MySQL關於grant與revoke的詳細教程

grant命令主要是用來授權

語法：

1   grant 許可權 on 資料庫物件 to 使用者;   //僅給某使用者授予某資料庫物件某許可權

grant 許可權 on 資料庫物件 to 使用者@'ip或者localhost';  //注意：最好使用該格式，因為mysql是根據User及Host來匹配使用者的。

2   grant 許可權 on 資料庫物件 to 使用者@'ip地址' identified by '使用者密碼';   //給某個ip地址的某個使用者對某個資料庫物件授予某許可權，並指定該使用者訪問密碼。

3   grant 許可權 on

 資料庫物件 to 使用者@'ip地址' identified by '使用者密碼' with grant option; //除了具備第二項的功能外，還額外賦予該ip的使用者授予其他使用者授權的許可權。對應mysql.user表該使用者的Grant_priv欄位為Y，即該使用者也可以使用grant命令了給其他使用者授予他自身權力下的操作許可權。（注意，不帶with grant option該欄位為N）

英文說明文件：

After creating a new user account, the user doesn’t have any privileges. To grant privileges to a user account, you use the GRANT

 statement.

The following illustrates the syntax of the GRANT statement:

1234	GRANTprivilege,[privilege],..ONprivilege_levelTOuser[IDENTIFIED BYpassword][REQUIREtsl_option][WITH[GRANT_OPTION|resource_option]];

Let’s examine the GRANT statement in greater detail.

• First, specify one or more privileges after the GRANT
   keyword. If you grant the user multiple privileges, each privilege is separated by a comma. (see a list of privilege in the table below).
• Next, specify the privilege_level that determines the level at which the privileges apply. MySQL supports global ( *.*), database ( database.*), table ( database.table) and column levels. If you use column privilege level, you must specify one or a list of comma-separated column after each privilege.
• Then, place the user that you want to grant privileges.  If user already exists, the GRANT statement modifies its privilege. Otherwise, the GRANT statement creates a new user. The optional clauseIDENTIFIED BY allows you set a new password for the user.
• After that, you specify whether the user has to connect to the database server over a secure connection such as SSL, X059, etc.
• Finally, the optional WITH GRANT OPTION clause allows you to grant other users or remove from other users the privileges that you possess. In addition, you can use the WITH clause to allocate MySQL database server’s resource e.g., to set how many connections or statements that the user can use per hour. This is very helpful in the shared environments such as MySQL shared hosting.

Notice that in order to use the GRANT statement, you must have the GRANT OPTION privilege and the privileges that you are granting. If the system variable is enabled, you need to have the SUPERprivilege to execute the GRANT statement.

Let’s practice with some examples of using MySQL GRANT statement to have a better understanding.

MySQL GRANT examples

For example, the following CREATE USER statement creates a new super user account.

CREATE USERsuper@localhostIDENTIFIED BY'dolphin';

To display the privileged assigned to [email protected] user, you use SHOW GRANTS statement.

SHOWGRANTSFORsuper@localhost;

如果未曾賦予使用者許可權，則會提示：

123456

+-------------------------------------------+|Grantsforsuper@localhost|+-------------------------------------------+|GRANTUSAGEON*.*TO`super`@`localhost`|+-------------------------------------------+1rowinset(0.00sec)

To grant all privileges to the [email protected] user account, you use the following statement.Note that USAGE privilege means no privileges in MySQL.

GRANTALLON*.*TO'super'@'localhost'WITH GRANT OPTION;、//賦予本地super使用者超級許可權（含grant）

The 

許可權包含有：

SELECT /INSERT /UPDATE / DELETE / DROP / CREATE / CREATE USER / ALTER / ALTER ROUTINE (使用alter procedure和drop procedure) / CREATE ROUTINE (使用create procedure) / CREATE

TEMPORARY TABLES （使用create temporary table）/ CREATE VIEW / EXECUTE (使用call和儲存過程) / EVENT / FILE （使用select into outfile 和 load data infile） / GRANT OPTION (可以使用grant和revoke) / ALL / ALL PRIVILEGES / INDEX （可以使用create index和drop index） / LOCK TABLES (鎖表) / PROCESS (使用show full processlist) / RELOAD （使用flush） / REPLICATION CLIENT (伺服器位置訪問) / REPLICATION SLAVE (由複製從屬使用) / SHOW DATABASES / SHOW VIEW / SHUT DOWN （使用mysqladmin shutdown 來關閉mysql）/ SUPER / USAGE (無訪問許可權)

ALL PRIVILEGES; //等同於All

資料物件：

*.*  所有庫和所有表。

databaseName.*  某個庫中的所有表

databaseName.tableName   某個庫中某個表

設定許可權時必須給出一下資訊1，要授予的許可權2，被授予訪問許可權的資料庫或表3，使用者名稱（及主機？有時候無需主機也可以）grant和revoke可以在幾個層次上控制訪問許可權1，整個伺服器，使用 grant ALL  和revoke  ALL2，整個資料庫，使用on  database.*3，特點表，使用on  database.table4，特定的列5，特定的儲存過程user表中host列的值的意義%              匹配所有主機localhost    localhost不會被解析成IP地址，直接通過UNIXsocket連線127.0.0.1      會通過TCP/IP協議連線，並且只能在本機訪問；::1                 ::1就是相容支援ipv6的，表示同ipv4的127.0.0.1

使用案例：

grant 普通資料使用者，查詢、插入、更新、刪除 資料庫中所有表資料的權利。

grant select, insert, update, delete on testdb.* to [email protected]’%’

grant 資料庫開發人員，建立表、索引、檢視、儲存過程、函式。。。等許可權。

grant 建立、修改、刪除 MySQL 資料表結構許可權。

grant create on testdb.* to [email protected]’192.168.0.%’;

grant alter on testdb.* to [email protected]’192.168.0.%’;

grant drop on testdb.* to [email protected]’192.168.0.%’;

grant 操作 MySQL 外來鍵許可權。

grant references on testdb.* to [email protected]’192.168.0.%’;

grant 操作 MySQL 臨時表許可權。

grant create temporary tables on testdb.* to [email protected]’192.168.0.%’;

grant 操作 MySQL 索引許可權。

grant index on testdb.* to [email protected]’192.168.0.%’;

grant 操作 MySQL 檢視、檢視檢視原始碼 許可權。

grant create view on testdb.* to [email protected]’192.168.0.%’;

grant show view on testdb.* to [email protected]’192.168.0.%’;

grant 操作 MySQL 儲存過程、函式 許可權。

grant create routine on testdb.* to [email protected]’192.168.0.%’; -- now, can show procedure status

grant alter routine on testdb.* to [email protected]’192.168.0.%’; -- now, you can drop a procedure

grant execute on testdb.* to d[email protected]’192.168.0.%’;

grant 作用在整個 MySQL 伺服器上：

grant select on *.* to [email protected]; -- dba 可以查詢 MySQL 中所有資料庫中的表。

grant all on *.* to [email protected]; -- dba 可以管理 MySQL 中的所有資料庫

grant 作用在單個數據庫上：

grant select on testdb.* to [email protected]; -- dba 可以查詢 testdb 中的表。

grant 作用在單個數據表上：

grant select, insert, update, delete on testdb.orders to [email protected];

grant 作用在表中的列上：

grant select(id, se, rank) on testdb.apache_log to [email protected];

grant 作用在儲存過程、函式上：

grant execute on procedure testdb.pr_add to ’dba’@’localhost’

grant execute on function testdb.fn_add to ’dba’@’localhost’

注意：修改完許可權以後 一定要重新整理服務，或者重啟服務，重新整理服務用：FLUSH PRIVILEGES。

同理：revoke英文文件如下：

Introduction to the MySQL REVOKE Statement

In order to revoke privileges from a user account, you use the MySQL REVOKE statement. MySQL allows you to revoke one or more privileges or all privileges from a user.

The following illustrates the syntax of revoking specific privileges from a user:

1 2 3 4

REVOKEprivilege_type[(column_list)] [,priv_type[(column_list)]]... ON[object_type]privilege_level FROMuser[,user]...

Let’s examine the MySQL REVOKE statement in more detail.

• First, specify a list of privileges that you want to revoke from a user right after the REVOKE keyword. You need to separate privileges by commas.
• Second, specify the privilege level at which privileges is revoked in the ON clause .
• Third, specify the user account that you want to revoke the privileges in the FROM clause.

Note that to revoke privileges from a user account, you must have GRANT OPTION privilege and the privileges that you are revoking.

To revoke all privileges from a user, you use the following form of the REVOKE statement:

1	REVOKE ALL PRIVILEGES,GRANT OPTIONFROMuser[,user]…

To execute the REVOKE ALL statement , you must have the global CREATE USER privilege or the UPDATEprivilege for the mysql database.

To revoke proxy user, you use the REVOKE PROXY command as follows:

1	REVOKE PROXY ONuserFROMuser[,user]...

A proxy user is a valid user in MySQL who can impersonate another user, therefore, the proxy user has all privileges of the user that it impersonates.

Before revoking privileges of a user, it is good practice to check if the user has the privileges by using theSHOW GRANTS statement as follows:

1	SHOWGRANTSFORuser;

使用案例：

//檢視rfc使用者的許可權

SHOWGRANTSFORrfc;

//MySQL返回如下結果：

GRANTSELECT,UPDATE,DELETEON'classicmodels'.*TO'rfc'@'%'

//為rfc使用者指定密碼

CREATE USERIF EXISTSrfc

相關推薦