Comments on: MySQL Static and Dynamic Privileges (Part 1) https://www.percona.com/blog/mysql-static-and-dynamic-privileges-part-1/ Wed, 11 Aug 2021 11:46:09 +0000 hourly 1 https://wordpress.org/?v=6.5.2 By: Marco Tusa https://www.percona.com/blog/mysql-static-and-dynamic-privileges-part-1/#comment-10973223 Tue, 15 Jun 2021 17:15:23 +0000 https://www.percona.com/blog/?p=76691#comment-10973223 Morgan, I agree with all you just said. 😀
BTW I consider ONE of the scope of dynamic privileges to replace super with fine grained security (FINALLY).
Anyhow for me the main point is that we should STOP to assign privileges to the users and instead use ROLEs and assign them as many of the more mature RDBMS do.
The other problem can be the proliferation of dynamic privileges, that we all do not start to use ROLESs can be the next nightmare for DBAs. Who already have bad sleeping with the security as it is.
I am immagine the need to assign proper privileges by table/column to different users. Or different admin role by application owner …
just to start

]]> By: Morgan Tocker (@morgo) https://www.percona.com/blog/mysql-static-and-dynamic-privileges-part-1/#comment-10973222 Tue, 15 Jun 2021 16:52:10 +0000 https://www.percona.com/blog/?p=76691#comment-10973222 I implemented dynamic privileges in TiDB earlier this year. I was actually not that familiar with the feature prior since security is not something I’ve previously focused on. My opinion working on it has been that it is a incredibly well thought out spec that considers the upgrade case of users very carefully.

The purpose of dynamic privileges is not clear from your text, but it is to *replace* the SUPER user with fine grained privileges. SUPER itself is deprecated, but for backward compatibility is still granted by GRANT ALL. You’ve trimmed the output of your SQL statements, but you will actually get a warning when doing this:

mysql [localhost:8024] {root} ((none)) > revoke SUPER on *.* from secure_test@’localhost’;
Query OK, 0 rows affected, 1 warning (0.00 sec)

mysql [localhost:8024] {root} ((none)) > show warnings;
+———+——+———————————————-+
| Level | Code | Message |
+———+——+———————————————-+
| Warning | 1287 | The SUPER privilege identifier is deprecated |
+———+——+———————————————-+
1 row in set (0.00 sec)

The problem is the semantic “ALL”:
a) Should it allocate only the “new privileges”?
b) Should it allocate only the “old privileges”?
c) Should it allocate both types of privileges?

I don’t think the answer is that straight forward. In the end the MySQL team chose (c) for 8.0, and actually for TiDB we chose (b), but there were other factors that led to our decision. I assume later down the road we will both switch to (a).

One of the subtleties I like about dynamic privileges is that the names of the privileges are already “role-oriented”. So typically you can allocate just one privilege to a user (such as CLONE_ADMIN) and not have to figure out from a long list what is required. This helps prevent over-allocating privileges, which is a real issue in the privilege design of MySQL. It’s not always clear from error messages what privileges will be required for a certain operation.

]]>