I am in the process of migrating my current production applications to Amazon Web Services Cloud.
I am migrating my MySQL database to MySQL RDS DB service for my production applications. In order to save cost, I am planning to use shared RDS db for some of the applications that are not that much critical.
I have certain queries:
If I create an RDS instance to be shared among 4 applications, than will there be any possibility that some other user of one database can n check out the other databases.
what are the security issues that I need to take care while doing this.
Can I create and grant admin rights (import/export/create) to other user using the user/password that I created while creating RDS DB.
Any lead is highly appreciated.
This entirely depends on your permissions granted and is completely
within your control.
If you're looking for complete separations between your applications, you just need to make sure you:
Create as many users as you have applications.
Create as many databases as you have applications.
Grant permission to each user only on the database corresponding to that particular application. You can do this by using your root account to issue a command in the console as follows -
GRANT ALL PRIVILEGES ON applicationdb1.* TO 'appuser1'#'%' WITH GRANT OPTION;
GRANT ALL PRIVILEGES ON applicationdb2.* TO 'appuser2'#'%' WITH GRANT OPTION;
GRANT ALL PRIVILEGES ON applicationdb3.* TO 'appuser3'#'%' WITH GRANT OPTION;
GRANT ALL PRIVILEGES ON applicationdb4.* TO 'appuser4'#'%' WITH GRANT OPTION;
This makes sure appuer1 can only access the tables in applicationdb1 and so on.
Lastly, as a root user, you can grant similar permissions to your individual users as you see fit.
Related
yesterday I deployed a MySQL database image from the Azure marketplace. It is this one issued by Microsoft. I can connect with the user I specified in the Azure portal and was able to create an additional user for testing purposes and grant it all privileges on two different databases. However, if try to do the same today I get the infamous Error Code: 1044. Access denied for user 'admin'#'%' to database 'mysql'. I have read that some MySQL versions on Azure do not support user privilege handling, but I was already able to do it with this image version. I even verified that the created user had access to the specified databases and inserting/selecting data from it was also working. I have tried setting up a fresh database with a new testuser to no avail, as i received the same error. This is basically what I did:
CREATE USER 'user'#'%' IDENTIFIED BY 'pw';
GRANT INSERT ON db.* TO 'user'#'%' IDENTIFIED BY 'pw';
FLUSH PRIVILEGES;
After the user was created I also checked with SHOW GRANTS FOR 'user'#'%' for the given permissions and they were there. The admin user specified in the Azure portal also has grant_priv privileges. Can someone please help me to understand why all of a sudden it is not possible for me to grant even simple privileges to newly created users? It should be possible as this Blogpost from an Microsoft employee suggests. Clearly I am missing something as such a basic feature should be included.
Still trying to figure out RDS on AWS. I setup an EC2 instance that I can SSH into. I then created an RDS instance of MariaDB. I can SSH into my EC2 and then use MySQL to connect to the RDS instance using the username/password I created when I setup the RDS instance. When I look at the users I see
'myusername'#'%'
'rdsadmin'#'localhost'
While logged in as 'myusername' to the mysql db, I create a new user with more limited hosts:
CREATE USER 'otheruser'#'nnn.nnn.nnn.nnn' IDENTIFIED BY 'good_password'
No problems so far. Now give 'otheruser' some permissions:
GRANT ALL PRIVILEGES ON mydatabase.* TO 'otheruser'#'nnn.nnn.nnn.nnn' IDENTIFIED BY 'same_password';
Seems to work. From my IP address I can use Navicat to connect as 'otheruser' to 'mydatabase' and can create tables, add data, drop tables, create indexes no problem. However, when I do this, all privileges show 'N':
SELECT * FROM mysql.user WHERE user = 'otheruser'\G
If I look in information_schema the only privilege is 'usage'
SELECT * FROM information_schema.user_privileges;
If, as my root user created during RDS setup I try to specify a specific privilege for 'otheruser' I get an access denied error.
So if all of the permissions are showing 'N', and information_scheme just shows 'usage', how is Navicat able to connect as that user and do pretty much everything?
What's the correct way of creating a restricted user on an RDS instance? It seems the user created during instance creation is slightly limited vs. the 'rdsadmin'#'localhost', but AFAIK there's now way to connect to the RDS from localhost?
The privileges in the mysql.user table are global privileges. They apply to all databases on the server, present and future. You didn't issue a statement that would grant any of those.
SELECT * FROM mysql.db; will show you where the navicat user's permissions you granted can be found.
You can GRANT ALL PRIVILEGES ON some_database.* in RDS, which grants only the database-level permissions for that one database.
...but you cannot GRANT ALL PRIVILEGES ON *.* because you, the master user, do not possess all global privileges. RDS doesn't give them to you. To do global grants, you have to grant specific privileges.
SHOW GRANTS FOR 'myusername#'%';
The privileges you see listed there are the only global (server-level) privileges you can grant.
Yes, the things you can do with the privileges provided by RDS are limited, presumably because it's a managed service... so they don't want you to be able to break anything that they would have to fix for you... which they would, because it's a managed service. That's one of the drawbacks of RDS. You trade some flexibility for ease of administration (point in time recovery, creation/monitoring/destruction of read replicas, backup snapshots, etc.).
rdsadmin#localhost is the account the RDS infrastructure uses to manage and monitor your instance. That's why it has all those privs. You're correct -- you can't log in from localhost. Only the RDS supervisory process can.
Hey I'm trying to grant my USER in mySQL the DBA role, because we are connecting to a AWS amazon server but no matter what we do, we can't grant that role to our user admin5 that's in the only user that we created. So please help because we need that privilege to create a Job that sends emails automatically at midnight.
This is how you can grant privileges to other users:
WITH GRANT OPTION clause gives the user the ability to give to other users any privileges the user has at the specified privilege level.
You can check if your user has this option by running show grants for 'youruser'#'yourhost';
The root user usually has these privileges by default. Try logging in with root and granting the permissions you need.
Also, presumably your cron that you are going to be running does not need to have DBA permissions. Here is a list of Mysql permissions and what they do. Select and execute privileges would probably be sufficient enough for what you need.
In MongoDB 2.4, i want a user can access to mongod instance from only allowed hosts as MySQL can handle.
In MySQL, as you know when giving rights to a user, you can specify this user from this host etc... like below;
GRANT ALL PRIVILEGES ON *.* TO 'monty'#'localhost' WITH GRANT OPTION;
But i couldn't find equivalent of this in MongoDB even i searched a lot at google.
Any ideas?
Thanks in advance.
Is it possible to have database level credentials for MySQL?
In our current system we have multiple databases in one database server, if we connect to the server using any tool we can see all databases in that server, to have more secure system.
Can we have credentials for each database.
You can't have credentials for databases. But you can have credentials for created users and grant/restrict access to any tables/databases according your policy.
create user
grant
priviledges
Yes, absolutely, you can set up access privileges on per-database basis. In fact, MySQL allows very fine-grained privileges down to table and even column level. E.g.:
-- Creates a user
GRANT USAGE ON *.* TO 'username'#'hostname' IDENTIFIED BY PASSWORD '*SOMEPASSWORD';
-- Gives the user access to a single database `database_name`
GRANT SELECT, INSERT, UPDATE, DELETE ON `database_name`.* TO 'username'#'hostname';
You probably want to read more about GRANT syntax and MySQL privileges.
Worth adding, that you are allowed to have usernames identical to database names.