I have an OpenShift app with a MySQL database that I configured an ODBC connection for, such that users can use Access as a read only front end to the tables. I created such a user, but they are able to update data from the Access front end and it is reflected in the database. Here's what I did:
I created a user named 'reports', to be given read only access to only one schema, 'reviews'.
GRANT SELECT ON reviews.* TO reports#'%' IDENTIFIED BY `password`;
When I run
SELECT * FROM mysql.user WHERE user = 'reports';
I get all N's and 0's. I understand there's no 'Y' for "Select_priv" because it's not a global select priv, only on one schema, so I figured it was okay.
When I run
SHOW GRANTS FOR 'reports'#'%';
I get
GRANT USAGE ON . TO 'reports'#'%' IDENTIFIED BY PASSWORD 'stringstringstring'
GRANT SELECT ON 'reviews'.* TO 'reports'#'%';
Which I expected.
SELECT * FROM db where User = 'reports';
|Host|Db |User |Select_priv|Insert_priv|Update_priv|...
|% |reviews|reports|Y |N |N |...
But when I go into Access, edit some data, then ssh into the database and view the database, the UPDATES are working.
I am using rhc port-forward -a applicationname before I connect in Access, and I use rhc ssh applicationname to view the MySQL from the server.
There is a bug in Access where if you feed it a Data Source, then try to change it, it won't actually let go of your initial Data Source even though it has appeared to. I had initially set my Access DB up with an All Privileges account, then changed the Data Source to a read only account, but it continued to use my All Access account behind the scenes. Deleting the Data Source using odbcad32.exe proved this, as I just got connection errors, even though it said I was connected via my valid Read Only account. I created a new Access DB using the Read Only data source from the beginning and it worked as expected.
Related
I have a request from a customer and I am quite sure the answer is no, but wondering if someone has a different answer.
Background
As you know MySQL installation create a database called "mysql" where it stores the databases we create and also the users.
In the user table, there is a field called "authentication_string" where the user password is saved.
Project
On this project each time a customer creates an account a new database user and database is created.
When a customer logs in through a web interface, the system calls an API to authenticate him/her. After that the root db user is used to connect to customer database, not their own database credentials, why? because they do not want to save user and password on database (this is a temp solution)
They want to change the application so after authentication/authorization process and they would somehow only needed root credentials to somehow get user and password from "mysql db" and then use them to create the connection using customer db credentials.
Is this possible? Or is there some mysql parent - children configuration where this scenario is possible?
Project uses MySQL 5.7
From what I can understand I think you could just use MySQL’s SET PASSWORD to set some random strong password for the user and then login using that. This way you would not store anything and it would still be pretty secure assuming your root db access is fairly isolated from the thing that’s trying to login as the user.
For example:
SET PASSWORD FOR some_user = <long-strong-randomly-generated-password-string>
Afterwards you return this <long-strong-randomly-generated-password-string> from your access-providing process and then the user process can login using that. In this case it would stay valid until the next SET PASSWORD, so keep that in mind, but depending on your use-case that might be ok.
Deployed a new version of our app on heroku and migrated over database from previous free jawsdb instance. However now every time user signs up gives
(Mysql2::Error: INSERT command denied to user <username for instance
what have i missed
migrated using a dump and re-import using mysql command line. eye balled exported data and it seems to be there (user emails etc)
all config vars look ok (DATABASE_URL is mysql2...)
i can login to the database via the url
I have not had to grant access or anything like that before, anyone come across this?
thanks
Ben
My guess is they disabled your INSERT grant because you have reached your max Storage Capacity for your plan.
To validate this is a permissions problem, log into a MySQL prompt with the user the app is running as, and enter this query:
SHOW GRANTS;
It probably list many, but no INSERT.
See this link. As explained in given link, jawsdb preliminary plan does not give you permission to add a new database. You are provided with one schema with some random name and you have to work with that only.
Check your migration
e.g. Make sure the database name matches.
For me, I got the same error as OP when trying to migrate my data. This was a fresh account with only a 50kb'ish database; nowhere close to the free-plan 5mb limit.
In my SQL export statement, my local database name is being used, however the remote MySQL (ie JawsDB) service auto-generates a db name, which will obviously not be the same. Simply used find-replace to change the database name to match remote; everything works.
I try to execute query in phpmyadmin and get error:
#1142 - SELECT command denied to user 'cpses_tkdpmnyjWW'#'localhost' for table 'user'
So, user cpses_tkdpmnyjWW'#'localhost is created dynamically and I can not set privileges for this user.
How to fix this?
Use SHOW GRANTS to show your current user privileges. It sounds as though the output may be similar to:
GRANT USAGE ON *.* TO 'Unnamed'#'localhost'
This would mean the account could sign into the server but do little else. This page gives a more detailed breakdown, as you'll see there are quite a few permutations.
The solution is you need to either find an account with more privileges or create/update one.
If the above is not an option, one quick trick I may try is connecting to '127.0.0.1' instead of 'localhost'. In MySQL the source of the connection can form part of the username so it's plausible that connecting on an IP instead of socket if you are on Unix flavoured OS.
Additionally, if you have admin/root access to the server, it is possible to create users when MySQL starts which is very useful in some scenarios.
I am using MySQL workbench 6.2.3. I want limit user access to an individual database.When one trying to open a database after getting in a connection, he/she should enter user name and password. Is there any provision to grant access to a database after entering valid username and password?
There's no way to require an additional password for a user once he logged in. Control access via the normal MySQL login. The user name used for that can be configured to have only access to the objects you want. The used user name decides what is allowed and what is not.
For commercial MySQL editions you can also use the new MySQL Firewall, which allows only a set of previously learned queries to be run by a given user. It's not a second login, but you can fine tune access levels for a given user.
I am not sure if this is what you are trying to achieve but you can do the following to grant a user the access to a single database and all its tables.
You login as root with "mysql -u root"
Then execute : GRANT ALL PRIVILEGES ON SpecificUserDB.* To 'TheUser'#'yourserver' IDENTIFIED BY 'secretpwd';
Hope this helps.
Say you created a blog application, and it's data is stored in a MySQL database. In your application configuration you set the data source name to myBlog user root password whatever
Now, when users start using your blog to access, post to, and comment on threads, etc... I am assuming they connect as root through the application myblog ...
So... users connect to the application myBlog who in turn connects to MySQL as user root , using password whatever --- it's not really the users that are connecting to MySQL, it's the application. Correct?
Is there not a security issue with this approach? Should I create a new username in MySQL for the application myBlog with specific privileges and leave root only for administering the database?
yes, the application connects to the db. you should create a new mysql user for your application, do something like
CREATE DATABASE myblog_env;
CREATE USER 'myblogenv-user'#'%' IDENTIFIED BY 'your pw';
GRANT ALL PRIVILEGES ON myblog_env.* TO 'myblogenv-user'#'%' WITH GRANT OPTION;
something like the above should do it. The 'env' part of the above is for if you want to create a new db for difference environments, like dev, stage, prod, whatever....
this way your application user has complete access to its db, but no other dbs in the mysql instance.
First of all, you should NEVER use the root account of a mysql database for anything else then admin work.
Second of all, in theory yes the user of your blog would be the "root" in your mysql database, but hopefully there is a lot of sanatizing and cleaning up in your blogs code before any queries are executed...anything else would be know as an "sql inject"
You are exactly right. This is called the principle of least privilege. You should give the application the minimum access rights that it needs to complete the job. This would not be root.
The short answer is: Yes.
Long answer:
Security: You should have a different user for your application than you do for yourself as the administator. That application user should only have read (and write if necessary) privileges on the specific database it needs to access. Also, it should not have privilege-granting privileges, nor drop table privileges, nor database creation/dropping privileges, nor anything else that is reserved for you.
Convenience: If you ever need to change your password, you don't want to have to change your application, and vice versa.