----- Original Message ----- > From: "Brent Clark" <brentgclarkl...@gmail.com> > > I know the answer (well I think I do :) ), but im still going to ask. > What is the risk if do the "GRANT ALL PRIVILEGES ON *.* TO 'root'@'%' > IDENTIFIED BY 'mysql' WITH GRANT OPTION;" > To satisfy the developer.
That said developer then has full privileges with that account, perhaps? :-) Check what privileges the stored procedure REALLY needs, and create an account with a strong, random password that has only those privileges. Do not give out the password to the developer. Any developer that demands full admin privileges is not to be left within a hundred miles of a production server. Developers get full DML rights on the dev environment. They're free to fuck up their own database as much as they want, there. If you have the comfort of a staging environment, they get select/insert/update/delete/execute to start off. More may be added depending on what is needed. Document the strict minimum privileges that make stuff work. Repeated requests for more privileges will be met with a frown, but granted. You *should* know what privileges you need, you wrote the damn thing. If you have the luxury of a preproduction environment, only the privileges documented from staging will be granted. Requests for additional privileges will be met with a thorough LARTing and a nuking of the account and data. Redo from start. On production, installs are performed strictly as per procedure; no exceptions; and only from the scripts that I have documented as working on preprod. You don't even get access to a mysql client on the app server. If a dump to dev is *really* not good enough for you to debug an issue, you can sit next to me while I query the database for you. Also, @John Siebert, DEFINER privileges define with which privileges the SP will execute, whereas it is the user invoking the SP who needs execute privileges on it. -- Bier met grenadyn Is als mosterd by den wyn Sy die't drinkt, is eene kwezel Hy die't drinkt, is ras een ezel -- MySQL General Mailing List For list archives: http://lists.mysql.com/mysql To unsubscribe: http://lists.mysql.com/mysql?unsub=arch...@jab.org
