在创建用户的时候我们通常采用grant命令完成,并同时赋予相应的权限,例如我们创建一个名为test的用户,g并赋予其对数据库foo下所有表格select,delete,drop,create权限:
grant select,delete,drop,create on foo.* to test@localhost identified by 'test';
随后通过网上了解到的用户权限查看方式,有两种
1. mysql> show grants for test@localhost; 2. mysql> select * from user where user='test' G
首先我们试着采用:
mysql> show grants for test@localhost; +---------------------------------------------------------------------+ | Grants for test@localhost | +---------------------------------------------------------------------+ | GRANT USAGE ON *.* TO 'test'@'localhost' | | GRANT SELECT, DELETE, CREATE, DROP ON `foo`.* TO 'test'@'localhost' | +---------------------------------------------------------------------+ 2 rows in set (0.00 sec)
结果上很容易理解,结果与我们的预期一致。
然后我们再试试另一种方式:
mysql> select * from user where user='test' G
查看,输出结果如下:
*************************** 1. row *************************** Host: localhost User: test Select_priv: N Insert_priv: N Update_priv: N Delete_priv: N Create_priv: N Drop_priv: N Reload_priv: N Shutdown_priv: N Process_priv: N File_priv: N Grant_priv: N References_priv: N Index_priv: N Alter_priv: N Show_db_priv: N Super_priv: N Create_tmp_table_priv: N Lock_tables_priv: N Execute_priv: N Repl_slave_priv: N Repl_client_priv: N Create_view_priv: N Show_view_priv: N Create_routine_priv: N Alter_routine_priv: N Create_user_priv: N Event_priv: N Trigger_priv: N Create_tablespace_priv: N ssl_type: ssl_cipher: x509_issuer: x509_subject: max_questions: 0 max_updates: 0 max_connections: 0 max_user_connections: 0 plugin: mysql_native_password authentication_string: *94BDCEBE19083CE2A1F959FD02F964C7AF4CFC29 password_expired: N password_last_changed: 2016-11-30 13:10:01 password_lifetime: NULL account_locked: N 1 row in set (0.00 sec)
如果在G后加了一个分号结束语句该语句,那么将会在执行结果的最后有no query specified这个一个错误。G 后不需要加分号。 |
那么问题来了,为什么两种查看用户权限的方式给出的结果不一样?而且在创建用户时明明赋予了select,delete,drop,create
权限但是第二种方法给出的结果中相应项都被标注为‘N'?是不是用grant命令给用户赋予权限失败了呢?应该以哪个结果为准呢?
究其原因是:select * from user where user='test' G;给出的是全局的权限,而不是针对某个DB或者SCHEMA得权限。赋权
语句是grant select,delete,drop,create on foo.* to test@localhost identified by 'test';也就是针对foo这个数据库赋权。那么
自然会得出权限为‘N’的结果。那所创建 的用户是否具有我预期指定的对数据库foo的操作权限呢?
我们再新建另一个用户test2,这次我们只给该用户赋予create权限
mysql> grant create on foo.* to test2@localhost identified by 'test2';
使用mysql> select * from user where user='test2' G 查看权限时所有权限妥妥的都是N.
我们先后使用test和test2登录mysql服务器。
1.test root@deamon-H55M-S2:/etc/init.d# mysql -u test -p Enter password: Welcome to the MySQL monitor. Commands end with ; or g. Your MySQL connection id is 13 Server version: 5.7.16-0ubuntu0.16.04.1 (Ubuntu) Copyright (c) 2000, 2016, Oracle and/or its affiliates. All rights reserved. Oracle is a registered trademark of Oracle Corporation and/or its affiliates. Other names may be trademarks of their respective owners. Type 'help;' or 'h' for help. Type 'c' to clear the current input statement. mysql> use foo; Reading table information for completion of table and column names You can turn off this feature to get a quicker startup with -A Database changed mysql> show tables; +---------------+ | Tables_in_foo | +---------------+ | children | | runoob_tbl | | tcount_tbl | +---------------+ 3 rows in set (0.00 sec) mysql> select childno from children; +---------+ | childno | +---------+ | 1 | | 2 | | 3 | | 4 | | 5 | | 6 | | 7 | | 8 | +---------+ 8 rows in set (0.00 sec) 2.test2 oot@deamon-H55M-S2:/etc/init.d# mysql -u test2 -p Enter password: Welcome to the MySQL monitor. Commands end with ; or g. Your MySQL connection id is 14 Server version: 5.7.16-0ubuntu0.16.04.1 (Ubuntu) Copyright (c) 2000, 2016, Oracle and/or its affiliates. All rights reserved. Oracle is a registered trademark of Oracle Corporation and/or its affiliates. Other names may be trademarks of their respective owners. Type 'help;' or 'h' for help. Type 'c' to clear the current input statement. mysql> use foo; Reading table information for completion of table and column names You can turn off this feature to get a quicker startup with -A Database changed mysql> select childno from children; ERROR 1142 (42000): SELECT command denied to user 'test2'@'localhost' for table 'children' mysql>
从结果中可以看出test select操作成功了,但是test2的select操作被拒绝了,这跟我们未给test2用户赋予select权限相符。
结论:
mysql> select * from user where user='test' G方式查看的是全局权限,结果中的N不代表我们的赋权失败了。如果将创建语句改为
grant create on *.* to test2@localhost identified by 'test';那么结果就会都是’Y‘了。
两种查看用户权限的方式都没有错误,只是所代表的权限意义略有不同。show grants for test@localhost;方式能给我们更准确权限情况。
附文章深入学习MySQL授权表一篇:http://tech.it168.com/a2010/0114/837/000000837456.shtml