| Bug #59690 | Too wide permissions in message: "Please GRANT SELECT...TO 'agent'@'%' " | ||
|---|---|---|---|
| Submitted: | 24 Jan 2011 8:14 | ||
| Reporter: | Andrii Nikitin | | |
| Status: | Verified | | |
| Category: | MySQL Enterprise Monitor: Agent | Severity: | S3 (Non-critical) |
| Version: | 2.3.1 | OS: | Any |
| Assigned to: | Assigned Account | CPU Architecture: | Any |
[24 Jan 2011 8:23]
Simon Mudd
Additionally, if the agent is able to log in, it should be able to identify the CURRENT_USER(), and that is probably the user that should have the extra grants added.

Description:
Agent log suggests too wide permissions when it gets an error reading mysql.inventory. This is incorrect due to a possible security vulnerability:

```
2011-01-19 21:00:30: (critical) agent_mysqld.c:723: successfully connected to database at 127.0.0.1:3306 as user agent_user (with password: YES)
2011-01-19 21:01:00: (critical) agent_mysqld.c:512: [127.0.0.1:3306] mysql_real_query("SELECT value FROM mysql.inventory WHERE name = 'uuid'") failed: MySQL server has gone away (errno=2006)
Please GRANT SELECT ON mysql.inventory TO 'agent_user'@'%';
```

The problem is that the suggested GRANT is too wide, because the real user configured by the agent is agent_user@127.0.0.1, not agent_user@%.

How to repeat:
1. Configure the agent to connect as agent_user@127.0.0.1 and revoke access to the mysql.inventory table.
2. Try to start the agent - it shuts down with the error: Please GRANT SELECT ON mysql.inventory TO 'agent_user'@'%';

Suggested fix:
Do not specify the '%' host in the suggestion when the agent is configured to connect to a particular host.
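Added example, not part of the original report and not the agent's source code: one way to build the hint from the account the server actually authenticated, as both the suggested fix and the CURRENT_USER() comment propose. The function name `build_grant_hint` and its parameters are hypothetical; the caller is assumed to have already fetched the result of `SELECT CURRENT_USER()` as a string.

```c
#include <stdio.h>
#include <string.h>

/* Refuse quote, backslash and control bytes instead of trying to escape. */
static int safe_part(const char *s, size_t n)
{
    for (size_t i = 0; i < n; i++) {
        unsigned char c = (unsigned char)s[i];
        if (c == '\'' || c == '\\' || c < 0x20 || c == 0x7f)
            return 0;
    }
    return 1;
}

/* Hypothetical helper: format the GRANT hint for the account returned by
 * SELECT CURRENT_USER() (e.g. "agent_user@127.0.0.1") rather than a
 * hard-coded '%' host. `object` is a constant chosen by the caller.
 * Returns 0 on success, -1 if no safe, complete statement can be built. */
int build_grant_hint(const char *current_user, const char *object,
                     char *out, size_t outlen)
{
    /* The host part follows the last '@'; user names may contain '@'. */
    const char *at = current_user ? strrchr(current_user, '@') : NULL;
    if (at == NULL || object == NULL || out == NULL || outlen == 0)
        return -1;

    size_t ulen = (size_t)(at - current_user);
    const char *host = at + 1;
    size_t hlen = strlen(host);

    if (hlen == 0 || !safe_part(current_user, ulen) || !safe_part(host, hlen))
        return -1;

    int n = snprintf(out, outlen, "GRANT SELECT ON %s TO '%.*s'@'%s';",
                     object, (int)ulen, current_user, host);
    /* Treat truncation as failure: a cut-off statement is worse than none. */
    return (n < 0 || (size_t)n >= outlen) ? -1 : 0;
}

int main(void)
{
    char hint[256];
    /* Constructed sample value matching the account named in the report. */
    if (build_grant_hint("agent_user@127.0.0.1", "mysql.inventory",
                         hint, sizeof hint) == 0)
        printf("Please %s\n", hint);
    return 0;
}
```

When the helper returns -1, the agent can still report the failed query without printing any GRANT statement.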