Uploaded image for project: 'MariaDB Server'
  1. MariaDB Server
  2. MDEV-21486

Implement option for mysql_install_db that allows root@localhost to be replaced

Details

    Description

      Some users would like to use a different user than root@localhost as their default superuser. Ideally, users could just do this:

      -- Create new root user
      		 
      CREATE USER 'not_root'@'localhost' IDENTIFIED BY 'password';
      		 
      GRANT ALL PRIVILEGES ON *.* TO 'not_root'@'localhost';
      		 
      GRANT PROXY ON ''@'%' TO 'not_root'@'localhost' WITH GRANT OPTION;
      		 
       
      		 
      -- Drop old root user
      		 
      DROP USER 'root'@'localhost';

      However, in 10.4, there is another complication--root@localhost is the definer of the mysql.user view. This means that the following also needs to be done:

      USE mysql;
      		 
      DROP VIEW user;
      		 
      CREATE 
         ALGORITHM=UNDEFINED 
         DEFINER=`not_root`@`localhost` 
         SQL SECURITY DEFINER 
         VIEW `user` 
         AS 
         select `global_priv`.`Host` AS `Host`,`global_priv`.`User` AS `User`,if(json_value(`global_priv`.`Priv`,'$.plugin') in ('mysql_native_password','mysql_old_password'),ifnull(json_value(`global_priv`.`Priv`,'$.authentication_string'),''),'') AS `Password`,if(json_value(`global_priv`.`Priv`,'$.access') & 1,'Y','N') AS `Select_priv`,if(json_value(`global_priv`.`Priv`,'$.access') & 2,'Y','N') AS `Insert_priv`,if(json_value(`global_priv`.`Priv`,'$.access') & 4,'Y','N') AS `Update_priv`,if(json_value(`global_priv`.`Priv`,'$.access') & 8,'Y','N') AS `Delete_priv`,if(json_value(`global_priv`.`Priv`,'$.access') & 16,'Y','N') AS `Create_priv`,if(json_value(`global_priv`.`Priv`,'$.access') & 32,'Y','N') AS `Drop_priv`,if(json_value(`global_priv`.`Priv`,'$.access') & 64,'Y','N') AS `Reload_priv`,if(json_value(`global_priv`.`Priv`,'$.access') & 128,'Y','N') AS `Shutdown_priv`,if(json_value(`global_priv`.`Priv`,'$.access') & 256,'Y','N') AS `Process_priv`,if(json_value(`global_priv`.`Priv`,'$.access') & 512,'Y','N') AS `File_priv`,if(json_value(`global_priv`.`Priv`,'$.access') & 1024,'Y','N') AS `Grant_priv`,if(json_value(`global_priv`.`Priv`,'$.access') & 2048,'Y','N') AS `References_priv`,if(json_value(`global_priv`.`Priv`,'$.access') & 4096,'Y','N') AS `Index_priv`,if(json_value(`global_priv`.`Priv`,'$.access') & 8192,'Y','N') AS `Alter_priv`,if(json_value(`global_priv`.`Priv`,'$.access') & 16384,'Y','N') AS `Show_db_priv`,if(json_value(`global_priv`.`Priv`,'$.access') & 32768,'Y','N') AS `Super_priv`,if(json_value(`global_priv`.`Priv`,'$.access') & 65536,'Y','N') AS `Create_tmp_table_priv`,if(json_value(`global_priv`.`Priv`,'$.access') & 131072,'Y','N') AS `Lock_tables_priv`,if(json_value(`global_priv`.`Priv`,'$.access') & 262144,'Y','N') AS `Execute_priv`,if(json_value(`global_priv`.`Priv`,'$.access') & 524288,'Y','N') AS `Repl_slave_priv`,if(json_value(`global_priv`.`Priv`,'$.access') & 1048576,'Y','N') AS `Repl_client_priv`,if(json_value(`global_priv`.`Priv`,'$.access') & 2097152,'Y','N') AS `Create_view_priv`,if(json_value(`global_priv`.`Priv`,'$.access') & 4194304,'Y','N') AS `Show_view_priv`,if(json_value(`global_priv`.`Priv`,'$.access') & 8388608,'Y','N') AS `Create_routine_priv`,if(json_value(`global_priv`.`Priv`,'$.access') & 16777216,'Y','N') AS `Alter_routine_priv`,if(json_value(`global_priv`.`Priv`,'$.access') & 33554432,'Y','N') AS `Create_user_priv`,if(json_value(`global_priv`.`Priv`,'$.access') & 67108864,'Y','N') AS `Event_priv`,if(json_value(`global_priv`.`Priv`,'$.access') & 134217728,'Y','N') AS `Trigger_priv`,if(json_value(`global_priv`.`Priv`,'$.access') & 268435456,'Y','N') AS `Create_tablespace_priv`,if(json_value(`global_priv`.`Priv`,'$.access') & 536870912,'Y','N') AS `Delete_history_priv`,elt(ifnull(json_value(`global_priv`.`Priv`,'$.ssl_type'),0) + 1,'','ANY','X509','SPECIFIED') AS `ssl_type`,ifnull(json_value(`global_priv`.`Priv`,'$.ssl_cipher'),'') AS `ssl_cipher`,ifnull(json_value(`global_priv`.`Priv`,'$.x509_issuer'),'') AS `x509_issuer`,ifnull(json_value(`global_priv`.`Priv`,'$.x509_subject'),'') AS `x509_subject`,cast(ifnull(json_value(`global_priv`.`Priv`,'$.max_questions'),0) as unsigned) AS `max_questions`,cast(ifnull(json_value(`global_priv`.`Priv`,'$.max_updates'),0) as unsigned) AS `max_updates`,cast(ifnull(json_value(`global_priv`.`Priv`,'$.max_connections'),0) as unsigned) AS `max_connections`,cast(ifnull(json_value(`global_priv`.`Priv`,'$.max_user_connections'),0) as signed) AS `max_user_connections`,ifnull(json_value(`global_priv`.`Priv`,'$.plugin'),'') AS `plugin`,ifnull(json_value(`global_priv`.`Priv`,'$.authentication_string'),'') AS `authentication_string`,'N' AS `password_expired`,elt(ifnull(json_value(`global_priv`.`Priv`,'$.is_role'),0) + 1,'N','Y') AS `is_role`,ifnull(json_value(`global_priv`.`Priv`,'$.default_role'),'') AS `default_role`,cast(ifnull(json_value(`global_priv`.`Priv`,'$.max_statement_time'),0.0) as decimal(12,6)) AS `max_statement_time` from `global_priv`;

      Some users don't seem to want to do this. For those users, it might be better if mysql_install_db had an option that could replace root@localhost with another superuser account at install time. e.g.:

      $ sudo mysql_install_db --user=mysql --superuser=not_root --datadir=...

      Attachments

        Issue Links

          blocks

          Bug - A problem which impairs or prevents the functions of the product. MDEV-21487 Implement option for mysql_upgrade that allows root@localhost to be replaced

          • Critical - Crashes, loss of data, severe memory leak.
          • Closed
          duplicates

          Bug - A problem which impairs or prevents the functions of the product. MDEV-19650 Privilege bug on MariaDB 10.4

          • Blocker - Blocks development and/or testing work, production could not run.
          • Closed
          is caused by

          Task - A task that needs to be done. MDEV-17658 change the structure of mysql.user table

          • Critical - Crashes, loss of data, severe memory leak.
          • Closed
          relates to

          Bug - A problem which impairs or prevents the functions of the product. MDEV-19650 Privilege bug on MariaDB 10.4

          • Blocker - Blocks development and/or testing work, production could not run.
          • Closed

          Activity

            Ascending order - Click to sort in descending order
            sanja Oleksandr Byelkin added a comment -

            Should be reference in all instructions printed by server and also help databases be also changed from root?

            I think owners of tables should be cahnegd.

            also we will need the same parameter for upgrade script, right?

            sanja Oleksandr Byelkin added a comment - Should be reference in all instructions printed by server and also help databases be also changed from root? I think owners of tables should be cahnegd. also we will need the same parameter for upgrade script, right?
            sanja Oleksandr Byelkin added a comment -

            There is problem of using SQL scripts with hardcoded root in them

            sanja Oleksandr Byelkin added a comment - There is problem of using SQL scripts with hardcoded root in them
            GeoffMontee Geoff Montee (Inactive) added a comment -

            sanja,

            also we will need the same parameter for upgrade script, right?

            I previously submitted MDEV-21487 about the relevant change for mysql_upgrade.

            I think owners of tables should be cahnegd.

            What do you mean? As far as I know, tables do not have "owners" in MariaDB.

            GeoffMontee Geoff Montee (Inactive) added a comment - sanja , also we will need the same parameter for upgrade script, right? I previously submitted MDEV-21487 about the relevant change for mysql_upgrade . I think owners of tables should be cahnegd. What do you mean? As far as I know, tables do not have "owners" in MariaDB.
            sanja Oleksandr Byelkin added a comment -

            So you thnk it is ok to make one without other? I do not think so (will mark MDEV-21487 duplicate).

            OK, I mistyped, should be object (view, procedure, function).

            ( GeoffMontee you can not answer it is more notes for me how to proceed)

            sanja Oleksandr Byelkin added a comment - So you thnk it is ok to make one without other? I do not think so (will mark MDEV-21487 duplicate). OK, I mistyped, should be object (view, procedure, function). ( GeoffMontee you can not answer it is more notes for me how to proceed)
            sanja Oleksandr Byelkin added a comment -

            fix will be in MDEV-19650 which allow to remove root user as it was before (and so allow run mysql_install_db / mysql_upgrade from user which just have enough rights for operation, probably user with which root was replaced)

            sanja Oleksandr Byelkin added a comment - fix will be in MDEV-19650 which allow to remove root user as it was before (and so allow run mysql_install_db / mysql_upgrade from user which just have enough rights for operation, probably user with which root was replaced)

            People

              sanja Oleksandr Byelkin
              GeoffMontee Geoff Montee (Inactive)
              Votes:
              0 Vote for this issue
              Watchers:
              6 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved:

                Git Integration

                  Error rendering 'com.xiplink.jira.git.jira_git_plugin:git-issue-webpanel'. Please contact your Jira administrators.