I am trying to create a stored procedure on my db.
When I try to execute the creation script I get an
1044 - Access denied for user 'cocpit_si_dbo'#'%' to database 'OTEST'
I am sure that my script Is ok bc i execute it on my local machine and It runs just fine.
My question Is can you disable the execution of certain commands ?
On the same machine I Can create drop alter tables BUT I cannot create a procedures.
For that you need create sp privilege. Have a look into Stored Routines and MySQL Privileges
Related
We created a user/login for some devs, and we have an issue where this user/login cannot view stored procedure code.
This is for MySQL 5.6.
I checked the GRANTS and also the information_schema (schema_privileges) and things look "good" to me.
Here are the commands I used to GRANT the database access and privileges:
GRANT SELECT, INSERT, UPDATE, CREATE VIEW, SHOW VIEW, CREATE ROUTINE, ALTER ROUTINE ON `mydatabase`.* TO 'dev-user'#'%' ;
After that, I run the FLUSH PRIVILEGES command.
And, when I run SHOW GRANTS for `dev-user` , I get the following response:
GRANT SELECT, INSERT, UPDATE, CREATE VIEW, SHOW VIEW, CREATE ROUTINE, ALTER ROUTINE ON mydatabase.* TO 'dev-user'#'%'
After that the user runs the command SHOW CREATE procedure mydatabase.sp_test and the output has NULL in the CREATE PROCEDURE Column.
This same user/login can create a new procedure and running SHOW CREATE procedure has the procedure code visible in that CREATE PROCEDURE column.
And, as a quick test, i created another user with GRANT ALL PRIVILEGES on the database and i get the same results. That user also not see the stored procedure code.
When I run a query on the information_schema.SCHEMA_PRIVILEGES system table, i can see that the user has included:
ALTER
ALTER ROUTINE
CREATE
CREATE ROUTINE
Does anyone have any suggestions or can see something i am missing, or forgot?
Thanks for any help
As stated in the documentation:
To use either statement, you must be the user named in the routine DEFINER clause or have SELECT access to the mysql.proc table.
So grant them that access:
GRANT SELECT ON mysql.proc TO 'dev-user'#'%';
BTW, it's not necessary to use FLUSH PRIVILEGES after the GRANT statement. See MySQL: When is Flush Privileges in MySQL really needed?
I am preparing to write a complex stored procedure. I figure will need a debugger going so I am trying to use ocelotgui. I have installed it and can connect to my database in mysql. When I type $INSTALL which is required to set up the debugger I am getting this error:
$INSTALL
Need create privilege on xxxmdbug.. Need select privilege on xxxmdbug.. Need insert privilege on xxxmdbug.. Need delete privilege on xxxmdbug.. Need update privilege on xxxmdbug.. Need drop privilege on xxxmdbug.. Need create routine privilege on xxxmdbug.. Need alter routine privilege on xxxmdbug..
It seems that ocelotgui creates a database called xxxmdbug but for some reason it can't on my system. I am running mySQL in Docker and I have modified the mysql.sql to have the following lines dealing with xxxmdbug.
CREATE DATABASE IF NOT EXISTS subs;
CREATE DATABASE IF NOT EXISTS xxxmdbug;
GRANT ALL PRIVILEGES ON subs.* To 'admin'#'%';
GRANT ALL PRIVILEGES ON xxxmdbug.* To 'admin'#'%';
It seems that I can't login with root so that I can GRANT my actual user the privileges. I though that the password for root was "", but I guess not. Anyone?
I assume you downloaded ocelotgui 1.2 from https://github.com/ocelot-inc/ocelotgui.
You might be seeing an error if database xxxmdbug already exists
(if so, drop it). But if the problem is lack of privileges
(you need create, drop, create routine, alter routine, select, insert, update, delete, select on xxxmdbug.*), then there's
nothing ocelotgui can do, good luck finding the root password.
Hello everybody.
I am using MariaDB 10.0.24 on Windows 7.
I made a user using this command.
GRANT ALL ON target_DB.* TO `user_name`#`%` IDENTIFIED BY 'user_pass';
This works fine. But when the user 'user_name' tries to alter or drop stored procedures, below error is occurred.
Unable to retrieve information. Please check your privileges. For
routines (stored procedures and functions) you need SELECT privilege
to mysql.proc if you are not the owner of the routines.
After googling, I found this. https://dev.mysql.com/doc/refman/5.7/en/stored-routines-privileges.html
My questions are...
'GRANT ALL' does not cover privileges for the stored routines?
If above answer is yes, what should I do for the 'user_name' to alter or drop stored routines?
Create procedure:
CREATE DEFINER=`gnysoftxuser`#`%` PROCEDURE `insertadmin`(IN adi VARCHAR(150))BEGIN Insert Into mekan_tablo (mekan_adi) values (adi); END;
Mysql query
CALL insertadmin('test');
Mysql error:
execute command denied to user 'gnysoftxuser'#'%'for routine 'xdb.insertadmin'
That means that the MySQL user that you are connecting with does not have the EXECUTE priviledge for the database. https://dev.mysql.com/doc/refman/5.5/en/privilege-system.html
I can find no documentation on it but it seems that DEFINER user has to have EXECUTE granted even though it is not doing any executing(1).
Create user userexecuteonly
Grant userexecuteonly EXECUTE
Create user userselectonly
Grant userselectonlySELECT
Create procedure setting DEFINER as userselectonlythat selects data
Connect as userexecuteonly
Call procedure
note error SQL Error (1370): execute command denied to user userselectonly
Grant userselectonlyEXECUTE
Call procedure
Procedure runs and returns data.
(1) There is no reason the procedure would not call another procedure
Which could be a concern if userselectonly is used elsewhere and should not be able to EXECUTE procedures.
You need to grant execute privileges. From the MYSQL command line, logged in as a user with the ability to grant, you would write:
GRANT EXECUTE ON PROCEDURE 'xdb'.'insertadmin' TO 'gnysoftxuser'#'localhost';
flush privileges;
(in your case localhost would be replaced by %, which is a wildcard and used alone allows any IP address or localhost. You may want to use a specific IP, localhost or a wildcard for a part such as '192.168.1.%')
After executing those 2 lines, try again.
I was wondering if I can switch the "connected" user within an sql script that is executed by mysql.
Here's a description of my goal. Perhaps, it's not necessary to swich the user and another solution gives me what I want.
I want to write a database creation script like so:
create databse some_db;
create user u#localhost identified by 'pw';
grant all on u.* to u;
-- Here's where I want to switch the user, but *obviously* the
-- following command fails
connect u#localhost/pw;
-- Now, as new user, create the tables:
use some_db;
create table t (...
This script would then be called from the command line like
$ mysql -u root -p"....." < create_db.sql
Is this possible or do I have to leave the script in order to switch the connected user?
AFAIK, you can not change the user in the middle of the script unless you create a brand new connection with the credentials of the other user.
BTW, connect command only reconnects but there are only two optional parameters as documentation states: db and host.
I am not aware of a regular way to switch the user from within an SQL script.
An irregular could be the usage of a stored procedure or the usage of table triggers. Both allow setting a DEFINER. So you could try to put the "special user code" into a stored procedure or a trigger, call the stored procedure or trigger the trigger and get the code executed.
If even that does not work, you need one script:
#!/bin/sh -eu
mysql --host localhost --user root --password root_pw < create_user.sql
mysql --host localhost --user u --password pw < create_table.sql