I was playing around with MySQL on OS X and I removed all the 'root' users using DROP USER. I then added some of them back and did GRANT ALL on *.* to 'root'#'localhost';, and then logged out after verifying that yes indeed, I could log in and do a few privileged operations.
Unfortunately, one of the privileged operations I did not try was GRANT ALL on *.*. It turns out that you don't get the privilege to grant privileges with the GRANT ALL command. So now I'm stuck. I can't give anybody any privileges to do anything else.
At this point I don't actually have any data in MySQL. I could just wipe the install and do it over. But I would like to fix this without resorting to that extreme. How do I do that?
Put the following in a file:
GRANT ALL ON *.* TO 'root'#'localhost' WITH GRANT OPTION;
FLUSH PRIVILEGES;
The restart mysqld with the --init-file option specifying that file.
Related
I have a docker container with mariadb on a synology nas.
The mariadb version is 10.4.12.
By trying to access the mariadb from a linux client by latest dBeaver I got following behavior.
Access with root user from client is successfull.
Access with root user out of inside the docker is successfull.
so far so fine!
Then I created following user, by following command:
CREATE USER 'myUser'#'%' IDENTIFIED BY 'secretPassword';
GRANT select, update, insert, delete ON mydb.* TO 'myUser'#'%';
After this I flushed privileges
With this user I am not able to login from inside the docker container and also not possible from the client.
Dependig from where I tried, I got 'Access denied for user 'myUser'#'172.17.0.1'.
The mariadb charset is UTF8.
The plugin in mysql.user is set to: mysql_native_password
In /etc/mysql/my.cnf the bind is enabled and set to 0.0.0.0
I tried to create the same user with above listet command with localhost and clientIP also without success.
I restartet the docker container without success.
I grant ALL to this user and flushed privileges again, without success.
I deleted all myUser's and created the myUser#% new with additional usage rights, also without success.
Are there any idea what I can do/ how to fix this behavior?
Any help will be apreciated!
Thank you in advance
I found the solution!!
I used for the user an automatic generated password:
G(m&>JBR,9รค
This did not work.
After I changed the password to a new one. Everything worked fine!
Are there any restrictions which charactes are possible in a password?
Simply remove the "%"
For more convenient, I also add couple of combinations.
CREATE USER 'myUser'#'localhost' IDENTIFIED BY 'secretPassword';
GRANT select, update, insert, delete ON mydb.* TO 'myUser'#'localhost';
CREATE USER 'myUser'#'%' IDENTIFIED BY 'secretPassword';
GRANT select, update, insert, delete ON mydb.* TO 'myUser'#'%';
CREATE USER 'myUser'#'' IDENTIFIED BY 'secretPassword';
GRANT select, update, insert, delete ON mydb.* TO 'myUser'#'';
Need to access one mysql database for a user remotely. I know it will work if grant all privileges on all databases to that user, like:
grant all on \*.* to 'someone'#'%'
But I just want grant access permission to that user on the database specified, not every database, like:
grant all on mydb.* to 'someone'#'%'.
Unfortunately, remote access will be failed in this case.
Any idea to solve this? Thanks a lot.
Try this,
GRANT SELECT,UPDATE,INSERT,DELETE ON yourdb.* To your_user#'192.162.1.1' identified by 'password';
After updating mysql version 5.7.8-rc-log, I granted privileges like this:
GRANT select ON test_db.* TO 'test'#'host';
and getting following error:
SELECT command denied to user 'test'#'host' for table 'session_variables'
but when I grant privileges like this:
GRANT select ON *.* TO 'test'#'host';
it works. Can anybody help?
Here are the article1, article2, article3 related to this issue.
As per these articles, Workaround is setting show_compatibility_56 = on in /etc/my.cnf and restart mysql server.
MySQL 5.7 introduces a change in the way we query for global variables and status variables: the INFORMATION_SCHEMA.(GLOBAL|SESSION)_(VARIABLES|STATUS) tables are now deprecated and empty. Instead, we are to use the respective performance_schema.(global|session)_(variables|status) tables.
But the change goes farther than that; there is also a security change.
So non-root user gets:
mysql> show session variables like 'tx_isolation';
ERROR 1142 (42000): SELECT command denied to user 'normal_user'#'my_host' for table 'session_variables'
Solutions?
The following are meant to be solutions, but do not really solve the problem:
SHOW commands. SHOW GLOBAL|SESSION VARIABLES|STATUS will work properly, and will implicitly know whether to provide the results via information_schema or performance_schema tables.
But, aren't we meant to be happier with SELECT queries? So that I can really do stuff that is smarter than LIKE 'variable_name%'?
And of course you cannot use SHOW in server side cursors. Your stored routines are in a mess now.
This does not solve the GRANTs problem.
show_compatibility_56: an introduced variable in 5.7, boolean. It truly is a time-travel-paradox novel in disguise, in multiple respects.
Documentation introduces it, and says it is deprecated.
time-travel-paradox :O
But it actually works in 5.7.8 (latest)
time-travel-paradox plot thickens
Your automation scripts do not know in advance whether your MySQL has this variable
Hence SELECT ##global.show_compatibility_56 will produce an error on 5.6
But the "safe" way of SHOW GLOBAL VARIABLES LIKE 'show_compatibility_56' will fail on a privilege error on 5.7
time-travel-paradox :O
Actually advised by my colleague Simon J. Mudd, show_compatibility_56 defaults to OFF. I support this line of thought. Or else it's old_passwords=1 all over again.
show_compatibility_56 doesn't solve the GRANTs problem.
This does not solve any migration path. It just postpones the moment when I will hit the same problem. When I flip the variable from "1" to "0", I'm back at square one.
Suggestion
I claim security is not the issue, as presented above. I claim Oracle will yet again fall into the trap of no-easy-way-to-migrate-to-GTID in 5.6 if the current solution is unchanged. I claim that there have been too many changes at once. Therefore, I suggest one of the alternative two flows:
Flow 1: keep information_schema, later migration into performance_schema
In 5.7, information_schema tables should still produce the data.
No security constraints on information_schema
Generate WARNINGs on reading from information_schema ("...this will be deprecated...")
performance_schema also available. With security constraints, whatever.
In 5.8 remove information_schema tables; we are left with performance_schema only.
Flow 2: easy migration into performance_schema:
In 5.7, performance_schema tables should not require any special privileges. Any user can read from them.
Keep show_compatibility_56 as it is.
SHOW commands choose between information_schema or performance_schema on their own -- just as things are done now.
In 5.8, performance_schema tables will require SELECT privileges.
Hope this will help you.
Try this, it worked for me:
GRANT SELECT ON performance_schema.session_variables TO stevejobs;
GRANT SELECT ON performance_schema.session_status TO stevejobs;
Try with the following way, maybe you will get the result.
GRANT ALL PRIVILEGES ON bedgeaj_medmax.transactions to 'bedgeaj_root'#'%' IDENTIFIED BY 'password';
(OR)
GRANT ALL PRIVILEGES ON mydb.* TO 'myuser'#'%' WITH GRANT OPTION;
For accessing GLOBAL|SESSION VARIABLES try with command in MYSQL:-
$ GRANT ALL ON sonar.* TO 'sonar'#'%' IDENTIFIED BY 'sonar';
$ GRANT ALL ON sonar.* TO 'sonar'#'localhost' IDENTIFIED BY 'sonar';
If it is not working then you should try(It only provide SELECT permission to 'sonar' user for all DATABASES):
$ GRANT SELECT ON *.* TO 'sonar'#'%' IDENTIFIED BY 'sonar';
$ GRANT SELECT ON *.* TO 'sonar'#'localhost' IDENTIFIED BY 'sonar';
It provides permission to sonar user to access all the databases with all the privilege SELECT,INSERT,UPDATE,DELETE (ALL possible moves on DB.
$ GRANT ALL ON *.* TO 'sonar'#'%' IDENTIFIED BY 'sonar';
$ GRANT ALL ON *.* TO 'sonar'#'localhost' IDENTIFIED BY 'sonar';
I have foo_bar_test database existing on my mysql server on host 127.0.0.1.
But there's no user that can access it but root, and I don't want to use root user anywhere in my code. So I created new user, fb_test, and granted him privileges for this database:
create user fb_test#'127.0.0.1' identified by password 'some_password';
grant all on 'foo_bar_test.*' to fb_test#'127.0.0.1';
flush privileges;
Ok, that should work, but when I log in as this user, I don't have any database available!
What's wrong?
I checked it using show grants for fb_test#'127.0.0.1', but it shows some strange results:
grant usage on *.* to fb_test#'127.0.0.1' identified by password '*another_password_dont_know_which_one'
How do I solve this?
you have an error in grant statement. Use the query:
grant all on 'foo_bar_test'.* to fb_test#'127.0.0.1';
In fact your grant command results an error which I think you ignored.
I forgot the root password, so followed a few different methods to reset, which eventually worked.
Now I am unable to create new databases on PHPmyAdmin, the message "no privileges" is displayed.
So I try to add all the permissions to ROOT again using:
GRANT ALL PRIVILEGES ON *.* TO 'root'#'%' WITH GRANT OPTION;
But then I get the error:
#1290 - The MySQL server is running with the --skip-grant-tables option so it cannot execute this statement
So I remove the "skip-grant-tables" from my.ini, then my MySQL based sites stop working.
Have I officially fudged it up?
Make sure you flush the privileges:
GRANT ALL PRIVILEGES ON *.* TO 'root'#'%' WITH GRANT OPTION;
FLUSH PRIVILEGES;
From the documentation:
FLUSH PRIVILEGES
Reloads the privileges from the grant tables in the mysql database.
The server caches information in memory as a result of GRANT and CREATE USER statements. This memory is not released by the corresponding REVOKE and DROP USER statements, so for a server that executes many instances of the statements that cause caching, there will be an increase in memory use. This cached memory can be freed with FLUSH PRIVILEGES.