  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 3235

Re: MYSQL's GRANT PROXY ON ''@'' TO 'root'@'localhost' impersonate or spoof? how/why?

I have been taught that:
GRANT ALL on *.* to 'ed'@'xyz.com' identified by 'mypasswd';

grants all privileges except WITH GRANT OPTION, but since PROXY ON seems to be yet another privilege not included in ALL or ALL PRIVILEGES, what is the deal here?

However, when I do a
mysql> SHOW GRANTS
I see another privilege I would like to better understand, namely the one in the subject here:

I read the manual, but please tell me you can fully digest this text in a meaningful way.

I mean impersonate as in act like a legal proxy? Are we talking about permission to
connect as someone else from my account, and if so, how?
Why and how do I use this privilege, and can I bestow it on another user?
What are the security considerations with this privilege?
Asked by Robert Silver
1 Solution
 
Dave Howe commented:
GRANT is a general purpose command for setting things on a user account; GRANT ALL sets all the global database permissions, but doesn't set explicit permissions per-database (which is something else you can do with GRANT), proxy rights, SSL configuration settings... so ALL is in the context of "all global rights" not "all rights" or "all settings"

GRANT PROXY is an odd one. It is rarely seen, but is used when the user must log in with one set of credentials, but act on the system as another user.

For a usage scenario, let's assume that you have a module that allows a user to authenticate with AD, and that you want to allow that user to log in as "mysql-admin". Now, you *could* add a mysql-admin account to AD, but you want to retain the option to log in locally as "mysql-admin" with a local password, rather than being locked out if the link to AD is down, or the AD account is locked out, or whatever (ok, this scenario is a bit of a reach). Or maybe you want three users to log into the db as mysql-user, but use their own usernames and passwords - let's call them fred, bob and nigel.

You would first add the three accounts (I will show one, but the other two would be identical other than in name):

CREATE USER 'fred'@'%' IDENTIFIED WITH auth_plugin_ad AS 'mysql-admin';
GRANT PROXY ON 'mysql-admin'@'%' TO 'fred'@'%';

Now, *provided* 'auth_plugin_ad' supports this syntax (and not all auth plugins do), when user "fred" logs in with his AD password, he appears to the database as user "mysql-admin" - does that make sense?

In practice, I have never used this, nor do I know anyone who has - but the functionality is there in case you need it :)
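The fred -> mysql-admin scenario from the answer above, carried through end to end as an added example (this is not code from the original thread or from MySQL's own documentation). It uses the built-in mysql_native_password plugin instead of a hypothetical AD plugin, so it assumes MySQL 5.7.7 or later, where the server can perform the proxy mapping itself once the system variables check_proxy_users and mysql_native_password_proxy_users are ON; with an external plugin (PAM, LDAP, Windows authentication) the plugin returns the proxied name and those two variables are not involved. Account names and passwords are made up for illustration.

```sql
-- Added example, not from the original thread. Assumes MySQL 5.7.7+ with
-- server-side proxy mapping for the native password plugin. All account
-- names and passwords here are illustrative.

-- 1. Let the server map proxy users for mysql_native_password logins.
SET GLOBAL check_proxy_users = ON;
SET GLOBAL mysql_native_password_proxy_users = ON;

-- 2. The proxied account carries the real privileges. Nobody should be
--    able to log in as it directly, so give it the mysql_no_login plugin
--    (ships with the server; install once) instead of a password.
INSTALL PLUGIN mysql_no_login SONAME 'mysql_no_login.so';
CREATE USER 'mysql-admin'@'%' IDENTIFIED WITH mysql_no_login;
GRANT ALL ON *.* TO 'mysql-admin'@'%';

-- 3. Each person gets their own credential and only the right to act as
--    mysql-admin. fred holds no privileges of his own (USAGE only), and
--    should hold PROXY on exactly one proxied account so the mapping is
--    unambiguous.
CREATE USER 'fred'@'%' IDENTIFIED WITH mysql_native_password BY 'fred-own-password';
GRANT PROXY ON 'mysql-admin'@'%' TO 'fred'@'%';

CREATE USER 'bob'@'%' IDENTIFIED WITH mysql_native_password BY 'bob-own-password';
GRANT PROXY ON 'mysql-admin'@'%' TO 'bob'@'%';

-- 4. "Can I bestow it on another user?": WITH GRANT OPTION on the PROXY
--    grant itself lets bob hand out PROXY ON mysql-admin to others.
GRANT PROXY ON 'mysql-admin'@'%' TO 'bob'@'%' WITH GRANT OPTION;

-- 5. What a proxied session looks like. Run this after connecting as fred
--    with fred's own password: USER() is the identity that authenticated,
--    CURRENT_USER() is the identity whose privileges are checked (the
--    proxied account), and @@proxy_user is the proxying account, or NULL
--    when no proxying took place.
SELECT USER(), CURRENT_USER(), @@proxy_user;

-- 6. Audit: every PROXY grant on the server lives in one table, including
--    the default GRANT PROXY ON ''@'' TO 'root'@'localhost' WITH GRANT
--    OPTION that prompted the question.
SELECT User, Host, Proxied_user, Proxied_host, With_grant, Grantor
FROM mysql.proxies_priv
ORDER BY User, Host;
SHOW GRANTS FOR 'fred'@'%';

-- 7. Taking the right back.
REVOKE PROXY ON 'mysql-admin'@'%' FROM 'bob'@'%';
```

Two security points follow from the mechanics. First, PROXY ON some account is worth exactly that account's privileges: granting fred PROXY on an account that holds ALL ON *.* is the same as granting fred ALL, so treat PROXY grants with the same care as SUPER or GRANT OPTION and review mysql.proxies_priv alongside mysql.user. Second, the entry from the question's subject line is the default that makes the feature administrable at all: root's PROXY privilege on the anonymous ''@'' account WITH GRANT OPTION is what lets root grant PROXY on any account, so it should stay confined to the administrative account and never be copied onto application logins. Proxying is decided once, at connection time, by the plugin or by the server-side mapping above; there is no later switch into another identity within the session.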
 
Robert Silver (Author) commented:
Thank you for that excellent explanation - You should consider authoring a book
 
Dave Howe commented:
Nah, I don't know enough about mysql to compete with the hundreds of books out there :)
