Access denied FILE privilege running fetch_trap_info․sh in DX NetOps Spectrum
search cancel

Access denied FILE privilege running fetch_trap_info․sh in DX NetOps Spectrum

book

Article ID: 433422

calendar_today

Updated On:

Products

Network Observability Spectrum

Issue/Introduction

When you run the fetch_trap_info․sh script, you experience an access denied error indicating missing FILE privileges. ​​​​​‌‌‍‍

ERROR MESSAGE: "ERROR 1227 (42000) at line 1: Access denied; you need (at least one of) the FILE privilege(s) for this operation 02/27/26 01:08:12: Unable to execute the MySql command, verify MySql service is up and running".

 

SYMPTOMS:

  • The fetch_trap_info․sh script fails to execute

  • A MySQL access denied error appears in the command line output

CONTEXT: This issue occurs when running the script from the [SpectroSERVER] system in the MySQL bin directory

IMPACT: You are unable to update the TrapNameList․yaml file with newly added trap OIDs

Environment

DX NetOps Spectrum: 25.4.x

Cause

The MySQL root account does not have file-writing privileges and the secure_file_priv variable is set to NULL This configuration globally configures MySQL to refuse any INTO OUTFILE command.

Resolution

PREREQUISITES:

  • Access to the [SpectroSERVER] file system

  • Text editor to modify the script

     

STEPS:

  1. Open the $SPECROOT/mysql/bin/fetch_trap_info.sh script in a text editor.

  2. For Linux environments: Locate the following line (around line 24):

    Bash
     
    echo "select MIB_Trap_OID,MIB_Trap_Name from mibTraps INTO OUTFILE 'TrapNameList.yaml';" | ./mysql --defaults-file=../my-spectrum.cnf  $MYSQL_LOGIN -Dmibtools

     

    Replace it with:

    Bash
     
    echo "select MIB_Trap_OID,MIB_Trap_Name from mibTraps;" | ./mysql --defaults-file=../my-spectrum.cnf $MYSQL_LOGIN -Dmibtools -s -N > ../data/mibtools/TrapNameList.yaml

     

  3. For Windows environments: Locate the following line (around line 37):

    Bash
     
    echo "select MIB_Trap_OID,MIB_Trap_Name from mibtraps INTO OUTFILE 'TrapNameList.yaml';" | ./mysql.exe $MYSQL_LOGIN -Dmibtools

     

    Replace it with:

    Bash
     
    echo "select MIB_Trap_OID,MIB_Trap_Name from mibtraps;" | ./mysql.exe $MYSQL_LOGIN -Dmibtools -s -N > ../data/mibtools/TrapNameList.yaml

     

    (Note: The -s and -N flags ensure the output is tab-separated and lacks column headers, which identically mimics the behavior of INTO OUTFILE so the rest of the script continues to work correctly.)

  4. Save the file and execute fetch_trap_info.sh again.

 

EXPECTED: The script completes successfully and updates the TrapNameList․yaml file

 

VERIFY SUCCESS:

  • The TrapNameList․yaml file is successfully created or updated in the mibtools data directory

  • The file contains the expected trap OIDs

 

KNOWN LIMITATIONS:

  • The workaround bypasses the database privilege requirement by using standard bash output redirection

PREVENTION: Use output redirection instead of SQL INTO OUTFILE commands in scripts interacting with the locked down MySQL database

Additional Information

How to fix it (The DBA Workaround)

Since your root user has UPDATE privileges on *.* (the entire database), we can bypass the GRANT command entirely and directly edit MySQL's underlying user permissions table.

Log back into your interactive MySQL prompt (exactly how you did to run those SHOW GRANTS commands), and run these three commands one by one:

1. Switch to the system database:

SQL
 
USE mysql

2. Manually flip the FILE privilege switch to "Yes" for the root user:

SQL
 
UPDATE user SET File_priv = 'Y' WHERE User = 'root' AND Host = 'localhost';

3. Reload the permissions into memory so it takes effect immediately:

SQL
 
FLUSH PRIVILEGES;

Once you do that, you can run SHOW GRANTS FOR 'root'@'localhost'; one more time. You will now see FILE listed right at the beginning of that big block of privileges.

Exit MySQL, run your original .sh script, and the INTO OUTFILE command will work perfectly!

 

===========================

 

When secure-file-priv is set to NULL, it explicitly tells the MySQL server, "Do not allow ANY user to read or write files to the operating system, regardless of their privileges." To allow your INTO OUTFILE command to write to /tmp, you have to modify that configuration file and restart the database.

How to fix it:

1. Edit the Configuration File Open your configuration file using a text editor (like vi or nano):

Bash
 
vi $SPECROOT/mysql/my-spectrum.cnf

Find the line that says secure-file-priv=NULL and change it to specifically allow writes to the /tmp directory:

secure-file-priv="/tmp"

(Alternatively, you can set it to secure-file-priv="" which disables the check entirely and allows writes anywhere, but setting it to "/tmp" is much safer).

 

2. Restart the MySQL Service Configuration changes in my-spectrum.cnf do not take effect until the MySQL service is restarted.

Because this is a CA/Broadcom Spectrum environment, you will need to restart the MySQL database using Spectrum's process manager (or standard OS commands, depending on your version).

Typically, you can do this by navigating to your Spectrum bin directory:

From your $SPECROOT/bin directory, send the stop signal via cmdC:

Bash
./cmdC localhost 2 MYSQL

 

Launch the database application using the specific start script:

Bash
./launchinstdbapp localhost MYSQL y MYSQL.OUT

 

Powered by Wolken Software