I want to have a non-root mysql user that can create another databases and users and grant access to that users to created databases. To do this as root I firstly created a user
CREATE USER asusi_admin#localhost IDENTIFIED BY '123';
Then I grant create user PRIVILEGE to this user
GRANT CREATE USER ON *.* TO 'asusi_admin'#localhost';
Then I grant all privileges to this user for the every database he creates
GRANT ALL PRIVILEGES ON `asusi\_%`.* TO 'asusi_admin'#'localhost WITH GRANT OPTION;
Now I'm flushing privileges
FLUSH PRIVILEGES;
Now I'm logging on to MySQL as newly created user asusi_admin and creating a new database
Now I'm creating a new database
CREATE DATABASE asusi_database;
Now I'm checking that I can use this database
USE asusi_database;
I can use this database, good
Now I'm creating a new user
CREATE USER 'asusi_user'#'localhost' IDENTIFIED '123';
Now I want to grant select privilege to the created user
GRANT select on `asusi_database`.* 'asusi_user'#'localhost'
And here I'm getting an error: 'Access denied for user 'asusi_admin'#'localhost' to database 'asusi_superdb'
Should I relogin as root and explicitly grant access to this database to a asusi_user
GRANT ALL PRIVILEGES ON `asusi_database`.* TO 'asusi_admin'#'localhost WITH GRANT OPTION;
and then relog in as asusi_admin and run the command again
GRANT select on `asusi_database`.* 'asusi_user'#'localhost'
this time it gives me no error and user asusi_user can read database asusi_database. Apparently MySQL wants me to explicitly grant access to the user asusi_admin for the every created database via root account. But I don't want to use the root account. I thought that after executing this command
GRANT ALL PRIVILEGES ON `asusi\_%`.* TO 'asusi_admin'#'localhost WITH GRANT OPTION;
user asusi_admin will be able to grant access to other users to the ecery database that stats with 'asusi_' prefix. May be I missed something or this behavior is designed to be that way?
It seems this is a confirmed bug, that was not fixed yet https://bugs.mysql.com/bug.php?id=75097, so nothing you can do right now with it.
I followed this post Grant on multiple databases. MySQL to be able to grant permissions over multiple databases to a mysql user. But I also want to make sure that these permissions persist when a new databases is added to the mysql server. Is there a way to do this?
If you grant all database and all table access to any MySQL user while creating then user can access all database/table created after creation of user account.
GRANT ALL PRIVILEGES ON *.* TO 'user'#'host' WITH GRANT OPTION;
You can use
GRANT ALL PRIVILEGES ON *.* TO 'user'#'hostname';
. represents database.table. * indicates all databases and all their tables.
I have a user in MySQL with the following privileges:
GRANT USAGE ON *.* TO 'certain_db'#'192.168.1.1' IDENTIFIED BY PASSWORD '****'
GRANT ALL PRIVILEGES ON `certain_db`.* TO 'certain_db'#'192.168.1.1'
If I drop this database, do I maintain the right to create it afterwards?
Yes. All information related to user access, privileges, etc is stored in a database named 'mysql'. Information related to database privileges is stored in table 'db'. When you drop a database your privileges over it are not deleted.
So, if you want to create a database with the SAME name later you will be able to.
I've created database, for example 'mydb'.
CREATE DATABASE mydb CHARACTER SET utf8 COLLATE utf8_bin;
CREATE USER 'myuser'#'%' IDENTIFIED BY PASSWORD '*HASH';
GRANT ALL ON mydb.* TO 'myuser'#'%';
GRANT ALL ON mydb TO 'myuser'#'%';
GRANT CREATE ON mydb TO 'myuser'#'%';
FLUSH PRIVILEGES;
Now i can login to database from everywhere, but can't create tables.
How to grant all privileges on that database and (in the future) tables. I can't create tables in 'mydb' database. I always get:
CREATE TABLE t (c CHAR(20) CHARACTER SET utf8 COLLATE utf8_bin);
ERROR 1142 (42000): CREATE command denied to user 'myuser'#'...' for table 't'
GRANT ALL PRIVILEGES ON mydb.* TO 'myuser'#'%' WITH GRANT OPTION;
This is how I create my "Super User" privileges (although I would normally specify a host).
IMPORTANT NOTE
While this answer can solve the problem of access, WITH GRANT OPTION creates a MySQL user that can edit the permissions of other users.
The GRANT OPTION privilege enables you to give to other users or remove from other users those privileges that you yourself possess.
For security reasons, you should not use this type of user account for any process that the public will have access to (i.e. a website). It is recommended that you create a user with only database privileges for that kind of use.
This is old question but I don't think the accepted answer is safe. It's good for creating a super user but not good if you want to grant privileges on a single database.
grant all privileges on mydb.* to myuser#'%' identified by 'mypasswd';
grant all privileges on mydb.* to myuser#localhost identified by 'mypasswd';
% seems to not cover socket communications, that the localhost is for. WITH GRANT OPTION is only good for the super user, otherwise it is usually a security risk.
Update for MySQL 5.7+ seems like this warns about:
Using GRANT statement to modify existing user's properties other than
privileges is deprecated and will be removed in future release. Use
ALTER USER statement for this operation.
So setting password should be with separate commands. Thanks to comment from #scary-wombat.
ALTER USER 'myuser'#'%' IDENTIFIED BY 'mypassword';
ALTER USER 'myuser'#'localhost' IDENTIFIED BY 'mypassword';
This will be helpful for some people:
From MySQL command line:
CREATE USER 'newuser'#'localhost' IDENTIFIED BY 'password';
Sadly, at this point newuser has no permissions to do anything with the databases. In fact, if newuser even tries to login (with the password, password), they will not be able to reach the MySQL shell.
Therefore, the first thing to do is to provide the user with access to the information they will need.
GRANT ALL PRIVILEGES ON * . * TO 'newuser'#'localhost';
The asterisks in this command refer to the database and table (respectively) that they can access—this specific command allows to the user to read, edit, execute and perform all tasks across all the databases and tables.
Once you have finalized the permissions that you want to set up for your new users, always be sure to reload all the privileges.
FLUSH PRIVILEGES;
Your changes will now be in effect.
For more information: http://dev.mysql.com/doc/refman/5.6/en/grant.html
If you are not comfortable with the command line then you can use a client like MySQL workbench, Navicat or SQLyog
1. Create the database
CREATE DATABASE db_name;
2. Create the username for the database db_name
GRANT ALL PRIVILEGES ON db_name.* TO 'username'#'localhost' IDENTIFIED BY 'password';
3. Use the database
USE db_name;
4. Finally you are in database db_name and then execute the commands like create , select and insert operations.
This SQL grants on all databases but just basic privileges. They're enough for Drupal or Wordpress and as a nicety, allows one developer account for local projects.
GRANT SELECT, INSERT, UPDATE, DELETE, CREATE, DROP,
INDEX, ALTER, CREATE TEMPORARY TABLES
ON *.* TO 'username'#'localhost' IDENTIFIED BY 'password';
GRANT ALL PRIVILEGES ON mydb.* TO myuser#localhost IDENTIFIED BY 'mypasswd';
Works for privileges on schema :)
Optional: after mypasswd you can add WITH GRANT OPTION
I could able to make it work only by adding GRANT OPTION, without that always receive permission denied error
GRANT ALL PRIVILEGES ON mydb.* TO 'myuser'#'localhost' WITH GRANT OPTION;
Hello I used this code to have the super user in mysql
GRANT EXECUTE, PROCESS, SELECT, SHOW DATABASES, SHOW VIEW, ALTER, ALTER ROUTINE,
CREATE, CREATE ROUTINE, CREATE TEMPORARY TABLES, CREATE VIEW, DELETE, DROP,
EVENT, INDEX, INSERT, REFERENCES, TRIGGER, UPDATE, CREATE USER, FILE,
LOCK TABLES, RELOAD, REPLICATION CLIENT, REPLICATION SLAVE, SHUTDOWN,
SUPER
ON *.* TO mysql#'%'
WITH GRANT OPTION;
and then
FLUSH PRIVILEGES;
I had this challenge when working on MySQL Ver 8.0.21
I wanted to grant permissions of a database named my_app_db to the root user running on localhost host.
But when I run the command:
use my_app_db;
GRANT ALL PRIVILEGES ON my_app_db.* TO 'root'#'localhost';
I get the error:
ERROR 1064 (42000): You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'my_app_db.* TO 'root'#'localhost'' at line 1>
Here's how I fixed:
Login to your MySQL console. You can change root to the user you want to login with:
mysql -u root -p
Enter your mysql root password
Next, list out all the users and their host on the MySQL server. Unlike PostgreSQL this is often stored in the mysql database. So we need to select the mysql database first:
use mysql;
SELECT user, host FROM user;
Note: if you don't run the use mysql, you get the no database selected error.
This should give you an output of this sort:
+------------------+-----------+
| user | host |
+------------------+-----------+
| mysql.infoschema | localhost |
| mysql.session | localhost |
| mysql.sys | localhost |
| root | localhost |
+------------------+-----------+
4 rows in set (0.00 sec)
Next, based on the information gotten from the list, grant privileges to the user that you want. We will need to first select the database before granting permission to it. For me, I am using the root user that runs on the localhost host:
use my_app_db;
GRANT ALL PRIVILEGES ON *.* TO 'root'#'localhost';
Note: The GRANT ALL PRIVILEGES ON database_name.* TO 'root'#'localhost'; command may not work for modern versions of MySQL. Most modern versions of MyQL replace the database_name with * in the grant privileges command after you select the database that you want to use.
You can then exit the MySQL console:
exit
That's it.
I hope this helps
To access from remote server to mydb database only
GRANT ALL PRIVILEGES ON mydb.* TO 'root'#'192.168.2.21';
To access from remote server to all databases.
GRANT ALL PRIVILEGES ON * . * TO 'root'#'192.168.2.21';
To grant all priveleges on the database: mydb to the user: myuser, just execute:
GRANT ALL ON mydb.* TO 'myuser'#'localhost';
or:
GRANT ALL PRIVILEGES ON mydb.* TO 'myuser'#'localhost';
The PRIVILEGES keyword is not necessary.
Also I do not know why the other answers suggest that the IDENTIFIED BY 'password' be put on the end of the command. I believe that it is not required.
I want to have multiple a MySQL users to be able to issue commands like
CREATE DATABASE dbTest;
But I also want each of these users to be able to see and access only their own databases.
All I could find was how to either create the databases by a DBA and grant the privileges on this database to the specific user:
GRANT ALL PRIVILEGES ON dbTest.* TO 'user';
or grant privileges on all databases to a user:
GRANT ALL PRIVILEGES ON *.* TO 'user';
But neither is what I want, because it needs to scale and be secure.
You can use
GRANT ALL PRIVILEGES ON `testuser\_%` . * TO 'testuser'#'%';
to grant the user testuser privileges on all databases with names beginning with testuser_.
This allows the testuser to create databases limited to names starting with testuser_
You can use
GRANT ALL PRIVILEGES ON `testuser_%` . * TO 'testuser'#'%';
to grant the user testuser privileges on all databases with names beginning with testuser_.
EDIT: I'm not sure if this user is now also allowed to create databases.
Yes, this allows the testuser to create databases limited to names starting with testuser_
Create a stored procedure that is defined by the admin user and invokes with the admin user privileges by using SQL SECURITY DEFINER. In the stored procedure,
Create the database.
Set the privileges on the database so only the current user has access.
Execute FLUSH PRIVILEGES to reload the privileges from the grant tables.
Use USER() to get the current user login details.
Find out more about SQL SECURITY DEFINER.
It is impossible to do this using permissions only .
The workaround as suggested in another answer:
GRANT ALL PRIVILEGES ONtestuser_%. * TO 'testuser'#'%';
has the problem that the users must then be very careful in naming their databases.
For example if user aaa creates database bbb_xyz, it can then be accessed exclusively by user bbb but not by user aaa.