![]() ![]()
Access
Road 0.7.1
|
|
Creating
MySQL | Main properties |
Creating ACL |
Generic ACL
| MySQL
ACL
This getting-started two-hours tutorial is for designing the access controls of a simulated software. It introduces the MySQL Server® modeling by Access Road, using it as an example of design. If you have only 15 minutes for a simple reading, you may switch to the last section, where the design of MySQL access controls is explained. This tutorial should be ridden by all the Access Road users. The first tutorial about learning access controls is a requisite. The best way, which is not a waste of time, is to read it twice: first as a simple reading, and then to operate on Access Road. This is the most important tutorial, even if it may appear not very easy. In an ideal world, the inner complexity of the access control features would be masked by Access Road, to help the user. In the real world, this inner complexity can never be oversimplified, since our commitment is to provide an exact simulation. Furthermore, to help the user to build up a thorough understanding of the issues and their solutions, it is proved that extended explanations and multiple points of view are the best approach. This is both the Access Road way, and the spirit that has guided the design of this present tutorial. To follow this tutorial, there is no requisite about the knowledge of MySQL Server® as a database management system. We will discover together the Access Road generic features and a given simulation. This tutorial explains the following actions:
This tutorial is a good start to understand the basics of MySQL access controls. At any time, you would stop the tutorial before its end. How to exit Access Road and save the current configuration is explained at the end of this tutorial.
Creating a MySQL Server ACS
Run the Access Road program from the installation instructions. Close the central information box. If it is closed, open the ACS 'tubun' the first tutorial has created, through the command File → Open → Open Access Control System. To create the out-of-the-box simulation of a MySQL 5 Server, select in the main menu the command File → New → 'New Access Control system'. A window appears. Enter the name 'IO' for the ACS IS, the name 'sqyl' for the new ACS, select the first choice 'MySQL 5 Server', and click on the 'OK' button. A dialog selection appears about the parent. Click the node 'IO:: one:: tubun' then 'OK', to create the new MySQL Server under the node of the Linux Ubuntu 'tubun'. A second question appears to create a new component. Click 'No' then 'OK'. The MySQL Server ACS 'sqyl' is created, opened and selected in the explorer. You should have the opening of at least two internal windows: the explorer at the top left, and the beamer at the top right. If the beamer is closed, select in the main menu the command Window → Beamer. If other windows are open, close them by clicking the top cross of their windows. The explorer shows for 'sqyl' an additional node which is not displayed for 'tubun'. This is 'Virtual Folder for all (access target)'. A virtual folder is a folder of Resources. The relation virtual folder/member is weak, on the contrary of a Directory, and this means deleting the virtual folder does not delete its members. Virtual Folders are used by the MySQL ACS to model the MySQL views, which then are NOT Access Road views! This is why it is so important to know the generic terms Access Road uses to designate the common concepts for all the ACS.
|
![]()
One-hour tutorial for learning access controls
One-hour tutorial for verifying access controls ![]()
|
The 22 ACS main structural
properties
|
![]()
One-hour tutorial for learning access controls
One-hour tutorial for verifying access controls ![]()
|
Creating a generic AclEntry
To understand the rights simulation, let's see the generic ACL for the authorization sucACS into the ACS 'tubun'. In the explorer, click the node 'IO:: one:: tubun:: <authorization_subacs>:: org:: gnome:: clockapplet:: mechanism:: set time zone:: '. In this authorization subACS, 'set time zone' is an action to attribute to Linux Ubuntu users through AclEntries. In the beamer, click the tab 'ACL', and for the first list at the top of the tab, click the button 'New'. This dialog window appears. ![]()
To enter the properties of the ACL to create:
The new AclEntry 'tom >> set time zone' is created. The explorer and the beamer display it. We may note that the rights Access Road has listed for creating this ACL was very different to the AG rights in the previous section. In complex cases, some entered values are not truly authorized. The user sees then an error message which explains clearly the issue. This new ACL enables the right 'authorize' to the UserID 'tom' for the target 'set time zone'. This means 'tom' may then change the time zone into this Linux Ubuntu operating system. In the beamer, the ACL is shown, and the property 'Right users in ACL' has the value 'tom'. The property 'Condition groups' has been set to null for this new ACL, because it is not conditional. Otherwise, this dialog allows to select the first condition group. With condition group(s), the ACL is disabled and it delivers no rights if the right user is not a direct or an indirect member of one of the condition group. There are two types of conditional ACL. This feature is used for instance by the MySQL Server® ACS addon, in the next tutorial, and in the RBAC application ACS. The condition groups list has to remain empty there, since they are not managed by the Linux Ubuntu ACS addon. An AclEntry may be managed by an ACS different to the ACS of the right user and/or the ACS of the resource. This has to be permitted by each implied ACS. We call such ACL external AclEntries. In the beamer, click the back button, to go back to the previous displayed object. The beamer displays the 'set time zone' action, and its ACL list contains the new ACL. This ACL name includes there the name of the ACL source and the name of the ACL target, like into the explorer. We may see that the beamer displays an 'ACL' tab only for the Resources of the authorization subACS, and not for the 'files_tree' Resources. This is a result of the ACS rights policy. By the same way, the node 'AclEntries: right user >> access target' appears in the explorer only for the relevant ACS. The explorer sorts the AclEntries by their ACL sources. It displays first the groups, then the users. For other ACS, the explorer may display other standard nodes the Linux Ubuntu does not handle, like when there are privileges or external ACL, for instance. We have seen there an example of how the generic ACL are handled in Access Road. One could be astonished to see a generic handling of ACL in an ACS addon like Linux Ubuntu. In fact, this ACS addon provides specific features on the Account/Group rights, while it simply uses the generic ACL features of Access Road into the authorization subACS. |
![]()
One-hour tutorial for learning access controls
One-hour tutorial for verifying access controls ![]()
|
Handling the generic AclEntry
In the explorer, click the first AclEntry of the ACS 'sqyl', under the node 'AclEntries...', which starts with '<U>'. The ACL name is '<U>:: jerry:: >> MySQL server:: || grant || localhost'. The beamer title becomes 'Beamer: ACL jerry >> MySQL server'. An ACL name may have several presentations in the explorer, in the beamer, in a 'See Why' view text. In the explorer and the beamer, an ACL name is composed of:
For an external ACL, the format of the detailled name is as following: ACS: ACS_name | (full or incomplete) Eligible Party name >> (full or incomplete) Resource name || grant OR deny || <Source ACS group> OR <Target ACS group> || first condition group last component. An Eligible Party or Resource name is incomplete when the component belongs to the ACS of the AclEntry. The tag '<Source ACS group>' indicates the condition group belongs to the EligibleParty ACS, that is the source ACS. An ACL name does not contain the ACL rights, which may change. This instance of ACL is conditional, with 'localhost' as first condition group, while the explorer shows another non-conditional ACL. In the beamer on this ACL, click the tab 'ACL'. In this tab, the property 'Enabled rights' is true, and it is important to understand why. A non-conditional ACL simply grants or denies rights without condition group, and then, 'Enabled rights' is always true. As a generic concept, a conditional ACL enables its rights only if its right user (also called an ACL source) is member of all the condition groups of the ACL. The property 'Enabled rights' may then be true or false. This ACL is enabled because 'jerry' is member of the server 'localhost. To display 'jerry': click on the beamer tab 'General' and the 'See' button of the first property 'Right User'. 'jerry' is selected, and its type is 'account'. Click on the tab 'Members'. The beamer shows a generic list named 'Is direct member of', where 'localhost' is the first item. To check this ACL, it is possible to use the sketcher : open the sketcher with command Window → Sketcher (Ctrl+k). In the explorer, select the root Directory 'MySQL server'. The sketcher finds that 'jerry' has an 'USAGE' right which comes from our ACL. Unfortunately, the sketcher handles the simplest cases. It does not processes the inherited ACL, while they are the central part of the MySQL rights. For the root having no parent, it delivers a correct result, but not for the other Resources. This is the job of the full views. The root 'MySQL server' is now displayed in the beamer. Click the tab 'ACL'. The first property, entitled 'Sorted list for users 'account'...', displays the list of the direct AclEntries of any Resource. 'Direct ACL' there is the opposite of 'inherited ACL'. The property title is proper to the MySQL ACS, but it is a generic ACS property. This list displays of course the ACL named: '<U>:: jerry:: >> MySQL server:: || grant || localhost'. The second list, in the same 'ACL' tab, shows all the right users into these direct ACL. In this list, select the item 'IO:: one:: tubun:: sqyl:: <U>:: jerry::', and click the 'See' button. The beamer displays the same 'ACL' tab for 'jerry'. The list of Resources contains the root 'MySQL server' as a target of one or several 'jerry' ACL. All the links between objects in Access Road are so managed and displayed into the beamer. |
|
Introducing the MySQL AclEntry
The account 'jerry' is member of 'localhost', and it is also logged to the server 'localhost' as its 'First host'. In the tab 'Members' for the account 'jerry', there is a MySQL-specific property 'First host', having 'localhost' as value. For each new UserID, the MySQL ACS enforces the choice of such a first host. It is defined as the computer from which the account is logged on the MySQL server. All this explains why, through a conditional ACL, the MySQL user 'jerry' has the right 'USAGE' on the root 'MySQL server'. In the MySQL ACS, only one condition group is allowed to an account. This is not always true into another ACS. Compared to the MySQL syntax, this conditional ACL simulates a right statement on 'jerry@localhost'. The management of access controls by the MySQL server ACS may be summarized by 6 cases. To put it simple, this tutorial will cover only the three first cases. The other kinds of MySQL rights are covered by the MySQL ACS addon documentation. The simulation of the MySQL server access control in this tutorial can take the following forms:
We will see now how these two kinds of ACL are summarized by the beamer, not as a generic ACL - we have already ridden it at the previous section - but rather as an object that mimics the MySQL syntax for the right statements. To return to the root 'MySQL server', click the back button of the beamer. Click the tab 'ACL Inheritance'. The second property is an empty sorted list, since the root has no inherited ACL. The third property, called 'Unsorted primary rights', is more interesting. Click, on the left side of the 'Unsorted primary rights...' map, the key 'IO:: one:: tubun:: sqyl:: <U>:: jerry@localhost:: 0::'. At right, the value 'USAGE' appears. As you may have noticed, this is another kind to display our well-known ACL, always the same old ACL 'jerry >> MySQL server', but there, it is possible to get its effective rights, and it uses a MySQL-friendly syntax! Getting the effective rights means there is no key in this map if the ACL has no rights, or if it has disabled rights. For instance, the first displayed ACL into the explorer (<G>:: anonymous§@%:: >> MySQL server:: || grant) does not produce any primary right, because this ACL has been created with no rights at all. The 4 current keys of primary rights ends with '0'. This indicates simply they come from the direct ACL of the current Resource, the root MySQL server. To compare the same list, Click the explorer on the child 'BASE One'. The beamer displays a larger list, where:
This explains the title of this map: 'Unsorted primary rights at each parent level – The level is the key ending number'. For the Resource 'BASE One', the Resource 'MySQL server' is a parent at the level '1'. The primary rights map summarizes all the applicable ACL on the current node – with a key end at '0' - and from any direct or indirect parent delivering some inherited AclEntries. This is an Access Road property, so the term is unknown in the MySQL Server documentation. The primary rights represent an intermediate level between the original ACL and the effective rights of a couple (right user, access target). By the way, it would also great to have a look on how the MySQL server selects the applicable statements for a given couple (right user, access target). Let's study another list in this tab 'ACL Inheritance'. ![]() This is the sorted list of the inherited ACL on the base 'BASE One', from the parent 'MySQL server'. Click the beamer on the back button (to display 'MySQL server'), then on the tab 'ACL'. It is the same list. The direct ACL list on the root has been simply copied into this property of its child 'BASE One'. Click the tab 'ACL Inheritance', then, in the explorer, click the node 'Products table', direct child of 'BASE One'. 'Products table' has a sorted list where the 8 first ACL are also copied from the root 'MySQL server', and the 3 other ACL are copied from the direct ACL list of its direct parent 'BASE One'. The list has the title 'matched ACL at each parent level: user@host or accounts-for-hosts or...'. It tries to recall the rules used for the selection of rights by the MySQL Server. First, to understand the term 'accounts-for-hosts' in the title of this sorted list of ACL, keep in mind that the groups 'jerry§@local%' and 'jerry§@%' have the type 'pattern-name_accounts-for-hosts group'. We will study the 'pattern-name' entities along with the Access Road full views. We introduce now the selection of rights. It is based on our well-known example. When the account 'jerry' requests an access to MySQL server, we see in the last list of ACL – remember they are coming from the direct ACL of the root – that it seems to have 3 matched statements for 'jerry':
Three rules are the ground of all the access controls into the MySQL Server. They take the following forms: MySQL Rule 1: for a given level of parent, the MySQL server selects only one applicable right statement (one ACL in Access Road), and it is always the first one to match. Of course, the administrator cannot change the MySQL Server sorting rules on the right statements. This means, for this example, that the first sorted ACL 'jerry >> MySQL server' will deliver its rights to the account 'jerry' on 'localhost'. For this account, the two other ACL will never be used until the first ACL is deleted. The MySQL server ACS addon provides a precise sorting of the AclEntries to simulate this MySQL Server behavior. MySQL Rule 2: the MySQL rejects the connection of an account if it has no applicable global rights (that are on the root 'MySQL server' into Access Road). When a right statement is set on any server component like a base or a table, as a help to the administrator, the MySQL Server and Access Road create automatically a global 'USAGE' right on the server, for the same couple (user, host). MySQL Rule 3: for a couple (right user, access target), the MySQL server adds all the applicable rights at each parent level. This means the 'jerry' rights on, say, the target 'Products table', are simply the sum of the 3 sets of applicable rights on the root 'MySQL server', on the base 'BASE One' and on the target 'Products table'. Again, the MySQL server ACS addon handles the direct ACL and the inherited ACL to simulate this MySQL Server behavior. Note: the first rule is correct for the 3 first forms of rights, which are those this tutorial covers. It has to be adapted for some of the 3 other cases. The second rule is correct for the 5 last forms of rights, but not for the first one. The third rule is correct for the 6 forms of rights the MySQL Server handles. Well, at this step of the tutorial, we have to thank you to have been patient, learning MySQL rather Access Road! Now, by the way of the Access Road full views, these 3 MySQL rules will be illustrated much better. |
![]()
One-hour tutorial for learning access controls
One-hour tutorial for verifying access controls ![]()
|
Creating an Access Road full view
The full view is the main Access Road tool for simulating rights and relations between objects. A full view contains from 0 to 48 objects. The view objects are always coming from the open ACS. The aim is to detect all the access paths, if any, between each couple of objects in the view. The full view provides the functions to display the paths in two forms: a diagram and a text. An access path is called direct when there is no intermediate node. A path may be indirect, with a number of intermediate nodes up to 40. The view text is the support and the reference to explain in details the results of the view diagram. For each access path, the text describes the nature of each link for each couple of intermediate nodes. ![]() In the main menu, select the command: File → New → 'New view'. The first dialog appears. Select 'Full view' then 'OK'.
![]() The second dialog appears to define the full view name. Enter the names 'sqyl' and 'jerry' in the two fields, then click 'OK'.
In the explorer, click the UserID 'jerry' and the 2 Resources 'MySQL Server' and 'BASE One'. If a selected object is both an EligibleParty and a Resource, it appears in the two relevant lists in the window, but it is not the case for these 3 objects. If you make an error, the 'Remove in list(s)' button should be used to deselect, for the view, an object which is currently selected in the dialog window. When all is OK, click on the 'OK' button. The view 'jerry in the set sqyl' appears as a diagram in the right bottom coin of the main window. With the mouse, increase the size of the view window. In the view diagram, click the node 'MYSQL SERVER' at right, and drag&drop the node to move it and obtain the following result. ![]() After the creation of a view, the explorer selects it as a node under 'Full Views'. The beamer displays its properties. They are very simple. The property 'Elements' displays the view elements. It allows to change them through the buttons 'Select' and 'Remove'. These elements are also displayed in the explorer, under the view node. One can remark the view nodes are drawn with distinct patterns. There is one graphical pattern for each great type of ACS objects: UserID (like 'jerry'), Resources (like 'BASE One'), GroupID, VirtualFolder and Actor. The name of an object in the diagram is just its name last component, so it is not possible to separate for instance the node 'jerry' from 'tubun' to the node 'jerry' from 'sqyl'. This is why it is recommended to put the ACS name in the set name of the view. All the access paths between each couple of view objects have been detected and displayed by Access Road. An arrow or a line between two view elements means there is one or several access paths between them. Nothing between 'BASE One' and 'MySQL Server' means that there is no access path. An arrow or line is generally drawn with a text which explain very shortly the rights, or the relation, between the two objects. The rights may be ACS rights, as there, or generic rights. The two arrows are similar in this view, because the two relations are from an UserID to a Resource. Note: Generally speaking, Access Road does never copy the internal algorithms of the software it simulates. This is technically impossible in most cases, since the simulated software does not model its concepts exactly like Access Road does. This is also difficult in practice, and even sometimes prohibit by law. Let's compare this full view to the sketcher. Use together the keys Ctrl+k to open the sketcher. An empty sketcher appears. Click on the node 'jerry' in the full view 'jerry'. The direct links around the UserID 'jerry' are displayed, and this includes the two links in the previous full view. In the view 'jerry', click on the node 'BASE one'. The sketcher shows 2 nodes above 'BASE one', including 'jerry'. The difference is the sketcher rights from 'jerry' to 'BASE one' are 'SELEC EXECU' without '<via> ...'. A full view shows all the access paths, as we will see, while the sketcher shows there the direct ACL, not the inherited ones. The explorer displays the types of ACS right for the MySQL Server. It displays the ACS rights from the greater ones. Click the right 'SELECT' in the explorer. The beamer displays, for this right, the comments 'Authorize to SELECT rows on TABLE, COLUMN or VIEW' to explain the meaning of 'SELECT' for the MySQL Server. This right is then applied to all the tables, columns and views of 'BASE One'. Access Road handles a full view only if all the view objects are in open ACS. This rule is enforced by Access Road, which informs the user about any issue. When the user closes an ACS, the open views having objects from this closing ACS are closed by Access Road without view saving. In the same way, the closed views are checked when an ACS is removed definitely from the Access Road base. The view saving covers the list of the elements in the view, the location of the view diagram window and the 'See Why' window in the Access Road main window. The view saving covers also the relative positions of the nodes in the view diagram. The opening of Access Road restores the last saving of the open ACS and the open views, with all the open internal windows like the IS Structure, the sketcher and the beamer. At the opening of a view, if a view element is from a closed or removed ACS, a message to the user is displayed and the view is not open. The reading of a diagram is very intuitive. The objective is to offer a 'smart' reading to the eye. If there is an arrow from A to B and a second arrow from B to C, then this means there is an indirect access path from A to C. But such an indirect path is not always true. This is an example which justifies the need of a simple drawing coding for the links into a diagram. The links between two nodes in a diagram may use varied formats:
Note: In most of the cases, the view diagram displays the rights names as they are in the relevant ACS. There are few exceptions for some generic administrative rights, like for instance the generic right '|transfer_limited_rights|'. It is the reference of the MySQL right 'GRANT ALL'. This is why, if this MySQL right has to be displayed in a full view diagram, it is replaced by the term '<grant to second>'. The glossary defines this case as when the rights owner may delegate to a second owner all the non-administrative rights he gets, excluding his administrative rights like this one. For these important administrative rights, the view diagrams display always the generic description of the right, and not the ACS-specific term, while the 'See why' text keeps the ACS-specific term. Let's see now what exactly means, in the view diagram, the term '<via>' in the comments of the two arrows, and above all, what is a 'See why' text. |
![]()
One-hour tutorial for learning access controls
One-hour tutorial for verifying access controls ![]()
|
The 'See why' text
|
![]()
One-hour tutorial for learning access controls
One-hour tutorial for verifying access controls ![]()
|
The updating of an Access Road full
view
We will create now a second full view, for Linux Ubuntu objects, just to make a quick test. First, we return to the display mode of independent windows for the full views: Close the 'Full views' window. A dialog appears to close all the open full views. Click 'No'. The view 'sqyl:: jerry' remains open in the explorer. Follow the creation procedure of a full view, with 'tubun' as set name and 'any' as view name. Select for the view, in the explorer, exactly 12 'tubun' objects of your choice, with both UserID, GroupID and Resource objects. The user would see during few seconds a message 'Please wait', while Access Road detects all the access paths of the view. The new view diagram should appear as a unreadable network of links! Enlarge the diagram window, and try to drag&drop some nodes to get a clear presentation. Unfortunately, this is not always possible if the number of links is too great. If a node is dropped on a location the diagram forbids, there is no move. Access Road uses for the full views a layout of the allowed locations that depends on the number of nodes in the view. The range of locations is squares of 4x4, 5x5, 7x7 or 10x10 node locations. Up to 7 nodes, the view diagram uses a layout of 16 possible positions. A diagram of 12 nodes is displayed in a layout of 25 locations, while a 13-nodes diagram uses a layout of 49 possible locations. Then, to clear the diagram, you may remove some objects in the view, or you may enlarge the layout adding a new object to the view: Click in the explorer the view node 'tubun:: any', click into the beamer the 'Select' button of the property 'Elements', and select in the explorer a new object for this view. The new node is added at the top left of the diagram window. It is recommended to move any new node immediately, to let empty this place for other additions. The good new is you use now a layout of 49 locations for the nodes. The diagram nodes would be well positioned, to get a clear network of links. Nonetheless, we have to be realistic. If the number of links is too great, the diagram will stay unreadable, even if the 'See why' text is always workable. The best choice is then to get less nodes in the diagram, and for instance, to split the view in two complementary views. Note: A new view node is added at the top left coin of the diagram, but sometimes it is not alone. It is necessary to add a second element when there is a hard alias relation. An example is a MySQL view, which is modeled as an Actor being alias of a Virtual Folder. When the user adds to a view one of these two components, the second element is automatically added by Access Road in the bottom right coin of the full view diagram. Save your current work through the command File → Save All (Ctrl+s). Note: the first view diagram and 'See why' text locations have been already saved. It does not matter to not have them open during this second saving. We will discover now one of the most powerful feature of Access Road. It updates immediately an open view at any change in the base properties which may modify the results of the view. This is true for example when the rights change in any implied ACL, or when an UserID is no more member of an implied GroupID. We will use the view 'sqyl:: jerry' to test the application of the MySQL rule 1: for a given level of parent, the MySQL server selects only one applicable right statement (one ACL in Access Road), and it is always the first one to match. The idea is to delete the matched global ACL 'jerry >> MySQL server', and to see how the rights change in the view. Close the diagram of the second view 'tubun:: any'. Click 'Yes' in the dialog window, to close this view. In the explorer, select the first view 'sqyl:: jerry', then use the command Window → View diagram or ACS tree (Ctrl+u). The diagram and the 'See why' text are opened. Click in the explorer the sqyl node 'MySQL server', then in the beamer, click the tab 'ACL'. Into the sorted list of ACL, select the ACL '<U>:: jerry:: >> MySQL server:: || grant || localhost'. Click the list button 'Delete'. When the view has very complex paths, the updating of the access paths needs several seconds. The user may see a message 'Please wait' at the top left coin of the diagram. But this should not be the case there. ![]() The view 'sqyl:: jerry' is updated, both its diagram and its 'See why' text. The resulting text is totally changed. The rights of 'jerry' on 'BASE One' is now CREATE. The current user is no more (jerry, localhost) but (jerry, jerry§@local%). CREATE is delivered by a direct ACL on 'BASE One': '<G>:: jerry§@local%:: >> MySQL server:: BASE One:: || grant'. It is easy to check it through the beamer, when 'BASE One' is selected in the explorer, as we have seen in the section 'Introducing the MySQL Server AclEntry'. Note: when a global right statement is deleted, the MySQL Server deletes all the similar statements at the other levels. This behavior is reproduced by the MySQL server ACS addon. This is why deleting the global ACL 'jerry@localhost' has produced a deleting of the second ACL 'jerry@localhost' on 'BASE One'. As we have already seen, the reading of a diagram is very intuitive. An important property is to offer a 'smart' reading to the eye. So, the rights is get now through this strange group 'jerry§@local%'. What about the diagram, if this group is added to the view? ![]() Click in the explorer the view 'sqyl:: jerry'. In the beamer, on the properties, 'Elements', click the 'Select' button, then click in the explorer the GroupID 'jerry§@local%'. The view is updated. Move the new node to get this resulting diagram. The first look shows no link between 'jerry' and 'BASE One'. This is due to the indirect path 'the eye' may find via 'jerry§@local%'. With or without this group into the view, the overall result is exactly the same. The presentation is different to remain intuitive. The last state of the view shows us a new property of MySQL Server for a pattern-name group like 'jerry§@local%'. This GroupID contains automatically and uniquely all the accounts having a name with the form 'jerry' or 'jerry(x)' (whatever the character 'x'), and belonging to any host having a name with the form 'local%'. '%' is for MySQL Server a wildcard meaning 'any sequence of characters'. This is why 'localhost' matches as a host. The 'See why' text describes the link from 'jerry§@local%' to 'BASE One' without current user, because it may be used by any member of this group, and not only by 'jerry'. If you know how MySQL Server works, you may note the group 'jerry§@local%' is the equivalent to the MySQL right statement 'jerry@local%'. The difference '§' is specific to Access Road, to ensure an account has only one first simple host. ![]() If the MySQL Server ACS addon finds for this view a direct path from 'jerry' to 'BASE One' that forbids the current indirect path via 'jerry§@local%', then this direct path would be drawn in a double-lenght-line arrow, to indicate it is the only applicable one. To see it, we may simply return to the next state of 'sqyl'! Create the new ACL 'jerry@localhost' on 'BASE One', with the rights SELECT and EXECUTE. The procedure to follow is from the first tutorial. This image of the new diagram demonstrates the behavior of a full view. Save your current work through the command File → Save All (Ctrl+s). Of course, to design access controls for the MySQL Server, we cannot read a full view and take the results without question. We have to master the rights sorting and the rights inheritance management. Access Road is there to help us. |
![]()
One-hour tutorial for learning access controls
One-hour tutorial for verifying access controls ![]()
|
About the MySQL Server design
This tutorial does not study the MySQL Server privileges with the vocabulary of MySQL Server. Its purpose is to handle the MySQL Server access controls with the vocabulary of the MySQL Server ACS addon, into Access Road. To connect the concepts of the two worlds, let's see the guide for this ACS addon. In the last section, we will see how to use the full views to define and verify the design of the rights on a MySQL Server. There is already a powerful and well-known free software called MySQL Workbench®. It is able to design the access controls through administrative and technical roles. Above all, it can inject the resulting design, as right statements, into an instance of MySQL Server. For instance, it is quite easy to design, with MySQL Workbench:
For simple and stable needs of access controls, MySQL Workbench is quite good. It is also efficient for managing the administrative roles. However, this tool has some important limitations each time the MySQL Server contains complex or unstable bases, or with fine-grained needs of access control. It does not cover the full range of the MySQL access control features:
Furthermore, MySQL Workbench cannot use flexible strategies of access control, while Access Road is able to design them. There are some things to remember first, about what you can and cannot do with the MySQL Server:
There are also some MySQL best practices to know:
With this last MySQL best practicee, a SHOW GRANTS statement cannot show all the applicable rights of 'bob', since for instance the 'bob@%.exemple.com' right statements are not listed. On the contrary, the Access Road beamer displays all the ACL of 'bob' in one list, and more, it is a sorted list. |
![]()
One-hour tutorial for learning access controls
One-hour tutorial for verifying access controls ![]()
|
Designing MySQL Server access
controls
|
![]()
One-hour tutorial for learning access controls
One-hour tutorial for verifying access controls ![]()
|
Creating
MySQL | Main properties | Creating
ACL | Generic
ACL | MySQL
ACL
Creating full view | 'See
why' text | Full
view updating | MySQL
design
Designing
with Access Road
®All trademarks are property of their respective holders. Copyright ACCBEE – 02 May 2012