Mycat security settings

Permission configuration

1. Permission control with the user tag

At present, Mycat does not apply elaborate access control to middleware connections; it controls only read and write permissions at the level of the middleware's logical database (schema). This is configured through the user tag of server.xml.
//Configure the user's password and other information in the user section of the server.xml file

2. Permission control with the privileges tag

The privileges tag under the user tag performs fine-grained DML permission control on a logical database (schema) and its tables (table).

The check attribute of the privileges tag enables permission checking when true and disables it when false; the default is false. Because the schemas attribute of a Mycat user can list several logical databases (schema), the privileges tag can likewise contain several schema child nodes, so fine-grained DML permission control can be applied across multiple databases and multiple tables.

//All permissions are prohibited for the t1 table

 <user name="mycat" defaultAccount="true">   <!-- settings for the mycat user -->
                <property name="password">123456</property>
                <property name="schemas">TESTDB</property>
                <property name="defaultSchema">TESTDB</property>
                <!-- Before a "No MyCAT Database selected" error is raised, this schema is tried as the current schema; if it is not set it is null and the error is reported -->

                <!-- Table-level DML permission settings -->

                <privileges check="true">
                        <schema name="TESTDB" dml="1111" >  <!-- all permissions on the TESTDB logical database -->
                                <table name="t1" dml="0000"></table>  <!-- the t1 table has no permissions at all -->
                        </schema>
                </privileges>

        </user>

!Restart mycat
//Log in to Mycat to test

mysql -umycat -p123456 -P 8066 -h192.168.1.61

mysql> use TESTDB;

mysql> select * from t1;
ERROR 3012 (HY000): The statement DML privilege check is not passed, reject for user 'mycat'
//No permission to view the t1 table

Configuration instructions

DML permissions   Insert (insert)   Update (update)   View (select)   Delete (delete)
0000              Prohibit          Prohibit          Prohibit        Prohibit
0010              Prohibit          Prohibit          Allow           Prohibit
1110              Allow             Allow             Allow           Prohibit
1111              Allow             Allow             Allow           Allow

SQL interception

The firewall tag defines the firewall. Under it, the whitehost tag defines the IP whitelist and the blacklist tag defines the SQL blacklist.

1. Whitelist

By setting a whitelist you can allow a user to access Mycat only from a particular host, while the same user is refused from all other hosts.

<firewall>
        <whitehost>
                <host host="192.168.1.67" user="mycat"/>   <!-- the mycat user may log in only from host 192.168.1.67 -->
        </whitehost>
</firewall>

! Restart mycat

2. Blacklist
By setting a blacklist, Mycat can block specific SQL operations, such as insert, delete, update, and select statements.

<firewall>
        <whitehost>
                <host host="192.168.1.67" user="mycat"/>
        </whitehost>
        <blacklist check="true">
                <property name="deleteAllow">false</property> <!-- DELETE statements are not allowed -->
        </blacklist>
</firewall>

List of blacklist SQL blocking options that can be set

Configuration item   Default value   Description
selelctAllow         true            Whether to allow execution of SELECT statements
deleteAllow          true            Whether to allow execution of DELETE statements
updateAllow          true            Whether to allow execution of UPDATE statements
insertAllow          true            Whether to allow execution of INSERT statements
createTableAllow     true            Whether to allow table creation
setAllow             true            Whether to allow the use of SET syntax
alterTableAllow      true            Whether to allow execution of ALTER TABLE statements
dropTableAllow       true            Whether to allow execution of DROP TABLE statements
commitAllow          true            Whether to allow commit operations
rollbackAllow        true            Whether to allow rollback operations

true allows, false rejects
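To make the semantics of the privileges dml bits and the whitehost list above concrete, here is an added example (my own code, not part of Mycat or of this post) that parses a constructed server.xml fragment and answers "may this user run this statement on this table?" and "may this user connect from this host?". The bit order (insert, update, select, delete) and table-over-schema precedence follow the tables above; treating an unknown user as denied and an empty whitelist as "everyone allowed" are my assumptions, not a statement of Mycat's code.

```python
import xml.etree.ElementTree as ET

# Constructed server.xml fragment modelled on the post's examples (not a real deployment).
SERVER_XML = """<mycat:server xmlns:mycat="http://io.mycat/">
<user name="mycat">
  <property name="schemas">TESTDB</property>
  <privileges check="true">
    <schema name="TESTDB" dml="1110">
      <table name="t1" dml="0010"/>
    </schema>
  </privileges>
</user>
<firewall>
  <whitehost>
    <host host="192.168.1.67" user="mycat"/>
  </whitehost>
</firewall>
</mycat:server>"""

# Position of each statement type in the four-character dml string (from the table above).
DML_BITS = {"insert": 0, "update": 1, "select": 2, "delete": 3}


def dml_allowed(xml_text, user, schema, table, stmt):
    """True if `user` may run `stmt` (insert/update/select/delete) on schema.table.
    A table-level dml overrides the schema-level dml; check="false" (the default) means
    no DML restriction at all. Unknown users are denied (assumption)."""
    root = ET.fromstring(xml_text)
    user_el = root.find(f"./user[@name='{user}']")
    if user_el is None:
        return False
    priv = user_el.find("privileges")
    if priv is None or priv.get("check", "false").lower() != "true":
        return True  # permission checking disabled
    schema_el = priv.find(f"./schema[@name='{schema}']")
    if schema_el is None:
        return True  # no rule for this schema
    dml = schema_el.get("dml", "1111")
    table_el = schema_el.find(f"./table[@name='{table}']")
    if table_el is not None:
        dml = table_el.get("dml", dml)  # table rule wins over schema rule
    return dml[DML_BITS[stmt]] == "1"


def host_allowed(xml_text, user, host):
    """Whitelist check: with a whitehost list present, `user` may connect only from a
    listed (host, user) pair; with no list at all every host is accepted (assumption)."""
    root = ET.fromstring(xml_text)
    hosts = root.findall("./firewall/whitehost/host")
    if not hosts:
        return True
    return any(h.get("user") == user and h.get("host") == host for h in hosts)
```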

Origin blog.csdn.net/weixin_45310323/article/details/114448123