Mysql – What are the minimal permissions required for the “Users and Privileges” tab in MySQL Workbench to function in MySQL 5.6

MySQLmysql-5.6permissions

My ultimate goal is to allow administration for the purposes of password resets with minimal possible permissions given. It seems to me that with the UserAdmin role, or even UserAdmin with SecurityAdmin, the "Users and Privileges part of MySQL Workbench should work; but it doesn't. Does anyone know what custom role privileges and/or GRANT permissions are required to allow the use of Users and Privileges?

UPDATE:
It seems the minimum I need to get it to "work" is CREATE USER AND SELECT; but that doesn't help me do what I want to do, which is be able to assign some privileges (SELECT/EXECUTE) on different schemas. This does not seem to work as intended because even when I have the GRANT OPTION, RELOAD, or even SUPER and/or SHOW DATABASES in addition to SELECT and EXECUTE, I still get an error when trying to add or delete SELECT privileges on a specific schema that says: `(u'Error revoking privileges for @ in schema , 'You must have the GRANT OPTION privilege, and you must have the privileges that you are reovking').

Consider I have followed what the error implies (unless I am missing something), it should work, but it doesn't.

So to clarify my question: I would like to know the least amount of administration privileges required for an administrative user to be able to:
1. create a user and/or modify passwords
2. assign SELECT and EXECUTE privileges to that user on specific schemas (without Workbench throwing errors that aren't necessarily true — as even with the error, it creates the privileges, but it won't remove them [i.e. I can't delete it after I make it under that user]).

UPDATE2:
As far as I can tell, after much trial and error and process of elimination: the titles under "Administrative Roles" with associated descriptions, such as UserAdmin and SecurityAdmin, do not work as their descriptions describe. The only thing that accomplishes the above is to grant DBManager, which is what I was trying to avoid.

Best Answer

A partial answer: for just resetting Passwords, I was able to get it to function with CREATE USER, RELOAD, SELECT, and UPDATE. For actually granting schema privileges to the user, it continues to give an error up to DBA. For example, it successfully grants the privilege, but then throws the error about revoking (as mentioned above), then if you close the "Users and Privileges" window and reopen it, you can see the schema grant actually applied and saved, but you can't delete it (same revoke error and it doesn't stick like when adding). I still don't understand what privilege is driving the error; much trial and error and process of elimination was done.

Related Solutions

Mysql – “Set Password” with a limited user

The problem I see with what you propose is that a user who has the ability to grant privileges to other users... is, almost by definition, not a "limited" user.

You can't grant privileges at all without the GRANT privilege, and even with that, you can't grant a specific privilege that you don't possess ... unless you have permission to manipulate the grant tables directly, in which case, you're not exactly a limited user either.

But, aha, here's your workaround.

Stored procedures run with the credentials of the user who defined them or as the explicitly-specified definer. (You have to have SUPER to specify somebody else as DEFINER.) Any user with the EXECUTE privilege on a stored procedure can execute the procedure, and the procedure essentially escalates their privilege level while it is running.

If you wrap your administrative operations in (well-written) procedures, then you don't have to actually give the limited user permission to do anything, other than run the procedures.

DELIMITER $$

DROP PROCEDURE IF EXISTS `mysql`.`change_password` $$
-- root@localhost is an example; use an appropriate local user that has the
-- permissions that need to be available for the operation to succeed
CREATE DEFINER='root'@'localhost' PROCEDURE `mysql`.`change_password` (
  IN dirty_user VARCHAR(16), 
  IN dirty_host VARCHAR(40), 
  IN dirty_password VARCHAR(41))
BEGIN

  DECLARE encrypted_password TINYTEXT DEFAULT PASSWORD(dirty_password);
  DECLARE clean_user TINYTEXT DEFAULT NULL;
  DECLARE clean_host TINYTEXT DEFAULT NULL;

  SELECT user, host
    FROM mysql.user
   WHERE user = dirty_user
     AND host = dirty_host
    INTO clean_user, clean_host;

  IF clean_user IS NULL OR clean_host IS NULL THEN
    SIGNAL SQLSTATE '45000' SET MESSAGE_TEXT = 'user/host provided does not exist';
  END IF;

  SET @_sql = CONCAT_WS('\'','SET PASSWORD FOR ',clean_user,'@',clean_host,' = ',encrypted_password,'');

  PREPARE stmt FROM @_sql;
  EXECUTE stmt;
  DEALLOCATE PREPARE stmt;
  SET @_sql = NULL;

END $$

DELIMITER ;

GRANT EXECUTE ON PROCEDURE mysql.change_password TO 'limited'@'%';

The 'limited'@'%' user can now change passwords for other users even though they don't have permission to do it themselves, by using CALL mysql.change_password('user','host','password');.

This user does not have permissions themselves, but does have execute on the proc; they can't do it directly:

mysql> set password for 'wombat'@'localhost' = PASSWORD('secret');
ERROR 1044 (42000): Access denied for user 'limited'@'%' to database 'mysql'

... but they can do it this way. Note that "0 rows affected" is not a meaningful value.

mysql> call mysql.change_password('wombat','localhost','secret');

Query OK, 0 rows affected (0.00 sec)

Notes:

String-concatenated queries with input parameters are unacceptable, but the SET PASSWORD statement does not accept ? positional-parameters, so there's no choice here. To sanitize the inputs, I take care of the password by encrypting it in advance, outside the prepared statement, and concatenated the encrypted password there; I've sanitized the user and host by actually selecting them from the mysql.user table and using the values I've selected, also outside the prepared statement. If they aren't found, we can't set their password, so we throw an exception using SIGNAL. If they are found, we concatenate the fetched values into the prepared statement, sanitizing them by this mechanism. It's still theoretically possible that bad data in the mysql.user table could render the quoting of the prepared statement invalid, but if you have bad data in the mysql.user table, then you have 2 problems (1 problem in addition to this one).
Any explicit GRANT EXECUTE you've given at the procedure level disappears from the mysql.procs_priv table if you drop and redefine the procedure, so if you make changes to the procedure, you have to re-grant the privileges to the limited user.
You need MySQL 5.5+ for the SIGNAL statement to be valid. Below 5.5 you can replace it with a hack, something like CALL mysql.`change_password(): the user/host provided`; (note the backticks) which will throw a not quite as pretty, but still serviceable message complaining that the bogus procedure name quoted in the backticks... does not exist. Heh... ERROR 1305 (42000): PROCEDURE mysql.change_password(): the user/host provided does not exist

What are the user privileges required to for an ssrs report owner to ‘send email’

Is the new user allowed to send mail on the SMTP server?

You can do this:

Review this and make sure your setup is valid with the correct user (MSDN Link).
Also check the settings in RSreportserver.config (MSDNlink).

Best Answer

Related Solutions

Mysql – “Set Password” with a limited user

What are the user privileges required to for an ssrs report owner to ‘send email’

Related Question