CS 122B: Projects in Database Management
Transcript

  • 1. CS 122B: Projects in Database Management Winter 2010 Notes 07: DBA -- User Management in MySQL Professor Chen Li Department of Computer Science UC Irvine CS122B Notes 07: DBA-User Mgmt
  • 2. Database Administrator
    • "DBA":
      • Specialist for keeping data clean, available, and safe
      • Responsible for planning, testing, installation, and tuning
    • Why do we need a DBA?
      • Proper planning is key to setting up a database application
      • Proper administration is key to running effective DB applications
      • Neither can be accomplished without a good DBA.
  • 3. DBA Basic Duties
    • Management - Administration procedures
      • Installation and Configuration
      • Security Administration
      • Backup and Recovery
    • Performance Tuning
      • Application Tuning
      • Database Tuning
      • Client Server Tuning
      • Parallel Query Tuning
      • Platform Specific Tuning
      • Long-running Job Tuning
  • 4. Security Administration
    • User Assignments
      • Create, Alter, and Drop Users
      • Monitor Users (Accounts, Roles, and Profiles)
    • Security Roles
      • Set of privileges and object grants
      • Create, alter, and drop Profiles
      • Create, Alter, and Drop Roles
    • Security Profiles
      • Used to restrict users to a specific set of resource quotas
  • 5. DBA: Backup and Recovery
    • Normal OS Backup
    • Exports and Imports
    • Archive Logging of Redo Logs
    • Recovery: allows a DBA to recover to a specified day and time or transaction
  • 6. MySQL Database Users and Privileges
    • http://dev.mysql.com/doc/refman/5.1/en/user-account-management.html
  • 7. Using create to add user account
    • General syntax:
    • mysql> CREATE USER user [IDENTIFIED BY [PASSWORD] 'password'];
    • To use CREATE USER, you must have the global CREATE USER privilege or the INSERT privilege for the mysql database.
    • Example:
    • mysql> CREATE USER 'user1'@'localhost' IDENTIFIED BY 'pass1';
    • (Creates user1 with no privileges)
    • The GRANT command must then be used to assign privileges to this user
  • 8. Assigning passwords
    • shell> mysql --user=root -p mysql
    • mysql> SET PASSWORD FOR 'custom'@'localhost' = PASSWORD('biscuit');
    • (Only superusers like root have sufficient privileges to change passwords)
    • Using grant:
    • mysql> GRANT USAGE ON *.* TO 'custom'@'localhost' IDENTIFIED BY 'biscuit';
    • (This assigns the password without affecting the account’s current privileges)
    • Using insert:
    • We have seen how a password can be established when creating a new account
    • Using update:
    • To change the password of an existing user, use the UPDATE command:
    • mysql> UPDATE user SET Password = PASSWORD('bagel') WHERE Host = 'localhost' AND User = 'custom';
    • mysql> FLUSH PRIVILEGES;
  • 9. Drop users
    • General syntax:
    • mysql> DROP USER user;
    • Removes privilege rows from all grant tables for user
    • You must have the global CREATE USER privilege or the DELETE privilege for the mysql database.
  • 10. Privileges in MySQL
    • Privileges in MySQL: What operations are you allowed to perform?
    • Privileges are associated with identities: your username and hostname are both part of your identity. Example: joe connecting from example.office.com has a separate identity from joe connecting from home.example.com, and the two have separate privileges
    • Privilege information is stored in the system grant tables (e.g., user, host, db, etc.) of the mysql database
    • These tables are read into memory once, each time the MySQL server starts
    • Access control works in 2 steps:
      • When you connect, are you allowed to connect?
      • After you connect, do you have sufficient privilege for every statement you issue?
  • 11. Privileges (grant tables)
    • Scope columns: Determine the context in which the row applies. Example: when you connect as
    • shell> mysql -u bob -p
    • from the machine thomas.loc.gov, the user table row with Host='thomas.loc.gov' and User='bob' will be used to authenticate you. If you connect as:
    • shell> mysql -u bob -p -D reports
    • from the machine thomas.loc.gov, the db table row with Host='thomas.loc.gov', User='bob' and Db='reports' will be used to authenticate you.
    • Privilege columns: Each privilege is in a separate column, declared as ENUM('Y','N') DEFAULT 'N' (i.e. the default is to disable the privilege)
    • To check the privileges for host=localhost and user=testuser, use the SHOW GRANTS command (assuming you have sufficient privilege to do this):
    • mysql> SHOW GRANTS FOR 'testuser'@'localhost';
  • 12. Creating user accounts on all databases
    • Two ways to create users:
    • By using statements intended for creating accounts, such as CREATE USER or GRANT (Recommended way)
    • By manipulating the MySQL grant tables directly with statements such as INSERT , UPDATE , or DELETE
  • 13. Using "Grant" commands
    • shell> mysql --user=root -p mysql (connect as root to the mysql database)
    • a. > GRANT ALL PRIVILEGES ON *.* TO 'monty'@'localhost' IDENTIFIED BY 'some_pass' WITH GRANT OPTION;
    • (superuser account with full privileges to do anything, can connect only from localhost)
    • b. > GRANT RELOAD,PROCESS ON *.* TO 'admin'@'localhost';
    • (Allows the admin user to execute the mysqladmin reload, mysqladmin refresh, and mysqladmin flush-xxx commands, as well as mysqladmin processlist. No privileges are granted for accessing any databases.)
    • c. > GRANT USAGE ON *.* TO 'dummy'@'localhost';
    • (No privileges are granted. Same effect as setting all the global privileges to 'N' )
  • 14. Using "Insert" commands
    • shell> mysql --user=root -p mysql
    • mysql> INSERT INTO user VALUES('localhost','monty',PASSWORD('some_pass'), 'Y','Y','Y', ….. ,'Y','Y'); (The number of Ys depends on the version of MySQL. The PASSWORD() function is necessary for encryption. When using GRANT, encryption is done automatically.)
    • mysql> INSERT INTO user SET Host='localhost', User='admin', Reload_priv='Y', Process_priv='Y', ssl_cipher='', x509_issuer='', x509_subject=''; (the last 3 are required if strict SQL mode is enabled)
    • mysql> INSERT INTO user SET Host='localhost', User='dummy', Password='', ssl_cipher='', x509_issuer='', x509_subject='';
    • mysql> FLUSH PRIVILEGES; (This tells the server to re-read the grant tables. Otherwise, the changes go unnoticed until you restart the server. Not required when you use GRANT.)
  • 15. Create db-specific accounts using a "Grant" command
    • shell> mysql --user=root -p mysql
    • mysql> GRANT SELECT,INSERT,UPDATE,DELETE,CREATE,DROP ON bankaccount.* TO 'custom'@'localhost' IDENTIFIED BY 'obscure';
    • mysql> GRANT SELECT,INSERT,UPDATE,DELETE,CREATE,DROP ON expenses.* TO 'custom'@'whitehouse.gov' IDENTIFIED BY 'obscure';
    • mysql> GRANT SELECT,INSERT,UPDATE,DELETE,CREATE,DROP ON customer.* TO 'custom'@'server.domain' IDENTIFIED BY 'obscure';
    • All 3 accounts have username = 'custom' and password = 'obscure'
    • The first account can access the bankaccount database, but only from the local host.
    • The second account can access the expenses database, but only from the host whitehouse.gov .
    • The third account can access the customer database, but only from the host server.domain.
  • 16. Create db-specific accounts using an "Insert" command
    • shell> mysql --user=root -p mysql
    • mysql> INSERT INTO user (Host,User,Password, ssl_cipher, x509_issuer, x509_subject) VALUES('localhost','custom',PASSWORD('obscure'), '', '', '' );
    • mysql> INSERT INTO user (Host,User,Password, ssl_cipher, x509_issuer, x509_subject) VALUES('whitehouse.gov','custom',PASSWORD('obscure'), '', '', '' );
    • mysql> INSERT INTO user (Host,User,Password, ssl_cipher, x509_issuer, x509_subject) VALUES('server.domain','custom',PASSWORD('obscure'), '', '', '' );
    • (No privilege assigned yet, all privileges are set to ‘N’ by default)
    • In addition to the user table, we also insert into the Db table for each account
    • mysql> INSERT INTO db (Host,Db,User,Select_priv,Insert_priv, Update_priv,Delete_priv,Create_priv,Drop_priv) VALUES('localhost','bankaccount','custom', 'Y','Y','Y','Y','Y','Y');
    • mysql> INSERT INTO db (Host,Db,User,Select_priv,Insert_priv, Update_priv,Delete_priv,Create_priv,Drop_priv) VALUES('whitehouse.gov','expenses','custom', 'Y','Y','Y','Y','Y', 'Y');
    • mysql> INSERT INTO db (Host,Db,User,Select_priv,Insert_priv, Update_priv,Delete_priv,Create_priv,Drop_priv) VALUES('server.domain','customer','custom', 'Y','Y','Y','Y','Y','Y');
    • mysql> FLUSH PRIVILEGES;
  • 17. Revoke Privileges
    • mysql> revoke priv_type on [ object_type ] from user
    • object_type= * | *.* | db_name.* | db_name.tbl_name | tbl_name | db_name.routine_name
    • Examples:
    • mysql> revoke select on *.* from 'monty'@'localhost';
    • (you must have the GRANT OPTION privilege, and you must have the privileges that you are revoking )
    • To revoke all privileges:
    • mysql> REVOKE ALL PRIVILEGES, GRANT OPTION FROM 'monty'@'localhost';
    • (drops all global, database-, table-, column-, and routine-level privileges for 'monty'@'localhost')
    • NOTE: REVOKE does not remove an account's user table record, even if you revoke all privileges for the account. (see example on next slide)
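
The two-step check from slides 10 and 11, the per-host 'custom' accounts from slide 15 and the REVOKE note on slide 17, shown as an added Python example that is not part of the original slides and is not MySQL's code. It is a simplified model: hosts match exactly (no wildcards), passwords and table/column-level grants are left out, and the class and function names are hypothetical.

```python
"""Toy model of MySQL's two-step access check (added example, not MySQL code)."""

CRUD = frozenset({"SELECT", "INSERT", "UPDATE", "DELETE", "CREATE", "DROP"})

class GrantTables:
    def __init__(self):
        self.user = {}  # (Host, User) -> global privileges (ON *.*)
        self.db = {}    # (Host, Db, User) -> database-level privileges

    def grant(self, privs, db, user, host):
        """GRANT privs ON db.* TO 'user'@'host'; db == '*' means ON *.* (global)."""
        row = self.user.setdefault((host, user), set())  # GRANT creates the account if missing
        target = row if db == "*" else self.db.setdefault((host, db, user), set())
        target.update(privs)

    def revoke_all(self, user, host):
        """REVOKE ALL PRIVILEGES, GRANT OPTION: clears privileges, keeps the user row."""
        self.user[(host, user)].clear()
        for key in [k for k in self.db if (k[0], k[2]) == (host, user)]:
            del self.db[key]

    def drop_user(self, user, host):
        """DROP USER: removes the privilege rows and the account row itself."""
        self.revoke_all(user, host)
        del self.user[(host, user)]

    def can_connect(self, user, host):
        """Step 1: is there a user-table row for this exact (host, user) identity?"""
        return (host, user) in self.user

    def allowed(self, user, host, priv, db):
        """Step 2: global privileges first, then the db-table row for this database."""
        if not self.can_connect(user, host):
            return False
        global_privs = self.user[(host, user)]
        if "ALL" in global_privs or priv in global_privs:
            return True
        return priv in self.db.get((host, db, user), set())

def build_page_accounts():
    """Rows constructed from the GRANT statements on slides 13 and 15."""
    t = GrantTables()
    t.grant({"ALL"}, "*", "monty", "localhost")
    t.grant({"RELOAD", "PROCESS"}, "*", "admin", "localhost")
    t.grant(set(), "*", "dummy", "localhost")  # GRANT USAGE: account with no privileges
    t.grant(CRUD, "bankaccount", "custom", "localhost")
    t.grant(CRUD, "expenses", "custom", "whitehouse.gov")
    t.grant(CRUD, "customer", "custom", "server.domain")
    return t
```

After `revoke_all("monty", "localhost")` the model still lets monty connect, which is the leftover-account case the NOTE describes; only `drop_user` removes the identity.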