MySQL 8 role-based privilege management

MySQL 8 introduces the concept of roles for managing account privileges, which is more flexible and convenient. A role is simply a collection of privileges. That collection is granted to an account (usually to a group of accounts, because an account is bound to a host, and accounts with the same name but different hosts are treated as different accounts). When the privileges of these accounts need to be reduced or extended, only the privilege set (the role) has to be modified, instead of changing each account one by one. This makes DBA operation and maintenance a lot easier.

Let's look at how roles are used.

Creating a Role

For example, an account in the development environment needs all privileges on a database, while an account in the production environment usually only needs CRUD privileges, so we can build a separate role for each set of privileges. If reads and writes are separated, we can also build two roles, one for reading and one for writing.

create role 'app_dev','app_read','app_write';

mysql8[(none)]>show grants for 'app_dev';
+-------------------------------------+
| Grants for app_dev@% |
+-------------------------------------+
| GRANT USAGE ON *.* TO `app_dev`@`%` |
+-------------------------------------+

When creating a role you can also bind a host (the default is %), so a role name consists of two parts, name + host, exactly like an account.
Roles are also created and stored in the same mysql.user table as accounts. You can see the role information by querying this table:

mysql8[(none)]>select * from mysql.user;
+-----------+------------------+-------------+-------------+-------------+-------------+-------------+-----------+-------------+---------------+--------------+-----------+------------+-----------------+------------+------------+--------------+------------+-----------------------+------------------+--------------+-----------------+------------------+------------------+----------------+---------------------+--------------------+------------------+------------+--------------+------------------------+----------+------------+-------------+--------------+---------------+-------------+-----------------+----------------------+-----------------------+------------------------------------------------------------------------+------------------+-----------------------+-------------------+----------------+------------------+----------------+------------------------+---------------------+
| Host | User | Select_priv | Insert_priv | Update_priv | Delete_priv | Create_priv | Drop_priv | Reload_priv | Shutdown_priv | Process_priv | File_priv | Grant_priv | References_priv | Index_priv | Alter_priv | Show_db_priv | Super_priv | Create_tmp_table_priv | Lock_tables_priv | Execute_priv | Repl_slave_priv | Repl_client_priv | Create_view_priv | Show_view_priv | Create_routine_priv | Alter_routine_priv | Create_user_priv | Event_priv | Trigger_priv | Create_tablespace_priv | ssl_type | ssl_cipher | x509_issuer | x509_subject | max_questions | max_updates | max_connections | max_user_connections | plugin | authentication_string | password_expired | password_last_changed | password_lifetime | account_locked | Create_role_priv | Drop_role_priv | Password_reuse_history | Password_reuse_time |
+-----------+------------------+-------------+-------------+-------------+-------------+-------------+-----------+-------------+---------------+--------------+-----------+------------+-----------------+------------+------------+--------------+------------+-----------------------+------------------+--------------+-----------------+------------------+------------------+----------------+---------------------+--------------------+------------------+------------+--------------+------------------------+----------+------------+-------------+--------------+---------------+-------------+-----------------+----------------------+-----------------------+------------------------------------------------------------------------+------------------+-----------------------+-------------------+----------------+------------------+----------------+------------------------+---------------------+
| % | app_dev | N | N | N | N | N | N | N | N | N | N | N | N | N | N | N | N | N | N | N | N | N | N | N | N | N | N | N | N | N | | | | | 0 | 0 | 0 | 0 | caching_sha2_password | | Y | 2018-06-14 11:27:35 | NULL | Y | N | N | NULL | NULL |
| % | app_read | N | N | N | N | N | N | N | N | N | N | N | N | N | N | N | N | N | N | N | N | N | N | N | N | N | N | N | N | N | | | | | 0 | 0 | 0 | 0 | caching_sha2_password | | Y | 2018-06-14 11:27:35 | NULL | Y | N | N | NULL | NULL |
| % | app_write | N | N | N | N | N | N | N | N | N | N | N | N | N | N | N | N | N | N | N | N | N | N | N | N | N | N | N | N | N | | | | | 0 | 0 | 0 | 0 | caching_sha2_password | | Y | 2018-06-14 11:27:35 | NULL | Y | N | N | NULL | NULL |
| % | repl | N | N | N | N | N | N | N | N | N | N | N | N | N | N | N | N | N | N | N | Y | N | N | N | N | N | N

Granting privileges to roles

We created three roles above, but they only have the USAGE privilege; we still need to grant privileges to the roles. Granting to a role is exactly the same as granting to an account.

mysql8[(none)]>grant select , insert,update,delete on test.* to app_dev;
Query OK, 0 rows affected (0.02 sec)

mysql8[(none)]>grant select on test.* to app_read;
Query OK, 0 rows affected (0.10 sec)

mysql8[(none)]>show grants for app_read;
+--------------------------------------------+
| Grants for app_read@% |
+--------------------------------------------+
| GRANT USAGE ON *.* TO `app_read`@`%` |
| GRANT SELECT ON `test`.* TO `app_read`@`%` |
+--------------------------------------------+
2 rows in set (0.00 sec)

mysql8[(none)]>show grants for app_dev;
+-------------------------------------------------------------------+
| Grants for app_dev@% |
+-------------------------------------------------------------------+
| GRANT USAGE ON *.* TO `app_dev`@`%` |
| GRANT SELECT, INSERT, UPDATE, DELETE ON `test`.* TO `app_dev`@`%` |
+-------------------------------------------------------------------+

We can see that each role now has the privileges granted to it.

Granting roles to an account

Let's create a specific account and grant it the appropriate role.

mysql8[(none)]>create user dev01 identified with mysql_native_password by 'dev01';
Query OK, 0 rows affected (0.04 sec)

mysql8[(none)]>grant app_dev to dev01;
Query OK, 0 rows affected (0.05 sec)

mysql8[(none)]>show grants for dev01;
+------------------------------------+
| Grants for dev01@% |
+------------------------------------+
| GRANT USAGE ON *.* TO `dev01`@`%` |
| GRANT `app_dev`@`%` TO `dev01`@`%` |
+------------------------------------+

We created the account dev01 and granted it the role app_dev. Running SHOW GRANTS shows the role, not the specific privileges. To see the specific privileges you need to run SHOW GRANTS with USING:

mysql8[(none)]>show grants for dev01 using app_dev;
+-----------------------------------------------------------------+
| Grants for dev01@% |
+-----------------------------------------------------------------+
| GRANT USAGE ON *.* TO `dev01`@`%` |
| GRANT SELECT, INSERT, UPDATE, DELETE ON `test`.* TO `dev01`@`%` |
| GRANT `app_dev`@`%` TO `dev01`@`%` |
+-----------------------------------------------------------------+

With USING app_dev, the privileges of the account and of the role are displayed together.

Now let's add the CREATE privilege to the role app_dev.

mysql8[(none)]>grant create on test.* to app_dev;
Query OK, 0 rows affected (0.10 sec)

mysql8[(none)]>show grants for dev01 using app_dev;
+-------------------------------------------------------------------------+
| Grants for dev01@% |
+-------------------------------------------------------------------------+
| GRANT USAGE ON *.* TO `dev01`@`%` |
| GRANT SELECT, INSERT, UPDATE, DELETE, CREATE ON `test`.* TO `dev01`@`%` |
| GRANT `app_dev`@`%` TO `dev01`@`%` |
+-------------------------------------------------------------------------+
3 rows in set (0.00 sec)

As you can see, after adding the privilege to the role, the dev01 account also has the CREATE privilege.

Activating roles

The series of operations above looks perfect, and the dev01 account seems ready to use, but actually it isn't! Log in with the dev01 account:

mysql> show grants for dev01 using app_dev;
+-------------------------------------------------------------------------+
| Grants for dev01@% |
+-------------------------------------------------------------------------+
| GRANT USAGE ON *.* TO `dev01`@`%` |
| GRANT SELECT, INSERT, UPDATE, DELETE, CREATE ON `test`.* TO `dev01`@`%` |
| GRANT `app_dev`@`%` TO `dev01`@`%` |
+-------------------------------------------------------------------------+
3 rows in set (0.00 sec)

mysql> show databases;
+--------------------+
| Database |
+--------------------+
| information_schema |
+--------------------+
1 row in set (0.01 sec)

The privileges are there, but the test database is not visible and nothing can be executed. Why? The role has not been activated.

mysql> select current_role()
-> ;
+----------------+
| current_role() |
+----------------+
| NONE |
+----------------+
1 row in set (0.00 sec)

Running SELECT CURRENT_ROLE() returns NONE. The granted role has not been activated, so this account is still useless.

Activating the roles for an account is also simple:

mysql8[(none)]>set default role all to dev01;
Query OK, 0 rows affected (0.06 sec)

This activates all roles granted to dev01. Logging in as dev01 again, access now works normally.

mysql> show databases;
+--------------------+
| Database |
+--------------------+
| information_schema |
| test |
+--------------------+
2 rows in set (0.01 sec)


mysql> select current_role();
+----------------+
| current_role() |
+----------------+
| `app_dev`@`%` |
+----------------+
1 row in set (0.00 sec)

We can see that the currently active role is app_dev.

This process feels too tedious: after all the granting you still have to activate. But MySQL 8 provides a parameter that makes roles activate automatically when the account logs in.

mysql8[(none)]>show global variables like 'activate_all_roles_on_login';
+-----------------------------+-------+
| Variable_name | Value |
+-----------------------------+-------+
| activate_all_roles_on_login | OFF |
+-----------------------------+-------+
1 row in set (0.01 sec)

mysql8[(none)]>set global activate_all_roles_on_login=ON;
Query OK, 0 rows affected (0.00 sec)

Just set activate_all_roles_on_login to ON.

mysql8[(none)]>create user query identified with mysql_native_password by 'query';
Query OK, 0 rows affected (0.04 sec)

mysql8[(none)]>grant app_read to query;
Query OK, 0 rows affected (0.06 sec)

mysql8[(none)]>show grants for query using app_read;
+-----------------------------------------+
| Grants for query@% |
+-----------------------------------------+
| GRANT USAGE ON *.* TO `query`@`%` |
| GRANT SELECT ON `test`.* TO `query`@`%` |
| GRANT `app_read`@`%` TO `query`@`%` |
+-----------------------------------------+
3 rows in set (0.00 sec)

mysql8[(none)]>exit

Log in with the query account:

mysql> show databases;
+--------------------+
| Database |
+--------------------+
| information_schema |
| test |
+--------------------+
2 rows in set (0.00 sec)

mysql> select current_user();
+----------------+
| current_user() |
+----------------+
| query@% |
+----------------+
1 row in set (0.00 sec)

mysql> select current_role();
+----------------+
| current_role() |
+----------------+
| `app_read`@`%` |
+----------------+
1 row in set (0.00 sec)

We can see that the role has been activated.
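The whole procedure above (create roles, grant privileges to them, grant them to an account, activate) as one added example that is not from the original post. It tightens two points of the walk-through: accounts are bound to a subnet instead of '%', and SET DEFAULT ROLE activates only the read-only role rather than ALL (and rather than the global activate_all_roles_on_login=ON, which activates every granted role for every account). The names app_ro, app_rw, app_svc and the host 10.0.1.% are assumed.

```sql
-- Added example, not from the original post. Names and host are assumed.

-- 1. Roles. A role is a locked account with no usable password, so it
--    cannot log in itself; that is the account_locked = Y seen in mysql.user.
CREATE ROLE IF NOT EXISTS 'app_ro', 'app_rw';
GRANT SELECT ON test.* TO 'app_ro';
GRANT INSERT, UPDATE, DELETE ON test.* TO 'app_rw';

-- 2. Application account bound to its subnet rather than '%'.
CREATE USER IF NOT EXISTS 'app_svc'@'10.0.1.%'
  IDENTIFIED WITH caching_sha2_password BY 'placeholder-change-me';
GRANT 'app_ro', 'app_rw' TO 'app_svc'@'10.0.1.%';

-- 3. Only the read-only role is active at login. Writes need an explicit
--    SET ROLE in the session, so a connection that never asks for it cannot write.
SET DEFAULT ROLE 'app_ro' TO 'app_svc'@'10.0.1.%';

-- Verify the effective privileges with every granted role expanded
-- (USING accepts a list of roles).
SHOW GRANTS FOR 'app_svc'@'10.0.1.%' USING 'app_ro', 'app_rw';

-- 4. Inside the application's own session (logged in as app_svc):
--    SELECT CURRENT_ROLE();         -- `app_ro`@`%`
--    SET ROLE 'app_rw', 'app_ro';   -- opt in to writes for this session only;
--                                   -- SET ROLE replaces the active set, it does
--                                   -- not add to it, so list app_ro again
--    SET ROLE DEFAULT;              -- back to the login default

-- 5. Tightening later is one statement on the role; every grantee follows,
--    just as adding CREATE to app_dev reached dev01 above.
REVOKE DELETE ON test.* FROM 'app_rw';
```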

Using roles and accounts interchangeably

There is no real difference between a role and an account: an account can be treated as a role and granted to other accounts. See the MySQL official documentation for details.

CREATE USER 'u1';
CREATE ROLE 'r1';
GRANT SELECT ON db1.* TO 'u1';
GRANT SELECT ON db2.* TO 'r1';
CREATE USER 'u2';
CREATE ROLE 'r2';
GRANT 'u1', 'r1' TO 'u2';
GRANT 'u1', 'r1' TO 'r2';

Isn't that flexible? My jaw dropped!
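Because an ordinary account such as u1 can be granted as a role, its password becomes a second way into every privilege its grantees inherit. The following audit queries, added here and not part of the original post, show how a DBA can inspect the role graph that the GRANT statements above build; they use the MySQL 8 system tables mysql.role_edges and mysql.default_roles and the information_schema role views.

```sql
-- Added example, not from the original post.

-- Every role/account edge (u1 -> u2, r1 -> r2, app_dev -> dev01, ...),
-- with the ADMIN OPTION flag that lets a grantee pass the role on further.
SELECT FROM_USER, FROM_HOST, TO_USER, TO_HOST, WITH_ADMIN_OPTION
  FROM mysql.role_edges
 ORDER BY TO_USER, TO_HOST, FROM_USER;

-- Which roles become active at login for each account (SET DEFAULT ROLE).
SELECT USER, HOST, DEFAULT_ROLE_USER, DEFAULT_ROLE_HOST
  FROM mysql.default_roles
 ORDER BY USER, HOST;

-- Things granted as roles that are NOT locked: real accounts like u1 that
-- can still log in on their own. Review each one; a proper role shows
-- account_locked = 'Y' in mysql.user, as the role rows above do.
SELECT DISTINCT e.FROM_USER, e.FROM_HOST, u.account_locked
  FROM mysql.role_edges AS e
  JOIN mysql.user AS u
    ON u.User = e.FROM_USER AND u.Host = e.FROM_HOST
 WHERE u.account_locked = 'N';

-- Whether every granted role is auto-activated at login, server-wide.
SHOW GLOBAL VARIABLES LIKE 'activate_all_roles_on_login';

-- From inside a session: roles the current user may activate, versus
-- roles that are active right now (the same information as CURRENT_ROLE()).
SELECT ROLE_NAME, ROLE_HOST, IS_DEFAULT, IS_MANDATORY
  FROM information_schema.APPLICABLE_ROLES;
SELECT ROLE_NAME, ROLE_HOST
  FROM information_schema.ENABLED_ROLES;
```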

Original link: https://www.dazhuanlan.com/2019/08/15/5d551447abf4d/


Origin: www.cnblogs.com/chinatrump/p/11416261.html