This topic describes the syntax for role-based privilege management, with examples.

PolarDB-X is compatible with the role-based privilege control of native MySQL 8.0. For the MySQL documentation, see Role-based privilege control.

Create roles

Syntax:

CREATE ROLE role [, role]...

The role parameter, like user, consists of two parts, Name and Host:
  • Name cannot be empty;
  • Host must satisfy the following rules:
    • It must be a plain IP address. It may contain underscores (_) and percent signs (%), but these two symbols are treated as two ordinary characters and carry no wildcard meaning;
    • Leaving Host empty is equivalent to %, but this is still an exact match and carries no wildcard meaning.

Example:

CREATE ROLE 'role_ro'@'%', 'role_write';

Drop roles

Syntax:

DROP ROLE role [, role] ...

Example:

DROP ROLE 'role_ro'@'%';

Grant roles

Grant privileges to a role

Syntax:

GRANT priv_type [, priv_type] ... ON priv_level TO role [, role]... [WITH GRANT OPTION]

Example:

GRANT ALL PRIVILEGES ON db1.* TO 'role_write';

Grant roles to users

Syntax:

GRANT role [, role] ...
    TO user_or_role [, user_or_role] ...
    [WITH ADMIN OPTION]

Notes:
  • Executing this statement requires one of the following conditions to be met:
    • The current user has the CREATE_USER privilege;
    • The current user has admin privilege on the role;
  • If the WITH ADMIN OPTION clause is included, the target user obtains admin privilege on the role;
  • Granting a role to a user does not mean that the user holds the privileges of that role. You must also use the SET DEFAULT ROLE and SET ROLE statements to activate the roles the user needs.

Example:

GRANT 'role_write' TO 'user1'@'127.0.0.1';

Set default roles

Syntax:

SET DEFAULT ROLE
    {NONE | ALL | role [, role ] ...}
    TO user [, user ] ...

Executing this statement requires one of the following conditions to be met:
  • The roles named in the statement have already been granted to the target user with the GRANT statement;
  • The current user is the target user, or the current user has the CREATE_USER privilege.

Example:

SET DEFAULT ROLE 'role_write' TO 'user1'@'127.0.0.1';

Set roles for the current connection

Syntax:

SET ROLE {
    DEFAULT
  | NONE
  | ALL
  | ALL EXCEPT role [, role ] ...
  | role [, role ] ...
}

Notes:
  • If SET ROLE DEFAULT is executed, the active roles are the roles selected by the SET DEFAULT ROLE statement;
  • Roles activated with this syntax take effect only for the user on the current connection.

Example:

SET ROLE 'role_write';

View role privileges

Syntax:

SHOW GRANTS
    [FOR user_or_role
        [USING role [, role] ...]]

Example:

SHOW GRANTS FOR 'role_write'@'%';
+---------------------------------------------------+
| GRANTS FOR 'ROLE_WRITE'@'%'                       |
+---------------------------------------------------+
| GRANT USAGE ON *.* TO 'role_write'@'%'            |
| GRANT ALL PRIVILEGES ON db1.* TO 'role_write'@'%' |
+---------------------------------------------------+

SHOW GRANTS FOR 'user1'@'127.0.0.1' USING 'role_write';
+------------------------------------------------------+
| GRANTS FOR 'USER1'@'127.0.0.1'                       |
+------------------------------------------------------+
| GRANT USAGE ON *.* TO 'user1'@'127.0.0.1'            |
| GRANT ALL PRIVILEGES ON db1.* TO 'user1'@'127.0.0.1' |
| GRANT 'role_write'@'%' TO 'user1'@'127.0.0.1'        |
+------------------------------------------------------+

-- Executed in user1's session
SELECT CURRENT_ROLE();
+------------------+
| CURRENT_ROLE()   |
+------------------+
| 'role_write'@'%' |
+------------------+
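The statements above are shown one at a time; the following added example (not from the PolarDB-X documentation) strings them together into the least-privilege provisioning flow they are meant to support: a read-only role and a write role with distinct privilege sets, both granted to an account, only the read-only role activated by default, and SHOW GRANTS used to verify the effective privileges. It assumes database db1 and the account 'user1'@'127.0.0.1' already exist, that the session runs as an account holding CREATE_USER, and that CURRENT_ROLE() reports NONE when no role is active, as it does in MySQL 8.0.

```sql
-- Added worked example, not part of the PolarDB-X documentation.
-- Assumes: db1 exists, 'user1'@'127.0.0.1' exists, and this session
-- runs as an account that holds CREATE_USER (hypothetical admin account).

-- 1. Two roles with distinct privilege sets. Host is an exact match,
--    so 'role_ro'@'%' and 'role_ro' name the same role (empty host = %).
CREATE ROLE 'role_ro'@'%', 'role_write'@'%';

-- 2. Least privilege per role: the read-only role gets SELECT only;
--    the write role gets DML but no DDL and no GRANT OPTION.
GRANT SELECT ON db1.* TO 'role_ro';
GRANT SELECT, INSERT, UPDATE, DELETE ON db1.* TO 'role_write';

-- 3. Attach both roles to the account. Granting alone activates nothing:
--    the account gains no privileges until a role is activated.
GRANT 'role_ro', 'role_write' TO 'user1'@'127.0.0.1';

-- 4. Activate only the read-only role for new sessions. role_write stays
--    granted but inactive until the session explicitly runs SET ROLE.
SET DEFAULT ROLE 'role_ro' TO 'user1'@'127.0.0.1';

-- 5. Verify: effective privileges through the default role alone,
--    then through everything that is granted.
SHOW GRANTS FOR 'user1'@'127.0.0.1' USING 'role_ro';
SHOW GRANTS FOR 'user1'@'127.0.0.1' USING 'role_ro', 'role_write';

-- 6. In a separate connection opened as user1 (session-scoped):
-- SELECT CURRENT_ROLE();     -- expected 'role_ro'@'%'
-- SET ROLE 'role_write';     -- activates the write role for this connection only
-- SELECT CURRENT_ROLE();     -- expected 'role_write'@'%'
-- SET ROLE DEFAULT;          -- back to the roles chosen by SET DEFAULT ROLE
-- SET ROLE NONE;             -- no roles active; CURRENT_ROLE() reports NONE
```

The two SHOW GRANTS ... USING calls are the check worth keeping in a runbook: the first shows what a fresh session actually gets, the second shows the ceiling the account can reach by activating every granted role.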

Revoke roles

Revoke privileges from a role

Syntax:

REVOKE priv_type [, priv_type] ... ON priv_level FROM role [, role]...

Example:

REVOKE ALL PRIVILEGES ON db1.* FROM 'role_write';

SHOW GRANTS FOR 'role_write'@'%';
+----------------------------------------+
| GRANTS FOR 'ROLE_WRITE'@'%'            |
+----------------------------------------+
| GRANT USAGE ON *.* TO 'role_write'@'%' |
+----------------------------------------+

Revoke roles from a user

Syntax:

REVOKE role [, role ] ... FROM user_or_role [, user_or_role ] ...

Example:

SHOW GRANTS FOR 'user1'@'127.0.0.1';
+-----------------------------------------------+
| GRANTS FOR 'USER1'@'127.0.0.1'                |
+-----------------------------------------------+
| GRANT USAGE ON *.* TO 'user1'@'127.0.0.1'     |
| GRANT SELECT ON db1.* TO 'user1'@'127.0.0.1'  |
| GRANT 'role_write'@'%' TO 'user1'@'127.0.0.1' |
+-----------------------------------------------+

REVOKE 'role_write' FROM 'user1'@'127.0.0.1';

SHOW GRANTS FOR 'user1'@'127.0.0.1';
+----------------------------------------------+
| GRANTS FOR 'USER1'@'127.0.0.1'               |
+----------------------------------------------+
| GRANT USAGE ON *.* TO 'user1'@'127.0.0.1'    |
| GRANT SELECT ON db1.* TO 'user1'@'127.0.0.1' |
+----------------------------------------------+
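The revoke statements above each show a single step; the following added example (not from the PolarDB-X documentation) orders them into a complete de-provisioning sequence with a verification after each step, so that a direct grant left behind on the account (the SELECT ON db1.* line in the output above) is noticed rather than assumed gone. It assumes the roles and the account 'user1'@'127.0.0.1' from the earlier examples exist and that the session runs as an account holding CREATE_USER.

```sql
-- Added worked example, not part of the PolarDB-X documentation.
-- Assumes: role_write and 'user1'@'127.0.0.1' exist, and this session
-- runs as an account that holds CREATE_USER (hypothetical admin account).

-- 1. Baseline: record what the account holds before changing anything,
--    so the effect of each revoke can be compared against it.
SHOW GRANTS FOR 'user1'@'127.0.0.1';

-- 2. Detach the role from the account. Privileges granted directly to the
--    account (for example SELECT ON db1.*) are not touched by this statement
--    and must be reviewed separately.
REVOKE 'role_write' FROM 'user1'@'127.0.0.1';
SHOW GRANTS FOR 'user1'@'127.0.0.1';   -- role line gone; direct grants remain

-- 3. Strip the privileges from the role itself. Every account that still
--    holds role_write stops resolving these privileges through it.
REVOKE ALL PRIVILEGES ON db1.* FROM 'role_write';
SHOW GRANTS FOR 'role_write'@'%';      -- only USAGE ON *.* should remain

-- 4. Retire the role once no account needs it.
DROP ROLE 'role_write'@'%';

-- 5. Final state of the account: any remaining line is a direct grant
--    that role revocation cannot remove, and needs its own REVOKE.
SHOW GRANTS FOR 'user1'@'127.0.0.1';
```

Step 2 is the one that catches the common mistake: revoking a role looks like it removes access, but the SHOW GRANTS output on this page shows the direct SELECT grant surviving it, so the check in step 5 is what confirms the account is actually reduced to what was intended.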