这就结束了?
# 使用 [read_user1] 用户登录$ mysql -u read_user1 -p# 并没有已授权的[app_db]mysql> show databases;+--------------------+| Database|+--------------------+| information_schema |+--------------------+1 row in set (0.00 sec)# 当前也没有任何角色生效mysql> SELECT CURRENT_ROLE();+----------------+| CURRENT_ROLE() |+----------------+| NONE|+----------------+1 row in set (0.00 sec)当然,没有结束,默认情况前面创建的角色并未被激活 , 最后一步是还需要“激活角色”:
# 5.激活角色:即设置用户的默认角色,前提是用户有分配角色(前第4步)# 设置用户 [admin_user] 登录的默认角色是 {app_owner}SET DEFAULT ROLE 'app_owner' TO admin_user;# 一步到位:SET DEFAULT ROLE ALL,指的是将用户所有的角色都设置为默认角色SET DEFAULT ROLE ALL TO admin_user, read_user1, read_user2, rw_user1;# 查看默认角色设置mysql> select * from mysql.default_roles;+------+------------+-------------------+-------------------+| HOST | USER| DEFAULT_ROLE_HOST | DEFAULT_ROLE_USER |+------+------------+-------------------+-------------------+| %| admin_user | %| app_owner|| %| read_user1 | %| app_read|| %| read_user2 | %| app_read|| %| rw_user1| %| app_read|| %| rw_user1| %| app_write|+------+------------+-------------------+-------------------+5 rows in set (0.06 sec)# 若要删除默认角色设置:SET DEFAULT ROLE none TO user_name;# 另一种激活角色方式:通过设置 activate_all_roles_on_login = ON,实现用户登录时自动激活角色2、会话间的角色互换拥有多角色的用户,在当前会话里可以进行角色互换:SET ROLE role_name;$ mysql-u rw_user1 -p# 如前设置,激活默认是全部角色mysql> select current_role();+--------------------------------+| current_role()|+--------------------------------+| `app_read`@`%`,`app_write`@`%` |+--------------------------------+1 row in set (0.05 sec)# 切换到角色 {app_read}mysql> set role app_read;Query OK, 0 rows affected (0.05 sec)mysql> select current_role();+----------------+| current_role() |+----------------+| `app_read`@`%` |+----------------+1 row in set (0.06 sec)# app_read 角色是只读权限,insert操作是被拒绝的mysql> insert into app_db.t1(id) values(1);ERROR 1142 (42000): INSERT command denied to user 'rw_user1'@'10.99.17.133' for table 't1'# 切换到角色 {app_write}mysql> set role app_write;Query OK, 0 rows affected (0.05 sec)mysql> select current_role();+-----------------+| current_role()|+-----------------+| `app_write`@`%` |+-----------------+1 row in set (0.05 sec)# 切换到 app_write 角色是有插入权限,insert成功mysql> insert into app_db.t1(id) values(1);Query OK, 1 row affected (0.10 sec)3、何为强制角色mandatory_roles:强制所有用户默认角色 , 可以通过在 mandatory_roles 系统变量的值中命名角色,可以将角色指定为强制角色 ,服务器将强制角色视为授予所有用户 , 因此无需明确授予任何帐户 。# 设置强制给所有用户赋予角色{app_read}mysql> set global mandatory_roles = 'app_read';Query OK, 0 rows affected (0.06 sec)# 顺便设置默认激活角色mysql> set global activate_all_roles_on_login = on;Query OK, 0 rows affected (0.06 sec)# 创建新用户[kuzma]mysql> CREATE USER kuzma IDENTIFIED BY 'xxx';Query OK, 0 rows affected (0.06 sec)# 用户[kuzma]登录$ mysql -u kuzma -p# 查看用户权限,是被挂上了"强制角色"{app_read}的> show grants;+-------------------------------------------+| Grants for kuzma@%|+-------------------------------------------+| GRANT USAGE ON *.* TO `kuzma`@`%`|| GRANT SELECT ON `app_db`.* TO `kuzma`@`%` || GRANT `app_read`@`%` TO `kuzma`@`%`|+-------------------------------------------+3 rows in set (0.05 sec)4、撤销/删除角色# 撤销角色,从用户上拿掉某一角色,即同时的撤销该角色拥有的权限集合REVOKE role_name FROM user_name;# 回收角色上的授权(和旧时的用户回收权限类似)REVOKE DELETE ON db_name.* FROM role_name;# 删除角色DROP ROLE role_name1, role_name2;注意:无论是撤销 , 还是删除,都不能动 mandatory_roles 系统变量值中的强制角色 。5、用户也可以是个角色没错,用户也可以是个角儿 ^_~,这是怎么回事儿呢?其实 , 就用户也可以当角色来用的:# 8.0以前的MySQL GRANT语法中,用户权限授予到另一个用户上是违法的mysql> select @@version;+------------+| @@version|+------------+| 5.7.26-log |+------------+1 row in set (0.06 sec)mysql> CREATE USER user1, user2;Query OK, 0 rows affected (0.05 sec)mysql> GRANT user1 TO user2;ERROR 1064 (42000): You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'user1 TO user2' at line 1# 8.0之后是实现了用户和角色可互换性mysql> select @@version;+-----------+| @@version |+-----------+| 8.0.23|+-----------+1 row in set (0.05 sec)mysql> CREATE USER user1, user2;Query OK, 0 rows affected (0.07 sec)# 给用户[user1]授权mysql> GRANT SELECT ON app_db.* TO user1;Query OK, 0 rows affected (0.06 sec)# 把[user1]的权限授予给[user2] ---> 未报错,语法通过的mysql> GRANT user1 TO user2;Query OK, 0 rows affected (0.06 sec)# 查看[user2]的权限 , 可以看到是把[user1]用户作为一个角色来授予mysql> SHOW GTANTS FOR user2;+-----------------------------------+| Grants for user2@%|+-----------------------------------+| GRANT USAGE ON *.* TO `user2`@`%` || GRANT `user1`@`%` TO `user2`@`%`|+-----------------------------------+2 rows in set (0.05 sec)# 查看[user2]的详细权限mysql> SHOW GTANTS FOR user2 USING user1;+-------------------------------------------+| Grants for user2@%|+-------------------------------------------+| GRANT USAGE ON *.* TO `user2`@`%`|| GRANT SELECT ON `app_db`.* TO `user2`@`%` || GRANT `user1`@`%` TO `user2`@`%`|+-------------------------------------------+3 rows in set (0.05 sec)
推荐阅读
- python+request+pymysql+pytest数据驱动
- CentOS 7.9 安装 MySQL 5.7.35
- 关于windows-server-下MySQL Community版本的的安装与配置
- CentOS 7 下安装 MySQL 8.x
- 2021年Q4手机用户偏好榜-2021年安兔兔第四季度用户偏好榜
- day04-MySQL常用函数01
- 我操作MySQL的惊险一幕
- centos7中配置java + mysql +jdk+使用jar部署项目
- day03-MySQL基础知识02
- gRPC+Protocol Buffer Go微服务实战 - 用户服务开发