
CREATING AND REMOVING DATABASE USER ACCOUNTS

From the document Database Security: Problems and Solutions (pages 61-66)

Before we can go further with discussing how to allow or disallow certain access to data, we need some database users. So, let’s first explain how to create database user accounts. To cover a broad range of use, we will describe how to carry out this task as well as other database security tasks with SQL directly in the MySQL, MariaDB, and Oracle DBMSs. While the figures indicate use of MySQL DBMS, the exact same SQL statements will apply to MariaDB and Oracle unless otherwise noted.

In this scenario, we will create database user accounts for the employees within a business organization. We will choose the database username of an employee to be that employee’s last name in lowercase, which in this scenario happens to be unique. In general, if employee last names were not unique, we would have to define the database username on something that is unique, such as combining the last name with first name and/or a number.

When creating a database user account, we can optionally specify an authentication password. To reinforce this form of security, we will specify a password, although for ease of demonstration we will use passwords that are easy to remember for each user. Keep in mind that in practice, we would want to use stronger passwords. Figure 4.1 gives the usernames and passwords for the database accounts in our business scenario.

FIGURE 4.1 Database usernames and the corresponding authentication password for our business scenario.

The SQL CREATE USER statement can be used to create database accounts. The basic syntax for the CREATE USER statement with the MySQL, MariaDB, and Oracle DBMSs is given in Figure 4.2.

CREATE USER 'username'[@'hostname'] [IDENTIFIED BY 'password'];

FIGURE 4.2. Basic SQL syntax to create a database user account.

To understand this command representation, the italic characters are SQL symbols or keywords that are specified exactly as is. The bold content represents where we fill in the specifications for our specific needs, such as username, hostname and password for this statement. The content within square brackets is optional and can be omitted or specified depending on whether we wish to leverage that particular feature.

The easiest SQL statement to create a user account for user roberts is one that specifies only the username, as shown in Figure 4.3, where we create a database account for user roberts with no password. This command consists of the SQL keywords CREATE USER followed by the username for the new account. The username does not require enclosing quotes if the username consists of only alphanumeric or underscore characters. If the username does contain hyphens (-), periods (.), or other special symbols, the entire username must be enclosed within quotes.

FIGURE 4.3 Creating a user account with no password.

Tip: The CREATE USER statement must be issued by the database root account or some other database administrative account that has been given the capability to issue those statements.

In Figure 4.3, we did enclose the username with straight single quotes ('), although technically quotes were not required in this specific example.

Even though enclosing quotes may not always be required for a username (and as we see later, for a hostname), it is common practice to always use enclosing quotes for a predictable and uniform appearance, as well as to avoid surprise errors in situations when quotes are required. As such, the examples in this text will always enclose the username (and hostname). Most DBMSs and users prefer the use of straight single quotes when quotes are necessary, and that is the convention we follow. However, many DBMSs also allow use of straight double (") or back (`) quotes in situations where quotes are required. No matter which form of quote you use, the form must be the same for each pair of matching quotes.

Tip: Be careful to use straight single or double quotes with SQL. Smart quotes are not recognized as single or double quotes in many DBMSs and may generate a syntax error if used.

That database user can then log into the database by specifying only the username with the SQL command shown in Figure 4.4.¹ Here the mysql command includes the -u option, followed by one or more spaces and the username. The -u option specifies that the username is to follow next.

FIGURE 4.4 Logging into a database user account with no password.

While a simple way to create a database account, note that this approach does not involve any security measures—such as use of a password—with that account.

Because we are reinforcing database security concepts, we should involve such security measures. Let’s now incorporate a password for that account.

To add (as well as change) a password to an existing database user account, we can use the SQL ALTER USER statement, followed by the username of the account. This statement also contains the IDENTIFIED BY keywords which allow us to specify a security control for the account. All DBMSs provide a password-based control, and some DBMSs may also provide other security controls. For a password-based control, we follow those keywords with the password, enclosed in single quotes, as shown in Figure 4.5.

FIGURE 4.5 Setting (or changing) a password for a database user account.

¹ In an Oracle DBMS, after creating the account for 'username', we must then issue “GRANT CREATE SESSION TO 'username'” to allow that account to log into the DBMS. MySQL and MariaDB do not require this extra step.

Now if a login attempt is made to the account roberts without a password, the login is denied, as shown in Figure 4.6.

FIGURE 4.6 Failed login attempt without a password.

In order to log into the account now, we have to specify a password in one of two ways. One way involves specifying the password as part of the login command. We can do so with the mysql command we previously attempted, but also with the -p option immediately followed by the password (that is, no spaces between the option and password), as shown in Figure 4.7.

FIGURE 4.7 Logging into a database user account with a password.

While the database account for roberts is now password-protected, this login approach does raise a new security concern. This concern stems from the inclusion of the password as part of the login command. On some systems, a user may be able to have the operating system generate a full process or command listing that would show the mysql command and its options while the mysql session is running. If the operating system does show all of the program or command options in plaintext, then the user account password may be compromised. More recently, however, some operating systems will mask out passwords (such as with x’s or other symbols) that are part of a command or process listing, so that particular password vulnerability would not exist in that case.

The second way in which we can specify a password when logging in is similar to the first method, but does not include the password itself as part of the command. Here we issue the same command but omit the password itself after the -p option, as shown in Figure 4.8. If nothing immediately follows the -p option, the DBMS will prompt the user for the password. This slight change to the login command yields two security benefits. First, as with most password prompts, the password itself will not be reflected on the screen as it is typed in, for security purposes pertaining to shoulder-surfing. Secondly, because the password is not included within the command itself, the password will not be revealed by a command or process listing, whether or not the operating system masks the password in the listing.

FIGURE 4.8 Logging in a database user account with a prompted password.
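The process-listing exposure described above can be audited for. The following shell function is an added example, not taken from the book: it reads command lines, one per line (for instance the output of `ps -eo args`), and reports mysql invocations that carry the password inline, with the password redacted. The password `ExamplePw1`, the database name `payroll` and the sample listing are constructed values.

```shell
#!/bin/sh
# Added example: report mysql client invocations that carry the password inline.
# Reads one command line per line on stdin (e.g. from `ps -eo args`) and prints
# each offending line with the password replaced by ***.
# Simplification: arguments are split on whitespace, as in a process listing.

find_inline_mysql_passwords() {
    awk '
    {
        cmd = $1
        sub(/^.*\//, "", cmd)              # /usr/bin/mysql -> mysql
        if (cmd != "mysql") next           # other tools use -p differently

        hit = 0
        for (i = 2; i <= NF; i++) {
            # -pSECRET: password attached to the option. A bare -p is safe:
            # the client prompts, and a following word is not the password.
            if ($i ~ /^-p./)               { $i = "-p***";          hit = 1 }
            else if ($i ~ /^--password=./) { $i = "--password=***"; hit = 1 }
        }
        if (hit) print
    }'
}

# Constructed sample listing (hypothetical password and database name).
sample_command_lines() {
    cat <<'EOF'
mysql -u roberts
mysql -u roberts -pExamplePw1
/usr/bin/mysql -u roberts -p
mysql -u roberts -p -D payroll
mysql -u roberts --password=ExamplePw1 -D payroll
mysql -u roberts -P 3306 -p
ps -p1234 -o args
EOF
}

sample_command_lines | find_inline_mysql_passwords
```

Only the two lines with an attached password are reported; the prompted `-p` logins, the uppercase `-P` port option and the unrelated `ps -p1234` command are left alone.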

We have other mysql options that we may provide when logging in, such as -D followed by a space and name of a database. The effect is that upon logging in, we do not have to specify the database name to access its components, as if we had chosen the database with the SQL USE statement. We will demonstrate this option later with our next scenario.

For the next database user account, let’s see how we can create the account and set the password in one command. This approach combines the two commands we issued to separately create the account and set the password. We specify the CREATE USER statement followed by the username for the new account. We then add the IDENTIFIED BY keywords followed by the password enclosed with single quotes, as shown in Figure 4.9. As before, the username does not require surrounding quotes if the username consists of only alphanumeric or underscore characters. The password must be enclosed within quotes regardless.

FIGURE 4.9 Creating a database user account with a password.

There may be times when we want to remove a database user account. For example, if we did not create the account properly, we may find it easier to remove the account and start over. Figure 4.10 gives the syntax to remove a particular database user’s account.

DROP USER 'user'[@'hostname'];

FIGURE 4.10 General SQL syntax to remove a database user account.

The [@'hostname'] portion of the statement is optional (we did not use it up to this point), but we incorporate that later in this chapter.
