Experiment 2: Security Language Experiment

Experiment purpose: To master how to define and maintain discretionary (autonomous) access control permissions.

Experiment content:
1. Define users and roles
2. Assign permissions to users and roles, and revoke permissions
3. Log in to the database as each user and verify that the permissions were assigned correctly

Experiment process and requirements:
1. Select an application scenario and design a permission allocation scheme using discretionary access control. Either of two schemes may be adopted.
Option 1: Log in to the database as the SYSTEM superuser, complete all permission allocation, and then log in with each user name to verify that the permissions were assigned correctly.
Option 2: Log in to the database as the SYSTEM user to create three department manager users and grant them the corresponding permissions; then log in as each of the three managers, create the USERs and ROLEs of that department, and assign the corresponding permissions.

Key points and difficulties of the experiment
Key points: defining roles, assigning permissions and revoking permissions

Experimental scenario:
An enterprise has three departments: purchasing, sales and customer management. The purchasing department manager is David and the buyer is Jeffery; the sales department manager is Tom and the salesperson is Jane; the customer management department manager is Kathy and the staff member is Mike. The enterprise's information system covers the business of all three departments, and its database model is the Sales schema of TPC-H. For this scenario, use the discretionary access control mechanism to design a concrete permission allocation scheme.
Experimental process:

1. Create users
(1) Create user IDs for the managers of the three departments (purchasing, sales and customer management); these accounts must have the right to create users or roles.
(2) Create user IDs and passwords for the staff of the three departments.
2. Create roles and assign permissions
(1) Create a query role for each department and grant it the corresponding query permissions.
(2) Create a staff role for each department with permission to view and insert the department's own information.
(3) Create a manager role for each department. The manager role has full control over its own department's information and query rights on the other departments' information. The manager may assign permissions to the staff of their own department.
3. Assign permissions to users
(1) Assign permissions to the managers of each department.
(2) Assign permissions to the staff of each department.
4. Revoke department staff permissions.
5. Verify the correctness of the permission assignment
(1) Log in to the database as David and verify the purchasing manager's permissions.
(2) Revoke Mike's customer department staff permissions.

Reference solution:

1. Create users
(1) Create user IDs for the managers of the three departments (purchasing, sales and customer management); they need the right to create users or roles.
create user 'david'@'localhost' identified by 'david';
create user 'tom'@'localhost' identified by 'tom';
create user 'kathy'@'localhost' identified by 'kathy';
----------------------------------------------------
-- The CREATE privilege only allows creating tables; creating accounts and roles needs CREATE USER and CREATE ROLE.
grant create user, create role on *.* to 'david'@'localhost';
grant create user, create role on *.* to 'tom'@'localhost';
grant create user, create role on *.* to 'kathy'@'localhost';
----------------------------------------------------
(2) Create user IDs and passwords for the staff of the three departments (purchasing, sales and customer management).
create user 'jeffery'@'localhost' identified by 'jeffery';
create user 'jane'@'localhost' identified by 'jane';
create user 'mike'@'localhost' identified by 'mike';
----------------------------------------------------
2. Create roles and assign permissions
(1) Create a query role for each department and grant it the corresponding query (SELECT) permissions.
create role 'PurchaseQueryRole';
create role 'SaleQueryRole';
create role 'CustomerQueryRole';
----------------------------------------------------
 grant select on sales.part to PurchaseQueryRole;
 grant select on sales.supplier to PurchaseQueryRole;
 grant select on sales.partsupp to PurchaseQueryRole;
-----------------------------------------------------
 grant select on sales.orders to SaleQueryRole;
 grant select on sales.lineitem  to SaleQueryRole;
----------------------------------------------------
 grant select on sales.customer to CustomerQueryRole;
 grant select on sales.nation to CustomerQueryRole;
 grant select on sales.region to CustomerQueryRole;
----------------------------------------------------
(2) Create a staff role for each department with view (SELECT) and insert (INSERT) permission on the department's own information.
create role 'PurchaseEmployeeRole';
create role 'SaleEmployeeRole';
create role 'CustomerEmployeeRole';
------------------------------------------------------------
 grant select,insert on sales.part to PurchaseEmployeeRole;
 grant select,insert on sales.supplier to PurchaseEmployeeRole;
 grant select,insert on sales.partsupp to PurchaseEmployeeRole;
----------------------------------------------------------
 grant select,insert on sales.orders to SaleEmployeeRole;
 grant select,insert on sales.lineitem to SaleEmployeeRole;
---------------------------------------------------------
 grant select,insert on sales.customer to CustomerEmployeeRole;
 grant select,insert on sales.nation to CustomerEmployeeRole;
 grant select,insert on sales.region to CustomerEmployeeRole;
----------------------------------------------------
(3) Create a manager role for each department. The manager role has full control over its own department's information and query rights on the other departments' information. [The manager has the right to assign permissions to the staff of their own department.]
create role 'PurchaseManagerRole';
create role 'SaleManagerRole';
create role 'CustomerManagerRole';
-----------------------------------------------------------
grant all on sales.part to 'PurchaseManagerRole';
grant all on  sales.supplier to 'PurchaseManagerRole';
grant all on  sales.partsupp to 'PurchaseManagerRole';
----------------------------------------------------
grant all on sales.orders to 'SaleManagerRole';
grant all on sales.lineitem to  'SaleManagerRole';
----------------------------------------------------
grant all on sales.customer to 'CustomerManagerRole';
grant all on sales.nation to 'CustomerManagerRole';
grant all on sales.region to 'CustomerManagerRole';
------------------------------------------------------------
grant 'SaleQueryRole' to 'PurchaseManagerRole';
grant 'CustomerQueryRole' to 'PurchaseManagerRole';
----------------------------------------------------
grant 'PurchaseQueryRole' to 'SaleManagerRole';
grant 'CustomerQueryRole' to 'SaleManagerRole';
----------------------------------------------------
grant 'PurchaseQueryRole' to 'CustomerManagerRole';
grant 'SaleQueryRole' to 'CustomerManagerRole';
-----------------------------------------------------------

3. Assign permissions to users
(1) Assign permissions to the department managers
grant 'PurchaseManagerRole' to 'david'@'localhost';
grant 'SaleManagerRole' to 'tom'@'localhost';
grant 'CustomerManagerRole' to 'kathy'@'localhost';
----------------------------------------------------
(2) Assign permissions to the department staff
grant 'PurchaseEmployeeRole' to 'jeffery'@'localhost';
grant 'SaleEmployeeRole' to 'jane'@'localhost';
grant 'CustomerEmployeeRole' to 'mike'@'localhost';
----------------------------------------------------
Activate the roles (a granted role is inactive until it is set as a default role or activated with SET ROLE; the account must be named with its host, since a bare name resolves to '%'):
set default role all to 'david'@'localhost';
set default role all to 'tom'@'localhost';
set default role all to 'kathy'@'localhost';
set default role all to 'jeffery'@'localhost';
set default role all to 'jane'@'localhost';
set default role all to 'mike'@'localhost';

Or activate all granted roles automatically at login:
show global variables like 'activate_all_roles_on_login';
set global activate_all_roles_on_login=ON;
----------------------------------------------------
4. Revoke role or user permissions
(1) Revoke the customer manager role's right to view sales information
revoke 'SaleQueryRole' from 'CustomerManagerRole';
(2) Revoke Mike's customer department staff permissions
revoke 'CustomerEmployeeRole' from 'mike'@'localhost';
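The reference solution stops at the revocation; step 5 of the process (verifying the assignment as David) and the requirement from 2(3) that a manager may assign permissions to their own staff are not shown. The following is an added example, not part of the original post, assuming MySQL 8.0 (roles and GRANT ... WITH ADMIN OPTION), the TPC-H sales schema, and the users and roles created above. The row inserted into sales.part is a constructed test value and is deleted again.

```sql
-- Added example (not from the original post). Assumes MySQL 8.0 and the
-- users/roles defined above in the TPC-H 'sales' schema.

-- === Session 1: as the administrator ===
-- Let the purchasing manager hand out only his own department's staff role.
-- ADMIN OPTION on PurchaseEmployeeRole lets David grant and revoke that one
-- role; it avoids the global ROLE_ADMIN privilege, which would cover every role.
GRANT 'PurchaseEmployeeRole' TO 'david'@'localhost' WITH ADMIN OPTION;

-- Audit the role graph: who holds which role, and who may delegate it.
SELECT FROM_USER, FROM_HOST, TO_USER, TO_HOST, WITH_ADMIN_OPTION
  FROM mysql.role_edges
 ORDER BY TO_USER, FROM_USER;

-- === Session 2: as david@localhost (step 5(1), verify the purchasing manager) ===
-- If activate_all_roles_on_login is OFF and no default role was set, run: SET ROLE ALL;
SELECT CURRENT_USER(), CURRENT_ROLE();      -- which roles are active in this session
SHOW GRANTS FOR CURRENT_USER() USING 'PurchaseManagerRole';

-- Own department: full control, so insert and delete are allowed.
INSERT INTO sales.part (p_partkey, p_name, p_mfgr, p_brand, p_type,
                        p_size, p_container, p_retailprice, p_comment)
VALUES (999901, 'constructed test part', 'Manufacturer#1', 'Brand#11',
        'STANDARD BRUSHED TIN', 1, 'SM BOX', 1.00, 'row for the permission check');
DELETE FROM sales.part WHERE p_partkey = 999901;

-- Other departments: query only. The SELECT is allowed through SaleQueryRole;
-- the INSERT is denied because no role of David's carries INSERT on sales.orders.
SELECT COUNT(*) FROM sales.orders;
INSERT INTO sales.orders (o_orderkey) VALUES (999901);

-- Delegation: David may grant the purchasing staff role (ADMIN OPTION above),
-- but the grant of a sales role is denied because he does not administer it.
GRANT 'PurchaseEmployeeRole' TO 'jeffery'@'localhost';
GRANT 'SaleEmployeeRole' TO 'jeffery'@'localhost';

-- === Session 3: as mike@localhost, after 4(2) revoked CustomerEmployeeRole ===
-- Mike holds no roles any more, so the query on the customer table is denied.
SELECT CURRENT_ROLE();
SELECT COUNT(*) FROM sales.customer;
```

Run each session in a separate mysql client connection for the named account; the statements marked as denied are the ones whose failure demonstrates that the assignment is correct, and the role_edges query is the quickest way to spot an unintended delegation (a WITH_ADMIN_OPTION of Y on a role the holder should not administer).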

Source: blog.csdn.net/weixin_46220576/article/details/124322727