Strict Mode Permissions
As of the time of this publication, strict mode is made available and licensed only as part of the MemSQL Advanced Security Option. Before using or implementing this functionality, please consult with your enterprise’s licensing administrator to confirm that your enterprise has purchased the necessary Advanced Security Option license from MemSQL.
Strict Mode will be a cluster-level option that must be enabled at startup, and cannot be changed while a cluster is running. When Strict Mode is turned on, the MemSQL permissions model changes in two important ways:
Strict Mode is irreversible: Strict Mode is enabled by setting ‘strict-mode=true’ in the
memsql.cnfconfiguration file and then restarting the server. Once this happens, Strict Mode becomes irreversible on the current cluster.
No “WITH GRANT OPTION”: In order to grant and revoke permissions, and manage roles and groups, a user must have the GRANT permission.
- A user with the GRANT permission will not need to possess a given permission in order to grant it to others.
- Under Strict Mode it is not possible to grant permissions to yourself.
CREATE USER required for password changes: In order to change a user’s password using
GRANT … TO 'user'@'host' IDENTIFIED BY 'password', you must possess the CREATE USER permission. This prevents an admin with the GRANT permission to change the password on some user and grant them all permissions, thus effectively granting all permissions to themselves. Note that in Default Mode, to change a user’s password you need the GRANT permission. The aforementioned scenario is not an issue in Default Mode since you can only grant permissions which you possess.
*.*permissions: when Strict Mode is turned on, most permissions may only be granted to a specific named database, not cluster-wide. The exceptions to this rule are:
|CREATE DATABASE||DROP DATABASE||SHOW DATABASE||CREATE USER|
|RELOAD||BACKUP||FILE READ||FILE WRITE|