I am using MySQL workbench 6.2.3. I want limit user access to an individual database.When one trying to open a database after getting in a connection, he/she should enter user name and password. Is there any provision to grant access to a database after entering valid username and password?
There's no way to require an additional password for a user once he logged in. Control access via the normal MySQL login. The user name used for that can be configured to have only access to the objects you want. The used user name decides what is allowed and what is not.
For commercial MySQL editions you can also use the new MySQL Firewall, which allows only a set of previously learned queries to be run by a given user. It's not a second login, but you can fine tune access levels for a given user.
I am not sure if this is what you are trying to achieve but you can do the following to grant a user the access to a single database and all its tables.
You login as root with "mysql -u root"
Then execute : GRANT ALL PRIVILEGES ON SpecificUserDB.* To 'TheUser'#'yourserver' IDENTIFIED BY 'secretpwd';
Hope this helps.
Related
I have a request from a customer and I am quite sure the answer is no, but wondering if someone has a different answer.
Background
As you know MySQL installation create a database called "mysql" where it stores the databases we create and also the users.
In the user table, there is a field called "authentication_string" where the user password is saved.
Project
On this project each time a customer creates an account a new database user and database is created.
When a customer logs in through a web interface, the system calls an API to authenticate him/her. After that the root db user is used to connect to customer database, not their own database credentials, why? because they do not want to save user and password on database (this is a temp solution)
They want to change the application so after authentication/authorization process and they would somehow only needed root credentials to somehow get user and password from "mysql db" and then use them to create the connection using customer db credentials.
Is this possible? Or is there some mysql parent - children configuration where this scenario is possible?
Project uses MySQL 5.7
From what I can understand I think you could just use MySQL’s SET PASSWORD to set some random strong password for the user and then login using that. This way you would not store anything and it would still be pretty secure assuming your root db access is fairly isolated from the thing that’s trying to login as the user.
For example:
SET PASSWORD FOR some_user = <long-strong-randomly-generated-password-string>
Afterwards you return this <long-strong-randomly-generated-password-string> from your access-providing process and then the user process can login using that. In this case it would stay valid until the next SET PASSWORD, so keep that in mind, but depending on your use-case that might be ok.
I try to execute query in phpmyadmin and get error:
#1142 - SELECT command denied to user 'cpses_tkdpmnyjWW'#'localhost' for table 'user'
So, user cpses_tkdpmnyjWW'#'localhost is created dynamically and I can not set privileges for this user.
How to fix this?
Use SHOW GRANTS to show your current user privileges. It sounds as though the output may be similar to:
GRANT USAGE ON *.* TO 'Unnamed'#'localhost'
This would mean the account could sign into the server but do little else. This page gives a more detailed breakdown, as you'll see there are quite a few permutations.
The solution is you need to either find an account with more privileges or create/update one.
If the above is not an option, one quick trick I may try is connecting to '127.0.0.1' instead of 'localhost'. In MySQL the source of the connection can form part of the username so it's plausible that connecting on an IP instead of socket if you are on Unix flavoured OS.
Additionally, if you have admin/root access to the server, it is possible to create users when MySQL starts which is very useful in some scenarios.
I want to restore an owncloud installation by restoring the database and all web files.My problem is, that I used the root user for the mysql database and owncloud created another user called oc-michael (my account name is michael). Now I need the password of this user to be able to create a user with this password.
Or how can I do this?
The password of the MySQL user oc-michael is written in your /config/config.php at the 'dbpassword' variable.
Hint: Please note that this looks like a hash but its just a very long plaintext password which was auto-generated.
I was wondering if it was possible to have 1 database, but multiple logins (so that when a developer leaves, we don't have to change the entire db password and all instances of it).
If that's possible, how would I do it? (I have NO experience with phpmyadmin aside from code related queries, I'm doing research for a friend who would be able to implement it)
Thanks in advanced!
phpMyAdmin has a simple way of creating new SQL users. From the home screen, click on the database in the left column for which you want to add a new user. Click on the Privileges tab. At the bottom, there is a command labeled, "Add new user"; click that. Type in the username and password that you want to assign to the account. To restrict the user to that database, select "Grant all privileges on database."
Note: I'm using phpMyAdmin 3.4.7.1.
Yes that is possible. If you are using localhost, just login and create a new user and give the privileges for the database.
http://wiki.phpmyadmin.net/pma/user_management#Creating_a_new_user
If you are hosted server on Linux, there is an option to create new users and and assign to the databases with different privileges.
Yes, it's quite simple. PhpMyAdmin validates logins against MySQL's user permissions list. Simply create multiple MySQL users with full privileges on the DB in question and give each admin their own user.
It's easy to set this up from directly inside PhpMyAdmin. Just log in as a high-privilege user and click the "Privileges" tab. Then "Add New User" and specify the username, the host (generally localhost), a password and then create the user (with no privileges checked). Once the user is created, go back to the user list on the Privileges tab and click the edit button next to your new user. Then, under "Database-specific privileges", select the database you'd like to grant privileges... then just select all the rights you want to give this user and click "Go". This new MySQL user and password can now be issued to an admin so he/she can log into PhpMyAdmin, and it revoked at any time in the future.
Say you created a blog application, and it's data is stored in a MySQL database. In your application configuration you set the data source name to myBlog user root password whatever
Now, when users start using your blog to access, post to, and comment on threads, etc... I am assuming they connect as root through the application myblog ...
So... users connect to the application myBlog who in turn connects to MySQL as user root , using password whatever --- it's not really the users that are connecting to MySQL, it's the application. Correct?
Is there not a security issue with this approach? Should I create a new username in MySQL for the application myBlog with specific privileges and leave root only for administering the database?
yes, the application connects to the db. you should create a new mysql user for your application, do something like
CREATE DATABASE myblog_env;
CREATE USER 'myblogenv-user'#'%' IDENTIFIED BY 'your pw';
GRANT ALL PRIVILEGES ON myblog_env.* TO 'myblogenv-user'#'%' WITH GRANT OPTION;
something like the above should do it. The 'env' part of the above is for if you want to create a new db for difference environments, like dev, stage, prod, whatever....
this way your application user has complete access to its db, but no other dbs in the mysql instance.
First of all, you should NEVER use the root account of a mysql database for anything else then admin work.
Second of all, in theory yes the user of your blog would be the "root" in your mysql database, but hopefully there is a lot of sanatizing and cleaning up in your blogs code before any queries are executed...anything else would be know as an "sql inject"
You are exactly right. This is called the principle of least privilege. You should give the application the minimum access rights that it needs to complete the job. This would not be root.
The short answer is: Yes.
Long answer:
Security: You should have a different user for your application than you do for yourself as the administator. That application user should only have read (and write if necessary) privileges on the specific database it needs to access. Also, it should not have privilege-granting privileges, nor drop table privileges, nor database creation/dropping privileges, nor anything else that is reserved for you.
Convenience: If you ever need to change your password, you don't want to have to change your application, and vice versa.