Is there any way to grant permission to a MySQL Server based on the host and not the username/password. So whitelisted hosts can connect to the MySQL server without using a username or password.
Would doing so improve performance at all?
(the servers are on a LAN that's not connected to the internet at all, security is of no concern for this setup, only performance)
Yes - that'd be possible to configure. Check out the documentation for the GRANT command.
I'm not sure you'd get any notable performance gain from that. I think that the most potentially time consuming element of authentication is the reverse mapping of IP addresses.
All of the doc is here: http://dev.mysql.com/doc/refman/5.0/en/privilege-system.html
It's not going to help performance, but you can try playing around with allowing any user from your given host or IP range:
e.g.
mysql> GRANT SELECT ON test.* TO '%'#'some_host_or_ip' IDENTIFIED BY '';
Related
I am very frustrated that I am trying this from over 5 days.
I need to create database on my PC that has to be visible for all other PCs in the same LAN.
I tried with XAMPP - Apache + MySQL - no result even after reading all articles from first 2 pages of Google and watching many youtube clips.
Now I am trying with MySQL Server 8.0 on my PC. I tried again all of Google first pages stuff without result. How can I do that?
I know that this has been asked many times here but there is no complex solution at all.
Does anybody of you have tutorial that is tested nowadays and it is working?
you should provide more details like the error message you get when connecting to the remote mysql server, anyway, to allow remote access, here is a checklist you need to go through:
grant permission, mysql by default only allow access from localhost(127.0.0.1), to allow other ip access:
// replace root for the username, '123456' for the password
grant all privileges on . to 'root'#'%' identified by '123456';
flush privileges;
check your server firewall settings to allow your mysql through port 3306(default)
others:
for linux server I think you also need to comment out "bind address" in your mysql config file;
some other issues for example your mysql client autodetect the wrong timezone, you may need to manually set it;
check your inbound rule on your client pc;
etc.
my suggestion for you, don't just google around blindly, think about it logically first, sometimes there is no direct answer
The problem was in connection String.
static final String USERNAME="[username]";
static final String PASSWORD="[password]";
static final String CONN_STRING="jdbc:mysql://[ip-address]:[port]/[database-name]";
So as LIU YUE suggested I just granted access for this username. The problem was that my other computer has a different name.
I just exported my tables from one web host to another (AWS).
Thinking everything would go smoothly (yeah right), well, everything that can go wrong has gone wrong.
I get this error when trying to query my database (which I didn't get before):
SQLSTATE[HY000] [1130] Host '<my ip address>' is not allowed to connect to this MySQL server
This is the same error from this post:
Host 'xxx.xx.xxx.xxx' is not allowed to connect to this MySQL server
The solution in that post seems to revolve around having an administrative user. I am developing a chat application so every user needs to access the server (so I'm sure it's a bad idea to give them all administrative privileges).
The answer by Pascal in that link says, If you are using mysql for a client/server application, prefer a subnet address. but I honestly don't understand what he means by that. And because of the amount of solutions, I'm not exactly sure which one I should follow based on my case.
How do I resolve this?
MySQL has security tables that determine who is allowed to connect and from what host IP address.
Here's a good article on how to do it:
http://www.cyberciti.biz/tips/how-do-i-enable-remote-access-to-mysql-database-server.html
If you have a lot of connections, consider setting up a server to accept the connections and talk to the sql server. The easiest approach to this is to set up a REST interface and use a web server. Web servers are usually also highly optimized and relatively bug free.
In a similar architecture on AWS, I use nginx happily.
Make sure you have bind-address=YOUR-SERVER-IP in my.cnf and make sure you have a user hd1#172.31.39.86 or hd1#%, the latter being a MySQL wildcard on the MySQL server. More information here. You may also need to grant access to port 3306 (the default MySQL port) on the security groups section of the AWS console.
// IN YOUR MYSQL WORKBENCH You Have to Execute below query
CREATE USER 'root'#'1.2.1.5(Your Application Server IP)' IDENTIFIED BY 'pass';
GRANT ALL PRIVILEGES ON *.* TO 'root'#'10.200.1.54' WITH GRANT OPTION;
AFTER CREATING YOU CAN VIEW USING BELOW QUERY
SELECT * FROM mysql.user WHERE User = 'root';
How is the host for a MySQL user evaluated by the database? My server tries to connect to the database from myhostname but fails even though I've set the hostname for that server in /etc/hostname It does work when I use an IP though.
The user was created like so:
GRANT ALL ON db.* TO 'dude'#'myhostname';
The MySQL error will tell you the hostname the server machine thinks your user is connecting from. Depending on DNS settings, this may or may not be the hostname your client thinks is assigned to itself. The name as seen from the server is the one you need to set in your GRANT statement.
(Which is logical. Suppose I know that the server gives privileges to host Alice. I have host Bob. Since it's my host, I can change its name to Alice. If just doing this granted me Alice's privileges, the whole GRANT scheme would be completely insecure! What happens is that my host thinks it's Alice, but the server sees my IP, asks the DNS "Who is this?" and receives "He's Bob". I still can steal Alice's privileges, but I need to compromise the DNS records somehow)
In a pinch, add the client IP and hostname to the server /etc/hosts file. This is a hack, however, and proper DNS setting is the way to go: a forgotten hosts hack might cost you a long time of head scratching a few months down the road.
As explained in DNS Lookup Optimization and the Host Cache from the MySQL manual:
The server performs host name resolution using the thread-safe gethostbyaddr_r() and gethostbyname_r() calls if the operating system supports them. Otherwise, the thread performing the lookup locks a mutex and calls gethostbyaddr() and gethostbyname() instead.
Therefore the resolution of the connecting IP to myhostname is a matter for the operating-system, rather than MySQL. You should first determine that your OS is correctly resolving the client IP and, if not, debug your OS or nameservice configuration (questions on this subject might be better directed to Super User or Sever Fault, rather than StackOverflow).
I would like to know how can you connect to postgresql in these conditions:
allow you to access them from any location (do IP filtering)
safe connection (no risk on having your password captured)
easy to setup, preferably having to configure only the server for that.
I know that the recommended approach is to used SSH port forwarding, but this requires you to start the port forwarding before trying to connect to these databases.
What is the easiest method to acquire a good enough security without having to do complex setup on the client.
Is there a way to auto enable the port forwarding stuff on demand?
For PostgreSQL you would start by making sure you are using an SSL-enabled build. (I think that is the default for most installers.)
Then you would need to allow the server to accept remote connections by setting listen_addresses (which specifies which IP addresses the server will listen on): http://www.postgresql.org/docs/9.1/interactive/runtime-config-connection.html
The pg_hba.conf file allows you to specify which users can connect to which databases from which IP addresses using which authentication methods. There are a lot of authentication methods from which to choose: http://www.postgresql.org/docs/9.1/interactive/client-authentication.html
Regarding what needs to be done on the client side, the details will depend on what connector you are using from which environment; as an example, the PostgreSQL JDBC driver uses an SSL connection by default if available. To tell the JDBC driver not to accept a connection unless it can use SSL, you set a JDBC connection property: ssl=true. http://jdbc.postgresql.org/documentation/head/ssl-client.html
Sorry, but I don't know how MySQL manages any of this.
I am myself trying to find the answer for Postgre, but here is what you can do for MySQL.
First, you need to enable remote access to your database. You can create a user with remote access ability as follows.
GRANT ALL ON *.* to user#address IDENTIFIED BY 'password';
flush privileges;
More details here.
To add security to this, you can add a 'REQUIRE SSL' to the GRANT command as follows
GRANT ALL ON *.* to user#address IDENTIFIED BY 'password' REQUIRE SSL;
All this needs to be done on the server side. On the client, you just need to provide the required certificates that it will need to connect.
For details on creating certificates, the MySQL site has a step by step guide here
I have a database to work with. There is phpMyAdmin and it works good but I want to use an external database manager. I use the same login account what PhP script uses, still query browser doesnt see a database.
Anyone can know why?
I would guess that with phpMyAdmin, you are accessing MySQL from the WebServer that has IP address 1.0.0.1.
Then, from the external DB manager, you are accessing from IP address 1.0.0.2.
MySQL handles authentication and authorization using IP address (among other things) to authorize. So it's probably the case that you don't have all permissions for 1.0.0.2 in your MySQL database.
Your account is probably limited to 'localhost' only, try adding 'user'#'remote-ip' aswell.
For example:
GRANT ALL ON db.* TO 'jsmith'#'office.example.com' IDENTIFIED BY 'password';
FLUSH PRIVILEGES;