CS 122B: Projects in Database Management
Transcript

  • 1. CS 122B: Projects in Database Management, Winter 2010
      Notes 07: DBA -- User Management in MySQL
      Professor Chen Li, Department of Computer Science, UC Irvine
      CS122B Notes 07: DBA-User Mgmt
  • 2. Database Administrator
      - "DBA":
          - Specialist for keeping data clean, available, and safe
          - Responsible for: Planning, Testing, Installation, Tuning
      - Why do we need a DBA?
          - Proper planning is key to setting up a database application
          - Proper administration is key to running effective DB applications
          - Neither can be accomplished without a good DBA.
  • 3. DBA Basic Duties
      - Management - Administration procedures
          - Installation and Configuration
          - Security Administration
          - Backup and Recovery
      - Performance Tuning
          - Application Tuning
          - Database Tuning
          - Client Server Tuning
          - Parallel Query Tuning
          - Platform Specific Tuning
          - Long-running Job Tuning
  • 4. Security Administration
      - User Assignments
          - Create, Alter, and Drop Users
          - Monitor Users (Accounts, Roles, and Profiles)
      - Security Roles
          - Set of privileges and object grants
          - Create, Alter, and Drop Profiles
          - Create, Alter, and Drop Roles
      - Security Profiles
          - Used to restrict user(s) to a specific set of resource quotas
  • 5. DBA: Backup and Recovery
      - Normal OS Backup
      - Exports and Imports
      - Archive Logging of Redo Logs
      - Recovery: allows a DBA to recover to a specified day and time or transaction
  • 6. MySQL Database Users and Privileges
      - http://dev.mysql.com/doc/refman/5.1/en/user-account-management.html
  • 7. Using CREATE to add a user account
      - General syntax:
            mysql> CREATE USER user [IDENTIFIED BY [PASSWORD] 'password']
      - To use CREATE USER, you must have the global CREATE USER privilege or the INSERT privilege for the mysql database.
      - Example:
            mysql> CREATE USER 'user1'@'localhost' IDENTIFIED BY 'pass1';
        (Creates user1 with no privileges)
      - The GRANT command needs to be used to assign privileges to this user
  • 8. Assigning passwords
      -     shell> mysql --user=root -p mysql
            mysql> SET PASSWORD FOR 'custom'@'localhost' = PASSWORD('biscuit');
        (Only superusers like root have sufficient privileges to change passwords)
      - Using GRANT:
            mysql> GRANT USAGE ON *.* TO 'custom'@'localhost' IDENTIFIED BY 'biscuit';
        (This assigns the password without affecting the account's current privileges)
      - Using INSERT:
        We have seen how a password can be established when creating a new account
      - Using UPDATE:
        To change the password of an existing user, use the UPDATE command:
            mysql> UPDATE user SET Password = PASSWORD('bagel') WHERE Host = 'localhost' AND User = 'custom';
            mysql> FLUSH PRIVILEGES;
  • 9. Drop users
      - General syntax:
            mysql> DROP USER user;
      - Removes privilege rows from all grant tables for user
      - You must have the global CREATE USER privilege or the DELETE privilege for the mysql database.
  • 10. Privileges in MySQL
      - Privileges in MySQL: What operations are you allowed to perform?
      - Privileges are associated with identities: your username and hostname are part of your identity. Ex: joe connecting from example.office.com has a separate identity from joe who connects from home.example.com, and the two have separate privileges
      - Privilege information is stored in the system grant tables (e.g., user, host, db, etc.) of the mysql database
      - These tables are read into memory once, every time you start the MySQL server
      - Access control works in 2 steps:
          - When you connect, are you allowed to connect?
          - After you connect, do you have sufficient privilege for every statement you issue?
  • 11. Privileges (grant tables)
      - Scope columns: Determine the context in which the row applies. Ex: when you connect as
            shell> mysql -u bob -p
        from the machine thomas.loc.gov, the user table row with Host='thomas.loc.gov' and User='bob' will be used to authenticate you. If you connect as:
            shell> mysql -u bob -p -D reports
        from the machine thomas.loc.gov, the db table row with Host='thomas.loc.gov' and User='bob' and Db='reports' will be used to authenticate you.
      - Privilege columns: Each privilege is in a separate column and is declared as ENUM('Y', 'N') DEFAULT 'N' (i.e., the default is to disable the privilege)
      - To check the privileges for host=localhost and user=testuser, use the SHOW GRANTS command (assuming you have sufficient privilege to do this):
            mysql> SHOW GRANTS FOR 'testuser'@'localhost';
  • 12. Creating user accounts on all databases
      - Two ways to create users:
          - By using statements intended for creating accounts, such as CREATE USER or GRANT (recommended way)
          - By manipulating the MySQL grant tables directly with statements such as INSERT, UPDATE, or DELETE
  • 13. Using "GRANT" commands
      -     shell> mysql --user=root -p mysql
        (connect as root to the mysql database)
      - a.  mysql> GRANT ALL PRIVILEGES ON *.* TO 'monty'@'localhost' IDENTIFIED BY 'some_pass' WITH GRANT OPTION;
        (superuser account with full privileges to do anything; can connect only from localhost)
      - b.  mysql> GRANT RELOAD,PROCESS ON *.* TO 'admin'@'localhost';
        (allows the admin user to execute the mysqladmin reload, mysqladmin refresh, and mysqladmin flush-xxx commands, as well as mysqladmin processlist. No privileges are granted for accessing any databases)
      - c.  mysql> GRANT USAGE ON *.* TO 'dummy'@'localhost';
        (No privileges are granted. Same effect as setting all the global privileges to 'N')
  • 14. Using "INSERT" commands
      -     shell> mysql --user=root -p mysql
      -     mysql> INSERT INTO user VALUES('localhost','monty',PASSWORD('some_pass'), 'Y','Y','Y',…..,'Y','Y');
        (The number of Ys will depend on the version of MySQL. The PASSWORD() function is necessary for encryption. When using GRANT, encryption is done automatically)
      -     mysql> INSERT INTO user SET Host='localhost', User='admin', Reload_priv='Y', Process_priv='Y', ssl_cipher='', x509_issuer='', x509_subject='';
        (the last 3 are required if strict SQL mode is enabled)
      -     mysql> INSERT INTO user SET Host='localhost', User='dummy', Password='', ssl_cipher='', x509_issuer='', x509_subject='';
      -     mysql> FLUSH PRIVILEGES;
        (This tells the server to re-read the grant tables. Otherwise, the changes go unnoticed until you restart the server. Not required when you use GRANT.)
  • 15. Create db-specific accounts using a "GRANT" command
      -     shell> mysql --user=root -p mysql
      -     mysql> GRANT SELECT,INSERT,UPDATE,DELETE,CREATE,DROP ON bankaccount.* TO 'custom'@'localhost' IDENTIFIED BY 'obscure';
      -     mysql> GRANT SELECT,INSERT,UPDATE,DELETE,CREATE,DROP ON expenses.* TO 'custom'@'whitehouse.gov' IDENTIFIED BY 'obscure';
      -     mysql> GRANT SELECT,INSERT,UPDATE,DELETE,CREATE,DROP ON customer.* TO 'custom'@'server.domain' IDENTIFIED BY 'obscure';
      - All 3 accounts have username = 'custom' and password = 'obscure'
      - The first account can access the bankaccount database, but only from the local host.
      - The second account can access the expenses database, but only from the host whitehouse.gov.
      - The third account can access the customer database, but only from the host server.domain.
  • 16. Create db-specific accounts using an "INSERT" command
      -     shell> mysql --user=root -p mysql
      -     mysql> INSERT INTO user (Host,User,Password, ssl_cipher, x509_issuer, x509_subject) VALUES('localhost','custom',PASSWORD('obscure'), '', '', '');
      -     mysql> INSERT INTO user (Host,User,Password, ssl_cipher, x509_issuer, x509_subject) VALUES('whitehouse.gov','custom',PASSWORD('obscure'), '', '', '');
      -     mysql> INSERT INTO user (Host,User,Password, ssl_cipher, x509_issuer, x509_subject) VALUES('server.domain','custom',PASSWORD('obscure'), '', '', '');
        (No privileges assigned yet; all privileges are set to 'N' by default)
      - In addition to the user table, we also insert into the db table for each account
      -     mysql> INSERT INTO db (Host,Db,User,Select_priv,Insert_priv, Update_priv,Delete_priv,Create_priv,Drop_priv) VALUES('localhost','bankaccount','custom', 'Y','Y','Y','Y','Y','Y');
      -     mysql> INSERT INTO db (Host,Db,User,Select_priv,Insert_priv, Update_priv,Delete_priv,Create_priv,Drop_priv) VALUES('whitehouse.gov','expenses','custom', 'Y','Y','Y','Y','Y','Y');
      -     mysql> INSERT INTO db (Host,Db,User,Select_priv,Insert_priv, Update_priv,Delete_priv,Create_priv,Drop_priv) VALUES('server.domain','customer','custom', 'Y','Y','Y','Y','Y','Y');
      -     mysql> FLUSH PRIVILEGES;
  • 17. Revoke Privileges
      -     mysql> REVOKE priv_type ON [object_type] FROM user
        object_type = * | *.* | db_name.* | db_name.tbl_name | tbl_name | db_name.routine_name
      - Examples:
            mysql> REVOKE SELECT ON *.* FROM 'monty'@'localhost';
        (you must have the GRANT OPTION privilege, and you must have the privileges that you are revoking)
      - To revoke all privileges:
            mysql> REVOKE ALL PRIVILEGES, GRANT OPTION FROM 'monty'@'localhost';
        (drops all global, database-, table-, column-, and routine-level privileges for 'monty'@'localhost')
      - NOTE: REVOKE does not remove an account's user table record, even if you revoke all privileges for the account. (see example on next slide)
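
Added example (not part of the original slides): read-only audit queries over the grant tables described above, useful after accounts have been created or edited by hand. They assume the MySQL 5.1 grant-table layout the slides use, where mysql.user has a Password column (later MySQL versions store the hash in a different column), and an account with SELECT on the mysql database.

```sql
-- Added example: read-only audit of the grant tables (MySQL 5.1 layout assumed).

-- 1. Accounts with an empty password, e.g. accounts created by GRANT without
--    IDENTIFIED BY or by INSERT ... Password='' (slides 13 and 14).
SELECT Host, User
FROM mysql.user
WHERE Password = '';

-- 2. Identities holding global administrative privileges. Rows in the user
--    table apply at *.* scope, e.g. monty and admin on slide 13.
SELECT Host, User, Grant_priv, Super_priv, File_priv,
       Reload_priv, Process_priv, Shutdown_priv, Create_user_priv
FROM mysql.user
WHERE 'Y' IN (Grant_priv, Super_priv, File_priv,
              Reload_priv, Process_priv, Shutdown_priv, Create_user_priv);

-- 3. Database-level grants per identity. The same User from a different Host
--    is a separate row with its own privileges (custom on slides 15 and 16).
SELECT User, Host, Db, Select_priv, Insert_priv, Update_priv,
       Delete_priv, Create_priv, Drop_priv, Grant_priv
FROM mysql.db
ORDER BY User, Host, Db;

-- 4. db rows with no matching user row: candidates for leftovers from editing
--    the grant tables with INSERT/DELETE instead of GRANT/REVOKE/DROP USER.
SELECT d.Host, d.User, d.Db
FROM mysql.db AS d
LEFT JOIN mysql.user AS u
       ON u.Host = d.Host AND u.User = d.User
WHERE u.User IS NULL;
```

For a single identity, SHOW GRANTS FOR 'user'@'host' (slide 11) gives the same information in GRANT-statement form.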
