When creating a user we usually use the grant command and assign the appropriate privileges at the same time. For example, we create a user named test and give it the select, delete, drop and create privileges on all tables in the database foo:
grant select,delete,drop,create on foo.* to test@localhost identified by 'test';
Then, from what I found online, there are two ways to view a user's privileges:
1. mysql> show grants for test@localhost;
2. mysql> select * from user where user='test' \G
First we try the first one:
mysql> show grants for test@localhost;
+---------------------------------------------------------------------+
| Grants for test@localhost                                           |
+---------------------------------------------------------------------+
| GRANT USAGE ON *.* TO 'test'@'localhost'                            |
| GRANT SELECT, DELETE, CREATE, DROP ON `foo`.* TO 'test'@'localhost' |
+---------------------------------------------------------------------+
2 rows in set (0.00 sec)
The result is easy to read and matches our expectation.
Then we try the other way:
mysql> select * from user where user='test' \G
The output is as follows:
*************************** 1. row ***************************
                  Host: localhost
                  User: test
           Select_priv: N
           Insert_priv: N
           Update_priv: N
           Delete_priv: N
           Create_priv: N
             Drop_priv: N
           Reload_priv: N
         Shutdown_priv: N
          Process_priv: N
             File_priv: N
            Grant_priv: N
       References_priv: N
            Index_priv: N
            Alter_priv: N
          Show_db_priv: N
            Super_priv: N
 Create_tmp_table_priv: N
      Lock_tables_priv: N
          Execute_priv: N
       Repl_slave_priv: N
      Repl_client_priv: N
      Create_view_priv: N
        Show_view_priv: N
   Create_routine_priv: N
    Alter_routine_priv: N
      Create_user_priv: N
            Event_priv: N
          Trigger_priv: N
Create_tablespace_priv: N
              ssl_type:
            ssl_cipher:
           x509_issuer:
          x509_subject:
         max_questions: 0
           max_updates: 0
       max_connections: 0
  max_user_connections: 0
                plugin: mysql_native_password
 authentication_string: *94BDCEBE19083CE2A1F959FD02F964C7AF4CFC29
      password_expired: N
 password_last_changed: 2016-11-30 13:10:01
     password_lifetime: NULL
        account_locked: N
1 row in set (0.00 sec)
If you add a semicolon after \G to terminate the statement, the output ends with a "no query specified" error. \G needs no semicolon after it.
So here is the question: why do the two ways of viewing user privileges give different results? We clearly granted select, delete, drop and create when creating the user, yet in the second method's result the corresponding items are all marked 'N'. Did the grant command fail to assign the privileges? Which result should we trust?
The reason is that select * from user where user='test' \G shows global privileges, not privileges on a particular database or schema. The grant statement was grant select,delete,drop,create on foo.* to test@localhost identified by 'test'; that is, it grants privileges on the database foo only, so 'N' at the global level is the natural result. Does the user we created actually have the privileges on database foo that I intended?
We create another user, test2, and this time give it only the create privilege:
mysql> grant create on foo.* to test2@localhost identified by 'test2';
When we check with mysql> select * from user where user='test2' \G, every privilege is again N.
Next we log in to the MySQL server as test and then as test2.
1. test
root@deamon-H55M-S2:/etc/init.d# mysql -u test -p
Enter password:
Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 13
Server version: 5.7.16-0ubuntu0.16.04.1 (Ubuntu)

Copyright (c) 2000, 2016, Oracle and/or its affiliates. All rights reserved.

Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

mysql> use foo;
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A

Database changed
mysql> show tables;
+---------------+
| Tables_in_foo |
+---------------+
| children      |
| runoob_tbl    |
| tcount_tbl    |
+---------------+
3 rows in set (0.00 sec)

mysql> select childno from children;
+---------+
| childno |
+---------+
|       1 |
|       2 |
|       3 |
|       4 |
|       5 |
|       6 |
|       7 |
|       8 |
+---------+
8 rows in set (0.00 sec)

2. test2
root@deamon-H55M-S2:/etc/init.d# mysql -u test2 -p
Enter password:
Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 14
Server version: 5.7.16-0ubuntu0.16.04.1 (Ubuntu)

Copyright (c) 2000, 2016, Oracle and/or its affiliates. All rights reserved.

Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

mysql> use foo;
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A

Database changed
mysql> select childno from children;
ERROR 1142 (42000): SELECT command denied to user 'test2'@'localhost' for table 'children'
mysql>
The results show that test's select succeeded while test2's select was denied, which matches the fact that we never granted test2 the select privilege.
Conclusion:
The mysql> select * from user where user='test' \G method shows global privileges; an N in its result does not mean our grant failed. If the creation statement were changed to grant create on *.* to test2@localhost identified by 'test'; then the result would show 'Y'.
Neither way of viewing user privileges is wrong; they simply represent privileges of slightly different scope. show grants for test@localhost; gives us the more accurate picture of a user's privileges.
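The two views can be reconciled by reading the privilege rows of both scopes side by side: grants ON *.* are stored in mysql.user and grants ON foo.* in mysql.db. This is an added example, not part of the original post; it assumes MySQL 5.7 with the test and test2 accounts created as above, run as an account allowed to read the mysql system tables.

```sql
-- Added example (not from the original post). Assumes MySQL 5.7 with the users
-- test and test2 created as above, run as an account allowed to read mysql.*.

-- Privileges granted ON *.* live in mysql.user (global scope); privileges
-- granted ON foo.* live in mysql.db (database scope). Reading both tables
-- together explains the 'N' columns seen in mysql.user for test.
SELECT 'global'   AS scope, Host, User, '*' AS Db,
       Select_priv, Delete_priv, Create_priv, Drop_priv
  FROM mysql.user
 WHERE User IN ('test', 'test2')
UNION ALL
SELECT 'database' AS scope, Host, User, Db,
       Select_priv, Delete_priv, Create_priv, Drop_priv
  FROM mysql.db
 WHERE User IN ('test', 'test2')
 ORDER BY User, scope;

-- A privilege audit therefore has to cover every scope. This lists each account
-- that may DROP something, whether the grant was global or per-database;
-- checking mysql.user alone would miss test's DROP on foo.
SELECT Host, User, '*' AS Db FROM mysql.user WHERE Drop_priv = 'Y'
UNION ALL
SELECT Host, User, Db      FROM mysql.db   WHERE Drop_priv = 'Y'
 ORDER BY User, Db;
```

Table- and column-level grants are stored separately again, in mysql.tables_priv and mysql.columns_priv, which is why show grants, which merges all scopes into one listing, remains the quicker check for a single account.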
Appendix: an in-depth article on the MySQL grant tables: http://tech.it168.com/a2010/0114/837/000000837456.shtml