CODEWITHSUNDEEP
mysqlsqlsql-updateaccess-deniedsql-grant
Alan Krueger
Alan Krueger

Reputation: 4786

MySQL grant ineffective?

Okay, I'm perplexed. I'm getting an "Access denied" error trying to do an update. There's a grant to allow that user to perform an update on that table, but it's being denied anyway. Yes, I've tried "flush properties".

$ mysql -h DBHOST -u DBUSER -p DBNAME
Enter password: ******
Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 7340
Server version: 5.0.77 Source distribution

Copyright (c) 2000, 2010, Oracle and/or its affiliates. All rights reserved.

Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

mysql> update user set lastlogin = now() where userid = 1;
ERROR 1227 (42000): Access denied; you need the SUPER privilege for this operation
mysql> show grants for DBUSER;
+--------------------------------------------------------------------------------------+
| Grants for DBUSER@%                                                                  |
+--------------------------------------------------------------------------------------+
...
| GRANT SELECT, INSERT ON `DBNAME`.`useroldpassword` TO 'DBUSER'@'%'                     |
...
| GRANT SELECT, INSERT, UPDATE ON `DBNAME`.`user` TO 'DBUSER'@'%'                      |
...
+--------------------------------------------------------------------------------------+
68 rows in set (0.01 sec)

mysql>

There is a trigger on the table:

CREATE TRIGGER DEFINER=`DEFINER`@`localhost` UserPasswordUpdate BEFORE UPDATE ON User
FOR EACH ROW
BEGIN
    DECLARE count int;
    IF(NOT NEW.Password<=>OLD.Password) THEN
        SELECT count(*) into count FROM UserOldPassword WHERE UserID=NEW.UserID AND Password=NEW.Password;
        IF(count != 0) THEN
             INSERT INTO Unknown VALUES(1);
        END IF;
        INSERT INTO UserOldPassword(UserID,PasswordDate,Password) VALUES(NEW.UserID, NOW(), NEW.Password);
        SET NEW.LastPasswordChangeDate=NOW();
    END IF;
END

Both the executing user (see above) and the stated definer should have permissions to insert into the UserOldPassword table:

mysql> show grants for DEFINER;
+---------------------------------------------------------------------------------+
| Grants for DEFINER@%                                                            |
+---------------------------------------------------------------------------------+
| GRANT USAGE ON *.* TO 'DEFINER'@'%' IDENTIFIED BY PASSWORD '...'                |
| GRANT ALL PRIVILEGES ON `DBNAME`.* TO 'DEFINER'@'%'                             |
+---------------------------------------------------------------------------------+
2 rows in set (0.00 sec)

mysql> show grants for DEFINER@localhost;
+-----------------------------------------------------------------------------------------+
| Grants for DEFINER@localhost                                                            |
+-----------------------------------------------------------------------------------------+
| GRANT USAGE ON *.* TO 'DEFINER'@'localhost' IDENTIFIED BY PASSWORD '...'                |
| GRANT ALL PRIVILEGES ON `DBNAME`.* TO 'DEFINER'@'localhost'                             |
+-----------------------------------------------------------------------------------------+
2 rows in set (0.00 sec)

Upvotes: 1

Views: 712

Answers (3)

Alan Krueger
Alan Krueger

Reputation: 4786

I upgraded from MySQL 5.0.77 to 5.5.15 and now it works fine.

Upvotes: 1

Cfreak
Cfreak

Reputation: 19309

Try:

GRANT SUPER ON `DBNAME`.`user` TO 'DBUSER'@'%'

You probably have a trigger on the table which is why it's not working.

Upvotes: 2

wowest
wowest

Reputation: 1994

Run this:

mysql> flush privileges;

Upvotes: 0

Related Questions