SET GLOBAL log_bin_trust_function_creators = 1; DELIMITER // CREATE DEFINER=`dbusr`@`%` FUNCTION `calculateMoney`(id VARCHAR(255), companyType VARCHAR(255)) RETURNS DOUBLE BEGIN DECLARE result DOUBLE DEFAULT 0; DECLARE c_borrow_money DOUBLE DEFAULT 0; DECLARE c_back_money DOUBLE DEFAULT 0; END
When creating the function, the error mysql 1418 is always reported. The result is that the value of the DEFINER parameter is wrong. The current user is not dbuser.
After deleting DEFINER=`dbusr`@`%`, the execution is successful
. See how to modify all definers in mysql.
quote
What is the definer in mysql and what does it do?
We define a Definer='xxx' when we create view, trigger, function, procedure, and event in mysql, similar to the following: CREATE ALGORITHM = UNDEFINED
DEFINER = `root`@`%` SQL SECURITY DEFINER VIEW `v_ questions` AS SELECT `q`.`id` AS `id`, `q`.`title` AS `title` FROM Test q; or like this: CREATE DEFINER=`root`@`%` PROCEDURE `user_count`() LANGUAGE SQL NOT DETERMINISTIC CONTAINS SQL SQL SECURITY DEFINER COMMENT '' BEGIN select count(*) from mysql.user; END
The red part of SQL SECURITY actually has two options, one is DEFINER and the other is INVOKER
SQL SECURITY { DEFINER | INVOKER } : Indicates who has permission to execute. DEFINER means to execute according to the authority possessed by the
definer. INVOKER means to execute with the authority of the caller. By default, the system is specified as DEFINER.
Take the stored procedure as an example:
(1) The MySQL stored procedure is the actual user who executes the stored procedure by specifying the SQL SECURITY clause;
(2) If the SQL SECURITY clause is specified as DEFINER, the stored procedure will Use the DEFINER of the stored procedure to execute the stored procedure, and verify whether the user calling the stored procedure has the execute authority of the stored procedure and whether the DEFINER user has authority to the related objects referenced by the stored procedure;
(3) If the SQL SECURITY clause is specified as INVOKER, then MySQL This procedure will be executed with the user currently calling the stored procedure, and verify whether the user has the execute authority of the stored procedure and the authority of the related objects referenced by the stored procedure;
(4) If the specified SQL SECURITY clause is not displayed, MySQL will default to DEFINER Execute the stored procedure.
Let's look at a few small examples below. Authorize one first
: grant all on testdb.* to 'user1'@'%' identified by '000000' with grant option; then we create a stored procedure as follows: USE `testdb`;
DROP procedure IF EXISTS `user_count`;
DELIMITER $$
USE `testdb`$$
CREATE DEFINER=`root`@`%` PROCEDURE `user_count`()
LANGUAGE SQL
NOT DETERMINISTIC
CONTAINS SQL
SQL SECURITY INVOKER
COMMENT ''
BEGIN
select count(*) from mysql.user;
END$$
DELIMITER ;
复制代码
用root帐号登陆:
复制代码
mysql> use testdb;
Database changed
mysql> call user_count();
+----------+
| count(*) |
+----------+
| 3 |
+----------+
1 row in set (0.00 sec)
Query OK, 0 rows affected (0.00 sec)
can be queried normally.
We use user1 to log in again:
mysql> use testdb;
Database changed
mysql> call user_count(); ERROR 1142 ( 42000
): SELECT command denied to user 'user1'@'localhost' for table 'user' No, this is because the SQL SECURITY value we defined above is INVOKER. During the execution of the stored procedure, it will be executed with the permissions that user1 has, which calls the mysql library, and our user1 account only has the permission to use the testdb library. So it will return failure. Let's change the above invoker to definer and try again: copy code update mysql.proc set security_type='DEFINER' where db='testdb' and name='user_count'; log in with user1 again: mysql> use testdb; Database changed mysql> call user_count();
| 3 |
+----------+
1 row in set (0.00 sec) Query
OK, 0 rows affected (0.00 sec) Permission, although it still does not have permission to directly operate the mysql library, since the SQL SECURITY we defined is DEFINER, it is executed as root during execution, so it can be queried normally. If it is convenient to modify all defined definers in mysql? Due to the development of the test library in the early stage, the definer we often defined is `root`@`%`, and then it was moved to the production library and then changed back. There are a lot of updates, hundreds of views, functions, etc. It is too cumbersome to change one by one and may also be missed. The following is a summary of the methods for modifying all definers, which can be used to check for leaks and fill in the gaps. The definers involved in MySQL now include view, trigger, function, procedure, and event. Let's introduce them one by one. 1. Modify the definer select definer from mysql.proc of function and procedure; -- function, stored procedure update mysql.proc set definer='user@localhost'; -- If there is a limited library or other, you can add where condition 2. Modify definer of event select DEFINER from mysql.EVENT; -- timed event
update mysql.EVENT set definer=' user@localhost ';
3. Modifying the definer of the view is more troublesome
than the modification of the function:
select DEFINER from information_schema.VIEWS;
select concat("alter DEFINER=`user`@`localhost` SQL SECURITY DEFINER VIEW ",TABLE_SCHEMA,".",TABLE_NAME," as ",VIEW_DEFINITION,";") from information_schema.VIEWS where DEFINER<>'user@localhost';
just execute the queried statement again.
4. There
is no specific and convenient way to modify the definer of the trigger. You can modify it one by one with the help of tools such as HeidiSQL and sqlyog. Note that it is necessary to lock the table before the change, because if other tables are changed and triggered during the change process, it will cause data inconsistency.
Flush tables with readlock
Unlock tables