权限模型

HybridDB for MySQL的权限管理是参照MySQL的权限实现,控制登录的用户具备哪些数据库操作权限。具体用法请参见MySQL官方文档

支持的权限粒度

HybridDB for MySQL支持下面四种级别的权限控制,细化数据库权限控制的粒度。例如,如果希望创建一个User只能查询(SELECT)某个表的记录,就可以只赋予这个User对于这个TABLE的SELECT权限。

  • global
  • db
  • table
  • column

HybridDB for MySQL数据操作主要命令权限映射关系

命令 需要的权限 Database Table Column 备注
Select Select -
Insert Insert -
Insert … select …. Insert + Select -
Update Update -
Delete Delete × -
Truncate Table Drop × -
Alter Table Alter + Insert + Create × -
Create Database Create × × × -
Create Table Create × -
Drop Database Drop × × -
Drop Table Drop × -
Create View Create_View × × × -
Drop View Drop × × × -
Alter View Create_View × × × -
CREATE_PROCEDURE CREATE_ROUTINE × × × -
DROP_PROCEDURE ALTER_ROUTINE × × × -
CREATE_EVENT EVENT × × × -
DROP_EVENT EVENT × × × -
Create User/Drop User/Rename User Create_User × × × 创建/删除/修改用户
Set Password Super × × × 设置密码命令
Grant/Revoke Grant × × × 授权命令

权限相关命令

注意 CREATE USER Account_Name命令中, Account_Name格式为: 'user_name'@'host_name'。当前版本的host_name仅允许传入通配符 '%',即所有客户端主机都能匹配成功,目前通过白名单功能拦截客户端主机。

CREATE USER

语法:

CREATE USER
    [if not exists] user [auth_option] [, [if not exists] user [auth_option]] ...

auth_option: {
    IDENTIFIED BY 'auth_string'
  | IDENTIFIED BY PASSWORD 'hash_string'
}

MySQL CREATE USER命令文档:https://dev.mysql.com/doc/refman/5.6/en/create-user.html

相较于MySQL的CREATE USER语法,HybridDB for MySQL的语法有如下不同之处:

  • auth_option中不支持
    • IDENTIFIED WITH auth_plugin
    • IDENTIFIED WITH auth_plugin AS 'hash_string'
  • 增加了if not exists 的支持

示例:

CREATE USER if not exists 'test'@'%' IDENTIFIED BY 'passwd';
CREATE USER 'test2'@'%' IDENTIFIED BY 'passwd';

执行需要具备权限

CREATE USER权限。

RENAME USER

修改用户名。

语法:

RENAME USER old_user TO new_user
    [, old_user TO new_user] ...

DROP USER

语法:

DROP USER [if exists] user [, [if exists] user] ...

示例:

dropuserifexists'test'@'%', ifexists'test2'

执行需要具备权限

CREATE USER privilege

GRANT

GRANT
    priv_type [(column_list)]
      [, priv_type [(column_list)]] ...
    ON priv_level
    TO user [auth_option]
    [WITH {GRANT OPTION}]

priv_level: {
    *
  | *.*
  | db_name.*
  | db_name.tbl_name
  | tbl_name
}

auth_option: {
    IDENTIFIED BY 'auth_string'
  | IDENTIFIED BY PASSWORD 'hash_string'
}

示例:

#创建全局DML帐号 
grant insert,select,update,delete on *.* to 'test'@'%' identified by 'testpassword';
#创建db级别DML帐号 
grant insert,select,update,delete on dbName.* to 'test'@'%' identified by 'testpassword';

执行需要具备权限

  • GRANT OPTION privilege
  • 对赋予的权限,执行GRANT语句的用户必须拥有该权限

REVOKE

语法一:

REVOKE
    priv_type [(column_list)]
      [, priv_type [(column_list)]] ...
    ON [object_type] priv_level
    FROM user

示范

#回收只读权限
revoke select on db.table from 'test'@'%'

执行需要具备权限

  • GRANT OPTION privilege
  • 对回收的权限,执行REVOKE语句的用户必须拥有该权限

语法二:

回收用户的所有权限。

REVOKE ALL [PRIVILEGES], GRANT OPTION
    FROM user

执行需要具备权限

CREATE USER privilege

查看当前用户的权限

SHOW GRANTS