How to curb the appetite of your BI team and other useful tricks

By Bryan O’Neal GoDaddy MySQL DBA

 Syntax ◦ GRANT {permissions} ON database.table TO ◦ REVOKE {permissions} ON database.table FROM  ◦ GRANT USAGE ON foobar.* TO IDENTIFIED BY ‘Pass1‘ ◦ GRANT SELECT ON foobar.* TO IDENTIFIED BY ‘Pass2‘  Implicit User Creation ◦ GRANT USAGE ON foobar.* TO IDENTIFIED BY ‘Pass1‘ ◦ IDENTIFIED BY ‘PASSWORD_IN_PLAIN_TEXT’ ◦ IDENTIFIED BY PASSWORD ‘PASSWORD_HASH’  Multi user grants ◦ GRANT SELECT ON foobar.* TO IDENTIFIED BY ‘change_me’

 Wild cards are object based * or text based %  All Tables in a database ◦ GRANT SELECT ON ‘shard_A01’.* TO IDENTIFIED BY ‘app_passwd';  All databases that match a pattern ◦ GRANT SELECT ON `shard\_%`.* TO IDENTIFIED BY ‘app_passwd';  Wild cards in user names are not allowed  ◦ But you can issue grants to more then one user at a time

 Multiple Matches ◦ GRANT SELECT ON foobar.* TO IDENTIFIED BY ‘Pass2‘ ◦ GRANT SELECT ON foobar.* TO IDENTIFIED BY ‘Pass1‘ ◦ GRANT SELECT ON foobar.* TO IDENTIFIED BY ‘Pass2‘ ◦ GRANT SELECT ON foobar.* TO IDENTIFIED BY ‘Pass1‘ ◦ GRANT SELECT ON foobar.* TO IDENTIFIED BY ‘Pass2‘ ◦ GRANT SELECT ON foobar.* TO IDENTIFIED BY ‘Pass2‘  SELECT USER()  SELECT CURRENT_USER()  Hard CIDR ◦ What if I want to give access to the range of IPs like /27? ◦ GRANT USAGE ON foobar.* TO

is special ◦ TCP Stack vs Socket (Or named pipe)  Name Resolution ◦ Every time you use a name like foo.com you delay connections ◦ Mutex lock on gethostbyaddr() & gethostbyname() in older systems ◦ This even happens on IP based grants like ◦ Set skip-name-resolve ◦ DNS attacks like CVE

 Database ◦ GRANT ALL PRIVILEGES ON database.* TO  Table/View ◦ GRANT ALL PRIVILEGES ON database.table TO ◦ WITH GRANT OPTION  Column ◦ GRANT SELECT (column) ON database.table TO  Routine ◦ GRANT EXECUTE ON database.* TO ◦ GRANT EXECUTE ON PROCEDURE database.procname TO

 Proxy users let you have multiple combos use a single set of permissions. -- grant PROXY privilege for proxy user to proxied user GRANT PROXY ON TO -- create proxy user CREATE USER IDENTIFIED WITH my_auth_plugin AS 'my_auth_string'; -- create proxied user CREATE USER IDENTIFIED BY 'employee_pass';

 System settings to curb usage for all users ◦ max_connect_errors ◦ max_connections ◦ max_user_connections ◦ max_execution_time (Only in 5.7) ◦ net_write_timeout ◦ net_read_timeout ◦ wait_timeout ◦ interactive_timeout  The clever user can override the session variables post connection using SET.  FLUSH HOSTS will reset connect errors

 Per user limits: ◦ GRANT ALL ON database.* TO WITH MAX_QUERIES_PER_HOUR 20 ◦ GRANT ALL ON database.* TO WITH MAX_QUERIES_PER_HOUR 20 MAX_UPDATES_PER_HOUR 5  That’s cool! What else can it do? ◦ MAX_QUERIES_PER_HOUR ◦ MAX_UPDATES_PER_HOUR ◦ MAX_CONNECTIONS_PER_HOUR ◦ MAX_USER_CONNECTIONS  Do Over! ◦ A ‘FLUSH USER RESOURCES’ will reset all limits for all users

 How Password Expiration is Set ◦ Global default: default_password_lifetime=1036 ◦ ALTER USER PASSWORD EXPIRE DEFAULT; ◦ ALTER USER PASSWORD EXPIRE INTERVAL 90 DAY; ◦ ALTER USER PASSWORD EXPIRE NEVER; ◦ ALTER USER PASSWORD EXPIRE;  Sandbox ◦ SET PASSWORD FOR = PASSWORD('auth_string'); ◦ SET PASSWORD = PASSWORD('auth_string'); mysql> SELECT 1; ERROR 1820 (HY000): You must SET PASSWORD before executing this statement

 Benefits to being super ◦ Reserved connections!  Default is a single reserved connection  Patch for 10  mysqld.cc : thd->scheduler->max_connections + 10 ◦ License to Kill!  You can kill your own threads but super lets you kill everyone's ◦ Writes with read_only  Patches exist for super_read_only ◦ Purge binlogs, change master, set dynamic global variables, etc.

 CREATE TABLESPACE  FILE  PROCESS  RELOAD  REPLICATION CLIENT  REPLICATION SLAVE  SHOW DATABASES  SHUTDOWN  SUPER

 DB Governor ◦ Cloud Linux – Usually used for hosting like CPanel ◦ Difficult to maintain with other custom patches ◦ Heavy handed solution  Write Your Own with Percona’s User Stats! ◦ CPU_TIME ◦ BUSY_TIME ◦ BYTES_RECEIVED ◦ BYTES_SENT | Field | | USER | | TOTAL_CONNECTIONS | | CONCURRENT_CONNECTIONS | | CONNECTED_TIME | | BUSY_TIME | | CPU_TIME | | BYTES_RECEIVED | | BYTES_SENT | | BINLOG_BYTES_WRITTEN | | ROWS_FETCHED | | ROWS_UPDATED | | TABLE_ROWS_READ | | SELECT_COMMANDS | | UPDATE_COMMANDS | | OTHER_COMMANDS | | COMMIT_TRANSACTIONS | | ROLLBACK_TRANSACTIONS | | DENIED_CONNECTIONS | | LOST_CONNECTIONS | | ACCESS_DENIED | | EMPTY_QUERIES | | TOTAL_SSL_CONNECTIONS |

 The mysql database holds 5 user tables controlling permissions: ◦ The user table contains a record for each account known to the server. The user record for an account lists its global privileges, resource limits it is subject to, and SSL info. ◦ The db table lists database-specific privileges for accounts. ◦ The tables_priv table lists table-specific privileges for accounts. ◦ The columns_priv table lists column-specific privileges for accounts. ◦ The procs_priv table lists privileges that accounts have for stored procedures and functions.

 If you use Tapestry/Struts  & you use stored procedures ◦ Execute is not enough to use stored procedures or functions  Unless you add SELECT ON mysql.proc

GRANT priv_type [(column_list)] [, priv_type [(column_list)]]... ON [object_type] object TO user_specification [, user_specification]... [REQUIRE {NONE | tsl_option [[AND] tsl_option]...}] [WITH {GRANT OPTION | resource_option}...] GRANT PROXY ON user_specification TO user_specification [, user_specification]... [WITH GRANT OPTION]

object_type: { TABLE | FUNCTION | PROCEDURE } priv_level: { * | *.* | db_name.* | db_name.tbl_name | tbl_name | db_name.routine_name } user_specification: user [ auth_option ] } auth_option: { # As of MySQL IDENTIFIED BY 'auth_string' | IDENTIFIED BY PASSWORD 'hash_string' | IDENTIFIED WITH auth_plugin | IDENTIFIED WITH auth_plugin BY 'auth_string' | IDENTIFIED WITH auth_plugin AS 'hash_string' } tsl_option: { SSL | X509 | CIPHER 'cipher' | ISSUER 'issuer' | SUBJECT 'subject' } resource_option: { | MAX_QUERIES_PER_HOUR count | MAX_UPDATES_PER_HOUR count | MAX_CONNECTIONS_PER_HOUR count | MAX_USER_CONNECTIONS count } GRANT priv_type [(column_list)] [, priv_type [(column_list)]]... ON [object_type] priv_level TO user_specification [, user_specification]... [REQUIRE {NONE | tsl_option [[AND] tsl_option]...}] [WITH {GRANT OPTION | resource_option}...]