diff --git a/sql-statements/sql-statement-create-user.md b/sql-statements/sql-statement-create-user.md
index c61c6c8cd518d..ac3d83f8ace1b 100644
--- a/sql-statements/sql-statement-create-user.md
+++ b/sql-statements/sql-statement-create-user.md
@@ -37,17 +37,42 @@ This statement creates a new user, specified with a password. In the MySQL privi
 ## Examples
+Create a user with the `newuserpassword` password.
+
 ```sql
 mysql> CREATE USER 'newuser' IDENTIFIED BY 'newuserpassword';
 Query OK, 1 row affected (0.04 sec)
+```
+Create a user who can only log in to `192.168.1.1`.
+
+```sql
 mysql> CREATE USER 'newuser2'@'192.168.1.1' IDENTIFIED BY 'newuserpassword';
 Query OK, 1 row affected (0.02 sec)
 ```
+Create a user who is enforced to log in using TLS connection.
+
+```sql
+CREATE USER 'newuser3'@'%' REQUIRE SSL IDENTIFIED BY 'newuserpassword';
+Query OK, 1 row affected (0.02 sec)
+```
+
+Create a user who is required to use X.509 certificate at login.
+
+```sql
+CREATE USER 'newuser4'@'%' REQUIRE ISSUER '/C=US/ST=California/L=San Francisco/O=PingCAP' IDENTIFIED BY 'newuserpassword';
+Query OK, 1 row affected (0.02 sec)
+```
+
 ## MySQL compatibility
-* Several of the `CREATE` options are not yet supported by TiDB, and will be parsed but ignored.
+The following `CREATE USER` options are not yet supported by TiDB, and will be parsed but ignored:
+
+* TiDB does not support `WITH MAX_QUERIES_PER_HOUR`, `WITH MAX_UPDATES_PER_HOUR`, and `WITH MAX_USER_CONNECTIONS` options.
+* TiDB does not support the `DEFAULT ROLE` option.
+* TiDB does not support `PASSWORD EXPIRE`, `PASSWORD HISTORY` or other options related to password.
+* TiDB does not support the `ACCOUNT LOCK` and `ACCOUNT UNLOCK` options.
 ## See also
diff --git a/sql-statements/sql-statement-drop-user.md b/sql-statements/sql-statement-drop-user.md
index 35ec7abc7ca57..9757a73a7c843 100644
--- a/sql-statements/sql-statement-drop-user.md
+++ b/sql-statements/sql-statement-drop-user.md
@@ -8,6 +8,7 @@ aliases: ['/docs/stable/reference/sql/statements/drop-user/']
 # DROP USER
 This statement removes a user from the TiDB system database. The optional keyword `IF EXISTS` can be used to silence an error if the user does not exist.
+This statement requires the `CREATE USER` privilege.
 ## Synopsis
@@ -25,10 +26,10 @@ This statement removes a user from the TiDB system database. The optional keywor
 mysql> DROP USER idontexist;
 ERROR 1396 (HY000): Operation DROP USER failed for idontexist@%
-mysql> DROP USER IF EXISTS idontexist;
+mysql> DROP USER IF EXISTS 'idontexist';
 Query OK, 0 rows affected (0.01 sec)
-mysql> CREATE USER newuser IDENTIFIED BY 'mypassword';
+mysql> CREATE USER 'newuser' IDENTIFIED BY 'mypassword';
 Query OK, 1 row affected (0.02 sec)
 mysql> GRANT ALL ON test.* TO 'newuser';
@@ -54,10 +55,10 @@ mysql> SHOW GRANTS FOR 'newuser';
 +-------------------------------------+
 1 row in set (0.00 sec)
-mysql> DROP USER newuser;
+mysql> DROP USER 'newuser';
 Query OK, 0 rows affected (0.14 sec)
-mysql> SHOW GRANTS FOR newuser;
+mysql> SHOW GRANTS FOR 'newuser';
 ERROR 1141 (42000): There is no such grant defined for user 'newuser' on host '%'
 ```
diff --git a/sql-statements/sql-statement-flush-privileges.md b/sql-statements/sql-statement-flush-privileges.md
index 26d61ddac78c1..f86644bda6384 100644
--- a/sql-statements/sql-statement-flush-privileges.md
+++ b/sql-statements/sql-statement-flush-privileges.md
@@ -8,6 +8,7 @@ aliases: ['/docs/stable/reference/sql/statements/flush-privileges/']
 # FLUSH PRIVILEGES
 This statement triggers TiDB to reload the in-memory copy of privileges from the privilege tables. You should execute `FLUSH PRIVILEGES` after making manual edits to tables such as `mysql.user`. Executing this statement is not required after using privilege statements such as `GRANT` or `REVOKE`.
+Executing this statement requires the `RELOAD` privilege.
 ## Synopsis
diff --git a/sql-statements/sql-statement-grant-privileges.md b/sql-statements/sql-statement-grant-privileges.md
index 489ec8548352c..2d018150ecafe 100644
--- a/sql-statements/sql-statement-grant-privileges.md
+++ b/sql-statements/sql-statement-grant-privileges.md
@@ -8,6 +8,7 @@ aliases: ['/docs/stable/reference/sql/statements/grant-privileges/']
 # `GRANT `
 This statement allocates privileges to a pre-existing user in TiDB. The privilege system in TiDB follows MySQL, where credentials are assigned based on a database/table pattern.
+Executing this statement requires the `GRANT OPTION` privilege and all privileges you allocate.
 ## Synopsis
@@ -42,7 +43,7 @@ This statement allocates privileges to a pre-existing user in TiDB. The privileg
 ## Examples
 ```sql
-mysql> CREATE USER newuser IDENTIFIED BY 'mypassword';
+mysql> CREATE USER 'newuser' IDENTIFIED BY 'mypassword';
 Query OK, 1 row affected (0.02 sec)
 mysql> GRANT ALL ON test.* TO 'newuser';
diff --git a/sql-statements/sql-statement-revoke-privileges.md b/sql-statements/sql-statement-revoke-privileges.md
index 3c0acd996df25..154efd10c017b 100644
--- a/sql-statements/sql-statement-revoke-privileges.md
+++ b/sql-statements/sql-statement-revoke-privileges.md
@@ -8,6 +8,7 @@ aliases: ['/docs/stable/reference/sql/statements/revoke-privileges/']
 # `REVOKE `
 This statement removes privileges from an existing user.
+Executing this statement requires the `GRANT OPTION` privilege and all privileges you revoke.
 ## Synopsis
@@ -42,7 +43,7 @@ This statement removes privileges from an existing user.
 ## Examples
 ```sql
-mysql> CREATE USER newuser IDENTIFIED BY 'mypassword';
+mysql> CREATE USER 'newuser' IDENTIFIED BY 'mypassword';
 Query OK, 1 row affected (0.02 sec)
 mysql> GRANT ALL ON test.* TO 'newuser';
@@ -68,10 +69,10 @@ mysql> SHOW GRANTS FOR 'newuser';
 +-------------------------------------+
 1 row in set (0.00 sec)
-mysql> DROP USER newuser;
+mysql> DROP USER 'newuser';
 Query OK, 0 rows affected (0.14 sec)
-mysql> SHOW GRANTS FOR newuser;
+mysql> SHOW GRANTS FOR 'newuser';
 ERROR 1141 (42000): There is no such grant defined for user 'newuser' on host '%'
 ```
diff --git a/sql-statements/sql-statement-set-password.md b/sql-statements/sql-statement-set-password.md
index c74e5b97de58c..3fc7bed5fc49d 100644
--- a/sql-statements/sql-statement-set-password.md
+++ b/sql-statements/sql-statement-set-password.md
@@ -24,7 +24,7 @@ Query OK, 0 rows affected (0.01 sec)
 mysql> CREATE USER 'newuser' IDENTIFIED BY 'test';
 Query OK, 1 row affected (0.00 sec)
-mysql> SHOW CREATE USER newuser;
+mysql> SHOW CREATE USER 'newuser';
 +----------------------------------------------------------------------------------------------------------------------------------------------------------------------+
 | CREATE USER for newuser@% |
 +----------------------------------------------------------------------------------------------------------------------------------------------------------------------+
@@ -35,7 +35,7 @@ mysql> SHOW CREATE USER newuser;
 mysql> SET PASSWORD FOR newuser = 'test';
 Query OK, 0 rows affected (0.01 sec)
-mysql> SHOW CREATE USER newuser;
+mysql> SHOW CREATE USER 'newuser';
 +----------------------------------------------------------------------------------------------------------------------------------------------------------------------+
 | CREATE USER for newuser@% |
 +----------------------------------------------------------------------------------------------------------------------------------------------------------------------+
@@ -46,7 +46,7 @@ mysql> SHOW CREATE USER newuser;
 mysql> SET PASSWORD FOR newuser = PASSWORD('test'); -- deprecated syntax from earlier MySQL releases
 Query OK, 0 rows affected (0.00 sec)
-mysql> SHOW CREATE USER newuser;
+mysql> SHOW CREATE USER 'newuser';
 +----------------------------------------------------------------------------------------------------------------------------------------------------------------------+
 | CREATE USER for newuser@% |
 +----------------------------------------------------------------------------------------------------------------------------------------------------------------------+