Presentation is loading. Please wait.

Presentation is loading. Please wait.

How to curb the appetite of your BI team and other useful tricks.

Published byChad Sanders Modified over 8 years ago

Similar presentations

Presentation on theme: "How to curb the appetite of your BI team and other useful tricks."— Presentation transcript:

1 How to curb the appetite of your BI team and other useful tricks

2 By Bryan O’Neal GoDaddy MySQL DBA http://www.onealeng.com

3  Syntax ◦ GRANT {permissions} ON database.table TO ‘user’@’host’ ◦ REVOKE {permissions} ON database.table FROM ‘user’@’host’  User@Host ◦ GRANT USAGE ON foobar.* TO ‘foo'@‘bar.com' IDENTIFIED BY ‘Pass1‘ ◦ GRANT SELECT ON foobar.* TO ‘foo'@‘foo.com' IDENTIFIED BY ‘Pass2‘  Implicit User Creation ◦ GRANT USAGE ON foobar.* TO ‘foo'@‘bar.com' IDENTIFIED BY ‘Pass1‘ ◦ IDENTIFIED BY ‘PASSWORD_IN_PLAIN_TEXT’ ◦ IDENTIFIED BY PASSWORD ‘PASSWORD_HASH’  Multi user grants ◦ GRANT SELECT ON foobar.* TO ‘foo'@‘foo.com‘, ‘bar'@‘foo.com‘ IDENTIFIED BY ‘change_me’

4  Wild cards are object based * or text based %  All Tables in a database ◦ GRANT SELECT ON ‘shard_A01’.* TO 'projectuser'@'%' IDENTIFIED BY ‘app_passwd';  All databases that match a pattern ◦ GRANT SELECT ON `shard\_%`.* TO 'projectuser'@'%' IDENTIFIED BY ‘app_passwd';  Wild cards in user names are not allowed  ◦ But you can issue grants to more then one user at a time

5  Multiple Matches ◦ GRANT SELECT ON foobar.* TO ‘foo'@‘8.8.8.%' IDENTIFIED BY ‘Pass2‘ ◦ GRANT SELECT ON foobar.* TO ‘foo'@‘%bar.com' IDENTIFIED BY ‘Pass1‘ ◦ GRANT SELECT ON foobar.* TO ‘foo'@‘%foo.com' IDENTIFIED BY ‘Pass2‘ ◦ GRANT SELECT ON foobar.* TO ‘foo'@‘%.com' IDENTIFIED BY ‘Pass1‘ ◦ GRANT SELECT ON foobar.* TO ‘foo'@‘%' IDENTIFIED BY ‘Pass2‘ ◦ GRANT SELECT ON foobar.* TO ‘foo'@‘' IDENTIFIED BY ‘Pass2‘  SELECT USER()  SELECT CURRENT_USER()  Hard CIDR ◦ What if I want to give access to the range of IPs like 8.8.8.128/27? ◦ GRANT USAGE ON foobar.* TO ‘foo'@‘8.8.8.128/255.255.255.224'

6  @localhost is special ◦ TCP Stack vs Socket (Or named pipe)  Name Resolution ◦ Every time you use a name like foo.com you delay connections ◦ Mutex lock on gethostbyaddr() & gethostbyname() in older systems ◦ This even happens on IP based grants like ‘foo'@‘8.8.8.%‘ ◦ Set skip-name-resolve ◦ DNS attacks like CVE-2015-7547

7  Database ◦ GRANT ALL PRIVILEGES ON database.* TO 'user'@‘10.10.10.10';  Table/View ◦ GRANT ALL PRIVILEGES ON database.table TO 'user'@‘10.10.10.10'; ◦ WITH GRANT OPTION  Column ◦ GRANT SELECT (column) ON database.table TO 'user'@‘10.10.10.10';  Routine ◦ GRANT EXECUTE ON database.* TO 'user'@‘10.10.10.10'; ◦ GRANT EXECUTE ON PROCEDURE database.procname TO 'user'@‘10.10.10.10';

8  Proxy users let you have multiple user@host combos use a single set of permissions. -- grant PROXY privilege for proxy user to proxied user GRANT PROXY ON 'employee'@'localhost' TO 'employee_ext'@'localhost'; -- create proxy user CREATE USER 'employee_ext'@'129.168.%' IDENTIFIED WITH my_auth_plugin AS 'my_auth_string'; -- create proxied user CREATE USER 'employee'@'localhost' IDENTIFIED BY 'employee_pass';

9  System settings to curb usage for all users ◦ max_connect_errors ◦ max_connections ◦ max_user_connections ◦ max_execution_time (Only in 5.7) ◦ net_write_timeout ◦ net_read_timeout ◦ wait_timeout ◦ interactive_timeout  The clever user can override the session variables post connection using SET.  FLUSH HOSTS will reset connect errors

10  Per user limits: ◦ GRANT ALL ON database.* TO ‘baduser’@’10.10.1.2’ WITH MAX_QUERIES_PER_HOUR 20 ◦ GRANT ALL ON database.* TO ‘baduser’@’10.10.1.2’ WITH MAX_QUERIES_PER_HOUR 20 MAX_UPDATES_PER_HOUR 5  That’s cool! What else can it do? ◦ MAX_QUERIES_PER_HOUR ◦ MAX_UPDATES_PER_HOUR ◦ MAX_CONNECTIONS_PER_HOUR ◦ MAX_USER_CONNECTIONS  Do Over! ◦ A ‘FLUSH USER RESOURCES’ will reset all limits for all users

11  How Password Expiration is Set ◦ Global default: default_password_lifetime=1036 ◦ ALTER USER 'jeffreyK'@'localhost' PASSWORD EXPIRE DEFAULT; ◦ ALTER USER ‘visa'@'localhost' PASSWORD EXPIRE INTERVAL 90 DAY; ◦ ALTER USER ‘myDBA'@'localhost' PASSWORD EXPIRE NEVER; ◦ ALTER USER ‘compermiseduser'@'localhost' PASSWORD EXPIRE;  Sandbox ◦ SET PASSWORD FOR 'bob'@'%.marley.org' = PASSWORD('auth_string'); ◦ SET PASSWORD = PASSWORD('auth_string'); mysql> SELECT 1; ERROR 1820 (HY000): You must SET PASSWORD before executing this statement

12  Benefits to being super ◦ Reserved connections!  Default is a single reserved connection  Patch for 10  mysqld.cc : thd->scheduler->max_connections + 10 ◦ License to Kill!  You can kill your own threads but super lets you kill everyone's ◦ Writes with read_only  Patches exist for super_read_only ◦ Purge binlogs, change master, set dynamic global variables, etc.

13  CREATE TABLESPACE  FILE  PROCESS  RELOAD  REPLICATION CLIENT  REPLICATION SLAVE  SHOW DATABASES  SHUTDOWN  SUPER

14  DB Governor ◦ Cloud Linux – Usually used for hosting like CPanel ◦ Difficult to maintain with other custom patches ◦ Heavy handed solution  Write Your Own with Percona’s User Stats! ◦ CPU_TIME ◦ BUSY_TIME ◦ BYTES_RECEIVED ◦ BYTES_SENT +------------------------+ | Field | +------------------------+ | USER | | TOTAL_CONNECTIONS | | CONCURRENT_CONNECTIONS | | CONNECTED_TIME | | BUSY_TIME | | CPU_TIME | | BYTES_RECEIVED | | BYTES_SENT | | BINLOG_BYTES_WRITTEN | | ROWS_FETCHED | | ROWS_UPDATED | | TABLE_ROWS_READ | | SELECT_COMMANDS | | UPDATE_COMMANDS | | OTHER_COMMANDS | | COMMIT_TRANSACTIONS | | ROLLBACK_TRANSACTIONS | | DENIED_CONNECTIONS | | LOST_CONNECTIONS | | ACCESS_DENIED | | EMPTY_QUERIES | | TOTAL_SSL_CONNECTIONS | +------------------------+

15  The mysql database holds 5 user tables controlling permissions: ◦ The user table contains a record for each account known to the server. The user record for an account lists its global privileges, resource limits it is subject to, and SSL info. ◦ The db table lists database-specific privileges for accounts. ◦ The tables_priv table lists table-specific privileges for accounts. ◦ The columns_priv table lists column-specific privileges for accounts. ◦ The procs_priv table lists privileges that accounts have for stored procedures and functions.

16  If you use Tapestry/Struts  & you use stored procedures ◦ Execute is not enough to use stored procedures or functions  Unless you add SELECT ON mysql.proc

17 GRANT priv_type [(column_list)] [, priv_type [(column_list)]]... ON [object_type] object TO user_specification [, user_specification]... [REQUIRE {NONE | tsl_option [[AND] tsl_option]...}] [WITH {GRANT OPTION | resource_option}...] GRANT PROXY ON user_specification TO user_specification [, user_specification]... [WITH GRANT OPTION]

18 object_type: { TABLE | FUNCTION | PROCEDURE } priv_level: { * | *.* | db_name.* | db_name.tbl_name | tbl_name | db_name.routine_name } user_specification: user [ auth_option ] } auth_option: { # As of MySQL 5.7.6 IDENTIFIED BY 'auth_string' | IDENTIFIED BY PASSWORD 'hash_string' | IDENTIFIED WITH auth_plugin | IDENTIFIED WITH auth_plugin BY 'auth_string' | IDENTIFIED WITH auth_plugin AS 'hash_string' } tsl_option: { SSL | X509 | CIPHER 'cipher' | ISSUER 'issuer' | SUBJECT 'subject' } resource_option: { | MAX_QUERIES_PER_HOUR count | MAX_UPDATES_PER_HOUR count | MAX_CONNECTIONS_PER_HOUR count | MAX_USER_CONNECTIONS count } GRANT priv_type [(column_list)] [, priv_type [(column_list)]]... ON [object_type] priv_level TO user_specification [, user_specification]... [REQUIRE {NONE | tsl_option [[AND] tsl_option]...}] [WITH {GRANT OPTION | resource_option}...]

Download ppt "How to curb the appetite of your BI team and other useful tricks."

Similar presentations

MySQL Access Privilege System

MySQL Access Privilege System
Introduction to MySQL Administration.  Server startup and shutdown ◦ How to manually start and stop it from the command line ◦ How to arrange an automated.

Introduction to MySQL Administration.  Server startup and shutdown ◦ How to manually start and stop it from the command line ◦ How to arrange an automated.
Chapter 9: Advanced SQL and PL/SQL Topics Guide to Oracle 10g.

Chapter 9: Advanced SQL and PL/SQL Topics Guide to Oracle 10g.
System Administration Accounts privileges, users and roles

System Administration Accounts privileges, users and roles
Oracle8 - The Complete Reference. Koch a& Loney1 By What Authority? Presented by Victor Matos.

Oracle8 - The Complete Reference. Koch a& Loney1 By What Authority? Presented by Victor Matos.
Administering User Security

Administering User Security
Structured Query Language SQL: An Introduction. SQL (Pronounced S.Q.L) The standard user and application program interface to a relational database is.

Structured Query Language SQL: An Introduction. SQL (Pronounced S.Q.L) The standard user and application program interface to a relational database is.
Chapter 10 Overview  Implement Microsoft Windows Authentication Mode and Mixed Mode  Assign login accounts to database user accounts and roles  Assign.

Chapter 10 Overview  Implement Microsoft Windows Authentication Mode and Mixed Mode  Assign login accounts to database user accounts and roles  Assign.
Replication with MySQL 5.1 Ligaya Turmelle Senior Technical Support Engineer - MySQL

Replication with MySQL 5.1 Ligaya Turmelle Senior Technical Support Engineer - MySQL
Oracle Database Security …from the application perspective Martin Nystrom September 2003.

Oracle Database Security …from the application perspective Martin Nystrom September 2003.
MySQL Dr. Hsiang-Fu Yu National Taipei University of Education

MySQL Dr. Hsiang-Fu Yu National Taipei University of Education
Introduction to SQL Server 2000 Security Dave Watts CTO, Fig Leaf Software

Introduction to SQL Server 2000 Security Dave Watts CTO, Fig Leaf Software
Mass user creation On our servers is used the convention, that each of user has only one database, which has the same name, as the user itself. This method.

Mass user creation On our servers is used the convention, that each of user has only one database, which has the same name, as the user itself. This method.
Today’s Objectives Chapters 10 and 11 Security in SQL Server –Manage server logins and database users. –Manage server-level, database-level, and application.

Today’s Objectives Chapters 10 and 11 Security in SQL Server –Manage server logins and database users. –Manage server-level, database-level, and application.
CHAPTER 6 Users and Basic Security. Progression of Steps for Creating a Database Environment 1. Install Oracle database binaries (Chapter 1) 2. Create.

CHAPTER 6 Users and Basic Security. Progression of Steps for Creating a Database Environment 1. Install Oracle database binaries (Chapter 1) 2. Create.
Finish configuration cloudclinica root jdbc:postgresql:5432//localhost/cc_db JDBC Url: JDBC Driver: User name: Password: ******** org.postgresql.Driver.

Finish configuration cloudclinica root jdbc:postgresql:5432//localhost/cc_db JDBC Url: JDBC Driver: User name: Password: ******** org.postgresql.Driver.
9 Copyright © 2005, Oracle. All rights reserved. Administering User Security.

9 Copyright © 2005, Oracle. All rights reserved. Administering User Security.
Introduction to databases and SQL. What is a database?  A database is an organized way of holding together pieces of information  A database refers.

Introduction to databases and SQL. What is a database?  A database is an organized way of holding together pieces of information  A database refers.
MICROSOFT SQL SERVER 2005 SECURITY  Special Purpose Logins and Users  SQL Server 2005 Authentication Modes  Permissions  Roles  Managing Server Logins.

MICROSOFT SQL SERVER 2005 SECURITY  Special Purpose Logins and Users  SQL Server 2005 Authentication Modes  Permissions  Roles  Managing Server Logins.
IS 221: DATABASE ADMINISTRATION Lecture 6:Create Users & Manage Users. Information Systems Department 1.

IS 221: DATABASE ADMINISTRATION Lecture 6:Create Users & Manage Users. Information Systems Department 1.

Similar presentations

Ads by Google