title | summary | category |
---|---|---|
Privilege Management |
Learn how to manage the privilege. |
user guide |
TiDB's privilege management system is implemented according to the privilege management system in MySQL. It supports most of the syntaxes and privilege types in MySQL. If you find any inconsistency with MySQL, feel free to open an issue.
TiDB user account names consist of a user name and a host name. The account name syntax is 'user_name'@'host_name'
.
- The
user_name
is case sensitive. - The
host_name
can be a host name or an IP address. The%
and_
wildcard characters are permitted in host name or IP address values. For example, a host value of'%'
matches any host name and'192.168.1.%'
matches every host on a subnet.
The CREATE USER
statement creates new MySQL accounts.
CREATE USER 'test'@'127.0.0.1' IDENTIFIED BY 'xxx';
If the host name is not specified, you can log in from any IP address. If the password is not specified, it is empty by default:
CREATE USER 'test';
Equals:
CREATE USER 'test'@'%' IDENTIFIED BY '';
Required Privilege: To use CREATE USER
, you must have the global CREATE USER
privilege.
You can use the SET PASSWORD
syntax to assign or modify a password to a user account.
SET PASSWORD FOR 'root'@'%' = 'xxx';
Required Privilege: Operations that assign or modify passwords are permitted only to users with the CREATE USER
privilege.
The DROP USER
statement removes one or more MySQL accounts and their privileges. It removes the user record entries in the mysql.user
table and the privilege rows for the account from all grant tables.
DROP USER 'test'@'%';
Required Privilege: To use DROP USER
, you must have the global CREATE USER
privilege.
If you forget the root password, you can skip the privilege system and use the root privilege to reset the password.
To reset the root password,
-
Start TiDB with a special startup option (root privilege required):
sudo ./tidb-server -skip-grant-table=true
-
Use the root account to log in and reset the password:
mysql -h 127.0.0.1 -P 4000 -u root
The GRANT
statement grants privileges to the user accounts.
For example, use the following statement to grant the xxx
user the privilege to read the test
database.
GRANT SELECT ON test.* TO 'xxx'@'%';
Use the following statement to grant the xxx
user all privileges on all databases:
GRANT ALL PRIVILEGES ON *.* TO 'xxx'@'%';
If the granted user does not exist, TiDB will automatically create a user.
mysql> SELECT * FROM mysql.user WHERE user='xxxx';
Empty set (0.00 sec)
mysql> GRANT ALL PRIVILEGES ON test.* TO 'xxxx'@'%' IDENTIFIED BY 'yyyyy';
Query OK, 0 rows affected (0.00 sec)
mysql> SELECT user,host FROM mysql.user WHERE user='xxxx';
+------|------+
| user | host |
+------|------+
| xxxx | % |
+------|------+
1 row in set (0.00 sec)
In this example, xxxx@%
is the user that is automatically created.
Note: Granting privileges to a database or table does not check if the database or table exists.
mysql> SELECT * FROM test.xxxx;
ERROR 1146 (42S02): Table 'test.xxxx' doesn't exist
mysql> GRANT ALL PRIVILEGES ON test.xxxx TO xxxx;
Query OK, 0 rows affected (0.00 sec)
mysql> SELECT user,host FROM mysql.tables_priv WHERE user='xxxx';
+------|------+
| user | host |
+------|------+
| xxxx | % |
+------|------+
1 row in set (0.00 sec)
You can use fuzzy matching to grant privileges to databases and tables.
mysql> GRANT ALL PRIVILEGES ON `te%`.* TO genius;
Query OK, 0 rows affected (0.00 sec)
mysql> SELECT user,host,db FROM mysql.db WHERE user='genius';
+--------|------|-----+
| user | host | db |
+--------|------|-----+
| genius | % | te% |
+--------|------|-----+
1 row in set (0.00 sec)
In this example, because of the %
in te%
, all the databases starting with te
are granted the privilege.
The REVOKE
statement enables system administrators to revoke privileges from the user accounts.
The REVOKE
statement corresponds with the REVOKE
statement:
REVOKE ALL PRIVILEGES ON `test`.* FROM 'genius'@'localhost';
Note: To revoke privileges, you need the exact match. If the matching result cannot be found, an error will be displayed:
mysql> REVOKE ALL PRIVILEGES ON `te%`.* FROM 'genius'@'%';
ERROR 1141 (42000): There is no such grant defined for user 'genius' on host '%'
About fuzzy matching, escape, string and identifier:
mysql> GRANT ALL PRIVILEGES ON `te\%`.* TO 'genius'@'localhost';
Query OK, 0 rows affected (0.00 sec)
This example uses exact match to find the database named te%
. Note that the %
uses the \
escape character so that %
is not considered as a wildcard.
A string is enclosed in single quotation marks(''), while an identifier is enclosed in backticks (``). See the differences below:
mysql> GRANT ALL PRIVILEGES ON 'test'.* TO 'genius'@'localhost';
ERROR 1064 (42000): You have an error in your SQL syntax; check the
manual that corresponds to your MySQL server version for the right
syntax to use near ''test'.* to 'genius'@'localhost'' at line 1
mysql> GRANT ALL PRIVILEGES ON `test`.* TO 'genius'@'localhost';
Query OK, 0 rows affected (0.00 sec)
If you want to use special keywords as table names, enclose them in backticks (``). For example:
mysql> CREATE TABLE `select` (id int);
Query OK, 0 rows affected (0.27 sec)
You can use the SHOW GRANTS
statement to see what privileges are granted to a user. For example:
SHOW GRANTS; -- show grants for the current user
SHOW GRANTS FOR 'root'@'%'; -- show grants for a specific user
To be more precise, you can check the privilege information in the Grant
table. For example, you can use the following steps to check if the test@%
user has the Insert
privilege on db1.t
:
-
Check if
test@%
has globalInsert
privilege:SELECT Insert_priv FROM mysql.user WHERE user='test' AND host='%';
-
If not, check if
test@%
has database-levelInsert
privilege atdb1
:SELECT Insert_priv FROM mysql.db WHERE user='test' AND host='%';
-
If the result is still empty, check whether
test@%
has table-levelInsert
privilege atdb1.t
:SELECT table_priv FROM mysql.tables_priv WHERE user='test' AND host='%' AND db='db1';
The following system tables are special because all the privilege-related data is stored in them:
- mysql.user (user account, global privilege)
- mysql.db (database-level privilege)
- mysql.tables_priv (table-level privilege)
- mysql.columns_priv (column-level privilege; not currently supported)
These tables contain the effective range and privilege information of the data. For example, in the mysql.user
table:
mysql> SELECT User,Host,Select_priv,Insert_priv FROM mysql.user LIMIT 1;
+------|------|-------------|-------------+
| User | Host | Select_priv | Insert_priv |
+------|------|-------------|-------------+
| root | % | Y | Y |
+------|------|-------------|-------------+
1 row in set (0.00 sec)
In this record, Host
and User
determine that the connection request sent by the root
user from any host (%
) can be accepted. Select_priv
and Insert_priv
mean that the user has global Select
and Insert
privilege. The effective range in the mysql.user
table is global.
Host
and User
in mysql.db
determine which databases users can access. The effective range is the database.
In theory, all privilege-related operations can be done directly by the CRUD operations on the grant table.
On the implementation level, only a layer of syntactic sugar is added. For example, you can use the following command to remove a user:
DELETE FROM mysql.user WHERE user='test';
However, the recommended usage is with DROP USER
:
DROP USER 'test';
When the client sends a connection request, TiDB server will verify the login operation. TiDB server first checks the mysql.user
table. If a record of User
and Host
matches the connection request, TiDB server then verifies the Password
.
User identity is based on two pieces of information: Host
, the host that initiates the connection, and User
, the user name. If the user name is not empty, the exact match of user named is a must.
User
+Host
may match several rows in user
table. To deal with this scenario, the rows in the user
table are sorted. The table rows will be checked one by one when the client connects; the first matched row will be used to verify. When sorting, Host is ranked before User.
When the connection is successful, the request verification process checks whether the operation has the privilege.
For database-related requests (INSERT
, UPDATE
), the request verification process first checks the user’s global privileges in the mysql.user
table. If the privilege is granted, you can access directly. If not, check the mysql.db
table.
The user
table has global privileges regardless of the default database. For example, the DELETE
privilege in user
can apply to any row, table, or database.
In the Db
table, an empty user is to match the anonymous user name. Wildcards are not allowed in the User
column. The value for the Host
and Db
columns can use %
and _
, which can use pattern matching.
Data in the user
and db
tables is also sorted when loaded into memory.
The use of %
in tables_priv
and columns_priv
is similar, but column value in Db
, Table_name
and Column_name
cannot contain %
. The sorting is also similar when loaded.
When TiDB starts, some privilege-check tables are loaded into memory, and then the cached data is used to verify the privileges. The system will periodically synchronize the grant
table from database to cache. Time of effect is determined by the synchronization cycle. Currently, the value is 5 minutes.
If an immediate effect is needed when you modify the grant
table, you can run the following command:
FLUSH PRIVILEGES;
Currently, the following privileges are not checked yet because they are less frequently used:
- FILE
- USAGE
- SHUTDOWN
- EXECUTE
- PROCESS
- INDEX
- ...
Note: The column-level privilege is not implemented at this stage.
CREATE USER [IF NOT EXISTS]
user [auth_spec] [, user [auth_spec]] ...
auth_spec: {
IDENTIFIED BY 'auth_string'
| IDENTIFIED BY PASSWORD 'hash_string'
}
For more information about the user account, see TiDB user account management.
-
IDENTIFIED BY 'auth_string'
It is used to set the login password.
auth_string
is encrypted by TiDB and stored in themysql.user
table. -
IDENTIFIED BY PASSWORD 'hash_string'
It is also used to set the login password.
hash_string
is a 41-character string similar to*EBE2869D7542FCE37D1C9BBC724B97BDE54428F1
, which is directly stored in themysql.user
table by TiDB. To get this string, useSELECT password('auth_string')
to encrypt your password.TiDB supports the
mysql_native_password
authentication mechanism based on SHA-1, which is the default mechanism used in MySQL 5.7. Support for additional authentication mechanisms is planned in the future.