User Management in MySQL

Amit Kumar, B.Tech., Test Consultant India

MySQL grant tables

- Five grant tables: user, db, host, tables_priv, and columns_priv.
- They control authentication and the rights given to a user.
- Two types of columns: scope columns and privilege columns.

User table

- Primary grant table; holds information about users, privileges, and hosts.
- A user is identified as user@host.
- Columns: scope (Host, User, and Password), data-related privileges, administrative privileges, encryption-related privileges, and connection-related privileges.

db table

- Assigns database-specific privileges.
- Columns: scope (Host, Db, and User) and data-related privileges.
- The db table works in conjunction with the host table.

Host table

- Checked only when a user is listed in the db table but the Host column there is blank.
- The combination of db and host allows privileges to be applied to a user who connects from multiple hosts.
- Columns: scope (Host and Db) and privileges.
- The only grant table that doesn't include a User column.

tables_priv table

- Specific to table-level privileges.
- Columns: scope (Host, Db, User, and Table_name) and privileges (Table_priv and Column_priv).
- The tables_priv table works in conjunction with the columns_priv table.

columns_priv table

- Privileges related to individual columns.
- Columns: scope (Host, Db, User, Table_name, and Column_name) and privileges (Column_priv).

MySQL privileges (user, db, and host tables)

- Data-related: select_priv, insert_priv, update_priv, delete_priv, create_priv, drop_priv, grant_priv, index_priv, alter_priv, create_tmp_table_priv, and lock_tables_priv.
- Administrative: reload_priv, shutdown_priv, process_priv, file_priv, show_db_priv, super_priv, repl_slave_priv, repl_client_priv.
- Encryption-related: ssl_type, ssl_cipher, x509_issuer, x509_subject.
- Connection-related: max_questions, max_updates, max_connections.

MySQL access control

Authenticating connections

- Only the user table is involved.
- Things to watch for: the % wildcard in the Host column, a blank User column (anonymous accounts), and a blank password.

[Figure: example user table with Host and User columns; Host values shown: %, Domain1.com, localhost, %; User values shown: Root, user1]

MySQL access control contd

How MySQL accesses the user table:

Sorting of the rows is very important.

[Figure: the same user table after sorting; Host values shown: Domain1.com, localhost, %, %; User values shown: User1, Root]

When the MySQL server starts, data from the user table is copied to memory in sorted order. When a client attempts to log on to the server, the user account is checked against the sorted user data in memory. The server uses the first matching entry to authenticate the user, matching first on the Host value and then on the User value.
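An audit query for the three risky user-table entries the slide calls out (wildcard hosts, anonymous users, blank passwords), added here as an example and not part of the original slides. It assumes MySQL 5.x, where the user table still has a Password column; the column and table names are the real grant-table names, and SELECT on the mysql database is required.

```sql
-- Added example: audit mysql.user for the entries the slide flags as risky.
-- Assumes MySQL 5.x (Password column); on 5.7+ substitute authentication_string.

-- 1. Anonymous accounts: a blank User matches any user name the client sends.
SELECT Host, User
FROM mysql.user
WHERE User = '';

-- 2. Accounts reachable from any host.
SELECT Host, User
FROM mysql.user
WHERE Host = '%';

-- 3. Accounts with no password at all.
SELECT Host, User
FROM mysql.user
WHERE Password = '';

-- 4. Combined view, ordered roughly the way the server consults the rows:
--    literal host names before patterns, named users before the blank user.
--    This shows which risky row would win a match for a given connection.
SELECT Host, User,
       (Host = '%')     AS any_host,
       (User = '')      AS anonymous,
       (Password = '')  AS no_password
FROM mysql.user
WHERE Host = '%' OR User = '' OR Password = ''
ORDER BY (INSTR(Host, '%') > 0), Host, (User = ''), User;

-- Remediation once an anonymous account is confirmed unused (MySQL 5.x):
-- DROP USER ''@'localhost';
```

Run the queries as an administrative account; an empty result set for each of the first three means none of the slide's risky patterns is present.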

MySQL access control contd

Verifying privileges (authorization)

Once the connection is authenticated, the server checks the privilege columns of the grant tables in a fixed order, from the global user table down to the more specific tables, for each request the user makes. Which privileges apply depends on the account the user was matched to at login.

Verifying Privileges

Adding users

A user can be added in several ways:

- using the CREATE USER statement
- using an INSERT INTO statement on the grant tables
- using the GRANT statement

CREATE USER syntax:

CREATE USER 'username'@'hostname' IDENTIFIED BY 'password';

Using the GRANT statement


GRANT <privilege> [(<column> [{, <column>}...])]
    [{, <privilege> [(<column> [{, <column>}...])]}...]
    ON {<table> | * | *.* | <database>.*}
    TO <user>@<host> [IDENTIFIED BY [PASSWORD] <new password>]
    [{, <user>@<host> [IDENTIFIED BY [PASSWORD] <new password>]}...]
    [REQUIRE {NONE | SSL | X509 | <require definition>}]
    [WITH <with option> [<with option>...]]

<require definition> ::= <require option> [[AND] <require option>] [[AND] <require option>]
<require option> ::= {CIPHER <string>} | {ISSUER <string>} | {SUBJECT <string>}
<with option> ::= {GRANT OPTION} | {MAX_QUERIES_PER_HOUR <count>} | {MAX_UPDATES_PER_HOUR <count>} | {MAX_CONNECTIONS_PER_HOUR <count>}

GRANT statement contd

- GRANT clause: the privileges being granted.
- ON clause: the level at which they apply: global, database, table, or column.
- TO clause: the account, given as host, user, and password.

Example

GRANT ALL ON *.* TO 'user1'@'domain1.com' IDENTIFIED BY 'pw1';

GRANT SELECT, UPDATE ON test.* TO 'user1'@'domain1.com' IDENTIFIED BY 'pw1';

GRANT SELECT, UPDATE ON test.Books TO 'user1'@'domain1.com' IDENTIFIED BY 'pw1';

Example contd.

GRANT SELECT, UPDATE (BookTitle, Copyright) ON test.Books TO 'user1'@'domain1.com' IDENTIFIED BY 'pw1';

WITH clause

[WITH <with option> [<with option>...]]
<with option> ::= {GRANT OPTION} | {MAX_QUERIES_PER_HOUR <count>} | {MAX_UPDATES_PER_HOUR <count>} | {MAX_CONNECTIONS_PER_HOUR <count>}

Example:

GRANT SELECT, UPDATE ON test.* TO 'user1'@'domain1.com' IDENTIFIED BY 'pw1' WITH GRANT OPTION MAX_QUERIES_PER_HOUR 50 MAX_UPDATES_PER_HOUR 50;

SHOW GRANTS

Syntax:
SHOW GRANTS FOR <user>@<host>;

Example:
SHOW GRANTS FOR 'user1'@'domain1.com';

Setting the password for a user

SET PASSWORD [FOR <user>@<host>] = PASSWORD(<new password>);

FLUSH PRIVILEGES reloads the grant tables from disk; it is required after changing the grant tables directly with INSERT or UPDATE, not after the account-management statements above.

Examples:
SET PASSWORD = PASSWORD('pw2');
SET PASSWORD FOR 'user1'@'domain1.com' = PASSWORD('pw3');

Dropping users and revoking privileges

Removing an account usually involves three steps:

1. Use the SHOW GRANTS statement to view the user account's current privileges.
2. Use the REVOKE statement to revoke the privileges from the user account.
3. Use the DROP USER statement to remove the user from the system.

REVOKE statement
REVOKE ALL PRIVILEGES, GRANT OPTION FROM <user>@<host> [{, <user>@<host>}...];

Example:
GRANT SELECT, UPDATE ON test.* TO 'user1'@'domain1.com' IDENTIFIED BY 'pw1' WITH GRANT OPTION MAX_QUERIES_PER_HOUR 50 MAX_UPDATES_PER_HOUR 50;
REVOKE ALL PRIVILEGES, GRANT OPTION FROM 'user1'@'domain1.com';
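The full lifecycle of a least-privilege application account, from creation through decommissioning, as an added example in the MySQL 5.0-era syntax the slides use (not code from the original deck). The account name, host, database, and table are constructed for illustration.

```sql
-- Added example: least-privilege account lifecycle (MySQL 5.x syntax).
-- Account, host, database and table names are constructed for illustration.

-- 1. Create the account with a password and pin it to one host
--    rather than the '%' wildcard, so the user-table match is narrow.
CREATE USER 'appuser'@'app01.example.com' IDENTIFIED BY 'pw1';

-- 2. Grant only what the application needs, at the narrowest level that
--    works: table-level read/insert, column-level update on two columns,
--    plus per-hour resource limits. No GRANT OPTION, so the account
--    cannot pass its privileges on to other accounts.
GRANT SELECT, INSERT ON test.Books TO 'appuser'@'app01.example.com';
GRANT UPDATE (BookTitle, Copyright) ON test.Books
    TO 'appuser'@'app01.example.com'
    WITH MAX_QUERIES_PER_HOUR 500
         MAX_UPDATES_PER_HOUR 100
         MAX_CONNECTIONS_PER_HOUR 20;

-- 3. Verify the effective grants before handing over the credentials.
SHOW GRANTS FOR 'appuser'@'app01.example.com';

-- 4. Rotate the password later without touching the privileges.
SET PASSWORD FOR 'appuser'@'app01.example.com' = PASSWORD('pw2');

-- 5. Decommission in the three steps from the slide: review, revoke, drop.
SHOW GRANTS FOR 'appuser'@'app01.example.com';
REVOKE ALL PRIVILEGES, GRANT OPTION FROM 'appuser'@'app01.example.com';
DROP USER 'appuser'@'app01.example.com';
```

On MySQL 8.0 the IDENTIFIED BY clause inside GRANT and the PASSWORD() function no longer exist; create and re-password accounts with CREATE USER / ALTER USER ... IDENTIFIED BY and keep GRANT for privileges only.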