MariaDB Authorization and Permissions for SQL Server Users
Understanding Accounts and Users
MariaDB authorizes access and check permissions on accounts, rather than users. Even if MariaDB supports standard SQL commands like
CREATE USER and
DROP USER, it is important to remember that it actually works with accounts.
An account is specified in the format
'user'@'host'. The quotes are optional and allow to include special characters, like dots. The host part can actually be a pattern, which follows the same syntax used in
LIKE comparisons. Patterns are often convenient because they can match several hostnames.
Here are some examples.
Omitting the host part indicates an account that can access from any host. So the following statements are equivalent:
CREATE USER viviana; CREATE USER viviana@'%';
Accounts are not bound to a specific database. They are global. Once an account is created, it is possible to assign it permissions on any existing or non existing database.
The sql_mode system variable has a
NO_AUTO_CREATE_USER flag. In recent MariaDB versions it is enabled by default. If it is not enabled, the
GRANT statement creates the specified account if it doesn't exist.
For more information: Account Management SQL Commands.
Setting or Changing Passwords
Accounts with the same username can have different passwords.
By default, an account has no password. A password can be set, or changed, in the following way:
- By specifying it in
- By the user, with
- By root, with
With all these statements (
SET PASSWORD) it is possible to specify the password in plain or as a hash:
-- specifying plain passwords: CREATE USER tom@'%.example.com' IDENTIFIED BY 'plain secret'; ALTER USER tom@'%.example.com' IDENTIFIED BY 'plain secret'; SET PASSWORD = 'plain secret'; -- specifying hashes: CREATE USER tom@'%.example.com' IDENTIFIED BY PASSWORD 'secret hash'; ALTER USER tom@'%.example.com' IDENTIFIED BY PASSWORD 'secret hash'; SET PASSWORD = PASSWORD('secret hash');
PASSWORD() function uses the same algorithm used internally by MariaDB to generate hashes. Therefore it can be used to get a hash from a plain password. Note that this function should not be used by applications, as its output may depend on MariaDB version and configuration.
SET PASSWORD applies to the current account, by default. Superusers can change other accounts passwords in this way:
SET PASSWORD FOR tom@'%.example.com' = PASSWORD 'secret hash';
MariaDB starting with 10.4.3
Passwords can have an expiry date, set by default_password_lifetime. To set a different date for a particular user:
CREATE USER 'tom'@'%.example.com' PASSWORD EXPIRE INTERVAL 365 DAY;
To set no expiry date for a particular user:
CREATE USER 'tom'@'%.example.com' PASSWORD EXPIRE NEVER;
For more details, see User Password Expiry.
MariaDB starting with 10.4.2
It is also possible to lock an account with immediate effect:
CREATE USER 'tom'@'%.example.com' ACCOUNT LOCK;
See Account Locking for more details.
MariaDB supports authentication plugins. These plugins implement users login and authorization before they can use MariaDB.
Each user has one or more authentication plugins assigned. The default one is mysql_native_password. It is the traditional login using the username and password set in MariaDB, as described above.
MariaDB starting with 10.4
On UNIX systems, root is also assigned the unix_socket plugin, which allows a user logged in the operating system to be recognized by MariaDB.
A plugin can be assigned to a user with
ALTER USER or
GRANT, using the
IDENTIFIED VIA syntax. For example:
CREATE USER username@hostname IDENTIFIED VIA gssapi; GRANT SELECT ON db.* TO username@hostname IDENTIFIED VIA named_pipe;
A particular user can be required to use TSL connections. Additional requirements can be set:
- Having a valid X509 certificate.
- The certificate may be required to be issued by a particular authority.
- A particular certificate subject can be required.
- A particular certificate cipher suite can be required.
These requirements can be set with
ALTER USER or
GRANT. For the syntax, see CREATE USER.
MariaDB can be bundled with several cryptography libraries, depending on its version. For more information about the libraries, see TLS and Cryptography Libraries Used by MariaDB.
For more information about secure connections, see Secure Connections Overview.
Permissions can be granted to accounts. As mentioned before, the specified accounts can actually be patterns, and multiple accounts may match a pattern. For example, in this example we are creating three accounts, and we are assigning permissions to all of them:
CREATE USER 'tom'@'example.com'; CREATE USER 'tom'@'126.96.36.199; CREATE USER 'tom'@'tomlaptop'; GRANT USAGE ON *.* TO tom@'%';
The following permission levels exist in MariaDB:
- Global privileges;
- Database privileges;
- Table privileges;
- Column privileges;
- Function and procedure privileges.
Note that database and schema are synonymous in MariaDB.
Permissions can be granted for non-existing objects, that could exist in the future.
The list of supported privileges can be found in the GRANT page. Some highlights can be useful for SQL Server users:
USAGEprivilege has no effect. The
GRANTcommand fails if we don't grant at least one privilege; but sometimes we want to run it for other purposes, for example to require a user to use TSL connections. In such cases, it is useful to grant
- Normally we can obtain a list of all databases for which we have at least one permission. The
SHOW DATABASESpermission allows getting a list of all databases.
- There is no
SHOWPLANprivilege in MariaDB. Instead,
SELECTprivilege for each accessed table and the
SHOW VIEWprivilege for each accessed view.
- The same permissions are needed to see a table structure (
SELECT) or a view definition (
REFERENCEShas no effect.
MariaDB does not support negative permissions (the
MariaDB starting with 10.0.5
MariaDB supports roles starting with version 10.0.5.
In older versions, the lack of roles support can be mitigated by using a third party stored procedures library called SecuRich.
Permissions can be assigned to roles, and roles can be assigned to accounts.
An account may have zero or one default roles. A default role is a role that is automatically active for a user when he connects. To assign an account or remove a default role, these SQL statements can be used:
SET DEFAULT ROLE some_role FOR username@hostname; SET DEFAULT ROLE NONE FOR username@hostname;
Normally a role is not a default role. If we assign a role in this way:
GRANT some_role TO username@hostname;
...the user will not have that role automatically enabled. He will have to enable it explicitly:
SET ROLE some_role;
MariaDB does not have predefined roles, like public.
For an introduction about roles, see Roles Overview.