From 99f2f9a269dba6147f937f6b45bf411a1158ec41 Mon Sep 17 00:00:00 2001 From: imtbkcat Date: Tue, 30 Jun 2020 12:19:49 +0800 Subject: [PATCH 01/12] update privilege management --- privilege-management.md | 93 ++++++++++++++++++++++++----------------- 1 file changed, 55 insertions(+), 38 deletions(-) diff --git a/privilege-management.md b/privilege-management.md index e3b84c3a5940a..b3d574c665557 100644 --- a/privilege-management.md +++ b/privilege-management.md @@ -82,27 +82,7 @@ mysql> SELECT user,host,password FROM mysql.user WHERE user='idontexist'; 1 row in set (0.00 sec) ``` -> **Note:** -> -> Granting privileges to a database or table does not check if the database or table exists. - -```sql -mysql> SELECT * FROM test.xxxx; -ERROR 1146 (42S02): Table 'test.xxxx' doesn't exist - -mysql> GRANT ALL PRIVILEGES ON test.xxxx TO xxxx; -Query OK, 0 rows affected (0.00 sec) - -mysql> SELECT user,host FROM mysql.tables_priv WHERE user='xxxx'; -+------|------+ -| user | host | -+------|------+ -| xxxx | % | -+------|------+ -1 row in set (0.00 sec) -``` - -You can use fuzzy matching to grant privileges to databases and tables. +You can use fuzzy matching to grant privileges to databases. ```sql mysql> GRANT ALL PRIVILEGES ON `te%`.* TO genius; 
@@ -172,28 +152,35 @@ You can use the `SHOW GRANTS` statement to see what privileges are granted to a ```sql SHOW GRANTS; -- show grants for the current user + ++-------------------------------------------------------------+ +| Grants for User | ++-------------------------------------------------------------+ +| GRANT ALL PRIVILEGES ON *.* TO 'root'@'%' WITH GRANT OPTION | ++-------------------------------------------------------------+ SHOW GRANTS FOR 'root'@'%'; -- show grants for a specific user ``` -To be more precise, you can check the privilege information in the `Grant` table. For example, you can use the following steps to check if the `test@%` user has the `Insert` privilege on `db1.t`: - -1. Check if `test@%` has global `Insert` privilege: +For example, create a user `rw_user@192.168.%` and grant it with write privilege on `test.write_table` and global read privilege. - ```sql - SELECT Insert_priv FROM mysql.user WHERE user='test' AND host='%'; - ``` - -2. If not, check if `test@%` has database-level `Insert` privilege at `db1`: - - ```sql - SELECT Insert_priv FROM mysql.db WHERE user='test' AND host='%'; - ``` +```sql +CREATE USER `rw_user`@`192.168.%`; +GRANT SELECT ON *.* TO `rw_user`@`192.168.%`; +GRANT INSERT, UPDATE ON `test`.`write_table` TO `rw_user`@`192.168.%`; +``` -3. If the result is still empty, check whether `test@%` has table-level `Insert` privilege at `db1.t`: +Show grants for this user. 
- ```sql - SELECT table_priv FROM mysql.tables_priv WHERE user='test' AND host='%' AND db='db1'; - ``` +```sql +SHOW GRANTS FOR `rw_user`@`192.168.%`; + ++------------------------------------------------------------------+ +| Grants for rw_user@192.168.% | ++------------------------------------------------------------------+ +| GRANT Select ON *.* TO 'rw_user'@'192.168.%' | +| GRANT Insert,Update ON test.write_table TO 'rw_user'@'192.168.%' | ++------------------------------------------------------------------+ +``` ## Privileges required for TiDB operations @@ -212,6 +199,8 @@ You can check privileges of TiDB users in the `INFORMATION_SCHEMA.USER_PRIVILEGE | Insert | `InsertPriv` | Inserts data to a table | | Update | `UpdatePriv` | Updates the table data | | Delete | `DeletePriv` | Deleted the table data | +| Reload | `ReloadPriv` | Executes the `FLUSH` statement | +| Config | `ConfigPriv` | Dynamicly reload configuration | | Trigger | `TriggerPriv` | / | | Process | `ProcessPriv` | Displays the running task | | Execute | `ExecutePriv` | Executes the `EXECUTE` statement | @@ -268,6 +257,10 @@ Requires the `INDEX` privilege for the table. Requires the `DROP` privilege for the table. +### LOAD DATA + +Requires the `INSERT` privilege for the table. + ### TRUNCATE TABLE Requires the `DROP` privilege for the table. @@ -286,6 +279,8 @@ Requires the `INSERT` and `SELECT` privileges for the table. `SHOW CREATE VIEW` requires the `SHOW VIEW` privilege. +`SHOW GRANTS` requires the `SELECT` privilege to the `mysql` database. If the target user is current user, `SHOW GRANTS` dosen't require any privilege. + ### CREATE ROLE/USER `CREATE ROLE` requires the `CREATE ROLE` privilege. 
@@ -306,9 +301,31 @@ Requires the `CREATE USER` privilege. Requires the `GRANT` privilege with the privileges granted by `GRANT`. +Requires additional `CREATE USER` privilege when create user implicitly. + +`GRANT ROLE` requires `SUPER` privilege. + ### REVOKE -Requires the `SUPER` privilege. +Requires the `GRANT` privilege and those privileges targeted by `REVOKE` statement. + +`REVOKE ROLE` requires `SUPER` privilege. + +### SET GLOBAL + +Requires `SUPER` privielges. + +### ADMIN + +Requires `SUPER` privielges. + +### SET DEFAULT ROLE + +Requires `SUPER` privielges. + +### KILL + +Requires `SUPER` privielges when killing other user connections. ## Implementation of the privilege system From fdbc14ceb45769c22c3d0a5f23264f6ed01441d3 Mon Sep 17 00:00:00 2001 From: Lingyu Song Date: Mon, 6 Jul 2020 14:39:11 +0800 Subject: [PATCH 02/12] Update privilege-management.md Co-authored-by: TomShawn <41534398+TomShawn@users.noreply.github.com> --- privilege-management.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/privilege-management.md b/privilege-management.md index b3d574c665557..aaa97b0f38197 100644 --- a/privilege-management.md +++ b/privilege-management.md @@ -82,7 +82,7 @@ mysql> SELECT user,host,password FROM mysql.user WHERE user='idontexist'; 1 row in set (0.00 sec) ``` -You can use fuzzy matching to grant privileges to databases. +You can use fuzzy matching in `GRANT` to grant privileges to databases. ```sql mysql> GRANT ALL PRIVILEGES ON `te%`.* TO genius; From aa5859b98dd3fffa48a8956a9ca277a9c6768a25 Mon Sep 17 00:00:00 2001 From: Lingyu Song Date: Mon, 6 Jul 2020 14:39:18 +0800 Subject: [PATCH 03/12] Update privilege-management.md Co-authored-by: TomShawn <41534398+TomShawn@users.noreply.github.com> --- privilege-management.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/privilege-management.md b/privilege-management.md index aaa97b0f38197..24270bc4a261b 100644 --- a/privilege-management.md 
+++ b/privilege-management.md @@ -161,7 +161,7 @@ SHOW GRANTS; -- show grants for the current user SHOW GRANTS FOR 'root'@'%'; -- show grants for a specific user ``` -For example, create a user `rw_user@192.168.%` and grant it with write privilege on `test.write_table` and global read privilege. +For example, create a user `rw_user@192.168.%` and grant the user with write privilege on the `test.write_table` table and global read privilege. ```sql CREATE USER `rw_user`@`192.168.%`; From 50d49728a8b1ed425c4a24736ef927ec3690107e Mon Sep 17 00:00:00 2001 From: Lingyu Song Date: Mon, 6 Jul 2020 14:39:28 +0800 Subject: [PATCH 04/12] Update privilege-management.md Co-authored-by: TomShawn <41534398+TomShawn@users.noreply.github.com> --- privilege-management.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/privilege-management.md b/privilege-management.md index 24270bc4a261b..779269df181ba 100644 --- a/privilege-management.md +++ b/privilege-management.md @@ -169,7 +169,7 @@ GRANT SELECT ON *.* TO `rw_user`@`192.168.%`; GRANT INSERT, UPDATE ON `test`.`write_table` TO `rw_user`@`192.168.%`; ``` -Show grants for this user. +Show granted privileges of the `rw_user@192.168.%` user: ```sql SHOW GRANTS FOR `rw_user`@`192.168.%`; From b3206594b3e32913fb8bf5fc394630e090453ee3 Mon Sep 17 00:00:00 2001 From: Lingyu Song Date: Mon, 6 Jul 2020 14:39:36 +0800 Subject: [PATCH 05/12] Update privilege-management.md Co-authored-by: TomShawn <41534398+TomShawn@users.noreply.github.com> --- privilege-management.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/privilege-management.md b/privilege-management.md index 779269df181ba..26258d74524d5 100644 --- a/privilege-management.md +++ b/privilege-management.md 
@@ -200,7 +200,7 @@ You can check privileges of TiDB users in the `INFORMATION_SCHEMA.USER_PRIVILEGE | Update | `UpdatePriv` | Updates the table data | | Delete | `DeletePriv` | Deleted the table data | | Reload | `ReloadPriv` | Executes the `FLUSH` statement | -| Config | `ConfigPriv` | Dynamicly reload configuration | +| Config | `ConfigPriv` | Dynamically reloads configuration | | Trigger | `TriggerPriv` | / | | Process | `ProcessPriv` | Displays the running task | | Execute | `ExecutePriv` | Executes the `EXECUTE` statement | From 5187f8aff1c5bd817be4d9800bc3cc0aafaf0930 Mon Sep 17 00:00:00 2001 From: Lingyu Song Date: Mon, 6 Jul 2020 14:39:43 +0800 Subject: [PATCH 06/12] Update privilege-management.md Co-authored-by: TomShawn <41534398+TomShawn@users.noreply.github.com> --- privilege-management.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/privilege-management.md b/privilege-management.md index 26258d74524d5..e982ca7aff6a6 100644 --- a/privilege-management.md +++ b/privilege-management.md @@ -301,7 +301,7 @@ Requires the `CREATE USER` privilege. Requires the `GRANT` privilege with the privileges granted by `GRANT`. -Requires additional `CREATE USER` privilege when create user implicitly. +Requires additional `CREATE USER` privilege to create a user implicitly. `GRANT ROLE` requires `SUPER` privilege. From d1738b70423b8209ae8209248b6f89a8ead298ef Mon Sep 17 00:00:00 2001 From: Lingyu Song Date: Mon, 6 Jul 2020 14:39:51 +0800 Subject: [PATCH 07/12] Update privilege-management.md Co-authored-by: TomShawn <41534398+TomShawn@users.noreply.github.com> --- privilege-management.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/privilege-management.md b/privilege-management.md index e982ca7aff6a6..fde99ba17b2bb 100644 --- a/privilege-management.md +++ b/privilege-management.md 
@@ -307,7 +307,7 @@ Requires additional `CREATE USER` privilege to create a user implicitly. ### REVOKE -Requires the `GRANT` privilege and those privileges targeted by `REVOKE` statement. +Requires the `GRANT` privilege and those privileges targeted by the `REVOKE` statement. `REVOKE ROLE` requires `SUPER` privilege. From df380ce509e26a5b8ac60044d37231961e8a42ca Mon Sep 17 00:00:00 2001 From: Lingyu Song Date: Mon, 6 Jul 2020 14:40:01 +0800 Subject: [PATCH 08/12] Update privilege-management.md Co-authored-by: TomShawn <41534398+TomShawn@users.noreply.github.com> --- privilege-management.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/privilege-management.md b/privilege-management.md index fde99ba17b2bb..6cf254cd3a385 100644 --- a/privilege-management.md +++ b/privilege-management.md @@ -313,7 +313,7 @@ Requires the `GRANT` privilege and those privileges targeted by the `REVOKE` sta ### SET GLOBAL -Requires `SUPER` privielges. +Requires `SUPER` privilege to set global variables. ### ADMIN From 6585de0232274c8e8bed47c7479377e8bd4550b5 Mon Sep 17 00:00:00 2001 From: Lingyu Song Date: Mon, 6 Jul 2020 14:41:39 +0800 Subject: [PATCH 09/12] Update privilege-management.md Co-authored-by: TomShawn <41534398+TomShawn@users.noreply.github.com> --- privilege-management.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/privilege-management.md b/privilege-management.md index 6cf254cd3a385..67a4a5024db91 100644 --- a/privilege-management.md +++ b/privilege-management.md @@ -317,7 +317,7 @@ Requires `SUPER` privilege to set global variables. ### ADMIN -Requires `SUPER` privielges. +Requires `SUPER` privilege. ### SET DEFAULT ROLE From 8aa8e7472a91d8a954c7e3764dd66c23edfbcb9c Mon Sep 17 00:00:00 2001 
From: Lingyu Song Date: Mon, 6 Jul 2020 14:41:49 +0800 Subject: [PATCH 10/12] Update privilege-management.md Co-authored-by: TomShawn <41534398+TomShawn@users.noreply.github.com> --- privilege-management.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/privilege-management.md b/privilege-management.md index 67a4a5024db91..be0896c739534 100644 --- a/privilege-management.md +++ b/privilege-management.md @@ -321,7 +321,7 @@ Requires `SUPER` privilege. ### SET DEFAULT ROLE -Requires `SUPER` privielges. +Requires `SUPER` privilege. ### KILL From 05c0ef4c300c030c1e0eb331903b5dea20719da6 Mon Sep 17 00:00:00 2001 From: Lingyu Song Date: Mon, 6 Jul 2020 14:42:00 +0800 Subject: [PATCH 11/12] Update privilege-management.md Co-authored-by: TomShawn <41534398+TomShawn@users.noreply.github.com> --- privilege-management.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/privilege-management.md b/privilege-management.md index be0896c739534..104cf0ff50a64 100644 --- a/privilege-management.md +++ b/privilege-management.md @@ -325,7 +325,7 @@ Requires `SUPER` privilege. ### KILL -Requires `SUPER` privielges when killing other user connections. +Requires `SUPER` privilege to kill other user sessions. ## Implementation of the privilege system From 2f388cebf6336ee4bf150f3bb7db16b53086dc4b Mon Sep 17 00:00:00 2001 From: Lingyu Song Date: Mon, 6 Jul 2020 14:42:13 +0800 Subject: [PATCH 12/12] Update privilege-management.md Co-authored-by: TomShawn <41534398+TomShawn@users.noreply.github.com> --- privilege-management.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/privilege-management.md b/privilege-management.md index 104cf0ff50a64..6bbe8976ae1cb 100644 --- a/privilege-management.md +++ b/privilege-management.md 
@@ -279,7 +279,7 @@ Requires the `INSERT` and `SELECT` privileges for the table. `SHOW CREATE VIEW` requires the `SHOW VIEW` privilege. -`SHOW GRANTS` requires the `SELECT` privilege to the `mysql` database. If the target user is current user, `SHOW GRANTS` dosen't require any privilege. +`SHOW GRANTS` requires the `SELECT` privilege to the `mysql` database. If the target user is current user, `SHOW GRANTS` does not require any privilege. ### CREATE ROLE/USER
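Review bot: In the first hunk of PATCH 01 (`@@ -82,27 +82,7 @@`), the removed note about `GRANT` not checking that a database or table exists is dropped without the commit message saying whether the behaviour changed or only the documentation; if TiDB now rejects grants on nonexistent objects, say so and name the version, because the old behaviour is exactly the kind of thing an operator relies on when auditing stray grants. The rewritten sentence also silently narrows "databases and tables" to "databases"; state explicitly that `%` matching applies to database names only (as in the `te%`.* example) and is not accepted in table names, so the narrowing reads as a rule and not as an omission.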
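Review bot: In the second hunk of PATCH 01 (`@@ -172,28 +152,35 @@`), the `rw_user@192.168.%` example grants `SELECT ON *.*`, which also covers the `mysql` schema; combined with the earlier `SELECT user,host,password FROM mysql.user` example, a reader copying this "read-only" pattern gets a user that can read account rows and password hashes on every host matching `192.168.%`. Either scope the read grant to the `test` database for the example or add one sentence noting that global `SELECT` includes `mysql.*`. Two smaller points: the `SHOW GRANTS` output table is inserted between `SHOW GRANTS;` and `SHOW GRANTS FOR 'root'@'%';` inside one fence, so it reads as the second statement's input; split the fence after the output. And the removed three-step lookup against `mysql.user`, `mysql.db` and `mysql.tables_priv` was the only place this page said where privilege data is stored; keep at least a pointer to those tables, since `SHOW GRANTS` is a summary and the tables are what an audit query reads.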
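Review bot: In the third hunk of PATCH 01 (`@@ -212,6 +199,8 @@`), the new `Config` row reads "Dynamicly reload configuration", which PATCH 06 later corrects to "Dynamically reloads configuration"; squash that fix into this commit so the series does not land a typo and then fix it. The adjacent context row "Deleted the table data" has the same tense slip and should read "Deletes the table data" while this table is being touched.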
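Review bot: In the fourth hunk of PATCH 01 (`@@ -268,6 +257,10 @@`), the new `LOAD DATA` entry says only "Requires the `INSERT` privilege for the table"; clarify whether this covers `LOAD DATA LOCAL INFILE` only or also server-side files, and whether any file-level privilege is involved, since readers will compare this against MySQL, where the two forms have different requirements.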
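Review bot: In the fifth hunk of PATCH 01 (`@@ -286,6 +279,8 @@`), "requires the `SELECT` privilege to the `mysql` database" should be "on the `mysql` database", and it would help to say whether a database-level grant on `mysql` is needed or whether a global `SELECT` (what the `rw_user` example grants) already satisfies it. PATCH 12 fixes "dosen't" in this line but leaves "If the target user is current user"; make it "is the current user" in the same commit.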
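Review bot: In the sixth hunk of PATCH 01 (`@@ -306,9 +301,31 @@`), changing `REVOKE` from "Requires the `SUPER` privilege" to "Requires the `GRANT` privilege and those privileges targeted by `REVOKE`" is a documented change in who may strip privileges, not a wording fix; the commit message ("update privilege management") should name the TiDB version in which this took effect so operators on older releases are not told their `GRANT`-holding accounts can revoke. The four identical "Requires `SUPER` privielges." lines added here are each corrected by a separate follow-up (PATCH 08 to PATCH 11, one per line); squash those into this commit. The new `ADMIN` section should also say which `ADMIN` statements it covers, since `SUPER` on all of them is a strong claim for a one-word heading.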
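Review bot: In PATCH 03 (`@@ -161,7 +161,7 @@`), "grant the user with write privilege on the `test.write_table` table" is still ungrammatical; use "grant the user write privilege on the `test.write_table` table and global read privilege".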