本文介紹角色權限管理相關語法及示例。
PolarDB-X兼容原生MySQL 8.0基于角色的權限控制,MySQL文檔請參見基于角色的權限控制。
創建角色
語法:
CREATE ROLE role [, role]...參數role同user一樣也由Name和Host這兩部分組成,其中:
- Name不能為空;
- Host需滿足如下規則:
- 必須是純IP地址,可以包含下劃線(_)和百分號(%),但這兩個符號僅代表2個普通字符,并不具備通配符意義;
- Host留空等于%,但也是精準匹配,不具備通配符意義。
示例:
CREATE ROLE 'role_ro'@'%', 'role_write';刪除角色
語法:
DROP ROLE role [, role] ...示例:
DROP ROLE 'role_ro'@'%';授予角色
將權限授予角色語法:
GRANT priv_type [, priv_type] ... ON priv_level TO role [, role]... [WITH GRANT OPTION]示例:
GRANT ALL PRIVILEGES ON db1.* TO 'role_write';語法:
GRANT role [, role] ...
TO user_or_role [, user_or_role] ...
[WITH ADMIN OPTION]說明:
- 執行該命令必須滿足如下條件的其中之一:
- 當前用戶有CREATE_USER權限;
- 當前用戶對Role有admin權限;
- 如果包含WITH ADMIN OPTION選項,則目標用戶對該Role擁有admin權限;
- 將角色授予用戶并不代表此用戶已擁有該角色下的權限,您還需要通過
SET DEFAULT ROLE語句和SET ROLE語句為用戶設置需要激活的角色。
示例:
GRANT 'role_write' TO 'user1'@'127.0.0.1';語法:
SET DEFAULT ROLE
{NONE | ALL | role [, role ] ...}
TO user [, user ] ...執行該命令必須滿足如下條件的其中之一:
- 語句中所提到的Role已通過GRANT命令授予給目標用戶;
- 當前用戶為目標用戶,或當前用戶有CREATE_USER權限。
示例:
SET DEFAULT ROLE 'role_write' TO 'user1'@'127.0.0.1';語法:
SET ROLE {
DEFAULT
| NONE
| ALL
| ALL EXCEPT role [, role ] ...
| role [, role ] ...
}說明
- 若選擇執行
SET ROLE DEFAULT,則當前激活的角色為SET DEFAULT ROLE命令中選擇的角色; - 通過該語法激活的角色僅對使用當前連接的用戶生效。
示例:
SET ROLE 'role_write';;查看角色權限
語法:
SHOW GRANTS
[FOR user_or_role
[USING role [, role] ...]]示例:
SHOW GRANTS FOR 'role_write'@'%';
+---------------------------------------------------+
| GRANTS FOR 'ROLE_WRITE'@'%' |
+---------------------------------------------------+
| GRANT USAGE ON *.* TO 'role_write'@'%' |
| GRANT ALL PRIVILEGES ON db1.* TO 'role_write'@'%' |
+---------------------------------------------------+
SHOW GRANTS FOR 'user1'@'127.0.0.1' USING 'role_write';
+------------------------------------------------------+
| GRANTS FOR 'USER1'@'127.0.0.1' |
+------------------------------------------------------+
| GRANT USAGE ON *.* TO 'user1'@'127.0.0.1' |
| GRANT ALL PRIVILEGES ON db1.* TO 'user1'@'127.0.0.1' |
| GRANT 'role_write'@'%' TO 'user1'@'127.0.0.1' |
+------------------------------------------------------+
-- 以user1的會話執行
SELECT CURRENT_ROLE();
+------------------+
| CURRENT_ROLE() |
+------------------+
| 'role_write'@'%' |
+------------------+回收角色
回收角色的權限語法:
REVOKE priv_type [, priv_type] ... ON priv_level FROM role [, role]...示例:
REVOKE ALL PRIVILEGES ON db1.* FROM 'role_write';
SHOW GRANTS FOR 'role_write'@'%';
+----------------------------------------+
| GRANTS FOR 'ROLE_WRITE'@'%' |
+----------------------------------------+
| GRANT USAGE ON *.* TO 'role_write'@'%' |
+----------------------------------------+語法:
REVOKE role [, role ] ... FROM user_or_role [, user_or_role ] ...示例:
SHOW GRANTS FOR 'user1'@'127.0.0.1';
+-----------------------------------------------+
| GRANTS FOR 'USER1'@'127.0.0.1' |
+-----------------------------------------------+
| GRANT USAGE ON *.* TO 'user1'@'127.0.0.1' |
| GRANT SELECT ON db1.* TO 'user1'@'127.0.0.1' |
| GRANT 'role_write'@'%' TO 'user1'@'127.0.0.1' |
+-----------------------------------------------+
REVOKE 'role_write' FROM 'user1'@'127.0.0.1';
SHOW GRANTS FOR 'user1'@'127.0.0.1';
+----------------------------------------------+
| GRANTS FOR 'USER1'@'127.0.0.1' |
+----------------------------------------------+
| GRANT USAGE ON *.* TO 'user1'@'127.0.0.1' |
| GRANT SELECT ON db1.* TO 'user1'@'127.0.0.1' |
+----------------------------------------------+