# MySQL User Management, Access Control, and Encryption

In this lab, first you will learn how to manage MySQL user accounts and roles using phpMyAdmin graphical user interface (GUI) tool. Then you will learn how to control access to MySQL databases and their objects. Finally you will learn how to secure your data adding extra layer of security using data encryption.


### Objectives
After completing this lab, you will be able to use the phpMyAdmin to:

* Manage MySQL user accounts and roles
* Control access to MySQL databases and their objects
* Add last line of defense to secure data using encryption

https://www.coursera.org/learn/relational-database-administration/ungradedLti/PnmM8/hands-on-lab-mysql-user-management-access-control-and-encryption

In [45]:
!curl -O https://cf-courses-data.s3.us.cloud-object-storage.appdomain.cloud/IBM-DB0231EN-SkillsNetwork/datasets/World/world_mysql_script_full.sql

  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100  387k  100  387k    0     0  66246      0  0:00:05  0:00:05 --:--:-- 81181


#### Connecting to MySQL

In [8]:
import os
from dotenv import load_dotenv

# Cargar variables de entorno desde el archivo .env
load_dotenv()

# Obtener la contraseña de la variable de entorno
password = os.getenv("DB_PASSWORD")

In [75]:
!{path}mysql --host=127.0.0.1 --port=3306 --user=root --password={password} --execute="DROP DATABASE world" 2>/dev/null;

In [76]:
!{path}mysql --host=127.0.0.1 --port=3306 --user=root --password={password} --execute="CREATE DATABASE world" 2>/dev/null;

In [77]:
!{path}mysql --host=127.0.0.1 --port=3306 --user=root --password={password} world < world_mysql_script_full.sql 2>/dev/null;

In [9]:
%load_ext sql

The sql extension is already loaded. To reload it, use:
  %reload_ext sql


In [10]:
# Crear la URL de conexión
%sql mysql+pymysql://root:{password}@localhost:3306/world

In [46]:
%sql SHOW TABLES;

 * mysql+pymysql://root:***@localhost:3306/world
3 rows affected.


Tables_in_world
city
country
countrylanguage


#### Exercise 1: Manage MySQL user accounts and roles

In [15]:

%sql CREATE USER 'db_owner'@'localhost' IDENTIFIED BY '1234';

 * mysql+pymysql://root:***@localhost:3306/world
0 rows affected.


[]

In [17]:
%%sql

GRANT ALL PRIVILEGES ON *.* TO 'db_owner'@'localhost' 
WITH GRANT OPTION;

ALTER USER 'db_owner'@'localhost'
REQUIRE NONE
WITH
	MAX_USER_CONNECTIONS 0
	MAX_QUERIES_PER_HOUR 0
	MAX_UPDATES_PER_HOUR 0
	MAX_CONNECTIONS_PER_HOUR 0;

 * mysql+pymysql://root:***@localhost:3306/world
0 rows affected.
0 rows affected.


[]

#### Exercise 2: Control access to MySQL databases and their objects

In [19]:
%%sql

GRANT ALL PRIVILEGES ON `world`.* TO 'db_owner'@'localhost'; ALTER USER 'db_owner'@'localhost';


GRANT SELECT, INSERT, UPDATE (`Population`), DELETE, CREATE, DROP, REFERENCES, INDEX, ALTER, CREATE VIEW, TRIGGER, SHOW VIEW ON `world`.`city` TO 'db_owner'@'localhost'; ALTER USER 'db_owner'@'localhost';

 * mysql+pymysql://root:***@localhost:3306/world
0 rows affected.
0 rows affected.
0 rows affected.
0 rows affected.


[]

#### Exercise 3: Secure data using encryption


In [20]:
path = "/usr/local/mysql-8.0.31-macos12-arm64/bin/"

First, you will need to hash your passphrase (consider your passphrase is My secret passphrase) with a specific hash length (consider your hash length is 512) using a hash function (here you will use hash function from SHA-2 family). It is good practice to hash the passphrase you use, since storing the passphrase in plaintext is a significant security vulnerability.

In [66]:
%sql SELECT * FROM countrylanguage LIMIT 5;

 * mysql+pymysql://root:***@localhost:3306/world
5 rows affected.


CountryCode,Language,IsOfficial,Percentage
ABW,Dutch,T,5.3
ABW,English,F,9.5
ABW,Papiamento,F,76.7
ABW,Spanish,F,7.4
AFG,Balochi,F,0.9


To encrypt the Percentage column, we will first want to convert the data in the column into binary byte strings of length 255

Now to actually encrypt the Percentage column, we use the AES encryption standard and our hashed passphrase to execute the following command:

Let’s go ahead and see if the column was successfully encrypted by taking another look at the countrylanguage table.

In [78]:
%%sql

-- Make sure you have a suitable secret key
SET @key_str = SHA2('My secret passphrase', 512);

-- Convert Percentage column to VARBINARY to store encrypted data
ALTER TABLE countrylanguage MODIFY COLUMN Percentage VARBINARY(255);

-- Encrypt Percentage column using AES
UPDATE countrylanguage SET Percentage = AES_ENCRYPT(CAST(Percentage AS CHAR), @key_str);

-- Verify that the data is encrypted by executing a SELECT query
SELECT * FROM countrylanguage LIMIT 5;

 * mysql+pymysql://root:***@localhost:3306/world
0 rows affected.
984 rows affected.
984 rows affected.
5 rows affected.


CountryCode,Language,IsOfficial,Percentage
ABW,Dutch,T,b'\x03d\xfbL\xbd\x06D\xbd\xafe\xf7!\xb0\x7fh~'
ABW,English,F,b'\xadrG\xaa\x81\xaa\xc6\xe5\xff\x8c(\xbbR\xa4KK'
ABW,Papiamento,F,b'1\xac\x1a\xc7\xc3\x82\x9d;\xb8\x17\xa7\xdd\xa5z\x86m'
ABW,Spanish,F,b'\xac\xdc\xbe\x08K\xf8\xc8\xcf\xd9A\xdb\x00o\x16\xa3\xe9'
AFG,Balochi,F,"b""\xfd\xa7'\xa2hB\xcd\x02zI\x1bo\xa2H\x16r"""


The supposedly sensitive data is now encrypted and secured from prying eyes. However, we should still have a way to access the encrypted data when needed. To do this, we use the AES_DECRYPT command, and since AES is symmetric, we use the same key for both encryption and decryption. In our case, recall that the key was a passphrase which was hashed and stored in the variable key_str. Suppose we need to access the sensitive data in that column.

In [82]:
%%sql
SELECT CountryCode, Language, IsOfficial, CAST(AES_DECRYPT(Percentage, @key_str) AS DECIMAL(10,2)) AS Percentage 
FROM countrylanguage 
LIMIT 5;


 * mysql+pymysql://root:***@localhost:3306/world
5 rows affected.


CountryCode,Language,IsOfficial,Percentage
ABW,Dutch,T,5.3
ABW,English,F,9.5
ABW,Papiamento,F,76.7
ABW,Spanish,F,7.4
AFG,Balochi,F,0.9
