I am using mariadb as my application backend.
i need to create a temporary table (which is temporary per connection, so when the connection is lost it will gone; that is what i want), but i need store a value which should be constant so the user only read it (no update, delete or ... only select), and this value is different in every connection.
so my question is can i grant only select privilege on a specific temporary table in mysql or mariadb?
according to the MySQL 5.1 Documenation https://dev.mysql.com/doc/refman/5.1/en/privileges-provided.html#priv_create-temporary-tables, it can't be done.
in the documentation it is suggested to use another database dedicated to temporary tables, with specified privilege for it.
Related
I'm trying to create a MySQL user for my data catalog so it can extract metadata from my databases.
I don't want to grant DML permissions but only limit the user to query information_schema for databases, tables, columns and views.
I couldn't find an appropriate permission on the docs as it seems to require SELECT to be granted.
Any ideas?
https://dev.mysql.com/doc/refman/8.0/en/information-schema-introduction.html#information-schema-privileges says:
For most INFORMATION_SCHEMA tables, each MySQL user has the right to access them, but can see only the rows in the tables that correspond to objects for which the user has the proper access privileges.
https://dev.mysql.com/doc/refman/8.0/en/show-create-table.html says:
Shows the CREATE TABLE statement that creates the named table. To use this statement, you must have some privilege for the table.
MySQL doesn't have a distinct privilege for viewing metadata about a table without having some other DML privilege on that table.
In phpmyadmin I want to grant users to create and delete databases but this access should be limited to a specific prefix.
My users have 3 different accounts on PhpMyAdmin: username_ro (for only reading), username_rw (for reading and writing) and username_admin (for creating other databases and tables into their account)
I want them to be able to create a database username_website but I don't want them to be able to create database theother_website. They should also be able to drop username_website but unable to drop theother_website
How can I do this with sql or PhpMyAdmin.
Thanks in advance.
With some trial and error I have found a solution. By doing this query I was able to create and drop database username_website but I wasn't able to create or drop database theother_clients
GRANT ALL PRIVILIGES
ON `username\_%`.*
TO 'username_admin'#'localhost';
PS. the query is a little edited. I changed the rights I actually gave with ALL PRIVILIGESand I changed the actual username with username.
In my prior job, I was able to copy data from our production environment in a breeze by using the following statements:
from tablename#UNIXPROD2
INSERT INTO tablename#UNIXTEST2
My current job's databases aren't setup in this fashion.
So, I did some research on MySQL 5.0+ because that's what we are using for one of our customers. And I came across FEDERATED tables, so as I was reading, I found this (here):
As of MySQL 5.0.46, FEDERATED performs bulk-insert handling such that multiple rows are sent to the remote table in a batch. This provides a performance improvement. Also, if the remote table is transactional, it enables the remote storage engine to perform statement rollback properly should an error occur. This capability has the following limitations:
To me, this indicates that (A) I can copy the data from our prod database to our test database; (B) any actions performed on the federated table will also be processed on the source table, which is not what I want to do. I have some scripts that I need to run and I want to run it against actual prod data to make sure it works before I use it in the prod environment.
My question: Is my interpretation correct?
Assuming it is, I've tried:
select * from database.tablename#ipaddress, but received an error message that told me to check the MySQL manual for the version I'm running, which is what I'm going to do after I hit "Post Your Question."
I would appreciate any help in this matter.
EDIT: After further research, I think might be able to do what I need using OUTFILE and INFILE whereby I would use OUTFILE on the prod table(s) and then INFILE those rows on the test table(s). Thoughts?
My answer:
A - correct
B - correct.
You could set the user permission to read-only, but in your situation I would not use federated tables, instead dump the whole db into file and then restore it on the other server. Easiest way - use MySql Workbench.
and some info about federated tables:
You need federated enabled just on server B
You can access a view on A by making a federated table on B
You can do INSERT UPDATE DELETE on federated table
If you need read-only access you can limit the user privileges
BUT! You can't do any aggregate func. on a view which will be federated (ex. COUNT(), MAX(), UNION...) (you can, however it will lag)
Remember to set the KEY's on the federated table you are creating. (or it will lag horr.)
Remember to use ALGORITHM=MERGE on views
Remember to grant acces to USERNAME(from connection string) on server A
example of a federated table on server B:
delimiter $$
CREATE TABLE `schemaName`.`tableName`(
`keyName` VARCHAR(10) NOT NULL,
`key2Name` DATE DEFAULT '2012-01-01',
KEY `keyName` (`keyName`)
)
ENGINE=FEDERATED
DEFAULT CHARSET=utf8
CONNECTION='mysql://USERNAME:PASSWORD#IPADDRESS:PORTNUMBER/baseSchema/baseTable'
$$
And the view on server A:
CREATE
ALGORITHM = MERGE
DEFINER = `ANOTHERUSERNAME`#`%`
SQL SECURITY DEFINER
VIEW `baseSchema`.`baseTable` AS
SELECT
... AS `keyName`,
... AS `key2Name`
FROM
...
I'm having a problem dropping a temporary table. The user account does not have the 'drop' privilege. I don't want to grant that privilege due to security reasons.
I tried to find a privilege like 'drop temporary' but there isn't. It seems the only option is to remove all the 'drop table' statements. I know that the temporary tables will be automatically dropped after the DB sessions end.
However, I'm not sure if there are any side effects leaving this job to MySQL. Please, advice.
Temporary tables are dropped automatically as soon as you disconnect from database
A TEMPORARY table is visible only to the current connection, and is dropped automatically when the connection is closed
http://dev.mysql.com/doc/refman/5.1/en/create-table.html
So - create them, use and don't bother of theirs deletion
It will use current machine's Ram space.
So better idea is drop the temporary table on the next step ,once its use is over
If the user has CREATE TEMPORARY TABLES privilege, he can perform DROP TABLE, INSERT, UPDATE and SELECT.
Please see: https://dev.mysql.com/doc/refman/5.7/en/privileges-provided.html#priv_create-temporary-tables
Our users log into the production database as a fairly low-level user, with SELECT granted at the database level, and INSERT/UPDATE/DELETE granted on the specific tables they need access to.
They also have permissions to create temporary tables (we need them for some of the more complicated queries). The problem is that whilst they can create the temporary tables, they don't have access to INSERT into them!
A workaround we have found is to create a "real" (persistent?) table of the same name (but with only one field) and grant access for them to insert into that. Then, when the temporary table is created with the same name, the system will use that, not the persistent table.
mysql> CREATE TEMPORARY TABLE `testing` (`id` INTEGER AUTO_INCREMENT PRIMARY KEY, `name` VARCHAR(30));
Query OK, 0 rows affected (0.04 sec)
mysql> INSERT INTO `testing` (`name`) VALUES ('testing');
ERROR 1142 (42000): INSERT command denied to user 'stduser'#'office.companyname.co.uk' for table 'testing'
If you try to grant access to the table (in another session, as root), you can't:
mysql> GRANT INSERT ON testdb.testing TO 'stduser'#'%';
ERROR 1146 (42S02): Table 'testdb.testing' doesn't exist
So my question is, basically, can we grant INSERT/UPDATE/DELETE on temporary tables without having a "persistent" table of the same name hanging around?
According to the MySQL reference :
MySQL enables you to grant privileges
on databases or tables that do not
exist. For tables, the privileges to
be granted must include the CREATE
privilege.
So, try including CREATE permission on the grant statement above.
One way around this will be to create a special database and grant the user write access to it, and then have it create those temporary tables in that special database.
MySQL grants are independent of the object actually existing - you can grant on tables which don't (yet) exist and those permissions would be assigned to a table if it were to be created. This means that you can grant a user permission to create a specific table.
I'd be tempted to create a database just for temp tables, (called, say, temp) and grant the users access to that database. Database-based permissions are much easier to manage than per-object ones.