Pop quiz: what is the most basic privilege an account can be assigned with?

I asked this during my presentation on the MySQL Conference this year. And I got a unanimous answer from the crowd. Take a moment to think this over, before coming up with the answer. Meanwhile, an intermezzo.

Tam dam dam…

Pom pom Pom pom Pom pom…

If your answer is that the most basic privilege an account can be assigned with is the USAGE privilege, you are right!

And then again, you’re also wrong.

Technically, USAGE is the right answer. Conceptually, there’s something far more fundamental than USAGE. An account with only USAGE privilege cannot do much, right? Well, I argue on that as well, but bear with me. How did that user get to login in the first place?

That’s right, the USAGE privilege first and foremost allows one to login. I wrote on this before, and I cannot stress this enough: there should be a LOGIN privilege for MySQL, one which can be turned off with REVOKE.

Can you REVOKE the USAGE privilege? You cannot. Once an account exists, it is allowed to login and do stuff. Actually:

USAGE = LOGIN + USE + ABUSE YOUR SYSTEM

Which is why ABUSAGE is a more fitting name for this privilege. There is no justification to the many things a user can do with USAGE.

Am I exaggerating? What does USAGE allow one to do? Let’s look at some unconventional usage:

SELECT benchmark(10000000000000000, sin(sqrt(rand())));
+-------------------------------------------------+
| benchmark(10000000000000000, sin(sqrt(rand()))) |
+-------------------------------------------------+
|                                               0 |
+-------------------------------------------------+
1 row in set (gazillion seconds to complete, one core down)
SELECT
 DISTINCT 0 * COUNT(*) AS result
FROM
 INFORMATION_SCHEMA.COLLATIONS c0,
 INFORMATION_SCHEMA.COLLATIONS c1,
 INFORMATION_SCHEMA.COLLATIONS c2,
 INFORMATION_SCHEMA.COLLATIONS c3,
 INFORMATION_SCHEMA.COLLATIONS c4,
 INFORMATION_SCHEMA.COLLATIONS c5,
 INFORMATION_SCHEMA.COLLATIONS c6,
 INFORMATION_SCHEMA.COLLATIONS c7,
 INFORMATION_SCHEMA.COLLATIONS c8,
 INFORMATION_SCHEMA.COLLATIONS c9
GROUP BY
 c1.COLLATION_NAME, c7.SORTLEN
;
+--------+
| result |
+--------+
|      0 |
+--------+
1 row in set (yet again gazillion seconds to complete, with huge disk temporary table)
SELECT COUNT(DISTINCT SLEEP(1000)) FROM INFORMATION_SCHEMA.TABLES;
+-----------------------------+
| COUNT(DISTINCT SLEEP(1000)) |
+-----------------------------+
|                           1 |
+-----------------------------+
1 row in set (want to gamble how much time your DB will spend in complete lockdown?)

And I should also mention open many concurrent connections (thankfully there is syntax to limit this!).

8 thoughts on “Pop quiz: what is the most basic privilege an account can be assigned with?

  1. @stewart:
    In situation #1, would Drizzle actually start to execute the query in order to find the number of joined rows exceeds the limit? Or is it part of query evaluation that tables are scanned?

    In situation #2, I don’t get it. How CAN I perform such query without Drizzle complaining about “Implicit cartesian join attempted”? Seems like the SQL_BIG_SELECTS did not make a change.

  2. So… for 1) I think it’s just part of query evaluation, and about the same time when detection for an attempted cartesian join. My guess is it’s getting row estimate from engine and then multiplying out and going “whooooo – huge!”.

    2) you have to use the explicit CROSS JOIN syntax. http://www.linuxjedi.co.uk/?p=89

Leave a Reply

Your email address will not be published.

This site uses Akismet to reduce spam. Learn how your comment data is processed.