forked from pingcap/docs
-
Notifications
You must be signed in to change notification settings - Fork 0
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
sql-statements: add statement reference for ROLES (pingcap#3198)
- Loading branch information
Null not nil
authored
Jul 8, 2020
1 parent
e65391c
commit 15966df
Showing
8 changed files
with
961 additions
and
2 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,169 @@ | ||
| --- | ||
| title: CREATE ROLE | TiDB SQL Statement Reference | ||
| summary: An overview of the usage of CREATE ROLE for the TiDB database. | ||
| category: reference | ||
| --- | ||
|
|
||
| # CREATE ROLE | ||
|
|
||
| This statement creates a new role, which can be assigned to users as part of role-based access control. | ||
|
|
||
| ## Synopsis | ||
|
|
||
| **CreateRoleStmt:** | ||
|
|
||
|  | ||
|
|
||
| **IfNotExists:** | ||
|
|
||
|  | ||
|
|
||
| **RoleSpec:** | ||
|
|
||
|  | ||
|
|
||
| ## Examples | ||
|
|
||
| Create a new role for the analytics team, and a new user called `jennifer`: | ||
|
|
||
| ```sql | ||
| $ mysql -uroot | ||
| Welcome to the MySQL monitor. Commands end with ; or \g. | ||
| Your MySQL connection id is 37 | ||
| Server version: 5.7.25-TiDB-v4.0.0-beta.2-728-ga9177fe84 TiDB Server (Apache License 2.0) Community Edition, MySQL 5.7 compatible | ||
|
|
||
| Copyright (c) 2000, 2020, Oracle and/or its affiliates. All rights reserved. | ||
|
|
||
| Oracle is a registered trademark of Oracle Corporation and/or its | ||
| affiliates. Other names may be trademarks of their respective | ||
| owners. | ||
|
|
||
| Type 'help;' or '\h' for help. Type '\c' to clear the current input statement. | ||
|
|
||
| mysql> CREATE ROLE analyticsteam; | ||
| Query OK, 0 rows affected (0.02 sec) | ||
|
|
||
| mysql> GRANT SELECT ON test.* TO analyticsteam; | ||
| Query OK, 0 rows affected (0.02 sec) | ||
|
|
||
| mysql> CREATE USER jennifer; | ||
| Query OK, 0 rows affected (0.01 sec) | ||
|
|
||
| mysql> GRANT analyticsteam TO jennifer; | ||
| Query OK, 0 rows affected (0.01 sec) | ||
| ``` | ||
|
|
||
| Note that by default `jennifer` needs to `SET ROLE analyticsteam` in order to be able to use the privileges associated with the role: | ||
|
|
||
| ```sql | ||
| $ mysql -ujennifer | ||
| Welcome to the MySQL monitor. Commands end with ; or \g. | ||
| Your MySQL connection id is 32 | ||
| Server version: 5.7.25-TiDB-v4.0.0-beta.2-728-ga9177fe84 TiDB Server (Apache License 2.0) Community Edition, MySQL 5.7 compatible | ||
|
|
||
| Copyright (c) 2000, 2020, Oracle and/or its affiliates. All rights reserved. | ||
|
|
||
| Oracle is a registered trademark of Oracle Corporation and/or its | ||
| affiliates. Other names may be trademarks of their respective | ||
| owners. | ||
|
|
||
| Type 'help;' or '\h' for help. Type '\c' to clear the current input statement. | ||
|
|
||
| mysql> SHOW GRANTS; | ||
| +---------------------------------------------+ | ||
| | Grants for User | | ||
| +---------------------------------------------+ | ||
| | GRANT USAGE ON *.* TO 'jennifer'@'%' | | ||
| | GRANT 'analyticsteam'@'%' TO 'jennifer'@'%' | | ||
| +---------------------------------------------+ | ||
| 2 rows in set (0.00 sec) | ||
|
|
||
| mysql> SHOW TABLES in test; | ||
| ERROR 1044 (42000): Access denied for user 'jennifer'@'%' to database 'test' | ||
| mysql> SET ROLE analyticsteam; | ||
| Query OK, 0 rows affected (0.00 sec) | ||
|
|
||
| mysql> SHOW GRANTS; | ||
| +---------------------------------------------+ | ||
| | Grants for User | | ||
| +---------------------------------------------+ | ||
| | GRANT USAGE ON *.* TO 'jennifer'@'%' | | ||
| | GRANT Select ON test.* TO 'jennifer'@'%' | | ||
| | GRANT 'analyticsteam'@'%' TO 'jennifer'@'%' | | ||
| +---------------------------------------------+ | ||
| 3 rows in set (0.00 sec) | ||
|
|
||
| mysql> SHOW TABLES IN test; | ||
| +----------------+ | ||
| | Tables_in_test | | ||
| +----------------+ | ||
| | t1 | | ||
| +----------------+ | ||
| 1 row in set (0.00 sec) | ||
| ``` | ||
|
|
||
| The statement `SET DEFAULT ROLE` can be used to associate a role to `jennifer` so that she will not have to execute the statement `SET ROLE` in order to assume the privileges associated with the role: | ||
|
|
||
| ```sql | ||
| $ mysql -uroot | ||
| Welcome to the MySQL monitor. Commands end with ; or \g. | ||
| Your MySQL connection id is 34 | ||
| Server version: 5.7.25-TiDB-v4.0.0-beta.2-728-ga9177fe84 TiDB Server (Apache License 2.0) Community Edition, MySQL 5.7 compatible | ||
|
|
||
| Copyright (c) 2000, 2020, Oracle and/or its affiliates. All rights reserved. | ||
|
|
||
| Oracle is a registered trademark of Oracle Corporation and/or its | ||
| affiliates. Other names may be trademarks of their respective | ||
| owners. | ||
|
|
||
| Type 'help;' or '\h' for help. Type '\c' to clear the current input statement. | ||
|
|
||
| mysql> SET DEFAULT ROLE analyticsteam TO jennifer; | ||
| Query OK, 0 rows affected (0.02 sec) | ||
| ``` | ||
|
|
||
| ```sql | ||
| $ mysql -ujennifer | ||
| Welcome to the MySQL monitor. Commands end with ; or \g. | ||
| Your MySQL connection id is 35 | ||
| Server version: 5.7.25-TiDB-v4.0.0-beta.2-728-ga9177fe84 TiDB Server (Apache License 2.0) Community Edition, MySQL 5.7 compatible | ||
|
|
||
| Copyright (c) 2000, 2020, Oracle and/or its affiliates. All rights reserved. | ||
|
|
||
| Oracle is a registered trademark of Oracle Corporation and/or its | ||
| affiliates. Other names may be trademarks of their respective | ||
| owners. | ||
|
|
||
| Type 'help;' or '\h' for help. Type '\c' to clear the current input statement. | ||
|
|
||
| mysql> SHOW GRANTS; | ||
| +---------------------------------------------+ | ||
| | Grants for User | | ||
| +---------------------------------------------+ | ||
| | GRANT USAGE ON *.* TO 'jennifer'@'%' | | ||
| | GRANT Select ON test.* TO 'jennifer'@'%' | | ||
| | GRANT 'analyticsteam'@'%' TO 'jennifer'@'%' | | ||
| +---------------------------------------------+ | ||
| 3 rows in set (0.00 sec) | ||
|
|
||
| mysql> SHOW TABLES IN test; | ||
| +----------------+ | ||
| | Tables_in_test | | ||
| +----------------+ | ||
| | t1 | | ||
| +----------------+ | ||
| 1 row in set (0.00 sec) | ||
| ``` | ||
|
|
||
| ## MySQL compatibility | ||
|
|
||
| This statement is understood to be fully compatible with roles, which are a feature of MySQL 8.0. Any compatibility differences should be [reported via an issue](/report-issue.md) on GitHub. | ||
|
|
||
| ## See also | ||
|
|
||
| * [DROP ROLE](/sql-statements/sql-statement-drop-role.md) | ||
| * [GRANT <role>](/sql-statements/sql-statement-grant-role.md) | ||
| * [REVOKE <role>](/sql-statements/sql-statement-revoke-role.md) | ||
| * [SET ROLE](/sql-statements/sql-statement-set-role.md) | ||
| * [SET DEFAULT ROLE](/sql-statements/sql-statement-set-default-role.md) | ||
| * [Role-Based Access Control](/role-based-access-control.md) |
Oops, something went wrong.