Create Users and Permissions
From: https://mariadb.com/kb/en/mariadb-authorization-and-permissions-for-sql-server-users/
MariaDB Authorization and Permissions for SQL Server Users
Understanding Accounts and Users
MariaDB authorizes access and checks permissions on accounts, rather than users.
Even though MariaDB supports standard SQL commands like CREATE USER and DROP USER,
it is important to remember that it actually works with accounts.
An account is specified in the format 'user'@'host'. The quotes are optional
and allow one to include special characters, like dots. The host part can
actually be a pattern, which follows the same syntax used in LIKE
comparisons. Patterns are often convenient because they can match several
hostnames.
Here are some examples.
Omitting the host part indicates an account that can access from any host.
So the following statements are equivalent:
CREATE USER viviana;
CREATE USER viviana@'%';
However, such accounts may be unable to connect from localhost if an
anonymous user ''@'%' is present. See localhost and % for the details.
Accounts are not bound to a specific database. They are global. Once an
account is created, it is possible to assign it permissions on any existing
or non-existent database.
The sql_mode system variable has a NO_AUTO_CREATE_USER flag. In recent
MariaDB versions it is enabled by default. If it is not enabled, a GRANT
statement specifying privileges for a non-existent account will
automatically create that account.
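An added example (not from the original page) that creates three accounts sharing one username with different host specifications, then shows the checks a DBA can run to see which account row a connection matched, whether anonymous accounts exist, and whether NO_AUTO_CREATE_USER is in effect. The names, hosts and passwords are made up.

```sql
-- Constructed example: three account rows for the same username 'viviana'.
-- At login the server picks the most specific host that matches the client.
CREATE USER 'viviana'@'localhost' IDENTIFIED BY 'local-only-secret';
CREATE USER 'viviana'@'10.0.%'    IDENTIFIED BY 'lan-secret';      -- LIKE-style pattern
CREATE USER 'viviana'             IDENTIFIED BY 'anywhere-secret'; -- same as 'viviana'@'%'

-- Which account rows exist for this username?
SELECT user, host FROM mysql.user WHERE user = 'viviana';

-- Inside a session: USER() is what the client claimed, CURRENT_USER() is the
-- account row that authentication actually matched (e.g. viviana@10.0.%).
SELECT USER(), CURRENT_USER();

-- Anonymous accounts (empty user name) can capture connections from localhost
-- before 'viviana'@'%' is considered; list them so they can be reviewed.
SELECT user, host FROM mysql.user WHERE user = '';
-- DROP USER ''@'localhost';   -- after confirming nothing relies on it

-- Is NO_AUTO_CREATE_USER in effect? If not, a GRANT to a mistyped account
-- name silently creates a new, passwordless account.
SELECT @@sql_mode LIKE '%NO_AUTO_CREATE_USER%' AS no_auto_create_user;
```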
For more information: Account Management SQL Commands.
Setting or Changing Passwords
Accounts with the same username can have different passwords.
By default, an account has no password. A password can be set, or changed,
in the following way:
- By specifying it in CREATE USER.
- By the user, with SET PASSWORD.
- By root, with SET PASSWORD or ALTER USER.
With all these statements (CREATE USER, ALTER USER, SET PASSWORD) it is
possible to specify the password in plain or as a hash:
-- specifying plain passwords (hashed by the server):
CREATE USER tom@'%.example.com' IDENTIFIED BY 'plain secret';
ALTER USER tom@'%.example.com' IDENTIFIED BY 'plain secret';
SET PASSWORD = PASSWORD('plain secret');
-- specifying hashes (stored as given):
CREATE USER tom@'%.example.com' IDENTIFIED BY PASSWORD 'secret hash';
ALTER USER tom@'%.example.com' IDENTIFIED BY PASSWORD 'secret hash';
SET PASSWORD = 'secret hash';
The PASSWORD() function uses the same algorithm used internally by MariaDB
to generate hashes. Therefore it can be used to get a hash from a plain
password. Note that this function should not be used by applications, as its
output may depend on MariaDB version and configuration.
SET PASSWORD applies to the current account, by default. Superusers can change
other accounts' passwords in this way:
SET PASSWORD FOR tom@'%.example.com' = 'secret hash';
MariaDB starting with 10.4.3
Passwords can have an expiry date, set by default_password_lifetime. To set
a different date for a particular user:
CREATE USER 'tom'@'%.example.com' PASSWORD EXPIRE INTERVAL 365 DAY;
To set no expiry date for a particular user:
CREATE USER 'tom'@'%.example.com' PASSWORD EXPIRE NEVER;
For more details, see User Password Expiry.
MariaDB starting with 10.4.2
It is also possible to lock an account with immediate effect:
CREATE USER 'tom'@'%.example.com' ACCOUNT LOCK;
See Account Locking for more details.
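An added example, not from the original page, of the plain-versus-hash distinction put to use: copying an account to a second server without anyone handling the cleartext password, then applying the 10.4 expiry and lock options described above. The hash values are placeholders to be replaced with the output of SHOW CREATE USER.

```sql
-- On the source server: create the account with a cleartext password.
CREATE USER 'tom'@'%.example.com' IDENTIFIED BY 'plain secret';

-- Read back the stored hash. The output contains
--   IDENTIFIED BY PASSWORD '*<41-character hash>'
-- so whoever performs the migration never needs the cleartext.
SHOW CREATE USER 'tom'@'%.example.com';

-- Equivalent lookup straight from the grant tables.
SELECT user, host, password, authentication_string FROM mysql.user
 WHERE user = 'tom' AND host = '%.example.com';

-- On the target server: recreate the account from the hash (placeholder).
CREATE USER 'tom'@'%.example.com'
  IDENTIFIED BY PASSWORD '*REPLACE_WITH_HASH_FROM_SHOW_CREATE_USER';

-- Rotation as root: from a cleartext password (hashed server-side) ...
SET PASSWORD FOR 'tom'@'%.example.com' = PASSWORD('new plain secret');
-- ... or from a hash obtained elsewhere (placeholder).
SET PASSWORD FOR 'tom'@'%.example.com' = '*REPLACE_WITH_HASH';

-- MariaDB 10.4.3+: require a change every 90 days for this account only,
-- regardless of default_password_lifetime.
ALTER USER 'tom'@'%.example.com' PASSWORD EXPIRE INTERVAL 90 DAY;
-- Require a change at the next login, immediately.
ALTER USER 'tom'@'%.example.com' PASSWORD EXPIRE;

-- MariaDB 10.4.2+: lock the account during an incident; its grants remain.
ALTER USER 'tom'@'%.example.com' ACCOUNT LOCK;
-- ... and unlock it once the incident is closed.
ALTER USER 'tom'@'%.example.com' ACCOUNT UNLOCK;

-- Verify: the output now shows the PASSWORD EXPIRE and ACCOUNT clauses.
SHOW CREATE USER 'tom'@'%.example.com';
```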
Authentication Plugins
MariaDB supports authentication plugins. These plugins implement a user's
login and authorization before they can use MariaDB.
Each user has one or more authentication plugins assigned. The default one
is mysql_native_password. It is the traditional login using the username and
password set in MariaDB, as described above.
MariaDB starting with 10.4
On UNIX systems, root is also assigned the unix_socket plugin, which allows
a user logged in to the operating system to be recognized by MariaDB.
Windows users may be interested in the named pipe and GSSAPI plugins. GSSAPI
also requires the use of a plugin on the client side.
A plugin can be assigned to a user with CREATE USER, ALTER USER or GRANT,
using the IDENTIFIED VIA syntax. For example:
CREATE USER username@hostname IDENTIFIED VIA gssapi;
GRANT SELECT ON db.* TO username@hostname IDENTIFIED VIA named_pipe;
TLS connections
A particular user can be required to use TLS connections. Additional
requirements can be set:
- Having a valid X509 certificate.
- The certificate may be required to be issued by a particular authority.
- A particular certificate subject can be required.
- A particular certificate cipher suite can be required.
These requirements can be set with CREATE USER, ALTER USER or GRANT. For the
syntax, see CREATE USER.
MariaDB can be bundled with several cryptography libraries, depending on its
version. For more information about the libraries, see TLS and Cryptography
Libraries Used by MariaDB.
For more information about secure connections, see Secure Connections
Overview.
Permissions
Permissions can be granted to accounts. As mentioned before, the specified
accounts can actually be patterns, and multiple accounts may match a
pattern. In the following example we create three accounts and assign
permissions to all of them:
CREATE USER 'tom'@'example.com';
CREATE USER 'tom'@'123.123.123.123';
CREATE USER 'tom'@'tomlaptop';
GRANT USAGE ON *.* TO tom@'%';
The following permission levels exist in MariaDB:
Note that database and schema are synonymous in MariaDB.
Permissions can be granted for non-existent objects that could exist in the
future.
The list of supported privileges can be found on the GRANT page. Some
highlights can be useful for SQL Server users:
- USAGE privilege has no effect. The GRANT command fails if we don't grant at
least one privilege; but sometimes we want to run it for other purposes, for
example to require a user to use TLS connections. In such cases, it is
useful to grant USAGE.
- Normally we can obtain a list of all databases for which we have at least
one permission. The SHOW DATABASES permission allows getting a list of all
databases.
- There is no SHOWPLAN privilege in MariaDB. Instead, EXPLAIN requires the
SELECT privilege for each accessed table and the SHOW VIEW privilege for
each accessed view.
- The same permissions are needed to see a table structure (SELECT) or a view
definition (SHOW VIEW).
- REFERENCES has no effect.
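An added example (not from the original page) covering both the TLS requirements from the TLS connections section above and the USAGE item in the list above: three accounts at increasing trust levels, the GRANT USAGE ... REQUIRE idiom for tightening an existing account, and an audit query. Account names, distinguished names and the cipher name are constructed placeholders.

```sql
-- 1. Encryption only: any TLS connection is accepted, no client certificate.
CREATE USER 'reporter'@'%' IDENTIFIED BY 'reporter-secret' REQUIRE SSL;

-- 2. Mutual TLS: the client must present a certificate chained to the CA the
--    server trusts (ssl_ca); the certificate contents are not inspected.
CREATE USER 'etl'@'10.0.%' IDENTIFIED BY 'etl-secret' REQUIRE X509;

-- 3. Pinned identity: issuer and subject must match exactly and only the
--    named cipher suite may be negotiated (placeholder DNs and cipher).
CREATE USER 'backup'@'backuphost' IDENTIFIED BY 'backup-secret'
  REQUIRE ISSUER  '/C=XX/O=Example CA/CN=Example Issuing CA'
      AND SUBJECT '/C=XX/O=Example/CN=backup.example.com'
      AND CIPHER  'ECDHE-RSA-AES256-GCM-SHA384';

-- Tighten an existing account without touching its privileges. GRANT needs
-- at least one privilege to be valid, so USAGE (which grants nothing) acts
-- as the carrier for the REQUIRE clause.
GRANT USAGE ON *.* TO 'reporter'@'%' REQUIRE X509;

-- The same change with ALTER USER needs no privilege list at all.
ALTER USER 'reporter'@'%' REQUIRE X509;

-- Drop the requirement again.
ALTER USER 'reporter'@'%' REQUIRE NONE;

-- Audit: which accounts may still connect without TLS? ssl_type is '' for
-- no requirement, 'ANY' for SSL, 'X509' or 'SPECIFIED' otherwise.
SELECT user, host, ssl_type FROM mysql.user
 WHERE ssl_type = '' ORDER BY user, host;

-- Inside a session, confirm that TLS is actually in use (empty if not).
SHOW SESSION STATUS LIKE 'Ssl_cipher';
```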
MariaDB does not support negative permissions (the DENY command).
Some differences concerning the SQL commands:
- In MariaDB GRANT and REVOKE statements can only assign/revoke permissions
to one user at a time.
- While we can assign/revoke privileges at column level, we have to run a
GRANT or REVOKE statement for each column. The table (column_list) syntax is
not recognized by MariaDB.
- In MariaDB it is not needed (or possible) to specify a class type.
Roles
MariaDB supports roles. Permissions can be assigned to roles, and roles can
be assigned to accounts.
An account may have zero or one default roles. A default role is a role that
is automatically active for a user when they connect. To assign or remove
the default role of an account, these SQL statements can be used:
SET DEFAULT ROLE some_role FOR username@hostname;
SET DEFAULT ROLE NONE FOR username@hostname;
Normally a role is not a default role. If we assign a role in this way:
GRANT some_role TO username@hostname;
...the user will not have that role automatically enabled. They will have to
enable it explicitly:
SET ROLE some_role;
MariaDB does not have predefined roles, like public.
For an introduction to roles, see Roles Overview.
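An added example (not from the original page) walking through the role lifecycle described above: a read-only role, an account that receives it, the difference between a granted role and an active one, and how to review the result. Role, database and account names are constructed.

```sql
-- Constructed example: a read-only role and an application account.
CREATE ROLE app_reader;
GRANT SELECT ON appdb.* TO app_reader;

CREATE USER 'app'@'10.0.%' IDENTIFIED BY 'app-secret';
GRANT app_reader TO 'app'@'10.0.%';

-- Case 1: no default role. In a session opened as app@10.0.%:
SELECT CURRENT_ROLE();           -- NULL: granted, but not active
-- SELECT * FROM appdb.orders;   -- denied: 'app' itself holds nothing on appdb
SET ROLE app_reader;
SELECT CURRENT_ROLE();           -- app_reader
-- SELECT * FROM appdb.orders;   -- now allowed
SET ROLE NONE;                   -- back to the account's own privileges only

-- Case 2: make the role active from the start of every session.
SET DEFAULT ROLE app_reader FOR 'app'@'10.0.%';
-- Revert to "no default role" later if needed:
-- SET DEFAULT ROLE NONE FOR 'app'@'10.0.%';

-- Roles can be nested, so write access can build on the read-only role.
CREATE ROLE app_writer;
GRANT app_reader TO app_writer;
GRANT INSERT, UPDATE, DELETE ON appdb.* TO app_writer;

-- Review: what the account holds directly, and what each role carries.
SHOW GRANTS FOR 'app'@'10.0.%';
SHOW GRANTS FOR app_reader;
SHOW GRANTS FOR app_writer;

-- Which accounts (or roles) may activate which role?
SELECT user, host, role FROM mysql.roles_mapping ORDER BY role, user;
```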