I'm using MySQL and I need to create an account that can connect from either the localhost or from another server, i.e. 10.1.1.1. So I am doing:
CREATE USER 'bob'@'localhost' IDENTIFIED BY 'password123';
CREATE USER 'bob'@'10.1.1.1' IDENTIFIED BY 'password123';
GRANT SELECT, INSERT, UPDATE, DELETE on MyDatabse.* to 'bob'@'localhost', 'bob'@'10.1.1.1';
This works fine, but is there any more elegant way to create a user account that is linked to multiple IPs or does it need to be done this way?
My main worry is that in the future, permissions will be updated for one 'bob' account but not the other.
If you want to restrict to host and do not want to specify based on a subnet or wildcard using %, that's the only way to do it. More details are available in the MySQL documentation. I am still trying to find ways to eliminate overhead when managing authentication to large MySQL installations and have yet to find a perfect solution.
Let's start by making a new user called "chaminda" within the MySQL shell:
The first thing to do is to provide the user with the necessary permissions; here I have given all permissions to the particular user.
Reload all the privileges.
If you want to allow a range of IPs for a particular user, use it as follows: 10.1.1.%
Note: here host name = % and that means you can access this database server from any host. Granting all privileges to the user is a big risk and is not best practice. Further, you can replace user 'chaminda' with 'bob'.
Warner's answer can be refined by using CIDR ranges in your user specification (in 'network'/'netmask' notation), eg:
CREATE USER 'bob'@'10.0.0.0/255.0.0.0' IDENTIFIED BY 'password123';
CREATE USER 'bob'@'192.168.0.0/255.255.255.192' IDENTIFIED BY 'password123';
This construct allows finer-grained access control. Warner's answer will allow user 'bob' to connect from any host, anywhere on your network (or from any host on the public internet, if your server is exposed to the public network), which is probably not going to suit all use cases.
It is accepted practice to apply "Defence in Depth", which is furthered by limiting user access to desired and trusted host addresses only. Also remember to limit incoming connections at the host level by reflecting the desired and trusted host addresses in your host-based firewall (e.g. iptables, firewalld, etc.).
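As an added example (not code from any of the answers above, and not from the MySQL project itself), the script below puts the per-host pattern from the question, the 10.1.1.% wildcard and the netmask form together, and then adds the two checks a DBA would want to run periodically: one that surfaces the exact drift the asker is worried about (host rows for the same user whose database-level privilege flags no longer match), and one that lists accounts reachable from any host. It assumes the database name MyDatabse from the question, a placeholder password, and the standard mysql.db / mysql.user grant tables.

```sql
-- Added example; not from the answers above. Assumes MySQL 5.x/8.x,
-- the database MyDatabse from the question, and placeholder passwords.

-- 1. One account row per allowed host. The host forms are the ones the
--    answers describe: a literal host, a '%' wildcard for 10.1.1.0/24,
--    and a network/netmask form.
CREATE USER 'bob'@'localhost'                   IDENTIFIED BY 'CHANGE_ME';
CREATE USER 'bob'@'10.1.1.%'                    IDENTIFIED BY 'CHANGE_ME';
CREATE USER 'bob'@'192.168.0.0/255.255.255.192' IDENTIFIED BY 'CHANGE_ME';

-- 2. Grant the same database-level privileges to every row in a single
--    statement, so the rows cannot diverge at creation time.
GRANT SELECT, INSERT, UPDATE, DELETE ON MyDatabse.*
  TO 'bob'@'localhost', 'bob'@'10.1.1.%', 'bob'@'192.168.0.0/255.255.255.192';

-- 3. Drift check for the asker's worry: show the database-level privilege
--    flags for each host row of user bob. Any row that differs from the
--    others needs reconciling.
SELECT Host, Db, Select_priv, Insert_priv, Update_priv, Delete_priv
  FROM mysql.db
 WHERE User = 'bob'
 ORDER BY Db, Host;

-- Same check, reduced to a yes/no answer per database: more than one
-- distinct privilege signature across the host rows means drift.
SELECT Db,
       COUNT(DISTINCT CONCAT_WS(',', Select_priv, Insert_priv,
                                     Update_priv, Delete_priv)) AS distinct_grant_sets,
       GROUP_CONCAT(Host ORDER BY Host) AS hosts
  FROM mysql.db
 WHERE User = 'bob'
 GROUP BY Db
HAVING distinct_grant_sets > 1;

-- 4. Exposure check: accounts whose Host is '%' (or empty), i.e. reachable
--    from any address that can reach the server, which the answers above
--    flag as a risk.
SELECT User, Host
  FROM mysql.user
 WHERE Host IN ('%', '')
 ORDER BY User, Host;

-- 5. Per-row view of the effective grants, as GRANT statements, for a
--    side-by-side comparison when the drift query reports a difference.
SHOW GRANTS FOR 'bob'@'localhost';
SHOW GRANTS FOR 'bob'@'10.1.1.%';
```

The drift query only looks at the four database-level flags granted here; if an account also carries global or table-level privileges, extend it to mysql.user and mysql.tables_priv in the same way, or diff the SHOW GRANTS output instead.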
MySQL allows multiple wildcards in one row. A possible solution is to set Host for user Bob to be localhost/10.1.1.1
Reference:
http://dev.mysql.com/doc/refman/5.1/en/connection-access.html