MariaDB – Database Access Using Roles

mariadbMySQL

I run MariaDB 10.0.23, and I use roles to grant privileges to users. I have a user john:

+-------------------------------------------------------------------+
| Grants for john@%                                                 |
+-------------------------------------------------------------------+
| GRANT client TO 'john'@'%'                                        |
| GRANT USAGE ON *.* TO 'john'@'%' IDENTIFIED BY PASSWORD '*C...DF' |
+-------------------------------------------------------------------+

The client role is defined like this:

+--------------------------------------------------------+
| Grants for client                                      |
+--------------------------------------------------------+
| GRANT USAGE ON *.* TO 'client'                         |
| GRANT INSERT ON `database_name`.`table1` TO 'client'   |
| GRANT SELECT ON `database_name`.`table2` TO 'client'   |
| GRANT SELECT ON `database_name`.`table3` TO 'client'   |
| GRANT INSERT ON `database_name`.`table4` TO 'client'   |
+--------------------------------------------------------+

When I connect using mysql -u john -p database_name, I get

ERROR 1044 (42000): Access denied for user 'john'@'%' to database 'database_name'

which kind of makes sense because when users log in, they don't have a role assigned by default.
However, I get the same error when I do mysql -u john -p and then

SET ROLE client;

SHOW GRANTS;
+-------------------------------------------------------------------+
| Grants for john@%                                                 |
+-------------------------------------------------------------------+
| GRANT client TO 'john'@'%'                                        |
| GRANT USAGE ON *.* TO 'john'@'%' IDENTIFIED BY PASSWORD '*C...DF' |
| GRANT USAGE ON *.* TO 'client'                                    |
| GRANT INSERT ON `database_name`.`table1` TO 'client'              |
| GRANT SELECT ON `database_name`.`table2` TO 'client'              |
| GRANT SELECT ON `database_name`.`table3` TO 'client'              |
| GRANT INSERT ON `database_name`.`table4` TO 'client'              |
+-------------------------------------------------------------------+

SHOW DATABASES;
+--------------------+
| Database           |
+--------------------+
| information_schema |
+--------------------+

USE database_name;
ERROR 1044 (42000): Access denied for user 'john'@'%' to database 'database_name'

The workaround that I use is to add one of the role's permissions to each user directly. This way users get access to the database, but it doesn't seem quite logical to me that using roles users still have to have permissions granted to them explicitly. MariaDB documentation doesn't say anything about this issue.

Any thoughts on why it happens and how to fix this behavior?

Best Answer

I can't reproduce the problem.

$ mysql -u root -p
Enter password:

Welcome to the MariaDB monitor.  Commands end with ; or \g.
Your MariaDB connection id is 54
Server version: 10.0.23-MariaDB mariadb.org binary distribution

Copyright (c) 2000, 2015, Oracle, MariaDB Corporation Ab and others.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

MariaDB [(none)]> DROP DATABASE IF EXISTS `database_name`;
Query OK, 4 rows affected (0.01 sec)

MariaDB [(none)]> DROP ROLE `client`;
Query OK, 0 rows affected (0.00 sec)

MariaDB [(none)]> DROP USER 'john'@'%';
Query OK, 0 rows affected (0.00 sec)

MariaDB [(none)]> CREATE USER 'john'@'%';
Query OK, 0 rows affected (0.00 sec)

MariaDB [(none)]> CREATE ROLE `client`;
Query OK, 0 rows affected (0.00 sec)

MariaDB [(none)]> GRANT `client` TO 'john'@'%';
Query OK, 0 rows affected (0.00 sec)

MariaDB [(none)]> CREATE DATABASE `database_name`;
Query OK, 1 row affected (0.00 sec)

MariaDB [(none)]> CREATE TABLE `database_name`.`table1`(`col0` INT);
Query OK, 0 rows affected (0.00 sec)

MariaDB [(none)]> CREATE TABLE `database_name`.`table2`(`col0` INT);
Query OK, 0 rows affected (0.00 sec)

MariaDB [(none)]> CREATE TABLE `database_name`.`table3`(`col0` INT);
Query OK, 0 rows affected (0.00 sec)

MariaDB [(none)]> CREATE TABLE `database_name`.`table4`(`col0` INT);
Query OK, 0 rows affected (0.00 sec)

MariaDB [(none)]> GRANT INSERT ON `database_name`.`table1` TO 'client';
Query OK, 0 rows affected (0.00 sec)

MariaDB [(none)]> GRANT SELECT ON `database_name`.`table2` TO 'client';
Query OK, 0 rows affected (0.00 sec)

MariaDB [(none)]> GRANT SELECT ON `database_name`.`table3` TO 'client';
Query OK, 0 rows affected (0.00 sec)

MariaDB [(none)]> GRANT INSERT ON `database_name`.`table4` TO 'client';
Query OK, 0 rows affected (0.00 sec)

MariaDB [(none)]> SHOW GRANTS FOR 'john'@'%';
+----------------------------------+
| Grants for john@%                |
+----------------------------------+
| GRANT client TO 'john'@'%'       |
| GRANT USAGE ON *.* TO 'john'@'%' |
+----------------------------------+
2 rows in set (0.00 sec)

MariaDB [(none)]> SHOW GRANTS FOR `client`;
+------------------------------------------------------+
| Grants for client                                    |
+------------------------------------------------------+
| GRANT USAGE ON *.* TO 'client'                       |
| GRANT SELECT ON `database_name`.`table3` TO 'client' |
| GRANT SELECT ON `database_name`.`table2` TO 'client' |
| GRANT INSERT ON `database_name`.`table1` TO 'client' |
| GRANT INSERT ON `database_name`.`table4` TO 'client' |
+------------------------------------------------------+
5 rows in set (0.00 sec)

MariaDB [(none)]> exit
Bye

$ mysql -u john -p
Enter password:

Welcome to the MariaDB monitor.  Commands end with ; or \g.
Your MariaDB connection id is 56
Server version: 10.0.23-MariaDB mariadb.org binary distribution

Copyright (c) 2000, 2015, Oracle, MariaDB Corporation Ab and others.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

MariaDB [(none)]> SHOW DATABASES;
+--------------------+
| Database           |
+--------------------+
| information_schema |
+--------------------+
1 row in set (0.00 sec)

MariaDB [(none)]> SET ROLE `client`;
Query OK, 0 rows affected (0.00 sec)

MariaDB [(none)]> SHOW DATABASES;
+--------------------+
| Database           |
+--------------------+
| database_name      |
| information_schema |
+--------------------+
2 rows in set (0.00 sec)

MariaDB [(none)]> SELECT `col0` FROM `database_name`.`table1`;
ERROR 1142 (42000): SELECT command denied to user 'john'@'localhost' for table 'table1'

MariaDB [(none)]> SELECT `col0` FROM `database_name`.`table2`;
Empty set (0.00 sec)

UPDATE

With a username longer than 6 characters, I can reproduce the problem, however, you can access the tables.

$ mysql -u root -p
Enter password:

MariaDB [(none)]> CREATE USER 'usertestjohn'@'%';
Query OK, 0 rows affected (0.00 sec)

MariaDB [(none)]> GRANT `client` TO 'usertestjohn'@'%';
Query OK, 0 rows affected (0.00 sec)

MariaDB [(none)]> exit
Bye

$ mysql -u usertestjohn -p
Enter password:

MariaDB [(none)]> SHOW DATABASES;
+--------------------+
| Database           |
+--------------------+
| information_schema |
+--------------------+
1 row in set (0.00 sec)

MariaDB [(none)]> SET ROLE `client`;
Query OK, 0 rows affected (0.00 sec)

MariaDB [(none)]> SHOW DATABASES;
+--------------------+
| Database           |
+--------------------+
| information_schema |
+--------------------+
1 row in set (0.00 sec)

MariaDB [(none)]> SELECT `col0` FROM `database_name`.`table2`;
Empty set (0.00 sec)

Bug reported to MariaDB: Roles and Users longer than 6 characters.

Related Solutions

Mysql – “Set Password” with a limited user

The problem I see with what you propose is that a user who has the ability to grant privileges to other users... is, almost by definition, not a "limited" user.

You can't grant privileges at all without the GRANT privilege, and even with that, you can't grant a specific privilege that you don't possess ... unless you have permission to manipulate the grant tables directly, in which case, you're not exactly a limited user either.

But, aha, here's your workaround.

Stored procedures run with the credentials of the user who defined them or as the explicitly-specified definer. (You have to have SUPER to specify somebody else as DEFINER.) Any user with the EXECUTE privilege on a stored procedure can execute the procedure, and the procedure essentially escalates their privilege level while it is running.

If you wrap your administrative operations in (well-written) procedures, then you don't have to actually give the limited user permission to do anything, other than run the procedures.

DELIMITER $$

DROP PROCEDURE IF EXISTS `mysql`.`change_password` $$
-- root@localhost is an example; use an appropriate local user that has the
-- permissions that need to be available for the operation to succeed
CREATE DEFINER='root'@'localhost' PROCEDURE `mysql`.`change_password` (
  IN dirty_user VARCHAR(16), 
  IN dirty_host VARCHAR(40), 
  IN dirty_password VARCHAR(41))
BEGIN

  DECLARE encrypted_password TINYTEXT DEFAULT PASSWORD(dirty_password);
  DECLARE clean_user TINYTEXT DEFAULT NULL;
  DECLARE clean_host TINYTEXT DEFAULT NULL;

  SELECT user, host
    FROM mysql.user
   WHERE user = dirty_user
     AND host = dirty_host
    INTO clean_user, clean_host;

  IF clean_user IS NULL OR clean_host IS NULL THEN
    SIGNAL SQLSTATE '45000' SET MESSAGE_TEXT = 'user/host provided does not exist';
  END IF;

  SET @_sql = CONCAT_WS('\'','SET PASSWORD FOR ',clean_user,'@',clean_host,' = ',encrypted_password,'');

  PREPARE stmt FROM @_sql;
  EXECUTE stmt;
  DEALLOCATE PREPARE stmt;
  SET @_sql = NULL;

END $$

DELIMITER ;

GRANT EXECUTE ON PROCEDURE mysql.change_password TO 'limited'@'%';

The 'limited'@'%' user can now change passwords for other users even though they don't have permission to do it themselves, by using CALL mysql.change_password('user','host','password');.

This user does not have permissions themselves, but does have execute on the proc; they can't do it directly:

mysql> set password for 'wombat'@'localhost' = PASSWORD('secret');
ERROR 1044 (42000): Access denied for user 'limited'@'%' to database 'mysql'

... but they can do it this way. Note that "0 rows affected" is not a meaningful value.

mysql> call mysql.change_password('wombat','localhost','secret');

Query OK, 0 rows affected (0.00 sec)

Notes:

String-concatenated queries with input parameters are unacceptable, but the SET PASSWORD statement does not accept ? positional-parameters, so there's no choice here. To sanitize the inputs, I take care of the password by encrypting it in advance, outside the prepared statement, and concatenated the encrypted password there; I've sanitized the user and host by actually selecting them from the mysql.user table and using the values I've selected, also outside the prepared statement. If they aren't found, we can't set their password, so we throw an exception using SIGNAL. If they are found, we concatenate the fetched values into the prepared statement, sanitizing them by this mechanism. It's still theoretically possible that bad data in the mysql.user table could render the quoting of the prepared statement invalid, but if you have bad data in the mysql.user table, then you have 2 problems (1 problem in addition to this one).
Any explicit GRANT EXECUTE you've given at the procedure level disappears from the mysql.procs_priv table if you drop and redefine the procedure, so if you make changes to the procedure, you have to re-grant the privileges to the limited user.
You need MySQL 5.5+ for the SIGNAL statement to be valid. Below 5.5 you can replace it with a hack, something like CALL mysql.`change_password(): the user/host provided`; (note the backticks) which will throw a not quite as pretty, but still serviceable message complaining that the bogus procedure name quoted in the backticks... does not exist. Heh... ERROR 1305 (42000): PROCEDURE mysql.change_password(): the user/host provided does not exist

MySQL Permissions – How to Grant Additional Permissions

The fundamental problem you have is this:

You cannot grant another user a privilege which you yourself do not have; the GRANT OPTION privilege enables you to assign only those privileges which you yourself possess.

^{— http://dev.mysql.com/doc/refman/5.6/en/grant.html}

This makes sense, since if it were otherwise, then you could just grant privileges to yourself.

There is one way around this, depending on how much flexibility you have with the calling code -- stored procedures can run with the credentials of the defining user (as opposed to the invoking user). If the calling system could call a procedure instead of using GRANT ..., then you can create a procedure that is executable by the restricted user, granting other privileges as appropriate.

Best Answer

Related Solutions

Mysql – “Set Password” with a limited user

MySQL Permissions – How to Grant Additional Permissions

Related Question