mysql8[(none)]>show grants for dev01 using app_dev; +-----------------------------------------------------------------+ | Grants for dev01@% | +-----------------------------------------------------------------+ | GRANT USAGE ON *.* TO `dev01`@`%` | | GRANT SELECT, INSERT, UPDATE, DELETE ON `test`.* TO `dev01`@`%` | | GRANT `app_dev`@`%` TO `dev01`@`%` | +-----------------------------------------------------------------+
通过使用using app_dev,会将账号和角色的权限一并显示。
我们给角色app_dev添加create权限
1 2 3 4 5 6 7 8 9 10 11 12
mysql8[(none)]>grant create on test.* to app_dev; Query OK, 0 rows affected (0.10 sec)
mysql8[(none)]>show grants for dev01 using app_dev; +-------------------------------------------------------------------------+ | Grants for dev01@% | +-------------------------------------------------------------------------+ | GRANT USAGE ON *.* TO `dev01`@`%` | | GRANT SELECT, INSERT, UPDATE, DELETE, CREATE ON `test`.* TO `dev01`@`%` | | GRANT `app_dev`@`%` TO `dev01`@`%` | +-------------------------------------------------------------------------+ 3 rows in set (0.00 sec)
可以看到给角色添加权限后,dev01账号也具有了create权限。
激活角色
上面的一些列操作貌似完美,dev02账号可以使用了,其实还不行!使用dev01账号登陆:
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17
mysql> show grants for dev01 using app_dev; +-------------------------------------------------------------------------+ | Grants for dev01@% | +-------------------------------------------------------------------------+ | GRANT USAGE ON *.* TO `dev01`@`%` | | GRANT SELECT, INSERT, UPDATE, DELETE, CREATE ON `test`.* TO `dev01`@`%` | | GRANT `app_dev`@`%` TO `dev01`@`%` | +-------------------------------------------------------------------------+ 3 rows in set (0.00 sec)
mysql> show databases; +--------------------+ | Database | +--------------------+ | information_schema | +--------------------+ 1 row in set (0.01 sec)
发现权限也有,但并看不到test库,什么也无法执行。为什么呢?角色没有被激活
1 2 3 4 5 6 7 8
mysql> select current_role() -> ; +----------------+ | current_role() | +----------------+ | NONE | +----------------+ 1 row in set (0.00 sec)
mysql8[(none)]>show global variables like 'activate_all_roles_on_login'; +-----------------------------+-------+ | Variable_name | Value | +-----------------------------+-------+ | activate_all_roles_on_login | OFF | +-----------------------------+-------+ 1 row in set (0.01 sec)
mysql8[(none)]>set global activate_all_roles_on_login=ON; Query OK, 0 rows affected (0.00 sec)
把activate_all_roles_on_login设置为ON就可以了。
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17
mysql8[(none)]>create user query identified with mysql_native_password by 'query'; Query OK, 0 rows affected (0.04 sec)
mysql8[(none)]>show grants for query using app_read; +-----------------------------------------+ | Grants for query@% | +-----------------------------------------+ | GRANT USAGE ON *.* TO `query`@`%` | | GRANT SELECT ON `test`.* TO `query`@`%` | | GRANT `app_read`@`%` TO `query`@`%` | +-----------------------------------------+ 3 rows in set (0.00 sec)
mysql> show databases; +--------------------+ | Database | +--------------------+ | information_schema | | test | +--------------------+ 2 rows in set (0.00 sec)
mysql> select current_user(); +----------------+ | current_user() | +----------------+ | query@% | +----------------+ 1 row in set (0.00 sec)
mysql> select current_role(); +----------------+ | current_role() | +----------------+ | `app_read`@`%` | +----------------+ 1 row in set (0.00 sec)
可以看到角色已被激活。
角色和账号交互使用
角色和账号没有什么区别,可以把一个账号当做一个角色,将其授权给其它账号。详见MySQL 官方文档
1 2 3 4 5 6 7 8
USER「U1」を作成します。 ROLE「R1」を作成します。 GRANT SELECT ON DB1 * 'U1'に。 GRANT SELECT ONのDB2 * TO 'R1'。; USER「U2」を作成します。 R2 'の役割を作成します。 GRANT 'U1' 'U2'に、R1 ''; GRANT 'U1'、 'R2'にR1 '';