Suppose a user has full read/write access to MySQL database. Is there any way (some parameter in connection string) to connect to database by the same username and password in read-only mode?
I want this without changing this user's permissions because the same user might require write permission too at some other time. This would be useful (if possible) to prevent accidental modification to database.
The answer to your question is
No, there's no way to specify read-only access in the connection string.
Alternatives are
1. Create sql user with read permission
MVC3 Read-Only MySql Connection String
2. create views or stored procedures with permissions checking logic in them
MS SQL Grant permission to only a view
MySQL Grant a user permission to only view a mysql view
3. Implement permissions layer in your business logic
Good Luck!
The best solution here is to create another account on the mysql server with readonly permissions, and connect using that.
Depending on your use case and what control you have you could have the code call "set transaction read only" immediately after connecting, or use the --init-command parameter on connect. This worked for a testing use case we have,
Here's the set transaction doc: https://dev.mysql.com/doc/refman/5.7/en/set-transaction.html, similarly you can also set it as a session variable if that makes a difference https://dev.mysql.com/doc/refman/5.7/en/server-system-variables.html#sysvar_transaction_read_only.
Related
I have one MySQL 5.6 running in production with a legacy root account that is used for years. As part of a hardening program, I wanted to remove this root account - make it available via another account not named root basically.
After creating another account named adminacc with full accesses on the DB, I deleted the account named root.
Right after this action, all (adminacc could still log in) my others accounts could not log in anymore receiving the below message
SQL State 28000 Error 1045: Access denied for user 'XXX'#'wathever' (using password: YES)
I granted the denied account full accesses on the DB - without success.
I finally recreated my root account (with the same previous password, not sure if relevant here) and my DB accounts went back.
How can it be there is a dependency between an account (would it be the initial root) and another in MySQL? Would it be because I created this other account while connected as root user? Or the other account is trying to query a view created by the root account? I believe not, just throwing thoughts trying to understand.
What I found the most weird in my senario is that the connection from the denied account was not completely denied. When testing the connection from a Windows odbcad32.exe utility, it succeedded! But whenever used in app context (running from the same windows host), it failed.
I did run a capture and here is the output (this is from the app context)
You can see the login actually happens well; few queries are executed properly (basically init statments at session opening like SET NAMES utf8 or SET SQL_AUTO_IS_NULL = 0).
Then the error is thrown when the user tries to execute a SELECT against one of the DB views.
Nota: I found no recommendation from MySQL docs to not delete the initial root account. Nothing describing such situation. Browsing a bit on the internet, I found this previous StackOverflow question but it remained unanswered.
As explained by Akina, this issue was tied to Stored Object Access Control in MySQL. Not only this applies to procedures, functions, triggers but views as well, read this
For stored routines (procedures and functions) and views, the object
definition can include an SQL SECURITY characteristic with a value of
DEFINER or INVOKER to specify whether the object executes in definer
or invoker context. If the definition omits the SQL SECURITY
characteristic, the default is definer context.
My errors actually appear whenever a view was called (and because all of the views were created via this root account and with the SQL SECURITY set to DEFINER - default behavior).
Making a lot of sense now. That being said, the MySQL error message could have been more descriptive on the actual issue!
I have a request from a customer and I am quite sure the answer is no, but wondering if someone has a different answer.
Background
As you know MySQL installation create a database called "mysql" where it stores the databases we create and also the users.
In the user table, there is a field called "authentication_string" where the user password is saved.
Project
On this project each time a customer creates an account a new database user and database is created.
When a customer logs in through a web interface, the system calls an API to authenticate him/her. After that the root db user is used to connect to customer database, not their own database credentials, why? because they do not want to save user and password on database (this is a temp solution)
They want to change the application so after authentication/authorization process and they would somehow only needed root credentials to somehow get user and password from "mysql db" and then use them to create the connection using customer db credentials.
Is this possible? Or is there some mysql parent - children configuration where this scenario is possible?
Project uses MySQL 5.7
From what I can understand I think you could just use MySQL’s SET PASSWORD to set some random strong password for the user and then login using that. This way you would not store anything and it would still be pretty secure assuming your root db access is fairly isolated from the thing that’s trying to login as the user.
For example:
SET PASSWORD FOR some_user = <long-strong-randomly-generated-password-string>
Afterwards you return this <long-strong-randomly-generated-password-string> from your access-providing process and then the user process can login using that. In this case it would stay valid until the next SET PASSWORD, so keep that in mind, but depending on your use-case that might be ok.
Error in processing request: No routine with name 'daily_difference' found in database 'chamelis_wp'. You might be lacking the necessary privileges to edit this routine.
If you are using phpMyAdMin (pma) under cPanel, this error results from the fact that cPanel creates a temporary user for every session to log into pma, and therefore the database. If you are working in a hosted environment where you cannot be granted SUPER privileges, and you are creating routines, you are in trouble. Read on.
Stored routines (procedures and functions) in MySQL/Mariadb have a property called DEFINER. This stores the username of the the database user who "owns" that routine. If a db user opens phpMyAdmin (pma) and creates a new routine without explicitly declaring the DEFINER, DEFINER will be populated with the current username. Only a db user that has SUPER permissions can create a routine and declare another user as the DEFINER. Non-SUPER users can only declare themselves as the DEFINER, or leave it blank and the db does it for them. So the db user that you are logged in as gets to be the DEFINER for all routines you create during that session.
The problem you have encountered arises because
a. only the DEFINER of a routine, or a user with SUPER permissions, can edit or export a routine. If a (non-SUPER) user logs in to pma and tries to edit or export an existing routine, then unless they are the DEFINER of that routine they get the error you are seeing, and they cannot access the routine.
b. Even if you have created database user accounts in cPanel, cPanel will not use any of these to launch pma. Under cPanel you are automatically logged using a temp username that it generates. You do not get to see the pma login page - the login happens off-screen - and you are taken straight into the pma home page. You have no control over the username/password used.
d. When you start a new cPanel session (e.g. at the start of each day's work), cPanel changes the temp db user name that it uses to log you into pma. cPanel usernames all have this pattern: "cpses_db...#localhost", where the dots are filled alphanumerics like "hmxbj8s2". I have just logged in and the pma home page tells me that the current database user is "cpses_dbhmxbj8s2#localhost". If I close pma, log out of cPanel, log back into cPanel then reopen pma, the db user name will change. I just did that and the db user for this new session is "cpses_db0z35t107#localhost".
e. If I had created a new routine during my previous session, then the DEFINER for that routine would still be "cpses_dbhmxbj8s2#localhost". Now that I am logged in as "cpses_db0z35t107#localhost", I cannot edit or export that routine. Without a backup or copy of that routine, I have completely lost access to it (it is now, effectively, "orphaned"). The only way to get access is to recreate it using a script without a DEFINER statement in the current session so the the current db user becomes the DEFINER. That user can now edit the routine. This means that every day you would have to recreate all the procedures you want to work on. If you forget to export all the routines changed during the previous session, then you have LOST THOSE CHANGES.
f. Another problem is that if you are also connecting to the database externally using e.g. MySQL Workbench, logging in using a db user you have created, then you can do everything except edit any routines created under pma because these have "cpses_db..." user as the DEFINER.
THE SOLUTIONS:
Install your own copy of pma in your hosted enviroment if that option is available in cPanel. This will have to be installed in a folder in the public-html section of the site so you can access it directly from your browser e.g. https://example.com/pmamyadmin/index.php. Login using a user you have created for your database. This user becomes the DEFINER for all your routines and so long as you always use this username, you can always access your routines. (Never use cPanel's pma!)
Be aware that having a copy of pma in the public_html section of your site introduces security issues. Definitely require passwords in pma's config and if practical use .htaccess to limit access to just your IP, etc. But that's another topic.
Always access the database externally (assuming your host permits this) using a local copy of pma or another client like MySQL Workbench. Again, this allows you to control the username for every session.
FINALLY
If neither of these works for you and you must use cPanel's pma, then export all your routines at the end of every session and recreate them (with no DEFINER statement) at the start of the next session. Currently pma doesn't include the DROP in the routine export function (there a change request in for this) so you have to use a database export to get them included. Unless you want a full backup anyway, you just need to export the structure of one table to get this export to work. Make sure you click the "Include DROP..." and "Include Routines..." in the export definition. Edit the export to delete the table definition and globally replace the "DEFINER=cpses_db...#localhost" with "" before using it to recreate the routines next session.
Hope that helps.
I FIX THIS ISSUE IN CPANEL
This shows that there is lack of routines ( Function, Procedures ) privilege for the current user. This will cause even the edit button of routines to be disabled.
In CPanel there is default user that you can not manage their privileges, So, you can not add or remove their privileges.
<<<<< HOW I FIX IT >>>>>:
FIRST
Drop all routines(Function, Procedure) that you have no privilege from your database
SECOND ( import sql file again )
Find the sql file used to import database and remove DEFINER=root#localhost everywhere.
Then import Edited sql file after remove DEFINER=root#localhost .
I think this solution can help someone.
Thanks
It sounds like you don't have permission to edit it, or you're trying to edit it from the wrong DB (schema). Run the following to see which DB it is on:
show function status like '%daily%';
show procedure status like '%daily%';
Are you trying to edit it by executing a statement or by using the gui? If by executing a statement, can you provide your statement? If by statement, make sure you've run this first:
use db_name_here;
Then try to edit your routine again.
Did your user create the procedure, or another user created it? You may not have permission to modify an user's procedure. You can see who created it by running:
show create procedure daily_difference;
Then see if you have permission to edit procedures by running the below statement - you need "ALTER ROUTINE" privilege:
show grants for Your_username_here;
If a user with super privilege created it, you won't be able to edit it - you'll need them to, or you will need to get super privilege.
I'm replying partly as I have a work around and partly for the comedy, as GoDaddy sent me this page as a solution to this problem where, yes the problem is defined but no, there's no solution.
I had to rebuild my SPs in phpMyadmin but for the DEFINER where root#localhost was present, using an account I had created and could use - account#localhost. cPanel doesn't expose the root account AFAIK.
I didn't have all my SPs' definitions elsewhere. But I found that in cPanel \ files \ backup \ the files from there of the MySQL DBs had the SP definitions. That may not be in your hosting package. Backing up from phpMyAdmin didn't help as I still lacked the privileges to make the back up with the definitions.
Say you created a blog application, and it's data is stored in a MySQL database. In your application configuration you set the data source name to myBlog user root password whatever
Now, when users start using your blog to access, post to, and comment on threads, etc... I am assuming they connect as root through the application myblog ...
So... users connect to the application myBlog who in turn connects to MySQL as user root , using password whatever --- it's not really the users that are connecting to MySQL, it's the application. Correct?
Is there not a security issue with this approach? Should I create a new username in MySQL for the application myBlog with specific privileges and leave root only for administering the database?
yes, the application connects to the db. you should create a new mysql user for your application, do something like
CREATE DATABASE myblog_env;
CREATE USER 'myblogenv-user'#'%' IDENTIFIED BY 'your pw';
GRANT ALL PRIVILEGES ON myblog_env.* TO 'myblogenv-user'#'%' WITH GRANT OPTION;
something like the above should do it. The 'env' part of the above is for if you want to create a new db for difference environments, like dev, stage, prod, whatever....
this way your application user has complete access to its db, but no other dbs in the mysql instance.
First of all, you should NEVER use the root account of a mysql database for anything else then admin work.
Second of all, in theory yes the user of your blog would be the "root" in your mysql database, but hopefully there is a lot of sanatizing and cleaning up in your blogs code before any queries are executed...anything else would be know as an "sql inject"
You are exactly right. This is called the principle of least privilege. You should give the application the minimum access rights that it needs to complete the job. This would not be root.
The short answer is: Yes.
Long answer:
Security: You should have a different user for your application than you do for yourself as the administator. That application user should only have read (and write if necessary) privileges on the specific database it needs to access. Also, it should not have privilege-granting privileges, nor drop table privileges, nor database creation/dropping privileges, nor anything else that is reserved for you.
Convenience: If you ever need to change your password, you don't want to have to change your application, and vice versa.
Currently user using connections to both TEST and PROD instances using MS Access, and everything goes well. By using ABC user. Now user having problems with APPS user in TEST .
Also, user having the same problem with user XYZ in PROD instance. This user has the ‘SELECT ANY TABLE’ privilege, so it should be able to see the tables, but doesn’t work from MS Access.
Please suggest us.
If you're able to connect via a SQL connection (I'm assuming ODBC) then you'll be using a predefined set of credentials (i.e. you'll be passing a username and password to Access; probably through the connection string).
Chances are that if your user is unable to get into the database directly, their network (AD?) account is not configured with the same elevated privileges that the ODBC connection has.