grant授权“失败”的原因

在创建用户的时候我们通常采用grant命令完成，并同时赋予相应的权限，例如我们创建一个名为test的用户，g并赋予其对数据库foo下所有表格select,delete,drop,create权限：

grant select,delete,drop,create on foo.* to test@localhost identified by 'test';

随后通过网上了解到的用户权限查看方式，有两种

1. mysql> show grants for test@localhost;
2. mysql> select * from user where user='test' G

首先我们试着采用：

mysql> show grants for test@localhost;
+---------------------------------------------------------------------+
| Grants for test@localhost                                           |
+---------------------------------------------------------------------+
| GRANT USAGE ON *.* TO 'test'@'localhost'                            |
| GRANT SELECT, DELETE, CREATE, DROP ON `foo`.* TO 'test'@'localhost' |
+---------------------------------------------------------------------+
2 rows in set (0.00 sec)

结果上很容易理解，结果与我们的预期一致。

然后我们再试试另一种方式：

mysql> select * from user where user='test' G

查看，输出结果如下：

*************************** 1. row ***************************
                  Host: localhost
                  User: test
           Select_priv: N
           Insert_priv: N
           Update_priv: N
           Delete_priv: N
           Create_priv: N
             Drop_priv: N
           Reload_priv: N
         Shutdown_priv: N
          Process_priv: N
             File_priv: N
            Grant_priv: N
       References_priv: N
            Index_priv: N
            Alter_priv: N
          Show_db_priv: N
            Super_priv: N
 Create_tmp_table_priv: N
      Lock_tables_priv: N
          Execute_priv: N
       Repl_slave_priv: N
      Repl_client_priv: N
      Create_view_priv: N
        Show_view_priv: N
   Create_routine_priv: N
    Alter_routine_priv: N
      Create_user_priv: N
            Event_priv: N
          Trigger_priv: N
Create_tablespace_priv: N
              ssl_type: 
            ssl_cipher: 
           x509_issuer: 
          x509_subject: 
         max_questions: 0
           max_updates: 0
       max_connections: 0
  max_user_connections: 0
                plugin: mysql_native_password
 authentication_string: *94BDCEBE19083CE2A1F959FD02F964C7AF4CFC29
      password_expired: N
 password_last_changed: 2016-11-30 13:10:01
     password_lifetime: NULL
        account_locked: N
1 row in set (0.00 sec)

如果在G后加了一个分号结束语句该语句，那么将会在执行结果的最后有no query specified这个一个错误。G 后不需要加分号。

那么问题来了，为什么两种查看用户权限的方式给出的结果不一样？而且在创建用户时明明赋予了select,delete,drop,create

权限但是第二种方法给出的结果中相应项都被标注为‘N'？是不是用grant命令给用户赋予权限失败了呢？应该以哪个结果为准呢？

究其原因是：select * from user where user='test' G;给出的是全局的权限，而不是针对某个DB或者SCHEMA得权限。赋权

语句是grant select,delete,drop,create on foo.* to test@localhost identified by 'test';也就是针对foo这个数据库赋权。那么

自然会得出权限为‘N’的结果。那所创建 的用户是否具有我预期指定的对数据库foo的操作权限呢？

我们再新建另一个用户test2,这次我们只给该用户赋予create权限

mysql> grant create on foo.* to test2@localhost identified by 'test2';

使用mysql> select * from user where user='test2' G 查看权限时所有权限妥妥的都是N.

我们先后使用test和test2登录mysql服务器。

1.test
root@deamon-H55M-S2:/etc/init.d# mysql -u test -p
Enter password: 
Welcome to the MySQL monitor.  Commands end with ; or g.
Your MySQL connection id is 13
Server version: 5.7.16-0ubuntu0.16.04.1 (Ubuntu)

Copyright (c) 2000, 2016, Oracle and/or its affiliates. All rights reserved.

Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.

Type 'help;' or 'h' for help. Type 'c' to clear the current input statement.

mysql> use foo;
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A

Database changed
mysql> show tables;
+---------------+
| Tables_in_foo |
+---------------+
| children      |
| runoob_tbl    |
| tcount_tbl    |
+---------------+
3 rows in set (0.00 sec)

mysql> select childno from children;
+---------+
| childno |
+---------+
|       1 |
|       2 |
|       3 |
|       4 |
|       5 |
|       6 |
|       7 |
|       8 |
+---------+
8 rows in set (0.00 sec)



2.test2
oot@deamon-H55M-S2:/etc/init.d# mysql -u test2 -p
Enter password: 
Welcome to the MySQL monitor.  Commands end with ; or g.
Your MySQL connection id is 14
Server version: 5.7.16-0ubuntu0.16.04.1 (Ubuntu)

Copyright (c) 2000, 2016, Oracle and/or its affiliates. All rights reserved.

Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.

Type 'help;' or 'h' for help. Type 'c' to clear the current input statement.

mysql> use foo;
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A

Database changed
mysql> select childno from children;
ERROR 1142 (42000): SELECT command denied to user 'test2'@'localhost' for table 'children'
mysql> 

从结果中可以看出test select操作成功了，但是test2的select操作被拒绝了，这跟我们未给test2用户赋予select权限相符。

结论：

mysql> select * from user where user='test' G方式查看的是全局权限，结果中的N不代表我们的赋权失败了。如果将创建语句改为

grant create on *.* to test2@localhost identified by 'test';那么结果就会都是’Y‘了。

两种查看用户权限的方式都没有错误，只是所代表的权限意义略有不同。show grants for test@localhost;方式能给我们更准确权限情况。

 附文章深入学习MySQL授权表一篇：http://tech.it168.com/a2010/0114/837/000000837456.shtml