I was hoping someone could help me with a mySQL / phpMyAdmin problem. (I don't even know if it is possible...)
Here is the problem:
I have 2 databases: DB1 and DB2
I have a user DB1user. This user has full access to DB1 and has select access to specific tables in DB2.
I was hoping that there was a way to hide DB2 from the user. I.e. when user types in 'SHOW DATABASES;', I would like that user to see only DB1. However, when user types in 'SELECT * FROM DB2.TABLE1;', he should see results of his query.
Is this possible? Doable?
Thanks for the help!
These two queries will restrict a user to a single database, so that the user can only see, update, and delete tables from that single database:
Replace USER with the MySQL username
Replace USERDATABASE with the single MySQL database you wish the user to have access to.
REVOKE ALL PRIVILEGES,GRANT OPTION from USER;
GRANT ALL ON USERDATABASE.* TO 'USER';
Did you try using the Privileges page in phpMyAdmin where you can create users and restrict their access to specific databases as well as operations?
Related
I have a database that is used to store data for various applications. I want to grant users permissions to select data from these tables, however there is one table that has sensitive information that only one specific 'special' user should have access to.
How do i grant permissions to all tables EXCEPT that one table. If i grant all, then revoke on that table, it won't work as it says that there is no permission on that table.
I thought about writing a query that could do this, but what happens when tables are added to the database? I would have to go and add that permission to each of the users, which could get quite time consuming. Is there any way to do this easily in MySQL? Perhaps a trigger that on table creation grants permissions? Is that possible?
Put that table in a separate database. Then you can grant access to regulardb.* to all the normal users, and grant access to sensitivedb.specialtable only to the special username.
I have several DB's in my server, and I need to allow one user to select records from a view in one of the DB's. But I need for this user to not even see that there are other DB's nor see that there are other tables in the DB where the view belongs. Is this possible?
I had an account with a hosting company, a shared hosting account, and I could only see my DB when I accessed it through phpmyadmin. This is similar to what I need. Thank you for your help.
I've found the overview contained in this article even more helpful than the actual MySQL documentation for describing the big picture of how MySQL privileges are granted or denied.
The gist of the overview article is that privileges are controlled by a series of increasingly finer-grained permissions tables in the mysql database: mysql.user, mysql.db, mysql.host, mysql.tables_priv, mysql.columns_priv, mysql.procs_priv. The general rule is that a "Y" value for a privilege in a more fine-grained table overrules a "N" value in a more coarse-grained table. So the recommended strategy is to start by denying most privileges in the user table (which gives the coarsest control), and then make only the specific overrides that you want in the more fine-grained tables.
In particular, there is a privilege called SHOW_DATABASES which is determined by the Show_db_priv column in the mysql.user table; you'll want to set this to "N" for the user in question (and as described above, you may want to set most other permissions in the user table to "N" as well) and then grant only the privileges that the user actually needs in the mysql.db or mysql.tables_priv table or whatever would be appropriate for your particular case.
You have to add a user to a database using grant privileges.
Create new databases and simply don't add the user to it then the user won't be able to see it.
The only way the user will be able to find the database is if they try to access it and guess the database name. So basically a user/hacker would have to attempt to connect to a bunch of random database names in order to find one that says "access denied"
i was wondering if there is a way to limit the number of databases a user can create in mysql? I would like to give a user the right to create databases, but he should not be able to create an infinite number of databases.
Thanks,
Gerold
If your users only have granted permissions on their own databases, you can check information_schema.SCHEMA_PRIVILEGES prior to permitting creation how many databases they already have. However, for this to work, you would have to prohibit CREATE DATABASE by the users directly and instead create the databases in application code via another privileged database user then grant access to the users to their newly created databases.
SELECT
GRANTEE,
COUNT(DISTINCT TABLE_SCHEMA) AS NUM_DBS
FROM information_schema.SCHEMA_PRIVILEGES
GROUP BY GRANTEE
If NUM_DBS is greater than your limit, don't create a new database for them.
Note that if you are granting permissions to users for databases other than the ones they "own", you will need to account for that in your query by excluding those via something like
WHERE TABLE_SCHEMA NOT IN ('other','dbs','you','grant','access','on')
Short version: How can I write an SQL procedure to list which of several tables in a MySQL database a particular user has access to?
Longer version:
I'm writing a multi-user app that accesses a database with data for several branches of a company. The database has a number of lookup tables that any user can access, and a table for each branch that only authorized users can access. My strategy is:
Write a stored procecure that returns a list of the relevant tables for which the user has SELECT privilege.
From the app, call the procedure. If there's only one table returned, use it, otherwise let the user select which branch they want to access (e.g. for managers).
I'm having trouble figuring out how to write such a stored procedure. SHOW GRANTS FOR CURRENT_USER is an obvious possibility, but parsing something like:
GRANT SELECT ON Company.BranchABC TO 'auser'#'%clientdomain.com'
in SQL to figure out what the tables are seems way too messy. Doing a SELECT from the actual tables that hold the permissions also seems problematic, because I'd have to duplicate MySQL's logic for combining the permissions from the various tables (user, db, host, etc.)
Any words of wisdom?
You can see what privileges on which tables a user has:
show grants for 'user'#'host';
For example, to see the privileges of user1 (all machines in the network 10.25), run:
show grants for 'user'#'10.25.%.%';
I have never granted per table permissions to MySQL users before, but to do this, you would check that the TABLE_PRIVILEGES table in the information_schema database.
That should point you in the right direction.
MySQL users list and its privilege can be check with the Query.
select * from mysql.user\G;
http://www.thedevheaven.com/2012/04/retrieve-mysql-users-list-and-its.html
I have a MySQL user added to a database that I would like to prevent from viewing certain tables.
I can limit their privileges through MySQL by preventing them from running statements like DROP or ALTER. But is it possible to prevent them from viewing certain tables in phpMyAdmin?
If there isn't a MySQL privilege that controls this (I wouldn't imagine there would be), is there a configuration in phpMyAdmin that allows this?
I understand one workaround here is to move the tables to a new database that they're not added to. This isn't an option for my application.
Yes, you can hide a particular database in phpmyadmin.
In order to do that, just open config.inc.php in your phpmyadmin directory in your webserver root or where it is placed. or search for config.inc.php
if you want to hide information_schema and mysql add this line after:
$cfg['Servers'][$i]['extension'] = 'mysql';
$cfg['Servers'][$i]['hide_db'] = '^information_schema|mysql$';
This is It.
You could move the tables to another database and then restrict the user account to only access the 1 database with the public tables. Trying to modify phpmyadmin would be a massive mistake, the user could just write a custom query to access the tables, thats a dead simple hack.
This has to be done on the database side or there is absolutely no point. SE-Postgresql is the only project i know of that allows for table by table permissions. This is the only database that can do this because very few people need this feature.
phpMyAdmin connects to the database as a certain MySQL user. If that user does not have any permissions on the given tables no phpMyAdmin user can access that. That would hold for all mypMyAdmin users of course.