Solved

Re: MySQL's GRANT PROXY ON ''@'' TO 'root'@'localhost' impersonate or spoof? how/why?

Posted on 2014-02-26
Last Modified: 2014-02-27
I have been taught that:
GRANT ALL on *.* to 'ed'@'xyz.com' identified by 'mypasswd';

grants all privileges except WITH GRANT OPTION, but since PROXY ON seems to be yet another privilege not included in the ALL or ALL PRIVILEGES privilege, what is the deal here?

However, I see, when I do a
mysql>show grants
another privilege I would like to better understand, namely the one in the subject here.

I read the manual, but please tell me you can fully digest this text in a meaningful way.

I mean impersonate as in act like a legal proxy? Are we talking permissions to
connect as someone else from my account? If so, how?
Why and how do I use this privilege, and can I bestow it on another user?
What are the security considerations with this privilege?
0
Question by:Robert Silver
LVL 33

Accepted Solution

by:
Dave Howe earned 500 total points
ID: 39891343
GRANT is a general-purpose command for setting things on a user account; GRANT ALL sets all the global database permissions, but doesn't set explicit permissions per-database (which is something else you can do with GRANT), proxy rights, SSL configuration settings... so ALL is in the context of "all global rights", not "all rights" or "all settings".

GRANT PROXY is an odd one. It is rarely seen, but is used when the user must log in with one set of credentials, but act on the system as another user.

For a usage scenario, let's assume that you have a module that allows a user to authenticate with AD, and that you want to allow that user to log in as "mysql-admin". Now, you *could* add a mysql-admin account to AD, but you want to retain the option to log in locally as "mysql-admin" with a local password, rather than being locked out if the link to AD is down, or the AD account is locked out, or whatever (ok, this scenario is a bit of a reach). Or maybe you want three users to log into the db as mysql-user, but use their own usernames and passwords - let's call them fred, bob and nigel.

You would first add the three accounts (I will show one, but the other two would be identical other than in name):

CREATE USER 'fred'@'%' IDENTIFIED WITH auth_plugin_ad AS 'mysql-admin';
GRANT PROXY ON 'mysql-admin'@'%' TO 'fred'@'%';

Now, *provided* 'auth_plugin_ad' supports this syntax (and not all auth plugins do), when user "fred" logs in, with his AD password, he appears to the database as user "mysql-admin" - does that make sense?

In practice, I have never used this, nor do I know anyone who has - but the functionality is there in case you need it :)
0
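
The mapping described in the answer above can be audited and verified on a live server. The following is an added example, not part of the original answer: it reuses the answer's account names ('fred', 'mysql-admin') and relies on MySQL's mysql.proxies_priv table, USER(), CURRENT_USER() and the proxy_user session variable.

```sql
-- Added example; account names are the ones used in the answer above.
-- Steps 1, 2 and 4 need an administrative account that can read the mysql schema.

-- 1. List every PROXY grant: who (User@Host) may act as whom
--    (Proxied_user@Proxied_host), and who granted it.
SELECT User, Host, Proxied_user, Proxied_host, With_grant, Grantor
FROM mysql.proxies_priv
ORDER BY Proxied_user, User;

-- 2. Flag the broad rows. An empty Proxied_user/Proxied_host (''@'') covers
--    any account, and With_grant = 1 lets the holder pass PROXY on to others.
--    The 'root'@'localhost' row from the question is expected to show up here;
--    any other row deserves a second look.
SELECT User, Host, Proxied_user, Proxied_host, With_grant
FROM mysql.proxies_priv
WHERE Proxied_user = '' OR With_grant = 1;

-- 3. From inside a client session, tell a proxied login from a direct one.
--    USER()         -> the name the client connected with (e.g. fred@...)
--    CURRENT_USER() -> the account whose privileges are in effect
--                      (e.g. mysql-admin@%)
--    @@proxy_user   -> the proxy account, or NULL if no proxying took place
SELECT USER(), CURRENT_USER(), @@proxy_user;

-- 4. Withdraw the mapping when it is no longer needed, then confirm.
--    Assumes the GRANT PROXY statement from the answer was executed.
REVOKE PROXY ON 'mysql-admin'@'%' FROM 'fred'@'%';
SHOW GRANTS FOR 'fred'@'%';
```

Because a proxied session runs with the proxied account's privileges, comparing USER() with CURRENT_USER() in step 3 is how the real login behind a shared account such as 'mysql-admin' is identified.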
 
LVL 2

Author Closing Comment

by:Robert Silver
ID: 39892407
Thank you for that excellent explanation - You should consider authoring a book
0
 
LVL 33

Expert Comment

by:Dave Howe
ID: 39892414
Nah, I don't know enough about mysql to compete with the hundreds of books out there :)
0
