I create my database and user navid in my shared server with cpanel (databases -> mySQL# Databases -> add new user),and then selected ALL PRIVILEGES for user navid.
I was importing mydatabase.sql when I was confronted with this error.
how do i fix the error? store procedure worked fine in localhost.
what is SUPER privilege?
Error
SQL query:
DELIMITER $$--
-- Procedures
--
CREATE DEFINER = `navid`#`%` PROCEDURE `d_answer` ( OUT `sp_out` INT( 11 ) , IN `sp_id` INT( 11 ) ) NO SQL BEGIN DELETE FROM `tblname` WHERE `a_id` = sp_id;
SET sp_out = ROW_COUNT( ) ;
END$$
MySQL said: Documentation
#1227 - Access denied; you need (at least one of) the SUPER privilege(s) for this operation
From the documentation (my emphasis):
The SUPER privilege enables an account to use CHANGE MASTER TO, KILL
or mysqladmin kill to kill threads belonging to other accounts (you
can always kill your own threads), PURGE BINARY LOGS, configuration
changes using SET GLOBAL to modify global system variables, the
mysqladmin debug command, enabling or disabling logging, performing
updates even if the read_only system variable is enabled, starting and
stopping replication on slave servers, specification of any account
in the DEFINER attribute of stored programs and views, and enables
you to connect (once) even if the connection limit controlled by the
max_connections system variable is reached.
Since you are already navid to the database, you do not need to set the DEFINER attribute in your stored procedure; adding this line is causing the error to show up. If you remove this statement, your procedure will be created and you won't get the permissions error.
You only need to set DEFINER if you are setting up the stored procedure for some other user, by default the stored procedure gets the same security context as the user that is creating it:
All stored programs (procedures, functions, and triggers) and views
can have a DEFINER attribute that names a MySQL account. If the
DEFINER attribute is omitted from a stored program or view definition,
the default account is the user who creates the object.
I got the problem too and fixed it thus in MySQL Workbench.
In my case it is because the "Send to SQL Editor > Create Statement" has extra stuff in there that prevents from being used without modification.
Something like this:
CREATE ALGORITHM=UNDEFINED DEFINER=schemax#localhost SQL
SECURITY DEFINER VIEW viewName AS SELECT ....
Change it to this:
CREATE VIEW viewName AS SELECT ....
Seems to work now, no need to update permissions.
**I am the only user of my database..
I had the same issue - on my local dev server it was fine but on my hosted server (through PHPMyAdmin) it gave me the above error.
Removing the definer attribute seemed to be the easiest way to fix the problem if you're happy with the definer being the current user.
just remove the DEFINER attribute and with it's value, example:
CREATE ALGORITHM=UNDEFINED SQL SECURITY DEFINER VIEW ...
Don't rely on default values, if emptying the definer field in phpMyAdmin or other programs won't solve, check the definer, should not be username#localhost unless explicitly needed, but username#%.
Related
I understand why this is so locked down. If I were MySQL, I wouldn't want folks to (easily) shoot themselves in the foot on business critical/internal-use databases either. Nevertheless, it should support legitimate use cases.
Suppose I had a stored procedure:
delimiter //
CREATE DEFINER=CURRENT_USER() PROCEDURE performance_schema.sp_flush_hosts()
BEGIN
-- requires DROP privileges
TRUNCATE TABLE performance_schema.host_cache;
END
//
delimiter ;
for a user called root with ALL permissions on most databases.
In practice, MySQL seems to explicitly forbid this for performance_schema:
Because only a limited set of privileges apply to Performance Schema tables, attempts to use GRANT ALL as shorthand for granting privileges at the database or table leval fail with an error:
Fine. So let's grant some specific permissions:
mysql> GRANT CREATE ROUTINE on perforamnce_schema.host_cache to 'root'#'%';
ERROR 1144 (42000): Illegal GRANT/REVOKE command; please consult the manual to see which privileges can be used
In the same document (above), only: SELECT, UPDATE, DROP are singled out, but it does not say if those are the only available permissions. How would I grant permissions to create this routine? Is that even possible? Thanks.
Inspiration taken from this SO answer: Is there a way to effectively GRANT on either TRUNCATE or DROP TABLE in MySQL?
Perhaps:
Put your SP in your database. Or perhaps a generic database of "utilities".
Be "root" when you CREATE the SP, and declare it with SQL SECURITY DEFINER See https://dev.mysql.com/doc/refman/5.6/en/stored-objects-security.html#stored-objects-security-sql-security This provides a way to elevate the permissions just for the running of the SP. Normally, one would use SQL SECURITY INVOKER -- to use the permissions of the person CALLing the SP.
There is a very strange issue. I have one procedure with a definer named as admin.
There was a case where we had to remove the user "dbadlys". So in order to do so we updated the mysql.proc table with the new account "admin#%" before deletion of account dbadlys and did the flush privileges as well.
I also verified the definer name from information_schema.routines and I saw that new definer name is now admin#%.
Issue:
Even though the definer name was now updated to new name when the code was calling the procedure it was using the old definer name dbadlys and was giving the below error:
The user specified as a definer does not exist
Upon further investigation, I found out that when we reconnect the instance then there was no error, however if we change the definer name and try to execute the procedure again then it doesn't reflect it.
My questions:
Is there anything else which I need to do in this situation or am missing anything?
if there is nothing missing then is there a way that application should see the changes?
Should I restart the application server?
If you have dba privilege, try recreating the SP without definer.
Definers are optional, unless you have a very specific need you don't need to use them.
In MSSQL I'm used to using roles for security and permissions but in MySQL/MariaDB it seems that users are a staple that you can't really get around. One specific case I'm wondering about is a DEFINER on a view or stored procedure. I essentially can't script that object without knowing what user it should run as ahead of time, in my case. Is there a way to define it with a specific role instead of a user?
You can use
CREATE DEFINER=`your role` PROCEDURE / FUNCTION ()
SQL SECURITY DEFINER -- that's the default
begin
....
end
'Your role' must have execute permission for the procedure und all the privileges needed inside the procedure.
I am using a hosted web service account that uses cpanel as its management system. When logged into phpmyadmin, I am trying to import an SQL file that contains tables and some procedures.
CREATE DEFINER=`root`#`localhost` PROCEDURE `getClientDashboardStatsMap` (IN `in_userID` INT) BEGIN
SELECT
rl.city,
rl.state,
rl.zip,
rl.longitude,
rl.latitude,
rl.timestamp,
count(rl.ID) as total
FROM
crowd.redemption_log as rl
JOIN
reward as r
ON
rl.rewardID = r.rewardID
WHERE
r.userID = 1
AND
rl.timestamp BETWEEN NOW() - INTERVAL 30 DAY AND NOW()
GROUP BY
rl.city, rl.state, rl.zip
ORDER BY
total DESC;
END$$
When I try to run this, I get an error about needing super user privileges to do so. Doing some searching, people suggested removing the definer line like so:
CREATE PROCEDURE getClientDashboardStatsMap (IN in_userID INT) BEGIN.
While this allows me to complete the import, I am running into another issue. The procedures are getting a default definer of cpaneluser#localhost. However, the database user that is set up is different than this user so the procedure has no permissions for things like select, update, delete. The database user is cpaneluser_dbusername, which is typical for hosted sites like this so you can associate databases with accounts.
How else can I get this procedures to run, under the correct user? I don't see any settings in PHPMYADMIN for privileges in order to run these as a super user.
There are two ways to solve this problem:
Log into phpmyadmin with the database user cpaneluser_dbusername. I am not familar with phpmyadmin and cpanel, so I'm not sure whether they provide you the option to change the user. You should check it out by yourself. I'm using MySQL Workbench and MySQL Administrator, they both privode me this option.
Grant privileges to cpaneluser#localhost. Such as:
GRANT ALL ON db_name.table_name TO 'cpaneluser#localhost';
It's better if you grant each privilege explicitly, e.g.: GRANT SELECT,INSERT,UPDATE,DELETE ON .... Check GRANT Syntax.
i have two databases, db1 and db2.
User man1 had all privileges to db1 but only executing provileges for all functions and procedures in db2.
Calling function db2.getValue from db1 is successful and returns correct values, also if call for db2.getValue is nested in a stored procedure.
Now i create a stored Procedure proc1 and within this procedure i use a cursor to fetch values (_val1, _val2,--) from a table in db1 and call db2.getValue(_val1).
Now somthing really strange happens:
The first loop from the cursor finish, but the value from db2.getValue is empty. At the end of this loop, the loop ends and stops.
Does anyone have a hint where the problem could be here? Calling db1.getValue(_val1) instead of db2.getValue(_val1) works fine.
Therefore my idea was that within the cursor, the privileges for db2 might be not the same?
Kind Regards Solick
Yes, by design, a cursor can behave differently than the same SELECT query might behave if it were executed by the user who called the procedure.
Stored programs and views are defined prior to use and, when referenced, execute within a security context that determines their privileges. These privileges are controlled by their DEFINER attribute, and, if there is one, their SQL SECURITY characteristic.
— http://dev.mysql.com/doc/refman/5.6/en/stored-programs-security.html
If you don't specify a DEFINER when you create a stored program (proc, function, trigger, or event) or a view, then the object, when accessed, runs with the privileges of the user who originally defined it, not the user who invoked it.
You have three options, here:
Verify or possibly modify the permissions of the current DEFINER user if appropriate; or,
Specify a different DEFINER user when defining the stored program or view... you can do this as long as you (the person creating the object) have the SUPER privilege, and users invoking (accessing) the object will temporarily have the rights of that DEFINER user instead; or,
Add SQL SECURITY INVOKER to the definition of procedures, functions, and views (though not triggers or events), causing the object to run with the privileges of the user who invoked it, instead of the definer, which is the default behavior.
To see the permissions the existing definer has, for example if you see DEFINER=`someguy`#`localhost`:
mysql> SHOW GRANTS FOR 'someguy'#'localhost';
You can find the current definer in the definition of the procedure, with SHOW CREATE PROCEDURE procedure_name;.