I'm trying to use MediaWiki and WP to connect to two MySQL databases.
The databases are working properly and so are the forms but
when I try to establish a connection to the database with MediaWiki or WP,
I just get a DB connection error: Permission denied
.
Some facts:
I'm able to…
- Connect to RDS by MySQL Workbrench to add/remove a users/table/Schema
- Connect to RDS by ec2 Command-line (
mysql -u MYUSER -p -h ENDPOINT
)
I'm NOT able to…
- Check my server logs in MySQL Workbrench or Command-line
Could not acquire management access for administration. Exception: Unsupported administration target type: ('windows', 'linux', 'wmi')
- Remove rdsadmin or Revert the asingeded roles and privileges
Error changing account rdsadmin@localhost: Access denied on rdsadmin@localhost
- Grant DBA/MaintenenaceAdmin/ProcessAdmin or ReplicationAdmin to WPuser
Error changing account WPuser@%: Access denied for user 'WPuser'@'%' (using password: YES)
What i have done so far:
-
I added the Elastic/Private and even Public IP address for the EC2 instance to the VPC security group. as follows: xx.xx.xxx.xxx/32 and xxx.xx.xx.xxx/32. I'm Not useing EC2-Classic Platform, so there is no RDS security group as i'm seeing.
-
GRANT ALL ON
%.* TO WPuser@
%`; and GRANT index, create, select, insert, update, delete, drop, alter, lock tables on WIKIdb.* to
'WIKIuser'@'ENDPOINT';
Again, my questions are:
What i missed and why would be the solution to establish those applications to databases?
Also do you have anything in mind, how can i solve the "I'm NOT able to…" section to "I'm able to…" ?
I'd be grateful for any help on these
Best Answer
Right, you can't do that with workbench and RDS because that requires shell access, which RDS does not allow. The logs are accessible through the console and API.
Right, you can't do that, because rdsadmin is the account that the RDS infrastructure uses to manage your instance. You don't control it.
The problem here is threefold.
The "roles" in workbench were a ridiculous idea on the part of Oracle because they do not correspond to real structures on MySQL... They're just fancy packaging for permission presets and you'd be better served to ignore that functionality and understand how the permissions actually work.
The DBA role doesn't work on RDS because that includes the
SUPER
privilege, which RDS does not provide, so that one wouldn't work anyway, even if you hadn't made the final error:You appear to be trying to give "WPUser" permissions... while you're logged in as "WPUser." You can't grant permissions to yourself. You also can't grant permissions you don't hold. If WPUser is the master user for your RDS instance, it already has all the permissions it can have... though you shouldn't use your master user for your application's access to the database.
That isn't likely the problem, here. If the security group isn't right, you'll fail to connect, after a lengthy timeout, and the error code will not be "access denied."
Also potentially incorrect, depending on what you are using as 'ENDPOINT':
If 'ENDPOINT' is the RDS endpoint, this is incorrect. You can never connect to RDS from the RDS endpoint, or even from 'localhost'.
The final argument there needs to be the IP address of the server where the wiki code is running, or a wildcard for the netblock, like '172.31.%'.