
Why GRANT appears to have "failed"

When creating a user we usually do it with a GRANT command, assigning the corresponding privileges at the same time. For example, create a user named test and give it SELECT, DELETE, DROP and CREATE on every table in database foo:

grant select,delete,drop,create on foo.* to test@localhost identified by 'test';

Then, from what I found online, there are two ways to view a user's privileges:

1. mysql> show grants for test@localhost;
2. mysql> select * from user where user='test' \G

First let's try the first one:

mysql> show grants for test@localhost;
+---------------------------------------------------------------------+
| Grants for test@localhost                                           |
+---------------------------------------------------------------------+
| GRANT USAGE ON *.* TO 'test'@'localhost'                            |
| GRANT SELECT, DELETE, CREATE, DROP ON `foo`.* TO 'test'@'localhost' |
+---------------------------------------------------------------------+
2 rows in set (0.00 sec)

The result is easy to read and matches what we expected.

Now let's try the other way:

mysql> select * from user where user='test' \G

The output is as follows:

*************************** 1. row ***************************
                  Host: localhost
                  User: test
           Select_priv: N
           Insert_priv: N
           Update_priv: N
           Delete_priv: N
           Create_priv: N
             Drop_priv: N
           Reload_priv: N
         Shutdown_priv: N
          Process_priv: N
             File_priv: N
            Grant_priv: N
       References_priv: N
            Index_priv: N
            Alter_priv: N
          Show_db_priv: N
            Super_priv: N
 Create_tmp_table_priv: N
      Lock_tables_priv: N
          Execute_priv: N
       Repl_slave_priv: N
      Repl_client_priv: N
      Create_view_priv: N
        Show_view_priv: N
   Create_routine_priv: N
    Alter_routine_priv: N
      Create_user_priv: N
            Event_priv: N
          Trigger_priv: N
Create_tablespace_priv: N
              ssl_type: 
            ssl_cipher: 
           x509_issuer: 
          x509_subject: 
         max_questions: 0
           max_updates: 0
       max_connections: 0
  max_user_connections: 0
                plugin: mysql_native_password
 authentication_string: *94BDCEBE19083CE2A1F959FD02F964C7AF4CFC29
      password_expired: N
 password_last_changed: 2016-11-30 13:10:01
     password_lifetime: NULL
        account_locked: N
1 row in set (0.00 sec)
If you put a semicolon after \G to end the statement, the output ends with the error "No query specified". No semicolon is needed after \G.

So the question is: why do the two ways of viewing the user's privileges give different results? The user was clearly granted select, delete, drop and create when it was created, yet the second method marks the corresponding entries 'N'. Did the GRANT command fail to give the user its privileges? Which result should we trust?

The reason is that select * from user where user='test' \G shows the global privileges, not the privileges on a particular database or schema. The grant statement was grant select,delete,drop,create on foo.* to test@localhost identified by 'test'; that is, it grants privileges on the database foo only, so naturally the global privileges come out as 'N'. But does the created user actually have the privileges on database foo that I intended?

Let's create another user, test2, this time granting it only the create privilege:

mysql> grant create on foo.* to test2@localhost identified by 'test2';

Viewing its privileges with mysql> select * from user where user='test2' \G, every privilege is, as expected, N.

Now log in to the MySQL server as test and then as test2.

1.test
root@deamon-H55M-S2:/etc/init.d# mysql -u test -p
Enter password: 
Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 13
Server version: 5.7.16-0ubuntu0.16.04.1 (Ubuntu)

Copyright (c) 2000, 2016, Oracle and/or its affiliates. All rights reserved.

Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

mysql> use foo;
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A

Database changed
mysql> show tables;
+---------------+
| Tables_in_foo |
+---------------+
| children      |
| runoob_tbl    |
| tcount_tbl    |
+---------------+
3 rows in set (0.00 sec)

mysql> select childno from children;
+---------+
| childno |
+---------+
|       1 |
|       2 |
|       3 |
|       4 |
|       5 |
|       6 |
|       7 |
|       8 |
+---------+
8 rows in set (0.00 sec)



2.test2
root@deamon-H55M-S2:/etc/init.d# mysql -u test2 -p
Enter password: 
Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 14
Server version: 5.7.16-0ubuntu0.16.04.1 (Ubuntu)

Copyright (c) 2000, 2016, Oracle and/or its affiliates. All rights reserved.

Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

mysql> use foo;
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A

Database changed
mysql> select childno from children;
ERROR 1142 (42000): SELECT command denied to user 'test2'@'localhost' for table 'children'
mysql> 

As the results show, test's select succeeded, while test2's select was denied, which is consistent with our not having granted select to test2.

Conclusion:

The mysql> select * from user where user='test' \G method shows global privileges; the N entries in its result do not mean the grant failed. If the grant statement were changed to grant create on *.* to test@localhost identified by 'test'; then the result would show 'Y'.
Neither way of viewing user privileges is wrong; they just represent slightly different privilege scopes. show grants for test@localhost; gives us the more accurate picture of the privileges.
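To make the explanation above and the conclusion concrete, here is an added example (not from the original post) that shows where each view reads from: global privileges are stored in mysql.user, while a grant on foo.* is recorded in mysql.db, and SHOW GRANTS merges every level into one listing. It assumes database foo exists and that you run it as an account allowed to read the mysql system schema. The user is created with CREATE USER followed by GRANT rather than the post's GRANT ... IDENTIFIED BY form, because MySQL 8.0 no longer accepts the latter; the resulting privileges are identical. Note that the post's select * from user only works after use mysql; the fully qualified mysql.user below avoids that.

```sql
-- Added example, not from the original post. Run as a privileged account
-- (e.g. root); assumes database foo already exists.
CREATE USER 'test'@'localhost' IDENTIFIED BY 'test';
GRANT SELECT, DELETE, DROP, CREATE ON foo.* TO 'test'@'localhost';

-- 1. Global privileges live in mysql.user. Every column is 'N' here,
--    because nothing was granted ON *.*; this is what the post's
--    "select * from user" query was looking at.
SELECT Host, User, Select_priv, Delete_priv, Create_priv, Drop_priv
FROM mysql.user
WHERE User = 'test' AND Host = 'localhost';

-- 2. Database-level privileges live in mysql.db, keyed by (Host, Db, User).
--    The foo.* grant was recorded here, so these columns show 'Y'.
SELECT Host, Db, User, Select_priv, Delete_priv, Create_priv, Drop_priv
FROM mysql.db
WHERE User = 'test' AND Host = 'localhost';

-- 3. SHOW GRANTS combines global, database, table, column and routine
--    levels into one listing, which is why it is the reliable check.
SHOW GRANTS FOR 'test'@'localhost';

-- 4. Contrast with the conclusion's variant: a grant ON *.* is recorded in
--    mysql.user instead, so Create_priv there now reads 'Y' while the
--    foo.* row in mysql.db is unchanged.
GRANT CREATE ON *.* TO 'test'@'localhost';
SELECT Create_priv FROM mysql.user WHERE User = 'test' AND Host = 'localhost';
SHOW GRANTS FOR 'test'@'localhost';

-- Undo the global grant again so the account keeps only its foo.* rights.
REVOKE CREATE ON *.* FROM 'test'@'localhost';
```

Reading mysql.db (and, for finer grants, mysql.tables_priv, mysql.columns_priv and mysql.procs_priv) is useful when auditing accounts in bulk, since one query over those tables lists every database-scoped grant on the server, whereas SHOW GRANTS has to be run per account.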