Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

Cross join between multiple schemas in MySQL. Privileges and performance

I'm building two applications which will share some data in common schema. I'm using MySQL as RDBMS. Here is my first schema (test_schema_1):

test_schema_1

And second (test_schema_2):

test_schema_2

I recently learned that I can do JOINs between multiple schemas. When I'm connected with root user (unlimited access to everything), I do:

SELECT * FROM
TEST_SCHEMA_2.USERS U
JOIN TEST_SCHEMA_1.MASTER_USERS MU ON U.MASTER_ID = MU.ID
JOIN TEST_SCHEMA_2.ROLES R ON U.ROLE_ID = R.ID
WHERE MU.APP_ID = '[email protected]';

And get what I expect! This looks very cool for me, as I'm thinking of going to production with this design.

But I'm a bit afraid of performance implications of such design? Is this a good idea? What if in future I decide to shard (in MongoDB terminology) the database on different machines?

Also, I'm wondering of security problems. Currently, I have a separate user for each schema:

Host        Db              User    Select_priv Insert_priv Update_priv Delete_priv Create_priv Drop_priv   Grant_priv  References_priv Index_priv  Alter_priv  Create_tmp_table_priv   Lock_tables_priv    Create_view_priv    Show_view_priv  Create_routine_priv Alter_routine_priv  Execute_priv    Event_priv  Trigger_priv
%           test_schema_1   t1      Y           Y           Y           Y           N           N           N           N               N           N           N                       N                   N                   N               N                   N                   N               N           Y
localhost   test_schema_1   t1      Y           Y           Y           Y           N           N           N           N               N           N           N                       N                   N                   N               N                   N                   N               N           Y
%           test_schema_2   t2      Y           Y           Y           Y           N           N           N           N               N           N           N                       N                   N                   N               N                   N                   N               N           Y
localhost   test_schema_2   t2      Y           Y           Y           Y           N           N           N           N               N           N           N                       N                   N                   N               N                   N                   N               N           Y

So I expect that user t1 cannot read from test_schema_2. But the query above works. He even can insert in test_schema_2:

SELECT USER();
INSERT INTO TEST_SCHEMA_2.ROLES(ID, NAME) VALUES(4, 'TEST');
...
USER()
t1@localhost
-------------------------------------------
Updated Rows
1

What am I missing?

like image 462
madhead - StandWithUkraine Avatar asked Nov 14 '13 19:11

madhead - StandWithUkraine


2 Answers

MySQL maintains a single set of buffers for all databases. With regards to performances, it does not matter whether tables are in different databases.

Your use case is boderline, but seems to be a reasonnable case for aggregating data from separate databases.

I would be careful with this architecture though. If your applications start sharing more than just a few tables, ask yourself whether these applications are really distinct applications, or rather modules of the same application. In the latter case, it would make sense to me to have all tables in one sigle database.

If you are concerned about security, then please note that most access rights may be granted on a per-table (or even per-column) basis.

like image 75
RandomSeed Avatar answered Oct 05 '22 06:10

RandomSeed


First of all, you should adjust security settings. Probably, your users have granted access to all schemas. To keep things simple, try to invoke the following:

REVOKE ALL PRIVILEGES, GRANT OPTION from 't1','t2'; 
GRANT SELECT, INSERT, UPDATE, DELETE ON `test\_schema\_1`.* TO 't1';
GRANT SELECT, INSERT, UPDATE, DELETE ON `test\_schema\_2`.* TO 't2';
FLUSH PRIVILEGES;

The second part is about your schemas. Basically, this is not a problem to query different schemas. If you are confused about security issues, I would recommend you to switch your query to a procedure. And what is up to sharding, it is even less complicated to break apart different schemas.

like image 36
Michael Cheremuhin Avatar answered Oct 05 '22 07:10

Michael Cheremuhin