Wednesday, April 22, 2015

AWS RDS migration - Access denied; you need (at least one of) the SUPER privilege(s) for this operation

I had to migrate a small database from one AWS datacenter to a different data center. It was such a small database that I wasn't expecting any problems. When you setup an AWS RDS instance you choose a master password. Previously the people that set it up had chosen something that related to the app name. On the new AWS RDS setup, I wanted the master account to be "root". This was my first time setting up an RDS instances so I didn't really have any idea what the best practices were.

After everything was setup and all the port holes opened up for MySQL and such I started the import. I kept getting errors like this.

[ERROR in query ####] You do not have the SUPER privilege and binary logging is enabled (you *might* want to use the less safe log_bin_trust_function_creators variable)

My database had a number of triggers but there was no way to grant the super priv in AWS RDS.

After some searching I discovered that AWS RDS MySQL triggers are not enabled by default.

I found this answer on stack overflow and applied to my AWS instance:
http://stackoverflow.com/questions/8919907/can-i-create-trigger-in-an-rds-db

--- Copied Part Begins

First off it seems to be impossible to apply Super Privileges to default parameter group. So what I had to do was to create a new DB Parameter group either through the Console, or the CLI.

What I found was, the key is that the default region was not the region I was trying to use so I had to use a --region parameter to apply it to the group in the correct region where I was deploying my DB Instance

rds-create-db-parameter-group --db-parameter-group-name allow-triggers --description 'parameter group to allow triggers' --region your-region

Next I had to then create a DB Instance which used that parameter group. (Again through the console or CLI)

rds-create-db-instance

Then I had to modify the Parameter group to allow log_bin_trust_function_creators only accomplishable through the CLI

rds-modify-db-parameter-group --db-parameter-group-name yourgroupname --region yourRegion --parameters 'name=log_bin_trust_function_creators,value=true,method=immediate'

Lastly I had to modify the created DB Instance to allow triggers, also CLI only.

rds-modify-db-instance --db-instance-identifier your-db-instance-id --db-parameter-group-name allow-triggers --apply-immediately

--- Copied Part End

However, I still couldn't complete the import! I was so confused. Then I found this link:
https://www.percona.com/blog/2014/07/02/using-mysql-triggers-and-views-in-amazon-rds/

I learned that if you are creating triggers and setting the definer for triggers in AWS RDS MySQL, it can only be with the same user that is doing the import/creation of the triggers. The import will fail if you are logging in as "bob" and trying to make "root" the definer. You need to run the import as root if you want root to be the definer or you remove the syntax that assigns the definer and let it default to whatever user you are logging in with. If you try to assign the definer to a different user, you will get errors like this:

ERROR 1227 (42000) at line 875: Access denied; you need (at least one of) the SUPER privilege(s) for this operation


No comments:

Post a Comment