In the world of database management, controlling user access is crucial for maintaining data integrity and security. This blog post will walk you through a real-world scenario of setting up MySQL user permissions, including the process, potential pitfalls, and debugging steps.
Imagine you're a database administrator for a company that has several databases:
Your task is to set up permissions for a user named 'analyst' with the following requirements:
Let's dive into how we can achieve this using MySQL's GRANT and REVOKE statements.
First, we need to connect to the MySQL server with an administrative account:
mysql -h hostname -P port -u admin -p
Replace 'hostname', 'port', and 'admin' with your actual server details and admin username.
If the user doesn't already exist, we need to create it:
CREATE USER 'analyst'@'%' IDENTIFIED BY 'password';
Replace 'password' with a strong, secure password.
Now, let's grant the required permissions:
-- Grant SELECT on original databases
GRANT SELECT ON products.* TO 'analyst'@'%';
GRANT SELECT ON customers.* TO 'analyst'@'%';
GRANT SELECT ON orders.* TO 'analyst'@'%';
GRANT SELECT ON analytics.* TO 'analyst'@'%';

-- Grant all privileges on copy databases
GRANT ALL PRIVILEGES ON products_copy.* TO 'analyst'@'%';
GRANT ALL PRIVILEGES ON customers_copy.* TO 'analyst'@'%';
GRANT ALL PRIVILEGES ON orders_copy.* TO 'analyst'@'%';
GRANT ALL PRIVILEGES ON analytics_copy.* TO 'analyst'@'%';

-- Grant global privileges
GRANT PROCESS, SHOW DATABASES ON *.* TO 'analyst'@'%';

-- Apply the changes
FLUSH PRIVILEGES;
After setting up the permissions, it's crucial to verify them:
SHOW GRANTS FOR 'analyst'@'%';
In our scenario, we initially encountered an issue where 'analyst' had too many privileges:
mysql> SHOW GRANTS FOR 'analyst'@'%';
-----------------------------------------------------
| Grants for analyst@% |
-----------------------------------------------------
| GRANT SELECT, INSERT, UPDATE, DELETE, CREATE, DROP, RELOAD, PROCESS, REFERENCES, INDEX, ALTER, SHOW DATABASES, CREATE TEMPORARY TABLES, LOCK TABLES, EXECUTE, REPLICATION SLAVE, REPLICATION CLIENT, CREATE VIEW, SHOW VIEW, CREATE ROUTINE, ALTER ROUTINE, CREATE USER, EVENT, TRIGGER ON *.* TO "analyst"@"%" WITH GRANT OPTION |
| GRANT REPLICATION_APPLIER,ROLE_ADMIN ON *.* TO "analyst"@"%" WITH GRANT OPTION |
...
-----------------------------------------------------
To fix this, we revoked all privileges and then granted only the necessary ones:
REVOKE ALL PRIVILEGES, GRANT OPTION FROM 'analyst'@'%';
GRANT PROCESS, SHOW DATABASES ON *.* TO 'analyst'@'%';
-- Then re-grant the specific permissions as shown in Step 3
After fixing the excessive privileges, we noticed that the permissions for the copy databases were missing:
mysql> SHOW GRANTS FOR 'analyst'@'%';
-----------------------------------------------------
| Grants for analyst@% |
-----------------------------------------------------
| GRANT PROCESS, SHOW DATABASES ON *.* TO "analyst"@"%" |
| GRANT SELECT ON "products".* TO "analyst"@"%" |
| GRANT SELECT ON "customers".* TO "analyst"@"%" |
| GRANT SELECT ON "orders".* TO "analyst"@"%" |
| GRANT SELECT ON "analytics".* TO "analyst"@"%" |
-----------------------------------------------------
We added the missing grants for the copy databases:
GRANT ALL PRIVILEGES ON products_copy.* TO 'analyst'@'%';
GRANT ALL PRIVILEGES ON customers_copy.* TO 'analyst'@'%';
GRANT ALL PRIVILEGES ON orders_copy.* TO 'analyst'@'%';
GRANT ALL PRIVILEGES ON analytics_copy.* TO 'analyst'@'%';
FLUSH PRIVILEGES;
After applying all these changes and fixes, the final grants should look like this:
mysql> SHOW GRANTS FOR 'analyst'@'%';
-----------------------------------------------------
| Grants for analyst@% |
-----------------------------------------------------
| GRANT PROCESS, SHOW DATABASES ON *.* TO "analyst"@"%" |
| GRANT SELECT ON "products".* TO "analyst"@"%" |
| GRANT SELECT ON "customers".* TO "analyst"@"%" |
| GRANT SELECT ON "orders".* TO "analyst"@"%" |
| GRANT SELECT ON "analytics".* TO "analyst"@"%" |
| GRANT ALL PRIVILEGES ON "products_copy".* TO "analyst"@"%" |
| GRANT ALL PRIVILEGES ON "customers_copy".* TO "analyst"@"%" |
| GRANT ALL PRIVILEGES ON "orders_copy".* TO "analyst"@"%" |
| GRANT ALL PRIVILEGES ON "analytics_copy".* TO "analyst"@"%" |
-----------------------------------------------------
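Both problems we hit while debugging, excess privileges and missing grants, can be caught automatically by diffing the SHOW GRANTS output against the intended policy. The Python script below is an added example, not part of the original post; the names EXPECTED, parse_grants and audit are illustrative, and the sample rows are the intermediate output shown earlier.

```python
import re

DBS = ("products", "customers", "orders", "analytics")
# Intended policy from the post (variable names are assumptions): scope -> privileges.
EXPECTED = {"*.*": {"PROCESS", "SHOW DATABASES"}}
EXPECTED.update({f"{db}.*": {"SELECT"} for db in DBS})
EXPECTED.update({f"{db}_copy.*": {"ALL PRIVILEGES"} for db in DBS})
GRANT_RE = re.compile(
    r"GRANT\s+(?P<privs>.+?)\s+ON\s+(?P<scope>\S+)\s+TO\s+\S+"
    r"(?P<opt>\s+WITH\s+GRANT\s+OPTION)?$", re.IGNORECASE)

def parse_grants(lines):
    """Return ({scope: privileges}, scopes granted WITH GRANT OPTION)."""
    grants, with_option = {}, set()
    for line in lines:
        m = GRANT_RE.match(line.strip().strip("|").strip().rstrip(";"))
        if not m:
            continue  # table borders, header row, prompt line
        scope = re.sub(r'[`"]', "", m["scope"])  # `db`.* or "db".* -> db.*
        privs = {p.strip().upper() for p in m["privs"].split(",")}
        privs.discard("USAGE")  # USAGE means "no privileges"
        grants.setdefault(scope, set()).update(privs)
        if m["opt"]:
            with_option.add(scope)
    return grants, with_option

def audit(lines, expected=EXPECTED):
    """Compare SHOW GRANTS rows with the policy; return a list of findings."""
    grants, with_option = parse_grants(lines)
    findings = []
    for scope in sorted(set(grants) | set(expected)):
        have, want = grants.get(scope, set()), expected.get(scope, set())
        if have - want:
            findings.append(("EXCESS", scope, sorted(have - want)))
        if want - have:
            findings.append(("MISSING", scope, sorted(want - have)))
    findings += [("GRANT_OPTION", s, []) for s in sorted(with_option)]
    return findings

# Rows from the post's intermediate output (copy-database grants missing).
SAMPLE = '''
| GRANT PROCESS, SHOW DATABASES ON *.* TO "analyst"@"%"|
| GRANT SELECT ON "products".* TO "analyst"@"%" |
| GRANT SELECT ON "customers".* TO "analyst"@"%" |
| GRANT SELECT ON "orders".* TO "analyst"@"%" |
| GRANT SELECT ON "analytics".* TO "analyst"@"%" |
'''.splitlines()
if __name__ == "__main__":
    print(*audit(SAMPLE), sep="\n")
```

Privilege names are compared literally, so ALL PRIVILEGES on a database where only SELECT is expected is reported as both an excess privilege and a missing SELECT.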
Setting up proper MySQL user permissions can be tricky, but it's a crucial aspect of database management. By carefully using GRANT and REVOKE statements, and always verifying the results, you can create a secure and functional environment for your users.
Remember these key points:
By following these guidelines and the steps outlined in this post, you'll be well-equipped to manage MySQL user permissions effectively.