
Re:  MYSQL's  GRANT PROXY ON ''@'' TO 'root'@'localhost' impersonate or spoof? how/why?

Posted on 2014-02-26
Last Modified: 2014-02-27
I have been taught that:
GRANT ALL on *.* to 'ed'@'xyz.com' identified by 'mypasswd';

grants all privileges except WITH GRANT OPTION, but since PROXY ON seems to be yet another privilege not included in the ALL or ALL PRIVILEGES privilege, what is the deal here?

However, when I do a
mysql> show grants
I see another privilege I would like to better understand, namely the one in the subject here.

I read the manual, but please tell me you can fully digest this text in a meaningful way.

I mean impersonate as in act like a legal proxy? Are we talking about permissions to connect as someone else from my account? If so, how?
Why and how do I use this privilege, and can I bestow it on another user?
What are the security considerations with this privilege?
Question by:Robert Silver
Accepted Solution

by:
Dave Howe earned 2000 total points
ID: 39891343
GRANT is a general purpose command for setting things on a user account; GRANT ALL sets all the global database permissions, but doesn't set explicit permissions per-database (which is something else you can do with GRANT), proxy rights, SSL configuration settings... so ALL is in the context of "all global rights" not "all rights" or "all settings"

GRANT PROXY is an odd one. It is rarely seen, but is used when the user must log in with one set of credentials, but act on the system as another user.

For a usage scenario, let's assume that you have a module that allows a user to authenticate with AD, and that you want to allow that user to log in as "mysql-admin". Now, you *could* add a mysql-admin account to AD, but you want to retain the option to log in locally as "mysql-admin" with a local password, rather than being locked out if the link to AD is down, or the AD account is locked out, or whatever (OK, this scenario is a bit of a reach). Or maybe you want three users to log into the db as mysql-user, but use their own usernames and passwords. Let's call them fred, bob and nigel.

You would first add the three accounts (I will show one, but the other two would be identical other than in name):

CREATE USER 'fred'@'%' IDENTIFIED WITH auth_plugin_ad AS 'mysql-admin';
GRANT PROXY ON 'mysql-admin'@'%' TO 'fred'@'%';

Now, *provided* 'auth_plugin_ad' supports this syntax (and not all auth plugins do), when user "fred" logs in with his AD password, he appears to the database as user "mysql-admin". Does that make sense?

In practice, I have never used this, nor do I know anyone who has - but the functionality is there in case you need it :)
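The setup from the answer above, extended with the checks that cover the question's "can I bestow it" and "security considerations" points. This is an added example, not part of the original thread: `auth_plugin_ad` is the answer's hypothetical plugin name, and the password is a constructed placeholder.

```sql
-- Added example. 'auth_plugin_ad' is hypothetical (taken from the answer);
-- use an authentication plugin that actually supports proxy users.

-- 1. Proxied account: this is the account whose privileges the session gets,
--    so grant it only what the shared role needs.
CREATE USER 'mysql-admin'@'%' IDENTIFIED BY 'constructed-placeholder-password';

-- 2. Proxy account: authenticates externally and needs no privileges of its
--    own beyond PROXY on the account it maps to.
CREATE USER 'fred'@'%' IDENTIFIED WITH auth_plugin_ad AS 'mysql-admin';
GRANT PROXY ON 'mysql-admin'@'%' TO 'fred'@'%';

-- 3. Run inside fred's session: both identities stay visible, which is what
--    keeps individual accountability when several people share one role.
SELECT USER()         AS login_name,        -- fred@<client host>
       CURRENT_USER() AS effective_account, -- mysql-admin@%
       @@proxy_user   AS proxy_account;     -- 'fred'@'%' (NULL if not proxied)

-- 4. Audit: who may act as whom, and who may pass that right on.
--    With_grant = 1 means the holder can GRANT PROXY to other accounts.
SELECT User, Host, Proxied_user, Proxied_host, With_grant, Grantor
FROM mysql.proxies_priv
ORDER BY With_grant DESC, User, Host;

-- 5. An empty Proxied_user means "any account". The grant in the question
--    title, PROXY ON ''@'' TO 'root'@'localhost', is such a row. Flag any
--    other holder of a wildcard proxy grant for review.
SELECT User, Host, With_grant
FROM mysql.proxies_priv
WHERE Proxied_user = ''
  AND NOT (User = 'root' AND Host = 'localhost');

-- 6. Bestowing PROXY requires holding it WITH GRANT OPTION for the proxied
--    account. Withdraw it when the mapping is no longer needed:
REVOKE PROXY ON 'mysql-admin'@'%' FROM 'fred'@'%';
SHOW GRANTS FOR 'fred'@'%';
```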
Author Closing Comment

by:Robert Silver
ID: 39892407
Thank you for that excellent explanation - You should consider authoring a book
Expert Comment

by:Dave Howe
ID: 39892414
Nah, I don't know enough about mysql to compete with the hundreds of books out there :)