I want to code an application which, when it runs for the first time on a user's machine, will create a new database, then create a new user and grant it access to the database.
I can manage that, but I want only that user and no other to be able to access the database.
So, just in case the existing installation has superuser where root has access to everything, I would like to revoke for all but the newly created user.
How do I do that?
I am guessing something like
REVOKE ALL PRIVILEGES, GRANT OPTION FROM mysql.user WHERE user<>[single user name] but can't seem to get it right.
I guess that I have to FLUSH PRIVILEGES afterwards?
You can ONLY give privileges to access database for your user - using GRANT command.
All other users, except root users, should not have such privileges.
Do you need to run FLUSH PRIVILEGES after GRANT/REVORE? No, you do not need. That is all)
Related
I had no problems making a test MySQL server and applying permissions a week ago with their MySQL 5.7, but trying out the new 8.0 version, I can't seem to alter permissions as easily, if at all. I'm logged in as root remotely, but a local cloud shell instance does the same.
I'm trying to create a new user that only has access to one database, but I can't seem to get past the part where I revoke all default permissions first.
My method:
CREATE USER 'test_user'#'%' IDENTIFIED BY '{password}';
Gives no error. (I've also tried creating a user through GCP's admin panel)
SHOW GRANTS FOR 'test_user'#'%'; returns GRANT USAGE ON *.* TO `test_user`#`%` (I assume this means the new user has full permissions?)
Then, trying to remove all privileges to start fresh with the user,
REVOKE ALL PRIVILEGES, GRANT OPTION FROM 'test_user'#'%';
shows:
Error: UNKNOWN_CODE_PLEASE_REPORT: Access denied for AuthId `root`#`%` to database 'mysql'.
I'm pretty new to Mysql, so I'm unsure if this is my fault or just a bug. Thank you!
First, I would like to point out that GRANT USAGE ON *.* TO test_user#% means the inverse, it means that the user has no privileges ! ( more info: Mysql Reference )
Secondly, I think that's what causing the error is the ALL PRIVILEGES keyword, it may have been removed in v8.0, so just go straight after user creation and grant him the privileges that you want on a table/database.
I am trying to grant privileges to another user using phpmyadmin, I have access to the root user (cl43-flexfit) and have tried querying the following
GRANT ALL PRIVILEGES ON `cl43-flexfit`.* TO 'supuser'#'localhost';
But receive a response of:
Access denied for user 'cl43-flexfit'#'%' to database 'cl43-flexfit'
Although I use that database with the cl43-flexfit user frequently.
I have also looked at what the root users privileges are using SHOW GRANT
and was shown these:
GRANT USAGE ON *.* TO 'cl43-flexfit'#'%' IDENTIFIED BY PASSWORD 'password'
GRANT SELECT, INSERT, UPDATE, DELETE, CREATE, DROP, INDEX, ALTER, CREATE TEMPORARY TABLES, LOCK TABLES, EXECUTE, CREATE VIEW, SHOW VIEW, CREATE ROUTINE, ALTER ROUTINE, TRIGGER ON `cl43-flexfit`.* TO 'cl43-flexfit'#'%' WITH GRANT OPTION
and even when I try to add permissions to the user for every database (replacing cl43-flexfit.* with * .*) I get an error saying I do not have permission
Access denied for user 'cl43-flexfit'#'%' (using password: YES)
I have been in contact with my hosting service and they have said that everything is correct on their end.
I also do not have access to the privileges tab in PHPMyAdmin and therefore can not use the GUI, it must be done through written commands.
Thanks in advance and apologise if I have a lack of understanding
You cannot GRANT ALL unless you also hold all privileges, along with GRANT OPTION, which you do not.
You have to grant explictly, and list only the permissions that you have (and want to grant).
You can't grant anything ON *.* unless you globally hold the privilege you are trying to grant, on all objects, plus GRANT OPTION. Again, you don't have this.
USAGE means only that you are allowed to log in to the server, nothing more. This is a special case of ON *.* carrying no significant meaning, because merely logging into the server is associated with no particular object.
The hosting service is correct.
If you have other users, you can make only explicit grants of listed permissions, using the format shown in your own SHOW GRANTS output.
GRANT SELECT, INSERT, [more...], TRIGGER ON `cl43-flexfit`.* TO 'my-other-existing-user'#'%';
Hey I'm trying to grant my USER in mySQL the DBA role, because we are connecting to a AWS amazon server but no matter what we do, we can't grant that role to our user admin5 that's in the only user that we created. So please help because we need that privilege to create a Job that sends emails automatically at midnight.
This is how you can grant privileges to other users:
WITH GRANT OPTION clause gives the user the ability to give to other users any privileges the user has at the specified privilege level.
You can check if your user has this option by running show grants for 'youruser'#'yourhost';
The root user usually has these privileges by default. Try logging in with root and granting the permissions you need.
Also, presumably your cron that you are going to be running does not need to have DBA permissions. Here is a list of Mysql permissions and what they do. Select and execute privileges would probably be sufficient enough for what you need.
I have four websites, each of which were being accessed with a singular username/password which had privileges on all of the databases.
However, for security reasons, I've finally set up a new user for each site, with each user only having access to the necessary database. Here is the code that I used to create the user and grant privileges for one particular database -
CREATE USER 'wedding1'#'localhost' IDENTIFIED BY 'somepass';
GRANT ALL PRIVILEGES ON wedding1.localhost TO 'wedding1'#'localhost';
However, when I log in to PHPMyAdmin using the credentials for the user I just created, the database is shown as expected but none of the tables are listed.
No entries are placed in my logs and I have tried to FLUSH PRIVILEGES;
Am I missing something from the above lines that could be causing this behaviour? Thanks.
You only granted privileges on a table called localhost within wedding1 DB. I am guessing this is not what you want. Change your grant statement as follows:
GRANT ALL PRIVILEGES ON wedding1.* TO 'wedding1'#'localhost';
Is it possible for a user other than root to create a database?
GRANT SELECT, CREATE ON *.* TO 'myguy'#'thatmachine' IDENTIFIED BY PASSWORD '*12057DFA2BFBD8760D4788735B1C3E26889D7ECE' |
GRANT ALL PRIVILEGES ON `db1`.* TO 'myguy'#'thatmachine'
GRANT ALL PRIVILEGES ON `db2`.* TO 'myguy'#'thatmachine'
I wonder what privilege is missing here? Also, why does the first line have a password attached to it?
UPDATE
Let me further clarify what the point of my question is. I have two database machines, source and target. There are many customer databases on the source machine. I need to move those source databases to the other target machine.
The databases are in the form of mysqldump'ed .sql files, which are sftp'd from source to target. Target user, not root, must then recreate the databases locally from each .sql file, perform some actions, then drop the database.
I can't find a way to give these privileges to the target user without giving him global privileges on *.*, which effectively makes that user as dangerous as root.
Absolutely you can.
http://dev.mysql.com/doc/refman/5.1/en/privileges-provided.html#priv_create
As Izkata and Evan Donovan have mentioned in the comments, the best way to achieve this is to give myguy all privileges on the database myguy_%.
You can do this with the following sql:
grant all privileges on 'myguy_%'.* to myguy#localhost identified by 'password';
This way you don't have to bother with other existing databases, and myguy is able to create new databases to his heart's content.
The password field is what that particular user's password is when logging into MySQL itself. I'm not exactly sure what you mean when you say you wonder what privileges are missing. What exactly are you trying to do?