MemSQL Documentation

MemSQL is a high-performance, in-memory database that combines the horizontal scalability of distributed systems with the familiarity of SQL.


Strict Mode Permissions

Licensing Note

As of the time of this publication, strict mode is made available and licensed only as part of the MemSQL Advanced Security Option. Before using or implementing this functionality, please consult with your enterprise's licensing administrator to confirm that your enterprise has purchased the necessary Advanced Security Option license from MemSQL.

Strict Mode will be a cluster-level option that must be enabled at startup, and cannot be changed while a cluster is running. When Strict Mode is turned on, the MemSQL permissions model changes in two important ways:

  1. Strict Mode is irreversible: Strict Mode is enabled by setting 'strict-mode=true' in the memsql.cnf configuration file and then restarting the server. Once this happens, Strict Mode becomes irreversible on the current cluster.
  2. No “WITH GRANT OPTION”: In order to grant and revoke permissions, and manage roles and groups, a user must have the GRANT permission.
    1. A user with the GRANT permission will not need to possess a given permission in order to grant it to others.
    2. Under Strict Mode it is not possible to grant permissions to yourself.
  3. CREATE USER required for password changes: In order to change a user’s password using GRANT … TO user@host IDENTIFIED BY 'password', you must possess the CREATE USER permission. This prevents an admin with the GRANT permission from changing the password of some user and granting that user all permissions, thus effectively granting all permissions to themselves.
    Note that in Default Mode, to change a user’s password you need the GRANT permission. The scenario above is not an issue in Default Mode, since you can only grant permissions which you possess.
  4. No "*.*" permissions: When Strict Mode is turned on, most permissions may only be granted on a specific named database, not cluster-wide. The exceptions to this rule are:

    - CREATE DATABASE
    - DROP DATABASE
    - SHOW DATABASE
    - CREATE USER
    - GRANT
    - CLUSTER
    - SUPER
    - LOCK TABLES
    - RELOAD
    - BACKUP
    - FILE READ
    - FILE WRITE
    - PROCESS
    - USAGE
    - REPLICATION
    - SHOW METADATA
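Because the setting cannot be undone, it helps to audit existing grants against the rules above before enabling it. The following is an added example, not part of the MemSQL documentation: it assumes grants are available as MySQL-style `GRANT <privs> ON <scope> TO <grantee>` statement text, the function names are hypothetical, and the sample statements are constructed.

```python
import re

# Permissions the page lists as still grantable cluster-wide (ON *.*) in Strict Mode.
CLUSTER_WIDE_OK = {
    "CREATE DATABASE", "DROP DATABASE", "SHOW DATABASE", "CREATE USER", "GRANT",
    "CLUSTER", "SUPER", "LOCK TABLES", "RELOAD", "BACKUP", "FILE READ",
    "FILE WRITE", "PROCESS", "USAGE", "REPLICATION", "SHOW METADATA",
}

# Assumed statement shape: GRANT <privs> ON <scope> TO <grantee> [trailing clauses]
GRANT_RE = re.compile(
    r"^\s*GRANT\s+(?P<privs>.+?)\s+ON\s+(?P<scope>\S+)\s+TO\s+(?P<grantee>\S+)(?P<rest>.*)$",
    re.IGNORECASE,
)

def audit_grant(stmt):
    """Return a list of Strict Mode findings for one GRANT statement."""
    m = GRANT_RE.match(stmt.strip().rstrip(";"))
    if not m:
        return ["unparsed statement, review by hand"]
    findings = []
    scope = m.group("scope").replace("`", "")
    # Normalise whitespace and case; column-level lists are out of scope here.
    privs = [" ".join(p.split()).upper() for p in m.group("privs").split(",")]
    if scope == "*.*":
        for p in privs:
            # Anything outside the exception list (ALL PRIVILEGES included)
            # is treated as needing a per-database grant.
            if p not in CLUSTER_WIDE_OK:
                findings.append(f"{p} on *.* must be re-granted per database")
    if re.search(r"WITH\s+GRANT\s+OPTION", m.group("rest"), re.IGNORECASE):
        findings.append("WITH GRANT OPTION is replaced by the GRANT permission")
    return findings

def audit(statements):
    """Map each offending statement to its findings; clean statements are omitted."""
    return {s: f for s in statements if (f := audit_grant(s))}

# Constructed sample input, not taken from a real cluster.
SAMPLE = [
    "GRANT SELECT, INSERT ON *.* TO 'app'@'%'",
    "GRANT SELECT ON sales.* TO 'report'@'%'",
    "GRANT CREATE USER, PROCESS ON *.* TO 'ops'@'localhost'",
    "GRANT ALL PRIVILEGES ON *.* TO 'root'@'%' WITH GRANT OPTION",
]

if __name__ == "__main__":
    for stmt, findings in audit(SAMPLE).items():
        print(stmt, *("  - " + f for f in findings), sep="\n")
```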
