MySQL remote user account
  1. #1

    TykeLike

    SimonMac
    Join Date: Aug 2010
    Location: God's Own Republic Of Yorkshire
    Posts: 23,005

    I am trying to back up an Azure MySQL database. I understand I need to create a user account on @remotehost called user@localhost.

    However, when I run the mysqldump command the user is coming back as user@publicIPaddress rather than user@localhost.

    Code:
    Access denied for user 'backup'@'2.xxx.xxx.xxx' (using password: YES) when trying to connect
    I know I can create a user account user@publicIPaddress, but as I do not have a static IP from my ISP it will change periodically.

    Is there a method for getting this to work with a single user account? I have a dynamic DNS setting so user@dynamicDNSname will always resolve to the same place even when the IP address changes.
    Last edited by SimonMac; 23rd May 2019 at 13:42.
    “Live a good life. If there are gods and they are just, then they will not care how devout you have been, but will welcome you based on the virtues you have lived by. If there are gods, but unjust, then you should not want to worship them. If there are no gods, then you will be gone, but will have lived a noble life that will live on in the memories of your loved ones.”

    ― Marcus Aurelius

  2. #2

    Super poster

    woohoo
    Join Date: Nov 2007
    Location: In the country
    Posts: 4,065

    I don't mean this in a funny way like go and google it. But the last couple of times I've contacted Azure with a question they have been really helpful. Might be worth asking them.

  3. #3

    TykeLike

    SimonMac

    Quote (originally posted by woohoo):
        I don't mean this in a funny way like go and google it. But the last couple of times I've contacted Azure with a question they have been really helpful. Might be worth asking them.

    Seems creating a user name user@% allows it from all IPs, probably not the securest method but it works.

  4. #4

    Fingers like lightning

    TheGreenBastard
    Join Date: Dec 2015
    Posts: 504

    Quote (originally posted by SimonMac):
        Seems creating a user name user@% allows it from all IPs, probably not the securest method but it works

    Bit of an anti-pattern if you want to have some resemblance of security, you're basically opening it up to the world for convenience. You probably already know this feels wrong and is wrong.

    Typically you might have a "jump box" in this situation; a server instance on the Azure network which is white-listed to communicate with the MySQL server; this box is secured however to restrict access to trusted parties and you connect via SSH through the jump box. Most database clients that work with MySQL make this pretty seamless when creating a connection configuration using an SSH tunnel type connection.

    A jump box creates a common audit log if set up that way too.

  5. #5

    TykeLike

    SimonMac

    Quote (originally posted by TheGreenBastard):
        Bit of an anti-pattern if you want to have some resemblance of security, you're basically opening it up to the world for convenience. You probably already know this feels wrong and is wrong.

        Typically you might have a "jump box" in this situation; a server instance on the Azure network which is white-listed to communicate with the MySQL server; this box is secured however to restrict access to trusted parties and you connect via SSH through the jump box. Most database clients that work with MySQL make this pretty seamless when creating a connection configuration using an SSH tunnel type connection.

        A jump box creates a common audit log if set up that way too.

    The MySQL box is on an NSG that is configured to only allow connections from my public IP, or from within the VLAN that the box and other webservers are attached to.

    Not foolproof but hopefully reduced the risk.

  6. #6

    My post count is Majestic

    NickFitz
    Join Date: Jun 2007
    Location: Your local branch
    Posts: 44,904

    Quote (originally posted by SimonMac):
        Seems creating a user name user@% allows it from all IPs, probably not the securest method but it works

    As you suspect, that's pretty insecure, though I've often done it myself just to make life easier.

    Quote (originally posted by SimonMac):
        I know I can create a user account user@publicIPaddress, but as I do not have a static IP from my ISP it will change periodically.

        Is there a method for getting this to work with a single user account? I have a dynamic DNS setting so user@dynamicDNSname will always resolve to the same place even when the IP address changes.

    You should be able to create a user such as 'simonmacs-amazing-backup-automaton'@'simonmacs-dynamic-dns-name.example.com' which will work as long as your dynamic DNS thing auto-updates when your IP changes.

    Note that the username and domain bits should be in their own sets of quotes and the @ not, as explained in the docs at MySQL 8.0 Reference Manual :: 6.2.4 Specifying Account Names

    • The user name and host name need not be quoted if they are legal as unquoted identifiers. Quotes are necessary to specify a user_name string containing special characters (such as space or -), or a host_name string containing special characters or wildcard characters (such as . or %) (for example, 'test-user'@'%.com').

    • Quote user names and host names as identifiers or as strings, using either backticks (`), single quotation marks ('), or double quotation marks ("). For string-quoting and identifier-quoting guidelines, see Section 9.1.1, “String Literals”, and Section 9.2, “Schema Object Names”.

    • The user name and host name parts, if quoted, must be quoted separately. That is, write 'me'@'localhost', not 'me@localhost'; the latter is actually equivalent to 'me@localhost'@'%'.
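
The host-restricted account and the quoting rule discussed in this thread, written out as SQL. This is an added example, not code from any poster; the host name `bk.example.com`, the schema `appdb` and the password are placeholders. It assumes the server resolves client host names (`skip_name_resolve` off) and that the client's address reverse-resolves to that name.

```sql
-- Added example. Account, host, schema and password values are placeholders.

-- 1. Host-restricted backup account. User and host parts are quoted
--    separately; the host needs quotes because it contains '.'.
CREATE USER 'backup'@'bk.example.com'
  IDENTIFIED BY 'REPLACE_WITH_GENERATED_PASSWORD'
  REQUIRE SSL;

-- 2. Read-only privileges on the one schema being dumped: SELECT for tables,
--    SHOW VIEW for views, TRIGGER for triggers, LOCK TABLES for runs
--    without --single-transaction.
GRANT SELECT, SHOW VIEW, TRIGGER, LOCK TABLES
  ON `appdb`.* TO 'backup'@'bk.example.com';

-- 3. The mistake the manual warns about: one pair of quotes around the whole
--    name. The statement succeeds, but it creates the user
--    'backup@bk.example.com' at host '%', which matches every client address.
--    (Left commented out on purpose.)
-- CREATE USER 'backup@bk.example.com' IDENTIFIED BY 'REPLACE_ME';

-- 4. Audit: list accounts whose host part contains the '%' wildcard, or
--    whose user part contains '@' (the signature of the mistake in step 3).
SELECT user, host
FROM mysql.user
WHERE INSTR(host, '%') > 0
   OR INSTR(user, '@') > 0
ORDER BY user, host;

-- 5. Confirm the new account's grants, then remove the wildcard account
--    once the host-restricted one is known to work.
SHOW GRANTS FOR 'backup'@'bk.example.com';
DROP USER IF EXISTS 'backup'@'%';
```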

  7. #7

    TykeLike

    SimonMac

    Quote (originally posted by NickFitz):
        As you suspect, that's pretty insecure, though I've often done it myself just to make life easier.

        You should be able to create a user such as 'simonmacs-amazing-backup-automaton'@'simonmacs-dynamic-dns-name.example.com' which will work as long as your dynamic DNS thing auto-updates when your IP changes.

        Note that the username and domain bits should be in their own sets of quotes and the @ not, as explained in the docs at MySQL 8.0 Reference Manual :: 6.2.4 Specifying Account Names

    Thanks, will have a go at that. I tried to look at those pages but got lost when they started talking about reverse DNS and the like.
