在创建用户的时候我们通常采用grant命令完成,并同时赋予相应的权限,例如我们创建一个名为test的用户,g并赋予其对数据库foo下所有表格select,delete,drop,create权限:
grant select,delete,drop,create on foo.* to test@localhost identified by 'test';
随后通过网上了解到的用户权限查看方式,有两种
1. mysql> show grants for test@localhost;
2. mysql> select * from user where user='test' \G
首先我们试着采用:
mysql> show grants for test@localhost;
+---------------------------------------------------------------------+
| Grants for test@localhost |
+---------------------------------------------------------------------+
| GRANT USAGE ON *.* TO 'test'@'localhost' |
| GRANT SELECT, DELETE, CREATE, DROP ON `foo`.* TO 'test'@'localhost' |
+---------------------------------------------------------------------+
2 rows in set (0.00 sec)
结果上很容易理解,结果与我们的预期一致。
然后我们再试试另一种方式:
mysql> select * from user where user='test' \G
查看,输出结果如下:
*************************** 1. row ***************************
Host: localhost
User: test
Select_priv: N
Insert_priv: N
Update_priv: N
Delete_priv: N
Create_priv: N
Drop_priv: N
Reload_priv: N
Shutdown_priv: N
Process_priv: N
File_priv: N
Grant_priv: N
References_priv: N
Index_priv: N
Alter_priv: N
Show_db_priv: N
Super_priv: N
Create_tmp_table_priv: N
Lock_tables_priv: N
Execute_priv: N
Repl_slave_priv: N
Repl_client_priv: N
Create_view_priv: N
Show_view_priv: N
Create_routine_priv: N
Alter_routine_priv: N
Create_user_priv: N
Event_priv: N
Trigger_priv: N
Create_tablespace_priv: N
ssl_type:
ssl_cipher:
x509_issuer:
x509_subject:
max_questions: 0
max_updates: 0
max_connections: 0
max_user_connections: 0
plugin: mysql_native_password
authentication_string: *94BDCEBE19083CE2A1F959FD02F964C7AF4CFC29
password_expired: N
password_last_changed: 2016-11-30 13:10:01
password_lifetime: NULL
account_locked: N
1 row in set (0.00 sec)
| 如果在\G后加了一个分号结束语句该语句,那么将会在执行结果的最后有no query specified这个一个错误。\G 后不需要加分号。 |
那么问题来了,为什么两种查看用户权限的方式给出的结果不一样?而且在创建用户时明明赋予了select,delete,drop,create
权限但是第二种方法给出的结果中相应项都被标注为‘N'?是不是用grant命令给用户赋予权限失败了呢?应该以哪个结果为准呢?
究其原因是:select * from user where user='test' \G;给出的是全局的权限,而不是针对某个DB或者SCHEMA得权限。赋权
语句是grant select,delete,drop,create on foo.* to test@localhost identified by 'test';也就是针对foo这个数据库赋权。那么
自然会得出权限为‘N’的结果。那所创建 的用户是否具有我预期指定的对数据库foo的操作权限呢?
我们再新建另一个用户test2,这次我们只给该用户赋予create权限
mysql> grant create on foo.* to test2@localhost identified by 'test2';
使用mysql> select * from user where user='test2' \G 查看权限时所有权限妥妥的都是N.
我们先后使用test和test2登录mysql服务器。
1.test
root@deamon-H55M-S2:/etc/init.d# mysql -u test -p
Enter password:
Welcome to the MySQL monitor. Commands end with ; or \g.
Your MySQL connection id is 13
Server version: 5.7.16-0ubuntu0.16.04.1 (Ubuntu) Copyright (c) 2000, 2016, Oracle and/or its affiliates. All rights reserved. Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners. Type 'help;' or '\h' for help. Type '\c' to clear the current input statement. mysql> use foo;
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A Database changed
mysql> show tables;
+---------------+
| Tables_in_foo |
+---------------+
| children |
| runoob_tbl |
| tcount_tbl |
+---------------+
3 rows in set (0.00 sec) mysql> select childno from children;
+---------+
| childno |
+---------+
| 1 |
| 2 |
| 3 |
| 4 |
| 5 |
| 6 |
| 7 |
| 8 |
+---------+
8 rows in set (0.00 sec) 2.test2
oot@deamon-H55M-S2:/etc/init.d# mysql -u test2 -p
Enter password:
Welcome to the MySQL monitor. Commands end with ; or \g.
Your MySQL connection id is 14
Server version: 5.7.16-0ubuntu0.16.04.1 (Ubuntu) Copyright (c) 2000, 2016, Oracle and/or its affiliates. All rights reserved. Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners. Type 'help;' or '\h' for help. Type '\c' to clear the current input statement. mysql> use foo;
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A Database changed
mysql> select childno from children;
ERROR 1142 (42000): SELECT command denied to user 'test2'@'localhost' for table 'children'
mysql>
从结果中可以看出test select操作成功了,但是test2的select操作被拒绝了,这跟我们未给test2用户赋予select权限相符。
结论:
mysql> select * from user where user='test' \G方式查看的是全局权限,结果中的N不代表我们的赋权失败了。如果将创建语句改为
grant create on *.* to test2@localhost identified by 'test';那么结果就会都是’Y‘了。
两种查看用户权限的方式都没有错误,只是所代表的权限意义略有不同。show grants for test@localhost;方式能给我们更准确权限情况。
附文章深入学习MySQL授权表一篇:http://tech.it168.com/a2010/0114/837/000000837456.shtml