Earlier we gave a complete introduction to the performance_schema, sys and information_schema system libraries. Starting today we open the "All-round understanding of the mysql system library" series, which covers the last of the MySQL system libraries. The help information tables of the mysql system library were already introduced in the article "Do you really use MySQL's help command?". In the following articles we will cover the mysql system library comprehensively. Let's start the learning journey of the mysql system library.
The MySQL access privilege system consists of the following tables:
user: contains user accounts, global privileges and other non-privilege columns (security configuration option columns and resource control option columns)
db: database-level privilege table
tables_priv: table-level privilege table
columns_priv: column-level privilege table
procs_priv: stored procedure and function privilege table
proxies_priv: proxy user privilege table
PS:
To change the content of the privilege tables, use account-management statements (such as CREATE USER, GRANT, REVOKE, etc.), which modify the privilege tables indirectly. Modifying the privilege tables directly with DML statements is not recommended; if you do so, you do it at your own risk.
The following content is organized mainly for MySQL 5.7.
1、user
This table provides global privilege information. The account password information in this table determines whether a client is allowed to connect during the first authentication stage (the authentication stages are introduced in the next issue). For a connection that passes the account/password authentication stage, if it also passes the privilege check against the user table, the user holds global privileges: the privilege information recorded in this table represents whether the user has the corresponding global privilege on all databases in the instance.
Note: if any privilege column in the user table is Y, the user is considered to hold a global privilege, so the user can list all database names with SHOW DATABASES or by querying the schemata table of information_schema.
The following is the content of the information stored in the table
root@localhost : mysql 12:51:40> select * from mysql.user limit 1\G;
*************************** 1. row ***************************
Host: %
User: qfsys
Select_priv: Y
Insert_priv: N
Update_priv: N
Delete_priv: N
Create_priv: N
Drop_priv: N
Reload_priv: Y
Shutdown_priv: Y
Process_priv: Y
File_priv: Y
Grant_priv: N
References_priv: N
Index_priv: N
Alter_priv: N
Show_db_priv: N
Super_priv: Y
Create_tmp_table_priv: N
Lock_tables_priv: Y
Execute_priv: N
Repl_slave_priv: Y
Repl_client_priv: Y
Create_view_priv: N
Show_view_priv: N
Create_routine_priv: N
Alter_routine_priv: N
Create_user_priv: N
Event_priv: N
Trigger_priv: N
Create_tablespace_priv: N
ssl_type:
ssl_cipher:
x509_issuer:
x509_subject:
max_questions: 0
max_updates: 0
max_connections: 0
max_user_connections: 0
plugin: mysql_native_password
authentication_string: *3B3D7D2FD587C29C730F36CD52B4BA8CCF4C744F
password_expired: N
password_last_changed: 2017-07-01 14:37:32
password_lifetime: NULL
account_locked: N
1 row in set (0.00 sec)
Table field meaning:
The host and user columns are officially called scope columns. Together these two fields define which clients are allowed to connect and which database resources they can access (there is no db field like in the db table to limit the scope to one database; the scope is every database in the instance).
* host: the host from which the user is allowed to access the database; wildcards and DNS names can be used
* user: user name
Privilege columns: the columns from Select_priv to Create_tablespace_priv inclusive are officially called the privilege columns. Each column corresponds to one specific privilege; Y means the privilege is granted, N means it is not.
The following are officially called security columns; they relate to secure, encrypted communication between the client and the server
* ssl_type: if the user is configured to use an encrypted SSL connection, this field records the type of encryption certificate the user is required to use
* ssl_cipher: the list of ciphers that may be used in the SSL connection handshake
* x509_issuer: x509 certificate related field
* x509_subject: x509 certificate related field
* plugin: the name of the password authentication plugin used by the user
* authentication_string: md5-encrypted string representing the user's password
* password_expired: indicates whether the user's password has expired; Y means the password has expired, N means it has not
* password_last_changed: the time the user's password was last changed. If the account uses a built-in MySQL authentication plugin (mysql_native_password or sha256_password) the field is non-empty; if an external authentication plugin is used the field is empty. With a built-in plugin, the field is initially set to the time the account was created or its password was changed by CREATE USER, ALTER USER, SET PASSWORD or GRANT
* password_lifetime: if the password_expired field is Y, this field records the number of days remaining before the user's password expires. A value of N means the user must change the password every N days. If no value is set for the user individually, the value of the global system variable default_password_lifetime is used instead. When the field is NULL and default_password_lifetime is 0, or when the field value is 0, the user's password never expires
* account_locked: whether the account is currently locked or active
The following columns are officially called resource control columns; they restrict the user's access to resources
* max_questions: the maximum number of concurrent queries per hour for all users
* max_updates: the maximum number of concurrent updates per hour for all users
* max_connections: the maximum number of concurrent connections per hour for all users
* max_user_connections: the maximum number of concurrent connections per hour for the user in this row
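As an added example (not part of the original article), the following read-only audit queries pull the security-relevant columns of mysql.user described above on a MySQL 5.7 instance; the account 'qfsys'@'%' in the final comment is the one shown in the output above, everything else is generic.

```sql
-- Added audit queries against mysql.user (MySQL 5.7). Read-only: they SELECT from the
-- grant table and never modify it; changes go through GRANT/REVOKE as the article advises.

-- 1. Accounts holding global privileges that confer control of the whole instance.
--    Any Y in these columns applies to every database in the instance.
SELECT User, Host,
       Super_priv, File_priv, Grant_priv, Create_user_priv,
       Process_priv, Shutdown_priv, Reload_priv
FROM mysql.user
WHERE 'Y' IN (Super_priv, File_priv, Grant_priv, Create_user_priv)
ORDER BY User, Host;

-- 2. Accounts reachable from any host (wildcard in the scope column) or with an
--    empty authentication_string (no password stored).
SELECT User, Host, plugin, (authentication_string = '') AS no_password
FROM mysql.user
WHERE Host = '%' OR authentication_string = '';

-- 3. Password lifecycle per account: expired flag, last change, the lifetime that is
--    actually in effect (NULL falls back to default_password_lifetime; 0 = never
--    expires) and the lock state.
SELECT User, Host, password_expired, password_last_changed,
       COALESCE(password_lifetime, @@global.default_password_lifetime) AS effective_lifetime_days,
       account_locked
FROM mysql.user
ORDER BY password_last_changed;

-- 4. Resource control columns that are set (0 means unlimited for that column).
SELECT User, Host, max_questions, max_updates, max_connections, max_user_connections
FROM mysql.user
WHERE max_questions + max_updates + max_connections + max_user_connections > 0;

-- Remediation is done with account-management statements, never with UPDATE on
-- the table, for example to drop the FILE privilege from the account shown above:
-- REVOKE FILE ON *.* FROM 'qfsys'@'%';
```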
2、db
This table provides database-level object privilege information. The privilege information recorded in this table represents whether a user can use these privileges to access all objects (tables or stored procedures) in a given database.
The following is the content of the information stored in the table
root@localhost : mysql 12:53:28> select * from db limit 1\G;
*************************** 1. row ***************************
Host: localhost
Db: performance_schema
User: mysql.session
Select_priv: Y
Insert_priv: N
Update_priv: N
Delete_priv: N
Create_priv: N
Drop_priv: N
Grant_priv: N
References_priv: N
Index_priv: N
Alter_priv: N
Create_tmp_table_priv: N
Lock_tables_priv: N
Create_view_priv: N
Show_view_priv: N
Create_routine_priv: N
Alter_routine_priv: N
Execute_priv: N
Event_priv: N
Trigger_priv: N
1 row in set (0.00 sec)
Table field meaning:
The three columns host, db and user are officially called scope columns. Together these fields define which clients are allowed to connect and which database resources they can access.
* host: same meaning as the host field of the user table
* db: the database to which this privilege record applies
* user: same meaning as the user field of the user table
* xxx_priv: same meaning as the xxx_priv fields of the user table. Each field corresponds to one privilege; Y means granted, N means not granted.
* Compared with the user table, the db table lacks Reload_priv, Shutdown_priv, Process_priv, File_priv, Show_db_priv, Super_priv, Repl_slave_priv, Repl_client_priv, Create_user_priv, Create_tablespace_priv and similar fields, because the privileges corresponding to these fields are global in scope and are not distinguished at the database or table level.
3、tables_priv
This table provides table-level privilege information, similar to the db table but with finer granularity. The privilege information recorded in tables_priv represents whether a user can use these privileges to access all columns of a table.
The following is the content of the information stored in the table
root@localhost : mysql 12:54:14> select * from tables_priv;
+-----------+--------+---------------+------------+----------------+---------------------+----------------------------------------------------------------------------------------------+----------------------+
| Host | Db | User | Table_name | Grantor | Timestamp | Table_priv | Column_priv |
+-----------+--------+---------------+------------+----------------+---------------------+----------------------------------------------------------------------------------------------+----------------------+
| localhost | sys | mysql.sys | sys_config | root@localhost | 2017-07-01 14:31:32 | Select | |
| localhost | mysql | mysql.session | user | root@localhost | 2017-12-11 23:41:19 | Select | |
| % | sbtest | xx | sbtest1 | root@localhost | 0000-00-00 00:00:00 | | Select,Insert,Update |
| % | sbtest | test_table | sbtest1 | root@localhost | 0000-00-00 00:00:00 | Select,Insert,Update,Delete,Create,Drop,References,Index,Alter,Create View,Show view,Trigger | |
+-----------+--------+---------------+------------+----------------+---------------------+----------------------------------------------------------------------------------------------+----------------------+
4 rows in set (0.00 sec)
Table field meaning:
The four columns host, db, user and Table_name are officially called scope columns. Together these fields define which clients are allowed to connect and which table objects they can access.
Table_priv and Column_priv are officially called privilege columns and correspond to table-level and column-level privileges respectively. Note that these two columns differ from the privilege columns of the user and db tables: they are SET types that hold a collection of table-level or column-level privileges, rather than each column corresponding to one specific privilege. Table_priv corresponds to the table-level 'Select', 'Insert', 'Update', 'Delete', 'Create', 'Drop', 'Grant', 'References', 'Index', 'Alter', 'Create View', 'Show view' and 'Trigger' privileges; Column_priv corresponds to the column-level 'Select', 'Insert', 'Update' and 'References' privileges.
Other fields:
* Grantor: who granted the privileges recorded in this row, i.e. the value returned by the current_user function (in account form) when the privileges were granted
* Timestamp: the time at which Grantor granted the privileges
4、columns_priv
This table provides column-level privilege information, similar to the db table but with finer granularity. The privilege information recorded in columns_priv represents whether a user can use these privileges to access the specified columns of a table.
The following is the content of the information stored in the table
root@localhost : mysql 12:55:13> select * from columns_priv;
+------+--------+------+------------+-------------+---------------------+----------------------+
| Host | Db | User | Table_name | Column_name | Timestamp | Column_priv |
+------+--------+------+------------+-------------+---------------------+----------------------+
| % | sbtest | xx | sbtest1 | id | 0000-00-00 00:00:00 | Select,Insert,Update |
+------+--------+------+------------+-------------+---------------------+----------------------+
1 row in set (0.00 sec)
Table field meaning:
The five columns host, db, user, Table_name and Column_name are officially called scope columns. Together these fields define which clients are allowed to connect and which column objects they can access.
Column_priv is officially called the privilege column and has the same meaning as the Column_priv column of the tables_priv table. It is also a set, corresponding to the column-level 'Select', 'Insert', 'Update' and 'References' privileges.
Other fields:
* Timestamp: same meaning as the Timestamp column of the tables_priv table
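The SET-typed privilege columns of tables_priv and columns_priv described in the two sections above are easiest to understand by watching one column-level GRANT land in both tables. This is an added example, not from the original article; the account 'app_ro'@'%' is constructed, and the table sbtest.sbtest1 with columns id and k is assumed to exist (the page only shows column id).

```sql
-- Added example (MySQL 5.7): how a column-level GRANT is recorded, and how to query
-- SET-typed privilege columns. Account name is constructed; sbtest.sbtest1(id, k) assumed.
CREATE USER IF NOT EXISTS 'app_ro'@'%' IDENTIFIED BY 'replace-me';

-- Column-level SELECT on two columns; no table-wide privilege is granted.
GRANT SELECT (id, k) ON sbtest.sbtest1 TO 'app_ro'@'%';

-- tables_priv gets ONE row for the table. Table_priv stays empty, and Column_priv
-- summarises which kinds of column-level privilege exist on the table (here: Select),
-- exactly like the 'xx' row in the article's output.
SELECT Host, Db, User, Table_name, Table_priv, Column_priv
FROM mysql.tables_priv
WHERE Db = 'sbtest' AND User = 'app_ro';

-- columns_priv gets one row PER COLUMN, each carrying its own Column_priv set.
SELECT Host, Db, User, Table_name, Column_name, Column_priv
FROM mysql.columns_priv
WHERE Db = 'sbtest' AND User = 'app_ro';

-- Because these columns are SETs, test membership with FIND_IN_SET rather than
-- equality. Example: every column grant that permits writing to the column.
SELECT Host, Db, User, Table_name, Column_name, Column_priv
FROM mysql.columns_priv
WHERE FIND_IN_SET('Insert', Column_priv) OR FIND_IN_SET('Update', Column_priv);

-- The same test on tables_priv.Table_priv: table-level grants that include 'Grant',
-- i.e. accounts able to pass their table privileges on to others.
SELECT Host, Db, User, Table_name, Table_priv, Grantor, Timestamp
FROM mysql.tables_priv
WHERE FIND_IN_SET('Grant', Table_priv);

-- Clean up the illustration (through account-management statements, not DML).
REVOKE SELECT (id, k) ON sbtest.sbtest1 FROM 'app_ro'@'%';
DROP USER 'app_ro'@'%';
```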
5、procs_priv
This table provides privilege information for stored routines. The privilege information recorded in the table represents whether a user can use these privileges to access the specified stored routines (stored procedures and functions).
Table field meaning:
The five columns host, db, user, Routine_name and Routine_type are officially called scope columns. Together these fields define which clients are allowed to connect and which stored routine objects they can access.
Proc_priv is officially called the privilege column. It is also a set type, representing the 'Execute', 'Alter Routine' and 'Grant' privileges on the stored routine.
Other columns:
* Timestamp: same meaning as the Timestamp field of the tables_priv table
* Grantor: same meaning as the Grantor field of the tables_priv table
PS: The privilege data in this table is empty, and no method has been found to populate it.
6、proxies_priv
This table provides proxy user privilege information. The privilege information recorded in this table represents which users a given user can act as a proxy for, and whether that user can grant the PROXY privilege to other users.
If a user needs to grant its PROXY privilege to other accounts, it must have a row in this table and the With_grant field of that row must be 1.
The following is the content of the information stored in the table
root@localhost : mysql 12:58:16> select * from proxies_priv;
+-----------+------+--------------+--------------+------------+----------------------+---------------------+
| Host | User | Proxied_host | Proxied_user | With_grant | Grantor | Timestamp |
+-----------+------+--------------+--------------+------------+----------------------+---------------------+
| localhost | root | | | 1 | boot@connecting host | 0000-00-00 00:00:00 |
+-----------+------+--------------+--------------+------------+----------------------+---------------------+
1 row in set (0.00 sec)
Table field meaning:
The host and user fields have the same meaning as in the other privilege tables above.
Proxied_host and Proxied_user represent the proxied account, i.e. the account on which the PROXY privilege is granted (its host and user strings).
The other columns have the same meaning as in tables_priv.
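An added example (not from the original article) that shows how the With_grant column described above is populated by GRANT PROXY with and without WITH GRANT OPTION, and an audit query for delegation rights. The three accounts are constructed; the ''@'' proxied account in the initial root row (see the output above) is the documented wildcard meaning root may proxy as any user.

```sql
-- Added example (MySQL 5.7): GRANT PROXY and what proxies_priv records.
-- Accounts are constructed for illustration.
CREATE USER IF NOT EXISTS 'app_role'@'localhost';
CREATE USER IF NOT EXISTS 'proxy_a'@'localhost' IDENTIFIED BY 'replace-me';
CREATE USER IF NOT EXISTS 'proxy_b'@'localhost' IDENTIFIED BY 'replace-me';

-- proxy_a may act as app_role AND pass that right on  -> With_grant = 1
-- proxy_b may act as app_role but cannot delegate it  -> With_grant = 0
GRANT PROXY ON 'app_role'@'localhost' TO 'proxy_a'@'localhost' WITH GRANT OPTION;
GRANT PROXY ON 'app_role'@'localhost' TO 'proxy_b'@'localhost';

-- Host/User = the proxy account, Proxied_host/Proxied_user = the proxied account,
-- Grantor = CURRENT_USER() of the session that ran the GRANT.
SELECT Host, User, Proxied_host, Proxied_user, With_grant, Grantor, Timestamp
FROM mysql.proxies_priv
WHERE Proxied_user = 'app_role';

-- Audit: every account that can delegate proxy rights. A row whose Proxied_host and
-- Proxied_user are both empty (the default root@localhost row) means that account
-- can proxy as any user, so such rows deserve the closest review.
SELECT Host, User, Proxied_host, Proxied_user,
       (Proxied_host = '' AND Proxied_user = '') AS proxies_any_user
FROM mysql.proxies_priv
WHERE With_grant = 1;

-- Clean up the illustration.
REVOKE PROXY ON 'app_role'@'localhost' FROM 'proxy_a'@'localhost', 'proxy_b'@'localhost';
DROP USER 'app_role'@'localhost', 'proxy_a'@'localhost', 'proxy_b'@'localhost';
```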
Note: some fields in the privilege tables have storage length limits, as follows:
Host, Proxied_host: limited to 60 characters
User, Proxied_user: limited to 32 characters
Password: limited to 41 characters
Db: limited to 64 characters
Table_name: limited to 64 characters
Column_name: limited to 64 characters
Routine_name: limited to 64 characters
That concludes the content of this issue. The reference link for this issue is as follows:
https://dev.mysql.com/doc/refman/5.7/en/grant-tables.html
About the author
Luo Xiaobo, ScaleFlux database technology expert
Co-author of "A Thousand Gold Recipes: MySQL Performance Optimization Pyramid Rule" and "Data Ecology: MySQL Replication Technology and Production Practice".
Familiar with MySQL architecture and skilled in overall database tuning; enjoys researching and promoting open-source technology, has given many public database talks online and offline, and has published nearly 100 database-related research articles.
Enjoy MySQL :)