2020/10/27: Difference between revisions

From Woozle Writes Code
Jump to navigation Jump to search
No edit summary
No edit summary
Line 14: Line 14:
<tr><td>
<tr><td>
<source lang=mysql>
<source lang=mysql>
GRANT ALL PRIVILEGES ON *.* TO `root`@`localhost` IDENTIFIED VIA mysql_native_password USING 'invalid' OR unix_socket WITH GRANT OPTION
GRANT ALL PRIVILEGES ON *.*
GRANT PROXY ON ''@'%' TO 'root'@'localhost' WITH GRANT OPTION
  TO `root`@`localhost`
  IDENTIFIED VIA mysql_native_password
  USING 'invalid' OR unix_socket
  WITH GRANT OPTION
GRANT PROXY ON ''@'%'
  TO 'root'@'localhost'
  WITH GRANT OPTION
</source>
</source>
</td></tr>
</td></tr>
Line 72: Line 78:
ERROR 1064 (42000): You have an error in your SQL syntax; check the manual that corresponds to your MariaDB server version for the right syntax to use near 'ROLE, DROP ROLE ON *.* TO `root`@`localhost` WITH GRANT OPTION' at line 1
ERROR 1064 (42000): You have an error in your SQL syntax; check the manual that corresponds to your MariaDB server version for the right syntax to use near 'ROLE, DROP ROLE ON *.* TO `root`@`localhost` WITH GRANT OPTION' at line 1
</blockquote>
</blockquote>
Sooo... let's take a closer look at what the cloud1 setup does.
<table>
<tr><td><code>GRANT ALL PRIVILEGES ON *.*</code></td>          <td>this user is God</td></tr>
<tr><td><code>  TO `root`@`localhost`</code></td>              <td>only if connected locally</td></tr>
<tr><td><code>  IDENTIFIED VIA mysql_native_password</code></td><td>[https://mariadb.com/kb/en/authentication-plugin-mysql_native_password/ mysql_native_password plugin]</td></tr>
<tr><td><code>  USING 'invalid' OR unix_socket</code></td>      <td>"invalid" is maybe like saying FALSE -- it won't ever work? ...leaving unix_socket as the only viable option</td></tr>
<tr><td><code>  WITH GRANT OPTION</code></td>                  <td>allow user to create other users with same privileges</td></tr>
</table>

Revision as of 18:34, 27 October 2020

I've got a bit of a double-bind situation here...

  • Email retrieval on cloud5 (where it had been for some months) stopped working when I upgraded Ubuntu to 20.04. Dovecot gives errors on IMAP and POP3. Postfix (SMTP) is still working, and we are able to access email via Roundcube, but not desktop or mobile clients.
  • Meanwhile, Dovecot on the new cloud1 server is working -- but MySQL refuses to accept connections from MySQL Workbench, making it difficult to set up databases, which makes it difficult (though not impossible) to set up Roundcube there.

I'm focusing on fixing the MySQL issue, as that is a blocker on several issues.

One symptom: MySQL on cloud5 (which works properly) will only let me connect via CLI if I have a username and password. MySQL on cloud1 (not working for ssh tunnel connections) will let me connect from CLI with or without a username and with or without a password.

After looking extensively at configuration files, one relevant difference seems to be the GRANTS (SHOW GRANTS FOR 'root'@'localhost';):

cloud1 (kind of not working)

Grants for root@localhost 

GRANT ALL PRIVILEGES ON *.*
  TO `root`@`localhost`
  IDENTIFIED VIA mysql_native_password
  USING 'invalid' OR unix_socket
  WITH GRANT OPTION
GRANT PROXY ON ''@'%'
  TO 'root'@'localhost'
  WITH GRANT OPTION

2 rows in set (0.000 sec)

cloud5 (working properly)
Grants for root@localhost 
GRANT
  SELECT, INSERT, UPDATE, DELETE, CREATE, DROP, RELOAD, SHUTDOWN,
  PROCESS, FILE, REFERENCES, INDEX, ALTER, SHOW DATABASES, SUPER,
  CREATE TEMPORARY TABLES, LOCK TABLES, EXECUTE, REPLICATION SLAVE,
  REPLICATION CLIENT, CREATE VIEW, SHOW VIEW, CREATE ROUTINE, ALTER ROUTINE,
  CREATE USER, EVENT, TRIGGER, CREATE TABLESPACE, CREATE ROLE, DROP ROLE
ON *.* TO `root`@`localhost` WITH GRANT OPTION                                                                                                                                               

GRANT  
  APPLICATION_PASSWORD_ADMIN, 
  AUDIT_ADMIN,BACKUP_ADMIN,
  BINLOG_ADMIN,
  BINLOG_ENCRYPTION_ADMIN,
  CLONE_ADMIN,
  CONNECTION_ADMIN,
  ENCRYPTION_KEY_ADMIN,
  GROUP_REPLICATION_ADMIN,
  INNODB_REDO_LOG_ARCHIVE,
  INNODB_REDO_LOG_ENABLE,
  PERSIST_RO_VARIABLES_ADMIN,
  REPLICATION_APPLIER,
  REPLICATION_SLAVE_ADMIN,
  RESOURCE_GROUP_ADMIN,
  RESOURCE_GROUP_USER,
  ROLE_ADMIN,
  SERVICE_CONNECTION_ADMIN,
  SESSION_VARIABLES_ADMIN,
  SET_USER_ID,
  SHOW_ROUTINE,
  SYSTEM_USER,
  SYSTEM_VARIABLES_ADMIN,
  TABLE_ENCRYPTION_ADMIN,
  XA_RECOVER_ADMIN
ON *.* TO `root`@`localhost` WITH GRANT OPTION

GRANT PROXY ON ''@'' TO 'root'@'localhost' WITH GRANT OPTION

3 rows in set (0.00 sec)

Trying to apply the cloud5 settings to cloud1, I get this for the first GRANT query:

ERROR 1064 (42000): You have an error in your SQL syntax; check the manual that corresponds to your MariaDB server version for the right syntax to use near 'ROLE, DROP ROLE ON *.* TO `root`@`localhost` WITH GRANT OPTION' at line 1

Sooo... let's take a closer look at what the cloud1 setup does.

GRANT ALL PRIVILEGES ON *.* this user is God
TO `root`@`localhost` only if connected locally
IDENTIFIED VIA mysql_native_passwordmysql_native_password plugin
USING 'invalid' OR unix_socket "invalid" is maybe like saying FALSE -- it won't ever work? ...leaving unix_socket as the only viable option
WITH GRANT OPTION allow user to create other users with same privileges
Retrieved from "https://wooz.dev/mw/index.php?title=2020/10/27&oldid=624"