1. Event background
When it was near lunchtime today, a development colleague sent a request to create two views in the mariadb library, requiring the specified account to have read-only permission.
Very simple requirement, connect to the server, flash two grant commands, fulsh privileges and press Enter, the landlord can go to eat with peace of mind.
2. The key point is here, when the landlord returns from dinner, (he also played the king pesticide downstairs, and knelt twice in the ranking (┬_┬)),
the colleague who sent the request in the morning came to me.
3.
I was instantly confused by Liu An Hua Ming, and after waiting for a while, I quickly went to find out the reason.
After repeatedly confirming that the grant is OK, the landlord continued to be confused. At this time, it has been 20 minutes since I received this question.
I am very anxious. How can this be a small demand.
Just when the landlord was extremely helpless, he suddenly clicked on the advanced page of the design view and saw the security 'Definer' point.
A certain degree of omnipotence gave me the answer. When the security of the view is DEFINER, the user specified by DEFINER exists in the database, that is, the definer in the figure fills in. And the user has the corresponding permissions to execute. Regardless of whether the current user has permissions.
When the security of the view is INVOKER, as long as the executor has execute permission, it can be executed successfully.
The picture above is the one that solved the problem after I modified it, because it was written as '[email protected].%.%' and the security of the view was caused by DEFINER. Of course, if the development is not read-only for the specified account, the security can also be defined as INVOKER, so that anyone who has permission to this view can view it.
Reference: http://pdf.us/2018/02/24/679.html