I've written all of my MySQL procedures as root@localhost:
CREATE DEFINER=`root`@`localhost` PROCEDURE `p_add_user`(...)
Trouble is, when deploying to another server, I have to replace root with current user and replace localhost with current IP, which is annoying.
Is there any way to write procedures so that someone who wants to use my database and procedures would not have to modify the definer of each procedure?
As stated in MySQL documentation here
CREATE
[DEFINER = { user | CURRENT_USER }]
PROCEDURE sp_name ([proc_parameter[,...]])
[characteristic ...] routine_body
So, the DEFINER part is not mandatory, just CREATE PROCEDURE should work.
[EDIT: updated ref page]
You can specify execution privileges by adding the following statement in the procedure body (after declaration):
SQL SECURITY INVOKER
Example:
CREATE DEFINER=`root`@`localhost` PROCEDURE `p_add_user`()
SQL SECURITY INVOKER
(...)
Doing so, the actual invoker privileges are applied and the DEFINER part is omitted (even when it is auto-added during schema import).
Full reference here:
https://dev.mysql.com/doc/refman/5.7/en/stored-objects-security.html
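An added example, not from the original answers, that puts both points together: the procedure from the question rewritten with no DEFINER clause and with SQL SECURITY INVOKER, followed by a query that checks what the server actually recorded. The app_user table and the procedure parameter are assumptions for illustration.

```sql
-- Added example: portable procedure definition (no DEFINER clause, INVOKER security).
-- Table and parameter names are assumed; run the script as the deploying account.
CREATE TABLE IF NOT EXISTS app_user (
  id   INT AUTO_INCREMENT PRIMARY KEY,
  name VARCHAR(64) NOT NULL
);

DELIMITER $$
DROP PROCEDURE IF EXISTS p_add_user $$
-- No DEFINER clause: the server stores CURRENT_USER() of the session running this,
-- so the same script deploys unchanged on any server under any account.
CREATE PROCEDURE p_add_user(IN p_name VARCHAR(64))
    SQL SECURITY INVOKER   -- callers need INSERT on app_user themselves
BEGIN
  INSERT INTO app_user (name) VALUES (p_name);
END $$
DELIMITER ;

-- Check what was recorded: DEFINER is the deploying account, SECURITY_TYPE is INVOKER.
SELECT ROUTINE_NAME, DEFINER, SECURITY_TYPE
FROM information_schema.ROUTINES
WHERE ROUTINE_SCHEMA = DATABASE() AND ROUTINE_NAME = 'p_add_user';
```

Note that a dump taken with mysqldump writes the recorded DEFINER back into the CREATE statement, so strip that clause from the dump before importing it on another server.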
CREATE DEFINER=[your_web_user]@% PROCEDURE p_add_user(...)
Check it; this will probably help you if you want to define the user in your procedure.
In MSSQL I'm used to using roles for security and permissions but in MySQL/MariaDB it seems that users are a staple that you can't really get around. One specific case I'm wondering about is a DEFINER on a view or stored procedure. I essentially can't script that object without knowing what user it should run as ahead of time, in my case. Is there a way to define it with a specific role instead of a user?
You can use
CREATE DEFINER=`your role` PROCEDURE / FUNCTION ()
SQL SECURITY DEFINER -- that's the default
begin
....
end
'Your role' must have EXECUTE permission for the procedure and all the privileges needed inside the procedure.
I have two MySQL users:
mysql_user_1
mysql_user_2 (EXECUTE permission only)
mysql_user_1 created a stored procedure getRecord(int uid_of_record) which runs a SELECT * FROM TABLE WHERE uid=?. Can mysql_user_2 execute that stored procedure without having the SELECT privilege?
This is explained in detail in the MySQL documentation Access Control for Stored Programs and Views.
A stored procedure can be defined with either:
SQL SECURITY DEFINER
or
SQL SECURITY INVOKER
If it's DEFINER, the procedure executes with the permissions of the user who defined the procedure; in your case, if mysql_user_1 has SELECT privilege, the procedure will work for mysql_user_2.
If it's INVOKER, the procedure executes with the permissions of the user running the procedure. The procedure won't work for mysql_user_2 in this case.
If you don't have this clause in the procedure, it defaults to DEFINER.
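An added example, not from the original answer, that builds the two-user setup from the question twice, once with SQL SECURITY DEFINER and once with SQL SECURITY INVOKER, so the difference can be observed directly. The demo schema, the records table and the passwords are placeholders; the script is assumed to run as an administrative account, since setting another account as DEFINER needs that.

```sql
-- Added example: DEFINER vs INVOKER with an EXECUTE-only caller.
-- Schema, table and passwords are constructed placeholders.
CREATE DATABASE IF NOT EXISTS demo;
USE demo;
CREATE TABLE IF NOT EXISTS records (uid INT PRIMARY KEY, payload VARCHAR(100));
INSERT INTO records VALUES (1, 'reachable only through the procedure');

CREATE USER IF NOT EXISTS 'mysql_user_1'@'localhost' IDENTIFIED BY 'placeholder-1';
CREATE USER IF NOT EXISTS 'mysql_user_2'@'localhost' IDENTIFIED BY 'placeholder-2';
GRANT SELECT ON demo.records TO 'mysql_user_1'@'localhost';
-- mysql_user_2 gets no SELECT on the table at all, only EXECUTE (granted below).

DELIMITER $$
CREATE DEFINER = 'mysql_user_1'@'localhost' PROCEDURE getRecord(IN p_uid INT)
    SQL SECURITY DEFINER      -- body runs with mysql_user_1's privileges
BEGIN
  SELECT * FROM records WHERE uid = p_uid;
END $$

CREATE DEFINER = 'mysql_user_1'@'localhost' PROCEDURE getRecordInvoker(IN p_uid INT)
    SQL SECURITY INVOKER      -- body runs with the caller's privileges
BEGIN
  SELECT * FROM records WHERE uid = p_uid;
END $$
DELIMITER ;

GRANT EXECUTE ON PROCEDURE demo.getRecord        TO 'mysql_user_2'@'localhost';
GRANT EXECUTE ON PROCEDURE demo.getRecordInvoker TO 'mysql_user_2'@'localhost';

-- Now connect as mysql_user_2 and run:
CALL demo.getRecord(1);         -- returns the row: the definer has SELECT
CALL demo.getRecordInvoker(1);  -- ERROR 1142: SELECT command denied to user
                                -- 'mysql_user_2'@'localhost' for table 'records'
```

The DEFINER variant is the one that lets a caller reach data it could not query directly, so the definer account's grants should be no wider than the procedure body needs.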
I have created some stored procedure on a specific schema.
In this stored procedure, I want to grant execute privilege.
So I wrote that :
GRANT EXECUTE ON PROCEDURE schema_name.proc_name TO 'user_name';
GRANT SELECT ON mysql.proc to 'user_name';
The problem is : My user can see every stored procedure.
I wish he could only see the procedure where he has the EXECUTE privilege.
Is there a way to achieve that ?
Thanks in advance.
Yes... this works as expected if you don't grant the user the SELECT privilege on the mysql.proc table, either directly or indirectly, such as with GRANT SELECT ON *.* TO ...
Without SELECT permission on this table, a user can only see the existence of stored procedures and stored functions where they have other permissions, like EXECUTE.
Under the hood, the lack of SELECT on mysql.proc also prevents the user from seeing the procedures they don't have access to via the information_schema.routines pseudo-table.
You shouldn't need to GRANT SELECT ON mysql.proc to enable the user to execute procedures or functions... and if you do, then that seems like the question.
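An added example, not from the original answer, of the grant set the answer recommends together with two checks the restricted account can run to confirm it sees only the routine it may execute. The schema, routine and account names are the placeholders from the question; the password is constructed.

```sql
-- Added example: EXECUTE on one routine, no SELECT on mysql.proc, then verify visibility.
-- Names are the question's placeholders; run the grants as an administrator.
CREATE USER IF NOT EXISTS 'user_name'@'localhost' IDENTIFIED BY 'placeholder';
GRANT EXECUTE ON PROCEDURE schema_name.proc_name TO 'user_name'@'localhost';
-- Deliberately absent: GRANT SELECT ON mysql.proc ... and GRANT SELECT ON *.* ...

-- As the administrator: confirm no global or mysql.proc SELECT is present.
SHOW GRANTS FOR 'user_name'@'localhost';

-- As 'user_name': only routines this account may execute are listed,
-- so the expected result is exactly one row, proc_name.
SELECT ROUTINE_SCHEMA, ROUTINE_NAME, ROUTINE_TYPE, DEFINER
FROM information_schema.ROUTINES
WHERE ROUTINE_SCHEMA = 'schema_name';

-- As 'user_name': the routine is visible, but without rights to its body the
-- "Create Procedure" column comes back NULL, so the source stays hidden.
SHOW CREATE PROCEDURE schema_name.proc_name;
```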
Problem solved.
In fact, to be able to execute a stored procedure within MySQLForExcel, we need to SET the DEFINER of each stored procedure that we want to be called by a MySQLForExcel user.
DELIMITER $$
DROP PROCEDURE IF EXISTS `procedure_name` $$
CREATE DEFINER=`user_mysqlforexcel` PROCEDURE `procedure_name`(param)
BEGIN
Do smth as usual
END $$
I found that here
Thanks for the help.
Example:
A non-super user has been granted execute on a procedure that inserts into table "a". That user will see the database that table "a" is in with a "show databases", but will not be able see table "a" with a "show tables". But that same user can see basic procedure info with a "show procedure status".
This is for auditing and I would like to have the audit process as obscured as possible. If a user is granted execute on a procedure must that user have the ability to see the procedure? And must they be able to see the database that the procedure touches?
If you are the owner of the procedure or if you have access to mysql.proc table you can see the definition of the procedure as stated here.
So you would create the procedure as super and set DEFINER CURRENT_USER (so the procedure executes as super). Then make sure super has access to the table but that no one else does. That should protect both the table and the source but leave it possible to call on the procedure.
And it doesn't have to be super; it can be any user that has access to the table.
I have a stored procedure in MySQL. When I run SHOW PROCEDURE STATUS LIKE 'sp_name' I get some columns that explains the stored procedure.
The definer is set to Definer root@% and Security_type is set to DEFINER. Does this mean that only the root user can call the stored procedure?
Does this mean that only the root-user can call the stored procedure?
No, it doesn't. Any user with EXECUTE privilege can call this procedure.
From the reference - The SQL SECURITY characteristic can be used to specify whether the routine should be executed using the permissions of the user who creates the routine or the user who invokes it.
CREATE PROCEDURE Syntax.