maria-discuss team mailing list archive
-
maria-discuss team
-
Mailing list archive
-
Message #05318
Re: Missing rights on 'CREATE ALGORITHM=UNDEFINED DEFINER...'
-
To:
<thomas@plant.systems>, <maria-discuss@xxxxxxxxxxxxxxxxxxx>
-
From:
<Rhys.Campbell@xxxxxxxxxxxx>
-
Date:
Thu, 13 Dec 2018 10:32:22 +0000
-
Accept-language:
en-GB, de-CH, en-US
-
In-reply-to:
<d3878c6c-4ddd-cce2-f660-ec71defd4d52@plant.systems>
-
Msip_labels:
MSIP_Label_2e1fccfb-80ca-4fe1-a574-1516544edb53_Enabled=True; MSIP_Label_2e1fccfb-80ca-4fe1-a574-1516544edb53_SiteId=364e5b87-c1c7-420d-9bee-c35d19b557a1; MSIP_Label_2e1fccfb-80ca-4fe1-a574-1516544edb53_Owner=Rhys.Campbell@xxxxxxxxxxxx; MSIP_Label_2e1fccfb-80ca-4fe1-a574-1516544edb53_SetDate=2018-12-13T10:32:21.7361581Z; MSIP_Label_2e1fccfb-80ca-4fe1-a574-1516544edb53_Name=C2 Internal; MSIP_Label_2e1fccfb-80ca-4fe1-a574-1516544edb53_Application=Microsoft Azure Information Protection; MSIP_Label_2e1fccfb-80ca-4fe1-a574-1516544edb53_Extended_MSFT_Method=Automatic; Sensitivity=C2 Internal
-
Thread-index:
AQHUkswOyNUqXby5x02A+z1kfx+KgaV8dpwA
-
Thread-topic:
[Maria-discuss] Missing rights on 'CREATE ALGORITHM=UNDEFINED DEFINER...'
All doesn't include mean all.
https://dba.stackexchange.com/questions/4118/does-mysql-super-privilege-include-all
The SUPER priv can be granted with GRANT SUPER ON *.* TO user1@localhost (The error implies this has changed in 10.1 and I'm not too up to date with it)
But probably better not to do that if you can avoid it because it allows a lot of other stuff too. The error is being caused by the DEFINER / SQL SECURITY clauses...
"If you do not have the SUPER privilege, the only legal user value is your own account, either specified literally or by using CURRENT_USER. You cannot set the definer to some other account."
https://mariadb.com/kb/en/library/create-view/
The user can probably just remove this stuff if the defaults will work for them.
Rhys
From: Maria-discuss [mailto:maria-discuss-bounces+rhys.campbell=swisscom.com@xxxxxxxxxxxxxxxxxxx] On Behalf Of Thomas Plant
Sent: 13 December 2018 11:10
To: maria-discuss@xxxxxxxxxxxxxxxxxxx
Subject: [Maria-discuss] Missing rights on 'CREATE ALGORITHM=UNDEFINED DEFINER...'
Hello all,
I have a request from a user who can not create a view in his database.
He has the following rights granted:
+----------------------------------------------------------------------------------------------------------------+
| Grants for user@% |
+----------------------------------------------------------------------------------------------------------------+
| GRANT USAGE ON *.* TO 'user'@'%' IDENTIFIED BY PASSWORD '***************' |
| GRANT ALL PRIVILEGES ON `dbname`.* TO 'user'@'%' |
+----------------------------------------------------------------------------------------------------------------+
The view he tries to create looks like these:
CREATE ALGORITHM=UNDEFINED DEFINER=`xxxxxxxxxxx`@`xx.xxx.xxx.x/xxx.xxx.xxx.x` SQL SECURITY DEFINER
VIEW `jos_docman_file_counts` AS select `jos_docman_documents`.`storage_path` AS `storage_path`,count(0) AS `count`
from `jos_docman_documents` where (`jos_docman_documents`.`storage_type` = 'file')
group by `jos_docman_documents`.`storage_path`;
And gets as error:
#1227 - Access denied; you need (at least one of) the SUPER privilege(s) for this operation
What SUPER privilege is needed for this view?
The Database is MariaDB 10.1 on Centos 7.
Thanks for any hint about his.
Greetings,
Thomas
Follow ups
References
