Solved

Re: MYSQL's GRANT PROXY ON ''@'' TO 'root'@'localhost' impersonate or spoof? how/why?

Posted on 2014-02-26
Last Modified: 2014-02-27
I have been taught that:
GRANT ALL on *.* to 'ed'@'xyz.com' identified by 'mypasswd';

grants all privileges except WITH GRANT OPTION, but since PROXY ON seems to be yet another privilege not included in the ALL or ALL PRIVILEGES privilege, what is the deal here?

However, when I do a
mysql> show grants
I see another privilege I would like to better understand, namely the one in the subject here.

I read the manual, but please tell me you can fully digest this text in a meaningful way.

I mean impersonate as in act like a legal proxy? Are we talking permissions to
connect as someone else from my account? If so, how?
Why and how do I use this privilege, and can I bestow it on another user?
What are the security considerations with this privilege?
Question by:Robert Silver

Accepted Solution

by:
Dave Howe earned 500 total points
ID: 39891343
GRANT is a general-purpose command for setting things on a user account; GRANT ALL sets all the global database permissions, but doesn't set explicit permissions per-database (which is something else you can do with GRANT), proxy rights, SSL configuration settings... so ALL is in the context of "all global rights", not "all rights" or "all settings".

GRANT PROXY is an odd one. It is rarely seen, but is used when the user must log in with one set of credentials, but act on the system as another user.

For a usage scenario, let's assume that you have a module that allows a user to authenticate with AD, and that you want to allow that user to log in as "mysql-admin". Now, you *could* add a mysql-admin account to AD, but you want to retain the option to log in locally as "mysql-admin" with a local password, rather than being locked out if the link to AD is down, or the AD account is locked out, or whatever (ok, this scenario is a bit of a reach). Or maybe you want three users to log into the db as mysql-user, but use their own usernames and passwords - let's call them fred, bob and nigel.

You would first add the three accounts (I will show one, but the other two would be identical other than in name):

CREATE USER 'fred'@'%' IDENTIFIED WITH auth_plugin_ad AS 'mysql-admin';
GRANT PROXY ON 'mysql-admin'@'%' TO 'fred'@'%';

Now, *provided* 'auth_plugin_ad' supports this syntax (and not all auth plugins do), when user "fred" logs in with his AD password, he appears to the database as user "mysql-admin" - does that make sense?

In practice, I have never used this, nor do I know anyone who has - but the functionality is there in case you need it :)
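An added example, not part of the answer above: audit queries a DBA could run to review what PROXY grants expose, including the `''@''` form from the question title. It assumes an account with SELECT on the `mysql` schema and reuses the answer's hypothetical accounts `'fred'@'%'` and `'mysql-admin'@'%'`.

```sql
-- Added example. 'fred'@'%' and 'mysql-admin'@'%' are the hypothetical
-- accounts from the answer above, not real accounts on your server.

-- 1. Inventory every PROXY grant. An empty Proxied_user ('') matches any
--    account, and With_grant = 1 means the holder can pass the right on.
SELECT User, Host, Proxied_user, Proxied_host, With_grant, Grantor,
       CASE
         WHEN Proxied_user = '' AND With_grant = 1
           THEN 'may proxy as any account and re-grant'
         WHEN Proxied_user = ''
           THEN 'may proxy as any account'
         WHEN With_grant = 1
           THEN 'may re-grant this proxy right'
         ELSE 'single proxied account'
       END AS review_note
FROM mysql.proxies_priv
ORDER BY (Proxied_user = '') DESC, With_grant DESC, User, Host;

-- 2. A proxy user inherits the privileges of the proxied account, so
--    review what that account can do.
SHOW GRANTS FOR 'mysql-admin'@'%';

-- 3. Inside a session: USER() is the name the client logged in with,
--    CURRENT_USER() is the account whose privileges are in effect, and
--    @@proxy_user is NULL when no proxying took place.
SELECT USER()         AS logged_in_as,
       CURRENT_USER() AS acting_as,
       @@proxy_user   AS proxy_account;

-- 4. Remove a proxy mapping that is no longer needed.
REVOKE PROXY ON 'mysql-admin'@'%' FROM 'fred'@'%';
```

Query 3 is the one to log or check when attributing actions, because statements run by a proxy user are authorized as the proxied account.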

Author Closing Comment

by:Robert Silver
ID: 39892407
Thank you for that excellent explanation - you should consider authoring a book.

Expert Comment

by:Dave Howe
ID: 39892414
Nah, I don't know enough about mysql to compete with the hundreds of books out there :)