Difference between revisions of "AppSuite:DB user privileges"

Line 52: Line 52:
  
 
7. The changes of the privileges are noticed by the server so that the grant tables are loaded into memory again immediately after the change. You do not have to restart mysql.
 
7. The changes of the privileges are noticed by the server so that the grant tables are loaded into memory again immediately after the change. You do not have to restart mysql.
 +
 +
The grants outlined by <code><pre>SHOW GRANTS FOR 'openexchange'@'%';</pre></code> should now look like (grants for configdb, schema, global db, guard db and guard shard available):
 +
 +
<code><pre>
 +
+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
 +
| Grants for openexchange@%                                                                                                                                                            |
 +
+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
 +
| GRANT USAGE ON *.* TO 'openexchange'@'%' IDENTIFIED BY PASSWORD '*14E65567ABDB5135D0CFD9A70B3032C179A49EE7'                                                                          |
 +
| GRANT SELECT, INSERT, UPDATE, DELETE, CREATE, DROP, REFERENCES, INDEX, ALTER, CREATE TEMPORARY TABLES, LOCK TABLES, SHOW VIEW ON `configdb`.* TO 'openexchange'@'%' WITH GRANT OPTION |
 +
| GRANT SELECT, INSERT, UPDATE, DELETE, CREATE, DROP, REFERENCES, INDEX, ALTER, CREATE TEMPORARY TABLES, LOCK TABLES, SHOW VIEW ON `oxdatabase_6`.* TO 'openexchange'@'%' WITH GRANT OPTION |
 +
| GRANT SELECT, INSERT, UPDATE, DELETE, CREATE, DROP, REFERENCES, INDEX, ALTER, CREATE TEMPORARY TABLES, LOCK TABLES, SHOW VIEW ON `oxdatabase_global`.* TO 'openexchange'@'%' WITH GRANT OPTION |
 +
| GRANT SELECT, INSERT, UPDATE, DELETE, CREATE, DROP, REFERENCES, INDEX, ALTER, CREATE TEMPORARY TABLES, LOCK TABLES, SHOW VIEW ON `oxguard1`.* TO 'openexchange'@'%' WITH GRANT OPTION |
 +
| GRANT SELECT, INSERT, UPDATE, DELETE, CREATE, DROP, REFERENCES, INDEX, ALTER, CREATE TEMPORARY TABLES, LOCK TABLES, SHOW VIEW ON `oxguard`.* TO 'openexchange'@'%' WITH GRANT OPTION  |
 +
+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
 +
 +
</pre></code>
  
 
8. Execute
 
8. Execute

Revision as of 07:32, 29 September 2015

This information is valid from 7.8.0 on.
How to reduce Open-Xchange database user privileges for existing installations

Summary: This article tells you how to reduce the database user privileges in existing Open-Xchange installations to those at least required ones. Changing the existing ALL PRIVILEDGES to the provided minimum set will have no implications for running the server.

The minimum required set of privileges is: CREATE, LOCK TABLES, REFERENCES, INDEX, DROP, DELETE, ALTER, SELECT, UPDATE, INSERT, CREATE TEMPORARY TABLES, SHOW VIEW, ALTER ROUTINE, CREATE ROUTINE, EXECUTE and SHOW DATABASES.

Starting with v7.8.0 the following privileges are required: CREATE, LOCK TABLES, REFERENCES, INDEX, DROP, DELETE, ALTER, SELECT, UPDATE, INSERT, CREATE TEMPORARY TABLES, SHOW VIEW and SHOW DATABASES.

Change of existing privileges

1. Login to master mysql database using root user.

2. Detect the existing Open-Xchange users:

SELECT USER,HOST FROM mysql.user;

The output will look like outlined in the following table:

+------------------+-----------+
| user             | host      |
+------------------+-----------+
| openexchange     | %         |
| root             | 127.0.0.1 |

In this case the user for all additional processings is 'openexchange'@'%' and will be used for the description below.

3. Detect all existing privileges for the Open-Xchange user above:

SHOW GRANTS FOR 'openexchange'@'%';

The output will look like outlined in the following table. If the output is extremly different the user already has got limited privileges.

+---------------------------------------------------------------------------------------------------+
| Grants for openexchange@%                                                                         |
+---------------------------------------------------------------------------------------------------+
| GRANT ALL PRIVILEGES ON *.* TO 'openexchange'@'%' IDENTIFIED BY PASSWORD
                                                        '*ef14c45205444fdd47b6c1d88b74e1345fd0c394' |
+---------------------------------------------------------------------------------------------------+
1 row in set (0,00 sec)

4. Revoke all existing privileges for the Open-Xchange user above. Be careful to use the database@host pattern provided by the output from #3 (in this case *.*):

REVOKE ALL PRIVILEGES ON *.* FROM 'openexchange'@'%';

Hint: This must be executed for each database@hostname combination displayed in #3 (normally just *.*). Without revoking privileges you will have duplicates.

5. Create new privileges:

GRANT CREATE, LOCK TABLES, REFERENCES, INDEX, DROP, DELETE, ALTER, SELECT, UPDATE, INSERT, CREATE TEMPORARY TABLES, SHOW VIEW, SHOW DATABASES ON *.* TO 'openexchange'@'%' IDENTIFIED BY '<YOUR_DB_PASS>' WITH GRANT OPTION;


6. Write the privileges:

FLUSH PRIVILEGES;

7. The changes of the privileges are noticed by the server so that the grant tables are loaded into memory again immediately after the change. You do not have to restart mysql.

The grants outlined by

SHOW GRANTS FOR 'openexchange'@'%';

should now look like (grants for configdb, schema, global db, guard db and guard shard available):

+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| Grants for openexchange@%                                                                                                                                                             |
+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| GRANT USAGE ON *.* TO 'openexchange'@'%' IDENTIFIED BY PASSWORD '*14E65567ABDB5135D0CFD9A70B3032C179A49EE7'                                                                           |
| GRANT SELECT, INSERT, UPDATE, DELETE, CREATE, DROP, REFERENCES, INDEX, ALTER, CREATE TEMPORARY TABLES, LOCK TABLES, SHOW VIEW ON `configdb`.* TO 'openexchange'@'%' WITH GRANT OPTION |
| GRANT SELECT, INSERT, UPDATE, DELETE, CREATE, DROP, REFERENCES, INDEX, ALTER, CREATE TEMPORARY TABLES, LOCK TABLES, SHOW VIEW ON `oxdatabase_6`.* TO 'openexchange'@'%' WITH GRANT OPTION |
| GRANT SELECT, INSERT, UPDATE, DELETE, CREATE, DROP, REFERENCES, INDEX, ALTER, CREATE TEMPORARY TABLES, LOCK TABLES, SHOW VIEW ON `oxdatabase_global`.* TO 'openexchange'@'%' WITH GRANT OPTION |
| GRANT SELECT, INSERT, UPDATE, DELETE, CREATE, DROP, REFERENCES, INDEX, ALTER, CREATE TEMPORARY TABLES, LOCK TABLES, SHOW VIEW ON `oxguard1`.* TO 'openexchange'@'%' WITH GRANT OPTION |
| GRANT SELECT, INSERT, UPDATE, DELETE, CREATE, DROP, REFERENCES, INDEX, ALTER, CREATE TEMPORARY TABLES, LOCK TABLES, SHOW VIEW ON `oxguard`.* TO 'openexchange'@'%' WITH GRANT OPTION  |
+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+

8. Execute