Best unofficial Apache Server developers community
Username
Forgot password?
Sign in with Twitter account
Sign in with Facebook account

MySQL privileges and replication
This is a response on MySQL security: inconsistencies and Less known facts about MySQL user grants.

As far as I know the privilege to grant PROXY privileges is also not very well understood. I blogged about that some time ago.

In addion to the already highlighted issues with GRANT replication and grants can very well create an unwanted situation:

master> SHOW GRANTS FOR 'user'@'host'\G
*************************** 1. row ***************************
Grants for user@host: GRANT USAGE ON *.* TO 'user'@'host' IDENTIFIED BY PASSWORD '*4994A78AFED55B0F529C11C436F85458C1F8D4C2'
*************************** 2. row ***************************
Grants for user@host: GRANT SELECT, INSERT, UPDATE, DELETE ON `somedb`.* TO 'user'@'host'
2 rows in set (0.00 sec)

master> GRANT SELECT,INSERT,UPDATE,DELETE ON anotherdb.* TO 'user'@'host';
Query OK, 0 rows affected (0.00 sec)

master> SHOW GRANTS FOR 'user'@'host'\G
*************************** 1. row ***************************
Grants for user@host: GRANT USAGE ON *.* TO 'user'@'host' IDENTIFIED BY PASSWORD '*4994A78AFED55B0F529C11C436F85458C1F8D4C2'
*************************** 2. row ***************************
Grants for user@host: GRANT SELECT, INSERT, UPDATE, DELETE ON `somedb`.* TO 'user'@'host'
*************************** 3. row ***************************
Grants for user@host: GRANT SELECT, INSERT, UPDATE, DELETE ON `anotherdb`.* TO 'user'@'host'
3 rows in set (0.00 sec)

And on the slave:
slave> SHOW GRANTS FOR 'user'@'host'\G
*************************** 1. row ***************************
Grants for user@host: GRANT USAGE ON *.* TO 'user'@'host'
*************************** 2. row ***************************
Grants for user@host: GRANT SELECT, INSERT, UPDATE, DELETE ON `anotherdb`.* TO 'user'@'host'
2 rows in set (0.00 sec)

This could have happened if the user was dropped on the slave to prevent it from inserting on a ro-slave. The cure for this issue is setting sql_mode to NO_AUTO_CREATE_USER.

Another issue is mysql-proxy. MySQL proxy can be used for simple read/write splitting, failover and a lot more. But it could also make your database less secure:
  • root is limited to localhost to prevent remote logins
  • mysql proxy is installed on the database machine
  • if you connect from a remote machine to mysql-proxy this will be proxied to mysql and the host will be localhost.
And the questions for the readers are:
  • Do you allow access on your read-only slaves?
  • Do you replicate mysql.* or not?

PlanetMySQL Voting: Vote UP / Vote DOWN
Source Article
Comments
0
Be the first to comment

Join with account you already have

Sign in with Twitter account
Sign in with Facebook account
Sign in with Google Friend Connect
avatar
Add new comment
Tags: unwanted situation, addion, host query, inconsistencies, replication, grants, privilege, privileges
Ibatis and MySQL replication
Sep 7, 2010
We might need to add some database servers (master+N*slave) in a couple of weeks. We are using Ibatis (2.3.4.726) as our DB layer right now. The MySQL java connector class has a ReplicationDriver [1] already in place. All you have to tell the…

Mysql Replication to Monog
Jun 20, 2011
Hi Friends, I want to know is that possible to replicate the MySql Transaction log(Mysql Replication) to Mongo with the Customized columns. ClearView: I have a 3 different tables in MySql and in Mongo i am using all in one Collection and i want…

Re: Use MySQL replication with stored configs
Dec 23, 2010
Am Wed, 22 Dec 2010 22:02:27 +0200 schrieb Ohad Levy: > Hi, > > Search the threads, there were a few discussions about this point... at > the moment afaik, its not doable. it maybe could be done outside of puppet with mysql-proxy.…

Help with setting facts for MySQL replication
Jul 27, 2010
Hi all, I'm trying to work on a solution to setting up mysql in a semi-automated fashion using facts to populate a puppet template. I'm using Cobbler as my build system and I was hoping to pass the values needed for replicate_do_db and server_id…

Use MySQL replication with stored configs
Dec 22, 2010
Hello, I'm configuring an environment using multiple puppet masters geographically distributed in different locations. We have a "central" puppet master in our main office with the CA signing authority and we also keep the MySQL database with the…

Is it possible to configure multi-master/circular replication for MySQL?
Feb 1, 2011
Is it possible for puppet to configure a set of MySQL masters and manage circular replication, so that if additional master nodes are required (or need to be stopped & moved) puppet can add them to the set and bring them "up to date"? How would…

Puppet configuration for MySQL master-slave replication
Feb 14, 2011
I 'm a beginner to puppet . I know only basic stuffs about puppet. I would like to create a puppet configuration in which the master's configuration can be tweaked so as to perform replication and new mysql slave nodes will be automatically…

Problems with connections pool in Tomcat 6.0.18 6.0.20 + MySQL 5.1 + mysql-connector 5.1.x
Jan 27, 2011
Hi all, I have a problem with: Tomcat 6.0.x + MySQL 5.1 + mysql-connector.5.1.x And I test with Ubuntu 10.04, Windows 2003 and Mac OSX 10.6.6 I configured the connection in tomcat like this: <Resource driverClassName="com.mysql.jdbc.Driver" …

MySql overload: auth mysql + cache?
Mar 24, 2011
Hello all, I'm facing a major issue on one of my DB after an application upgrade that switch to AuthMysql for a subversion server authentication My DB server is overloaded by tons of: > SELECT user.unix_pw, length(user.unix_pw) FROM user,…

Populating mySql DataStore from Mysql table
Apr 8, 2011
I am trying to populate a datastore that uses Mysql persistence with a Mysql table. For that I have done the following: 1. Changed server.properties 2. Created a data store and named its persistence as mysql 3. included a mysql connector in…