49

I'm using MySQL and I need to create an account that can connect from either the localhost or from another server, i.e. 10.1.1.1. So I am doing:

CREATE USER 'bob'@'localhost' IDENTIFIED BY 'password123';
CREATE USER 'bob'@'10.1.1.1' IDENTIFIED BY 'password123';
GRANT SELECT, INSERT, UPDATE, DELETE on MyDatabse.* to 'bob'@'localhost', 'bob'@'10.1.1.1';

This works fine, but is there any more elegant way to create a user account that is linked to multiple IPs or does it need to be done this way?

My main worry is that in the future, permissions will be updated for one 'bob' account but not the other.

yoozer8
  • 322
  • 2
  • 12
DrStalker
  • 6,676
  • 24
  • 76
  • 106

4 Answers4

35

If you want to restrict to host and do not want to specify based on a subnet or wildcard using %, that's the only way to do it. More details are available in the MySQL documentation.

I am still trying to find ways to eliminate overhead when managing authentication to large MySQL installations and have yet to find a perfect solution.

Warner
  • 23,440
  • 2
  • 57
  • 69
  • You can also add multiple privilege entries which allows you to specify multiple IP addresses. I missed that the OP was able to succeed using this method and wanted to be sure others didn't miss it as well. – Mike Weir Jan 25 '20 at 01:07
21

Let's start by making a new user called "chaminda" within the MySQL shell:

CREATE USER 'chaminda'@'%' IDENTIFIED BY 'password';

The first thing to do is to provide the user with necessary permission and here I have given all permission to the particular user.

GRANT ALL PRIVILEGES ON * . * TO 'chaminda'@'%';

Reload all the privileges.

FLUSH PRIVILEGES;

If you want to allow range of IPs to a particular user use as follows 10.1.1.%

GRANT ALL PRIVILEGES ON * . * TO 'chaminda'@'10.1.1.%';

Note: Here host Name = % and that means you can access this database server from any host. Granting all privileges to the user is a big risk and that's not a best practice. Further you can replace user 'chaminda' to 'bob'.

Chaminda Bandara
  • 547
  • 6
  • 17
  • 10
    This doesn't answer the question. It grants access to a user from all IPs, but the OP is asking about a more elegant way to allow a single user to access the database from a list of IPs. Basically, instead of multiple statements to add a user multiple times from multiple IPs, the idea is to add a single user that can access the database from multiple IPs, which makes management easier and less error prone. – Anthony Sep 20 '16 at 02:07
  • You can also use _ as a wildcard like 10.1.1.1__ to match 100 -199 but for 200 you need to create a seperate account or use the % wildcard and include 0-99 and 201-255 too – Chaminda Bandara Oct 25 '16 at 08:42
2

Warner's answer can be refined by using CIDR ranges in your user specification (in 'network'/'netmask' notation), eg:

CREATE USER 'bob'@'10.0.0.0/255.0.0.0' IDENTIFIED BY 'password123';

CREATE USER 'bob'@'192.168.0.0/255.255.255.192' IDENTIFIED BY 'password123';

This construct allows finer-grained access control. Warner's answer will allow user 'bob' to connect from any host, anywhere on your network (or from any host on the public internet, if your server is exposed to the public network), which is probably not going to suit all use cases.

It is accepted practice to apply "Defence in Depth", which is furthered by limiting user access from desired and trusted host addresses only. Also remember to limit incoming connections at a host level by reflecting the desired and trusted host addresses in your host-based firewall (eg. iptables, firewalld, etc).

rosco
  • 21
  • 1
-4

MySQL allows multiple wildcards in one row. A possible solution is to set Host for user Bob to be

locahost/10.1.1.1

Reference:

http://dev.mysql.com/doc/refman/5.1/en/connection-access.html

GabrielC
  • 257
  • 4
  • 9
  • That is not what the documentation is saying. As listed in the table, the /255.255.255.0 is a netmask. If there is a way to list multiple wildcards in the host definition, that isn't the way to do it. – chizou Jan 14 '15 at 21:33