The Ultimate Guide to High Availability with MariaDB

Comments - Grants from host % vs localhost

 
3 years, 1 month ago Ian Gilfillan
Re: Grants from host % vs localhost [Answer]

Separate users are not needed. Note however that some setups create anonymous users, which can cause failures to log in as expected from localhost. See Troubleshooting Connection Issues#localhost and %

 
3 years, 1 month ago Daniel Black
Re: Grants from host % vs localhost

Yes, separate users are still needed.

To simplify grants you can use a role and grant the role to both users. Then all database grants can be placed on the role and equally apply to the foo@% and foo@localhost users.

MariaDB [(none)]> create user foo identified by 'foo';
Query OK, 0 rows affected (0.001 sec)

MariaDB [(none)]> create user foo@localhost identified by 'foo';
Query OK, 0 rows affected (0.001 sec)

MariaDB [(none)]> create role foo_role;
Query OK, 0 rows affected (0.001 sec)

MariaDB [(none)]> grant foo_role to foo;
Query OK, 0 rows affected (0.001 sec)

MariaDB [(none)]> grant foo_role to foo@localhost;
Query OK, 0 rows affected (0.001 sec)

MariaDB [(none)]> create database fdatabase;
Query OK, 1 row affected (0.001 sec)

MariaDB [(none)]> grant all on fdatabase.* to foo_role;
Query OK, 0 rows affected (0.001 sec)
 
3 years, 1 month ago Anel Husakovic
Re: Grants from host % vs localhost

Hi,

It would be much easier if you could pass the links and provide an example what you would like to achieve, but let me see if I understood you correctly.
When you grant privileges to the user, you can specify to which user@host pair it should apply.
Let's look an example. Let's create 2 users and look the privs:

MariaDB [(none)]> create user foo@'%' identified by 'foo1';
Query OK, 0 rows affected (0.02 sec)

MariaDB [(none)]> create user foo@'localhost' identified by 'foo2';
Query OK, 0 rows affected (0.00 sec)

MariaDB [(none)]> select user,host from mysql.user;
+------+-----------+
| user | host      |
+------+-----------+
| foo  | %         |
| root | 127.0.0.1 |
| root | ::1       |
|      | anel      |
| root | anel      |
|      | localhost |
| foo  | localhost |
| root | localhost |
+------+-----------+
8 rows in set (0.00 sec)

MariaDB [(none)]> show grants for foo;
+----------------------------------------------------------------------------------------------------+
| Grants for foo@%                                                                                   |
+----------------------------------------------------------------------------------------------------+
| GRANT USAGE ON *.* TO 'foo'@'%' IDENTIFIED BY PASSWORD '*6EAC5249D53050AE649BDB0CC4B85D1AE90CA16E' |
+----------------------------------------------------------------------------------------------------+
1 row in set (0.00 sec)

MariaDB [(none)]> show grants for foo@localhost;
+------------------------------------------------------------------------------------------------------------+
| Grants for foo@localhost                                                                                   |
+------------------------------------------------------------------------------------------------------------+
| GRANT USAGE ON *.* TO 'foo'@'localhost' IDENTIFIED BY PASSWORD '*3A4DD2A68933D2F38A899323EE91A540A7557C43' |
+------------------------------------------------------------------------------------------------------------+
1 row in set (0.00 sec)

Now we can specify different privileges for them:

MariaDB [(none)]> grant select on mysql.* to foo@localhost;
Query OK, 0 rows affected (0.00 sec)

MariaDB [(none)]> grant select,update on mysql.* to foo@'%';
Query OK, 0 rows affected (0.00 sec)

And let's verify they are different:

MariaDB [(none)]> show grants for foo;
+----------------------------------------------------------------------------------------------------+
| Grants for foo@%                                                                                   |
+----------------------------------------------------------------------------------------------------+
| GRANT USAGE ON *.* TO 'foo'@'%' IDENTIFIED BY PASSWORD '*6EAC5249D53050AE649BDB0CC4B85D1AE90CA16E' |
| GRANT SELECT, UPDATE ON `mysql`.* TO 'foo'@'%'                                                     |
+----------------------------------------------------------------------------------------------------+
2 rows in set (0.00 sec)

MariaDB [(none)]> show grants for foo@localhost;
+------------------------------------------------------------------------------------------------------------+
| Grants for foo@localhost                                                                                   |
+------------------------------------------------------------------------------------------------------------+
| GRANT USAGE ON *.* TO 'foo'@'localhost' IDENTIFIED BY PASSWORD '*3A4DD2A68933D2F38A899323EE91A540A7557C43' |
| GRANT SELECT ON `mysql`.* TO 'foo'@'localhost'                                                             |
+------------------------------------------------------------------------------------------------------------+

I guess this was what you are looking for?

 
Content reproduced on this site is the property of its respective owners, and this content is not reviewed in advance by MariaDB. The views, information and opinions expressed by this content do not necessarily represent those of MariaDB or any other party.