当客户端连贯 MySQL 服务器时,必须提供无效的身份认证,例如用户名和明码。当用户执行任何数据库操作时,服务器将会验证用户是否具备相应的权限,例如查问表须要 SELECT 权限,删除对象须要 DROP 权限。
为了不便用户权限的治理,MySQL 8.0 提供了角色的性能。角色(Role)是一组权限的汇合。
本篇咱们探讨 MySQL 中的账户和权限的治理。
5.1 治理用户
5.1.1 创立用户
MySQL 应用 CREATE USER 语句创立用户,根本语法如下:
CREATE USER [IF NOT EXISTS] account_name
IDENTIFIED BY 'password';其中,account_name 是账户名称;账户名称分为两个局部:用户名(user_name)和主机名(host_name),应用 % 连贯。IDENTIFIED BY 用于指定用户的明码。IF NOT EXISTS 用于防止创立重名账户时产生错误信息。
以下语句创立一个新的用户 dev01,它能够从本机登录(localhost):
mysql> CREATE USER dev01@localhost IDENTIFIED BY 'Dev01@mysql';
Query OK, 0 rows affected (0.21 sec)MySQL 中的账户由用户名和主机名独特决定,主机 office.example.com 上的 dev01 和主机 home.example.com 上的 dev01 是两个账户。如果不指定主机名,示意用户能够从任何主机登录:
user_name
user_name@%% 是通配符,示意任何字符串;另外,_ 示意任意单个字符。
如果用户名或主机名中蕴含特殊字符,例如空格或者 –,须要应用引号别离援用这两局部内容:
'user-name'@'host-name'除了单引号之外,也能够应用反引号(`)或者双引号(”)。
MySQL 中的账户信息存储在零碎数据库 mysql 的 user 表中:
mysql> select host, user from mysql.user;
+-----------+------------------+
| host | user |
+-----------+------------------+
| localhost | dev01 |
| localhost | mysql.infoschema |
| localhost | mysql.session |
| localhost | mysql.sys |
| localhost | root |
+-----------+------------------+
5 rows in set (0.00 sec)除了 dev01@localhost 之外,其余 4 个用户都是初始化创立的零碎用户。
除了根本语法之外,创立用户时还能够指定更多选项:
resource_option: {
MAX_QUERIES_PER_HOUR count
| MAX_UPDATES_PER_HOUR count
| MAX_CONNECTIONS_PER_HOUR count
| MAX_USER_CONNECTIONS count
}resource_option 用于限度该用户对系统资源的应用:
- MAX_QUERIES_PER_HOUR,每小时容许执行的查问次数。默认为 0,示意没有限度;
- MAX_UPDATES_PER_HOUR,每小时容许执行的更新次数。默认为 0,示意没有限度;
- MAX_CONNECTIONS_PER_HOUR,每小时容许执行的连贯次数。默认为 0,示意没有限度;
- MAX_USER_CONNECTIONS,该用户并发连贯的数量。默认为 0,示意没有限度;此时用户的并发连接数由零碎变量 max_user_connections 决定。
以下语句创立一个新的账户 dev02,容许从任何主机登录。同时限度该用户每小时最多执行 1000 次查问和 100 次更新:
mysql> CREATE USER 'dev02'@'%'
-> WITH MAX_QUERIES_PER_HOUR 1000 MAX_UPDATES_PER_HOUR 100;
Query OK, 0 rows affected (0.01 sec)留神第二行的 -> 是客户端的提示符,不是输出的内容。查问零碎用户表能够显示以上设置:
mysql> select host, user, max_questions, max_updates from mysql.user;
+-----------+------------------+---------------+-------------+
| host | user | max_questions | max_updates |
+-----------+------------------+---------------+-------------+
| % | dev02 | 1000 | 100 |
| localhost | dev01 | 0 | 0 |
| localhost | mysql.infoschema | 0 | 0 |
| localhost | mysql.session | 0 | 0 |
| localhost | mysql.sys | 0 | 0 |
| localhost | root | 0 | 0 |
+-----------+------------------+---------------+-------------+
6 rows in set (0.00 sec)以下是明码治理选项:
password_option: {PASSWORD EXPIRE [DEFAULT | NEVER | INTERVAL N DAY]
| PASSWORD HISTORY {DEFAULT | N}
| PASSWORD REUSE INTERVAL {DEFAULT | N DAY}
| PASSWORD REQUIRE CURRENT [DEFAULT | OPTIONAL]
}明码治理选项能够用于设置明码的过期策略、重用策略和批改明码时的验证:
- PASSWORD EXPIRE,将明码立刻设置为过期;PASSWORD EXPIRE DEFAULT,应用全局的明码过期策略,由零碎变量 default_password_lifetime 决定;PASSWORD EXPIRE NEVER,明码永不过期;PASSWORD EXPIRE INTERVAL N DAY 明码每隔 N 天过期;
- PASSWORD HISTORY DEFAULT,应用全局的明码重用策略,由零碎变量 password_history 决定;PASSWORD HISTORY N,新密码与最近 N 次明码不能反复;
- PASSWORD REUSE INTERVAL DEFAULT,应用全局的明码重用策略(依照工夫距离指定),由零碎变量 password_reuse_interval 决定;PASSWORD REUSE INTERVAL N DAY,新密码与最近 N 天内的明码不能反复;
- PASSWORD REQUIRE CURRENT,用户批改明码时须要输出以后明码;PASSWORD REQUIRE CURRENT OPTIONAL,用户批改明码时不须要输出以后明码;PASSWORD REQUIRE CURRENT DEFAULT,应用全局策略,由零碎变量 password_require_current 决定。
账户的明码选项同样能够通过 mysql.user 表查看:
mysql> select host,user,
-> password_expired, password_last_changed,
-> password_lifetime, password_reuse_history,
-> password_reuse_time, password_require_current
-> from mysql.user;
+-----------+------------------+------------------+-----------------------+-------------------+------------------------+---------------------+--------------------------+
| host | user | password_expired | password_last_changed | password_lifetime | password_reuse_history | password_reuse_time | password_require_current |
+-----------+------------------+------------------+-----------------------+-------------------+------------------------+---------------------+--------------------------+
| % | dev02 | N | 2019-09-23 15:02:47 | NULL | NULL | NULL | NULL |
| localhost | dev01 | N | 2019-09-23 14:23:39 | NULL | NULL | NULL | NULL |
| localhost | mysql.infoschema | N | 2019-08-28 10:07:39 | NULL | NULL | NULL | NULL |
| localhost | mysql.session | N | 2019-08-28 10:07:39 | NULL | NULL | NULL | NULL |
| localhost | mysql.sys | N | 2019-08-28 10:07:39 | NULL | NULL | NULL | NULL |
| localhost | root | N | 2019-08-28 10:07:44 | NULL | NULL | NULL | NULL |
+-----------+------------------+------------------+-----------------------+-------------------+------------------------+---------------------+--------------------------+
6 rows in set (0.00 sec)以下是账户锁定选项:
lock_option: {
ACCOUNT LOCK
| ACCOUNT UNLOCK
}该选项用于指定是否锁定账户,锁定的账户无奈应用;默认为 ACCOUNT UNLOCK,不锁定账户。
5.1.2 批改用户
ALTER USER 语句能够批改用户的属性,批改用户的选项和创立用户雷同。
首先是批改用户的明码。以下语句用于批改用户 dev01 的明码:
mysql> ALTER USER dev01@localhost IDENTIFIED BY 'Dev01@2019';
Query OK, 0 rows affected (0.25 sec)MySQL 提供了 RENAME USER 语句,用于批改用户名:
mysql> RENAME USER dev02 TO dev03;
Query OK, 0 rows affected (0.26 sec)用户 dev02 被重命名为 dev03。
RENAME USER 语句主动将旧用户的权限授予新用户,然而不会主动解决旧用户上的对象依赖。例如,某个存储过程的定义者为旧的用户名,并且应用定义者权限运行时,将会产生谬误。
另一个常见的用户批改操作就是锁定账户和解锁账户:
mysql> ALTER USER dev01@localhost ACCOUNT LOCK;
Query OK, 0 rows affected (0.13 sec)用户 dev01 被锁定,此时无奈应用该用户进行连贯:
"C:\Program Files\MySQL\MySQL Server 8.0\bin\mysql.exe" -u dev01 -p
Enter password: **********
ERROR 3118 (HY000): Access denied for user 'dev01'@'localhost'. Account is locked.零碎变量 Locked_connects 用于记录锁定账户尝试登录的次数:
mysql> SHOW GLOBAL STATUS LIKE 'Locked_connects';
+-----------------+-------+
| Variable_name | Value |
+-----------------+-------+
| Locked_connects | 1 |
+-----------------+-------+
1 row in set (0.00 sec)最初咱们将 dev01 进行解锁:
mysql> ALTER USER dev01@localhost ACCOUNT UNLOCK;
Query OK, 0 rows affected (0.10 sec)5.1.3 删除用户
DROP USER 语句用于删除一个用户。以下语句将会删除用 dev03:
mysql> DROP USER dev03;
Query OK, 0 rows affected (0.14 sec)如果被删除的用户曾经连贯到 MySQL 服务器,用户能够继续执行操作;然而无奈建设新的连贯。
5.2 管理权限
新创建的用户默认只有 USAGE 权限,只能连贯数据库,而没有任何操作权限。应用 SHOW GRANTS 命令能够查看用户的权限:
mysql> SHOW GRANTS FOR dev01@localhost;
+-------------------------------------------+
| Grants for dev01@localhost |
+-------------------------------------------+
| GRANT USAGE ON *.* TO `dev01`@`localhost` |
+-------------------------------------------+
1 row in set (0.00 sec)应用 GRANT 语句能够为用户授予权限。
5.2.1 授予权限
GRANT 语句根本语法如下:
GRANT privilege, ...
ON privilege_level
TO account_name;GRANT 语句反对一次授予多个权限,应用逗号进行分隔。
privilege_level 指定权限的作用级别,包含:
-
全局权限 ,作用于 MySQL 服务器中的所有数据库。全局权限应用
*.*示意,例如,以下语句授予 dev01@localhost 用户查问所有数据库中的所有表的权限:mysql> GRANT SELECT -> ON *.* -> TO dev01@localhost; Query OK, 0 rows affected (0.01 sec) mysql> SHOW GRANTS FOR dev01@localhost; +--------------------------------------------+ | Grants for dev01@localhost | +--------------------------------------------+ | GRANT SELECT ON *.* TO `dev01`@`localhost` | +--------------------------------------------+ 1 row in set (0.00 sec)全局权限存储在 mysql.user 表中。
-
数据库权限 ,作用于指定数据库中的所有对象。数据库权限应用
db_name.*示意,例如,以下语句授予 dev01@localhost 用户查询数据库 world 中的所有表的权限:mysql> GRANT ALL -> ON world.* -> TO dev01@localhost; Query OK, 0 rows affected (0.01 sec) mysql> SHOW GRANTS FOR dev01@localhost; +----------------------------------------------------------+ | Grants for dev01@localhost | +----------------------------------------------------------+ | GRANT SELECT ON *.* TO `dev01`@`localhost` | | GRANT ALL PRIVILEGES ON `world`.* TO `dev01`@`localhost` | +----------------------------------------------------------+ 2 rows in set (0.00 sec)数据库权限存储在 mysql.db 表中。
-
表权限 ,作用于指定表的所有列。数据库权限应用
db_name.table_name示意;如果不指定 db_name,应用默认数据库;如果没有默认数据库,将会返回谬误。例如,以下语句授予 dev01@localhost 用户数据库 world 中 country 表的增删改查权限:mysql> GRANT SELECT, INSERT, UPDATE, DELETE -> ON world.country -> TO dev01@localhost; Query OK, 0 rows affected (0.01 sec) mysql> SHOW GRANTS FOR dev01@localhost; +----------------------------------------------------------------------------------+ | Grants for dev01@localhost | +----------------------------------------------------------------------------------+ | GRANT SELECT ON *.* TO `dev01`@`localhost` | | GRANT ALL PRIVILEGES ON `world`.* TO `dev01`@`localhost` | | GRANT SELECT, INSERT, UPDATE, DELETE ON `world`.`country` TO `dev01`@`localhost` | +----------------------------------------------------------------------------------+ 3 rows in set (0.00 sec)表权限存储在 mysql.tables_priv 表中。
- 列权限,作用于指定表的指定列。每个列权限都须要指定具体的列名。例如,以下语句授予 dev01@localhost 用户在 world.country 表中 code 和 name 字段的查问权限,以及 population 字段的批改权限:
mysql> GRANT SELECT(code, name), UPDATE(population) -> ON world.country -> TO dev01@localhost; Query OK, 0 rows affected (0.01 sec) mysql> SHOW GRANTS FOR dev01@localhost; +----------------------------------------------------------------------------------------------------------------------------------+ | Grants for dev01@localhost | +----------------------------------------------------------------------------------------------------------------------------------+ | GRANT SELECT ON *.* TO `dev01`@`localhost` | | GRANT ALL PRIVILEGES ON `world`.* TO `dev01`@`localhost` | | GRANT SELECT, SELECT (`code`, `name`), INSERT, UPDATE, UPDATE (`population`), DELETE ON `world`.`country` TO `dev01`@`localhost` | +----------------------------------------------------------------------------------------------------------------------------------+ 3 rows in set (0.00 sec)列权限存储在 mysql.columns_priv 表中。
- 存储例程权限,作用于存储例程(函数和过程)。存储例程权限能够基于全局、数据库或者单个例程进行指定。以下语句授予 dev01@localhost 用户在数据库 world.country 中创立存储例程的权限:
mysql> GRANT CREATE ROUTINE -> ON world.* -> TO dev01@localhost; Query OK, 0 rows affected (0.02 sec) mysql> SHOW GRANTS FOR dev01@localhost; +------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ | Grants for dev01@localhost | +------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ | GRANT SELECT ON *.* TO `dev01`@`localhost` | | GRANT SELECT, INSERT, UPDATE, DELETE, CREATE, DROP, REFERENCES, INDEX, ALTER, CREATE TEMPORARY TABLES, LOCK TABLES, EXECUTE, CREATE VIEW, SHOW VIEW, ALTER ROUTINE, EVENT, TRIGGER ON `world`.* TO `dev01`@`localhost` | | GRANT SELECT, SELECT (`code`, `name`), INSERT, UPDATE, UPDATE (`population`), DELETE ON `world`.`country` TO `dev01`@`localhost` | +------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ 3 rows in set (0.00 sec)存储例程权限存储在 mysql.procs_priv 表中。
- 代理用户权限,容许用户作为其余用户的代理。代理用户领有被代理用户的所有权限。以下语句将 dev01@localhost 用户设置为 root 用的代理:
mysql> GRANT PROXY -> ON root -> TO dev01@localhost; Query OK, 0 rows affected (0.01 sec) mysql> SHOW GRANTS FOR dev01@localhost; +------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ | Grants for dev01@localhost | +------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ | GRANT SELECT ON *.* TO `dev01`@`localhost` | | GRANT SELECT, INSERT, UPDATE, DELETE, CREATE, DROP, REFERENCES, INDEX, ALTER, CREATE TEMPORARY TABLES, LOCK TABLES, EXECUTE, CREATE VIEW, SHOW VIEW, ALTER ROUTINE, EVENT, TRIGGER ON `world`.* TO `dev01`@`localhost` | | GRANT SELECT, SELECT (`code`, `name`), INSERT, UPDATE, UPDATE (`population`), DELETE ON `world`.`country` TO `dev01`@`localhost` | | GRANT PROXY ON 'root'@'%' TO 'dev01'@'localhost' | +------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ 4 rows in set (0.00 sec)代理用户权限存储在 mysql.proxies_priv 表中。
5.2.2 撤销权限
REVOKE 语句执行与 GRANT 语句相同的操作,撤销授予用户的权限。
REVOKE privilegee, ..
ON privilege_level
FROM account_name;撤销权限的参数与授予权限时相似,以下语句撤销用户 dev01@localhost 所有的权限:
mysql> REVOKE ALL, GRANT OPTION
-> FROM dev01@localhost;
Query OK, 0 rows affected (0.01 sec)
mysql> SHOW GRANTS FOR dev01@localhost;
+--------------------------------------------------+
| Grants for dev01@localhost |
+--------------------------------------------------+
| GRANT USAGE ON *.* TO `dev01`@`localhost` |
| GRANT PROXY ON 'root'@'%' TO 'dev01'@'localhost' |
+--------------------------------------------------+
2 rows in set (0.00 sec)代理用户权限须要独自撤销:
mysql> REVOKE PROXY
-> ON root
-> FROM dev01@localhost;
Query OK, 0 rows affected (0.01 sec)
mysql> SHOW GRANTS FOR dev01@localhost;
+-------------------------------------------+
| Grants for dev01@localhost |
+-------------------------------------------+
| GRANT USAGE ON *.* TO `dev01`@`localhost` |
+-------------------------------------------+
1 row in set (0.00 sec)用户 dev01@localhost 又复原了初始的权限。
对于全局级别的权限,REVOKE 的成果在用户下次登录时失效;对于数据库级别的权限,REVOKE 的成果在执行 USE 命令后失效;对于表级或者字段级别的权限,REVOKE 的成果随后的查问立刻失效。
5.3 治理角色
当用户越来越多时,权限的治理也越来越简单;而实际上,许多用户须要雷同或相似的权限。为此,MySQL 8.0 引入了一个新的个性:角色(Role)。角色是一组权限的汇合。
与账户相似,角色也能够授予权限;然而角色不能用于登录数据库。通过角色为用户受权的步骤如下:
- 创立一个角色;
- 为角色受权权限;
- 为用户指定角色。
5.3.1 创立角色
假如咱们的利用须要应用 world 数据库。开发人员须要该数据库的齐全拜访权限,测试人员须要表的读写权限,业务剖析人员须要查问数据的权限。
首先,应用 CREATE ROLE 语句创立 3 个角色:
mysql> CREATE ROLE devp_role, read_role, write_role;
Query OK, 0 rows affected (0.02 sec)角色名称和账户名称相似,也能够蕴含 role_name 和 host_name 两局部,应用 @ 连贯。
此时如果查问用户表:
mysql> SELECT host,user,authentication_string FROM mysql.user;
+-----------+------------------+------------------------------------------------------------------------+
| host | user | authentication_string |
+-----------+------------------+------------------------------------------------------------------------+
| % | devp_role | |
| % | read_role | |
| % | write_role | |
| localhost | dev01 | $A$005$lw58QcU;QI|L`ktULChFhIVFxy5dsYrYmEhJkJqko4mezqefUFyT0zgyE2 |
| localhost | mysql.infoschema | $A$005$THISISACOMBINATIONOFINVALIDSALTANDPASSWORDTHATMUSTNEVERBRBEUSED |
| localhost | mysql.session | $A$005$THISISACOMBINATIONOFINVALIDSALTANDPASSWORDTHATMUSTNEVERBRBEUSED |
| localhost | mysql.sys | $A$005$THISISACOMBINATIONOFINVALIDSALTANDPASSWORDTHATMUSTNEVERBRBEUSED |
| localhost | root | $A$005$kDqbW(q*0Uev;TyKgUe56D9KXiFzPtrSGVxKjvM23CYN5pgE9dLrO0eT8 |
+-----------+------------------+------------------------------------------------------------------------+
8 rows in set (0.00 sec)能够看出,角色实际上也是一个用户,然而没有明码。
5.3.2 为角色受权
为角色受权和用户受权相似,也是应用 GRANT 语句。咱们别离为下面的 3 个角色调配权限:
mysql> GRANT ALL ON world.* TO devp_role;
Query OK, 0 rows affected (0.01 sec)
mysql> GRANT SELECT ON world.* TO read_role;
Query OK, 0 rows affected (0.01 sec)
mysql> GRANT INSERT, UPDATE, DELETE ON world.* TO write_role;
Query OK, 0 rows affected (0.01 sec)查看角色的权限和查问用户的权限相似:
mysql> SHOW GRANTS FOR devp_role;
+------------------------------------------------------+
| Grants for devp_role@% |
+------------------------------------------------------+
| GRANT USAGE ON *.* TO `devp_role`@`%` |
| GRANT ALL PRIVILEGES ON `world`.* TO `devp_role`@`%` |
+------------------------------------------------------+
2 rows in set (0.00 sec)5.3.2 为用户指定角色
接下来咱们创立几个用户,而后为他们别离指定角色。
mysql> CREATE USER devp1 IDENTIFIED BY 'Devp1@2019';
Query OK, 0 rows affected (0.01 sec)
mysql> CREATE USER read1 IDENTIFIED BY 'Read1@2019';
Query OK, 0 rows affected (0.01 sec)
mysql> CREATE USER test1 IDENTIFIED BY 'Test1@2019';
Query OK, 0 rows affected (0.04 sec)为用户指定角色和授予权限相似,也是应用 GRANT 语句:
mysql> GRANT devp_role TO devp1;
Query OK, 0 rows affected (0.01 sec)
mysql> GRANT read_role TO read1;
Query OK, 0 rows affected (0.01 sec)
mysql> GRANT read_role, write_role TO test1;
Query OK, 0 rows affected (0.01 sec)再次查问用户的权限:
mysql> SHOW GRANTS FOR devp1;
+--------------------------------------+
| Grants for devp1@% |
+--------------------------------------+
| GRANT USAGE ON *.* TO `devp1`@`%` |
| GRANT `devp_role`@`%` TO `devp1`@`%` |
+--------------------------------------+
2 rows in set (0.00 sec)如果想要晓得用户通过角色取得的具体权限,能够应用 USING 选项:
mysql> SHOW GRANTS FOR devp1 USING devp_role;
+--------------------------------------------------+
| Grants for devp1@% |
+--------------------------------------------------+
| GRANT USAGE ON *.* TO `devp1`@`%` |
| GRANT ALL PRIVILEGES ON `world`.* TO `devp1`@`%` |
| GRANT `devp_role`@`%` TO `devp1`@`%` |
+--------------------------------------------------+
3 rows in set (0.00 sec)另外,也能够通过将一个用户授予另一个用户,实现权限的复制:
mysql> GRANT read1 TO test1;
Query OK, 0 rows affected (0.09 sec)用户是具备登录权限的角色,角色是不能登录的用户。
5.3.4 设置默认角色
应用 devp1 连贯数据库:
"C:\Program Files\MySQL\MySQL Server 8.0\bin\mysql.exe" -u devp1 -p
Enter password: **********
Welcome to the MySQL monitor. Commands end with ; or \g.
Your MySQL connection id is 14
Server version: 8.0.17 MySQL Community Server - GPL
Copyright (c) 2000, 2019, Oracle and/or its affiliates. All rights reserved.
Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.
Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
mysql> use world;
ERROR 1044 (42000): Access denied for user 'devp1'@'%' to database 'world'咱们曾经为用户 devp1 授予了 devp_role 角色,该角色领有数据库 world 上的所有权限;谬误的起因在于该角色没有主动激活。应用 CURRENT_ROLE() 函数查看以后启动的角色:
mysql> SELECT current_role();
+----------------+
| current_role() |
+----------------+
| NONE |
+----------------+
1 row in set (0.00 sec)结果显示没有任何角色。SET DEFAULT ROLE命令能够设置用户默认的流动角色:
mysql> SET DEFAULT ROLE ALL
-> TO devp1;
Query OK, 0 rows affected (0.01 sec)再次应用 devp1 连贯数据库后,将会激活该用户所有的角色:
"C:\Program Files\MySQL\MySQL Server 8.0\bin\mysql.exe" -u devp1 -p
Enter password: **********
Welcome to the MySQL monitor. Commands end with ; or \g.
Your MySQL connection id is 15
Server version: 8.0.17 MySQL Community Server - GPL
Copyright (c) 2000, 2019, Oracle and/or its affiliates. All rights reserved.
Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.
Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
mysql> SELECT current_role();
+-----------------+
| current_role() |
+-----------------+
| `devp_role`@`%` |
+-----------------+
1 row in set (0.00 sec)
mysql> use world;
Database changed
mysql> select * from city limit 1;
+----+-------+-------------+----------+------------+
| ID | Name | CountryCode | District | Population |
+----+-------+-------------+----------+------------+
| 1 | Kabul | AFG | Kabol | 1780000 |
+----+-------+-------------+----------+------------+
1 row in set (0.00 sec)另一种形式就是应用 SET ROLE 命令设置以后会话的流动角色:
SET ROLE NONE;
SET ROLE ALL;
SET ROLE DEFAULT;以上语句别离示意不设置任何角色、设置所有角色以及设置默认的角色。
5.3.5 撤销角色的权限
撤销角色的权限与撤销用户的权限相似,撤销角色的权限同时会影响到具备该角色的用户。
以下语句撤销角色 write_role 的 DELETE 权限:
mysql> REVOKE DELETE
-> ON world.*
-> FROM write_role;
Query OK, 0 rows affected (0.14 sec)此时,用户 test1 上的相应权限也被撤销。
5.3.6 删除角色
DROP ROLE语句能够删除角色:
DROP ROLE role_name, ...;删除角色的同时会撤销为用户指定的角色。以下语句将会删除角色 read_role 和 write_role:
mysql> DROP ROLE read_role, write_role;
Query OK, 0 rows affected (0.10 sec)MySQL 8.0 官网文档:访问控制和账户治理。