Google Cloud SQL only allows you to control the database root user password. I need to create a new user and limit his access to read-only, while maintaining the full privileged user.
Is there a way of doing that?
Thanks in advance,
You can achieve that using the regular MySQL permissions. Here is how you can add a user that has SELECT access to a database test
.
mysql> GRANT ALL ON test.* TO user@'%';
Query OK, 0 rows affected (0.07 sec)
mysql> SHOW GRANTS FOR user@'%'\G
*************************** 1. row ***************************
Grants for user@%: GRANT USAGE ON *.* TO 'user'@'%'
*************************** 2. row ***************************
Grants for user@%: GRANT ALL PRIVILEGES ON `test`.* TO 'user'@'%'
2 rows in set (0.07 sec)
mysql>
If you want to grant SELECT access to all the databases you can use GRANT ALL ON `%`.*
.
Reference: Cloud SQL: How can I use GRANT ALL?
不应使用 ALL
GRANT SELECT ON test.* TO user@'%';
Steps within GCP:
First create user
database using Built-in authentication
option at https://console.cloud.google.com/sql/instances/YOUR_INSTANCE_NAME/users
Revoke cloudsqlsuperuser
privilege:
REVOKE `cloudsqlsuperuser`@`%` FROM `user`@`%`;
Grant SELECT
privilege:
GRANT SELECT ON *.* TO `user`@`%`;
Verify:
SHOW GRANTS FOR 'user';
-- You should see:
-- GRANT SELECT ON *.* TO `user`@`%`
In my case, there are three read-write databases, db_dev
, db_qa
and db_prod
and two readonly databases, readonly_db1
and readonly_db2
.
I configure the DB account username@'<IP or %>'
below:
GRANT ALL ON db_dev.* TO username@'<IP or %>';
GRANT ALL ON db_qa.* TO username@'<IP or %>';
GRANT ALL ON db_prod.* TO username@'<IP or %>';
GRANT SELECT ON readonly_db1.* TO username@'<IP or %>';
GRANT SELECT ON readonly_db2.* TO username@'<IP or %>';
SHOW GRANTS FOR username@'<IP or %>';
REVOKE `cloudsqlsuperuser`@`%` FROM username@'<IP or %>';
SHOW GRANTS FOR username@'<IP or %>';
The GRANT
operation must execute before REVOKE
.
The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.