Demystifying a select statement, the inside story of permission access control in MySQL

In the MySQL database, access control is actually made up of two major modules:
First: the user management module
Second: the user access action control module; the most common user access actions are DML and DDL

The user management module verifies whether a user may legally log in to the MySQL database, and the user access action control module controls which actions a legally logged-in user may perform.

Stated this way it is a little abstract, so let's look at the four tables in the mysql database that hold permissions and access control.

mysql.user
mysql.db
mysql.tables_priv
mysql.columns_priv

The user management module is driven by mysql.user, and the user access action control module is driven jointly by the three tables mysql.db, mysql.tables_priv and mysql.columns_priv.

The general process of authorization verification is as follows:

[Flowchart image: the general process of authorization verification]

Take the following select statement as an example:


select id,name
 from test.t4
 where status='delete'

The user needs to execute this select statement.
Step 1 of the whole process: the application first connects to the MySQL database. At connection time the host, user and password are verified; if they do not match, the connection is rejected, for example because of an incorrect username, an incorrect password, or because the account's host is restricted to a particular network segment (192.168.2.%) or to local login only (localhost).

Step 2: Verify whether there is select permission at the global level, that is, check Select_priv in the mysql.user table. If Select_priv is Y, no further verification is needed.


mysql> select * from mysql.user where user='abc'\G
*************************** 1. row ***************************
                  Host: %
                  User: abc
           Select_priv: N
           Insert_priv: N
           Update_priv: N
           Delete_priv: N
           Create_priv: N
             Drop_priv: N
           Reload_priv: N
         Shutdown_priv: N
          Process_priv: N
             File_priv: N
            Grant_priv: N
       References_priv: N
            Index_priv: N
            Alter_priv: N
          Show_db_priv: N
            Super_priv: N
 Create_tmp_table_priv: N
      Lock_tables_priv: N
          Execute_priv: N
       Repl_slave_priv: N
      Repl_client_priv: N
      Create_view_priv: N
        Show_view_priv: N
   Create_routine_priv: N
    Alter_routine_priv: N
      Create_user_priv: N
            Event_priv: N
          Trigger_priv: N
Create_tablespace_priv: N
              ssl_type:
            ssl_cipher:
           x509_issuer:
          x509_subject:
         max_questions: 0
           max_updates: 0
       max_connections: 0
  max_user_connections: 0
                plugin: mysql_native_password
 authentication_string: *0D3CED9BEC10A777AEC23CCC353A8C08A633045E
      password_expired: N
 password_last_changed: 2020-09-01 00:52:37
     password_lifetime: NULL
        account_locked: N
1 row in set (0.00 sec)

Step 3: Verify the select permission at the database level (mysql.db). If it is present, no further verification is needed.

mysql> select * from mysql.db where user='abc'\G
*************************** 1. row ***************************
                 Host: %
                   Db: test
                 User: abc
          Select_priv: Y
          Insert_priv: N
          Update_priv: N
          Delete_priv: N
          Create_priv: N
            Drop_priv: N
           Grant_priv: N
      References_priv: N
           Index_priv: N
           Alter_priv: N
Create_tmp_table_priv: N
     Lock_tables_priv: N
     Create_view_priv: N
       Show_view_priv: N
  Create_routine_priv: N
   Alter_routine_priv: N
         Execute_priv: N
           Event_priv: N
         Trigger_priv: N
1 row in set (0.00 sec)

Step 4: Verify the table-level permission (mysql.tables_priv). If it is present, no further verification is needed.


mysql> select * from mysql.tables_priv where user='abc'\G
*************************** 1. row ***************************
       Host: %
         Db: test
       User: abc
 Table_name: t4
    Grantor: root@localhost
  Timestamp: 0000-00-00 00:00:00
 Table_priv: Select
Column_priv:
1 row in set (0.00 sec)

Step 5: Verify the column-level permission (mysql.columns_priv). If it is present, no further verification is needed. Note that status is listed here as well as id and name, because the WHERE clause of the statement reads it.


mysql> select * from mysql.columns_priv;
+------+------+------+------------+-------------+---------------------+-------------+
| Host | Db   | User | Table_name | Column_name | Timestamp           | Column_priv |
+------+------+------+------------+-------------+---------------------+-------------+
| %    | test | abc  | t4         | id          | 0000-00-00 00:00:00 | Select      |
| %    | test | abc  | t4         | name        | 0000-00-00 00:00:00 | Select      |
| %    | test | abc  | t4         | status      | 0000-00-00 00:00:00 | Select      |
+------+------+------+------------+-------------+---------------------+-------------+
3 rows in set (0.00 sec)

If none of the above verifications pass, the select statement is rejected. The detailed flow is shown in the flowchart below.
[Flowchart image: detailed authorization verification flow for the select statement]
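The five steps above, walked in code as an added example that is not part of the original post and not MySQL's own implementation: a small Python model over constructed rows that mirror the four grant tables shown above for account abc@'%'. The row layouts, the `%`/`_` host matching, and the choice to model only the Select privilege are simplifications of mine; roles, proxy users, wildcards in the Db column of mysql.db and the in-memory ACL cache are left out. The scenarios strip one level at a time so you can see exactly which table decides the statement, including the case where the WHERE column is missing from mysql.columns_priv.

```python
"""Walk MySQL's grant tables in the order the post describes for a SELECT:
mysql.user (global) -> mysql.db -> mysql.tables_priv -> mysql.columns_priv.
Added illustration with constructed rows; not MySQL's own code.  It models
only the Select privilege and ignores roles, proxy users and the ACL cache."""

import copy


def host_matches(pattern: str, host: str) -> bool:
    """MySQL-style host comparison: '%' matches any run of characters,
    '_' matches exactly one, everything else matches literally.  An empty
    Host value is treated as '%', as MySQL does."""
    pattern = pattern or "%"

    def match(p: int, h: int) -> bool:
        if p == len(pattern):
            return h == len(host)
        if pattern[p] == "%":
            return any(match(p + 1, k) for k in range(h, len(host) + 1))
        if h < len(host) and pattern[p] in ("_", host[h]):
            return match(p + 1, h + 1)
        return False

    return match(0, 0)


def page_grant_tables() -> dict:
    """Constructed rows mirroring the four tables shown in the post for
    account abc@'%'.  Only the columns the check needs are kept."""
    return {
        "user": [{"Host": "%", "User": "abc", "Select_priv": "N"}],
        "db": [{"Host": "%", "Db": "test", "User": "abc", "Select_priv": "Y"}],
        "tables_priv": [{"Host": "%", "Db": "test", "User": "abc",
                         "Table_name": "t4", "Table_priv": {"Select"}}],
        "columns_priv": [{"Host": "%", "Db": "test", "User": "abc",
                          "Table_name": "t4", "Column_name": c,
                          "Column_priv": {"Select"}}
                         for c in ("id", "name", "status")],
    }


def _rows_for(rows: list, user: str, host: str) -> list:
    """Rows of one grant table that apply to this user connecting from host."""
    return [r for r in rows if r["User"] == user and host_matches(r["Host"], host)]


def check_select(tables: dict, user: str, host: str, db: str, table: str,
                 columns: list) -> tuple:
    """Return (allowed, reason); reason names the step that decided."""
    user_rows = _rows_for(tables["user"], user, host)
    if not user_rows:
        return False, "step 1: no mysql.user row matches user@host"
    if any(r["Select_priv"] == "Y" for r in user_rows):
        return True, "step 2: global Select_priv in mysql.user"
    if any(r["Db"] == db and r["Select_priv"] == "Y"
           for r in _rows_for(tables["db"], user, host)):
        return True, "step 3: database-level Select in mysql.db"
    if any(r["Db"] == db and r["Table_name"] == table and "Select" in r["Table_priv"]
           for r in _rows_for(tables["tables_priv"], user, host)):
        return True, "step 4: table-level Select in mysql.tables_priv"
    # Step 5: every column the statement touches (select list AND where
    # clause) needs its own row with Select in Column_priv.
    granted = {r["Column_name"]
               for r in _rows_for(tables["columns_priv"], user, host)
               if r["Db"] == db and r["Table_name"] == table
               and "Select" in r["Column_priv"]}
    missing = sorted(set(columns) - granted)
    if not missing:
        return True, "step 5: column-level Select in mysql.columns_priv"
    return False, "denied: no Select on column(s) " + ", ".join(missing)


# The post's statement reads id and name in the select list and status in
# the WHERE clause, so all three columns are subject to the check.
QUERY = dict(db="test", table="t4", columns=["id", "name", "status"])


def walk_scenarios() -> dict:
    """Strip one level at a time from the post's grant tables and record
    where each SELECT is decided.  Returns {scenario: (allowed, reason)}."""
    out = {}
    t = page_grant_tables()
    out["as on the page"] = check_select(t, "abc", "192.168.2.10", **QUERY)
    t = copy.deepcopy(t)
    t["db"] = []
    out["without mysql.db row"] = check_select(t, "abc", "192.168.2.10", **QUERY)
    t = copy.deepcopy(t)
    t["tables_priv"] = []
    out["column grants only"] = check_select(t, "abc", "192.168.2.10", **QUERY)
    t = copy.deepcopy(t)
    t["columns_priv"] = t["columns_priv"][:2]  # drop the status row
    out["status column not granted"] = check_select(t, "abc", "192.168.2.10", **QUERY)
    t = page_grant_tables()
    t["user"][0]["Host"] = "192.168.2.%"        # account limited to one segment
    out["host outside 192.168.2.%"] = check_select(t, "abc", "10.0.0.5", **QUERY)
    return out


if __name__ == "__main__":
    for name, (ok, why) in walk_scenarios().items():
        print(f"{'ALLOW' if ok else 'DENY ':5} {name:28} {why}")
```

Running it prints one line per scenario; with the rows exactly as shown in the post the walk stops at step 3, because abc has no global Select but does have Select on the whole test database. Removing that row pushes the decision down to the table grant, then to the column grants, and once the status row is gone the statement is denied even though id and name are still granted, which is the practical reason column-level grants are easy to get wrong.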

That is the inside story of MySQL permission access control.


Source: blog.51cto.com/15061930/2642090