Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

update document of privilege management #3202

Merged
merged 5 commits into from
May 25, 2020
Merged

update document of privilege management #3202

Changes from 1 commit
Commits
Show all changes
5 commits
Select commit Hold shift + click to select a range
9365146
update privilege document
May 21, 2020
cf87ca2
Merge branch 'docs-special-week' into refactor_privilege
kissmydb May 21, 2020
4801b63
Merge branch 'docs-special-week' into refactor_privilege
lilin90 May 22, 2020
269e9c3
Apply suggestions from code review
jackysp May 23, 2020
fb57ac5
Merge branch 'docs-special-week' into refactor_privilege
lilin90 May 25, 2020
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
134 changes: 72 additions & 62 deletions privilege-management.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -94,44 +94,7 @@ SELECT user,host FROM mysql.user WHERE user='xxxx';

上述示例中,`xxxx@%` 即自动添加的用户。

`GRANT` 对于数据库或者表的授权,不检查数据库或表是否存在。

{{< copyable "sql" >}}

```sql
SELECT * FROM test.xxxx;
```

```
ERROR 1146 (42S02): Table 'test.xxxx' doesn't exist
```

{{< copyable "sql" >}}

```sql
GRANT ALL PRIVILEGES ON test.xxxx TO xxxx;
```

```
Query OK, 0 rows affected (0.00 sec)
```

{{< copyable "sql" >}}

```sql
SELECT user,host FROM mysql.tables_priv WHERE user='xxxx';
```

```
+------|------+
| user | host |
+------|------+
| xxxx | % |
+------|------+
1 row in set (0.00 sec)
```

`GRANT` 可以模糊匹配地授予数据库和表:
`GRANT` 还可以模糊匹配地授予数据库:
jackysp marked this conversation as resolved.
Show resolved Hide resolved

{{< copyable "sql" >}}

Expand Down Expand Up @@ -246,39 +209,56 @@ Query OK, 0 rows affected (0.27 sec)
SHOW GRANTS;
```

查看某个特定用户的权限:
```
+-------------------------------------------------------------+
| Grants for User |
+-------------------------------------------------------------+
| GRANT ALL PRIVILEGES ON *.* TO 'root'@'%' WITH GRANT OPTION |
+-------------------------------------------------------------+
```

或者:

{{< copyable "sql" >}}

```sql
SHOW GRANTS for 'root'@'%';
SHOW GRANTS FOR CURRENT_USER();
```

更精确的方式,可以通过直接查看授权表的数据实现。比如想知道,名为 `test@%` 的用户是否拥有对 `db1.t` 的 `Insert` 权限
查看某个特定用户的权限

1. 先查看该用户是否拥有全局 `Insert` 权限:
{{< copyable "sql" >}}

{{< copyable "sql" >}}
```sql
SHOW GRANTS FOR 'user'@'host';
```

```sql
SELECT Insert_priv FROM mysql.user WHERE user='test' AND host='%';
```
例如,创建一个用户 `rw_user@192.168.%` 并为其授予 `test.write_table` 表的写权限,和全局读权限。

2. 如果没有,再查看该用户是否拥有 `db1` 数据库级别的 `Insert` 权限:
{{< copyable "sql" >}}

{{< copyable "sql" >}}
```sql
CREATE USER `rw_user`@`192.168.%`;
GRANT SELECT ON *.* TO `rw_user`@`192.168.%`;
GRANT INSERT, UPDATE ON `test`.`write_table` TO `rw_user`@`192.168.%`;
```

```sql
SELECT Insert_priv FROM mysql.db WHERE user='test' AND host='%';
```
查看 `rw_user@192.168.%` 的权限。
jackysp marked this conversation as resolved.
Show resolved Hide resolved

3. 如果仍然没有,则继续判断是否拥有 `db1.t` 这张表的 `Insert` 权限:
{{< copyable "sql" >}}

{{< copyable "sql" >}}
```sql
SHOW GRANTS FOR `rw_user`@`192.168.%`;
```

```sql
SELECT table_priv FROM mysql.tables_priv WHERE user='test' AND host='%' AND db='db1';
```
```
+------------------------------------------------------------------+
| Grants for rw_user@192.168.% |
+------------------------------------------------------------------+
| GRANT Select ON *.* TO 'rw_user'@'192.168.%' |
| GRANT Insert,Update ON test.write_table TO 'rw_user'@'192.168.%' |
+------------------------------------------------------------------+
```

## TiDB 各操作需要的权限

Expand All @@ -297,6 +277,8 @@ TiDB 用户目前拥有的权限可以在 `INFORMATION_SCHEMA.USER_PRIVILEGES`
| Insert | InsertPriv | 插入数据到表 |
| Update | UpdatePriv | 更新表中数据 |
| Delete | DeletePriv | 删除表中数据 |
| Reload | ReloadPriv | 执行 `FLUSH` 语句 |
| Config | ConfigPriv | 动态加载配置 |
| Trigger | TriggerPriv | 尚未使用 |
| Process | ProcessPriv | 显示正在运行的任务 |
| Execute | ExecutePriv | 执行 execute 语句 |
Expand All @@ -321,15 +303,15 @@ TiDB 用户目前拥有的权限可以在 `INFORMATION_SCHEMA.USER_PRIVILEGES`

### CREATE DATABASE

需要对数据库拥有 `CREATE` 权限。
需要拥有全局 `CREATE` 权限。

### CREATE INDEX

需要对所操作的表拥有 `INDEX` 权限。

### CREATE TABLE

需要对所操作的表拥有 `CREATE` 权限;若使用 `CREATE TABLE...LIKE...` 需要对相关的表拥有 `SELECT` 权限。
需要对要创建的表所在的数据库拥有 `CREATE` 权限;若使用 `CREATE TABLE...LIKE...` 需要对相关的表拥有 `SELECT` 权限。

### CREATE VIEW

Expand All @@ -351,6 +333,10 @@ TiDB 用户目前拥有的权限可以在 `INFORMATION_SCHEMA.USER_PRIVILEGES`

需要对所操作的表拥有 `DROP` 权限。

### LOAD DATA

`LOAD DATA` 需要对所操作的表拥有 `INSERT` 权限。

### TRUNCATE TABLE

需要对所操作的表拥有 `DROP` 权限。
Expand All @@ -369,6 +355,8 @@ TiDB 用户目前拥有的权限可以在 `INFORMATION_SCHEMA.USER_PRIVILEGES`

`SHOW CREATE VIEW` 需要 `SHOW VIEW` 权限。

`SHOW GRANTS` 需要拥有对 `mysql` 数据库的 `SELECT` 权限。如果是使用 `SHOW GRANTS` 查看当前用户权限,则不需要任何权限。

### CREATE ROLE/USER

`CREATE ROLE` 需要 `CREATE ROLE` 权限。
Expand All @@ -377,21 +365,43 @@ TiDB 用户目前拥有的权限可以在 `INFORMATION_SCHEMA.USER_PRIVILEGES`

### DROP ROLE/USER

`DROP ROLE` 需要 `DROPROLE` 权限。
`DROP ROLE` 需要 `DROP ROLE` 权限。

`DROP USER` 需要 `CREATEUSER` 权限
`DROP USER` 需要 `CREATE USER` 权限

### ALTER USER

`ALTER USER` 需要 `CREATEUSER` 权限。
`ALTER USER` 需要 `CREATE USER` 权限。

### GRANT

`GRANT` 需要 `GRANT` 权限并且拥有 `GRANT` 所赋予的权限。

如果在 `GRANTS` 语句中创建用户,需要有 `CREATE USER` 权限。

`GRANT ROLE` 操作需要拥有 `SUPER` 权限。

### REVOKE

`REVOKE` 需要 `SUPER` 权限。
`REVOKE` 需要 `GRANT` 权限并且拥有 `REVOKE` 所指定要撤销的权限。

`REVOKE ROLE` 操作需要拥有 `SUPER` 权限。

### SET GLOBAL

使用 `SET GLOBAL` 设置全局变量需要拥有 `SUPER` 权限。

### ADMIN

需要拥有 `SUPER` 权限。

### SET DEFAULT ROLE

需要拥有 `SUPER` 权限。

### KILL

使用 `KILL` 终止其他用户的会话需要拥有 `SUPER` 权限。

## 权限系统的实现

Expand Down