Just my 2 cents on the subject. I was having the exact same issue with trying to connect from MySQL Workbench. I’m running a bitnami-mysql virtual machine to set up a local sandbox for development.
Bitnami’s tutorial said to run the ‘Grant All Privileges’ command:
/opt/bitnami/mysql/bin/mysql -u root -p -e "grant all privileges on *.* to 'root'@'%' identified by 'PASSWORD' with grant option";
This was clearly not working, I finally got it to work using Mike Lischke’s answer.
What I think happened was that the root@% user had the wrong credentials associated to it. So if you’ve tried to modify the user’s privileges and with no luck try:
- Dropping the user.
- Create the user again.
- Make sure you have the correct binding on your MySQL config file.
In my case I’ve commented the line out since it’s just for a sandbox environment.
1. Dropping the user.
From Mysql Console:
List Users (helpful to see all your users):
select user, host from mysql.user;
Drop Desired User:
drop user '{{ username }}'@'%';
2. Create the user again.
Create User and Grant Permissions:
CREATE USER '{{ username }}'@'%' IDENTIFIED BY '{{ password }}';
GRANT ALL PRIVILEGES ON *.* TO '{{ username }}'@'%' WITH GRANT OPTION;
Run this command:
FLUSH PRIVILEGES;
3. Make sure you have the correct binding on your MySQL config file.
Locate your MySQL config file (additional notes at the end). If you want to have MySQL listen for connections on more than one network find the following line on the config file:
bind-address=127.0.0.1
and comment it using a ‘#’:
#bind-address=127.0.0.1
For production environments you might want to use limit the network access (additional notes at the end).
Then restart your MySQL service.
Hope this helps someone having the same issue!
Binding: If you want to know more about this I suggest looking at the following
solution How to bind MySQL server to more than one IP address. It
basically says you can leave MySQL open and limit connections by using
a firewall, or natively if you have MySQL version 8.0.13 and above.
MySQL Config File The file could have different locations depending on your
Linux distribution and installation. On my system it was located at
'/etc/my.cnf'. Here are other suggested locations:
- /etc/mysql/mysql.conf.d
- /etc/mysql/my.cnf
You can also search for the config locations as shown in this website:
How to find locations of MySQL config files.
I was trying to install wordpress on ubuntu using the link and struck at https://ubuntu.com/tutorials/install-and-configure-wordpress#4-configure-database
When I run this command,I get the error-
GRANT SELECT,INSERT,UPDATE,DELETE,CREATE,DROP,ALTER
-> ON wordpress.*
-> TO wordpress@localhost
-> IDENTIFIED BY 'root';
ERROR 1064 (42000): You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'IDENTIFIED BY 'root'' at line 1
I tried almost every syntax by changing the wordpress@localhost to 'wordpress'@'localhost'
I tried removing and adding the APOSTROPHE on 'root' in IDENTIFIED BY 'root',
then after searching I tried this command as well — GRANT ALL PRIVILEGES ON *.* TO 'wordpress'@'localhost' IDENTIFIED BY 'root‘ and got
Error — ERROR 1410 (42000): You are not allowed to create a user with GRANT
Nothing found working for me. Please help where am doing mistake. Thanks
P.S. Database is already there —
mysql> show databases;
+--------------------+
| Database |
+--------------------+
| information_schema |
| mysql |
| performance_schema |
| sys |
| wordpress |
+--------------------+
5 rows in set (0.01 sec)
I’m attempting to grant a user privileges within a database, and I’m receiving the error
#1410 - You are not allowed to create a user with GRANT
I’m executing the following:
GRANT ALL PRIVILEGES ON `database`.* TO 'user'@'localhost';
The user is already created, but I cannot grant privileges to it.
Below is an example of a user I’m attempting to edit.
asked Jun 18, 2021 at 15:46
FiravFirav
411 silver badge5 bronze badges
2
Conflicting authentication settings on users were preventing the user from registering properly. Deleted all affected users and created them again.
answered Jun 20, 2021 at 14:42
FiravFirav
411 silver badge5 bronze badges
The documentation for MySQL 5.7 states:
Use of GRANT to define account authentication characteristics is deprecated as of MySQL 5.7.6. Instead, establish or change authentication characteristics using CREATE USER or ALTER USER. This GRANT capability will be removed in a future MySQL release.
Instead you need to CREATE USER then GRANT:
CREATE USER 'user'@'localhost' IDENTIFIED WITH mysql_native_password BY 'superSecretPassword!123';
GRANT ALL ON `database`.* TO 'user'@'localhost';
answered Jun 18, 2021 at 23:04
matigomatigo
1,8831 gold badge4 silver badges15 bronze badges
2
It seems, that this is a question that regularly shows up in forums or stackoverflow.
To start, let’s highlight the fact that in MySQL 8.0 it’s not any more possible to create a user directly from the GRANT command (ERROR 1410 (42000): You are not allowed to create a user with GRANT).
This means that to grant some privileges, the user must be created first.
Let’s create a user ‘user1‘ with ‘ChangeMe‘ as password that the user will have to change:
mysql> create user 'user1' identified by 'ChangeMe' password expire;
Query OK, 0 rows affected (1.35 sec)
Let’s try to connect to MySQL using that new created user:
$ mysql -u user1 -pChangeMe -h localhost
mysql: [Warning] Using a password on the command line interface can be insecure.
Welcome to the MySQL monitor. Commands end with ; or g.
Your MySQL connection id is 347
Server version: 8.0.13
Copyright (c) 2000, 2018, Oracle and/or its affiliates. All rights reserved.
Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.
Type 'help;' or 'h' for help. Type 'c' to clear the current input statement.
mysql>
Nothing special, we are connected as expected… but didn’t I explicitly expired the password ?
Yes I did, let’s try any statement:
mysql> select now();
ERROR 1820 (HY000): You must reset your password using ALTER USER
statement before executing this statement.
We must change the password as expected. Let’s change it to ‘MySQL8isGreat‘:
mysql> set password='MySQL8isGreat';
Query OK, 0 rows affected (0.34 sec)
And now we can use MySQL and run any statement we are allowed to do (that we have the privileges for).
mysql> select now();
+---------------------+
| now() |
+---------------------+
| 2019-01-10 14:36:05 |
+---------------------+
1 row in set (0.00 sec)
mysql> show databases;
+--------------------+
| Database |
+--------------------+
| information_schema |
+--------------------+
1 row in set (0.20 sec)
It seems I don’t have access to many databases…
The default privilege is very limited:
mysql> show grants;
+-----------------------------------+
| Grants for user1@% |
+-----------------------------------+
| GRANT USAGE ON . TOuser1@%|
+-----------------------------------+
1 row in set (0.00 sec)
It’s now time to grant more privileges to our user… but which privileges are available ?
In 8.0.13, they are currently 46 privileges !
To list them all, just run:
mysql> show privileges;
+----------------------------+---------------------------------------+-------------------------------------------------------+
| Privilege | Context | Comment |
+----------------------------+---------------------------------------+-------------------------------------------------------+
| Alter | Tables | To alter the table |
| Alter routine | Functions,Procedures | To alter or drop stored functions/procedures |
| Create | Databases,Tables,Indexes | To create new databases and tables |
| Create routine | Databases | To use CREATE FUNCTION/PROCEDURE |
| Create role | Server Admin | To create new roles |
| Create temporary tables | Databases | To use CREATE TEMPORARY TABLE |
| Create view | Tables | To create new views |
| Create user | Server Admin | To create new users |
| Delete | Tables | To delete existing rows |
| Drop | Databases,Tables | To drop databases, tables, and views |
| Drop role | Server Admin | To drop roles |
| Event | Server Admin | To create, alter, drop and execute events |
| Execute | Functions,Procedures | To execute stored routines |
| File | File access on server | To read and write files on the server |
| Grant option | Databases,Tables,Functions,Procedures | To give to other users those privileges you possess |
| Index | Tables | To create or drop indexes |
| Insert | Tables | To insert data into tables |
| Lock tables | Databases | To use LOCK TABLES (together with SELECT privilege) |
| Process | Server Admin | To view the plain text of currently executing queries |
| Proxy | Server Admin | To make proxy user possible |
| References | Databases,Tables | To have references on tables |
| Reload | Server Admin | To reload or refresh tables, logs and privileges |
| Replication client | Server Admin | To ask where the slave or master servers are |
| Replication slave | Server Admin | To read binary log events from the master |
| Select | Tables | To retrieve rows from table |
| Show databases | Server Admin | To see all databases with SHOW DATABASES |
| Show view | Tables | To see views with SHOW CREATE VIEW |
| Shutdown | Server Admin | To shut down the server |
| Super | Server Admin | To use KILL thread, SET GLOBAL, CHANGE MASTER, etc. |
| Trigger | Tables | To use triggers |
| Create tablespace | Server Admin | To create/alter/drop tablespaces |
| Update | Tables | To update existing rows |
| Usage | Server Admin | No privileges - allow connect only |
| XA_RECOVER_ADMIN | Server Admin | |
| SET_USER_ID | Server Admin | |
| ROLE_ADMIN | Server Admin | |
| RESOURCE_GROUP_USER | Server Admin | |
| RESOURCE_GROUP_ADMIN | Server Admin | |
| BINLOG_ADMIN | Server Admin | |
| SYSTEM_VARIABLES_ADMIN | Server Admin | |
| GROUP_REPLICATION_ADMIN | Server Admin | |
| CONNECTION_ADMIN | Server Admin | |
| REPLICATION_SLAVE_ADMIN | Server Admin | |
| ENCRYPTION_KEY_ADMIN | Server Admin | |
| BACKUP_ADMIN | Server Admin | |
| PERSIST_RO_VARIABLES_ADMIN | Server Admin | |
+----------------------------+---------------------------------------+-------------------------------------------------------+
46 rows in set (0.00 sec)
You can see that a new user doesn’t have access to the test database anymore:
mysql> use test;
ERROR 1044 (42000): Access denied for user ‘user1’@’%’ to database ‘test’
Let’s allow our user to create tables in the database users1 that we created for him and also allow him to perform the following actions:
- Alter
- Create
- Delete
- Drop
- Index
- Insert
- Select
- Update
- Trigger
- Alter routine
- Create routine
- Execute
- Create temporary tables
mysql> grant alter,create,delete,drop,index,insert,select,update,trigger,alter routine,
create routine, execute, create temporary tables on user1.* to 'user1';
Query OK, 0 rows affected (0.23 sec)
NO NEED TO RUN FLUSH PRIVILEGES !
And in the open session for user1, we can check the granted privileges:
mysql> show grantsG
******************** 1. row ********************
Grants for user1@%: GRANT USAGE ON . TOuser1@%
******************** 2. row ********************
Grants for user1@%: GRANT SELECT, INSERT, UPDATE, DELETE, CREATE, DROP,
INDEX, ALTER, CREATE TEMPORARY TABLES, EXECUTE, CREATE ROUTINE, ALTER
ROUTINE, TRIGGER ONuser1.* TOuser1@%
2 rows in set (0.00 sec)
Now let’s imagine we want to have multiple users that will have access to the same database (mydatabase), instead of specifying all the grants for each users, let’s use a common role for all of them. We will call it ‘developer_user‘:
mysql> create ROLE developer_users;
mysql> grant alter,create,delete,drop,index,insert,select,update,trigger,alter
routine,create routine, execute, create temporary tables
on mydatabase.* to 'developer_user';
Query OK, 0 rows affected (0.12 sec)
Let’s grant the role to user1:
mysql> grant 'developer_user' to 'user1';
Query OK, 0 rows affected (0.16 sec)
Now back again in user1‘s session and let’s verify:
mysql> SELECT CURRENT_ROLE();
+----------------+
| CURRENT_ROLE() |
+----------------+
| NONE |
+----------------+
1 row in set (0.00 sec)mysql> set role 'developer_user';
Query OK, 0 rows affected (0.00 sec)mysql> SELECT CURRENT_ROLE();
+----------------------+
| CURRENT_ROLE() |
+----------------------+
|developer_user@%|
+----------------------+
1 row in set (0.00 sec)mysql> show grantsG
******************** 1. row ********************
Grants for user1@%: GRANT USAGE ON . TOuser1@%
******************** 2. row ********************
Grants for user1@%: GRANT SELECT, INSERT, UPDATE, DELETE, CREATE,
DROP, INDEX, ALTER, CREATE TEMPORARY TABLES, EXECUTE,
CREATE ROUTINE, ALTER ROUTINE, TRIGGER ONmydatabase.* TOuser1@%
******************** 3. row ********************
Grants for user1@%: GRANT SELECT, INSERT, UPDATE, DELETE, CREATE,
DROP, INDEX, ALTER, CREATE TEMPORARY TABLES, EXECUTE,
CREATE ROUTINE, ALTER ROUTINE, TRIGGER ONuser1.* TOuser1@%
******************** 4. row ********************
Grants for user1@%: GRANTdeveloper_user@%TOuser1@%
4 rows in set (0.00 sec)
Now we would like that every time user1 logs into MySQL, his new role will be set:
mysql> set default role 'developer_user' to 'user1';
Query OK, 0 rows affected (0.22 sec)
Let’s also create a user2 having the default role:
mysql> create user 'user2' identified by 'DontChangeMe' default role 'developer_user';
Query OK, 0 rows affected (0.18 sec)
And we can immediately test it:
$ mysql -u user2 -pDontChangeMe -h localhost
mysql: [Warning] Using a password on the command line interface can be insecure.
Welcome to the MySQL monitor. Commands end with ; or g.
Your MySQL connection id is 352
Server version: 8.0.13 MySQL Community Server - GPL
Copyright (c) 2000, 2018, Oracle and/or its affiliates. All rights reserved.
Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.
Type 'help;' or 'h' for help. Type 'c' to clear the current input statement.
mysql> show grantsG
******************** 1. row ********************
Grants for user2@%: GRANT USAGE ON . TOuser2@%
******************** 2. row ********************
Grants for user2@%: GRANT SELECT, INSERT, UPDATE, DELETE, CREATE,
DROP, INDEX, ALTER, CREATE TEMPORARY TABLES, EXECUTE,
CREATE ROUTINE, ALTER ROUTINE, TRIGGER ONmydatabase.* TOuser2@%
******************** 3. row ********************
Grants for user2@%: GRANTdeveloper_user@%TOuser2@%
3 rows in set (0.18 sec)
Summary
In summary, now in MySQL 8.0 you cannot create a user from GRANT, you don’t need to run FLUSH PRIVILEGES command (this is effective for a long time already, please forget about it !), you can use ROLES and you have more password management options.
Subscribe to Blog via Email
#1 03.09.2009 13:12:33
- Neval
- Гуру
- Откуда: Киев
- Зарегистрирован: 11.03.2008
- Сообщений: 449
Не работает GRANT 
Уважаемые, может кто в курсе что не так.. Не могу привязать пользователя к базе, чё уже тока не пробовал 
Пишу: GRANT ALL ON `users`.`qq` TO ‘qq’ IDENTIFIED BY ’11’
Получаю: #1410 — You are not allowed to create a user with GRANT
Делаю рутом: grant grant option on *.* to ‘имя_юзера’
Лезу в таблицу прав, в столбце Grant_priv стоит Y.
А проблема остаётся.. Баг ли? Сервер 5.0.45, подскажите плз, мож что-то не так делаю.
ЗІ Юзер qq изначально отсутствует.
Человек без чувства юмора — не серьёзный человек 
Неактивен
#2 03.09.2009 13:15:43
- rgbeast
- Администратор
- Откуда: Москва
- Зарегистрирован: 21.01.2007
- Сообщений: 3874
Re: Не работает GRANT
Правильно ли указан хост для юзера? Попробуйте SHOW GRANT под требуемым юзером посмотреть.
Неактивен
#3 03.09.2009 13:17:15
- Neval
- Гуру
- Откуда: Киев
- Зарегистрирован: 11.03.2008
- Сообщений: 449
Re: Не работает GRANT
Хост вообще не указываю нигде… Я так понимаю, проблема ч том, что «create a user with GRANT» и «Юзер qq изначально отсутствует», ща проверю своё предположение 
Человек без чувства юмора — не серьёзный человек
Неактивен
#4 03.09.2009 13:20:09
- rgbeast
- Администратор
- Откуда: Москва
- Зарегистрирован: 21.01.2007
- Сообщений: 3874
Re: Не работает GRANT
Вы, возможно, даете права юзеру qq@’%’, а подключаетесь юзером qq@localhost
Неактивен
#5 03.09.2009 13:21:56
- paulus
- Администратор
- Зарегистрирован: 22.01.2007
- Сообщений: 6740
Re: Не работает GRANT
#1410 — You are not allowed to create a user with GRANT
SQL_MODE стоит в NO_AUTO_CREATE_USER, полагаю?
Неактивен
#6 03.09.2009 13:52:58
- Neval
- Гуру
- Откуда: Киев
- Зарегистрирован: 11.03.2008
- Сообщений: 449
Re: Не работает GRANT
rgbeast написал:
Вы, возможно, даете права юзеру qq@’%’, а подключаетесь юзером qq@localhost
Эммм… а разве localhost не входит в %? Я не указываю хост для юзера, значит берётся %, а с локального хоста эти права обычно доступны.
paulus написал:
SQL_MODE стоит в NO_AUTO_CREATE_USER, полагаю?
SQL_MODE пуст.
Результат SHOW GRANTS под юзером route, который должен создать юзера qq:
GRANT USAGE ON *.* TO ‘route’@’%’ IDENTIFIED BY PASSWORD ‘*E6CC90B878B948C35E92B003C792C46C58C4AF40’ WITH GRANT OPTION
GRANT ALL PRIVILEGES ON `route`.* TO ‘route’@’%’
GRANT ALL PRIVILEGES ON `users`.* TO ‘route’@’%’ WITH GRANT OPTION
Это в панике уже была куча прав добавлена.
Попытка создать юзера, ответ: #1227 — Access denied; you need the CREATE USER privilege for this operation
Пытаюсь добавить привелегию создания юзера: GRANT CREATE USER TO ‘route’
Ответ: #1064 — You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ‘USER TO ‘route», т.е. сервер такой привилегии вообще не знает :
ЗЫ Поменял USAGE на ALL PRIVILEGES и проблема прав исчезла. Получается, проблема была в том, что запрос привелегий юзера qq выполнялся при использовании базы `route`, в которой небыло привелегии GRANT. Как-то не логично, ведь юзера qq я привязывал к базе `users`, в которой есть привелегия GRANT, по идее должно быть всё равно в какой базе выполняется запрос…
В таком случае меня только интересует пример запроса создания юзера, почему сервер не знает CREATE USER?
Человек без чувства юмора — не серьёзный человек
Неактивен
#7 03.09.2009 14:48:45
- paulus
- Администратор
- Зарегистрирован: 22.01.2007
- Сообщений: 6740
Re: Не работает GRANT
Знает, только Вы синтаксис соблюдайте полностью.
mysql> grant create user on *.* to username@hostname identified by ‘password’;
Query OK, 0 rows affected (0.00 sec)
Неактивен
#8 03.09.2009 15:14:11
- Neval
- Гуру
- Откуда: Киев
- Зарегистрирован: 11.03.2008
- Сообщений: 449
Re: Не работает GRANT
Вот так вот, оказывается…
И опять же, «on *.*» привязывает привилегию к конкретной базе : Как-то не логично это придумали, имхо.
Человек без чувства юмора — не серьёзный человек
Неактивен
#9 03.09.2009 15:38:58
- paulus
- Администратор
- Зарегистрирован: 22.01.2007
- Сообщений: 6740
Re: Не работает GRANT
«Конкретная» база — это любая? А «не конкретная» — это какая тогда?
Неактивен
#10 03.09.2009 16:08:32
- Neval
- Гуру
- Откуда: Киев
- Зарегистрирован: 11.03.2008
- Сообщений: 449
Re: Не работает GRANT
Не-не, я имею ввиду, что к примеру привилегия создания юзера разрешена в базе X, юзера нужно создать с доступом к базе X, а запрос выполняется в базе Y. Если в базе Y нет привилегии создания юзера, то мы не сможем его создать для базы X. Вот это для меня немного не логично По идее, сначала юзер создаётся «в корне», а уже потом получает доступ к базам. А тут получается, если запрос не из корня, то мол покажите права на создание не из корня, хотя право создания в корне имеется
ЗЫ А вообще, сабж решён — это главное))
Человек без чувства юмора — не серьёзный человек
Неактивен
#11 03.09.2009 16:42:58
- paulus
- Администратор
- Зарегистрирован: 22.01.2007
- Сообщений: 6740
Re: Не работает GRANT
Это не Oracle, пользователи тут глобальные, а не per-base.
Неактивен
#12 03.09.2009 16:49:07
- Neval
- Гуру
- Откуда: Киев
- Зарегистрирован: 11.03.2008
- Сообщений: 449
Re: Не работает GRANT
Правильно, но чтобы создать юзера, находясь в базе, нужно иметь права создания юзера именно в этой базе, вот где не логично Юзер глобальный, а без прав базы шиш тебе)))
Человек без чувства юмора — не серьёзный человек
Неактивен
#13 03.09.2009 17:39:42
- paulus
- Администратор
- Зарегистрирован: 22.01.2007
- Сообщений: 6740
Re: Не работает GRANT
В MySQL нет понятия «права создания юзера в этой базе». Есть право «CREATE USER», которое
является глобальным. Оно или есть у текущего пользователя, или нет. Безотносительно баз.
Неактивен