MySQL: a detailed tutorial on GRANT and REVOKE


The grant command is mainly used to grant privileges.

Syntax:

1   grant privilege on database_object to user;   // grants the user only the given privilege on the given database object

    grant privilege on database_object to user@'ip_or_localhost';  // Note: prefer this form, because MySQL matches an account by both User and Host.

2   grant privilege on database_object to user@'ip' identified by 'password';   // grants the user connecting from that IP the privilege on the database object, and sets that user's password.

3   grant privilege on database_object to user@'ip' identified by 'password' with grant option; // in addition to item 2, also allows the user at that IP to grant privileges to other users. The Grant_priv column for that user in mysql.user becomes Y, i.e. the user can itself run grant to give other users privileges from within its own set. (Note: without with grant option that column is N.)

English reference documentation:

After creating a new user account, the user doesn’t have any privileges. To grant privileges to a user account, you use the GRANT statement.

The following illustrates the syntax of the GRANT statement:

Let’s examine the GRANT statement in greater detail.

  • First, specify one or more privileges after the GRANT keyword. If you grant the user multiple privileges, each privilege is separated by a comma (see the list of privileges below).
  • Next, specify the privilege_level that determines the level at which the privileges apply. MySQL supports global (*.*), database (database.*), table (database.table) and column levels. If you use the column privilege level, you must specify one column or a comma-separated list of columns after each privilege.
  • Then, specify the user that you want to grant privileges to. If the user already exists, the GRANT statement modifies its privileges. Otherwise, the GRANT statement creates a new user. The optional IDENTIFIED BY clause allows you to set a new password for the user.
  • After that, you specify whether the user has to connect to the database server over a secure connection such as SSL, X509, etc.
  • Finally, the optional WITH GRANT OPTION clause allows the user to grant to other users, or remove from other users, the privileges that it possesses. In addition, you can use the WITH clause to allocate the MySQL database server's resources, e.g., to set how many connections or statements the user can use per hour. This is very helpful in shared environments such as MySQL shared hosting.

Notice that in order to use the GRANT statement, you must have the GRANT OPTION privilege and the privileges that you are granting. If the read_only system variable is enabled, you need to have the SUPER privilege to execute the GRANT statement.

Let’s practice with some examples of using MySQL GRANT statement to have a better understanding.


MySQL GRANT examples

For example, the following CREATE USER statement creates a new super user account.

CREATE USER super@localhost IDENTIFIED BY 'dolphin';

To display the privileges assigned to the super@localhost user, you use the SHOW GRANTS statement.

SHOW GRANTS FOR super@localhost;

If no privileges have been granted to the user yet, the output is:

+-------------------------------------------+
| Grants for super@localhost                |
+-------------------------------------------+
| GRANT USAGE ON *.* TO `super`@`localhost` |
+-------------------------------------------+
1 row in set (0.00 sec)

To grant all privileges to the super@localhost user account, you use the following statement. Note that the USAGE privilege means no privileges in MySQL.

GRANT ALL ON *.* TO 'super'@'localhost' WITH GRANT OPTION; // give the local super user full privileges (including grant)

The 

The available privileges are:

SELECT / INSERT / UPDATE / DELETE / DROP / CREATE / CREATE USER / ALTER / ALTER ROUTINE (use alter procedure and drop procedure) / CREATE ROUTINE (use create procedure) / CREATE TEMPORARY TABLES (use create temporary table) / CREATE VIEW / EXECUTE (use call and stored procedures) / EVENT / FILE (use select into outfile and load data infile) / GRANT OPTION (can use grant and revoke) / ALL / ALL PRIVILEGES / INDEX (can use create index and drop index) / LOCK TABLES (lock tables) / PROCESS (use show full processlist) / RELOAD (use flush) / REPLICATION CLIENT (query server location information) / REPLICATION SLAVE (used by replication slaves) / SHOW DATABASES / SHOW VIEW / SHUTDOWN (use mysqladmin shutdown to stop mysql) / SUPER / USAGE (no privileges)

ALL PRIVILEGES; // same as ALL

Database objects:

*.*  all databases and all tables.

databaseName.*  all tables in one database

databaseName.tableName   one table in one database

When setting privileges you must supply the following:
1. the privileges to grant
2. the database or table on which access is granted
3. the user name (and the host? sometimes the host can be omitted)
grant and revoke can control access at several levels:
1. the whole server, using grant ALL and revoke ALL
2. a whole database, using on database.*
3. a specific table, using on database.table
4. specific columns
5. specific stored procedures
 
Meaning of the values in the host column of the user table:
%              matches every host
localhost      localhost is not resolved to an IP address; the connection goes directly through the UNIX socket
127.0.0.1      connects over TCP/IP, and only from the local machine
::1            the IPv6 equivalent of 127.0.0.1 in IPv4
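To show how MySQL tells accounts apart by the (User, Host) pair and where WITH GRANT OPTION is recorded, here is an added example that is not part of the original article; the names appdb, app_user and the 10.0.0.% range, and the passwords, are assumed placeholders.

```sql
-- Added example (not from the original article): the same user name with
-- different Host values is two separate accounts, each with its own grants.
-- Names (appdb, app_user, 10.0.0.%) and passwords are assumed placeholders.

-- Account reachable only over the local UNIX socket; it may delegate its
-- appdb privileges to others (WITH GRANT OPTION).
CREATE USER 'app_user'@'localhost' IDENTIFIED BY 'placeholder-local-pw';
GRANT SELECT, INSERT, UPDATE, DELETE ON appdb.* TO 'app_user'@'localhost'
  WITH GRANT OPTION;

-- Same user name, different Host: a separate account with its own, smaller
-- grant set. A subnet pattern is used instead of the catch-all '%'.
CREATE USER 'app_user'@'10.0.0.%' IDENTIFIED BY 'placeholder-net-pw';
GRANT SELECT ON appdb.* TO 'app_user'@'10.0.0.%';

-- Writing "TO app_user" with no host would address 'app_user'@'%', a third
-- account reachable from anywhere, not either of the two above.

-- One row per (User, Host) pair in mysql.user ...
SELECT User, Host FROM mysql.user WHERE User = 'app_user';

-- ... and, because these grants are database-level, the grant option is
-- recorded in mysql.db (Grant_priv = 'Y' for localhost, 'N' for 10.0.0.%).
-- A global "ON *.* ... WITH GRANT OPTION" sets mysql.user.Grant_priv instead.
SELECT User, Host, Grant_priv FROM mysql.db WHERE Db = 'appdb';

-- Each account reports only its own grant set.
SHOW GRANTS FOR 'app_user'@'localhost';
SHOW GRANTS FOR 'app_user'@'10.0.0.%';
```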

Usage examples:

Grant an ordinary data user the right to query, insert, update and delete data in all tables of a database:

grant select, insert, update, delete on testdb.* to common_user@'%';

Grant a database developer the privileges to create tables, indexes, views, stored procedures, functions and so on:

Grant the privileges to create, alter and drop MySQL table structures:

grant create on testdb.* to developer@'192.168.0.%';

grant alter on testdb.* to developer@'192.168.0.%';

grant drop on testdb.* to developer@'192.168.0.%';

Grant the privilege to work with MySQL foreign keys:

grant references on testdb.* to developer@'192.168.0.%';

Grant the privilege to work with MySQL temporary tables:

grant create temporary tables on testdb.* to developer@'192.168.0.%';

Grant the privilege to work with MySQL indexes:

grant index on testdb.* to developer@'192.168.0.%';

Grant the privileges to work with MySQL views and to view a view's definition:

grant create view on testdb.* to developer@'192.168.0.%';

grant show view on testdb.* to developer@'192.168.0.%';

Grant the privileges to work with MySQL stored procedures and functions:

grant create routine on testdb.* to developer@'192.168.0.%'; -- now the user can run show procedure status

grant alter routine on testdb.* to developer@'192.168.0.%'; -- now the user can drop a procedure

grant execute on testdb.* to developer@'192.168.0.%';

grant applied to the whole MySQL server:

grant select on *.* to dba@localhost; -- dba can query the tables in every database on the MySQL server.

grant all on *.* to dba@localhost; -- dba can administer every database on the MySQL server.

grant applied to a single database:

grant select on testdb.* to dba@localhost; -- dba can query the tables in testdb.

grant applied to a single table:

grant select, insert, update, delete on testdb.orders to dba@localhost;

grant applied to columns of a table:

grant select(id, se, rank) on testdb.apache_log to dba@localhost;

grant applied to a stored procedure or function:

grant execute on procedure testdb.pr_add to 'dba'@'localhost';

grant execute on function testdb.fn_add to 'dba'@'localhost';

Note: after changing privileges, be sure to reload the privileges or restart the service. To reload, use: FLUSH PRIVILEGES


Likewise, the English documentation for revoke:

Introduction to the MySQL REVOKE Statement

In order to revoke privileges from a user account, you use the MySQL REVOKE statement. MySQL allows you to revoke one or more privileges or all privileges from a user.

The following illustrates the syntax of revoking specific privileges from a user:

Let’s examine the MySQL REVOKE statement in more detail.

  • First, specify a list of privileges that you want to revoke from a user right after the REVOKE keyword. You need to separate privileges by commas.
  • Second, specify the privilege level at which the privileges are revoked in the ON clause.
  • Third, specify the user account from which you want to revoke the privileges in the FROM clause.

Note that to revoke privileges from a user account, you must have GRANT OPTION privilege and the privileges that you are revoking.

To revoke all privileges from a user, you use the following form of the REVOKE statement:

To execute the REVOKE ALL statement, you must have the global CREATE USER privilege or the UPDATE privilege for the mysql database.

To revoke proxy user, you use the REVOKE PROXY command as follows:

A proxy user is a valid user in MySQL who can impersonate another user, therefore, the proxy user has all privileges of the user that it impersonates.

Before revoking privileges from a user, it is good practice to check whether the user has the privileges by using the SHOW GRANTS statement as follows:

Usage examples:

// view the rfc user's privileges

SHOW GRANTS FOR rfc;

// MySQL returns:

GRANT SELECT, UPDATE, DELETE ON 'classicmodels'.* TO 'rfc'@'%'

// create the rfc user (if it does not already exist) and set its password

CREATE USER IF NOT EXISTS rfc IDENTIFIED BY 'dolphin';

// grant privileges

GRANT SELECT, UPDATE, DELETE ON classicmodels.* TO rfc;

// revoke the rfc user's update and delete privileges

REVOKE UPDATE, DELETE ON classicmodels.* FROM rfc;

// view rfc's privileges (the account created above is 'rfc'@'%', so that is the account to query)

SHOW GRANTS FOR 'rfc'@'%';

// result:

GRANT SELECT ON 'classicmodels'.* TO 'rfc'@'%'

// revoke all of rfc's privileges, including the grant option

REVOKE ALL PRIVILEGES, GRANT OPTION FROM rfc;

// view rfc's privileges

SHOW GRANTS FOR 'rfc'@'%';

// result:

Note that USAGE privilege means no privileges in MySQL.
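The grant examples at the different levels above and the revoke walkthrough fit together as one script; the following is an added example, not code from the original article. The database, table and procedure names follow the article's examples (testdb, orders, apache_log, pr_add); report_user, its host and its password are assumed placeholders.

```sql
-- Added example (not from the original article): grant at several levels,
-- then take privileges back and verify each step with SHOW GRANTS.
-- report_user, its host and password are assumed placeholders.
CREATE USER IF NOT EXISTS 'report_user'@'192.168.0.%' IDENTIFIED BY 'placeholder-pw';

-- Database level: read everything in testdb.
GRANT SELECT ON testdb.* TO 'report_user'@'192.168.0.%';
-- Table level: write only to orders.
GRANT INSERT, UPDATE ON testdb.orders TO 'report_user'@'192.168.0.%';
-- Column level: update only the se column of apache_log.
GRANT UPDATE (se) ON testdb.apache_log TO 'report_user'@'192.168.0.%';
-- Routine level: may call pr_add, but gets no other privilege on testdb routines.
GRANT EXECUTE ON PROCEDURE testdb.pr_add TO 'report_user'@'192.168.0.%';

SHOW GRANTS FOR 'report_user'@'192.168.0.%';
-- Expected: one GRANT line per level, e.g.
--   GRANT USAGE ON *.* TO `report_user`@`192.168.0.%`
--   GRANT SELECT ON `testdb`.* TO `report_user`@`192.168.0.%`
--   GRANT INSERT, UPDATE ON `testdb`.`orders` TO `report_user`@`192.168.0.%`
--   GRANT UPDATE (`se`) ON `testdb`.`apache_log` TO `report_user`@`192.168.0.%`
--   GRANT EXECUTE ON PROCEDURE `testdb`.`pr_add` TO `report_user`@`192.168.0.%`

-- Revoke at the same level as the grant: this removes the writes on orders
-- and leaves the database-level SELECT untouched.
REVOKE INSERT, UPDATE ON testdb.orders FROM 'report_user'@'192.168.0.%';

-- Revoking at a level where nothing was granted does not silently succeed;
-- the statement below fails with "There is no such grant defined ...",
-- because INSERT was never granted on testdb.* as a whole.
-- REVOKE INSERT ON testdb.* FROM 'report_user'@'192.168.0.%';

-- Offboarding: remove everything at every level, including any
-- GRANT OPTION, in a single statement.
REVOKE ALL PRIVILEGES, GRANT OPTION FROM 'report_user'@'192.168.0.%';
SHOW GRANTS FOR 'report_user'@'192.168.0.%';
-- Expected: only GRANT USAGE ON *.* ... remains (USAGE = no privileges).

-- GRANT and REVOKE update the in-memory grant tables immediately;
-- FLUSH PRIVILEGES is needed only after editing the mysql.* tables directly.
```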

In summary:
grant privilege  on  database_object  to  user;
revoke privilege on database_object  from  user;