Pitfalls of changing a MySQL user's host

Preface: 

When we create a database user we specify a host, so a complete account is written as 'username'@'host'. If no host is given explicitly it defaults to %, meaning the user may connect from any IP; we can also set the host to a specific IP or subnet, so that the account can only be used from that address range. Be aware, however, that 'username'@'%' and 'username'@'192.168.6.%' are two unrelated accounts: they can have different passwords and different privileges. It is therefore not advisable to create several accounts with the same name but different hosts, nor to change an account's host lightly. I once ran into a failure triggered by changing a user's host, and I will share the cause and the resolution here.
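The point that 'username'@'%' and 'username'@'192.168.6.%' are independent accounts can be seen directly from the grant tables. The following is an added example, not part of the original post; the account name appuser, the two passwords and the 192.168.6.0/24 range are constructed for illustration.

```sql
-- Added example, not from the original post: two accounts with the same name but
-- different hosts are independent rows in mysql.user, each with its own password
-- and its own privileges. Names, passwords and the subnet are constructed.
CREATE USER 'appuser'@'%'           IDENTIFIED BY 'pw_for_any_host';
CREATE USER 'appuser'@'192.168.6.%' IDENTIFIED BY 'pw_for_app_subnet';

GRANT SELECT         ON testdb.* TO 'appuser'@'%';
GRANT SELECT, INSERT ON testdb.* TO 'appuser'@'192.168.6.%';

-- Two rows, two separate grant sets.
SELECT User, Host FROM mysql.user WHERE User = 'appuser';
SHOW GRANTS FOR 'appuser'@'%';
SHOW GRANTS FOR 'appuser'@'192.168.6.%';

-- The server matches the most specific host first, so a client connecting from
-- 192.168.6.10 is authenticated against 'appuser'@'192.168.6.%' and must present
-- 'pw_for_app_subnet'; 'pw_for_any_host' is rejected for that client even though
-- 'appuser'@'%' would match on its own. Inside a session, USER() shows the
-- user@host the client connected as and CURRENT_USER() shows the account the
-- server actually matched, which is the one whose privileges apply.
SELECT USER(), CURRENT_USER();

-- Remove the constructed accounts.
DROP USER 'appuser'@'%', 'appuser'@'192.168.6.%';
```

Comparing USER() with CURRENT_USER() is the quickest way to confirm which of several same-named accounts a connection landed on before you debug a privilege or DEFINER problem.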

1. Fault simulation

At that time, to tighten security, an application user's host was changed from % to the IP segment of the application servers. Some time later a business team reported that a function was failing, and the investigation found that a stored procedure could no longer be called (you may already guess the reason). The fault is reproduced below.

# Simulate creating the original user, table and stored procedure
mysql> create user 'testuser'@'%' identified by '123456';
Query OK, 0 rows affected (0.04 sec)

mysql> grant select,insert,update,delete,execute on `testdb`.* to 'testuser'@'%';
Query OK, 0 rows affected (0.01 sec)

mysql> flush privileges;
Query OK, 0 rows affected (0.00 sec)

mysql> show grants for 'testuser'@'%';
+-------------------------------------------------------------------------------+
| Grants for testuser@%                                                         |
+-------------------------------------------------------------------------------+
| GRANT USAGE ON *.* TO 'testuser'@'%'                                          |
| GRANT SELECT, INSERT, UPDATE, DELETE, EXECUTE ON `testdb`.* TO 'testuser'@'%' |
+-------------------------------------------------------------------------------+

CREATE TABLE `students` (
 `id` int(11) NOT NULL ,
 `name` varchar(20),
 `age` int(11),
 PRIMARY KEY (`id`)
) ENGINE=InnoDB ;
INSERT INTO `students` VALUES ('1001', 'lodd', '23');
INSERT INTO `students` VALUES ('1002', 'sdfs', '21');
INSERT INTO `students` VALUES ('1003', 'sdfsa', '24');

DROP PROCEDURE IF EXISTS select_students_count;
DELIMITER $$
CREATE DEFINER=`testuser`@`%` PROCEDURE `select_students_count`()
BEGIN
   SELECT count(id) from students;
END
$$
DELIMITER ;

# Call the stored procedure as testuser: the call succeeds
mysql> call select_students_count();
+-----------+
| count(id) |
+-----------+
|         3 |
+-----------+

# Change the user's host by renaming the user
mysql> RENAME USER 'testuser'@'%' to 'testuser'@'192.168.6.%';
Query OK, 0 rows affected (0.00 sec)
mysql> flush privileges;
Query OK, 0 rows affected (0.01 sec)
mysql> show grants for  'testuser'@'192.168.6.%';
+---------------------------------------------------------------------------------------+
| Grants for testuser@localhost                                                         |
+---------------------------------------------------------------------------------------+
| GRANT USAGE ON *.* TO 'testuser'@'localhost'                                          |
| GRANT SELECT, INSERT, UPDATE, DELETE, EXECUTE ON `testdb`.* TO 'testuser'@'localhost' |
+---------------------------------------------------------------------------------------+

# Call the stored procedure as testuser again: the call fails
mysql> call select_students_count();
ERROR 1449 (HY000): The user specified as a definer ('testuser'@'%') does not exist

2. Troubleshooting and solution

After calling the stored procedure manually, the error message makes the cause obvious: the user 'testuser'@'%' no longer exists. The procedure was defined with DEFINER 'testuser'@'%', and we changed that user's host to 192.168.6.%. When the procedure is called, the server checks whether its owner exists; since it does not, the server rejects the request and throws an error.

Once the cause is known the fix is clear: change the owner of the stored procedure to the new account. In fact, after a user is changed, every view, stored procedure, function, trigger and event owned by that user is affected. When we define such objects the DEFINER attribute is used, and whenever the object is invoked the server first checks whether the DEFINER user exists; if it does not, an error is thrown immediately.

There are two ways to solve this. The first is to change the procedure's security attribute from DEFINER to INVOKER; I do not recommend this, because DEFINER and INVOKER behave differently, as the next section explains. The second is to change the owner of the stored procedure. The method and its verification are shown below:

# Change the owner of the stored procedure through the system table
mysql> update mysql.proc set definer='testuser@192.168.6.%' where db='testdb' and name='select_students_count' and type='PROCEDURE';
Query OK, 1 row affected (0.01 sec)
Rows matched: 1  Changed: 1  Warnings: 0

# Call as testuser to verify: the call succeeds
mysql> call select_students_count();
+-----------+
| count(id) |
+-----------+
|         3 |
+-----------+
1 row in set (0.00 sec)
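The fix above writes directly into mysql.proc, which exists in MySQL 5.x but was removed in MySQL 8.0 (routine metadata moved into the data dictionary), and it only covers one procedure. The following is an added example, not from the original post: part (a) audits every routine, view, trigger and event whose DEFINER has no matching account in mysql.user, which is the check to run right after any RENAME USER; part (b) shows the portable way to reassign the owner by dropping and recreating the object with the new DEFINER. The object and account names are the ones used in this article.

```sql
-- Added example (not from the original post).
-- Part (a): find stored objects whose DEFINER no longer matches any account.
-- Needs SELECT on mysql.user. information_schema stores DEFINER as 'user@host',
-- so compare it against CONCAT(User, '@', Host) from the grant table.
SELECT 'ROUTINE' AS object_type, r.ROUTINE_SCHEMA AS db, r.ROUTINE_NAME AS name,
       r.ROUTINE_TYPE AS subtype, r.DEFINER AS definer
  FROM information_schema.ROUTINES r
 WHERE NOT EXISTS (SELECT 1 FROM mysql.user u
                    WHERE CONCAT(u.User, '@', u.Host) = r.DEFINER)
UNION ALL
SELECT 'VIEW', v.TABLE_SCHEMA, v.TABLE_NAME, NULL, v.DEFINER
  FROM information_schema.VIEWS v
 WHERE NOT EXISTS (SELECT 1 FROM mysql.user u
                    WHERE CONCAT(u.User, '@', u.Host) = v.DEFINER)
UNION ALL
SELECT 'TRIGGER', t.TRIGGER_SCHEMA, t.TRIGGER_NAME, NULL, t.DEFINER
  FROM information_schema.TRIGGERS t
 WHERE NOT EXISTS (SELECT 1 FROM mysql.user u
                    WHERE CONCAT(u.User, '@', u.Host) = t.DEFINER)
UNION ALL
SELECT 'EVENT', e.EVENT_SCHEMA, e.EVENT_NAME, NULL, e.DEFINER
  FROM information_schema.EVENTS e
 WHERE NOT EXISTS (SELECT 1 FROM mysql.user u
                    WHERE CONCAT(u.User, '@', u.Host) = e.DEFINER);
-- Right after the RENAME USER in this article, this returns one row:
--   ROUTINE | testdb | select_students_count | PROCEDURE | testuser@%

-- Part (b): reassign the owner without touching system tables. ALTER PROCEDURE
-- cannot change DEFINER, so capture the body, drop, and recreate. Naming a
-- DEFINER other than yourself requires SUPER (5.x) or SET_USER_ID (8.0).
SHOW CREATE PROCEDURE testdb.select_students_count;   -- copy the body from here
DROP PROCEDURE IF EXISTS testdb.select_students_count;
DELIMITER $$
CREATE DEFINER=`testuser`@`192.168.6.%` PROCEDURE testdb.`select_students_count`()
BEGIN
   SELECT count(id) FROM testdb.students;
END$$
DELIMITER ;

-- Re-run part (a): it now returns no rows, and the call works again.
CALL testdb.select_students_count();
```

Part (a) is also worth running before a database migration (recommendation 6 below): any row it returns is an object that will start failing the moment it is invoked in an environment where that account does not exist.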

 

3. Extended knowledge: DEFINER and INVOKER

In MySQL, when you create a view, function, stored procedure, trigger or event, you can specify a security attribute (SQL SECURITY) whose value is DEFINER or INVOKER. It determines whose privileges are used while the object executes.

  • DEFINER: the object executes with the privileges of the user named as its definer
  • INVOKER: the object executes with the privileges of the user who calls the view (or stored procedure)

The default is DEFINER. With SQL SECURITY DEFINER, the user named as DEFINER must exist in the database and must hold the privileges for the operations performed and for the related objects referenced; only then does the call succeed, and the privileges of the calling user play no part in what the body may do. With SQL SECURITY INVOKER, the call succeeds as long as the caller has execute privilege on the object and privileges on the related objects it references.
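To make the difference concrete, the following added example (not from the original post) defines the same body twice, once with SQL SECURITY DEFINER and once with SQL SECURITY INVOKER, and calls both from a low-privilege account. The account 'reporter'@'%' and its password are constructed; testdb, students and 'testuser'@'192.168.6.%' are the article's own objects, and the example assumes the RENAME USER from section 1 has been carried out so that the DEFINER account exists.

```sql
-- Added example (not from the original post): same body, two SQL SECURITY modes,
-- called by a constructed account that has EXECUTE on the routines but no SELECT
-- on testdb.students. Run the setup as an administrator.
CREATE USER 'reporter'@'%' IDENTIFIED BY 'reporter_pw';

USE testdb;
DROP PROCEDURE IF EXISTS count_students_definer;
DROP PROCEDURE IF EXISTS count_students_invoker;
DELIMITER $$
-- Runs with the privileges of 'testuser'@'192.168.6.%' (the DEFINER),
-- whoever calls it.
CREATE DEFINER=`testuser`@`192.168.6.%` PROCEDURE count_students_definer()
SQL SECURITY DEFINER
BEGIN
   SELECT count(id) FROM students;
END$$
-- Runs with the privileges of whoever calls it.
CREATE DEFINER=`testuser`@`192.168.6.%` PROCEDURE count_students_invoker()
SQL SECURITY INVOKER
BEGIN
   SELECT count(id) FROM students;
END$$
DELIMITER ;

GRANT EXECUTE ON PROCEDURE testdb.count_students_definer TO 'reporter'@'%';
GRANT EXECUTE ON PROCEDURE testdb.count_students_invoker TO 'reporter'@'%';

-- Now connected as 'reporter'@'%':
CALL testdb.count_students_definer();
-- returns 3: the body runs with testuser's SELECT privilege on testdb.*
CALL testdb.count_students_invoker();
-- ERROR 1142 (42000): SELECT command denied to user 'reporter'@'<client host>'
--   for table 'students'

-- Clean up the constructed objects.
DROP PROCEDURE testdb.count_students_definer;
DROP PROCEDURE testdb.count_students_invoker;
DROP USER 'reporter'@'%';
```

DEFINER lets a routine expose one narrow operation to callers who must not read the underlying table, which is why it is the default and the recommended choice; the cost is precisely the failure in this article, because the DEFINER account has to keep existing under exactly that user@host.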

With this knowledge you can probably see the full cause and effect of the failure above. In daily production the INVOKER attribute is not recommended: once SQL SECURITY is defined as INVOKER, any other user who wants to call the object needs not only execute privilege on it but also privileges on every related object it references, which greatly increases operational complexity. Reviewing the whole article, here are a few personal recommendations for your reference:

  1. Do not create multiple users with the same name and different hosts.
  2. Do not change a user's host.
  3. If you must change a user's host, use the RENAME USER statement; updating the host column of the mysql.user system table directly will cause privileges to be lost.
  4. After changing a user's host, check the DEFINER attribute of every object owned by that user.
  5. When creating views, stored procedures and other objects, it is recommended to define SQL SECURITY as DEFINER.
  6. When migrating a database, make sure the DEFINER users of the related objects exist in the new environment.

Summary:

Starting from a failure, I have recorded in detail the knowledge involved and the reason behind it. Details such as the DEFINER attribute are easily overlooked, and we usually only explore them once we hit a problem. I hope this article taught you something new, especially the recommendations summarized above, which come from my daily operations and maintenance experience. Writing original content is not easy; please support it!



Source: www.cnblogs.com/kunjian/p/11912039.html