权限模型
HybridDB for MySQL的权限管理是参照MySQL的权限实现,控制登录的用户具备哪些数据库操作权限。具体用法请参见MySQL官方文档
支持的权限粒度
HybridDB for MySQL支持下面四种级别的权限控制,细化数据库权限控制的粒度。例如,如果希望创建一个User只能查询(SELECT)某个表的记录,就可以只赋予这个User对于这个TABLE的SELECT权限。
- global
- db
- table
- column
HybridDB for MySQL数据操作主要命令权限映射关系
| 命令 | 需要的权限 | Database | Table | Column | 备注 |
|---|---|---|---|---|---|
| Select | Select | √ | √ | √ | - |
| Insert | Insert | √ | √ | √ | - |
| Insert … select …. | Insert + Select | √ | √ | √ | - |
| Update | Update | √ | √ | √ | - |
| Delete | Delete | √ | √ | × | - |
| Truncate Table | Drop | √ | √ | × | - |
| Alter Table | Alter + Insert + Create | √ | √ | × | - |
| Create Database | Create | × | × | × | - |
| Create Table | Create | √ | √ | × | - |
| Drop Database | Drop | √ | × | × | - |
| Drop Table | Drop | √ | √ | × | - |
| Create View | Create_View | × | × | × | - |
| Drop View | Drop | × | × | × | - |
| Alter View | Create_View | × | × | × | - |
| CREATE_PROCEDURE | CREATE_ROUTINE | × | × | × | - |
| DROP_PROCEDURE | ALTER_ROUTINE | × | × | × | - |
| CREATE_EVENT | EVENT | × | × | × | - |
| DROP_EVENT | EVENT | × | × | × | - |
| Create User/Drop User/Rename User | Create_User | × | × | × | 创建/删除/修改用户 |
| Set Password | Super | × | × | × | 设置密码命令 |
| Grant/Revoke | Grant | × | × | × | 授权命令 |
权限相关命令
注意
CREATE USER Account_Name命令中,Account_Name格式为:'user_name'@'host_name'。当前版本的host_name仅允许传入通配符'%',即所有客户端主机都能匹配成功,目前通过白名单功能拦截客户端主机。
CREATE USER
语法:
CREATE USER
[if not exists] user [auth_option] [, [if not exists] user [auth_option]] ...
auth_option: {
IDENTIFIED BY 'auth_string'
| IDENTIFIED BY PASSWORD 'hash_string'
}MySQL CREATE USER命令文档:https://dev.mysql.com/doc/refman/5.6/en/create-user.html
相较于MySQL的CREATE USER语法,HybridDB for MySQL的语法有如下不同之处:
auth_option中不支持IDENTIFIED WITH auth_pluginIDENTIFIED WITH auth_plugin AS 'hash_string'
- 增加了
if not exists的支持
示例:
CREATE USER if not exists 'test'@'%' IDENTIFIED BY 'passwd';
CREATE USER 'test2'@'%' IDENTIFIED BY 'passwd';执行需要具备权限
CREATE USER权限。
RENAME USER
修改用户名。
语法:
RENAME USER old_user TO new_user
[, old_user TO new_user] ...DROP USER
语法:
DROP USER [if exists] user [, [if exists] user] ...
示例:
dropuserifexists'test'@'%', ifexists'test2'执行需要具备权限
CREATE USER privilege
GRANT
GRANT
priv_type [(column_list)]
[, priv_type [(column_list)]] ...
ON priv_level
TO user [auth_option]
[WITH {GRANT OPTION}]
priv_level: {
*
| *.*
| db_name.*
| db_name.tbl_name
| tbl_name
}
auth_option: {
IDENTIFIED BY 'auth_string'
| IDENTIFIED BY PASSWORD 'hash_string'
}示例:
#创建全局DML账号
grant insert,select,update,delete on *.* to 'test'@'%' identified by 'testpassword';
#创建db级别DML账号
grant insert,select,update,delete on dbName.* to 'test'@'%' identified by 'testpassword';执行需要具备权限
- GRANT OPTION privilege
- 对赋予的权限,执行GRANT语句的用户必须拥有该权限
REVOKE
语法一:
REVOKE
priv_type [(column_list)]
[, priv_type [(column_list)]] ...
ON [object_type] priv_level
FROM user示范
#回收只读权限
revoke select on db.table from 'test'@'%'执行需要具备权限
- GRANT OPTION privilege
- 对回收的权限,执行REVOKE语句的用户必须拥有该权限
语法二:
回收用户的所有权限。
REVOKE ALL [PRIVILEGES], GRANT OPTION
FROM user执行需要具备权限
CREATE USER privilege
查看当前用户的权限
SHOW GRANTS