Document the utility user feature
This is to document the utility user feature from https:/
Blueprint information
- Status: Complete
- Approver: None
- Priority: Undefined
- Drafter: None
- Direction: Approved
- Assignee: Hrvoje Matijakovic
- Definition: Approved
- Series goal: Accepted for 5.5
- Implementation: Implemented
- Milestone target: 5.5.27-28.0
- Started by: Hrvoje Matijakovic
- Completed by: Hrvoje Matijakovic
Whiteboard
Commit comment:
In order to have the ability for a special type of MySQL user, which will
have a very limited and special amount of control over the system and
cannot be seen or modified by any other user including the root user, the
following three new options have been added:
- utility_
create and recognize as the utility user. The host in the utility user
http://
it allows wildcards and IP masks. Anonymous user names are not
permitted to be used for the utility user name.
This user must not be an exact match to any other user that exists in
the mysql.user table. If the server detects that the user specified
with this option exactly matches any user within the mysql.user table
at startup, the server will report an error and shut down gracefully. If
host name wildcards are used and a more specific user specification is
identified at startup, the server will report a warning and continue.
Ex: --utility_
mysql.user table.
If a client attempts to create a MySQL user that matches this user, and
the user being created has the same name and a more specific host, the
creation attempt will fail with an error.
Ex: --utility_
As a result of these requirements, it is strongly recommended that a
very unique user name and reasonably specific host be used, and that any
scripts or tools test that they are running as the correct user by
executing 'SELECT CURRENT_USER()' and comparing the result against the
known utility user.
- utility_
utility user and MUST be specified or the server will shut down
gracefully with an error.
- utility_
name(s) of the schema(s) that the utility user will have access to read,
write and modify. If a particular schema named here does not exist at
startup it will be ignored. If a schema by the name of any of those
listed in this option is created after the server is started, the
utility user will have full access to it.
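The startup collision rule, the CREATE USER rule and the 'SELECT CURRENT_USER()' self-check described above, as an added Python simulation. This is not Percona Server code: the mysql.user contents are a constructed in-memory list, host matching is reduced to the two forms the text names ('%' and '_' wildcards, and 'ip/netmask' IP masks), and the function names (startup_check, create_user_allowed, running_as_utility_user) are this example's own. It goes slightly beyond the single cases in the text by scanning the whole account list so that an exact match still wins over an earlier wildcard warning.

```python
"""Simulation of the utility user matching rules from the blueprint.

Added illustration, not Percona Server code. mysql.user is a constructed
list; host matching covers '%' / '_' wildcards and 'ip/netmask' masks only.
"""
import ipaddress
import re
from enum import Enum


class Outcome(Enum):
    OK = "ok"            # no collision with mysql.user
    WARNING = "warning"  # wildcard host shadows a more specific account; server continues
    ERROR = "error"      # exact match; server reports an error and shuts down


def split_account(account: str) -> tuple[str, str]:
    """Split 'user@host' into (user, lower-cased host); a missing host means '%'.
    Anonymous user names are rejected, as the option description requires."""
    user, sep, host = account.partition("@")
    if not user:
        raise ValueError("anonymous user names are not permitted")
    return user, (host.lower() if sep else "%")


def host_matches(pattern: str, host: str) -> bool:
    """True if the literal host falls under a MySQL-style host pattern."""
    if "/" in pattern:  # 'ip/netmask' mask, e.g. 192.168.1.0/255.255.255.0
        try:
            return ipaddress.ip_address(host) in ipaddress.ip_network(pattern, strict=False)
        except ValueError:  # pattern or host is not a valid IP value
            return False
    # '%' matches any run of characters, '_' exactly one; everything else is literal
    regex = "".join(".*" if c == "%" else "." if c == "_" else re.escape(c) for c in pattern)
    return re.fullmatch(regex, host) is not None


def is_wildcard(host: str) -> bool:
    """A host that can cover more than one literal host."""
    return any(c in host for c in "%_/")


def startup_check(utility_account: str, mysql_user: list[str]) -> tuple[Outcome, str]:
    """Startup rule: an exact match in mysql.user is an error; a wildcard utility
    host covering a more specific existing account is only a warning."""
    u_user, u_host = split_account(utility_account)
    worst = (Outcome.OK, "utility user does not collide with any mysql.user entry")
    for acct in mysql_user:
        e_user, e_host = split_account(acct)
        if e_user != u_user:
            continue
        if e_host == u_host:
            return Outcome.ERROR, f"{utility_account!r} exactly matches {acct!r}; server shuts down"
        if is_wildcard(u_host) and host_matches(u_host, e_host):
            worst = (Outcome.WARNING, f"{utility_account!r} shadows more specific {acct!r}; continuing")
    return worst


def create_user_allowed(utility_account: str, new_account: str) -> bool:
    """CREATE USER rule: the utility user itself, or its name with a more
    specific host, cannot be created by a client."""
    u_user, u_host = split_account(utility_account)
    n_user, n_host = split_account(new_account)
    if n_user != u_user:
        return True
    return n_host != u_host and not host_matches(u_host, n_host)


def running_as_utility_user(current_user: str, utility_account: str) -> bool:
    """The self-check recommended for scripts: compare the 'user@host' string
    returned by SELECT CURRENT_USER() with the known utility user."""
    try:
        return split_account(current_user) == split_account(utility_account)
    except ValueError:
        return False  # an anonymous session can never be the utility user


if __name__ == "__main__":
    MYSQL_USER = ["root@localhost", "app@10.0.0.%", "backup@localhost"]  # constructed
    for candidate in ("backup@localhost", "backup@%", "monitor@192.168.1.0/255.255.255.0"):
        print(candidate, "->", *startup_check(candidate, MYSQL_USER))
    print(create_user_allowed("backup@%", "backup@localhost"))  # False
    print(running_as_utility_user("backup@%", "backup@%"))      # True
```

Hosts are compared case-insensitively, which is why split_account lower-cases them; user names are left as-is because MySQL treats them case-sensitively.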
This user has a mixed and special scope of abilities and protection:
- Utility user will not appear in the mysql.user table and cannot be
modified by any other user, including root.
- Utility user will not appear in USER_STATISTICS, CLIENT_STATISTICS or
- Utility user's queries may appear in the general and slow logs.
- Utility user must not have the ability to create, modify, delete or see
any schemas or data not specified (except for information_
- Utility user may modify all visible, non-read only system variables
(see enhanced_
- Utility user may see, create, modify and delete other system users only
if given access to the mysql schema.
- Regular users may be granted proxy rights to the utility user but any
attempt to impersonate the utility user will fail. The utility user
may not be granted proxy rights on any regular user.
Ex: GRANT PROXY ON utility_user TO regular_user; will not fail, but any
actual attempt to impersonate as the utility user will fail.
GRANT PROXY ON regular_user TO utility_user; will fail when a
utility user is specified.
When the server starts, it will note in the log output that the utility
user exists and the schemas that it has access to.