As of MySQL 8.0.16, MySQL incorporates the concept of user account categories, based on the 从MySQL 8.0.16开始,MySQL基于SYSTEM_USER privilege.SYSTEM_USER权限引入了用户帐户类别的概念。
MySQL incorporates the concept of user account categories, with system and regular users distinguished according to whether they have the MySQL引入了用户帐户类别的概念,根据是否具有SYSTEM_USER privilege:SYSTEM_USER权限来区分系统用户和常规用户:
A user with the 具有SYSTEM_USER privilege is a system user.SYSTEM_USER权限的用户是系统用户。
A user without the 没有SYSTEM_USER privilege is a regular user.SYSTEM_USER权限的用户是普通用户。
The SYSTEM_USER privilege has an effect on the accounts to which a given user can apply its other privileges, as well as whether the user is protected from other accounts:SYSTEM_USER权限对给定用户可以应用其其他权限的帐户以及用户是否受到其他帐户的保护有影响:
A system user can modify both system and regular accounts. 系统用户可以修改系统帐户和常规帐户。That is, a user who has the appropriate privileges to perform a given operation on regular accounts is enabled by possession of 也就是说,拥有SYSTEM_USER to also perform the operation on system accounts. SYSTEM_USER的用户具有在常规帐户上执行给定操作的适当权限,也可以在系统帐户上执行该操作。A system account can be modified only by system users with appropriate privileges, not by regular users.系统帐户只能由具有适当权限的系统用户修改,普通用户不能修改。
A regular user with appropriate privileges can modify regular accounts, but not system accounts. 具有适当权限的普通用户可以修改普通帐户,但不能修改系统帐户。A regular account can be modified by both system and regular users with appropriate privileges.具有适当权限的系统用户和普通用户都可以修改普通帐户。
If a user has the appropriate privileges to perform a given operation on regular accounts, 如果用户具有在常规帐户上执行给定操作的适当权限,则SYSTEM_USER enables the user to also perform the operation on system accounts. SYSTEM_USER允许用户也在系统帐户上执行该操作。SYSTEM_USER does not imply any other privilege, so the ability to perform a given account operation remains predicated on possession of any other required privileges. SYSTEM_USER并不意味着任何其他特权,因此执行给定帐户操作的能力仍然取决于是否拥有任何其他所需的特权。For example, if a user can grant the 例如,如果用户可以向常规帐户授予SELECT and UPDATE privileges to regular accounts, then with SYSTEM_USER the user can also grant SELECT and UPDATE to system accounts.SELECT和UPDATE权限,那么使用SYSTEM_USER,用户还可以向系统帐户授予SELECT与UPDATE权限。
The distinction between system and regular accounts enables better control over certain account administration issues by protecting accounts that have the 系统帐户和常规帐户之间的区别通过保护具有SYSTEM_USER privilege from accounts that do not have the privilege. SYSTEM_USER权限的帐户免受没有该权限的帐户的影响,可以更好地控制某些帐户管理问题。For example, the 例如,CREATE USER privilege enables not only creation of new accounts, but modification and removal of existing accounts. CREATE USER权限不仅可以创建新帐户,还可以修改和删除现有帐户。Without the system user concept, a user who has the 如果没有系统用户概念,具有CREATE USER privilege can modify or drop any existing account, including the root account. CREATE USER权限的用户可以修改或删除任何现有帐户,包括root帐户。The concept of system user enables restricting modifications to the 系统用户的概念允许限制对root account (itself a system account) so they can be made only by system users. root帐户(本身就是系统帐户)的修改,因此只能由系统用户进行修改。Regular users with the 具有CREATE USER privilege can still modify or drop existing accounts, but only regular accounts.CREATE USER权限的普通用户仍然可以修改或删除现有帐户,但只能修改或删除普通帐户。
The SYSTEM_USER privilege affects these operations:SYSTEM_USER权限影响以下操作:
Account manipulation.账户操纵。
Account manipulation includes creating and dropping accounts, granting and revoking privileges, changing account authentication characteristics such as credentials or authentication plugin, and changing other account characteristics such as password expiration policy.帐户操作包括创建和删除帐户、授予和撤销特权、更改帐户身份验证特性(如凭据或身份验证插件)以及更改其他帐户特性(如密码过期策略)。
The 使用帐户管理语句(如SYSTEM_USER privilege is required to manipulate system accounts using account-management statements such as CREATE USER and GRANT. CREATE USER和GRANT)操纵系统帐户需要SYSTEM_USER权限。To prevent an account from modifying system accounts this way, make it a regular account by not granting it the 为了防止帐户以这种方式修改系统帐户,请不授予其SYSTEM_USER privilege. SYSTEM_USER权限,使其成为常规帐户。(However, to fully protect system accounts against regular accounts, you must also withhold modification privileges for the (但是,为了完全保护系统帐户免受常规帐户的攻击,您还必须保留常规帐户对mysql system schema from regular accounts. mysql系统模式的修改权限。See Protecting System Accounts Against Manipulation by Regular Accounts.)请参阅保护系统帐户免受常规帐户的操纵。)
Killing current sessions and statements executing within them.杀死当前会话和在其中执行的语句。
To kill a session or statement that is executing with the 要终止使用SYSTEM_USER privilege, your own session must have the SYSTEM_USER privilege, in addition to any other required privilege (CONNECTION_ADMIN or the deprecated SUPER privilege).SYSTEM_USER权限执行的会话或语句,除了任何其他必需的权限(CONNECTION_ADMIN或已弃用的SUPER权限)外,您自己的会话还必须具有SYSTEM_USER特权。
Prior to MySQL 8.0.16, 在MySQL 8.0.16之前,CONNECTION_ADMIN privilege (or the deprecated SUPER privilege) is sufficient to kill any session or statement.CONNECTION_ADMIN特权(或已弃用的SUPER特权)足以杀死任何会话或语句。
Setting the 为存储的对象设置DEFINER attribute for stored objects.DEFINER属性。
To set the 要将存储对象的DEFINER attribute for a stored object to an account that has the SYSTEM_USER privilege, you must have the SYSTEM_USER privilege, in addition to any other required privilege (SET_USER_ID or the deprecated SUPER privilege).DEFINER属性设置为具有SYSTEM_USER权限的帐户,除了任何其他必需的权限(SET_USER_ID或已弃用的SUPER权限)外,您还必须具有SYSTEM_USER权限。
Prior to MySQL 8.0.16, the 在MySQL 8.0.16之前,SET_USER_ID privilege (or the deprecated SUPER privilege) is sufficient to specify any DEFINER value for stored objects.SET_USER_ID特权(或已弃用的SUPER特权)足以为存储对象指定任何DEFINER值。
Specifying mandatory roles.指定强制角色。
A role that has the 具有SYSTEM_USER privilege cannot be listed in the value of the mandatory_roles system variable.SYSTEM_USER权限的角色不能列在mandatory_roles系统变量的值中。
Prior to MySQL 8.0.16, any role can be listed in 在MySQL 8.0.16之前,任何角色都可以列在mandatory_roles.mandatory_roles中。
Sessions executing within the server are distinguished as system or regular sessions, similar to the distinction between system and regular users:在服务器内执行的会话被区分为系统会话或常规会话,类似于系统用户和常规用户之间的区别:
A session that possesses the 拥有SYSTEM_USER privilege is a system session.SYSTEM_USER权限的会话是系统会话。
A session that does not possess the 不具有SYSTEM_USER privilege is a regular session.SYSTEM_USER权限的会话是常规会话。
A regular session is able to perform only operations permitted to regular users. A system session is additionally able to perform operations permitted only to system users.常规会话只能执行常规用户允许的操作。系统会话还能够执行仅允许系统用户执行的操作。
The privileges possessed by a session are those granted directly to its underlying account, plus those granted to all roles currently active within the session. 会话所拥有的特权是直接授予其基础帐户的特权,以及授予会话中当前活动的所有角色的特权。Thus, a session may be a system session because its account has been granted the 因此,会话可能是系统会话,因为其帐户直接被授予了SYSTEM_USER privilege directly, or because the session has activated a role that has the SYSTEM_USER privilege. SYSTEM_USER权限,或者因为会话激活了具有SYSTEM_USER特权的角色。Roles granted to an account that are not active within the session do not affect session privileges.授予会话中未处于活动状态的帐户的角色不会影响会话权限。
Because activating and deactivating roles can change the privileges possessed by sessions, a session may change from a regular session to a system session or vice versa. 因为激活和停用角色会改变会话所拥有的特权,所以会话可能会从常规会话更改为系统会话,反之亦然。If a session activates or deactivates a role that has the 如果会话激活或停用具有SYSTEM_USER privilege, the appropriate change between regular and system session takes place immediately, for that session only:SYSTEM_USER权限的角色,则仅对该会话立即在常规会话和系统会话之间进行适当的更改:
If a regular session activates a role with the 如果常规会话激活了具有SYSTEM_USER privilege, the session becomes a system session.SYSTEM_USER权限的角色,则该会话将成为系统会话。
If a system session deactivates a role with the 如果系统会话停用了具有SYSTEM_USER privilege, the session becomes a regular session, unless some other role with the SYSTEM_USER privilege remains active.SYSTEM_USER权限的角色,则该会话将成为常规会话,除非具有SYSTEM_USER权限的其他角色保持活动状态。
These operations have no effect on existing sessions:这些操作对现有会话没有影响:
If the 如果向帐户授予或撤销SYSTEM_USER privilege is granted to or revoked from an account, existing sessions for the account do not change between regular and system sessions. SYSTEM_USER权限,则该帐户的现有会话在常规会话和系统会话之间不会改变。The grant or revoke operation affects only sessions for subsequent connections by the account.授予或撤销操作仅影响帐户后续连接的会话。
Statements executed by a stored object invoked within a session execute with the system or regular status of the parent session, even if the object 即使对象DEFINER attribute names a system account.DEFINER属性指定了系统帐户,会话中调用的存储对象执行的语句也会与父会话的系统或常规状态一起执行。
Because role activation affects only sessions and not accounts, granting a role that has the 由于角色激活仅影响会话而不影响帐户,因此将具有SYSTEM_USER privilege to a regular account does not protect that account against regular users. SYSTEM_USER权限的角色授予常规帐户并不能保护该帐户免受常规用户的攻击。The role protects only sessions for the account in which the role has been activated, and protects the session only against being killed by regular sessions.该角色仅保护已激活该角色的帐户的会话,并且仅保护会话不被常规会话杀死。
Account manipulation includes creating and dropping accounts, granting and revoking privileges, changing account authentication characteristics such as credentials or authentication plugin, and changing other account characteristics such as password expiration policy.帐户操作包括创建和删除帐户、授予和撤销特权、更改帐户身份验证特性(如凭据或身份验证插件)以及更改其他帐户特性(如密码过期策略)。
Account manipulation can be done two ways:账户操作有两种方式:
By using account-management statements such as 通过使用帐户管理语句,如CREATE USER and GRANT. This is the preferred method.CREATE USER和GRANT。这是首选方法。
By direct grant-table modification using statements such as 通过使用INSERT and UPDATE. INSERT和UPDATE等语句直接修改授权表。This method is discouraged but possible for users with the appropriate privileges on the 不建议使用此方法,但对于在包含授权表的mysql system schema that contains the grant tables.mysql系统模式上具有适当权限的用户来说是可能的。
To fully protect system accounts against modification by a given account, make it a regular account and do not grant it modification privileges for the 为了完全保护系统帐户免受给定帐户的修改,请将其设置为常规帐户,不要授予其mysql schema:mysql模式的修改权限:
The 使用帐户管理语句操纵系统帐户需要SYSTEM_USER privilege is required to manipulate system accounts using account-management statements. SYSTEM_USER权限。To prevent an account from modifying system accounts this way, make it a regular account by not granting 要防止帐户以这种方式修改系统帐户,请通过不向其授予SYSTEM_USER to it. SYSTEM_USER使其成为常规帐户。This includes not granting 这包括不向授予该帐户的任何角色授予SYSTEM_USER to any roles granted to the account.SYSTEM_USER。
Privileges for the mysql schema enable manipulation of system accounts through direct modification of the grant tables, even if the modifying account is a regular account. mysql模式的权限允许通过直接修改授权表来操纵系统帐户,即使修改帐户是常规帐户。To restrict unauthorized direct modification of system accounts by a regular account, do not grant modification privileges for the 要限制常规帐户对系统帐户的未经授权的直接修改,请不要将mysql schema to the account (or any roles granted to the account). mysql模式的修改权限授予该帐户(或授予该帐户的任何角色)。If a regular account must have global privileges that apply to all schemas, 如果常规帐户必须具有适用于所有模式的全局权限,则可以使用部分撤销施加的权限限制来阻止mysql schema modifications can be prevented using privilege restrictions imposed using partial revokes. mysql模式修改。See Section 6.2.12, “Privilege Restriction Using Partial Revokes”.请参阅第6.2.12节,“使用部分撤销的特权限制”。
Unlike withholding the 与保留SYSTEM_USER privilege, which prevents an account from modifying system accounts but not regular accounts, withholding mysql schema privileges prevents an account from modifying system accounts as well as regular accounts. SYSTEM_USER权限(阻止帐户修改系统帐户而不是常规帐户)不同,保留mysql模式权限可以阻止帐户修改常规帐户和系统帐户。This should not be an issue because, as mentioned, direct grant-table modification is discouraged.这应该不是问题,因为如上所述,不鼓励直接修改授权表。
Suppose that you want to create a user 假设你想创建一个用户u1 who has all privileges on all schemas, except that u1 should be a regular user without the ability to modify system accounts. u1,他对所有模式都有所有权限,除了u1应该是一个没有修改系统帐户能力的普通用户。Assuming that the 假设partial_revokes system variable is enabled, configure u1 as follows:partial_revokes系统变量已启用,请按如下方式配置u1:
CREATE USER u1 IDENTIFIED BY 'password';
GRANT ALL ON *.* TO u1 WITH GRANT OPTION;
-- GRANT ALL includes SYSTEM_USER, so at this point
-- u1 can manipulate system or regular accounts
REVOKE SYSTEM_USER ON *.* FROM u1;
-- Revoking SYSTEM_USER makes u1 a regular user;
-- now u1 can use account-management statements
-- to manipulate only regular accounts
REVOKE ALL ON mysql.* FROM u1;
-- This partial revoke prevents u1 from directly
-- modifying grant tables to manipulate accounts
To prevent all 为了防止帐户访问所有mysql system schema access by an account, revoke all its privileges on the mysql schema, as just shown. mysql系统模式,请撤销其对mysql模式的所有权限,如图所示。It is also possible to permit partial 也可以允许部分mysql schema access, such as read-only access. mysql模式访问,例如只读访问。The following example creates an account that has 以下示例创建了一个帐户,该帐户对所有模式具有全局SELECT, INSERT, UPDATE, and DELETE privileges globally for all schemas, but only SELECT for the mysql schema:SELECT、INSERT、UPDATE和DELETE权限,但对mysql模式仅具有SELECT权限:
CREATE USER u2 IDENTIFIED BY 'password';
GRANT SELECT, INSERT, UPDATE, DELETE ON *.* TO u2;
REVOKE INSERT, UPDATE, DELETE ON mysql.* FROM u2;
Another possibility is to revoke all 另一种可能是撤销所有mysql schema privileges but grant access to specific mysql tables or columns. This can be done even with a partial revoke on mysql. mysql模式权限,但授予对特定mysql表或列的访问权限。即使在mysql上进行部分撤销,也可以做到这一点。The following statements enable read-only access to 以下语句允许对u1 within the mysql schema, but only for the db table and the Host and User columns of the user table:mysql模式中的u1进行只读访问,但仅限于db表以及user表的Host和User列:
CREATE USER u3 IDENTIFIED BY 'password';
GRANT ALL ON *.* TO u3;
REVOKE ALL ON mysql.* FROM u3;
GRANT SELECT ON mysql.db TO u3;
GRANT SELECT(Host,User) ON mysql.user TO u3;