Partial revokes with MariaDB - mariadb

I want to use MySQL partial revokes in MariaDB, but there does not seem to be any reference to it in the docs, so is there a workaround?
I grant user foo privileges on *.*, and I want to partially revoke its permission to select column password on table users - how can I do this?
CREATE USER 'foo'@'%' IDENTIFIED BY 'password';
GRANT SELECT, INSERT, DELETE, UPDATE ON *.* TO 'foo'@'%';
REVOKE SELECT (password) ON production.users FROM 'foo'@'%';
Such a thing results in:
ERROR 1147 (42000): There is no such grant defined for user 'foo' on host '%' on table 'user'
Version: 10.3.31-MariaDB-0+deb10u1-log
Perhaps I could do something like this easily with roles? If so, can you give examples to do so?

MDEV-14443 negative grants is actively being worked on so hopefully 10.9.
At the moment creating the grants excluding your password is one option.
The other is putting the password (by which I hope you mean a uniquely salted hash or KDF) in a different table.
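One way to build "the grants excluding your password" on 10.3, as an added example that is not part of the original answer: the global SELECT is replaced by narrower grants, and the column list for production.users is generated from information_schema so that only password is left out. The account, schema, table and column names are the ones from the question.

```sql
-- Added example. A column-level REVOKE cannot carve a hole in a grant made
-- at a higher level, so SELECT has to stop being global first.
-- INSERT, DELETE and UPDATE on *.* are left as granted.
REVOKE SELECT ON *.* FROM 'foo'@'%';

-- Generate table-level SELECT for every other table in production.
SELECT CONCAT('GRANT SELECT ON `production`.`', table_name,
              '` TO ''foo''@''%'';') AS grant_stmt
FROM information_schema.tables
WHERE table_schema = 'production'
  AND table_type = 'BASE TABLE'
  AND table_name <> 'users';

-- Generate column-level SELECT on production.users for every column
-- except password.
SELECT CONCAT('GRANT SELECT (',
              GROUP_CONCAT(CONCAT('`', column_name, '`')
                           ORDER BY ordinal_position SEPARATOR ', '),
              ') ON `production`.`users` TO ''foo''@''%'';') AS grant_stmt
FROM information_schema.columns
WHERE table_schema = 'production'
  AND table_name = 'users'
  AND column_name <> 'password';

-- After running the generated statements, check what the account holds.
-- SELECT on schemas other than production has to be granted again per database.
SHOW GRANTS FOR 'foo'@'%';
SELECT table_name, column_name, privilege_type
FROM information_schema.column_privileges
WHERE grantee = '''foo''@''%''' AND table_schema = 'production';
```

With these grants, SELECT * on production.users fails for foo, and a column added to the table later is not readable until it is granted.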

Related

Can not create a new database on phpmyadmin because of this error - 1044 - Access denied for user 'xxx' to database 'zzz'

I need to import a sql. database to Wordpress through phpMyAdmin.
Anytime I want to create a new database this error happens (#1044 - Access denied for user 'xxx' to database 'zzz').
Thanks for your help.
You can check all the privileges of the database user and also check your SQL file. It may mention "CREATE DATABASE '*******'"; if it does, remove that. Most of the time this #1044 tells you to check your database user and the permissions on your database. I think this suggestion will help you.
As the others have mentioned, shared hosting environments generally don't allow you to create any arbitrary database name, sometimes you're limited to only one database and sometimes it has to be a subset of your username or something. If that's the case, you'll need to edit the .sql file to force it to use the database name you've been assigned.
If that's not the case, it's likely the user you are logged in as doesn't have the privileges to create a new database, so you'll need to log in as a user that does have privileges. Perhaps you're not logged in as the user you think you are. Note that the username and host value need to match, otherwise you could be logged in as the anonymous user instead of one that has permissions (for instance, if your user account is mia with host field 127.0.0.1 but you're logged in via the socket connection to 'localhost', it doesn't match).

Create user and revoke them access to a specific database on MariaDB

Is there an easy way to create a user and grant all privileges to all databases except a specific one?
I've tried this
CREATE USER 'demo'@'%' IDENTIFIED BY 'QbSv9qUj2EJ8mxm2';
GRANT ALL PRIVILEGES ON *.* TO 'demo'@'%';
REVOKE ALL ON id8694160_sqless.* FROM 'demo'@'%'; -- this is the DB I don't want the user to have access to
SHOW GRANTS FOR 'demo'@'%';
But I get the following error:
Error Code: 1141. There is no such grant defined for user 'demo' on host '%'
Is this even possible?
According to the documentation:
Global privileges are granted using *.* for priv_level. Global privileges include privileges to administer the database and manage user accounts, as well as privileges for all tables, functions, and procedures. Global privileges are stored in the mysql.user table.
Database privileges are granted using db_name.* for priv_level, or using just * to use default database. Database privileges include privileges to create tables and functions, as well as privileges for all tables, functions, and procedures in the database. Database privileges are stored in the mysql.db table.
It means that the privileges you grant with GRANT ALL PRIVILEGES ON *.* TO 'demo'@'%'; are represented by one row in the mysql.user table. Revoking privileges for only one database from these global privileges means removing the global privileges from the mysql.user table and adding one database privilege for each database except the id8694160_sqless database, in the mysql.db table.
I'm quite sure the REVOKE statement does not do this, but you can manually give privileges to all databases except one with a request such as:
INSERT INTO mysql.db
SELECT '%',schema_name,'demo','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y'
FROM information_schema.schemata
WHERE NOT schema_name = 'mysql'
AND NOT schema_name = 'information_schema'
AND NOT schema_name = 'performance_schema'
AND NOT schema_name = 'id8694160_sqless';
FLUSH PRIVILEGES;
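The same allow-list built from generated GRANT statements rather than direct writes to mysql.db, as an added example that is not part of the original answer. It reuses the account and the excluded database from the question and escapes the `_` and `%` characters, which a database-level GRANT treats as wildcards in the database name.

```sql
-- Added example. Start from an account with no privileges at all, so that
-- nothing granted on *.* can reach the excluded database.
REVOKE ALL PRIVILEGES, GRANT OPTION FROM 'demo'@'%';

-- Generate one database-level GRANT per schema, skipping the system schemas
-- and the excluded database. Unescaped, a name such as app_1 would be stored
-- as a pattern that also matches other database names.
SELECT CONCAT('GRANT ALL PRIVILEGES ON `',
              REPLACE(REPLACE(schema_name, '_', '\\_'), '%', '\\%'),
              '`.* TO ''demo''@''%'';') AS grant_stmt
FROM information_schema.schemata
WHERE schema_name NOT IN ('mysql', 'information_schema',
                          'performance_schema', 'id8694160_sqless')
ORDER BY schema_name;

-- Review the generated statements, run them, then check the result.
SHOW GRANTS FOR 'demo'@'%';

-- Detection check: this must return no rows. It lists every stored
-- database pattern for the account that matches the excluded name.
SELECT host, db, user
FROM mysql.db
WHERE user = 'demo'
  AND 'id8694160_sqless' LIKE db;
```

Databases created after the statements are run are not covered, so the generator has to be run again for each new schema the account should reach.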

How to give the privilege of giving privileges in Oracle

I want to create an application in which one user selects other users and defines their privileges, but this user should not be an administrator or "dba". A statement such as:
GRANT GRANT TO BIG_USER;
The "Big User" has many privileges; the other users have the same or fewer.
Thanks
If you want to give all the grants that have been given to a user to some other users, you should first get that user's grants and then, for each user, write a script to give those grants. The following tables show the grants for each user:
USER_SYS_PRIVS, USER_TAB_PRIVS, USER_ROLE_PRIVS
Write a query to get the privileges and then give them to the other users.
Oracle's permission system allows a bit of granularity regarding what you can allow this user to grant.
For objects (tables, etc) you have to either be a dba, the object owner, or have permissions granted with the grant option. So the following should work:
GRANT ALL PRIVILEGES ON mytable TO big_user WITH GRANT OPTION;
You would have to repeat this on every table the user needs to be able to manage permissions on.
This answer is assuming you are looking at permissions on objects (tables etc) rather than system privileges.

How do you change a user's email address in Phabricator

I've set up Phabricator and added several users. I noticed that I can change a user's real name or username, but I am unable to change their email address. Is there some reason why this is not exposed to admins? Is there a server setting that allows admins to change email addresses?
You need to update the mysql database. In the phabricator_user db alter your email address in the user_email table. Administrators may not be all-powerful, but DBAs are.
Administrators can not change email addresses because it would let them change a user's email address to their own, reset the user's password, and then log in as the user. Administrators are not all-powerful in Phabricator's permission model, and can not compromise accounts, act as other users, or violate policies.
If you need to change an address because you made a mistake when creating a new account, you can delete the account and recreate it.
As bridiver writes, you need to change the address directly in the database. For that, you can use a helper Phabricator script to connect to the database:
$ phabricator/bin/storage shell
[...]
mysql> use phabricator_user;
Database changed
mysql> update user_email set address='newaddress@example.com' where address='oldaddress@example.com';
Query OK, 1 row affected (0.05 sec)
Rows matched: 1 Changed: 1 Warnings: 0
mysql> quit
It might be new, but they have a way now. I'll just list it here in case anyone has the same question later.
Log in to the server, where you have your Phabricator install, and use ./bin/accountadmin. That will let you change or add accounts at will. If you just want to look at the user, you can look in the phabricator_user database and check the user table or the user_profile table.

Oracle 11g statements to create new user and grant privileges?

I want to create a user/schema in oracle 11g and grant all privileges to the user. How can I do this with a simple script. I looked at the following links but I am not sure which one to use or if these statements are the best way.
http://ss64.com/ora/grant.html
Can you suggest how I may do this in the simplest possible way and securely ?
To create a new user you use the "create user" command. So a typical create user command would be :
create user test identified by test default tablespace mytbsp;
Of course you need to replace the values for the user, password and tablespace with different values. However I'd recommend that you have a look at Oracle's documentation http://docs.oracle.com/cd/B19306_01/server.102/b14200/statements_8003.htm.
The next step is to grant the user the corresponding rights. To give a user all the rights is a very bad approach as you would also give him dba privileges. What you should do instead is give him connect privileges and the permissions to his default tablespace. Also it is better to use roles instead of granting the rights directly, so if you have to grant the rights again you only need to grant the role. First step is to create the role:
-- Create the role first, then grant the system privileges to it.
CREATE ROLE MyRole;
-- Oracle has no ALTER/DROP TABLE, VIEW, PROCEDURE or SYNONYM system privileges;
-- a user can already alter and drop the objects in their own schema.
GRANT CREATE SESSION, CREATE TABLE, CREATE VIEW,
      CREATE PROCEDURE, CREATE SYNONYM
TO MyRole;
This statement is not complete; you might require additional rights (index maintenance, for instance), so have a look at the online Oracle documentation.
After that you grant the role to the newly created user.
GRANT myrole to test;
Create the user:
create user user_name identified by password ;
Grant the privileges:
grant all privileges to user_name;
If you want to view the number of privileges:
select * from system_privilege_map where name like '%PRIV%';
If you want to view privileges assigned to the users:
select count (*) , grantee
from dba_sys_privs
where grantee in ('user1','user2')
group by grantee ;
