Question

REVOKE REPLICATION_APPLIER,ROLE_ADMIN ON *.* FROM "newuser"@"%"

Created a new user and tried to remove all grants, ended with:

GRANT USAGE ON *.* TO "user"@"%"
GRANT REPLICATION_APPLIER,ROLE_ADMIN ON *.* TO "new user"@"%"

I’m stuck trying to remove these the last grant (REPLICATION_APPLIER,ROLE_ADMIN) with my admin user in a MySQL8 managed database.

Ran

REVOKE REPLICATION_APPLIER,ROLE_ADMIN ON *.* FROM "newuser"@"%"

but gives me this error: Access denied for AuthId doadmin@% to database ‘mysql’.

Since having root access is not an option, how can i remove this grant?


Submit an answer


This textbox defaults to using Markdown to format your answer.

You can type !ref in this text area to quickly search our full set of tutorials, documentation & marketplace offerings and insert the link!

Sign In or Sign Up to Answer

These answers are provided by our Community. If you find them useful, show some love by clicking the heart. If you run into issues leave a comment, or add your own answer to help others.

KFSys
Site Moderator
Site Moderator badge
February 4, 2024

Heya,

Dealing with permission issues in a managed database environment like DigitalOcean can be challenging, especially without root access.

In such cases as yours the only option would be contacting DigitalOcean’s support. They can assist in removing the permission for you.

Please reach out to our amazing support team who will be more than happy to assist! :)

https://www.digitalocean.com/support/

Hope that helps! - KFSys.

Bobby Iliev
Site Moderator
Site Moderator badge
February 2, 2024

Hey @geralsquid,

When dealing with DigitalOcean’s Managed MySQL Database, you’re working within a slightly different environment compared to a self-managed MySQL instance. Managed databases often have certain restrictions to maintain security and stability across the platform. One such restriction is that you might not have the same level of access as a root user, which can limit your ability to perform certain actions, such as directly revoking privileges like REPLICATION_APPLIER and ROLE_ADMIN.

The error message you’re encountering, “Access denied for AuthId doadmin@% to database ‘mysql’,” indicates that your administrative user (doadmin) does not have the necessary permissions to revoke these specific grants from the “newuser” user. This is a common security measure in managed environments to prevent accidental or malicious alterations to critical database functionalities, including replication and role administration.

For actions that require higher privileges than your account possesses, the first step should be to contact DigitalOcean support. They can often make the necessary changes on your behalf or provide an alternative solution that complies with their managed database policies:

https://www.digitalocean.com/support/

Although direct revocation of certain system-level privileges like REPLICATION_APPLIER and ROLE_ADMIN might not be поссибле due to the reasons mentioned, it’s still worth reaching out to the DigitalOcean support team.

Hope that helps!

- Bobby.

Try DigitalOcean for free

Click below to sign up and get $200 of credit to try our products over 60 days!

Sign up

Get our biweekly newsletter

Sign up for Infrastructure as a Newsletter.

Hollie's Hub for Good

Working on improving health and education, reducing inequality, and spurring economic growth? We'd like to help.

Become a contributor

Get paid to write technical tutorials and select a tech-focused charity to receive a matching donation.

Welcome to the developer cloud

DigitalOcean makes it simple to launch in the cloud and scale up as you grow — whether you're running one virtual machine or ten thousand.

Learn more
DigitalOcean Cloud Control Panel