mysql create database and user from non root user - mysql

I have a non root user in mysql database. It has grant, create, create user permissions. I need to create a new database and user using that account. Then i need to grant basic usage permissions to newly created user on the newly created database..
I was able to create a new database and user using the non root user. Now when it comes to granting permission for newly created user on newly created database using the non root user i get permission denied for non-root user on newly created user... Any workaround?
Included from OP's comments:
Executing:
SHOW GRANTS FOR 'non_root_account_name'#'his_host'
Resulted the following:
GRANT CREATE, INDEX, ALTER, CREATE USER
ON *.*
TO 'non_root_account_name'#'localhost'
IDENTIFIED BY PASSWORD 'password'
WITH GRANT OPTION
GRANT SELECT, INSERT, UPDATE, DELETE, CREATE,
DROP, INDEX, ALTER, CREATE TEMPORARY TABLES, SHOW VIEW
ON non_root_account_name.*
TO 'non_root_account_name'#'localhost'
WITH GRANT OPTION`
GRANT SELECT
ON mysql`.*
TO 'non_root_account_name'#'localhost'`

As per documentation on GRANT privileges :
To use GRANT, you must have the GRANT OPTION privilege, and you must have the privileges that you are granting.
Meaning, your account to grant privileges to other users, it should have a GRANT OPTION privilege.
Connect as root and re-execute grant on your account to grant the above privilege.
Example:
GRANT
-- list of privileges here
-- to your account name # host
WITH GRANT OPTION

Related

mysql: database specific user permission delegation with grant option and wildcard

I want to have a non-root mysql user that can create another databases and users and grant access to that users to created databases. To do this as root I firstly created a user
CREATE USER asusi_admin#localhost IDENTIFIED BY '123';
Then I grant create user PRIVILEGE to this user
GRANT CREATE USER ON *.* TO 'asusi_admin'#localhost';
Then I grant all privileges to this user for the every database he creates
GRANT ALL PRIVILEGES ON `asusi\_%`.* TO 'asusi_admin'#'localhost WITH GRANT OPTION;
Now I'm flushing privileges
FLUSH PRIVILEGES;
Now I'm logging on to MySQL as newly created user asusi_admin and creating a new database
Now I'm creating a new database
CREATE DATABASE asusi_database;
Now I'm checking that I can use this database
USE asusi_database;
I can use this database, good
Now I'm creating a new user
CREATE USER 'asusi_user'#'localhost' IDENTIFIED '123';
Now I want to grant select privilege to the created user
GRANT select on `asusi_database`.* 'asusi_user'#'localhost'
And here I'm getting an error: 'Access denied for user 'asusi_admin'#'localhost' to database 'asusi_superdb'
Should I relogin as root and explicitly grant access to this database to a asusi_user
GRANT ALL PRIVILEGES ON `asusi_database`.* TO 'asusi_admin'#'localhost WITH GRANT OPTION;
and then relog in as asusi_admin and run the command again
GRANT select on `asusi_database`.* 'asusi_user'#'localhost'
this time it gives me no error and user asusi_user can read database asusi_database. Apparently MySQL wants me to explicitly grant access to the user asusi_admin for the every created database via root account. But I don't want to use the root account. I thought that after executing this command
GRANT ALL PRIVILEGES ON `asusi\_%`.* TO 'asusi_admin'#'localhost WITH GRANT OPTION;
user asusi_admin will be able to grant access to other users to the ecery database that stats with 'asusi_' prefix. May be I missed something or this behavior is designed to be that way?
It seems this is a confirmed bug, that was not fixed yet https://bugs.mysql.com/bug.php?id=75097, so nothing you can do right now with it.

Mysql Revoke permission for root user

I need to revoke permission for root user in mySql. root user should not be able to create and drop tables in the database.
I checked revoke command but somehow it is not working for root user. If I create a new user and revoke permission, it works, what am I missing for root user or we can't revoke permission for 'root'?
SHOW GRANTS FOR root#localhost;
--Displays
GRANT RELOAD, SHUTDOWN, PROCESS, FILE, SHOW DATABASES, SUPER, REPLICATION SLAVE, REPLICATION CLIENT, CREATE USER, CREATE TABLESPACE ON *.* TO 'root'#'localhost' IDENTIFIED BY PASSWORD '*7BB96B4D3E986612D96E53E62DBE9A38AAA40A5A'
GRANT INSERT, UPDATE, DELETE, CREATE, DROP, REFERENCES, INDEX, ALTER, CREATE TEMPORARY TABLES, LOCK TABLES, EXECUTE, CREATE VIEW, SHOW VIEW, CREATE ROUTINE, ALTER ROUTINE, EVENT, TRIGGER ON `%`.* TO 'root'#'localhost' WITH GRANT OPTION
GRANT PROXY ON ''#'' TO 'root'#'localhost' WITH GRANT OPTION
Then
REVOKE all on myDb.* from root#'%';
FLUSH PRIVILEGES;
Access denied for user 'root'#'localhost' to database 'myDb'
I think, you don't want to do that. Root user is made that way to have all the privileges of all CRUD operations and creating new users and giving them privileges.
If your motive is to limit the access, make different users depending upon your need. For eg: you may only want to a user to read the records. That's a safe option because you may use that user only for reading purpose. OR just for read, write and edit privileges.
Edit:
If you still want to do this, check this answers How can I restore the MySQL root user’s full privileges? . It might help you.

MySQL create new user revoke access to certain DB's

So I did created a new user, granted all privilages, and flushed the privilages.
The newly created user can also see the information_schema, mysql, performance_schema and sys databases. However, I don't want the user to access those 4. I just want him to have CREATE/DROP/DELETE/INSERT/SELECT (All the required ones), etc permissions on newly created databases.
I did the following:
CREATE USER 'newuser'#'localhost' IDENTIFIED BY 'password';
GRANT ALL PRIVILEGES ON * . * TO 'newuser'#'localhost';
FLUSH PRIVILEGES;
Run REVOKE for the given databases:
REVOKE ALL PRIVILEGES ON mysql.* FROM 'newuser'#'localhost';
I would skip the information_schema revoke. You can see if the user still works without it, but I somehow doubt that.
Privileges: Privileges defines the access rights provided to a user on a database object. There are two types of privileges.
1) System privileges allows the user to CREATE, ALTER, or DROP database objects.
2) Object privileges allows the user to EXECUTE, SELECT, INSERT, UPDATE, or DELETE data from database objects to which the privileges apply.
You need to revoke the privilege here you want to remove .Below is the syntax
REVOKE privilege_name
ON object_name
FROM {user_name |PUBLIC |role_name}

Grant privileges to user in MySQL

From the control panel of my website I have created a new MySQL(5) database Test and a new user admin with password 123. I have tried assigning privileges to the user admin using:
GRANT ALL PRIVILEGES ON *.* TO 'admin'#'localhost'
or
GRANT ALL PRIVILEGES ON *.* TO 'admin'#'Test'
I keep getting the following error:
#1045 - Access denied for user 'admin'#'%' (using password: YES)
I need the following privileges for the user admin:
CREATE, ALTER, DELETE, INSERT, SELECT, UPDATE, LOCK TABLES
How do I make that in a query from phpMyAdmin?
I guess you are trying to change privileges of 'admin'#''%' being logged in as that user. This is strange.
You can display which user you are logged in as using
SELECT USER();
Then check grants that account already has:
SHOW GRANTS FOR 'admin'#''%';
We came to the conclusion you have
GRANT ALL PRIVILEGES ON `Test`.* TO 'admin'#'%'
That says you already have all privileges on all tables in database Test. You cannot further grant those privileges to other users, though (otherwise there would be WITH GRANT OPTION).
During the installation of MySQL, root user is always created. Use it to grant privileges to other accounts.
More info in manual:
2.10.2. Securing the Initial MySQL Accounts
6.3.2. Adding User Accounts
After run these statements try to execute FLUSH:
FLUSH PRIVILEGES;
From MYSQL Reference Manual :
(...) If you change the grant tables directly but forget to reload them, your changes have no effect until you restart the server. This may leave you wondering why your changes do not seem to make any difference!
To tell the server to reload the grant tables, perform a flush-privileges operation. (...)
Login as a root user then grant all privileges to admin user.
GRANT ALL PRIVILEGES ON `test`.* TO 'admin'#'localhost';

Limited Grant Permissions On Mysql

How does one create a privileged user in MySQL( not root ) for the sole purpose of creating other users?
However, this user can only grant access to one database at a time.
Is it possible to give limited GRANT permissions to a user?
yes you can create mysql user and grant limited permissions using phpmyadmin
interface and also by command
use following command for creating user and grant permissions
CREATE USER 'monty'#'localhost' IDENTIFIED BY 'some_pass';
GRANT SELECT ON database.* TO 'user'#'localhost';
you can further explore on
http://dev.mysql.com/doc/refman/5.1/en/adding-users.html
http://dev.mysql.com/doc/refman/5.1/en/grant.html