Creating MySQL users and granting privileges - unable to connect to server - mysql

I've just tried to create a bunch of users for a (currently local) database but I'm having issues connecting to the database and not too sure what I'm doing wrong.
The users exist after creation but I can't connect to the database with their credentials while using Workbench for connection testing.
I've created my users and then granted them permission straight after as so:
CREATE USER 'username'#'%' IDENTIFIED BY 'password';
GRANT ALL ON DATABASE.* TO 'username'#'%';
If I run SELECT * FROM mysql.user; to see the users, I can see that the users are there.
I've tried flushing privileges but it doesn't seem to make any difference.
When trying to connect to the server via Workbench as one of the users I've created I get re-prompted for my password. It then seems to either hang or tell me the password is wrong.
This is initially local for development purposes but I'll be setting this up on a server once I've got this working. Could this be down to it being ran locally?

As mentioned in the MySQL documentation for adding users, when connecting locally a user must be created #'localhost' as well as to wildcard locations:
Two of the accounts have a user name of monty and a password of
some_pass. Both accounts are superuser accounts with full privileges
to do anything. The 'monty'#'localhost' account can be used only when
connecting from the local host. The 'monty'#'%' account uses the '%'
wildcard for the host part, so it can be used to connect from any
host.
It is necessary to have both accounts for monty to be able to connect
from anywhere as monty. Without the localhost account, the
anonymous-user account for localhost that is created by
mysql_install_db would take precedence when monty connects from the
local host. As a result, monty would be treated as an anonymous user.
The reason for this is that the anonymous-user account has a more
specific Host column value than the 'monty'#'%' account and thus comes
earlier in the user table sort order. (user table sorting is discussed
in Section 6.2.4, “Access Control, Stage 1: Connection Verification”.)
With a user only being denoted with a host name of '%' to allow for connection anywhere MySQL will instead use the anonymous <anonymous>''#'localhost' account because it will attempt to match the localhost location first and then not find the related user name for localhost and so use the <anonymous> user instead.
Alternatively, the anonymous user can be deleted and this should also fix the problem rather than having to duplicate users.

Related

How to restrict the root MySQL system user to a single host in GCP Cloud SQL?

I am logged into MySQL with a user with full admin privileges, and wish to update the root user to only allow login via localhost.
Currently, the root user has full privileges via 'root'#'%', and I'd like to change that to 'root'#'localhost'. I've tested this out on a local mysql install and it worked fine. However, in GCP Cloud SQL I'm unable to do so.
Running:
RENAME USER 'root'#'%' TO 'root'#'localhost';
Yields the error:
ERROR 1221 (HY000): Incorrect usage of RENAME and SYSTEM USER
Is there any way to achieve what I want to do in locking down where the root user can login from? I would like to avoid any MySQL downtime if possible. I am using MySQL 5.7.
As per the document, because Cloud SQL is a managed service, it restricts access to certain system procedures and tables that require advanced privileges and that includes restricting the hostname for the default root user account.
What I can suggest is that you create another MySQL user on cloud console. That user have the same privileges as the root user plus you'll be able to restrict the hostname or limit the privileges for this user. In a way you can say that Cloud SQL encourages you to create separate user accounts for different purposes because the root user is a very common target for unauthorized access.

Is there another safer solution for accessing remotely to sql server than 'username'#'%'?

I am trying to access mysql server in office remotely from home by mysql workbench.
I already solved to connect remotely. I created an user by:
mysql> CREATE USER 'myusername'#'%' IDENTIFIED BY 'some_pass';
And, with this user, I can access the database remotely. But, I don't think it's safe. #'%' means that all hosts can access once they find out 'myusername' and 'some_pass'.
Instead of that, I would like to get it done by an user whose IP is specified. (after removing the user above), I created the user below by:
mysql> CREATE USER 'myusername'#'123.456.789.012' IDENTIFIED BY 'some_pass';
'123.456.789.012' here is the IP address of my home computer.(the number is dummy, though.). With user like this, it allows only the specified host to access. I think it is safer. But, I have already tried this and didn't work. I got the error below on mysql workbench on home computer when trying to connect remotely (by test connection from mysql workbench):
Failed to Connect to MySQL at XXX.XX.XX.XXX:3306 with user myname
Host 'XXX-XXX-XXX-XX-XX.abc.defg.hi.jk' is not allowed to connect to this MySQL server
I don't know why this error pops up.
and also, I tried the user with IP addresses like '123.456.789.%' or '%.456.789.012' which got the same error.
Is there another way to accomplish remote connection safer?

phpmyadmin share specific DB with more machines

I'm doing a web project and im using wamppserver to take care of the server and database. And now I'm facing a problem, I have to share the project. So it would be useful if i could share the specific DB that I use in the project, so that other people can access from their machines and get all the data previously stored in the DB. Is it possible to do it? How?
If you need to grant access to other machines to one database on local mysql server, you need to do some things:
You need to open MySQL to network interface: Check my.cnf, and do this:
Comment the line skip-networking.
Change the line bind-address to hold your LAN IP address / WAN IP address (if the machine itself have the WAN IP) / 0.0.0.0 (for all IPv4 addresses of the machine) / :: (for all IPv4 and IPv6 addresses of the machine). After reconfigure, restart MySQL server.
Check / configure your firewall for port 3306 opened (You can configure firewall for accept connections only from the required IPs) (Configuration for doing this will depend on your firewall software).
Grant access to the user(s) from the IPs you will need.
You can give access to one user from all IPs, for doing this, execute command [1] on MySQL cli or phpmyadmin, with a user with SUPER privileges (usually root).
You can give access to one user from one IP. Execute command [2].
[1]: GRANT ALL PRIVILEGES ON database.* TO 'user'#'%' IDENTIFIED BY 'password';
[2]: GRANT ALL PRIVILEGES ON database.* TO 'user'#'host' IDENTIFIED BY 'password';
You need to replace database with the name of the database to give privileges, user with the username accessing, host with the IP address of the client accessing, and password, with the desired password.
You can also, repeat command [2] if you want the same username to have access from two different IPs for example. Also, you can use a combination of [1] and [2], using a host with this example format: #'192.168.0.%', for giving access to these user from all computers on the 192.168.0.0/24 network.
Also, you can give really fine privileges, for example, changing GRANT ALL PRIVILEGES with GRANT SELECT, INSERT, these user only can do SELECT and INSERT statements, but not UPDATE or DELETE ones for example. You can check MySQL doc or StackOverflow for more info about this.

Can't connect remotely without bind-address, can't connect locally with it

I'm having an issue with mysql. I am trying to allow remote access. I found that if I write in my.cnf:
bind-address=my.ip.address
It works remotely, but using a php script that tries to access the database using the same ip doesn't work anymore!
If I remove this line, I can connect locally, but not remotely.
I tried setting it to 0.0.0.0, which has the same effect as if it were not there at all.
I saw that you can't bind to multiple addresses unfortunately. Any way to resolve?
MYSQL User accounts have 2 parts
The userid
The domain from which they can connect to this MYSQL Server instance
EG 'root'#'localhost'
So you need to create a new user account, you dont want to give access to the root id externally, and make this new userid allowed to connect from either a specific ip address (more secure) or any ip address
From the command line mysql.exe processor you woudl do this
CREATE USER 'somone'#'11.22.33.44' IDENTIFIED BY 'mypass';
for a specific ip address
Or
CREATE USER 'somone'#'%' IDENTIFIED BY 'mypass';
To allow access from any ip adddress in the universe, so better make the password a good strong one
Then you allocate privilages to one or more databases to this new account
GRANT SELECT,INSERT,UPDATE,DELETE,CREATE,DROP
ON database_name.*
TO 'someone'#'%';
References
CREATE USER http://dev.mysql.com/doc/refman/5.7/en/create-user.html
Grant http://dev.mysql.com/doc/refman/5.7/en/adding-users.html

Create a user on mysql database at RDS

I tried to create a user to grant access to a database hosted at amazon RDS, the user was created, but I can't access to the database that it has allowed to manage, here's the code I used:
GRANT ALL PRIVILEGES ON my_db.* TO 'admin'#'my.rds.domain' IDENTIFIED BY
'xxxyyyzzz';
FLUSH PRIVILEGES ;
I ran that from my mysql client — DataGrid– also, I verified that the user was created using:
SELECT * FROM mysql.user;
And effectively, the user is listed.
Is there any special configuration I have to make at RDS console, or what?
In the GRANT command, 'admin'#'my.rds.domain' means that admin user connecting from my.rds.domain host is granted all privileges on my_db's all objects.
If this admin user attempts to log on from hostname abc.microsoft.com, no access will be given. If the hostname is not understood by MySQL server, it uses IP to form a user#hostname (e.g. 'admin'#'88.99.11.22'). If that entry is not in mysql.users table access will be denied.
If we use 'admin'#'%', it means that admin user logging in from any system is granted the rights. So when you changed hostname to %, access was granted. For better security, if you know that the user is going to log on from a particular IP or hostname only, it would be best to do like you did ('admin'#'hostname').