
Issue creating users on mysql/mariadb on amazon RDS

Still trying to figure out RDS on AWS. I set up an EC2 instance that I can SSH into. I then created an RDS instance of MariaDB. I can SSH into my EC2 and then use MySQL to connect to the RDS instance using the username/password I created when I set up the RDS instance. When I look at the users I see

'myusername'@'%' 
'rdsadmin'@'localhost'

While logged in as 'myusername' to the mysql db, I create a new user with more limited hosts:

CREATE USER 'otheruser'@'nnn.nnn.nnn.nnn' IDENTIFIED BY 'good_password';

No problems so far. Now give 'otheruser' some permissions:

GRANT ALL PRIVILEGES ON mydatabase.* TO 'otheruser'@'nnn.nnn.nnn.nnn' IDENTIFIED BY 'same_password';

Seems to work. From my IP address I can use Navicat to connect as 'otheruser' to 'mydatabase' and can create tables, add data, drop tables, create indexes no problem. However, when I do this, all privileges show 'N':

SELECT * FROM mysql.user WHERE user = 'otheruser'\G

If I look in information_schema the only privilege is 'usage'

SELECT * FROM information_schema.user_privileges;

If, as my root user created during RDS setup, I try to specify a specific privilege for 'otheruser', I get an access denied error.

So if all of the permissions are showing 'N', and information_schema just shows 'usage', how is Navicat able to connect as that user and do pretty much everything?

What's the correct way of creating a restricted user on an RDS instance? It seems the user created during instance creation is slightly limited vs. 'rdsadmin'@'localhost', but AFAIK there's no way to connect to the RDS from localhost?

The privileges in the mysql.user table are global privileges. They apply to all databases on the server, present and future. You didn't issue a statement that would grant any of those.

SELECT * FROM mysql.db; will show you where the navicat user's permissions you granted can be found.

You can GRANT ALL PRIVILEGES ON some_database.* in RDS, which grants only the database-level permissions for that one database.

...but you cannot GRANT ALL PRIVILEGES ON *.* because you, the master user, do not possess all global privileges. RDS doesn't give them to you. To do global grants, you have to grant specific privileges.

SHOW GRANTS FOR 'myusername'@'%';

The privileges you see listed there are the only global (server-level) privileges you can grant.

Yes, the things you can do with the privileges provided by RDS are limited, presumably because it's a managed service... so they don't want you to be able to break anything that they would have to fix for you... which they would, because it's a managed service. That's one of the drawbacks of RDS. You trade some flexibility for ease of administration (point in time recovery, creation/monitoring/destruction of read replicas, backup snapshots, etc.).

rdsadmin@localhost is the account the RDS infrastructure uses to manage and monitor your instance. That's why it has all those privs. You're correct -- you can't log in from localhost. Only the RDS supervisory process can.
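The procedure the answer describes, as an added example that is not part of the original question or answer: create a user scoped to one host and one database, then check each of the three places the grant can be inspected. The user name, database name and host placeholder are the ones from the question; 'good_password' is a constructed value.

```sql
-- Added example (not from the original post). Names and host are the
-- question's placeholders; 'good_password' is a constructed value.

-- Create the account first. Keep the password on CREATE USER / ALTER USER:
-- IDENTIFIED BY on GRANT is deprecated in MySQL 5.7 and removed in 8.0.
CREATE USER 'otheruser'@'nnn.nnn.nnn.nnn' IDENTIFIED BY 'good_password';

-- Database-level grant. Listing privileges explicitly instead of ALL makes
-- the scope reviewable and avoids granting anything the master user lacks.
GRANT SELECT, INSERT, UPDATE, DELETE, CREATE, DROP, INDEX, ALTER
  ON mydatabase.* TO 'otheruser'@'nnn.nnn.nnn.nnn';

-- 1. mysql.user holds only GLOBAL (server-wide) privileges. A database-scoped
--    grant does not touch these columns, which is why they read 'N'.
SELECT Host, User, Select_priv, Insert_priv, Create_priv, Drop_priv
  FROM mysql.user
 WHERE User = 'otheruser';

-- 2. mysql.db is where the database-level grant above is recorded.
SELECT Host, Db, User, Select_priv, Insert_priv, Create_priv, Drop_priv
  FROM mysql.db
 WHERE User = 'otheruser';

-- 3. The same facts as the server reports them to a client. The USAGE line
--    is the global part (no global privileges); the mydatabase.* line is the
--    database part.
SHOW GRANTS FOR 'otheruser'@'nnn.nnn.nnn.nnn';

-- 4. information_schema.user_privileges only lists global privileges;
--    database-scoped ones are in schema_privileges (GRANTEE keeps the quotes).
SELECT GRANTEE, TABLE_SCHEMA, PRIVILEGE_TYPE
  FROM information_schema.schema_privileges
 WHERE GRANTEE = "'otheruser'@'nnn.nnn.nnn.nnn'";

-- 5. Before attempting any ON *.* grant, list what the master user can
--    actually delegate; anything not shown here will be refused by RDS.
SHOW GRANTS FOR 'myusername'@'%';
```

Run the block as the master user created with the RDS instance; the last statement is the one to consult when a global grant returns an access denied error.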
