| Drop_priv       | enum('N','Y') |      |     | N       |       |
| Reload_priv     | enum('N','Y') |      |     | N       |       |
| Shutdown_priv   | enum('N','Y') |      |     | N       |       |
| Process_priv    | enum('N','Y') |      |     | N       |       |
| File_priv       | enum('N','Y') |      |     | N       |       |
| Grant_priv      | enum('N','Y') |      |     | N       |       |
| References_priv | enum('N','Y') |      |     | N       |       |
| Index_priv      | enum('N','Y') |      |     | N       |       |
| Alter_priv      | enum('N','Y') |      |     | N       |       |
+-----------------+---------------+------+-----+---------+-------+
It is important to understand that the host and user together determine an individual permission for connecting. User Nosipho may have access from host A, and not from host B. In fact, user Nosipho on host B may be an entirely different user.
A host may be either the hostname of the machine, or the IP, and may be, or include, a wildcard (the % sign), meaning any host. It should be rare to allow access from any host. Web applications, for example, typically only allow access to the database server from the web server (or localhost for small setups, where they're on the same machine). The password is stored in an encrypted format using the PASSWORD() function. Let's look at a sample subset from the user table:
mysql> SELECT host,user FROM user;
+---------------+-------+
| host          | user  |
+---------------+-------+
| localhost     | mysql |
| localhost     | mark  |
| 192.168.5.42  | tiki  |
| 192.168.5.%   | mpho  |
| 192.168.5.42  |       |
| %             | wiki  |
+---------------+-------+
In this example, the mysql and mark users can connect from localhost only, while user tiki, and any other user, can connect from the IP 192.168.5.42. User mpho can connect from any IP starting with 192.168.5 (as denoted by the wildcard where the last digit would be). Finally, user wiki has access from any machine. This does not necessarily mean they can do anything, just that they can connect.
To decide whether a user has access to perform a particular operation, MySQL again checks the user table first. The remaining fields, all fairly clearly named, come into play. Select_priv determines whether users can run SELECT queries, Insert_priv INSERT queries, and so on.
Permission       Description
Select_priv      Permission to run SELECT queries
Insert_priv      Permission to run INSERT queries
Update_priv      Permission to run UPDATE queries
Delete_priv      Permission to run DELETE queries
Create_priv      Permission to CREATE tables or databases
Drop_priv        Permission to DROP tables or databases
Reload_priv      Permission to reload the database (FLUSH statements, for example)
Shutdown_priv    Permission to SHUTDOWN the MySQL server
Process_priv     Permission to view or kill MySQL processes
File_priv        Permission to read and write files (e.g. LOAD DATA INFILE)
Grant_priv       Permission to GRANT available permissions to other users
References_priv  Currently unused
Index_priv       Permission to create, change or drop indexes
Alter_priv       Permission to run ALTER statements
All are enumerated types, a Y value allowing the operation, and an N value possibly disallowing it. Only possibly, because the user table is the bluntest kind of permission. A Y value in one of these fields always allows that operation to be performed on all databases on the server. It is often good practice to set values to N in the user table, and then allow them for the appropriate database only, as we'll see now. Another sample:
mysql> SELECT host,user,select_priv,insert_priv FROM user;
+-----------+------+-------------+-------------+
| host      | user | select_priv | insert_priv |
+-----------+------+-------------+-------------+
| %         | mark | Y           | N           |
| localhost | mpho | N           | N           |
+-----------+------+-------------+-------------+
Here user mark can always perform SELECT queries, while for the other operations MySQL will need to check the other tables first, starting with the db table.
The DB table
If the user table allows access, but disallows permission for a particular operation, the next table to worry about is the db table. This sets permissions for specific databases.
mysql> DESC db;
+-----------------+---------------+------+-----+---------+-------+
| Field           | Type          | Null | Key | Default | Extra |
+-----------------+---------------+------+-----+---------+-------+
| Host            | char(60)      |      | PRI |         |       |
| Db              | char(32)      |      | PRI |         |       |
| User            | char(16)      |      | PRI |         |       |
| Select_priv     | enum('N','Y') |      |     | N       |       |
| Insert_priv     | enum('N','Y') |      |     | N       |       |
| Update_priv     | enum('N','Y') |      |     | N       |       |
| Delete_priv     | enum('N','Y') |      |     | N       |       |
| Create_priv     | enum('N','Y') |      |     | N       |       |
| Drop_priv       | enum('N','Y') |      |     | N       |       |
| Grant_priv      | enum('N','Y') |      |     | N       |       |
| References_priv | enum('N','Y') |      |     | N       |       |
| Index_priv      | enum('N','Y') |      |     | N       |       |
| Alter_priv      | enum('N','Y') |      |     | N       |       |
+-----------------+---------------+------+-----+---------+-------+
Host and User appear in the same way in this table, but attached to a database, not a password. The same host/user combination appears, with a password, in the user table, which allows the user to connect, but if they do not have permission to perform an operation, MySQL will check this table to see if they can perform it on a particular database. A sample:
mysql> SELECT host,db,user,select_priv,insert_priv FROM db;
+-----------+----------+-------+-------------+-------------+
| host      | db       | user  | select_priv | insert_priv |
+-----------+----------+-------+-------------+-------------+
| localhost | news     | mark  | Y           | Y           |
+-----------+----------+-------+-------------+-------------+
mysql> DESC tables_priv;
+-------------+---------------------------------------------------+------+-----+---------+-------+
| Field       | Type                                              | Null | Key | Default | Extra |
+-------------+---------------------------------------------------+------+-----+---------+-------+
| Host        | char(60)                                          |      | PRI |         |       |
| Db          | char(60)                                          |      | PRI |         |       |
| User        | char(16)                                          |      | PRI |         |       |
| Table_name  | char(60)                                          |      | PRI |         |       |
| Grantor     | char(77)                                          |      | MUL |         |       |
| Timestamp   | timestamp(14)                                     | YES  |     | NULL    |       |
| Table_priv  | set('Select','Insert','Update','Delete','Create', |      |     |         |       |
|             |     'Drop','Grant','References','Index','Alter')  |      |     |         |       |
| Column_priv | set('Select','Insert','Update','References')      |      |     |         |       |
+-------------+---------------------------------------------------+------+-----+---------+-------+
mysql> DESC columns_priv;
+-------------+----------------------------------------------+------+-----+---------+-------+
| Field       | Type                                         | Null | Key | Default | Extra |
+-------------+----------------------------------------------+------+-----+---------+-------+
| Host        | char(60)                                     |      | PRI |         |       |
| Db          | char(60)                                     |      | PRI |         |       |
| User        | char(16)                                     |      | PRI |         |       |
| Table_name  | char(60)                                     |      | PRI |         |       |
| Column_name | char(60)                                     |      | PRI |         |       |
| Timestamp   | timestamp(14)                                | YES  |     | NULL    |       |
| Column_priv | set('Select','Insert','Update','References') |      |     |         |       |
+-------------+----------------------------------------------+------+-----+---------+-------+
A brief recap of the process
The order of precedence of the tables is as follows:
user: User accounts, global privileges, and other non-privilege columns.
db: Database-level privileges.
host: Obsolete. MySQL install operations do not create this table as of MySQL 5.6.7.
tables_priv: Table-level privileges.
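As an added illustration (not code from the page), a small Python model of the lookup order just recapped, run over constructed rows modelled on the page's samples: host matching with the % wildcard, the most specific account row winning (a literal host before a wildcard, a named user before the anonymous account), and the user, db, tables_priv, columns_priv walk in which the first Y grants the operation. It is a simplification of MySQL's real matching (no netmask hosts, only Select and Insert).

```python
from fnmatch import fnmatchcase

# Constructed rows modelled on the page's samples; real grant tables hold more columns.
USER = [  # (Host, User, Select_priv, Insert_priv)
    ("localhost",    "mark", "N", "N"),
    ("192.168.5.%",  "mpho", "N", "N"),
    ("192.168.5.42", "tiki", "N", "N"),
    ("192.168.5.42", "",     "N", "N"),   # anonymous account: any user from that IP
    ("%",            "wiki", "Y", "N"),   # global SELECT from any host
]
DB = [  # (Host, Db, User, Select_priv, Insert_priv)
    ("localhost", "news", "mark", "Y", "Y"),
]
TABLES_PRIV = [  # (Host, Db, User, Table_name, Table_priv set)
    ("192.168.5.%", "news", "mpho", "articles", {"Select"}),
]
COLUMNS_PRIV = [  # (Host, Db, User, Table_name, Column_name, Column_priv set)
    ("192.168.5.42", "news", "tiki", "articles", "title", {"Select"}),
]
PRIV_COL = {"Select": 2, "Insert": 3}  # index of the enum column in USER/DB rows

def host_matches(pattern, host):
    """A Host value is a literal name/IP or contains the % wildcard."""
    return fnmatchcase(host, pattern.replace("%", "*"))

def find_account(host, user):
    """Return the user-table row MySQL would use for this connection:
    a literal host beats a wildcard, and a named user beats the anonymous ('') one."""
    rows = [r for r in USER if host_matches(r[0], host) and r[1] in (user, "")]
    rows.sort(key=lambda r: ("%" in r[0], r[1] == ""))
    return rows[0] if rows else None

def can(host, user, priv, db=None, table=None, column=None):
    """Walk user -> db -> tables_priv -> columns_priv; the first Y wins."""
    acct = find_account(host, user)
    if acct is None:
        return False                      # no matching row: cannot even connect
    auser, idx = acct[1], PRIV_COL[priv]
    if acct[idx] == "Y":
        return True                       # global privilege in the user table
    if any(host_matches(r[0], host) and (r[1], r[2]) == (db, auser) and r[idx + 1] == "Y"
           for r in DB):
        return True                       # database-level privilege
    if any(host_matches(r[0], host) and (r[1], r[2], r[3]) == (db, auser, table)
           and priv in r[4] for r in TABLES_PRIV):
        return True                       # table-level privilege
    return any(host_matches(r[0], host) and (r[1], r[2], r[3], r[4]) == (db, auser, table, column)
               and priv in r[5] for r in COLUMNS_PRIV)
```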
Privilege               Description
ALL/ALL PRIVILEGES      All the basic permissions
ALTER                   Permission to run ALTER statements
CREATE                  Permission to CREATE tables or databases
CREATE TEMPORARY TABLES Permission to run CREATE TEMPORARY TABLE statements
DELETE                  Permission to run DELETE statements
DROP                    Permission to DROP tables or databases
EXECUTE                 Permission to run stored procedures (in MySQL 5)
FILE                    Permission to read and write files (e.g. LOAD DATA INFILE statements)
GRANT                   Permission to GRANT available permissions to other users
INDEX                   Permission to create, change or drop indexes
INSERT                  Permission to run INSERT statements
LOCK TABLES             Permission to LOCK tables which the user has SELECT access to
PROCESS                 Permission to view or kill MySQL processes
REFERENCES              Currently unused
RELOAD                  Permission to reload the database (e.g. FLUSH statements)
REPLICATION CLIENT      Permission to ask about replication
REPLICATION SLAVE       Permission to replicate from the server
SHOW DATABASES          Permission to see all databases
SELECT                  Permission to run SELECT statements
SHUTDOWN                Permission to SHUTDOWN the MySQL server
SUPER                   Permission to connect, even if the number of connections is exceeded, and perform maintenance commands
UPDATE                  Permission to run UPDATE statements
USAGE                   Permission to connect and perform basic commands only
Privilege level   Description
*.*               All databases and all tables
*                 All tables in the current (default) database
dbname.*          All tables in database dbname
dbname.tbname     The table tbname in database dbname
Note that the record still appears in the table, so he can connect, but select_priv has been disabled.
mysql> REVOKE INSERT ON mysql.* FROM suretha@localhost;
Query OK, 0 rows affected (0.00 sec)
mysql> SELECT host,db,user,select_priv,insert_priv FROM db WHERE user='Suretha';
Empty set (0.00 sec)
mysql> SELECT host,user,password,select_priv,insert_priv FROM user WHERE user = 'Suretha';
+-----------+---------+------------------+-------------+-------------+
| host      | user    | password         | select_priv | insert_priv |
+-----------+---------+------------------+-------------+-------------+
| localhost | suretha | 30f59c271b923c47 | N           | N           |
+-----------+---------+------------------+-------------+-------------+
The record has been deleted from the db table, but still appears, with no permissions, in the user table.
Hopefully you're starting to find MySQL permissions flexible and easy to use. Although there is much more to explore, do not overuse the available options. You will make management more complex, and affect performance. Good luck!