MySQL列权限和程序权限管理

Posted

tags:

篇首语:本文由小常识网(cha138.com)小编为大家整理,主要介绍了MySQL列权限和程序权限管理相关的知识,希望对你有一定的参考价值。

列权限管理

            mysql是由列级别权限存在的。这也体现了MySQL高级特性。实现了限制用户对表上特定列的访问权限。
            一般都是实现对表级别不具备访问权限,但是对某些列有访问权限。当然也存在其他情形。

1# 列权限相关的字典表:

([email protected])[mysql]> desc columns_priv;
+-------------+----------------------------------------------+------+-----+-------------------+-----------------------------+
| Field       | Type                                         | Null | Key | Default           | Extra                       |
+-------------+----------------------------------------------+------+-----+-------------------+-----------------------------+
| Host        | char(60)                                     | NO   | PRI |                   |                             |
| Db          | char(64)                                     | NO   | PRI |                   |                             |
| User        | char(16)                                     | NO   | PRI |                   |                             |
| Table_name  | char(64)                                     | NO   | PRI |                   |                             |
| Column_name | char(64)                                     | NO   | PRI |                   |                             |
| Timestamp   | timestamp                                    | NO   |     | CURRENT_TIMESTAMP | on update CURRENT_TIMESTAMP |
| Column_priv | set(‘Select‘,‘Insert‘,‘Update‘,‘References‘) | NO   |     |                   |                             |
+-------------+----------------------------------------------+------+-----+-------------------+-----------------------------+
7 rows in set (0.00 sec)
            总共7列,很好理解。一条特定的列级别权限共需要定义5个维度,host+db+user+table+column。可授予的
            权限种类分为4中,select, insert, update, refernces。其中前3项已经投入使用,references在5.6中还未正式
            生效。

2# 授权方法
列权限的授权方法和其他维度的授权方法有些许的差异,因为并非按照想像中会用on db.table.column这样的形式,而是将列名附带在授权种类之后:
测试update,确认没有update权限在name列上,表上也没有。

([email protected])[sample2]> update smp set name=‘bbb‘;
ERROR 1142 (42000): UPDATE command denied to user ‘test1‘@‘localhost‘ for table ‘smp‘
([email protected])[sample2]> 
            对name列授权update:
([email protected])[mysql]> grant update (name) on sample2.smp to test1;
Query OK, 0 rows affected (0.00 sec)
            再次尝试update  name列,更新成功。
([email protected])[sample2]> update smp set name=‘bbb‘;
Query OK, 1 row affected (0.00 sec)
Rows matched: 1  Changed: 1  Warnings: 0
            验证update  id列,可以预见的失败:
([email protected])[sample2]> update smp set id=2;
ERROR 1143 (42000): UPDATE command denied to user ‘test1‘@‘localhost‘ for column ‘id‘ in table ‘smp‘

3# 权限的查询:
4个方式,一个是show grants,另一个是跑sql查询字典表,DBA可以查询mysql.columns_priv, 普通用户可以查询information_schema.COLUMN_PRIVILEGES。两者有细微的差别,但主要列一样,第四种方式是查询mysql.tables_priv。

#1,直接show grants
([email protected])[mysql]> show grants for test1;
+------------------------------------------------------------------------------------------------------+
| Grants for [email protected]%                                                                                   |
+------------------------------------------------------------------------------------------------------+
| GRANT USAGE ON *.* TO ‘test1‘@‘%‘ IDENTIFIED BY PASSWORD ‘*CFA887C680E792C2DCF622D56FB809E3F8BE63CC‘ |
| GRANT SELECT ON `sample2`.* TO ‘test1‘@‘%‘                                                           |
| GRANT ALL PRIVILEGES ON `sample`.* TO ‘test1‘@‘%‘ WITH GRANT OPTION                                  |
| GRANT SELECT ON `mysql`.`user` TO ‘test1‘@‘%‘                                                        |
| GRANT UPDATE (name) ON `sample2`.`smp` TO ‘test1‘@‘%‘                                                |
| GRANT ALL PRIVILEGES ON `sample`.`smp` TO ‘test1‘@‘%‘                                                |
+------------------------------------------------------------------------------------------------------+
6 rows in set (0.00 sec)

#2,查询mysql.columns_priv;
([email protected])[mysql]> select * from mysql.columns_priv;
+------+---------+-------+------------+-------------+---------------------+-------------+
| Host | Db      | User  | Table_name | Column_name | Timestamp           | Column_priv |
+------+---------+-------+------------+-------------+---------------------+-------------+
| %    | sample2 | test1 | smp        | name        | 0000-00-00 00:00:00 | Update      |
+------+---------+-------+------------+-------------+---------------------+-------------+
1 row in set (0.00 sec)

#3,查询information_schema.COLUMN_PRIVILEGES
([email protected])[mysql]> select * from information_schema.COLUMN_PRIVILEGES;
+-------------+---------------+--------------+------------+-------------+----------------+--------------+
| GRANTEE     | TABLE_CATALOG | TABLE_SCHEMA | TABLE_NAME | COLUMN_NAME | PRIVILEGE_TYPE | IS_GRANTABLE |
+-------------+---------------+--------------+------------+-------------+----------------+--------------+
| ‘test1‘@‘%‘ | def           | sample2      | smp        | name        | UPDATE         | NO           |
+-------------+---------------+--------------+------------+-------------+----------------+--------------+
1 row in set (0.00 sec)

#4,查询mysql.tables_priv
([email protected])[mysql]> select * from mysql.tables_priv where db=‘sample2‘;
+------+---------+-------+------------+----------------+---------------------+------------+-------------+
| Host | Db      | User  | Table_name | Grantor        | Timestamp           | Table_priv | Column_priv |
+------+---------+-------+------------+----------------+---------------------+------------+-------------+
| %    | sample2 | test1 | smp        | [email protected] | 0000-00-00 00:00:00 |            | Update      |
+------+---------+-------+------------+----------------+---------------------+------------+-------------+
1 row in set (0.00 sec)

程序权限管理

            MySQL的程序(process/routine)
            一个全局权限:CREATE ROUTINE,在user,db表中体现
            三个对象级权限,主要分为procedure和function两个对象类型。对于程序而言他们的权限种类有
            1,EXECUTE #执行权限
            2,ALTER ROUTINE #修改权限
            3,GRANT  #授予权限

            相关的字典表:
([email protected])[mysql]> desc procs_priv;
+--------------+----------------------------------------+------+-----+-------------------+-----------------------------+
| Field        | Type                                   | Null | Key | Default           | Extra                       |
+--------------+----------------------------------------+------+-----+-------------------+-----------------------------+
| Host         | char(60)                               | NO   | PRI |                   |                             |
| Db           | char(64)                               | NO   | PRI |                   |                             |
| User         | char(16)                               | NO   | PRI |                   |                             |
| Routine_name | char(64)                               | NO   | PRI |                   |                             |
| Routine_type | enum(‘FUNCTION‘,‘PROCEDURE‘)           | NO   | PRI | NULL              |                             |
| Grantor      | char(77)                               | NO   | MUL |                   |                             |
| Proc_priv    | set(‘Execute‘,‘Alter Routine‘,‘Grant‘) | NO   |     |                   |                             |
| Timestamp    | timestamp                              | NO   |     | CURRENT_TIMESTAMP | on update CURRENT_TIMESTAMP |
+--------------+----------------------------------------+------+-----+-------------------+-----------------------------+
8 rows in set (0.00 sec)

以上是关于MySQL列权限和程序权限管理的主要内容,如果未能解决你的问题,请参考以下文章

MySQL用户和权限管理

MySQL 之用户和权限管理

MySQL 之用户和权限管理

MySQL系列——MySQL用户和权限管理

MySQL用户管理

mysql用户管理