administering multiple databases on one server

Posted on 2005-04-19
Last Modified: 2008-03-06
I somehow got to be 'in charge' of a MySQL database server that is to be used for many groups for different uses.

My intent is to create a database for each group and give one member of that group full permissions to that database only, but no power to mess up any other database.

So I run (for example):

mysql> create database ktest4;
mysql> grant all on ktest4.* to 'abc123'@'%' identified by 'abc123' with grant option;

This seems to work and user 'abc123' can log in to the database ktest4.

However, now when the user 'abc123' wants to change their password, I tell them to type:

mysql> SET PASSWORD FOR 'abc123'@'%' = PASSWORD('newpassword');

but they get:

ERROR 1044: Access denied for user: 'abc123@%' to database 'mysql'

Strangely, if they type just 'abc123' instead of 'abc123'@'%' - that works, even though my documentation says it's the same thing.

Also, when they want to create a new user for that database with limited privileges, I tell them to type:

mysql> grant SELECT, INSERT on ktest4.* to 'user_ktest4'@'%' identified by 'user_ktest4';

and again, they get:

ERROR 1044: Access denied for user: 'abc123@%' to database 'mysql'

Please explain this to me.  My primary documentation (MySQL by Paul DuBois) doesn't mention changes to the 'mysql' database...

Question by: red5

Expert Comment

ID: 13820760
You should try: SET PASSWORD = PASSWORD('some password')
To set the password for the current user.

You need to give the user abc123 grant options, so they can create other users with equal or lower permissions using WITH GRANT OPTION when you create the user:

Author Comment

ID: 13821267
The alternate syntax for SET PASSWORD works.

However, if you look at my original post, you can see that I *did* use 'with grant option', yet the grant command still fails.

Is it possible that 'abc123' cannot 'create' user 'user_ktest4', but only modify it?

I have given the exact commands; could you run them yourself and see if your 'abc123' account is allowed to create 'user_ktest4' ?

Expert Comment

ID: 13821372
Sorry, I must have missed that line.

On the same manual page, have you tried creating abc123 with 'CREATE USER' privileges, or modifying the user to add them?
Author Comment

ID: 13824716
'CREATE USER' is only in version 5+.  Unfortunately, I'm stuck with version 4.0.18.

I found that if I add 'INSERT' privilege to abc123 in the mysql database, then adding a no-password account works:

mysql> grant INSERT on ktest4.* to 'u4'@'%';
Query OK, 0 rows affected (0.05 sec)

but *WITH* a password fails:

mysql> grant INSERT on ktest4.* to 'uu4'@'%' identified by 'uu4';
ERROR 1044: Access denied for user: 'abc123@%' to database 'mysql'

My theory at the moment is that the failing command does an insert followed by an update to add the password.  So this may require 'UPDATE' privileges, but this scares me because then they would be able to update *any* user - even one for a different database.

Expert Comment

ID: 13825008
I must admit I have never found a need to give anyone other than root permissions to create users. I find that it's best to keep track of who your db users are and why they're being created.

Have you tried the same queries using abc123@localhost?

I just tested creating a user with usage only, but with grant option and had the same problem. I'd say that you need more privileges than is safe to give a normal user in order to let them create other users.

It might be best to make your users request new users through you instead of being able to create them themselves.

Author Comment

ID: 13825199
I was hoping to minimize my involvement once I got their db set up - my job is *not* database management and I don't want to get stuck spending too much time on it. But it looks like it might not be possible to do exactly what I want.

I think I'm going to set up my script to create an additional user account for each new database with only SELECT privileges to that database.  From there, the owner can grant INSERT or whatever privileges.

Accepted Solution

cracky earned 2000 total points
ID: 13825335
I agree. There is no reason for your users to be able to create new users. Just give them one user with all privs on their particular db and another user with SELECT, INSERT, UPDATE, DELETE. Then one more with SELECT only.

This will cover their needs and they will not need to mess around with users.
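
The three-account layout from the accepted answer, as an added example that is not part of the original thread: a Python generator that emits the per-group statements in the `GRANT ... IDENTIFIED BY` syntax used in the question, without `WITH GRANT OPTION`. The role suffixes (`_admin`, `_rw`, `_ro`), the function name `provision_sql` and the naming restrictions are assumptions made for illustration.

```python
import re
import secrets

# Hypothetical role suffixes; the privilege lists follow the accepted answer.
ROLES = [
    ("admin", "ALL PRIVILEGES"),
    ("rw", "SELECT, INSERT, UPDATE, DELETE"),
    ("ro", "SELECT"),
]

# Lowercase letters and digits only. "_" and "%" are wildcards in the database
# part of GRANT ... ON db.*, so a name containing them could match another
# group's database. Ten characters keeps "<db>_admin" within the 16-character
# user name limit of MySQL 4.0.
DB_NAME = re.compile(r"[a-z][a-z0-9]{0,9}")
HOST = re.compile(r"[A-Za-z0-9.%-]+")


def provision_sql(db, host="%"):
    """Return (statements, credentials) for one group's database."""
    if not DB_NAME.fullmatch(db):
        raise ValueError(f"unsafe database name: {db!r}")
    if not HOST.fullmatch(host):
        raise ValueError(f"unsafe host pattern: {host!r}")

    statements = [f"CREATE DATABASE `{db}`;"]
    credentials = {}
    for suffix, privileges in ROLES:
        user = f"{db}_{suffix}"
        # token_urlsafe yields only [A-Za-z0-9_-], so the value cannot break
        # out of the single-quoted SQL string.
        password = secrets.token_urlsafe(12)
        credentials[user] = password
        statements.append(
            f"GRANT {privileges} ON `{db}`.* "
            f"TO '{user}'@'{host}' IDENTIFIED BY '{password}';"
        )
    return statements, credentials


if __name__ == "__main__":
    sql, creds = provision_sql("ktest4")  # constructed sample input
    print("\n".join(sql))
    for user, password in creds.items():
        print(f"-- hand over out of band: {user} / {password}")
```

The output is meant to be reviewed and then run by the server administrator; each group receives its three credentials and never needs write access to the `mysql` database.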
