diff --git a/TOC.md b/TOC.md index 7175ea99160a6..23421ce26b82d 100644 --- a/TOC.md +++ b/TOC.md @@ -213,6 +213,7 @@ - [`SELECT`](/sql-statements/sql-statement-select.md) - [`SET [NAMES|CHARACTER SET]`](/sql-statements/sql-statement-set-names.md) - [`SET PASSWORD`](/sql-statements/sql-statement-set-password.md) + + [`SET ROLE`](/sql-statements/sql-statement-set-role.md) - [`SET TRANSACTION`](/sql-statements/sql-statement-set-transaction.md) - [`SET [GLOBAL|SESSION] `](/sql-statements/sql-statement-set-variable.md) - [`SHOW ANALYZE STATUS`](/sql-statements/sql-statement-show-analyze-status.md) diff --git a/media/sqlgram/SetDefaultRoleOpt.png b/media/sqlgram/SetDefaultRoleOpt.png new file mode 100644 index 0000000000000..02cb81cb85dec Binary files /dev/null and b/media/sqlgram/SetDefaultRoleOpt.png differ diff --git a/media/sqlgram/SetRoleOpt.png b/media/sqlgram/SetRoleOpt.png new file mode 100644 index 0000000000000..96fd1e018e27e Binary files /dev/null and b/media/sqlgram/SetRoleOpt.png differ diff --git a/media/sqlgram/SetRoleStmt.png b/media/sqlgram/SetRoleStmt.png new file mode 100644 index 0000000000000..a2ddc85338583 Binary files /dev/null and b/media/sqlgram/SetRoleStmt.png differ diff --git a/sql-statements/sql-statement-set-role.md b/sql-statements/sql-statement-set-role.md new file mode 100644 index 0000000000000..c3ab6f79fb44a --- /dev/null +++ b/sql-statements/sql-statement-set-role.md @@ -0,0 +1,113 @@ +--- +title: SET ROLE | TiDB SQL Statement Reference +summary: An overview of the usage of SET ROLE for the TiDB database. +category: reference +--- + +# SET ROLE + +The `SET ROLE` statement is used to enable roles in the current session. After enabling roles, users can use the privileges of the role(s). + +## Synopsis + +**SetRoleStmt:** + +![SetRoleStmt](/media/sqlgram/SetRoleStmt.png) + +**SetRoleOpt:** + +![SetRoleOpt](/media/sqlgram/SetRoleOpt.png) + +**SetDefaultRoleOpt:** + +![SetDefaultRoleOpt](/media/sqlgram/SetDefaultRoleOpt.png) + +## Examples + +Create a user `'u1'@'%'` and three roles: `'r1'@'%'`, `'r2'@'%'` and `'r3'@'%'`. +Grant these roles to `'u1'@'%'` and set `'r1'@'%'` as the defualt role of `'u1'@'%'`. + +{{< copyable "sql" >}} + +```sql +CREATE USER 'u1'@'%'; +CREATE ROLE 'r1', 'r2', 'r3'; +GRANT 'r1', 'r2', 'r3' TO 'u1'@'%'; +SET DEFAULT ROLE 'r1' TO 'u1'@'%'; +``` + +Log in as `'u1'@'%'` and execute the following `SET ROLE` statement to enable all roles. + +{{< copyable "sql" >}} + +```sql +SET ROLE ALL; +SELECT CURRENT_ROLE(); +``` + +``` ++----------------------------+ +| CURRENT_ROLE() | ++----------------------------+ +| `r1`@`%`,`r2`@`%`,`r3`@`%` | ++----------------------------+ +1 row in set (0.000 sec) +``` + +Execute the following `SET ROLE` statement to enable `'r2'` and `'r3'`. + +{{< copyable "sql" >}} + +```sql +SET ROLE 'r2', 'r3'; +SELECT CURRENT_ROLE(); +``` + +``` ++-------------------+ +| CURRENT_ROLE() | ++-------------------+ +| `r2`@`%`,`r3`@`%` | ++-------------------+ +1 row in set (0.000 sec) +``` + +Execute the following `SET ROLE` statement to enable the default role(s). + +{{< copyable "sql" >}} + +```sql +SET ROLE DEFAULT; +SELECT CURRENT_ROLE(); +``` + +``` ++----------------+ +| CURRENT_ROLE() | ++----------------+ +| `r1`@`%` | ++----------------+ +1 row in set (0.000 sec) +``` + +Execute the following `SET ROLE` statement to cancel all enabled role(s). + +{{< copyable "sql" >}} + +```sql +SET ROLE NONE; +SELECT CURRENT_ROLE(); +``` + +``` ++----------------+ +| CURRENT_ROLE() | ++----------------+ +| | ++----------------+ +1 row in set (0.000 sec) +``` + +## See also + +* [Role-Based Access Control](/role-based-access-control.md)