I have a shared web server setup among friends. Each website has its own database. I'd like to be able to delegate user management for each of those databases to the owner of the database. That way they can create accounts for their web applications to access their specific tables yet not wander around if the specific application is compromised.
To further clarify by way of example, I'd like something like this:
Database server at : db.hosting.coop
db root user : root#db.hosting.coop <full permissions as root>
website and database 1: foo.com
foo.com db user : foo#db.hosting.coop <full permissions on database foo, with ability to grant user access to database foo, granted by root#db.hosting.coop>
foo.coms rails app db user : foorails#localhost <select,insert,update,delete on foo.*, granted by foo#db.hosting.coop>
website and database 2: bar.com
bar.com db user : bar#% <full permissions on database foo, with grant, granted by root#db.hosting.coop>
bar.coms php app db user : bar_website#localhost <select,insert,update,delete on bar.*, granted by bar#db.hosting.coop>
As root:
GRANT CREATE USER ON *.* TO 'foo'#'%';
GRANT ALL PRIVILEGES ON `foo.com`.* TO 'foo'#'%' WITH GRANT OPTION;
As foo:
CREATE USER 'foorails'#'%' IDENTIFIED BY 'secret';
GRANT SELECT ON `foo.com`.* TO 'foorails'#'%'
likewise with others
Related
I need to import a sql. database to Wordpress through phpMyAdmin.
Anytime I want to create a new database this error happens (#1044 - Access denied for user 'xxx' to database 'zzz').
Thanks for your help.
You can check all privileges permission of database user and also check our sql file. May be mention there "CAEATE DATABASE '*******'" if you have that then you remove that. Most of this #1044 refer you to check your database user and permission of your database. I think this suggestion will help you.
As the others have mentioned, shared hosting environments generally don't allow you to create any arbitrary database name, sometimes you're limited to only one database and sometimes it has to be a subset of your username or something. If that's the case, you'll need to edit the .sql file to force it to use the database name you've been assigned.
If that's not the case, it's likely the user you are logged in as doesn't have the privileges to create a new database, so you'll need to log in as a user that does have privileges. Perhaps you're not logged in as the user you think you are. Note that the username and host value need to match, otherwise you could be logged in as the anonymous user instead of one that has permissions (for instance, if your user account is mia with host field 127.0.0.1 but you're logged in via the socket connection to 'localhost', it doesn't match.
Is there an easy way to create a user and grant all privileges to all databases except a specific one?
I've tried this
CREATE USER 'demo'#'%' IDENTIFIED BY 'QbSv9qUj2EJ8mxm2';
GRANT ALL PRIVILEGES ON *.* TO 'demo'#'%';
REVOKE ALL ON id8694160_sqless.* FROM 'demo'#'%'; -- this is the DB I don't want the user to have access to
SHOW GRANTS FOR 'demo'#'%';
But I get the following error:
Error Code: 1141. There is no such grant defined for user 'demo' on host '%'
Is this even possible?
According to the documentation:
Global privileges are granted using *.* for priv_level. Global privileges include privileges to administer the database and manage user accounts, as well as privileges for all tables, functions, and procedures. Global privileges are stored in the mysql.user table.
Database privileges are granted using db_name.* for priv_level, or using just * to use default database. Database privileges include privileges to create tables and functions, as well as privileges for all tables, functions, and procedures in the database. Database privileges are stored in the mysql.db table.
It means that the privileges you grant with GRANT ALL PRIVILEGES ON *.* TO 'demo'#'%'; is represented by one row in the mysql.user table. Revoking privileges for only one database from these global privileges means removing the global privileges from the mysql.user table and add one database privilege for each database except the id8694160_sqless database, in the mysql.db table.
I'm quite sure the REVOKE statement does not do this but you can manually give privileges to all databases except one with a request such as :
INSERT INTO mysql.db
SELECT '%',schema_name,'demo','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y'
FROM information_schema.schemata
WHERE NOT schema_name = 'mysql'
AND NOT schema_name = 'information_schema'
AND NOT schema_name = 'performance_schema'
AND NOT schema_name = 'id8694160_sqless';
FLUSH PRIVILEGES;
I'm developing an ASP.NET MVC application. I need to support multiple authentication mechanisms (this app is used by multiple customers, each with their own preferred authn provider). One auth provider will be Active Directory. The AD integration for authentication is straightforward and I have no problems with that.
For authorization, roles will be stored in a local database (NOTE: we cannot use Active Directory groups for doing authorization - roles need to be local application roles because we support multiple authn providers and AD admins won't want to create custom groups in AD just for our app). My expectation is that we will need to create "stub" user accounts in our local database in order to do the User-is-assigned-which-Roles mapping. These stub user accounts will also be used to indicate which users are authorized to access the application (not everyone in the AD database should have access).
The anticipated flow of control will be:
User accesses login page > enters credentials > posts credentials to app server.
The app validates the credentials against AD. At this point, we know if the user is authenticated.
The app checks the user's SID to see if a "stub" user account with that SID exists in the local database. If not, the app displays an "not authorized" error message to the user.
The app will look up roles for the user in the local database user-is-assigned-which-roles table.
User identity info including roles will be stored as claims and the app will use typical claims based authorization (i.e. ClaimsAuthorizationManager).
My question is what is the best way to create "stub" user accounts into my local database? My guess is that we should use some sort of AD export script to export AD accounts for those users that should be granted access to the ASP.NET app and then import those users into the local database (NOTE: I expect that the stub account will contain minimal info - perhaps just the user's SID from AD and maybe the username).
A batch export/import is probably OK as an initial deployment process. After the app is up-and-running and new users join the organization, I expect a more user-friendly mechanism will be desired for granting a new user access to our app (other than exporting/importing the new user's account from AD to our local database). My guess is that we'll need some sort of user browser screen so that an admin in our app can browse the AD directory, select a user, click a button and then have that user's "stub" account created automatically in our app.
Has anyone implemented an application with similar requirements? If so, how did you bootstrap the creation of "stub" accounts in your local database? Is there a better way to address these requirements?
Please feel free if this can Help You Custom Annotation Authorization
It's only a workaround, or just an idea, not a solution...
To use it you only need to use Annotation in the controller
e.g.
[ARQAuthorize]
public class BlaBlaController : Controller .....
I am currently implementing a similar solution. Here is how the application works. I'm using ASP.NET MVC 5, ASP.NET Identity 2.2.1.
I am using the Identity framework to manage users and roles within the application. The user goes to a login page, enters their credentials. The application checks against the application DB to see if the user exists. If not it throws an error that the user doesn't exist in the database. If the user exists, it authenticates against AD. If authentication fails they get an error message, if it doesn't fail I create a ClaimIdentity from the user out of the database (not the user in AD) and pass that to my SignIn method.
My user in the application DB has the same username as the AD username and I use that as my stub. I also include the domain of the user in the DB as well in the case that I might have multiple domains I need to support. With Identity, don't forget to also populate the SecurityStamp field with a guid.
The plan is to bulk import the users and permissions from a spreadsheet and I have some standard CRUD actions created to allow creation of individual users and assigning of roles after that.
I am transitioning an application from Dev to QA. I have created an sql file to populate the database in the QA environment. In the QA environment I am using windows authentication on the db. My user has minimal permissions. I am comin up with the error
EXECUTE permission denied on object 'aspnet_CheckSchemaVersion', database 'QADB', schema 'dbo'.
when I try an log in. I noticed my db creation script has:
"CREATE ROLE [aspnet_Membership_BasicAccess] AUTHORIZATION [dbo]"
When I change the permissions of my user to dbo, the problem goes away.
I do not wish for my user to be dbo. Does anybody know what I can do to remedy this?
Grant the user the execute permission on the stored procedure, or better still, make sure the user is a member of the role and grant execute permissions to the role.
GRANT EXECUTE ON aspnet_checkscemaversion TO aspnet_membership_basicaccess
How to give an admin access to the users who have logged in using ldap username and password after authentication. And should we store this $_POST values in drupal database.
If you are using the ldap_integration module after an LDAP user logs in for the first time a full local Drupal user is created for them. Install http://drupal.org/project/adminrole which lets you assign your users, even LDAP users, into an "Admin Role". This module gives all available permissions to users in this role.