Explains the differences in user authorization between SQL Server and MariaDB, noting that MariaDB uses accounts ('user'@'host') rather than users and logins, and detailing privilege levels.
MariaDB authorizes access and checks permissions on accounts, rather than users. Even though MariaDB supports standard SQL commands like CREATE USER and DROP USER, it is important to remember that it actually works with accounts.
An account is specified in the format 'user'@'host'. The quotes are optional and allow one to include special characters, like dots. The host part can actually be a pattern, which follows the same syntax used in LIKE comparisons. Patterns are often convenient because they can match several hostnames.
Here are some examples:

```sql
CREATE USER 'tom'@'example.com';
CREATE USER 'tom'@'123.123.123.123';
CREATE USER 'tom'@'tomlaptop';
```
Omitting the host part indicates an account that can access from any host. So the following statements are equivalent:

```sql
CREATE USER viviana;
CREATE USER viviana@'%';
```

However, such accounts may be unable to connect from localhost if an anonymous user ''@'%' is present.
Accounts are not bound to a specific database. They are global. Once an account is created, it is possible to assign it permissions on any existing or non-existent database.
The sql_mode system variable has a NO_AUTO_CREATE_USER flag. In recent MariaDB versions it is enabled by default. If it is not enabled, a statement specifying privileges for a non-existent account will automatically create that account.
Accounts with the same username can have different passwords.
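An added example, not from the original page, showing two same-named accounts with different host patterns and passwords, plus a check for the anonymous-account pitfall described above (account names, hosts and passwords are hypothetical):

```sql
-- Added example; 'tom', the hosts and the passwords are hypothetical.
-- Two accounts share the username but differ in host pattern and password.
CREATE USER 'tom'@'%'        IDENTIFIED BY 'secret-from-anywhere';
CREATE USER 'tom'@'10.0.0.%' IDENTIFIED BY 'secret-from-office-lan';

-- MariaDB tries the most specific matching host first, so a client connecting
-- from 10.0.0.7 is matched to 'tom'@'10.0.0.%' and must present that password.
-- Inside such a session the two functions differ:
--   USER()          -> 'tom@10.0.0.7'  (what the client sent, with its address)
--   CURRENT_USER()  -> 'tom@10.0.0.%'  (the account actually matched; its
--                                        privileges are the ones that apply)
SELECT USER(), CURRENT_USER();

-- Audit check: an account with an empty user name is anonymous and can shadow
-- 'user'@'%' accounts for connections coming from localhost.
SELECT user, host FROM mysql.user WHERE user = '';

-- Remove one if the query above reports it (host taken from that output):
DROP USER IF EXISTS ''@'localhost';
```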
By default, an account has no password. A password can be set, or changed, in the following ways:

- By specifying it in CREATE USER.
- By the user, with SET PASSWORD.
- By root, with SET PASSWORD or ALTER USER.

With all these statements (CREATE USER, ALTER USER, SET PASSWORD) it is possible to specify the password in plain or as a hash:

```sql
-- specifying plain passwords:
CREATE USER tom@'%.example.com' IDENTIFIED BY 'plain secret';
ALTER USER tom@'%.example.com' IDENTIFIED BY 'plain secret';
SET PASSWORD = PASSWORD('plain secret');   -- PASSWORD() hashes the plain text
-- specifying hashes:
CREATE USER tom@'%.example.com' IDENTIFIED BY PASSWORD 'secret hash';
ALTER USER tom@'%.example.com' IDENTIFIED BY PASSWORD 'secret hash';
SET PASSWORD = 'secret hash';              -- a bare string is stored as the hash
```
The PASSWORD() function uses the same algorithm used internally by MariaDB to generate hashes. Therefore it can be used to get a hash from a plain password. Note that this function should not be used by applications, as its output may depend on the MariaDB version and configuration.
SET PASSWORD applies to the current account by default. Superusers can change other accounts' passwords in this way:

```sql
SET PASSWORD FOR tom@'%.example.com' = PASSWORD('plain secret');
```

Passwords can have an expiry date, set by the default_password_lifetime system variable. To set a different date for a particular user:

```sql
CREATE USER 'tom'@'%.example.com' PASSWORD EXPIRE INTERVAL 365 DAY;
```

To set no expiry date for a particular user:

```sql
CREATE USER 'tom'@'%.example.com' PASSWORD EXPIRE NEVER;
```

It is also possible to lock an account with immediate effect:

```sql
CREATE USER 'tom'@'%.example.com' ACCOUNT LOCK;
```
MariaDB supports authentication plugins. These plugins implement the login step a user must pass before they can use MariaDB.
Each user has one or more authentication plugins assigned. The default one is mysql_native_password. It is the traditional login using the username and password set in MariaDB, as described above.
On UNIX systems, root is also assigned the unix_socket plugin, which allows a user logged into the operating system to be recognized by MariaDB.
Windows users may be interested in the gssapi and named_pipe plugins. GSSAPI also requires the use of a plugin on the client.
A plugin can be assigned to a user with CREATE USER, ALTER USER or GRANT, using the IDENTIFIED VIA syntax. For example:

```sql
CREATE USER username@hostname IDENTIFIED VIA gssapi;
GRANT SELECT ON db.* TO username@hostname IDENTIFIED VIA named_pipe;
```
A particular user can be required to use TLS connections. Additional requirements can be set:

- Having a valid X509 certificate.
- The certificate may be required to be issued by a particular authority.
- A particular certificate subject can be required.
- A particular certificate cipher suite can be required.

These requirements can be set with CREATE USER, ALTER USER or GRANT. For the syntax, see the documentation of those statements.
MariaDB can be bundled with several cryptography libraries, depending on its version. For more information about the libraries, and about secure connections in general, see the MariaDB documentation.
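An added example, not from the original page, walking through the TLS requirements listed above from loosest to strictest and showing how to verify them. The account, CA name, subject and cipher name are hypothetical, and the server is assumed to be configured with ssl-ca, ssl-cert and ssl-key so that it offers TLS at all.

```sql
-- Added example; 'app', the CA, the subject and the cipher are hypothetical.

-- 1. Encrypted connection required; any client certificate (or none) is accepted.
CREATE USER 'app'@'10.0.0.%' IDENTIFIED BY 'plain secret' REQUIRE SSL;

-- 2. GRANT accepts the same clause. USAGE is the placeholder privilege when
--    nothing else is being granted. X509 demands a valid client certificate.
GRANT USAGE ON *.* TO 'app'@'10.0.0.%' REQUIRE X509;

-- 3. Strictest: certificate from the internal CA, with a fixed subject, over a
--    pinned cipher. Options are combined with AND; state all of them together.
--    The cipher name must be one the server's TLS library actually offers.
ALTER USER 'app'@'10.0.0.%'
  REQUIRE ISSUER  '/CN=Example Internal CA'
      AND SUBJECT '/CN=app-service'
      AND CIPHER  'ECDHE-RSA-AES256-GCM-SHA384';

-- Review what is stored for the account:
SHOW CREATE USER 'app'@'10.0.0.%';

-- From within a client session, confirm TLS is really in use
-- (an empty Ssl_cipher value means the session is plaintext):
SHOW SESSION STATUS LIKE 'Ssl_cipher';

-- Roll back to password-only authentication if needed:
ALTER USER 'app'@'10.0.0.%' REQUIRE NONE;
```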
Permissions can be granted to accounts. As mentioned before, the specified accounts can actually be patterns, and multiple accounts may match a pattern. In this example we are creating three accounts, and we are assigning permissions to all of them:

```sql
CREATE USER 'tom'@'example.com';
CREATE USER 'tom'@'123.123.123.123';
CREATE USER 'tom'@'tomlaptop';
GRANT USAGE ON *.* TO tom@'%';
```

The following permission levels exist in MariaDB:

- global;
- database;
- table;
- column.

Note that database and schema are synonymous in MariaDB.
Permissions can be granted for non-existent objects that could exist in the future.
The list of supported privileges can be found in the GRANT documentation. Some highlights can be useful for SQL Server users:

- The USAGE privilege has no effect. The GRANT command fails if we don't grant at least one privilege; but sometimes we want to run it for other purposes, for example to require a user to use TLS connections. In such cases, it is useful to grant USAGE.
- Normally we can obtain a list of all databases for which we have at least one permission. The SHOW DATABASES permission allows getting a list of all databases.
- There is no SHOWPLAN privilege. EXPLAIN requires the SELECT privilege for each accessed table and the SHOW VIEW privilege for each accessed view. The same permissions are needed to see a table structure (SELECT) or a view definition (SHOW VIEW).
- REFERENCES has no effect.
- MariaDB does not support negative permissions (the DENY command).
Some differences concerning the SQL commands:

- In MariaDB, GRANT and REVOKE statements can only assign/revoke permissions to one user at a time.
- While we can assign/revoke privileges at column level, we have to run a GRANT or REVOKE statement for each column. The table (column_list) syntax is not recognized by MariaDB.
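An added example, not from the original page, exercising the four permission levels for one account, reviewing the result with SHOW GRANTS, and showing how to restrict access without DENY. The databases, tables and the 'report' account are hypothetical.

```sql
-- Added example; 'shop', 'hr', their tables and 'report' are hypothetical.
CREATE USER 'report'@'10.0.0.%' IDENTIFIED BY 'plain secret';

-- Global level (*.*): applies to every database, including ones created later.
GRANT SHOW DATABASES ON *.* TO 'report'@'10.0.0.%';

-- Database level: 'shop' does not have to exist yet.
GRANT SELECT ON shop.* TO 'report'@'10.0.0.%';

-- Table and column levels, on tables created here so the example is complete.
CREATE DATABASE IF NOT EXISTS shop;
CREATE TABLE IF NOT EXISTS shop.orders    (id INT, customer_id INT, total DECIMAL(10,2));
CREATE TABLE IF NOT EXISTS shop.products  (id INT, name VARCHAR(100));
CREATE TABLE IF NOT EXISTS shop.salaries  (employee_id INT, amount DECIMAL(10,2));
CREATE TABLE IF NOT EXISTS shop.audit_log (id INT, event VARCHAR(200));
CREATE DATABASE IF NOT EXISTS hr;
CREATE TABLE IF NOT EXISTS hr.employees   (id INT, name VARCHAR(100), salary DECIMAL(10,2));

-- Table level:
GRANT INSERT ON shop.audit_log TO 'report'@'10.0.0.%';

-- Column level: in MariaDB the column list follows the privilege, not the table
-- name; one statement per column, as the text above describes. 'salary' stays out.
GRANT SELECT (id)   ON hr.employees TO 'report'@'10.0.0.%';
GRANT SELECT (name) ON hr.employees TO 'report'@'10.0.0.%';

-- Review the effective set for the account:
SHOW GRANTS FOR 'report'@'10.0.0.%';

-- There is no DENY. To keep 'report' away from shop.salaries while leaving the
-- rest of 'shop' readable, replace the database-wide grant with table grants
-- on the allowed tables only.
REVOKE SELECT ON shop.* FROM 'report'@'10.0.0.%';
GRANT SELECT ON shop.orders   TO 'report'@'10.0.0.%';
GRANT SELECT ON shop.products TO 'report'@'10.0.0.%';
SHOW GRANTS FOR 'report'@'10.0.0.%';
```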
MariaDB supports roles. Permissions can be assigned to roles, and roles can be assigned to accounts.
An account may have zero or one default roles. A default role is a role that is automatically active for a user when they connect. To assign a default role to an account, or to remove it, these SQL statements can be used:

```sql
SET DEFAULT ROLE some_role FOR username@hostname;
SET DEFAULT ROLE NONE FOR username@hostname;
```

Normally a role is not a default role. If we assign a role in this way:

```sql
GRANT some_role TO username@hostname;
```

...the user will not have that role automatically enabled. They will have to enable it explicitly:

```sql
SET ROLE some_role;
```

MariaDB does not have predefined roles, like public.
For an introduction to roles, see the MariaDB documentation on roles.
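An added example, not from the original page, building a read role and a write role, granting one to the other, and using a default role so that an account connects with the least privilege and elevates only explicitly. The roles, the account and the 'shop' database are hypothetical.

```sql
-- Added example; shop_reader, shop_writer, 'alice' and 'shop' are hypothetical.
CREATE ROLE shop_reader;
CREATE ROLE shop_writer;
GRANT SELECT ON shop.* TO shop_reader;
GRANT INSERT, UPDATE, DELETE ON shop.* TO shop_writer;

-- A role can be granted to another role: activating shop_writer also brings
-- in everything shop_reader carries.
GRANT shop_reader TO shop_writer;

CREATE USER 'alice'@'%' IDENTIFIED BY 'plain secret';
GRANT shop_reader TO 'alice'@'%';
GRANT shop_writer TO 'alice'@'%';

-- Least privilege at connect time: only the read role is active by default.
SET DEFAULT ROLE shop_reader FOR 'alice'@'%';

-- In alice's own session:
SELECT CURRENT_ROLE();      -- shop_reader; an INSERT into shop.* would fail here
SET ROLE shop_writer;       -- explicit elevation for the duration of the session
SELECT CURRENT_ROLE();      -- shop_writer (shop_reader is implied via the role grant)
SET ROLE NONE;              -- back to the bare account, which holds USAGE only

-- Reviewing: what a role carries, and which accounts or roles hold it.
SHOW GRANTS FOR shop_writer;
SELECT Host, User, Role FROM mysql.roles_mapping;
```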
This page is licensed: CC BY-SA / Gnu FDL