[Wylug-help] MySQL GRANT Command

Smylers Smylers at stripey.com
Tue Apr 24 15:03:15 BST 2007 

I have a user which has some permissions in a MySQL database, and I wish
to grant further permissions to that user without upsetting existing
ones.  Is it possible to do this with the GRANT command?

I know I can get the behaviour I desire by INSERT-ing into the relevant
tables directly then FLUSH PRIVILEGES.  But that feels a bit like going
behind MySQL's back and is frowned upon by some.  Also it's a little
unwieldy to type all the permissions out in an INSERT statement -- so
I'm trying to find out if there'sa GRANT way of doing this.

The current set-up is that the user, compo, has an entry in the
mysql.user table for each host from which he is permitted to connect,
specifying the password to use, but no privileges are granted in the
user table.

The db, tables_priv, and columns_priv tables have various entries with
user = 'compo'.  They all have host = '%', so that which hosts compo can
connect from is determined entirely by the user table; if we move
servers around or add a new host it is only the user table that needs to
be changed accordingly.

Suppose I wish to grant compo SELECT privileges on a new database, nora.
compo should be able to connect to nora from any host from which compo
can currently connect to the MySQL server, and any future updates in
which hosts compo connects from should apply to the nora DB as well.

First I tried:

  GRANT SELECT ON nora.* TO compo;

Don't do that -- it's really bad!  In the above I didn't say anything
about the hostname or password (cos I don't want those to change), so
MySQL interpreted it as meaning that I want compo to be able to connect
to the DB server from anywhere in the world, and be allowed on without a
password!  So far as I can tell this wide-open access has been granted
not just to nora, but to anything else to which compo previously had
access (but which used to require a password, and be from limited
hosts).

So next I look at all the places compo can currently connect from, and
try specifying those, in separate commands (which is irritating enough,
since I'm just typing back into MySQL information it's just provided me
with):

  GRANT SELECT ON nora.* TO compo at localhost;
  GRANT SELECT ON nora.* TO compo at pub;
  GRANT SELECT ON nora.* TO compo at field;

And that seems to work; the user table isn't touched at all, and no
security whole is opened up.  But the problem is that in the db table
rather than one entry which says user = 'compo', host = '%' (deferring
the host authorization to the user table), there are three entries, one
for each of the above hostnames (but otherwise identical).

Which means that in future when we change or add a host, we have to
update the db table as well as the user table.  (And we've got the bloat
of the DB permissions being repeated in near-identical records, which
gets really tedious when you have many hosts and lots of table- or
column-specific permissions.)

Am I missing something?

Is it that unusual to want the 'how can I connect' stuff to be in a
separate table from the 'what I can do once I've connected' stuff?

Thanks.

Smylers

More information about the Wylug-help mailing list