Is there a way to create a user in MySQL that have login access but no databases, but it allows the user to create a new database to a limit of 5 or what ever I decide.
So basically what I want is to give a user access to create his own databases, but I dont want him to see other databases, also he should be limited to create only 5 databases
There is no notion of "Database Owner" or "Database Creator" in MySQL, therefore there is no way to limit the number of databases created by a user.
Note: it is possible to put some restrictions at account-level, but not the ones you are looking for. You will need a third-party management tool for this.
Related
Let's say we have a public DNA database running on mysql. Database contains only complete data. In this scenario, some special users want to add experimental data to the database, which may not be complete or they don't want it to be visible to everyone. Instead they want the experimental data to only be visible to users with correct privileges. What approach would you take to achieve this?
Presumably these datasets are large, and performance is important. That means the privilege system should be as coarse as possible.
If I were doing this, I'd create a "public" database, and use the MySQL GRANT command to allow guest users to SELECT on that database.
For example:
CREATE USER 'guest'#'%' IDENTIFIED BY 'changethispassword';
GRANT SELECT ON public.* TO 'guest'#'%';
Then, for the nonpublic datasets, I'd put them into other databases, and be more selective about the users GRANTed privileges. For example, these GRANTs give two different users access to private information and the public information.
CREATE USER 'venter'#'%' IDENTIFIED BY 'changethispassword';
GRANT SELECT ON public.* TO 'venter'#'%';
GRANT SELECT ON celera.* TO 'venter'#'%';
CREATE USER 'collins'#'%' IDENTIFIED BY 'changethispassword';
GRANT SELECT ON public.* TO 'collins'#'%';
GRANT SELECT ON hgp.* TO 'collins'#'%';
A user who has SELECT privileges on, let us say, the public database and the celera database, can issue queries like this allowing seamless (if not optimally performing) merging of private and public data.
SELECT whatever
FROM public.AGCT
UNION ALL
SELECT whatever
FROM celera.AGCT
Of course, it has to make scientific sense to take the union of these datasets. That may or may not be the case.
Don't be alarmed at the idea of creating multiple databases. They really are nothing more complex than directories in a computer file system. A single server can deliver dozens of them without any problems.
MySQL is definitely up to this kinds of security. Hosting providers run multi-tenant servers routinely.
I would consider MariaDB (a MySQL-compatible database written by MySQL's founder) over MySQL, as it supports roles.
Neither of them support Row Security like Oracle does, but you can mimic it by adding an "owner" column with the name of the role that can select/update the row.
Add a WITH CHECK OPTION view that checks that the current_user is in the role specified in that column.
Add a trigger to set owner value properly.
update: If you can't alter the table but can add new ones, add a new one w same key as original, and add owner column, and join the tables in your view.
See
http://www.sqlmaestro.com/resources/all/row_level_security_mysql/
I have a web application which takes sql queries and produces the output in the form of a report. I don't want the user to MODIFY the existing database any way. To do this I decided to block all the CREATE,ALTER,DELETE,DROP commands at the web application level by just looking at the first word of the supplied query. This would stop the user from altering the existing schema or the instance of the database.
Recently I discovered that Microsoft SQL Server has the command SELECT * INTO NEW_TABLE FROM OLD_TABLE which allows us to create a copy of the the existing table. Are there any more commands of this kind which would allow us to modify the schema or instance of the existing DB by passing the web application filter ?
Any better ways to block the commands according to my requirements are also welcomed but I do not wish to take away the freedom of creating report using SQL queries at the cost of security.
Why Cannot I use Grant
I see that grant is one good option that I see from the comment as well as the answers but I will not be able to use them because the user supplies the DB details which I use to create the report along with the username and password. It is for the DB's table the user points to that I create the report
You can generate the reports from results of a query performed by a user with only read permissions. This implies management of the database connection to allow other parts of the application to manipulates the data ( you will need to connect as different users).
CREATE USER 'foouser'#'localhost' IDENTIFIED BY 'barpass';
GRANT SELECT ON db.table TO 'foouser'#'localhost';
Even if you use "SELECT * INTO NEW_TABLE FROM OLD_TABLE" you have to create the new_table first using create statement then you can use that statement.
I would like to understand how hard this is to implement.
In unix, there are unix groups where certain people with a group can access certain folders and files.
I would like to apply the same concept into MYSQL where people could only access, view certain tables or even same tables but different rows ...
How can I achieve this? Would I have to use a different database system?
Gordon
This is a very common and simple approach. You can create users and specify which databases/tables they can access and what type of operations they can execute. See the mysql documentation on this
For instance:
--create the user
CREATE USER 'gordon'#'localhost' IDENTIFIED BY 'yourpassword';
--specify table and specific operations for that user
GRANT SELECT,UPDATE,DELETE,INSERT ON database.table TO 'gordon'#'localhost';
I am trying to create a separate set of privileges for a database that contains both "read only" tables and "read write" tables. To be more specific, the database contains 10 tables that I want the user to only read from (i.e. select only). It also contains around 30 tables which the user is free to read and write to and from. Lastly, I would also like the user to be able to create/drop/alter tables created by him thus granting him full access to his own tables under the same database.
Is something like this possible? I have tried to think of the ways I can use GRANT but my head is getting stuck.
Thanks
What you want is possible except I'm not sure about the last sentence. I don't think mySQL tables have "owners" as such, but you can limit access to tables with certain prefixes. Maybe that is a way to go.
Obligatory manual reference: 12.4.1.3. GRANT Syntax
I recommend using a GUI like HeidiSQL (for Windows) to point-and-click the required privilege rules. It produces proper SQL to look at and learn from as well. Here is a screen shot of its excellent user manager.
I have a MySQL user added to a database that I would like to prevent from viewing certain tables.
I can limit their privileges through MySQL by preventing them from running statements like DROP or ALTER. But is it possible to prevent them from viewing certain tables in phpMyAdmin?
If there isn't a MySQL privilege that controls this (I wouldn't imagine there would be), is there a configuration in phpMyAdmin that allows this?
I understand one workaround here is to move the tables to a new database that they're not added to. This isn't an option for my application.
Yes, you can hide a particular database in phpmyadmin.
In order to do that, just open config.inc.php in your phpmyadmin directory in your webserver root or where it is placed. or search for config.inc.php
if you want to hide information_schema and mysql add this line after:
$cfg['Servers'][$i]['extension'] = 'mysql';
$cfg['Servers'][$i]['hide_db'] = '^information_schema|mysql$';
This is It.
You could move the tables to another database and then restrict the user account to only access the 1 database with the public tables. Trying to modify phpmyadmin would be a massive mistake, the user could just write a custom query to access the tables, thats a dead simple hack.
This has to be done on the database side or there is absolutely no point. SE-Postgresql is the only project i know of that allows for table by table permissions. This is the only database that can do this because very few people need this feature.
phpMyAdmin connects to the database as a certain MySQL user. If that user does not have any permissions on the given tables no phpMyAdmin user can access that. That would hold for all mypMyAdmin users of course.