CS 122B: Projects in Database Management


  1. CS 122B: Projects in Database Management, Winter 2010
     Notes 07: DBA -- User Management in MySQL
     Professor Chen Li, Department of Computer Science, UC Irvine
     CS122B Notes 07: DBA-User Mgmt
  2. Database Administrator
     • "DBA":
         • Specialist for keeping data clean, available, and safe
         • Responsible for planning, testing, installation, tuning
     • Why do we need a DBA?
         • Proper planning is key to setting up a database application
         • Proper administration is key to running effective DB applications
         • Neither can be accomplished without a good DBA.
  3. DBA Basic Duties
     • Management - Administration procedures
         • Installation and Configuration
         • Security Administration
         • Backup and Recovery
     • Performance Tuning
         • Application Tuning
         • Database Tuning
         • Client Server Tuning
         • Parallel Query Tuning
         • Platform Specific Tuning
         • Long-running Job Tuning
  4. Security Administration
     • User Assignments
         • Create, Alter, and Drop Users
         • Monitor Users (Accounts, Roles, and Profiles)
     • Security Roles
         • Set of privileges and object grants
         • Create, Alter, and Drop Profiles
         • Create, Alter, and Drop Roles
     • Security Profiles
         • Used to restrict user(s) to a specific set of resource quotas
  5. DBA: Backup and Recovery
     • Normal OS Backup
     • Exports and Imports
     • Archive Logging of Redo Logs
     • Recovery: allows a DBA to recover to a specified day and time or transaction
  6. MySQL Database Users and Privileges
     • http://dev.mysql.com/doc/refman/5.1/en/user-account-management.html
  7. Using CREATE to add a user account
     • General syntax:
         mysql> CREATE USER user [IDENTIFIED BY [PASSWORD] 'password']
     • To use CREATE USER, you must have the global CREATE USER privilege or the INSERT privilege for the mysql database.
     • Example:
         mysql> CREATE USER 'user1'@'localhost' IDENTIFIED BY 'pass1';
       (Creates user1 with no privileges)
     • The GRANT command needs to be used to assign privileges to this user
  8. Assigning passwords
     • Using SET PASSWORD:
         shell> mysql --user=root -p mysql
         mysql> SET PASSWORD FOR 'custom'@'localhost' = PASSWORD('biscuit');
       (Only superusers like root have sufficient privileges to change passwords)
     • Using GRANT:
         mysql> GRANT USAGE ON *.* TO 'custom'@'localhost' IDENTIFIED BY 'biscuit';
       (This assigns the password without affecting the account's current privileges)
     • Using INSERT:
       We have seen how a password can be established when creating a new account
     • Using UPDATE:
       To change the password of an existing user, use the UPDATE command:
         mysql> UPDATE user SET Password = PASSWORD('bagel') WHERE Host = 'localhost' AND User = 'custom';
         mysql> FLUSH PRIVILEGES;
  9. Drop users
     • General syntax:
         mysql> DROP USER user;
     • Removes privilege rows from all grant tables for user
     • You must have the global CREATE USER privilege or the DELETE privilege for the mysql database.
  10. Privileges in MySQL
     • Privileges in MySQL: What operations are you allowed to perform?
     • Privileges are associated with identities: your username and hostname are part of your identity. Ex: joe connecting from example.office.com has a separate identity from joe who connects from home.example.com, and the two identities have separate privileges
     • Privilege information is stored in the system grant tables (e.g., user, host, db, etc.) of the mysql database
     • These tables are read into memory once, each time the MySQL server starts
     • Access control works in 2 steps:
         • When you connect, are you allowed to connect?
         • After you connect, do you have sufficient privilege for every statement you issue?
  11. Privileges (grant tables)
     • Scope columns: determine the context in which the row applies. Ex: when you connect as
         shell> mysql -u bob -p
       from the machine thomas.loc.gov, the user table row with Host='thomas.loc.gov' and User='bob' will be used to authenticate you. If you connect as:
         shell> mysql -u bob -p -D reports
       from the machine thomas.loc.gov, the db table row with Host='thomas.loc.gov', User='bob' and Db='reports' will be used to authenticate you.
     • Privilege columns: each privilege is in a separate column and is declared as ENUM('Y', 'N') DEFAULT 'N' (i.e. the default is to disable the privilege)
     • To check the privileges for host=localhost and user=testuser, use the SHOW GRANTS command (assuming you have sufficient privilege to do this):
         mysql> SHOW GRANTS FOR 'testuser'@localhost;
  12. Creating user accounts on all databases
     • Two ways to create users:
         • By using statements intended for creating accounts, such as CREATE USER or GRANT (recommended way)
         • By manipulating the MySQL grant tables directly with statements such as INSERT, UPDATE, or DELETE
  13. Using "Grant" commands
     • Connect as root to the mysql database:
         shell> mysql --user=root -p mysql
     • a. mysql> GRANT ALL PRIVILEGES ON *.* TO 'monty'@'localhost' IDENTIFIED BY 'some_pass' WITH GRANT OPTION;
       (Superuser account with full privileges to do anything; can connect only from localhost)
     • b. mysql> GRANT RELOAD,PROCESS ON *.* TO 'admin'@'localhost';
       (Allows the admin user to execute the mysqladmin reload, mysqladmin refresh, and mysqladmin flush-xxx commands, as well as mysqladmin processlist. No privileges are granted for accessing any databases)
     • c. mysql> GRANT USAGE ON *.* TO 'dummy'@'localhost';
       (No privileges are granted. Same effect as setting all the global privileges to 'N')
  14. Using "Insert" commands
     • shell> mysql --user=root -p mysql
     • mysql> INSERT INTO user VALUES('localhost','monty',PASSWORD('some_pass'), 'Y','Y','Y',….. ','Y','Y');
       (The number of Ys will depend on the version of MySQL. The PASSWORD() function is necessary for encryption. When using GRANT, encryption is done automatically)
     • mysql> INSERT INTO user SET Host='localhost', User='admin', Reload_priv='Y', Process_priv='Y', ssl_cipher='', x509_issuer='', x509_subject='';
       (The last 3 are required if strict SQL mode is enabled)
     • mysql> INSERT INTO user SET Host='localhost', User='dummy', Password='', ssl_cipher='', x509_issuer='', x509_subject='';
     • mysql> FLUSH PRIVILEGES;
       (This tells the server to re-read the grant tables. Otherwise, the changes go unnoticed until you restart the server. Not required when you use GRANT)
  15. Create db-specific accounts using a "Grant" command
     • shell> mysql --user=root -p mysql
     • mysql> GRANT SELECT,INSERT,UPDATE,DELETE,CREATE,DROP ON bankaccount.* TO 'custom'@'localhost' IDENTIFIED BY 'obscure';
     • mysql> GRANT SELECT,INSERT,UPDATE,DELETE,CREATE,DROP ON expenses.* TO 'custom'@'whitehouse.gov' IDENTIFIED BY 'obscure';
     • mysql> GRANT SELECT,INSERT,UPDATE,DELETE,CREATE,DROP ON customer.* TO 'custom'@'server.domain' IDENTIFIED BY 'obscure';
     • All 3 accounts have username = 'custom' and password = 'obscure'
     • The first account can access the bankaccount database, but only from the local host.
     • The second account can access the expenses database, but only from the host whitehouse.gov.
     • The third account can access the customer database, but only from the host server.domain.
  16. Create db-specific accounts using an "Insert" command
     • shell> mysql --user=root -p mysql
     • mysql> INSERT INTO user (Host,User,Password, ssl_cipher, x509_issuer, x509_subject) VALUES('localhost','custom',PASSWORD('obscure'), '', '', '');
     • mysql> INSERT INTO user (Host,User,Password, ssl_cipher, x509_issuer, x509_subject) VALUES('whitehouse.gov','custom',PASSWORD('obscure'), '', '', '');
     • mysql> INSERT INTO user (Host,User,Password, ssl_cipher, x509_issuer, x509_subject) VALUES('server.domain','custom',PASSWORD('obscure'), '', '', '');
       (No privilege assigned yet; all privileges are set to 'N' by default)
     • In addition to the user table, we also insert into the db table for each account:
     • mysql> INSERT INTO db (Host,Db,User,Select_priv,Insert_priv, Update_priv,Delete_priv,Create_priv,Drop_priv) VALUES('localhost','bankaccount','custom', 'Y','Y','Y','Y','Y','Y');
     • mysql> INSERT INTO db (Host,Db,User,Select_priv,Insert_priv, Update_priv,Delete_priv,Create_priv,Drop_priv) VALUES('whitehouse.gov','expenses','custom', 'Y','Y','Y','Y','Y','Y');
     • mysql> INSERT INTO db (Host,Db,User,Select_priv,Insert_priv, Update_priv,Delete_priv,Create_priv,Drop_priv) VALUES('server.domain','customer','custom', 'Y','Y','Y','Y','Y','Y');
     • mysql> FLUSH PRIVILEGES;
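The grant tables that the slides write to directly can also be read to review which identities exist and what they hold. The queries below are an added example, not part of the original slides; they only read the tables and assume the MySQL 5.1 layout of mysql.user and mysql.db used above.

```sql
-- Added example (not from the slides): read-only review of the grant tables.
-- Assumes the MySQL 5.1 column layout; on MySQL 5.7 and later the password
-- hash is stored in authentication_string instead of Password.

-- 1. Identities with an empty password, like the 'dummy' account on slide 14.
SELECT Host, User
FROM mysql.user
WHERE Password = '';

-- 2. Usernames that exist as more than one identity (same User, different
--    Host). Each row is a separate account with its own privileges, as with
--    the three 'custom' accounts on slides 15 and 16.
SELECT User, COUNT(*) AS identities, GROUP_CONCAT(Host ORDER BY Host) AS hosts
FROM mysql.user
GROUP BY User
HAVING COUNT(*) > 1;

-- 3. Identities holding administrative privileges at the global (*.*) level.
SELECT Host, User, Grant_priv, Super_priv, Reload_priv, Process_priv,
       Create_user_priv
FROM mysql.user
WHERE 'Y' IN (Grant_priv, Super_priv, Reload_priv, Process_priv,
              Create_user_priv);

-- 4. Database-level rows whose Host/User pair has no exact match in the user
--    table. Hand-written INSERT and DELETE statements against the grant
--    tables can leave such rows behind. Exact matching only: a db row with a
--    blank or pattern Host is also listed and needs a manual look.
SELECT d.Host, d.User, d.Db
FROM mysql.db AS d
LEFT JOIN mysql.user AS u
       ON u.Host = d.Host AND u.User = d.User
WHERE u.User IS NULL;
```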
  17. Revoke Privileges
     • General syntax:
         mysql> REVOKE priv_type ON [object_type] FROM user
     • object_type = * | *.* | db_name.* | db_name.tbl_name | tbl_name | db_name.routine_name
     • Examples:
         mysql> REVOKE SELECT ON *.* FROM 'monty'@'localhost';
       (You must have the GRANT OPTION privilege, and you must have the privileges that you are revoking)
     • To revoke all privileges:
         mysql> REVOKE ALL PRIVILEGES, GRANT OPTION FROM 'monty'@'localhost';
       (Drops all global, database-, table-, column-, and routine-level privileges for 'monty'@'localhost')
     • NOTE: REVOKE does not remove an account's user table record, even if you revoke all privileges for the account. (see example on next slide)
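The difference between revoking privileges and removing an account can be checked directly against the user table. The sequence below is an added example, not taken from the original slides; the account report_ro, the database reports_demo and the password are constructed for illustration, and the syntax follows the MySQL 5.1 manual the slides reference.

```sql
-- Added example (not from the slides). 'report_ro', reports_demo and the
-- password are constructed placeholders. Run as an account that holds the
-- CREATE USER privilege and the GRANT OPTION privilege.

-- 1. Create the identity. At this point it has no privileges.
CREATE USER 'report_ro'@'localhost' IDENTIFIED BY 'constructed-Passw0rd';

-- 2. Grant only what the account needs: read access to one database.
GRANT SELECT ON reports_demo.* TO 'report_ro'@'localhost';

-- 3. Review what the identity holds (a USAGE grant on *.* means no global
--    privileges).
SHOW GRANTS FOR 'report_ro'@'localhost';

-- 4. Revoke everything. This clears the privilege columns and removes the
--    database-level row.
REVOKE ALL PRIVILEGES, GRANT OPTION FROM 'report_ro'@'localhost';

-- 5. The user table record is still there, so the password still works for
--    connecting; the db table no longer has a row for the account.
SELECT Host, User FROM mysql.user WHERE User = 'report_ro';
SELECT Host, Db, User FROM mysql.db WHERE User = 'report_ro';

-- 6. Remove the identity itself when it is no longer needed.
DROP USER 'report_ro'@'localhost';

-- 7. Confirm the record is gone from the user table.
SELECT Host, User FROM mysql.user WHERE User = 'report_ro';
```

An account left in the state after step 4 can still log in, so decommissioning should end with DROP USER rather than REVOKE.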
