MySQL – Revoke Privileges


MySQL – REVOKE Statement



”;


Earlier, we discussed how a root user gets access to a MySQL server with default privileges after installation. These privileges are sufficient for performing basic operations on the data. However, in some special situations, users might need to request the server”s host to take away certain privileges. To do so, we use the MySQL REVOKE statement.

The MySQ REVOKE statement

The MySQL REVOKE statement is used to remove certain administrative privileges or roles from users. It revokes permissions that were previously granted.

Syntax

Following is the syntax of the MySQL REVOKE Statement −


REVOKE privileges
   ON database_name.table_name
   FROM ''user''@''host'';

Example

Assume we have created a user named ”test_user”@”localhost” in MySQL using the CREATE USER statement as shown below −


CREATE USER ''test_user''@''localhost'' IDENTIFIED BY ''testpassword'';

Following is the output produced −


Query OK, 0 rows affected (0.23 sec)

Now, let us create a database named ”test_database” −


CREATE DATABASE test_database;

The output produced is as follows −


Query OK, 1 row affected (0.56 sec)

Next, we will use the created database −


USE test_database;

We get the output as shown below −


Database changed

Now, let us create a table in the database −


CREATE TABLE MyTable(data VARCHAR(255));

The output obtained is as follows −


Query OK, 0 rows affected (0.67 sec)

Following query grants privileges on the table created above to the user ”test_user”@”localhost −


GRANT SELECT ON test_database.MyTable TO ''test_user''@''localhost'';

After executing the above code, we get the following output −


Query OK, 0 rows affected (0.31 sec)

You can verify the granted privileges using the SHOW GRANTS statements −


SHOW GRANTS FOR ''test_user''@''localhost'';

The output we get is as shown below −





Grants for test_user@localhost
GRANT USAGE ON *.* TO `test_user`@`localhost`
GRANT SELECT ON `test_database`.`mytable` TO `test_user`@`localhost`

Now, you can revoke the above granted privilege using the REVOKE statement as shown below −


REVOKE SELECT ON test_database.MyTable FROM ''test_user''@''localhost'';

We get the output as follows −


Query OK, 0 rows affected (0.25 sec)

Verification

We can verify whether the SELECT privilege has been revoked or not using the SHOW GRANTS statements as shown below −


SHOW GRANTS FOR ''test_user''@''localhost'';

We can see that the output no longer lists the SELECT privilege, indicating that it has been revoked −




Grants for test_user@localhost
GRANT USAGE ON *.* TO `test_user`@`localhost`

Revoking All Privileges

If a user has multiple privileges with a user, you can revoke all those privileges at once using the REVOKE ALL statement in MySQL.

Syntax

Following is the syntax to revoke all privileges in MySQL −


REVOKE ALL PRIVILEGES ON *.* FROM ''user''@''host'';

Example

Assume we have created a user as follows −


CREATE USER ''sample_user''@''localhost'';

Following is the output produced −


Query OK, 0 rows affected (0.18 sec)

We also create a procedure as shown below −


DELIMITER //
CREATE PROCEDURE sample ()
   BEGIN
      SELECT ''This is a sample procedure'';
   END//
DELIMITER ;

The output obtained is as follows −


Query OK, 0 rows affected (0.29 sec)

Additionally, we create a table named ”sample” in a database −


CREATE TABLE sample(data INT);

We get the output as shown below −


Query OK, 0 rows affected (0.68 sec)

Now, the following queries grants ALTER ROUTINE, EXECUTE privileges on the above created procedure to the user named ”sample_user”@”localhost”.


GRANT ALTER ROUTINE, EXECUTE 
ON PROCEDURE test_database.sample TO ''sample_user''@''localhost'';

Output of the above code is as shown below −


Query OK, 0 rows affected (0.20 sec)

Similarly, following query grants SELECT, INSERT and UPDATE privileges on the table ”sample” to the user ”sample_user”@”localhost −


GRANT SELECT, INSERT, UPDATE 
ON test.sample TO ''sample_user''@''localhost'';

The result produced is −


Query OK, 0 rows affected (0.14 sec)

You can verify the list of all privileges granted for the user using the SHOW GRANTS statement −


SHOW GRANTS FOR ''sample_user''@''localhost'';

The result obtained is as follows −






Grants for sample_user@localhost
GRANT USAGE ON *.* TO `sample_user`@`localhost`
GRANT SELECT, INSERT, UPDATE ON `test`.`sample` TO `sample_user`@`localhost`
GRANT EXECUTE, ALTER ROUTINE ON PROCEDURE `test_database`.`sample` TO `sample_user`@`localhost`

Finally, to revoke all the privileges granted to ”sample_user”@”localhost”, you can use the following statement −


REVOKE ALL PRIVILEGES, GRANT OPTION FROM ''sample_user''@''localhost'';

The result produced is −


Query OK, 0 rows affected (0.30 sec)

Verification

After revoking privileges, you can check the user”s grants again −


SHOW GRANTS FOR ''sample_user''@''localhost'';

The output below confirms that all privileges have been revoked −




Grants for sample_user@localhost
GRANT USAGE ON *.* TO `sample_user`@`localhost`

Revoking Proxy Privilege

You can make one user as a proxy of another by granting the PROXY privilege to it. If you do so, both users have the same privileges.

Example

Assume we have created users named sample_user, proxy_user in MySQL using the CREATE statement −


CREATE USER sample_user, proxy_user IDENTIFIED BY ''testpassword'';

Following is the output obtained −


Query OK, 0 rows affected (0.52 sec)

Now, we are creating a table ”Employee” −


CREATE TABLE Employee (
ID INT, Name VARCHAR(15), Phone INT, SAL INT);

We get the output as shown below −


Query OK, 0 rows affected (6.47 sec)

Following query grants SELECT and INSERT privileges on the table created above, to the user sample_user


GRANT SELECT, INSERT ON Emp TO sample_user;

The output obtained is as follows −


Query OK, 0 rows affected (0.28 sec)

Now, we can assign proxy privileges to the user proxy_user using the GRANT statement as shown below −


GRANT PROXY ON sample_user TO proxy_user;

The result produced is −


Query OK, 0 rows affected (1.61 sec)

You can revoke a proxy privilege using the REVOKE PROXY statement as shown below −


REVOKE PROXY ON sample_user FROM proxy_user;

We get the following result −


Query OK, 0 rows affected (0.33 sec)

Revoking a Role

A role in MySQL is a set of privileges with name. You can create one or more roles in MySQL using the CREATE ROLE statement. If you use the GRANT statement without the ON clause, you can grant a role instead of privileges.

Example

Following query creates a role named TestRole_ReadOnly


CREATE ROLE ''TestRole_ReadOnly'';

Following is the output of the above code −


Query OK, 0 rows affected (0.13 sec)

Now, let us grant read only privilege to the created role using the GRANT statement −


GRANT SELECT ON * . * TO ''TestRole_ReadOnly'';

The result obtained is −


Query OK, 0 rows affected (0.14 sec)

Then, you can GRANT the created role to a user as follows −


CREATE USER ''newuser''@''localhost'' IDENTIFIED BY ''password'';

Output of the above code is as follows −


Query OK, 0 rows affected (0.14 sec)

Next, you can grant the ”TestRole_ReadOnly” role to the ”newuser”@”localhost”−


GRANT ''TestRole_ReadOnly'' TO ''newuser''@''localhost'';

We get the following result −


Query OK, 0 rows affected (0.13 sec)

Following query revokes the role from the user −


REVOKE ''TestRole_ReadOnly'' FROM ''newuser''@''localhost'';

After executing the above code, we get the following output −


Query OK, 0 rows affected (1.23 sec)


Revoking Privileges Using a Client Program

We can also revoke privileges from a MySQL user using a client program.

Syntax

Following are the syntaxes to revoke MySQL Privileges in various programming languages −

To revoke all the privileges granted to an user in MySQL database using the PHP program, we need to execute the REVOKE ALL statement as shown below −


$sql = "REVOKE ALL, GRANT OPTION FROM user_name";
$mysqli->query($sql);

Following is the syntax to revoke a particular privilege from the desired user using a JavaScript program −


sql= "REVOKE privilege_name(s) ON object FROM user_account_name";
con.query(sql, function (err, result) {
   if (err) throw err;
      console.log(result);
});

To revoke all the privileges granted to a particular user, we need to execute the REVOKE ALL PRIVILEGES statement using the JDBC execute() function as −


String sql = "REVOKE ALL PRIVILEGES, GRANT OPTION FROM USER_NAME";
statement.execute(sql);

Following is the syntax to revoke a particular privilege to the desired user using a Python program −


sql = f"REVOKE {privileges} ON your_database.* FROM ''{username_to_revoke}''@''localhost''";
cursorObj.execute(sql);

Example

Following are the implementations of this operation in various programming languages −


$dbhost = ''localhost'';
$dbuser = ''root'';
$dbpass = ''password'';
$mysqli = new mysqli($dbhost, $dbuser, $dbpass);
if($mysqli->connect_errno ) {
   printf("Connect failed: %s
", $mysqli->connect_error); exit(); } //printf(''Connected successfully.
''); $sql = "REVOKE ALL, GRANT OPTION FROM Sarika"; if($result = $mysqli->query($sql)){ printf("Revoke privileges executed successfully...!"); } if($mysqli->error){ printf("Failed..!" , $mysqli->error); } $mysqli->close();

Output

The output obtained is as follows −


Revoke privileges executed successfully...!


var mysql = require(''mysql2'');
var con = mysql.createConnection({
    host: "localhost",
    user: "root",
    password: "Nr5a0204@123"
});
  //Connecting to MySQL
  con.connect(function (err) {
  if (err) throw err;
  console.log("Connected!");
  console.log("--------------------------");

  sql = "CREATE USER ''test_user''@''localhost'' IDENTIFIED BY ''testpassword'';"
  con.query(sql);

  sql = "CREATE DATABASE test_database;"
  con.query(sql);

  sql = "USE test_database;"
  con.query(sql);

  sql = "CREATE TABLE MyTable(data VARCHAR(255));"
  con.query(sql);

  sql = "GRANT SELECT ON test_database.MyTable TO ''test_user''@''localhost'';"
  con.query(sql);

  sql = "SHOW GRANTS FOR ''test_user''@''localhost'';";
  con.query(sql, function(err, result){
    if (err) throw err;
    console.log("**Granted privileges:**");
    console.log(result);
    console.log("--------------------------");
  });
  sql = "REVOKE SELECT ON test_database.MyTable FROM ''test_user''@''localhost'';"
  con.query(sql);

  sql = "SHOW GRANTS FOR ''test_user''@''localhost'';";
  con.query(sql, function(err, result){
    if (err) throw err;
    console.log("**Grants after revoking:**");
    console.log(result);
  });
});

Output

The output produced is as follows −


Connected!
--------------------------
**Granted privileges:**
[
  {
    ''Grants for test_user@localhost'': ''GRANT USAGE ON *.* TO `test_user`@`localhost`''
  },
  {
    ''Grants for test_user@localhost'': ''GRANT SELECT ON `test_database`.`mytable` TO `test_user`@`localhost`''
  }
]
--------------------------
**Grants after revoking:**
[
  {
    ''Grants for test_user@localhost'': ''GRANT USAGE ON *.* TO `test_user`@`localhost`''
  }
]


import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.Statement;
public class RevokePriv {
	public static void main(String[] args) {
		String url = "jdbc:mysql://localhost:3306/TUTORIALS";
		String user = "root";
		String password = "password";
		try {
			Class.forName("com.mysql.cj.jdbc.Driver");
            Connection con = DriverManager.getConnection(url, user, password);
            Statement st = con.createStatement();
            //System.out.println("Database connected successfully...!");
            String sql = "REVOKE ALL PRIVILEGES, GRANT OPTION FROM Vivek";
            st.execute(sql);
            System.out.println("You revoked all the privileges form user ''Vivek''");    
		}catch(Exception e) {
			e.printStackTrace();
		}
	}
}

Output

The output obtained is as shown below −


You revoked all the privileges form user ''Vivek''


import mysql.connector
# creating the connection object
connection = mysql.connector.connect(
    host=''localhost'',
    user=''root'',
    password=''password''
)
username_to_revoke = ''newUser''
# privileges we want to revoke
privileges = ''SELECT, INSERT, UPDATE''
# Create a cursor object for the connection
cursorObj = connection.cursor()
cursorObj.execute(f"REVOKE {privileges} ON your_database.* FROM ''{username_to_revoke}''@''localhost''")
print(f"Privileges revoked from the user ''{username_to_revoke}'' successfully.")
cursorObj.close()
connection.close()

Output

Following is the output of the above code −


Privileges revoked from the user ''newUser'' successfully.

Advertisements

”;

Leave a Reply

Your email address will not be published. Required fields are marked *