mysql8[(none)]>show grants for 'app_dev';
+-------------------------------------+
| Grants for app_dev@%                |
+-------------------------------------+
| GRANT USAGE ON *.* TO `app_dev`@`%` |
+-------------------------------------+
mysql8[(none)]>select * from mysql.user;

(output abridged: every *_priv column is N for app_dev, app_read and app_write; the ssl_* columns are empty and the max_* limits are 0; Create_role_priv and Drop_role_priv are N and the Password_reuse_* columns are NULL)

+------+-----------+-----------------------+-----------------------+------------------+-----------------------+----------------+
| Host | User      | plugin                | authentication_string | password_expired | password_last_changed | account_locked |
+------+-----------+-----------------------+-----------------------+------------------+-----------------------+----------------+
| %    | app_dev   | caching_sha2_password |                       | Y                | 2018-06-14 11:27:35   | Y              |
| %    | app_read  | caching_sha2_password |                       | Y                | 2018-06-14 11:27:35   | Y              |
| %    | app_write | caching_sha2_password |                       | Y                | 2018-06-14 11:27:35   | Y              |
+------+-----------+-----------------------+-----------------------+------------------+-----------------------+----------------+

The listing in the original is cut off partway through the next row, the `repl`@`%` account, of which only the privilege columns are visible (Repl_slave_priv = Y, everything else N).

Note what the three role rows look like: a role is an ordinary row in mysql.user, created with an empty authentication_string, password_expired = Y and account_locked = Y, so nobody can log in as it. That locked state is what separates a role from a login account.
mysql8[(none)]>grant select, insert, update, delete on test.* to app_dev;
Query OK, 0 rows affected (0.02 sec)

mysql8[(none)]>grant select on test.* to app_read;
Query OK, 0 rows affected (0.10 sec)

mysql8[(none)]>show grants for app_read;
+--------------------------------------------+
| Grants for app_read@%                      |
+--------------------------------------------+
| GRANT USAGE ON *.* TO `app_read`@`%`       |
| GRANT SELECT ON `test`.* TO `app_read`@`%` |
+--------------------------------------------+
2 rows in set (0.00 sec)

mysql8[(none)]>show grants for app_dev;
+-------------------------------------------------------------------+
| Grants for app_dev@%                                              |
+-------------------------------------------------------------------+
| GRANT USAGE ON *.* TO `app_dev`@`%`                               |
| GRANT SELECT, INSERT, UPDATE, DELETE ON `test`.* TO `app_dev`@`%` |
+-------------------------------------------------------------------+
After the grants, each role holds the privileges intended for it.
Granting roles to accounts
Next, create the actual login accounts and grant each one the role it needs (for the developer account below, GRANT app_dev TO dev01; the grant statement itself is not shown in the transcript, but its effect is visible in SHOW GRANTS).
mysql8[(none)]>create user dev01 identified with mysql_native_password by 'dev01';
Query OK, 0 rows affected (0.04 sec)

mysql8[(none)]>show grants for dev01;
+------------------------------------+
| Grants for dev01@%                 |
+------------------------------------+
| GRANT USAGE ON *.* TO `dev01`@`%`  |
| GRANT `app_dev`@`%` TO `dev01`@`%` |
+------------------------------------+

mysql8[(none)]>show grants for dev01 using app_dev;
+-----------------------------------------------------------------+
| Grants for dev01@%                                              |
+-----------------------------------------------------------------+
| GRANT USAGE ON *.* TO `dev01`@`%`                               |
| GRANT SELECT, INSERT, UPDATE, DELETE ON `test`.* TO `dev01`@`%` |
| GRANT `app_dev`@`%` TO `dev01`@`%`                              |
+-----------------------------------------------------------------+
With USING app_dev, SHOW GRANTS lists the account's own privileges together with the ones it inherits from that role; without USING, only the role grant itself is listed.
Now add the CREATE privilege to the app_dev role:
mysql8[(none)]>grant create on test.* to app_dev;
Query OK, 0 rows affected (0.10 sec)

mysql8[(none)]>show grants for dev01 using app_dev;
+-------------------------------------------------------------------------+
| Grants for dev01@%                                                      |
+-------------------------------------------------------------------------+
| GRANT USAGE ON *.* TO `dev01`@`%`                                       |
| GRANT SELECT, INSERT, UPDATE, DELETE, CREATE ON `test`.* TO `dev01`@`%` |
| GRANT `app_dev`@`%` TO `dev01`@`%`                                      |
+-------------------------------------------------------------------------+
3 rows in set (0.00 sec)
Once the privilege is added to the role, the dev01 account has CREATE as well, without any change to the account itself. This is the point of roles: privileges are managed in one place and every account holding the role follows.
Activating roles
The sequence above looks complete and the dev01 account appears ready to use, but it is not yet! Log in as dev01:
mysql> show grants for dev01 using app_dev;
+-------------------------------------------------------------------------+
| Grants for dev01@%                                                      |
+-------------------------------------------------------------------------+
| GRANT USAGE ON *.* TO `dev01`@`%`                                       |
| GRANT SELECT, INSERT, UPDATE, DELETE, CREATE ON `test`.* TO `dev01`@`%` |
| GRANT `app_dev`@`%` TO `dev01`@`%`                                      |
+-------------------------------------------------------------------------+
3 rows in set (0.00 sec)

mysql> show databases;
+--------------------+
| Database           |
+--------------------+
| information_schema |
+--------------------+
1 row in set (0.01 sec)
The grants are there, yet the test database is not visible and nothing can be executed. Why? The role has not been activated. In MySQL 8 a granted role confers nothing until it is active in the session, and by default no role is active at login:
mysql> select current_role();
+----------------+
| current_role() |
+----------------+
| NONE           |
+----------------+
1 row in set (0.00 sec)

Back in the administrator session:

mysql8[(none)]>show global variables like 'activate_all_roles_on_login';
+-----------------------------+-------+
| Variable_name               | Value |
+-----------------------------+-------+
| activate_all_roles_on_login | OFF   |
+-----------------------------+-------+
1 row in set (0.01 sec)

mysql8[(none)]>set global activate_all_roles_on_login=ON;
Query OK, 0 rows affected (0.00 sec)
Setting activate_all_roles_on_login to ON makes every granted role active at login. Three caveats: it is a global server setting, so it applies to every account, not just dev01; it only affects new connections, so the dev01 session above still reports NONE until it reconnects; and SET GLOBAL is lost on restart unless the value is also persisted (SET PERSIST) or written to my.cnf. If an account should only ever run with a specific subset of its roles, SET DEFAULT ROLE for that account (or SET ROLE inside the session) is the narrower, least-privilege choice.
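The per-account alternatives, as an added example that is not part of the original post. It reuses the app_dev role and dev01 account from above and repeats the role grant so it can be run on its own; the administrator statements and the dev01-session statements are marked in the comments.

```sql
-- Added example (not from the original post): activating roles per account
-- instead of globally. Role and account names are the ones used above.

-- Administrator session. Repeated here so the block stands alone.
GRANT `app_dev`@`%` TO `dev01`@`%`;

-- Make app_dev active automatically whenever dev01 logs in. This is stored
-- in mysql.default_roles and affects only this account, unlike
-- activate_all_roles_on_login, which applies to every account on the server.
SET DEFAULT ROLE `app_dev`@`%` TO `dev01`@`%`;

-- Or make every role the account has been granted a default role:
-- SET DEFAULT ROLE ALL TO `dev01`@`%`;

-- If the global switch is wanted anyway, persist it; SET GLOBAL alone
-- does not survive a server restart.
-- SET PERSIST activate_all_roles_on_login = ON;

-- dev01 session (a new connection, opened after the statements above).
SELECT CURRENT_ROLE();          -- `app_dev`@`%` once the default role is set

-- Within a session the account can switch among its granted roles; it can
-- never activate a role it has not been granted.
SET ROLE NONE;                  -- drop every privilege that came from roles
SET ROLE `app_dev`@`%`;         -- activate just this role
SET ROLE ALL;                   -- activate all granted roles
SELECT CURRENT_ROLE();

-- Administrator session: the two tables that record the role graph and
-- the per-account defaults.
SELECT * FROM mysql.role_edges;
SELECT * FROM mysql.default_roles;
```

SET DEFAULT ROLE is the setting to reach for in an application environment: the connection pool gets exactly the role it was provisioned with, and no unrelated role that happens to be granted to the same account becomes active because a server-wide switch was flipped.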
mysql8[(none)]>create user query identified with mysql_native_password by 'query';
Query OK, 0 rows affected (0.04 sec)

mysql8[(none)]>show grants for query using app_read;
+-----------------------------------------+
| Grants for query@%                      |
+-----------------------------------------+
| GRANT USAGE ON *.* TO `query`@`%`       |
| GRANT SELECT ON `test`.* TO `query`@`%` |
| GRANT `app_read`@`%` TO `query`@`%`     |
+-----------------------------------------+
3 rows in set (0.00 sec)

Then log in as query on a new connection:

mysql> show databases;
+--------------------+
| Database           |
+--------------------+
| information_schema |
| test               |
+--------------------+
2 rows in set (0.00 sec)

mysql> select current_user();
+----------------+
| current_user() |
+----------------+
| query@%        |
+----------------+
1 row in set (0.00 sec)

mysql> select current_role();
+----------------+
| current_role() |
+----------------+
| `app_read`@`%` |
+----------------+
1 row in set (0.00 sec)
The role is now active at login, and the test database is visible.
Using roles and accounts interchangeably
In the privilege system a role is just a locked account, so the reverse also works: an ordinary account can be granted to other accounts as if it were a role, and they inherit its privileges. The following example is from the MySQL official documentation:
CREATE USER 'u1';
CREATE ROLE 'r1';
GRANT SELECT ON db1.* TO 'u1';
GRANT SELECT ON db2.* TO 'r1';
CREATE USER 'u2';
CREATE ROLE 'r2';
GRANT 'u1', 'r1' TO 'u2';
GRANT 'u1', 'r1' TO 'r2';
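The interchangeability cuts both ways: when a login account is used as a role, anyone who can authenticate as that account also holds everything its grantees hold, and in the snippet above u1 is created without any IDENTIFIED BY clause, so it is an unlocked account with no password. The queries below, an added example that is not part of the documentation or of the original post, expand the effective privileges of the grantees and then walk mysql.role_edges to find "roles" that are really loginable accounts. They assume the eight statements above have been run and that the reader has SELECT on the mysql schema.

```sql
-- Added example (not from the MySQL documentation or the original post):
-- auditing the role graph created by the eight statements above.

-- Effective privileges: USING names the granted roles/accounts to expand.
SHOW GRANTS FOR 'u2' USING 'u1', 'r1';   -- SELECT on db1.* and db2.* via u1 and r1
SHOW GRANTS FOR 'r2' USING 'u1', 'r1';

-- Every role or account grant, and who may grant it onward.
SELECT FROM_USER AS granted, FROM_HOST, TO_USER AS grantee, TO_HOST, WITH_ADMIN_OPTION
FROM mysql.role_edges
ORDER BY FROM_USER, TO_USER;

-- Anything on the FROM side of role_edges acts as a role. If its mysql.user
-- row is not locked it is also a login account, and a compromise of that
-- account's credentials reaches every grantee. In this graph u1 is such a
-- row (CREATE USER leaves it unlocked, and here with no password); r1 is
-- locked because CREATE ROLE created it.
SELECT u.User, u.Host, u.account_locked, u.plugin,
       u.authentication_string <> '' AS has_credential,
       COUNT(*) AS grantees
FROM mysql.user u
JOIN mysql.role_edges e
  ON e.FROM_USER = u.User AND e.FROM_HOST = u.Host
WHERE u.account_locked = 'N'
GROUP BY u.User, u.Host;

-- Remediation: stop using the login account as a role and grant a real role
-- in its place (or lock the account if it is not meant to log in at all).
REVOKE 'u1' FROM 'u2';
REVOKE 'u1' FROM 'r2';
CREATE ROLE 'r_db1';
GRANT SELECT ON db1.* TO 'r_db1';
GRANT 'r_db1' TO 'u2', 'r2';
-- ALTER USER 'u1' ACCOUNT LOCK;   -- if u1 should only ever act as a role
```

The role names r_db1 is a hypothetical name chosen for the example. The audit query is worth running periodically on any server that uses roles: a row in its output is an account that someone can authenticate as and whose privileges are inherited by others, which is exactly the situation role separation is meant to avoid.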