62

I want multiple MySQL users to be able to issue commands like

CREATE DATABASE dbTest;

But I also want each of these users to be able to see and access only their own databases.

All I could find was how to either create the databases by a DBA and grant the privileges on this database to the specific user:

GRANT ALL PRIVILEGES ON dbTest.* TO 'user';

or grant privileges on all databases to a user:

GRANT ALL PRIVILEGES ON *.* TO 'user';

But neither is what I want, because it needs to scale and be secure.

4 Answers

107

You can use

GRANT ALL PRIVILEGES ON `testuser\_%`.* TO 'testuser'@'%';

to grant the user testuser privileges on all databases with names beginning with testuser_.

This allows the user testuser to create databases limited to names starting with testuser_.

Note that the query has an escape before the underscore, since the underscore is a glob that means "any single character"; hence the escape.


26

You can use

GRANT ALL PRIVILEGES ON `testuser_%`.* TO 'testuser'@'%';

to grant the user testuser privileges on all databases with names beginning with testuser_.

EDIT: I'm not sure if this user is now also allowed to create databases.

Yes, this allows the testuser to create databases limited to names starting with testuser_.

3 Comments

I had to wrap backticks around testuser_% but unfortunately in Stack Overflow that won't come through, as backticks signify a code section.
This should be a comment on Lex's answer, not an answer itself.
I'm not sure if this user is now also allowed to create databases.... No, it isn't.
16

Create a stored procedure that is defined by the admin user and invokes with the admin user privileges by using SQL SECURITY DEFINER. In the stored procedure,

  • Create the database.
  • Set the privileges on the database so only the current user has access.
  • Execute FLUSH PRIVILEGES to reload the privileges from the grant tables.

Use USER() to get the current user login details.

Find out more about SQL SECURITY DEFINER.

1 Comment

Where to create the stored procedure. Which database has this stored procedure?
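
One way to write the procedure described in this answer, as an added example that is not code from the answer itself: the `admin` schema, the procedure name `create_own_database` and the convention that every account is defined as 'name'@'%' are assumptions. Because the prefix is taken from USER() rather than from the caller's input, user aaa cannot use it to create bbb_xyz.

```sql
-- Added example (assumptions: schema `admin`, procedure name, accounts are 'name'@'%').
-- Run from the mysql client as an admin account; it becomes the routine's definer.
CREATE DATABASE IF NOT EXISTS admin;

DELIMITER //
CREATE PROCEDURE admin.create_own_database(IN p_suffix VARCHAR(31))
    SQL SECURITY DEFINER
BEGIN
    -- USER() is the connecting client ('name@host'). CURRENT_USER() would
    -- return the definer inside a DEFINER routine, so it is not used.
    DECLARE v_user VARCHAR(32) DEFAULT SUBSTRING_INDEX(USER(), '@', 1);

    -- Both parts are spliced into SQL that runs with admin rights: reject
    -- anything but letters and digits (no quotes, backticks, _ or %).
    IF v_user = '' OR COALESCE(p_suffix, '') = ''
       OR CONCAT(v_user, p_suffix) REGEXP '[^A-Za-z0-9]' THEN
        SIGNAL SQLSTATE '45000'
            SET MESSAGE_TEXT = 'user name and suffix must be alphanumeric';
    END IF;

    -- The prefix always comes from the caller's own login name.
    SET @ddl = CONCAT('CREATE DATABASE `', v_user, '_', p_suffix, '`');
    PREPARE stmt FROM @ddl;
    EXECUTE stmt;
    DEALLOCATE PREPARE stmt;

    -- In GRANT the database name is a pattern, so the separator is written
    -- as \_ to keep it literal ('\\_' assumes NO_BACKSLASH_ESCAPES is off).
    SET @ddl = CONCAT('GRANT ALL PRIVILEGES ON `', v_user, '\\_', p_suffix,
                      '`.* TO ''', v_user, '''@''%''');
    PREPARE stmt FROM @ddl;
    EXECUTE stmt;
    DEALLOCATE PREPARE stmt;
    -- GRANT reloads the in-memory privileges itself; no FLUSH PRIVILEGES here.
END//
DELIMITER ;

-- Each user needs only EXECUTE on the routine, not CREATE on *.*:
GRANT EXECUTE ON PROCEDURE admin.create_own_database TO 'testuser'@'%';

-- As testuser:
--   CALL admin.create_own_database('shop');   -- creates testuser_shop
```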
1

It is impossible to do this using permissions only.

The workaround as suggested in another answer: GRANT ALL PRIVILEGES ON `testuser_%`.* TO 'testuser'@'%'; has the problem that the users must then be very careful in naming their databases.

For example, if user aaa creates database bbb_xyz, it can then be accessed exclusively by user bbb but not by user aaa.

1 Comment

I don't catch your meaning... user aaa will not be able to create a database bbb_xyz, it will only be able to create a database called aaa_xyz
