Re: MySQL's GRANT PROXY ON ''@'' TO 'root'@'localhost' impersonate or spoof? how/why?

I have been taught that:
GRANT ALL on *.* to 'ed'@'xyz.com' identified by 'mypasswd';

grants all privileges except WITH GRANT OPTION. But since PROXY seems to be yet another privilege not included in ALL or ALL PRIVILEGES, what is the deal here?

However, when I do a
mysql> show grants
I see another privilege I would like to better understand, namely the one in the subject here:

I read the manual, but please tell me you can fully digest this text in a meaningful way.

I mean impersonate as in act like a legal proxy? Are we talking permissions to connect as someone else from my account? If so, how?
Why and how do I use this privilege, and can I bestow it on another user?
What are the security considerations with this privilege?
Robert Silver, Sr. Software Engineer, asked:
Dave Howe, Software and Hardware Engineer, commented:
GRANT is a general-purpose command for setting things on a user account. GRANT ALL sets all the global database permissions, but doesn't set explicit per-database permissions (which is something else you can do with GRANT), proxy rights, SSL configuration settings... so ALL is in the context of "all global rights", not "all rights" or "all settings".

GRANT PROXY is an odd one. It is rarely seen, but is used when the user must log in with one set of credentials but act on the system as another user.

For a usage scenario, let's assume that you have a module that allows a user to authenticate with AD, and that you want to allow that user to log in as "mysql-admin". Now, you *could* add a mysql-admin account to AD, but you want to retain the option to log in locally as "mysql-admin" with a local password, rather than being locked out if the link to AD is down, or the AD account is locked out, or whatever (ok, this scenario is a bit of a reach). Or maybe you want three users to log into the db as mysql-user, but use their own usernames and passwords; let's call them fred, bob and nigel.

You would first add the three accounts (I will show one, but the other two would be identical other than in name):

-- 'auth_plugin_ad' stands for whatever AD authentication plugin is installed;
-- the AS clause names the account fred should be mapped to.
CREATE USER 'fred'@'%' IDENTIFIED WITH auth_plugin_ad AS 'mysql-admin';
-- fred is allowed to act as mysql-admin.
GRANT PROXY ON 'mysql-admin'@'%' TO 'fred'@'%';

Now, *provided* 'auth_plugin_ad' supports this syntax (and not all auth plugins do), when user "fred" logs in with his AD password, he appears to the database as user "mysql-admin". Does that make sense?

In practice, I have never used this, nor do I know anyone who has - but the functionality is there in case you need it :)
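The answer above depends on an external authentication plugin that knows how to request proxying. The following is an added example (editor's code, not part of the original post or answer) that exercises the same GRANT PROXY mechanism on a stock MySQL 5.7.7+/8.0 server with only the built-in mysql_native_password plugin, by turning on the server-side proxy mapping variables check_proxy_users and mysql_native_password_proxy_users. The account names 'mysql-admin' and 'fred' and their passwords are hypothetical. It also shows where the grant from the question's subject line, PROXY ON ''@'' for root@localhost, lives.

```sql
-- Added example (editor's, not from the original post): proxy users with
-- the built-in mysql_native_password plugin. Account names are hypothetical.

-- 1. Let the built-in password plugin honour PROXY grants. Without both of
--    these, a PROXY grant is simply ignored for mysql_native_password users.
SET GLOBAL check_proxy_users = ON;
SET GLOBAL mysql_native_password_proxy_users = ON;

-- 2. The proxied account owns the privileges. Its password is generated once
--    and never handed out, so the only way to act as it is via a proxy grant.
CREATE USER 'mysql-admin'@'%'
  IDENTIFIED WITH mysql_native_password BY 'long-random-never-shared';
GRANT ALL ON *.* TO 'mysql-admin'@'%';

-- 3. The external account has its own credentials and no privileges of its
--    own (only USAGE). Disabling fred's login revokes his access to
--    mysql-admin without touching the shared account.
CREATE USER 'fred'@'%'
  IDENTIFIED WITH mysql_native_password BY 'freds-own-password';

-- 4. The proxy grant: fred may act as mysql-admin. Deliberately without
--    WITH GRANT OPTION, so fred cannot hand this right on to anyone else.
GRANT PROXY ON 'mysql-admin'@'%' TO 'fred'@'%';

-- 5. Where the server records proxy rights. The row for root@localhost with
--    Proxied_host = '' and Proxied_user = '' and With_grant = 1 is created
--    when the data directory is initialised; that is the grant in the
--    question's subject line, and ''@'' means "any account".
SELECT Host, User, Proxied_host, Proxied_user, With_grant
  FROM mysql.proxies_priv;

-- 6. Run from a NEW session opened as fred with fred's own password:
--    USER() is the account that authenticated, CURRENT_USER() is the account
--    whose privileges are in effect, and @@proxy_user names the proxying
--    account (it is NULL when no proxying took place).
SELECT USER(), CURRENT_USER(), @@proxy_user;

-- 7. Taking the mapping away again is symmetric.
REVOKE PROXY ON 'mysql-admin'@'%' FROM 'fred'@'%';
```

In step 6, with the grant in place, USER() reports fred, CURRENT_USER() reports mysql-admin, and privilege checks for the session are done against mysql-admin; that is the "impersonate" from the subject line. The security points to check in step 5 are which accounts hold PROXY ON ''@'' (those can become any user) and which rows carry With_grant = 1 (those can extend proxy rights to others). The default root@localhost row is expected; any other ''@'' or With_grant row should be traceable to a deliberate grant.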

Robert Silver, Sr. Software Engineer (author), commented:
Thank you for that excellent explanation - You should consider authoring a book
Dave Howe, Software and Hardware Engineer, commented:
Nah, I don't know enough about mysql to compete with the hundreds of books out there :)