1.角色管理
2.proxies_priv(5.7)
3.role(MySQL8.0)
1.角色管理
对于MySQL 5.7.x版本采用proxies_priv(模拟角色或者代理用户组)实现类似用户组管理.
MySQL 8.0.X进入了role的概念,类似Oracle的使用(官方role like)。
2.proxies_priv(5.7)
开启proxies_priv
--proxy_users默认是关闭的
mysql> show variables like '%prox%';
+-----------------------------------+-------+
| Variable_name | Value |
+-----------------------------------+-------+
| check_proxy_users | OFF |
| mysql_native_password_proxy_users | OFF |
| proxy_user | |
| sha256_password_proxy_users | OFF |
+-----------------------------------+-------+
--如何开启呢?两种方式:修改配置文件,使其永久生效;修改全局参数,暂时生效;
SET global check_proxy_users=ON;
SET golbal mysql_native_password_proxy_users=ON;
--设置完成后退出当前会话重新登录,使其生效。
举例
--来模拟场景:比如有对jss_t1表的管理创建三个用户,jss_dba,jss_001,jss_002。jss_dba权限充当proxy user(role);
create user jss_dba identified by 'jss000';
create user jss_001 identified by 'jss001';
create user jss_002 identified by 'jss002';
--授权jss_dba权限
grant select,update,delete,insert on jssdb001.* to jss_dba;
--赋予其他用户jss_001模拟角色权限
grant proxy on jss_dba to jss_001;
mysql> show grants for jss_001;
+-----------------------------------------------+
| Grants for jss_001@% |
+-----------------------------------------------+
| GRANT USAGE ON *.* TO 'jss_001'@'%' |
| GRANT PROXY ON 'jss_dba'@'%' TO 'jss_001'@'%' |
+-----------------------------------------------+
--使用jss_001登录
[root@jssdb01 ~]# mysql -ujss_001 -p
Enter password:
Welcome to the MySQL monitor. Commands end with ; or \g.
Your MySQL connection id is 34
Server version: 5.7.32 MySQL Community Server (GPL)
mysql> show databases;
+--------------------+
| Database |
+--------------------+
| information_schema |
| jssdb001 |
+--------------------+
2 rows in set (0.00 sec)
mysql> use jssdb001;
mysql> show tables;
+--------------------+
| Tables_in_jssdb001 |
+--------------------+
| jss_t1 |
| jss_t2 |
+--------------------+
mysql> show grants;
+-----------------------------------------------------------------------+
| Grants for jss_dba@% |
+-----------------------------------------------------------------------+
| GRANT USAGE ON *.* TO 'jss_dba'@'%' |
| GRANT SELECT, INSERT, UPDATE, DELETE ON `jssdb001`.* TO 'jss_dba'@'%' |
+-----------------------------------------------------------------------+
2 rows in set (0.00 sec)
mysql> select user();
+-------------------+
| user() |
+-------------------+
| jss_001@localhost |
+-------------------+
-- 取消代理权限
revoke PROXY ON 'jss_dba'@'%' from 'jss_001'@'%';
3.role(MySQL8.0)
MySQL8.0新增了role功能:role可以看做一个权限的集合,这个集合有一个统一的名字role名。可以给多个账户统一的某个role的权限权限的修改直接通过修改role来实现,不需要每个账户一个一个的grant权限,方便运维和管理。role可以创建、删除、修改并作用到他管理的账户上。
mysql> select version();
+-----------+
| version() |
+-----------+
| 8.0.23 |
+-----------+
举例
/** 环境说明:
现有业务系统数据库一套,需要分配不同的权限
- app_dev :所有权限
- app_read:只读
- app_write:可写,可修改
比如
jss_dev为最高权限用户,
jss_r01为可读用户,
jss_w01为读写用户,分别赋予相应的权限
**/
-- 创建角色
CREATE ROLE 'app_dev','app_read','app_write';
FLUSH PRIVILEGES;
-- 赋予角色权限
GRANT ALL ON employees.* TO 'app_dev';
GRANT SELECT ON employees.* TO 'app_read';
GRANT INSERT,DELETE,UPDATE ON employees.* TO 'app_write';
-- 创建用户
CREATE USER jss_dev@'%' IDENTIFIED BY 'jss_dev';
CREATE USER jss_r01@'%' IDENTIFIED BY 'jss_r01';
CREATE USER jss_w01@'%' IDENTIFIED BY 'jss_w01';
-- 赋予角色给不同的用户
GRANT 'app_dev' TO 'jss_dev'@'%';
GRANT 'app_read' TO 'jss_r01'@'%';
GRANT 'app_write','app_read' TO 'jss_w01'@'%';
-- 查看角色以及所赋予的权限
SHOW GRANTS FOR 'app_dev';
SHOW GRANTS FOR 'app_read';
SHOW GRANTS FOR 'app_write';
SHOW GRANTS FOR 'jss_dev'@'%' USING 'app_dev';
SHOW GRANTS FOR 'jss_r01'@'%' USING 'app_read';
SHOW GRANTS FOR 'jss_w01'@'%' USING 'app_read','app_write';
-- 撤销角色role
REVOKE 'app_dev' FROM 'jss_dev';
REVOKE DELETE ON employees.* FROM 'app_write';
-- 删除角色
DROP ROLE 'app_dev';
DROP ROLE 'app_read';
DROP ROLE 'app_write';
-- 删除用户
DROP USER 'jss_dev'@'%';
DROP USER 'jss_r01'@'%';
DROP USER 'jss_w01'@'%';
文章转载自数据库BOSS,如果涉嫌侵权,请发送邮件至:contact@modb.pro进行举报,并提供相关证据,一经查实,墨天轮将立刻删除相关内容。
