save cost, I am planning to use shared RDS db for some of the applications that are not that much critical.
I have certain queries:
If I create an RDS instance to be shared among 4 applications, than will there be any possibility that some other user of one database can n check out the other databases.
what are the security issues that I need to take care while doing this.
Can I create and grant admin rights (import/export/create) to other user using the user/password that I created while creating RDS DB.
Any lead is highly appreciated.
This entirely depends on your permissions granted and is completely
within your control.
If you're looking for complete separations between your applications, you just need to make sure you:
Create as many users as you have applications.
Create as many databases as you have applications.
Grant permission to each user only on the database corresponding to that particular application. You can do this by using your root account to issue a command in the console as follows -
GRANT ALL PRIVILEGES ON applicationdb1.* TO 'appuser1'#'%' WITH GRANT OPTION;
GRANT ALL PRIVILEGES ON applicationdb2.* TO 'appuser2'#'%' WITH GRANT OPTION;
GRANT ALL PRIVILEGES ON applicationdb3.* TO 'appuser3'#'%' WITH GRANT OPTION;
GRANT ALL PRIVILEGES ON applicationdb4.* TO 'appuser4'#'%' WITH GRANT OPTION;
This makes sure appuer1 can only access the tables in applicationdb1 and so on.
Lastly, as a root user, you can grant similar permissions to your individual users as you see fit.
So, a couple of days ago, our master instance of MySQL started blocking me from accessing all but a couple of databases but only when connecting from a specific IP address. I can connect and see all the databases when connecting from any other IP address and I can connect and see all databases when connecting to a slave instance. Credentials are the same regardless. I've never seen anything like this.
To gain access to all databases you need to run these commands as a privileged user (eg on the machine itself):
grant all privileges on *.* to YOUR_USER_ID#REMOTE_IP_ADDRESS_YOU_WANT_TO_BE_ALLOWED;
flush privileges;
To get the YOUR_USER_ID#REMOTE_IP_ADDRESS_YOU_WANT_TO_BE_ALLOWED run the select user(); command. This will let you know how you are accessing the database, you can grant privileges accordingly
I think what you'll want to do to start exploring this problem is:
http://dev.mysql.com/doc/refman/5.0/en/show-grants.html
show grants for 'user'#'host';
Try run this script
GRANT ALL ON . to user#'%' IDENTIFIED BY 'password';
It would allow you to access from any IP Address and any machines and access all databases.
Good Luck :)