[MXS-37] bugzillaId-719: mandatory SELECT privilege on db level? Created: 2015-01-04 Updated: 2017-12-01 Resolved: 2016-02-16 |
|
| Status: | Closed |
| Project: | MariaDB MaxScale |
| Component/s: | Core |
| Affects Version/s: | 1.0.4 |
| Fix Version/s: | 1.4.0 |
| Type: | New Feature | Priority: | Minor |
| Reporter: | lisu87 | Assignee: | markus makela |
| Resolution: | Fixed | Votes: | 0 |
| Labels: | None | ||
| Environment: |
Linux |
||
| Sprint: | 2016-3 |
| Description |
|
This is imported from bugzilla item: http://bugs.mariadb.com/show_bug.cgi?id=719 Description lisu87 2015-02-04 09:30:00 UTC When trying to connect to mysql server via maxscale without specifying default db it works, but with default db specified we always get "Access denied for user". The solution that worked for us was to grant SELECT privilege for user on db level instead of doing so for specific tables in the database. Please let me know if this behaviour is intended? |
| Comments |
| Comment by Dipti Joshi (Inactive) [ 2015-03-10 ] | ||
|
This is comment history from bugzilla: Comment 1 Massimiliano 2015-02-04 09:43:19 UTC SHOW DATABASES and mysql.db additional grants are required, as described in the pdf docs. If these grants are not available the authentication with db name fails. Please give us an example of the user that doesn't work, including privilegs for table level: we can do additional checks. Comment 2 lisu87 2015-02-04 14:08:05 UTC Privileges: GRANT SHOW DATABASES ON . TO 'test-maxscale'@'172.16.100.24' IDENTIFIED BY PASSWORD 'passhash' Now I'm trying to access CS.Events with default db specified: $ mysql -h 172.16.77.14 -P 4007 -u test-maxscale -p CS Without default db specified I'm able to connect and use CS db: $ mysql -h 172.16.77.14 -P 4007 -u test-maxscale -p Copyright (c) 2000, 2011, Oracle and/or its affiliates. All rights reserved. Oracle is a registered trademark of Oracle Corporation and/or its Type 'help;' or '\h' for help. Type '\c' to clear the current input statement. mysql> use CS; Database changed
--------------
-------------- But if grant test-maxscale@172.16.100.24 and test-maxscale@172.16.77.14 with SELECT privilege on db level everything works just fine, as shown below. Privileges: GRANT SHOW DATABASES ON . TO 'test-maxscale'@'172.16.100.24' IDENTIFIED BY PASSWORD 'passhash' $ mysql -h 172.16.77.14 -P 4007 -u test-maxscale -p CS Welcome to the MySQL monitor. Commands end with ; or \g. Copyright (c) 2000, 2011, Oracle and/or its affiliates. All rights reserved. Oracle is a registered trademark of Oracle Corporation and/or its Type 'help;' or '\h' for help. Type '\c' to clear the current input statement. Am I missing something? Comment 3 Massimiliano 2015-02-04 16:37:52 UTC Would you mind checking this and share us the maxscale configuration file as well? Comment 5 lisu87 2015-02-04 17:08:38 UTC GRANT SHOW DATABASES, REPLICATION SLAVE, REPLICATION CLIENT ON . TO 'maxscale'@'172.16.77.14' IDENTIFIED BY PASSWORD 'passhash' Configuration file attached here: http://bugs.mariadb.com/attachment.cgi?id=182 Comment 6 Massimiliano 2015-02-05 12:00:22 UTC GRANT SELECT ON `CS`.* TO 'test-maxscale'@'172.16.77.14', the SELECT privilege on db level It's not enough for db name authentication the table level grant: GRANT SELECT ON `CS`.`Events` TO 'test-maxscale'@'172.16.77.14' Comment 7 lisu87 2015-02-05 12:52:48 UTC Is it something you are going to change or it will stay as it is now? Comment 8 Massimiliano 2015-02-05 16:37:08 UTC The aim is to cover such a common case: GRANT SELECT ON `CS`.`Events` TO 'test-maxscale'@'172.16.77.14' where one or more table of db are involved | ||
| Comment by markus makela [ 2016-02-04 ] | ||
|
Changing this to an improvement since it is known and intended behavior. | ||
| Comment by markus makela [ 2016-02-16 ] | ||
|
User grants are now detected at table level. | ||
| Comment by markus makela [ 2016-02-22 ] | ||
|
Fixed in commit c4bcc4ce88d97b7dc3c668beea83b443381b8594 |