As in topic I can create and drop table in Maria DB as root, but I can't drop table as normal user. It happens only when tabel engine is connect.
As root:
MariaDB [(none)]> GRANT ALL PRIVILEGES ON test_database.* To 'user'#'localhost' IDENTIFIED BY 'password';
Query OK, 0 rows affected (0.00 sec)
MariaDB [(none)]> SHOW GRANTS FOR user#localhost;
+--------------------------------------------------------------------------------------------------------------+
| Grants for user#localhost |
+--------------------------------------------------------------------------------------------------------------+
| GRANT USAGE ON *.* TO 'user'#'localhost' IDENTIFIED BY PASSWORD '*EE22D94139EAEE5486C30FBC352B12340EEF82F5' |
| GRANT ALL PRIVILEGES ON `test_database`.* TO 'user'#'localhost' |
+--------------------------------------------------------------------------------------------------------------+
2 rows in set (0.00 sec)
Login from root account as normal user:
# mysql -u user -p
Enter password:
Welcome to the MariaDB monitor. Commands end with ; or \g.
Your MariaDB connection id is 20120
Server version: 10.1.9-MariaDB MariaDB Server
Copyright (c) 2000, 2015, Oracle, MariaDB Corporation Ab and others.
Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
MariaDB [test_database]> CREATE TABLE example (id INT, data VARCHAR(100));
Query OK, 0 rows affected (0.61 sec)
MariaDB [test_database]> DROP TABLE example;
Query OK, 0 rows affected (0.03 sec)
MariaDB [test_database]> CREATE TABLE odbc_test ENGINE=CONNECT TABLE_TYPE=ODBC tabname='sample_table' CONNECTION='DSN=mssql_test;UID=test_user;PWD=password';
Query OK, 0 rows affected (0.03 sec)
MariaDB [test_database]> DROP TABLE odbc_test;
ERROR 1045 (28000): Access denied for user 'user'#'localhost' (using password: YES)
MariaDB [test_database]> SHOW GRANTS;
+--------------------------------------------------------------------------------------------------------------+
| Grants for user#localhost |
+--------------------------------------------------------------------------------------------------------------+
| GRANT USAGE ON *.* TO 'user'#'localhost' IDENTIFIED BY PASSWORD '*EE22D94139EAEE5486C30FBC352B12340EEF82F5' |
| GRANT ALL PRIVILEGES ON `test_database`.* TO 'user'#'localhost' |
+--------------------------------------------------------------------------------------------------------------+
2 rows in set (0.00 sec)
MariaDB [test_database]> select current_user;
+-----------------+
| current_user |
+-----------------+
| user#localhost |
+-----------------+
1 row in set (0.04 sec)
What kind of privileges does user have to drop table with engine=connect?
Update1. Checking with csv file like in this link:
https://mariadb.com/kb/en/mariadb/connect-csv-and-fmt-table-types/
It works as root, but as user with all priviliges I can't even create table.
MariaDB [test_database]> create table people (name char(12) not null, birth date not null date_format='DD/MM/YY', children smallint(2) not null) engine=CONNECT table_type=CSV file_name='test.csv' header=1 sep_char=';' quoted=1;
ERROR 1045 (28000): Access denied for user 'user'#'%' (using password: YES)
Problem solved
GRANT FILE ON *.* TO 'user'#'%';
That solved my problem :-)
GRANT FILE ON *.* TO 'user'#'%';
Related
What is the proper way to create roles, then assign new users to the roles to grant access to the desired database?
It's not working for me the way I expected.
If I try to make a read/write role and a read only role, then grant the permissions to the roles, and then create a user with a default role, I get a database access denied error for the user:
CREATE DATABASE testDb;
CREATE ROLE readOnly;
CREATE ROLE readWrite;
GRANT SELECT ON testDB . * TO readOnly;
GRANT ALL ON testDB . * TO readWrite;
CREATE USER 'testUser'#'%' IDENTIFIED BY 'testPass';
GRANT readOnly TO testUser;
GRANT readWrite TO testUser;
SET DEFAULT ROLE readOnly FOR testUser;
\q
Then, when I try to connect to the database as testUser:
/mysql -u testUser -p -D testDb
ERROR 1044 (42000): Access denied for user 'testUser'#'%' to database 'testDb'
On the other hand, if I don't use roles and grant the permissions directly to the user, user with no roles, I don't get the database access denied error:
DROP USER testUser;
DROP ROLE readWrite;
DROP ROLE readOnly;
GRANT ALL ON testDb . * TO testUser#'%' IDENTIFIED BY 'testPass';
\q
Now, connecting as testUser works:
mysql -u testUser -p -D testDb
Enter password:
MariaDB [testDb]>
I can't reproduce the problem (be careful using uppercase and lowercase in the name of the database objects):
$ mysql -u root -p
Enter password:
MariaDB [(none)]> SELECT VERSION();
+----------------+
| VERSION() |
+----------------+
| 10.3.2-MariaDB |
+----------------+
1 row in set (0.000 sec)
MariaDB [(none)]> CREATE DATABASE `testDb`;
Query OK, 1 row affected (0.000 sec)
MariaDB [(none)]> CREATE ROLE `readOnly`;
Query OK, 0 rows affected (0.000 sec)
MariaDB [(none)]> CREATE ROLE `readWrite`;
Query OK, 0 rows affected (0.000 sec)
MariaDB [(none)]> GRANT SELECT ON `testDb`.* TO `readOnly`;
Query OK, 0 rows affected (0.000 sec)
MariaDB [(none)]> GRANT ALL ON `testDb`.* TO `readWrite`;
Query OK, 0 rows affected (0.000 sec)
MariaDB [(none)]> CREATE USER 'testUser'#'%' IDENTIFIED BY '*********';
Query OK, 0 rows affected (0.000 sec)
MariaDB [(none)]> GRANT `readOnly` TO `testUser`;
Query OK, 0 rows affected (0.000 sec)
MariaDB [(none)]> GRANT `readWrite` TO `testUser`;
Query OK, 0 rows affected (0.000 sec)
MariaDB [(none)]> SET DEFAULT ROLE `readOnly` FOR `testUser`;
Query OK, 0 rows affected (0.001 sec)
MariaDB [(none)]> \q
Bye
$ mysql -u testUser -p
Enter password:
MariaDB [(none)]> SELECT CURRENT_USER();
+----------------+
| CURRENT_USER() |
+----------------+
| testUser#% |
+----------------+
1 row in set (0.000 sec)
MariaDB [(none)]> SHOW DATABASES;
+--------------------+
| Database |
+--------------------+
| information_schema |
| testDb |
+--------------------+
2 rows in set (0.001 sec)
MariaDB [(none)]> SELECT CURRENT_ROLE;
+--------------+
| CURRENT_ROLE |
+--------------+
| readOnly |
+--------------+
1 row in set (0.000 sec)
I'm trying to grant all privileges to a specific IP but when I try to get the list of privileged IPs it always shows only localhost, I followed the instructions in this question but it doesn't do any changes, what am I doing wrong?
MariaDB [(none)]> GRANT ALL ON database.* TO 'root'#'192.168.3.1' WITH GRANT OPTION;
Query OK, 0 rows affected (0.00 sec)
MariaDB [(none)]> FLUSH PRIVILEGES;
Query OK, 0 rows affected (0.00 sec)
MariaDB [(none)]> show grants;
+---------------------------------------------------------------------+
| Grants for root#localhost |
+---------------------------------------------------------------------+
| GRANT ALL PRIVILEGES ON *.* TO 'root'#'localhost' WITH GRANT OPTION |
| GRANT PROXY ON ''#'' TO 'root'#'localhost' WITH GRANT OPTION |
+---------------------------------------------------------------------+
2 rows in set (0.00 sec)
mysql> show slave status;
ERROR 1227 (42000): Access denied; you need (at least one of) the SUPER,REPLICATION CLIENT privilege(s) for this operation
mysql> show grants;
+------------------------------------------------------------------+
| Grants for root#192.168.1.5 |
+------------------------------------------------------------------+
| GRANT USAGE ON *.* TO 'root'#'192.168.1.5' |
| GRANT ALL PRIVILEGES ON `western_star`.* TO 'root'#'192.168.1.5' |
+------------------------------------------------------------------+
2 rows in set (0.00 sec)
Note:
I still get denied even though I logged in with my user remotely and I have the permissions.
mysql> show slave status;
ERROR 1227 (42000): Access denied; you need (at least one of) the SUPER,REPLICATION CLIENT privilege(s) for this operation
mysql> show grants;
+------------------------------------------------------------------+
| Grants for root#192.168.1.5 |
+------------------------------------------------------------------+
| GRANT USAGE ON *.* TO 'root'#'192.168.1.5' |
| GRANT ALL PRIVILEGES ON `western_star`.* TO 'root'#'192.168.1.5' |
+------------------------------------------------------------------+
2 rows in set (0.00 sec)
Try running this statement:
SHOW GRANTS FOR 'root'#'192.168.3.1' ;
And compare to the return from this:
SHOW GRANTS FOR 'root'#'localhost' ;
SHOW GRANTS shows the grants for the current user.
Note that "root#localhost" is not the same user as "root#192.168.3.1". MySQL identifies a user by both user AND host. (Those are two different users.)
FOLLOWUP
The SUPER and REPLICATION CLIENT privileges are global privileges, not database privileges. Syntax for granting those privileges is ON *.*. For example:
GRANT REPLICATION CLIENT ON *.* TO 'root'#'192.168.1.5' ;
So I'm trying to export a schema/DB out of mysql and I'm getting a weird error.
I also ran several grant commands (see below) which I believe should be enough to let me export the data. On MySQLWorkbench, I logged in as a user mentioned in the grand commands.
Any ideas what I could be doing wrong? Thanks a lot
Error:
Unhandled exception: Error querying security information: Error executing 'SELECT * FROM mysql.user WHERE User='mydb' AND Host='myhost.com' ORDER BY User, Host'
SELECT command denied to user 'mydb'#'my-ip-here' for table 'user'.
SQL Error: 1142
grant commands:
mysql> use mysql;
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A
Database changed
mysql> grant all privileges on mydb.* to 'mydb'#'%' identified by 'mypassword';
Query OK, 0 rows affected (0.05 sec)
mysql> grant show databases on *.* to 'mydb'#'%';
Query OK, 0 rows affected (0.01 sec)
mysql> flush privileges;
Query OK, 0 rows affected (0.02 sec)
mysql> show grants for 'mydb'#'%';
+--------------------------------------------------------------------------------------------------------------+
| Grants for mydb#% |
+--------------------------------------------------------------------------------------------------------------+
| GRANT SHOW DATABASES ON *.* TO 'mydb'#'%' IDENTIFIED BY PASSWORD 'mypassword' |
| GRANT ALL PRIVILEGES ON `mydb`.* TO 'mydb'#'%' |
+--------------------------------------------------------------------------------------------------------------+
AFTER update user set host='%' where user='root, I lost some of the privileges from my MySQL root user. So I stopped the server and started it with --skip-grant-tables
msqld --skip-grant-tables
and I tried
mysql>update mysql.user set grant_priv = 'Y' where user = 'root';
Query OK, 0 rows affected (0.00 sec)
mysql>FLUSH PRIVILEGES;
Query OK, 0 rows affected (0.00 sec)
This doesn't work for me. When I log in as root, I still can't see the MYSQL database.
mysql> show databases;
+--------------------+
| Database |
+--------------------+
| information_schema |
| test |
+--------------------+
2 rows in set (0.00 sec)
Please help. I've tried all the solutions still can't restore the privileges for ROOT, always got the "0 row affected" result.
Try
GRANT ALL PRIVILEGES ON *.* TO 'root'#'%' WITH GRANT OPTION;
GRANT ALL PRIVILEGES ON *.* TO 'root'#'localhost' WITH GRANT OPTION;
FLUSH PRIVILEGES;
Update
Run this command to check your current privileges
SHOW GRANTS FOR CURRENT_USER;
It is a bad practice to insert/update/delete from mysql.* tables and information_schema.* tables using direct SQL DML statements.
Update 2
Can you post the results of this command
SELECT (
Host,
Grant_priv,
Super_priv
)
FROM mysql.user
WHERE user = 'root';
All of the _priv columns should have a value Y. And the Host should be localhost.
I have to provide direct access to my database to some users for auditing purposes, and should add a restriction to avoid that these new users don't have deleting, updating and altering privileges.
Just create a user and grant only SELECT privilege.
CREATE USER user_name#host_name identified by 'password';
GRANT SELECT ON db_name.* TO user_name#host_name;
To check what privileges a user has use
SHOW GRANTS FOR user_name#host_name;
and make sure that a user only has GRANT USAGE and GRANT SELECT ON db_name.*
Lets say I have my_db database with test table in it and I want to create a user with a name user1 who will be allowed to connect only from local host and will be able to read data from all tables in this database but won't be able to insert, change, and delete data.
mysql> create user user1#localhost identified by 'password';
Query OK, 0 rows affected (0.00 sec)
mysql> show grants for user1#localhost;
+--------------------------------------------------------------------------------------------------------------+
| Grants for user1#localhost |
+--------------------------------------------------------------------------------------------------------------+
| GRANT USAGE ON *.* TO 'user1'#'localhost' IDENTIFIED BY PASSWORD '*2470C0C06DEE42FD1618BB99005ADCA2EC9D1E19' |
+--------------------------------------------------------------------------------------------------------------+
1 row in set (0.00 sec)
mysql> grant select on my_db.* to user1#localhost;
Query OK, 0 rows affected (0.00 sec)
mysql> show grants for user1#localhost;
+--------------------------------------------------------------------------------------------------------------+
| Grants for user1#localhost |
+--------------------------------------------------------------------------------------------------------------+
| GRANT USAGE ON *.* TO 'user1'#'localhost' IDENTIFIED BY PASSWORD '*2470C0C06DEE42FD1618BB99005ADCA2EC9D1E19' |
| GRANT SELECT ON `my_db`.* TO 'user1'#'localhost' |
+--------------------------------------------------------------------------------------------------------------+
2 rows in set (0.00 sec)
Now lets see what our user1 can and can't do
$ mysql -uuser1 -p
mysql> use mysql
ERROR 1044 (42000): Access denied for user 'user1'#'localhost' to database 'mysql'
mysql> use test
ERROR 1044 (42000): Access denied for user 'user1'#'localhost' to database 'test'
mysql> use my_db
Database changed
As you can see our user1 can only connect to my_db database.
Now let see what that user can do with data in table test (the only table in that database)
mysql> select * from test;
+------+
| id |
+------+
| 1 |
| 2 |
+------+
2 rows in set (0.00 sec)
mysql> insert into test values (3);
ERROR 1142 (42000): INSERT command denied to user 'user1'#'localhost' for table 'test'
mysql> delete from test where id = 1;
ERROR 1142 (42000): DELETE command denied to user 'user1'#'localhost' for table 'test'
mysql> update test set id = 10 where id = 1;
ERROR 1142 (42000): UPDATE command denied to user 'user1'#'localhost' for table 'test'
Again as you can the user can only select from the table.