Is it possible to have database level credentials for MySQL?
In our current system we have multiple databases in one database server, if we connect to the server using any tool we can see all databases in that server, to have more secure system.
Can we have credentials for each database.
You can't have credentials for databases. But you can have credentials for created users and grant/restrict access to any tables/databases according your policy.
create user
grant
priviledges
Yes, absolutely, you can set up access privileges on per-database basis. In fact, MySQL allows very fine-grained privileges down to table and even column level. E.g.:
-- Creates a user
GRANT USAGE ON *.* TO 'username'#'hostname' IDENTIFIED BY PASSWORD '*SOMEPASSWORD';
-- Gives the user access to a single database `database_name`
GRANT SELECT, INSERT, UPDATE, DELETE ON `database_name`.* TO 'username'#'hostname';
You probably want to read more about GRANT syntax and MySQL privileges.
Worth adding, that you are allowed to have usernames identical to database names.
Related
I have multiple MySQL databases on the server, DB 1, mysql and DB 2. I created a user User A. I want to revoke access for User A only for a single DB, say mysql, as this would have several log tables. I tried basic REVOKE syntax which is not working.
revoke select on mysql.* from user#localhost;
Please note that the revoke should only happen for mysql DB and not for DB 1 and DB 2.
Before MySQL 8.0.16, you cannot substract privileges,
The privileges that a user holds for a database, table, column, or routine are formed additively as the logical OR of the account privileges at each of the privilege levels, including the global level. It is not possible to deny a privilege granted at a higher level by absence of that privilege at a lower level.
Trying to do so should give you an error like
Error Code: 1141. There is no such grant defined for user 'user' on host 'localhost'
You have to add permissions for all databases individually, e.g. allow db1 and db2 specifically, instead of allowing all and removing mysql.
Starting with MySQL 8.0.16, you can finally remove access to individual databases (but for now only on databases, not on e.g. individual tables or columns):
As of MySQL 8.0.16, it is possible to explicitly deny a privilege granted at the global level by revoking it for particular databases, if the partial_revokes system variable is enabled:
GRANT SELECT, INSERT, UPDATE ON *.* TO u1;
REVOKE INSERT, UPDATE ON db1.* FROM u1;
The partial_revokes system variable has to be set for this:
Enabling this variable makes it possible to revoke privileges partially. Specifically, for users who have privileges at the global level, partial_revokes enables privileges for specific schemas to be revoked while leaving the privileges in place for other schemas. For example, a user who has the global UPDATE privilege can be restricted from exercising this privilege on the mysql system schema. (Or, stated another way, the user is enabled to exercise the UPDATE privilege on all schemas except the mysql schema.) In this sense, the user's global UPDATE privilege is partially revoked.
The bold marked part is exactly what you are trying to do.
I know that I can create a user with the create user privileges like so:
create user primary_user identified by 'pass';
grant all on *.* to primary_user with grant option;
This will in turn allow me to create users whilst logged in with primary_user.
Now let's assume I have a subset of databases, all with prefix abc_, and that I want my primary_user to only be able to access these databases.
Then the grant query above would look like so:
grant all on `abc_%`.* to `primary_user` with grant option;
The problem now, however, is that when I log in with my primary_user and try to create a secondary_user, I get the following error:
ERROR 1227 (42000): Access denied; you need (at least one of) the
CREATE USER privilege(s) for this operation
TL;DR
Basically what I want is primary_user to only be able to access databases with the abc_ prefix, and to also be able to create secondary users that in turn also only have access to databases with an abc_ prefix.
Is this possible? Or is my only option to create the secondary users with a user account that has create user privileges on *.*?
As mentioned in MySQL Documentation:
To use CREATE USER, you must have the global CREATE USER privilege or
the INSERT privilege for the mysql database.
Thus, users with privileges in specific databases cannot create users. Ofcourse, since you have with grant option, your primary_user can grant all database level privileges to other already created users (for the abc_ databases).
Note #1: Here you can find an interesting table with the various privileges and the different levels that they can be granted.
Note #2: Be extra cautious when giving GRANT OPTIONS to non-admin users because they can modify the privileges of other users which can lead to chaos. The Open Web Application Security Project states:
[Grant privilege]... should be appropriately restricted to the DBA and Data (Table)
owners. Give specific permissions on an as needed basis and use
different logins for different purposes.
Hey I'm trying to grant my USER in mySQL the DBA role, because we are connecting to a AWS amazon server but no matter what we do, we can't grant that role to our user admin5 that's in the only user that we created. So please help because we need that privilege to create a Job that sends emails automatically at midnight.
This is how you can grant privileges to other users:
WITH GRANT OPTION clause gives the user the ability to give to other users any privileges the user has at the specified privilege level.
You can check if your user has this option by running show grants for 'youruser'#'yourhost';
The root user usually has these privileges by default. Try logging in with root and granting the permissions you need.
Also, presumably your cron that you are going to be running does not need to have DBA permissions. Here is a list of Mysql permissions and what they do. Select and execute privileges would probably be sufficient enough for what you need.
Every time I create a database using a custom joomla template quick install the database is created but does not show up in MySQL Database management despite the fact that it most definitely does exist and MySQL database management knows it does because it wont let me create a database with that name due to error "Database already exists".
I want to delete joomlasall database.
Full size image
http://img99.imageshack.us/img99/4995/tempkh.png
If you can not see database but you are sure that it exists, this is definitely permissions issue.
Do
SHOW GRANTS
More info here
You will see that you does not hold global SELECT privilege.
You need to explicitly GRANT permissions with similar command like:
GRANT ALL PRIVILEGES ON DBNAME.* TO 'username'#'localhost';
Instead of ALL you can specify SELECT, INSERT, UPDATE, DELETE , EXECUTE, etc... check this
replace DBNAME with your DB name, username with user for whom you want to grant access and localhost with hostname if DB is used remotly.
To do this, you need GRANT privilege or to be root user.
use same mysql user credentials for Joomla DB connectivity also the one you are using in phpmyadmin.
I've just installed MediaWiki on a web server. Obviously it needs lots of privileges during installation to set up its database correctly. Now that it's installed can I safely revoke some privileges (e.g. create table, drop table?) Or might it need to create more tables later (when they are first needed?) If not then I would prefer to grant it as few privileges as possible.
After the installation, MediaWiki doesn't need to create any more tables. I'd suggest giving the user insert, select, and lock permission.
grant select,lock tables,insert on media_wiki_db.* to 'wiki'#'localhost' identified by 'password';
Change the user that mediawiki connects as in LocalSettings.php and then using phpMyAdmin, you can edit the privileges of that user (that is, if you aren't comfortable granting and revoking privileges from the mysql console).
http://www.phpmyadmin.net/home_page/index.php