Is it possible in MySQL to do a GRANT to a user on a set of tables within a database, e.g. to allow CREATE AND DROP ing of some table names but not others?
Neither of these seem to work:
GRANT SELECT ON `testdb`.`%_testing` TO 'wildcardtest'#'localhost';
GRANT SELECT ON `testdb`.`testing%` TO 'wildcardtest'#'localhost';
and the MySQL manual doesn't seem to give an answer either way.
The only wildcard that works in the GRANT statement is *
GRANT SELECT ON `testdb`.* TO 'user'#'localhost';
GRANT SELECT ON *.* TO 'privilegeduser'#'localhost';
It's all or one; there's no facility for dynamic matching of table names to granted privileges.
Nope. You can separate table names with commas but can't use wildcards in a GRANT.
Create a new empty database .
Give it access to the original database ( use a user who allready have access to original database )
in this new database
CREATE VIEW test as SELECT * from originaldatabase.tablename
WHERE conditions...
Then give test user access to NewDatabase whith
GRANT select on NewDatabase.* to 'testuser'#'localhost'
Then only create views for the tables you want testuser to access.
Also remember you can do a USER() in the WHERE part of the view:
example:
create view test as
select * from original.customer where mysql_user = USER()
In the original.customer you must then have a column 'mysql_user'
and every row the test user is allowed to see must have testuser#localhost as a entry
The testuser will see all the created views as tables in the database 'test'
Related
Is it possible in MySQL to do a GRANT to a user on a set of tables within a database, e.g. to allow CREATE AND DROP ing of some table names but not others?
Neither of these seem to work:
GRANT SELECT ON `testdb`.`%_testing` TO 'wildcardtest'#'localhost';
GRANT SELECT ON `testdb`.`testing%` TO 'wildcardtest'#'localhost';
and the MySQL manual doesn't seem to give an answer either way.
The only wildcard that works in the GRANT statement is *
GRANT SELECT ON `testdb`.* TO 'user'#'localhost';
GRANT SELECT ON *.* TO 'privilegeduser'#'localhost';
It's all or one; there's no facility for dynamic matching of table names to granted privileges.
Nope. You can separate table names with commas but can't use wildcards in a GRANT.
Create a new empty database .
Give it access to the original database ( use a user who allready have access to original database )
in this new database
CREATE VIEW test as SELECT * from originaldatabase.tablename
WHERE conditions...
Then give test user access to NewDatabase whith
GRANT select on NewDatabase.* to 'testuser'#'localhost'
Then only create views for the tables you want testuser to access.
Also remember you can do a USER() in the WHERE part of the view:
example:
create view test as
select * from original.customer where mysql_user = USER()
In the original.customer you must then have a column 'mysql_user'
and every row the test user is allowed to see must have testuser#localhost as a entry
The testuser will see all the created views as tables in the database 'test'
Does MySQL treat an explicit hostname the same as a hostname with a wild card? For example, I have created a user via the following:
CREATE USER IF NOT EXISTS 'iga'#'ip-10-11-2-150.aws.example.hostname' IDENTIFIED BY 'SOMEPASSWORD';
Now, I want to grant the user permissions. Could I do it like the following, where the wildcard resolves any user from an ip-10-11-2-anything address?
GRANT INSERT, UPDATE, DELETE, SELECT ON iga.* TO 'iga'#'ip-10-11-2-%';
Or, do I have to explicitly put the same hostname as the user is created with, like the following:
GRANT INSERT, UPDATE, DELETE, SELECT ON iga.* TO 'iga'#'ip-10-11-2-150.aws.example.hostname';
Those are two distinct users. If we run this statement:
GRANT SELECT ON iga.* TO 'iga'#'ip-10-11-%'
Then MySQL will attempt to create a new user
'iga'#'ip-10-11-%'
This user is separate and distinct from the user created with the CREATE USER statement:
'iga'#'ip-10-11-2-150.aws.example.hostname'
which does not get the SELECT privilege. To give privileges to that user, We would need to give the full name that user in a GRANT statement:
GRANT SELECT ON iga.* TO 'iga'#'ip-10-11-2-150.aws.example.hostname'
When a session connects to MySQL, it matches one row in the mysql.user table; it will find an exact match if it exists, otherwise, it may find a wildcard match. But once it matches a user, that's the only user it matches. The session gets only the privileges associated with the one user, not privileges granted to other users that would also be wildcard matches.
List item Initially a TEMP table created by a Stored Procedure, which does some ACTIONS
There are these several TEMP tables thus created by this above said SP.
I want to give SELECT permission for some of my SQL Users for these TEMP tables which was dynamically created by the above SP's
For the above req, I tried the below query from a ROOT user to give permission for the table with the prefix temp
GRANT ALL PRIVILEGES ON dbname .`Temp%` TO 'TEST'#'%' WITH GRANT OPTION;
But, still the above privileges for the user 'TEST' can't able to SELECT these TEMP tables and gves the below err:
SELECT command denied to user 'TEST'#'localhost' for table
'temp_ccdata_20140904101131_2'
pls anyone suggest if there are any possibilities to grant SELECT access for the dynamic tables created by a Stored Procedure
THANKS IN ADVANCE
As stated by #wchiquito, the _ and % wilcards are permitted when specifying database names. A possible workaround for using wildcards in the table name of a GRANT query follows:
SELECT CONCAT('GRANT SELECT ON dbname.', TABLE_NAME, ' TO user;')
FROM INFORMATION_SCHEMA.TABLES
WHERE TABLE_SCHEMA = 'dbname' AND TABLE_NAME LIKE 'prefix%';
Replacing dbname with exampledb, user with tony42 and prefix with foo_ should return queries like:
GRANT SELECT ON exampledb.foo_usertable TO tony42
You can then use these execute these queries to achieve the permission changes you seek. It may not be the most elegant but will get the job done. Also, you may want to wrap the names in back ticks to account for spaces and such.
How can I restrict a user_account in MySQL database to a particular tables. Ex:
UserName: RestrictedUser
DatabaseName: db_Payroll
TableName:
tb_Employees
tb_Users
tb_Payroll_YYMMDD
tb_Payroll_Processed
I want to restrict "RestrictedUser" to tb_Users and tb_Employees only and the rest of the tables of db_Payroll that will be created for future use is granted to have access.
Assuming the user has no current privileges, you can do the following
GRANT SELECT, INSERT, DELETE ON db_Payroll.tb_Users TO RestrictedUser#'%'
GRANT SELECT, INSERT, DELETE ON db_Payroll.tb_Employees TO RestrictedUser#'%'
Depending on exactly which privileges you wish to grant the user, you can change SELECT, INSERT, DELETE to something else, e.g. ALL PRIVILEGES.
Afterwards, remember to flush the privileges so they become effective by running
FLUSH PRIVILEGES;
You can grant access to individual tables by running:
GRANT ALL ON db_Payroll.tb_Users to RestrictedUser#RestrictedHostName;
And similarly for other tables. Use a list of operations instead of ALL if appropriate.
You cannot grant access to individual tables which do not exist yet without granting access to all tables.
Assuming the user has no current privileges, if you have a lot of tables and you only want to give the user access to a few of those tables, the simplest work-around I know of is using a technique I personally refer to as QueryCeption™ (Query Within a Query):
SELECT GROUP_CONCAT(CONCAT('grant select on `db_Payroll`.', table_name, ' to `RestrictedUser`#`%`') SEPARATOR ';
') from information_schema.tables where table_schema = 'db_Payroll' and
table_name not in ('TABLE-YOU-WANT-TO-RESTRICT-1', 'TABLE-YOU-WANT-TO-RESTRICT-2','TABLE-YOU-WANT-TO-RESTRICT-3');
This will output a text field that you can copy and paste into your editor. This particular example will grant SELECT privileges to all tables that are not within the restricted table array for that user.
How do I give a user access to specific tables within a MySQL database?
grant select on table to username
Find the below example, Modify it according to your needs.
GRANT SELECT ON db_base.* TO db_user#'localhost' IDENTIFIED BY 'db_passwd';