Best practices for temporarily enabling and disabling a MySQL user account?

Question

I have a MySQL user account that is used (only) as part of the deployment process to make changes to the database (add/drop tables and columns, etc). Because this user account has these high privileges, I want to keep it disabled most of the time, and only enable it when we are actually doing a deployment that involves database changes. What would be the best way to do this? Something in a couple stored procedures (proc_enable, proc_disable or similar) would be perfectly fine but I couldn't seem to find any best practices around this and MySQL doesn't seem to have an easy enable/disable toggle.

Answer 1

After experimenting with various methods, I went with setting the user's host field to something meaningless, then back to a valid value to re-enable the account when desired. This method is easily done through an admin tool or the mysql command prompt from an account with appropriate privileges, and doesn't require saving the password hash for later restore.

Answer 2

For MySQL versions 5.7.6 and later (and MariaDB 10.4.2 and later), user accounts can be locked and unlocked with the following commands:

ALTER USER 'user_name'@'host' ACCOUNT LOCK;
ALTER USER 'user_name'@'host' ACCOUNT UNLOCK;

When the account is locked, attempting to log in will result with the message:

Access denied for user 'user_name'@'host'.
Account is locked.

Sources:

• MySQL Account Locking
• MariaDB Account Locking

Answer 3

Set the user's password hash (in mysql.user.Password) to an invalid dummy value (e.g, "!") to disable the account, and set it back to the original value to reenable it.