I am creating a user app_root identified by a password with limited permission. This user should only be able to create a database with prefix, create a new user, and grant permission to new user to access the database. So this is what I am doing.
CREATE USER app_root@localhost IDENTIFIED BY 'password';
GRANT CREATE USER ON *.* TO app_root@localhost WITH GRANT OPTION;
GRANT CREATE ON `myapp\_%`.* TO app_root@localhost WITH GRANT OPTION;
FLUSH PRIVILEGES;
The user is duly created. Now I log in to mysql with app_root user and execute following:
CREATE DATABASE test;
It fails as expected because name of database does not contain myapp_ prefix.
CREATE DATABASE myapp_test;
CREATE USER myapp_test@localhost IDENTIFIED BY 'ABC';
Both database and user are successfully created. But if I execute grant statement, error occurs.
GRANT ALL PRIVILEGES ON myapp_test.* TO myapp_test@localhost;
It generates ERROR 1044 (42000): Access denied for user 'app_root'@'localhost' to database 'myapp_test'. Could anyone please tell me what is wrong with my approach?
MySQL Version - Server version: 5.5.37-0ubuntu0.14.04.1 (Ubuntu)
Edit - As suggested, I granted all privileges to app_root user. But it still does not change anything.
GRANT ALL ON `myapp\_%`.* TO app_root@localhost WITH GRANT OPTION;
FLUSH PRIVILEGES;
Related
I want to have a non-root MySQL user that can create other databases and users and grant those users access to the created databases. To do this, as root I first created a user
CREATE USER asusi_admin@localhost IDENTIFIED BY '123';
Then I grant the CREATE USER privilege to this user
GRANT CREATE USER ON *.* TO 'asusi_admin'@'localhost';
Then I grant all privileges to this user for every database he creates
GRANT ALL PRIVILEGES ON `asusi\_%`.* TO 'asusi_admin'@'localhost' WITH GRANT OPTION;
Now I'm flushing privileges
FLUSH PRIVILEGES;
Now I'm logging on to MySQL as newly created user asusi_admin and creating a new database
Now I'm creating a new database
CREATE DATABASE asusi_database;
Now I'm checking that I can use this database
USE asusi_database;
I can use this database, good
Now I'm creating a new user
CREATE USER 'asusi_user'@'localhost' IDENTIFIED BY '123';
Now I want to grant select privilege to the created user
GRANT select on `asusi_database`.* TO 'asusi_user'@'localhost';
And here I'm getting an error: 'Access denied for user 'asusi_admin'@'localhost' to database 'asusi_superdb'
Should I relogin as root and explicitly grant access to this database to a asusi_user
GRANT ALL PRIVILEGES ON `asusi_database`.* TO 'asusi_admin'@'localhost' WITH GRANT OPTION;
and then relog in as asusi_admin and run the command again
GRANT select on `asusi_database`.* TO 'asusi_user'@'localhost';
this time it gives me no error and user asusi_user can read database asusi_database. Apparently MySQL wants me to explicitly grant access to the user asusi_admin for every created database via the root account. But I don't want to use the root account. I thought that after executing this command
GRANT ALL PRIVILEGES ON `asusi\_%`.* TO 'asusi_admin'@'localhost' WITH GRANT OPTION;
user asusi_admin will be able to grant access to other users to every database that starts with the 'asusi_' prefix. Maybe I missed something, or is this behavior designed to be that way?
It seems this is a confirmed bug, that was not fixed yet https://bugs.mysql.com/bug.php?id=75097, so nothing you can do right now with it.
Oddly enough it seems my mysql will not allow creating a user with access to a specific database. Using MySQL Workbench:
CREATE USER 'testUser'@'localhost' IDENTIFIED BY 'thepasswordhere';
GRANT ALL PRIVILEGES ON testDatabaseName TO 'testUser'@'localhost' WITH GRANT OPTION;
SHOW GRANTS;
I see nothing mentioning granted privileges for the created user. This explains why I get mysqli::mysqli(): (28000/1045): Access denied for user 'testUser'
What step am I missing?? Update: Even when I mistype the username I still get a success with 0 rows affected: GRANT ALL PRIVILEGES ON testDatabaseName TO 'testkUser'@'%' WITH GRANT OPTION; so I think something's seriously wrong with my local mysql. Any ideas on a fix?
CREATE USER 'testUser'@'localhost' IDENTIFIED BY 'thepasswordhere';
GRANT ALL PRIVILEGES ON testDatabaseName.* TO 'testUser'@'localhost' WITH GRANT OPTION;
SELECT sql_grants FROM common_schema.sql_show_grants;
What changed? I simply added a .* after database name. It's necessary so the user has access to all tables inside the database.
Also for the latest mysql, I believe you need to put user password when using grant.
So do as follows:
CREATE USER 'testUser'@'localhost' IDENTIFIED BY 'thepasswordhere';
GRANT ALL PRIVILEGES ON testDatabaseName.* TO testUser@localhost IDENTIFIED BY 'pass' WITH GRANT OPTION;
FLUSH PRIVILEGES;
SELECT sql_grants FROM common_schema.sql_show_grants;
As mentioned by Michael in the question comments:
SHOW GRANTS FOR 'testUser'@'localhost';... otherwise, SHOW GRANTS;
shows your privileges -- the ones associated with the account that is
currently logged in.
grant select ON *.* TO 'username'@'%' with GRANT OPTION;
grant select ON *.* TO 'username'@'IPaddress' with GRANT OPTION;
All the above statements error out with the Error Code: 1044. Access denied for user 'user'@'IPAddress' to database
FYI I am logged in as a user with all the permissions -- 'GRANT ALL PRIVILEGES ON *.* '
With the current user I am able to perform all operations, but I want to add more users.
You need to be logged in with a user that has WITH GRANT OPTION as well, such as root@'localhost'. Otherwise, you can do everything else, BUT create new user and issue new grants/permissions.
GRANT OPTION Enable privileges to be granted to or removed from other accounts. Levels: Global, database, table, procedure.
You can read more here at dev.mysql.
I have foo_bar_test database existing on my mysql server on host 127.0.0.1.
But there's no user that can access it but root, and I don't want to use root user anywhere in my code. So I created new user, fb_test, and granted him privileges for this database:
create user fb_test@'127.0.0.1' identified by password 'some_password';
grant all on 'foo_bar_test.*' to fb_test@'127.0.0.1';
flush privileges;
Ok, that should work, but when I log in as this user, I don't have any database available!
What's wrong?
I checked it using show grants for fb_test@'127.0.0.1', but it shows some strange results:
grant usage on *.* to fb_test@'127.0.0.1' identified by password '*another_password_dont_know_which_one'
How do I solve this?
You have an error in the grant statement. Use the query:
grant all on 'foo_bar_test'.* to fb_test@'127.0.0.1';
In fact your grant command results in an error which I think you ignored.
I want to create a user that can access the MySQL server from any host.
I use
create user abc@10.10.131.17 identified by 'abc123'
and
grant all privileges mydb.* to 'abc'@'%';
But when I run the client, the error occurs:
"java.sql.SQLException: Access denied for user 'abc'@'10.10.0.7' (using password: YES)"
Help me, please!
help me,please!
One obvious guess would be that you didn't do FLUSH PRIVILEGES; after issuing GRANT statement.
Another obvious guess (not sure if typo in the question) is that the syntax of GRANT is GRANT ALL PRIVILEGES ON mydb.* TO 'abc'@'%';, with ON in it.
You have created a user allowing IP 10.10.131.17 and you are trying to connect to the MySQL server from IP 10.10.10.7, so it won't work.
To access the MySQL server you have to create a user allowing IP 10.10.10.7 or allowing all IPs using %.
CREATE USER `abc`@`10.10.10.7` IDENTIFIED BY 'abc123';
GRANT ALL PRIVILEGES ON mydb.* TO `abc`@`10.10.10.7`;
OR
CREATE USER `abc`@`%` IDENTIFIED BY 'abc123';
GRANT ALL PRIVILEGES ON mydb.* TO `abc`@`%`;
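An added example, not code from any of the posts above: a small Python model of the wildcard rules MySQL documents for database-level grant names (as in `myapp\_%` from the first question) and for account host values (as in the last answer), useful for checking what a pattern covers before granting on it. It assumes case-sensitive comparison and does not model how the server orders several matching accounts; the function names and the sample lists are constructed for illustration.

```python
import re

def mysql_pattern_to_regex(pattern):
    """Translate a grant pattern to a regex: % = any run, _ = any one char, \\ escapes."""
    out = []
    i = 0
    while i < len(pattern):
        ch = pattern[i]
        if ch == "\\" and i + 1 < len(pattern):
            out.append(re.escape(pattern[i + 1]))  # escaped wildcard is a literal
            i += 2
            continue
        if ch == "%":
            out.append(".*")
        elif ch == "_":
            out.append(".")
        else:
            out.append(re.escape(ch))
        i += 1
    return re.compile("".join(out), re.DOTALL)

def pattern_matches(pattern, value):
    """True if the whole value is covered by the pattern."""
    return mysql_pattern_to_regex(pattern).fullmatch(value) is not None

def covering_patterns(patterns, value):
    """Return the patterns (in input order) that cover the value."""
    return [p for p in patterns if pattern_matches(p, value)]

# Constructed sample data built from names that appear in the posts.
DB_PATTERNS = [r"myapp\_%", "myapp_%"]           # escaped vs unescaped underscore
DB_NAMES = ["myapp_test", "test", "myappXprod", "myapp_"]
HOST_PATTERNS = ["10.10.131.17", "10.10.10.7", "10.10.%", "%"]
CLIENTS = ["10.10.0.7", "10.10.10.7"]

def report():
    """Collect (kind, value, matching patterns) rows for the sample data."""
    rows = [("db", n, covering_patterns(DB_PATTERNS, n)) for n in DB_NAMES]
    rows += [("host", c, covering_patterns(HOST_PATTERNS, c)) for c in CLIENTS]
    return rows

if __name__ == "__main__":
    for kind, value, matched in report():
        print(f"{kind:4} {value:12} -> {matched}")
```

The unescaped `myapp_%` also covers `myappXprod`, which is why the grants in the first two questions escape the underscore.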