The privileges granted to a MySQL account determine which operations the account can perform. 授予MySQL帐户的权限决定了该帐户可以执行哪些操作。MySQL privileges differ in the contexts in which they apply and at different levels of operation:MySQL权限因其应用的上下文和不同的操作级别而异:
Administrative privileges enable users to manage operation of the MySQL server. 管理权限允许用户管理MySQL服务器的操作。These privileges are global because they are not specific to a particular database.这些权限是全局的,因为它们不是特定于特定数据库的。
Database privileges apply to a database and to all objects within it. 数据库权限应用于数据库及其内的所有对象。These privileges can be granted for specific databases, or globally so that they apply to all databases.可以为特定数据库授予这些权限,也可以全局授予这些权限,以便它们应用于所有数据库。
Privileges for database objects such as tables, indexes, views, and stored routines can be granted for specific objects within a database, for all objects of a given type within a database (for example, all tables in a database), or globally for all objects of a given type in all databases.可以为数据库中的特定对象、数据库中给定类型的所有对象(例如,数据库中的所有表)或所有数据库中给定类型的所有对象全局授予数据库对象(如表、索引、视图和存储例程)的权限。
Privileges also differ in terms of whether they are static (built in to the server) or dynamic (defined at runtime). 权限在静态(内置于服务器)还是动态(在运行时定义)方面也有所不同。Whether a privilege is static or dynamic affects its availability to be granted to user accounts and roles. 权限是静态的还是动态的会影响授予用户帐户和角色的可用性。For information about the differences between static and dynamic privileges, see Static Versus Dynamic Privileges.)有关静态权限和动态权限之间差异的信息,请参阅静态权限和动态权限。)
Information about account privileges is stored in the grant tables in the 有关帐户权限的信息存储在mysql system database. mysql系统数据库的授权表中。For a description of the structure and contents of these tables, see Section 6.2.3, “Grant Tables”. 有关这些表格的结构和内容的说明,请参阅第6.2.3节“授权表”。The MySQL server reads the contents of the grant tables into memory when it starts, and reloads them under the circumstances indicated in Section 6.2.13, “When Privilege Changes Take Effect”. MySQL服务器在启动时将授权表的内容读入内存,并在第6.2.13节“权限更改生效时”中指出的情况下重新加载它们。The server bases access-control decisions on the in-memory copies of the grant tables.服务器将访问控制决策建立在授权表的内存副本上。
Some MySQL releases introduce changes to the grant tables to add new privileges or features. 一些MySQL版本引入了对grant表的更改,以添加新的权限或特性。To make sure that you can take advantage of any new capabilities, update your grant tables to the current structure whenever you upgrade MySQL. 为了确保可以利用任何新功能,请在升级MySQL时将grant表更新为当前结构。See Section 2.11, “Upgrading MySQL”.请参阅第2.11节“升级MySQL”。
The following sections summarize the available privileges, provide more detailed descriptions of each privilege, and offer usage guidelines.以下各节总结了可用的权限,提供了每个权限的更详细描述,并提供了使用指南。
The following table shows the static privilege names used in 下表显示了GRANT and REVOKE statements, along with the column name associated with each privilege in the grant tables and the context in which the privilege applies.GRANT和REVOKE语句中使用的静态权限名称,以及与授权表中每个权限相关联的列名和应用权限的上下文。
Table 6.2 Permissible Static Privileges for GRANT and REVOKE表6.2 GRANT和REVOKE允许的静态权限
ALL [PRIVILEGES] | ||
|---|---|---|
ALTER | Alter_priv | |
ALTER ROUTINE | Alter_routine_priv | |
CREATE | Create_priv | |
CREATE ROLE | Create_role_priv | |
CREATE ROUTINE | Create_routine_priv | |
CREATE TABLESPACE | Create_tablespace_priv | |
CREATE TEMPORARY TABLES | Create_tmp_table_priv | |
CREATE USER | Create_user_priv | |
CREATE VIEW | Create_view_priv | |
DELETE | Delete_priv | |
DROP | Drop_priv | |
DROP ROLE | Drop_role_priv | |
EVENT | Event_priv | |
EXECUTE | Execute_priv | |
FILE | File_priv | |
GRANT OPTION | Grant_priv | |
INDEX | Index_priv | |
INSERT | Insert_priv | |
LOCK TABLES | Lock_tables_priv | |
PROCESS | Process_priv | |
PROXY | See proxies_priv table | |
REFERENCES | References_priv | |
RELOAD | Reload_priv | |
REPLICATION CLIENT | Repl_client_priv | |
REPLICATION SLAVE | Repl_slave_priv | |
SELECT | Select_priv | |
SHOW DATABASES | Show_db_priv | |
SHOW VIEW | Show_view_priv | |
SHUTDOWN | Shutdown_priv | |
SUPER | Super_priv | |
TRIGGER | Trigger_priv | |
UPDATE | Update_priv | |
USAGE | Synonym for “no privileges” |
The following table shows the dynamic privilege names used in 下表显示了GRANT and REVOKE statements, along with the context in which the privilege applies.GRANT和REVOKE语句中使用的动态权限名称,以及应用权限的上下文。
Table 6.3 Permissible Dynamic Privileges for GRANT and REVOKE表6.3&bnsp;GRANT和REVOKE允许的动态权限
APPLICATION_PASSWORD_ADMIN | |
AUDIT_ADMIN | |
BACKUP_ADMIN | |
BINLOG_ADMIN | |
BINLOG_ENCRYPTION_ADMIN | |
CLONE_ADMIN | |
CONNECTION_ADMIN | |
ENCRYPTION_KEY_ADMIN | |
FIREWALL_ADMIN | |
FIREWALL_EXEMPT | |
FIREWALL_USER | |
FLUSH_OPTIMIZER_COSTS | |
FLUSH_STATUS | |
FLUSH_TABLES | |
FLUSH_USER_RESOURCES | |
GROUP_REPLICATION_ADMIN | |
INNODB_REDO_LOG_ARCHIVE | |
NDB_STORED_USER | |
PERSIST_RO_VARIABLES_ADMIN | |
REPLICATION_APPLIER | PRIVILEGE_CHECKS_USER for a replication channelPRIVILEGE_CHECKS_USER |
REPLICATION_SLAVE_ADMIN | |
RESOURCE_GROUP_ADMIN | |
RESOURCE_GROUP_USER | |
ROLE_ADMIN | |
SESSION_VARIABLES_ADMIN | |
SET_USER_ID | |
SHOW_ROUTINE | |
SYSTEM_USER | |
SYSTEM_VARIABLES_ADMIN | |
TABLE_ENCRYPTION_ADMIN | |
VERSION_TOKEN_ADMIN | |
XA_RECOVER_ADMIN |
Static privileges are built in to the server, in contrast to dynamic privileges, which are defined at runtime. 静态权限内置于服务器中,而动态权限是在运行时定义的。The following list describes each static privilege available in MySQL.下面的列表描述了MySQL中可用的每个静态权限。
Particular SQL statements might have more specific privilege requirements than indicated here. 特定的SQL语句可能有比这里更具体的权限要求。If so, the description for the statement in question provides the details.如果是这样的话,有关声明的描述将提供详细信息。
These privilege specifiers are shorthand for “all privileges available at a given privilege level” (except 这些权限说明符是“给定权限级别上可用的所有权限”(GRANT OPTION). GRANT OPTION除外)的缩写。For example, granting 例如,在全局或表级别授予ALL at the global or table level grants all global privileges or all table-level privileges, respectively.ALL将分别授予所有全局权限或所有表级别权限。
Enables use of the 允许使用ALTER TABLE statement to change the structure of tables. ALTER TABLE语句更改表的结构。ALTER TABLE also requires the CREATE and INSERT privileges. ALTER TABLE还需要CREATE和INSERT权限。Renaming a table requires 重命名表需要对旧表执行ALTER and DROP on the old table, CREATE, and INSERT on the new table.ALTER和DROP操作,对新表执行CREATE和INSERT操作。
Enables use of statements that alter or drop stored routines (stored procedures and functions). 允许使用更改或删除存储例程(存储过程和函数)的语句。For routines that fall within the scope at which the privilege is granted and for which the user is not the user named as the routine 对于在授予权限的范围内且用户不是名为例程DEFINER, also enables access to routine properties other than the routine definition.DEFINDER的用户的例程,还允许访问例程定义以外的例程属性。
Enables use of statements that create new databases and tables.允许使用创建新数据库和表的语句。
Enables use of the 允许使用CREATE ROLE statement. CREATE ROLE语句。(The (CREATE USER privilege also enables use of the CREATE ROLE statement.) CREATE USER权限也允许使用CREATE ROLE语句。)See Section 6.2.10, “Using Roles”.请参阅第6.2.10节“使用角色”。
The CREATE ROLE and DROP ROLE privileges are not as powerful as CREATE USER because they can be used only to create and drop accounts. CREATE ROLE和DROP ROLE权限不如CREATE USER强大,因为它们只能用于创建和删除帐户。They cannot be used as 它们不能像CREATE USER can be modify account attributes or rename accounts. CREATE USER那样可以修改帐户属性或重命名帐户。See User and Role Interchangeability.请参阅用户和角色互换性。
Enables use of statements that create stored routines (stored procedures and functions). 允许使用创建存储例程(存储过程和函数)的语句。For routines that fall within the scope at which the privilege is granted and for which the user is not the user named as the routine 对于在授予权限的范围内且用户不是名为例程DEFINER, also enables access to routine properties other than the routine definition.DEFINDER的用户的例程,还允许访问例程定义以外的例程属性。
Enables use of statements that create, alter, or drop tablespaces and log file groups.允许使用创建、更改或删除表空间和日志文件组的语句。
Enables the creation of temporary tables using the 允许使用CREATE TEMPORARY TABLE statement.CREATE TEMPORATE TABLE语句创建临时表。
After a session has created a temporary table, the server performs no further privilege checks on the table. 会话创建临时表后,服务器不再对该表执行进一步的权限检查。The creating session can perform any operation on the table, such as 创建会话可以对表执行任何操作,例如DROP TABLE, INSERT, UPDATE, or SELECT. DROP TABLE、INSERT、UPDATE或SELECT。For more information, see Section 13.1.20.2, “CREATE TEMPORARY TABLE Statement”.有关更多信息,请参阅第13.1.20.2节“创建临时表语句”。
Enables use of the 允许使用ALTER USER, CREATE ROLE, CREATE USER, DROP ROLE, DROP USER, RENAME USER, and REVOKE ALL PRIVILEGES statements.ALTER USER、CREATE ROLE、CREATE USER、DROP ROLE、DROP USER、RENAME USER和REVOKE ALL PRIVILEGES语句。
Enables use of the 允许使用CREATE VIEW statement.CREATE VIEW语句。
Enables rows to be deleted from tables in a database.允许从数据库中的表中删除行。
Enables use of statements that drop (remove) existing databases, tables, and views. 允许使用删除(删除)现有数据库、表和视图的语句。The 在分区表上使用DROP privilege is required to use the ALTER TABLE ... DROP PARTITION statement on a partitioned table. ALTER TABLE ... DROP PARTITION语句需要DROP权限。The DROP privilege is also required for TRUNCATE TABLE.TRUNCATE TABLE也需要DROP权限。
Enables use of the 允许使用DROP ROLE statement. DROP ROLE语句。(The (CREATE USER privilege also enables use of the DROP ROLE statement.) CREATE USER权限还允许使用DROP ROLE语句。)See Section 6.2.10, “Using Roles”.请参阅第6.2.10节“使用角色”。
The CREATE ROLE and DROP ROLE privileges are not as powerful as CREATE USER because they can be used only to create and drop accounts. CREATE ROLE和DROP ROLE权限不如CREATE USER强大,因为它们只能用于创建和删除帐户。They cannot be used as 它们不能像CREATE USER can be modify account attributes or rename accounts. CREATE USER那样可以修改帐户属性或重命名帐户。See User and Role Interchangeability.请参阅用户和角色互换性。
Enables use of statements that create, alter, drop, or display events for the Event Scheduler.允许使用为事件计划程序创建、更改、删除或显示事件的语句。
Enables use of statements that execute stored routines (stored procedures and functions). 允许使用执行存储例程(存储过程和函数)的语句。For routines that fall within the scope at which the privilege is granted and for which the user is not the user named as the routine 对于在授予权限的范围内且用户不是名为例程DEFINER, also enables access to routine properties other than the routine definition.DEFINDER的用户的例程,还允许访问例程定义以外的例程属性。
Affects the following operations and server behaviors:影响以下操作和服务器行为:
Enables reading and writing files on the server host using the 在服务器主机上启用读写文件,方法是使用LOAD DATA and SELECT ... INTO OUTFILE statements and the LOAD_FILE() function. LOAD DATA语句和SELECT ... INTO OUTFILE语句以及LOAD_FILE()函数。A user who has the 具有FILE privilege can read any file on the server host that is either world-readable or readable by the MySQL server. FILE权限的用户可以读取服务器主机上的任何文件,这些文件可以是全局可读的,也可以是MySQL服务器可读的。(This implies the user can read any file in any database directory, because the server can access any of those files.)(这意味着用户可以读取任何数据库目录中的任何文件,因为服务器可以访问这些文件中的任何一个。)
Enables creating new files in any directory where the MySQL server has write access. 允许在MySQL服务器具有写访问权限的任何目录中创建新文件。This includes the server's data directory containing the files that implement the privilege tables.这包括服务器的数据目录,其中包含实现权限表的文件。
Enables use of the 允许对DATA DIRECTORY or INDEX DIRECTORY table option for the CREATE TABLE statement.CREATE TABLE语句使用DATA DIRECTORY或INDEX DIRECTORY表选项。
As a security measure, the server does not overwrite existing files.作为安全措施,服务器不会覆盖现有文件。
To limit the location in which files can be read and written, set the 要限制文件的读写位置,请将secure_file_priv system variable to a specific directory. secure_file_priv系统变量设置为特定目录。See Section 5.1.8, “Server System Variables”.请参阅第5.1.8节“服务器系统变量”。
Enables you to grant to or revoke from other users those privileges that you yourself possess.允许您向其他用户授予或撤消您自己拥有的权限。
Enables use of statements that create or drop (remove) indexes. 允许使用创建或删除(删除)索引的语句。INDEX applies to existing tables. INDEX应用于现有表。If you have the 如果您具有表的CREATE privilege for a table, you can include index definitions in the CREATE TABLE statement.CREATE权限,则可以在CREATE TABLE语句中包含索引定义。
Enables rows to be inserted into tables in a database. 允许将行插入数据库中的表中。INSERT is also required for the ANALYZE TABLE, OPTIMIZE TABLE, and REPAIR TABLE table-maintenance statements.ANALYZE TABLE、OPTIMIZE TABLE和REPAIR TABLE维护语句,INSERT也是必需的。
Enables use of explicit 允许使用显式LOCK TABLES statements to lock tables for which you have the SELECT privilege. LOCK TABLES语句锁定您具有SELECT权限的表。This includes use of write locks, which prevents other sessions from reading the locked table.这包括使用写锁,防止其他会话读取锁定的表。
The PROCESS privilege controls access to information about threads executing within the server (that is, information about statements being executed by sessions). PRECESS权限控制对服务器内执行的线程信息(即会话执行的语句信息)的访问。Thread information available using the 可以使用SHOW PROCESSLIST statement, the mysqladmin processlist command, the INFORMATION_SCHEMA.PROCESSLIST table, and the Performance Schema processlist table is accessible as follows:SHOW PROCESSLIST语句、mysqladmin processlist命令、INFORMATION_SCHEMA.PROCESSLIST表和实施架构processlist表访问线程信息,如下所示:
With the 使用PROCESS privilege, a user has access to information about all threads, even those belonging to other users.PROCESS权限,用户可以访问有关所有线程的信息,甚至是属于其他用户的那些线程。
Without the 如果没有PROCESS privilege, nonanonymous users have access to information about their own threads but not threads for other users, and anonymous users have no access to thread information.PROCESS权限,非匿名用户可以访问关于自己线程的信息,但是不能访问其他用户的线程,匿名用户不能访问线程信息。
The Performance Schema 实施架构threads table also provides thread information, but table access uses a different privilege model. threads表也提供线程信息,但是表访问使用不同的权限模型。See Section 27.12.21.6, “The threads Table”.请参阅第27.12.21.6节“线程表”。
The PROCESS privilege also enables use of the SHOW ENGINE statement, access to the INFORMATION_SCHEMA InnoDB tables (tables with names that begin with INNODB_), and (as of MySQL 8.0.21) access to the INFORMATION_SCHEMA FILES table.PROCESS权限还允许使用SHOW ENGINE语句,访问INFORMATION_SCHEMA InnoDB表(名称以InnoDB_开头的表),以及(从MySQL 8.0.21开始)访问INFORMATION_SCHEMA FILES表。
Enables one user to impersonate or become known as another user. 允许一个用户模拟或成为另一个用户。See Section 6.2.18, “Proxy Users”.请参阅第6.2.18节“代理用户”。
Creation of a foreign key constraint requires the 创建外键约束需要父表的REFERENCES privilege for the parent table.REFERENCES权限。
The RELOAD enables the following operations:RELOAD启用以下操作:
Use of the FLUSH statement.FLUSH语句的使用。
Use of mysqladmin commands that are equivalent to 使用等同于FLUSH operations: flush-hosts, flush-logs, flush-privileges, flush-status, flush-tables, flush-threads, refresh, and reload.FLUSH(刷新)操作的mysqladmin命令:flush-hosts(刷新主机)、flush-logs(刷新日志)、flush-privileges(刷新权限)、flush-status(刷新状态)、flush-tables(刷新表)、flush-threads(刷新线程)、refresh(刷新)和reload(重新加载)。
The reload command tells the server to reload the grant tables into memory. reload命令告诉服务器将授权表重新加载到内存中。flush-privileges is a synonym for reload. flush-privileges是reload的同义词。The refresh command closes and reopens the log files and flushes all tables. refresh命令关闭并重新打开日志文件并刷新所有表。The other 其他flush- commands perform functions similar to xxxrefresh, but are more specific and may be preferable in some instances. flush-xxx命令执行类似于refresh的功能,但更具体,在某些情况下可能更可取。For example, if you want to flush just the log files, 例如,如果您只想刷新日志文件,那么flush-logs is a better choice than refresh.flush-logs是比refresh更好的选择。
Use of mysqldump options that perform various 使用FLUSH operations: --flush-logs and --master-data.mysqldump选项执行各种FLUSH操作:--flush-logs和--master-data。
Use of the 使用RESET MASTER and RESET REPLICA | SLAVE statements.RESET MASTER和RESET REPLICA | SLAVE语句。
Enables use of the 允许使用SHOW MASTER STATUS, SHOW REPLICA | SLAVE STATUS, and SHOW BINARY LOGS statements.SHOW MASTER STATUS、SHOW REPLICA | SLAVE STATUS和SHOW BINARY LOGS语句。
Enables the account to request updates that have been made to databases on the replication source server, using the 使帐户能够使用SHOW REPLICAS | SHOW SLAVE HOSTS, SHOW RELAYLOG EVENTS, and SHOW BINLOG EVENTS statements. SHOW REPLICAS | SHOW SLAVE HOSTS、SHOW RELAYLOG EVENTS和SHOW BINLOG EVENTS语句请求对复制源服务器上的数据库所做的更新。This privilege is also required to use the mysqlbinlog options 使用--read-from-remote-server (-R) and --read-from-remote-master. mysqlbinlog的选项--read-from-remote-server(R,从远程服务器读取)和--read-from-remote-master(从远程主机读取)也需要此权限。Grant this privilege to accounts that are used by replicas to connect to the current server as their replication source server.将此权限授予副本用于连接到当前服务器作为其复制源服务器的帐户。
Enables rows to be selected from tables in a database. 允许从数据库中的表中选择行。SELECT statements require the SELECT privilege only if they actually access tables. SELECT语句只有在实际访问表时才需要SELECT权限。Some 有些SELECT statements do not access tables and can be executed without permission for any database. SELECT语句不访问表,可以在没有任何数据库权限的情况下执行。For example, you can use 例如,可以使用SELECT as a simple calculator to evaluate expressions that make no reference to tables:SELECT作为简单的计算器来计算不引用表的表达式:
SELECT 1+1; SELECT PI()*2;
The 其他读取列值的语句也需要SELECT privilege is also needed for other statements that read column values. SELECT权限。For example, 例如,SELECT is needed for columns referenced on the right hand side of col_name=expr assignment in UPDATE statements or for columns named in the WHERE clause of DELETE or UPDATE statements.UPDATE语句中col_name=expr赋值右侧引用的列或DELETE或UPDATE语句的WHERE子句中的命名列需要SELECT权限。
The 与SELECT privilege is needed for tables or views used with EXPLAIN, including any underlying tables in view definitions.EXPLAIN一起使用的表或视图(包括视图定义中的任何基础表)需要SELECT权限。
Enables the account to see database names by issuing the 通过发出SHOW DATABASE statement. SHOW DATABASE语句,使帐户能够查看数据库名称。Accounts that do not have this privilege see only databases for which they have some privileges, and cannot use the statement at all if the server was started with the 不具有此权限的帐户只能查看具有某些权限的数据库,如果服务器是使用--skip-show-database option.--skip-show-database选项启动的,则根本无法使用该语句。
Because any static global privilege is considered a privilege for all databases, any static global privilege enables a user to see all database names with 由于任何静态全局权限都被视为所有数据库的权限,因此任何静态全局权限都允许用户使用SHOW DATABASES or by examining the SCHEMATA table of INFORMATION_SCHEMA, except databases that have been restricted at the database level by partial revokes.SHOW DATABASES或通过检查SCHEMATA表中的INFORMATION_SCHEMA来查看所有数据库名称,但在数据库级别受到部分撤销限制的数据库除外。
Enables use of the 允许使用SHOW CREATE VIEW statement. SHOW CREATE VIEW语句。This privilege is also needed for views used with 与EXPLAIN.EXPLAIN一起使用的视图也需要此权限。
Enables use of the 允许使用SHUTDOWN and RESTART statements, the mysqladmin shutdown command, and the mysql_shutdown() C API function.SHUTDOWN和RESTART语句、mysqladmin shutdown命令和mysql_shutdown() C API函数。
SUPER is a powerful and far-reaching privilege and should not be granted lightly. SUPER是一种强大而深远的权限,不应轻视。If an account needs to perform only a subset of 如果一个帐户只需要执行SUPER operations, it may be possible to achieve the desired privilege set by instead granting one or more dynamic privileges, each of which confers more limited capabilities. SUPER操作的一个子集,则可以通过授予一个或多个动态权限来实现所需的权限集,每个动态权限都授予更有限的功能。See Dynamic Privilege Descriptions.请参阅动态权限描述。
SUPER is deprecated, and you should expect it to be removed in a future version of MySQL. SUPER已被弃用,您应该期望它在MySQL的未来版本中被删除。See Migrating Accounts from SUPER to Dynamic Privileges.请参阅将帐户从超级权限迁移到动态权限。
SUPER affects the following operations and server behaviors:SUPER影响以下操作和服务器行为:
Enables system variable changes at runtime:在运行时启用系统变量更改:
Enables server configuration changes to global system variables with 使用SET GLOBAL and SET PERSIST.SET GLOBAL和SET PERSIST对全局系统变量启用服务器配置更改。
The corresponding dynamic privilege is 相应的动态权限是SYSTEM_VARIABLES_ADMIN.SYSTEM_VARIABLES_ADMIN。
Enables setting restricted session system variables that require a special privilege.启用设置需要特殊权限的受限会话系统变量。
The corresponding dynamic privilege is 相应的动态权限是SESSION_VARIABLES_ADMIN.SESSION_VARIABLES_ADMIN。
See also Section 5.1.9.1, “System Variable Privileges”.另请参见第5.1.9.1节“系统变量权限”。
Enables changes to global transaction characteristics (see Section 13.3.7, “SET TRANSACTION Statement”).允许更改全局事务特性(请参阅第13.3.7节“设置事务语句”)。
The corresponding dynamic privilege is 相应的动态权限是SYSTEM_VARIABLES_ADMIN.SYSTEM_VARIABLES_ADMIN。
Enables the account to start and stop replication, including Group Replication.使帐户能够启动和停止复制,包括组复制。
The corresponding dynamic privilege is 相应的动态权限是REPLICATION_SLAVE_ADMIN for regular replication, GROUP_REPLICATION_ADMIN for Group Replication.REPLICATION_SLAVE_ADMIN(用于常规复制)和GROUP_REPLICATION_ADMIN(用于组复制)。
Enables use of the 支持使用CHANGE REPLICATION SOURCE TO statement (from MySQL 8.0.23), CHANGE MASTER TO statement (before MySQL 8.0.23), and CHANGE REPLICATION FILTER statements.CHANGE REPLICATION SOURCE TO语句(从MySQL 8.0.23版开始)、CHANGE MASTER TO语句(在MySQL 8.0.23版之前)和CHANGE REPLICATION FILTER语句。
The corresponding dynamic privilege is 相应的动态权限是REPLICATION_SLAVE_ADMIN.REPLICATION_SLAVE_ADMIN。
Enables binary log control by means of the 通过PURGE BINARY LOGS and BINLOG statements.PURGE BINARY LOGS和BINLOG语句启用二进制日志控制。
The corresponding dynamic privilege is 相应的动态权限是BINLOG_ADMIN.BINLOG_ADMIN。
Enables setting the effective authorization ID when executing a view or stored program. 允许在执行视图或存储程序时设置有效的授权ID。A user with this privilege can specify any account in the 具有此权限的用户可以在视图或存储程序的DEFINER attribute of a view or stored program.DEFINER属性中指定任何帐户。
The corresponding dynamic privilege is 相应的动态权限为SET_USER_ID.SET_USER_ID。
Enables use of the 允许使用CREATE SERVER, ALTER SERVER, and DROP SERVER statements.CREATE SERVER、ALTER SERVER和DROP SERVER语句。
Enables use of the mysqladmin debug command.启用mysqladmin调试命令的使用。
Enables 启用InnoDB encryption key rotation.InnoDB加密密钥轮换。
The corresponding dynamic privilege is 相应的动态权限是ENCRYPTION_KEY_ADMIN.ENCRYPTION_KEY_ADMIN。
Enables execution of Version Tokens functions.启用版本令牌函数的执行。
The corresponding dynamic privilege is 相应的动态权限是VERSION_TOKEN_ADMIN.VERSION_TOKEN_ADMIN。
Enables granting and revoking roles, use of the 启用授予和撤消角色、使用WITH ADMIN OPTION clause of the GRANT statement, and nonempty <graphml> element content in the result from the ROLES_GRAPHML() function.GRANT语句的WITH ADMIN OPTION子句和ROLES_GRAPHML()函数结果中的非空<graphml>元素的内容。
The corresponding dynamic privilege is 相应的动态权限是ROLE_ADMIN.ROLE_ADMIN。
Enables control over client connections not permitted to non-启用对不允许非SUPER accounts:SUPER帐户的客户端连接的控制:
Enables use of the 允许使用KILL statement or mysqladmin kill command to kill threads belonging to other accounts. KILL语句或mysqladmin kill命令终止属于其他帐户的线程。(An account can always kill its own threads.)(帐户总是可以终止自己的线程。)
The server does not execute init_connect system variable content when SUPER clients connect.SUPER客户端连接时,服务器不执行init_connect系统变量内容。
The server accepts one connection from a 即使达到SUPER client even if the connection limit configured by the max_connections system variable is reached.max_connections系统变量配置的连接限制,服务器也会接受来自SUPER客户端的一个连接。
A server in offline mode (处于脱机模式(启用offline_mode enabled) does not terminate SUPER client connections at the next client request, and accepts new connections from SUPER clients.offline_mode)的服务器不会在下一个客户端请求时终止SUPER客户端连接,而是接受来自SUPER客户端的新连接。
Updates can be performed even when the 即使启用了read_only system variable is enabled. read_only系统变量,也可以执行更新。This applies to explicit table updates, and to use of account-management statements such as 这适用于显式表更新,以及使用帐户管理语句(如GRANT and REVOKE that update tables implicitly.GRANT和REVOKE)隐式更新表。
The corresponding dynamic privilege for the preceding connection-control operations is 前面的连接控制操作对应的动态权限是CONNECTION_ADMIN.CONNECTION_ADMIN。
You may also need the 如第25.7节“存储程序二进制日志记录”所述,如果启用了二进制日志记录,您可能还需要SUPER privilege to create or alter stored functions if binary logging is enabled, as described in Section 25.7, “Stored Program Binary Logging”.SUPER权限来创建或更改存储函数。
Enables trigger operations. 启用触发器操作。You must have this privilege for a table to create, drop, execute, or display triggers for that table.您必须拥有此权限才能使表创建、删除、执行或显示该表的触发器。
When a trigger is activated (by a user who has privileges to execute 当触发器被激活时(由有权为与触发器关联的表执行INSERT, UPDATE, or DELETE statements for the table associated with the trigger), trigger execution requires that the user who defined the trigger still have the TRIGGER privilege for the table.INSERT、UPDATE或DELETE语句的用户激活),触发器执行要求定义触发器的用户仍具有该表的触发器权限。
Enables rows to be updated in tables in a database.允许在数据库的表中更新行。
This privilege specifier stands for “no privileges.” 此权限说明符表示“无权限”。It is used at the global level with 在全局级别使用,利用GRANT to specify clauses such as WITH GRANT OPTION without naming specific account privileges in the privilege list. GRANT来指定诸如WITH GRANT OPTION之类的子句,而不在权限列表中命名特定的帐户权限。SHOW GRANTS displays USAGE to indicate that an account has no privileges at a privilege level.SHOW GRANTS显示USAGE,以指示帐户在某个权限级别上没有权限。
Dynamic privileges are defined at runtime, in contrast to static privileges, which are built in to the server. 动态权限是在运行时定义的,与服务器内置的静态权限不同。The following list describes each dynamic privilege available in MySQL.下面的列表描述了MySQL中可用的每个动态权限。
Most dynamic privileges are defined at server startup. Others are defined by a particular component or plugin, as indicated in the privilege descriptions. 大多数动态权限是在服务器启动时定义的。其他的由特定的组件或插件定义,如权限描述中所示。In such cases, the privilege is unavailable unless the component or plugin that defines it is enabled.在这种情况下,除非定义权限的组件或插件已启用,否则权限不可用。
Particular SQL statements might have more specific privilege requirements than indicated here. 特定的SQL语句可能有比这里更具体的权限要求。If so, the description for the statement in question provides the details.如果是这样的话,有关声明的描述将提供详细信息。
APPLICATION_PASSWORD_ADMIN (added in MySQL 8.0.14)
For dual-password capability, this privilege enables use of the 对于双密码功能,此权限允许对应用于您自己帐户的RETAIN CURRENT PASSWORD and DISCARD OLD PASSWORD clauses for ALTER USER and SET PASSWORD statements that apply to your own account. ALTER USER语句和SET PASSWORD语句使用RETAIN CURRENT PASSWORD和DISCARD OLD PASSWORD子句。This privilege is required to manipulate your own secondary password because most users require only one password.由于大多数用户只需要一个密码,因此需要此权限才能操作自己的辅助密码。
If an account is to be permitted to manipulate secondary passwords for all accounts, it should be granted the 如果允许某个帐户操作所有帐户的辅助密码,则应授予该帐户CREATE USER privilege rather than APPLICATION_PASSWORD_ADMIN.CREATE USER权限,而不是APPLICATION_PASSWORD_ADMIN权限。
For more information about use of dual passwords, see Section 6.2.15, “Password Management”.有关使用双重密码的更多信息,请参阅第6.2.15节“密码管理”。
Enables audit log configuration. 启用审核日志配置。This privilege is defined by the 此权限由audit_log plugin; see Section 6.4.5, “MySQL Enterprise Audit”.audit_log插件定义;请参阅第6.4.5节“MySQL企业审计”。
Enables execution of the 允许执行LOCK INSTANCE FOR BACKUP statement and access to the Performance Schema log_status table.LOCK INSTANCE FOR BACKUP语句,并允许访问实施架构log_status表。
Besides 除了BACKUP_ADMIN, the SELECT privilege on the log_status table is also needed for its access.BACKUP_ADMIN之外,还需要log_status表上的SELECT权限来访问它。
The 当执行从早期版本到MySQL 8.0的就地升级时,具有BACKUP_ADMIN privilege is automatically granted to users with the RELOAD privilege when performing an in-place upgrade to MySQL 8.0 from an earlier version.RELOAD权限的用户将自动被授予BACKUP_ADMIN权限。
Enables binary log control by means of the 通过PURGE BINARY LOGS and BINLOG statements.PURGE BINARY LOGS(清除二进制日志)和BINLOG语句启用二进制日志控制。
Enables setting the system variable 启用设置系统变量binlog_encryption, which activates or deactivates encryption for binary log files and relay log files. binlog_encryption,该变量激活或停用二进制日志文件和中继日志文件的加密。This ability is not provided by the BINLOG_ADMIN, SYSTEM_VARIABLES_ADMIN, or SESSION_VARIABLES_ADMIN privileges. BINLOG_ADMIN、SYSTEM_VARIABLES_ADMIN或SESSION_VARIABLES_ADMIN权限不提供此功能。The related system variable 相关的系统变量binlog_rotate_encryption_master_key_at_startup, which rotates the binary log master key automatically when the server is restarted, does not require this privilege.binlog_rotate_encryption_master_key_at_startup在服务器重新启动时自动旋转二进制日志主密钥,它不需要此权限。
Enables execution of the 启用CLONE statements. CLONE语句的执行。Includes 包括BACKUP_ADMIN and SHUTDOWN privileges.BACKUP_ADMIN权限和SHUTDOWN权限。
Enables use of the 允许使用KILL statement or mysqladmin kill command to kill threads belonging to other accounts. KILL语句或mysqladmin kill命令终止属于其他帐户的线程。(An account can always kill its own threads.)(帐户总是可以终止自己的线程。)
Enables setting system variables related to client connections, or circumventing restrictions related to client connections. 允许设置与客户端连接相关的系统变量,或绕过与客户端连接相关的限制。CONNECTION_ADMIN applies to the effects of these system variables:CONNECTION_ADMIN应用于这些系统变量的影响:
init_connect: The server does not execute :当init_connect system variable content when CONNECTION_ADMIN clients connect.CONNECTION_ADMIN客户连接时,服务器不执行init_connect系统变量内容。
max_connections: The server accepts one connection from a :即使已达到CONNECTION_ADMIN client even if the connection limit configured by the max_connections system variable is reached.max_connections系统变量配置的连接限制,服务器也接受来自CONNECTION_ADMIN客户端的一个连接。
offline_mode: A server in offline mode (:处于脱机模式(启用offline_mode enabled) does not terminate CONNECTION_ADMIN client connections at the next client request, and accepts new connections from CONNECTION_ADMIN clients.offline_mode)的服务器不会在下一个客户端请求时终止CONNECTION_ADMIN客户端连接,并接受来自CONNECTION_ADMIN客户端的新连接。
read_only: Updates can be performed even when the :即使启用read_only system variable is enabled. read_only系统变量,也可以执行更新。This applies to explicit table updates, and to use of account-management statements such as 这适用于显式表更新,以及使用帐户管理语句(如GRANT and REVOKE that update tables implicitly.GRANT和REVOKE)隐式更新表。
Enables 启用InnoDB encryption key rotation.InnoDB加密密钥轮换。
Enables a user to administer firewall rules for any user. 允许用户为任何用户管理防火墙规则。This privilege is defined by the 此权限由MYSQL_FIREWALL plugin; see Section 6.4.7, “MySQL Enterprise Firewall”.MYSQL_FIREWALL插件定义;请参阅第6.4.7节“MySQL企业防火墙”。
FIREWALL_EXEMPT (added in MySQL 8.0.27)
A user with this privilege is exempt from firewall restrictions. 具有此权限的用户不受防火墙限制。This privilege is defined by the 此权限由MYSQL_FIREWALL plugin; see Section 6.4.7, “MySQL Enterprise Firewall”.MYSQL_FIREWALL插件定义;请参阅第6.4.7节“MySQL企业防火墙”。
Enables users to update their own firewall rules. 允许用户更新自己的防火墙规则。This privilege is defined by the 此权限由MYSQL_FIREWALL plugin; see Section 6.4.7, “MySQL Enterprise Firewall”.MYSQL_FIREWALL插件定义;请参阅第6.4.7节“MySQL企业防火墙”。
FLUSH_OPTIMIZER_COSTS (added in MySQL 8.0.23)
Enables use of the 允许使用FLUSH OPTIMIZER_COSTS statement.FLUSH OPTIMIZER_COSTS语句。
FLUSH_STATUS (added in MySQL 8.0.23)
Enables use of the 允许使用FLUSH STATUS statement.FLUSH STATUS语句。
FLUSH_TABLES (added in MySQL 8.0.23)
Enables use of the 允许使用FLUSH TABLES statement.FLUSH TABLES语句。
FLUSH_USER_RESOURCES (added in MySQL 8.0.23)
Enables use of the 允许使用FLUSH USER_RESOURCES statement.FLUSH USER_RESOURCES语句。
Enables the account to start and stop Group Replication using the 使帐户能够使用START GROUP REPLICATION and STOP GROUP REPLICATION statements, to change the global setting for the group_replication_consistency system variable, and to use the group_replication_set_write_concurrency() and group_replication_set_communication_protocol() functions. START GROUP REPLICATION语句和STOP GROUP REPLICATION语句以启动组复制和停止组复制,更改group_replication_consistency系统变量的全局设置,并使用group_replication_set_write_concurrency()函数和group_replication_set_communication_protocol()函数。Grant this privilege to accounts that are used to administer servers that are members of a replication group.将此权限授予用于管理作为复制组成员的服务器的帐户。
Enables the account to activate and deactivate redo log archiving.使帐户能够激活和停用重做日志存档。
Enables use of the 允许使用ALTER INSTANCE {ENABLE|DISABLE} INNODB REDO_LOG statement to enable or disable redo logging. ALTER INSTANCE{ENABLE | DISABLE} INNODB REDO_LOG语句来启用或禁用重做日志。Introduced in MySQL 8.0.21.在MySQL 8.0.21版中引入。
See Disabling Redo Logging.请参见 禁用重做日志记录。
Enables the user or role and its privileges to be shared and synchronized between all 允许用户或角色及其权限在所有启用NDB-enabled MySQL servers as soon as they join a given NDB Cluster. NDB的MySQL服务器加入给定NDB集群后立即在它们之间共享和同步。This privilege is available only if the 此权限仅在启用NDB storage engine is enabled.NDB存储引擎时可用。
Any changes to or revocations of privileges made for the given user or role are synchronized immediately with all connected MySQL servers (SQL nodes). 对给定用户或角色的权限所做的任何更改或撤销都会立即与所有连接的MySQL服务器(SQL节点)同步。You should be aware that there is no guarantee that multiple statements affecting privileges originating from different SQL nodes are executed on all SQL nodes in the same order. 您应该知道,不能保证多个影响来自不同SQL节点的权限的语句以相同的顺序在所有SQL节点上执行。For this reason, it is highly recommended that all user administration be done from a single designated SQL node.因此,强烈建议从单个指定的SQL节点执行所有用户管理。
NDB_STORED_USER is a global privilege and must be granted or revoked using ON *.*. NDB_STORED_USER是全局权限,必须使用ON *.*授予或撤销。Trying to set any other scope for this privilege results in an error. 尝试为此权限设置任何其他作用域将导致错误。This privilege can be given to most application and administrative users, but it cannot be granted to system reserved accounts such as 此权限可以授予大多数应用程序和管理用户,但不能授予mysql.session@localhost or mysql.infoschema@localhost.mysql.session@localhost或mysql.infoschema@localhost等系统保留帐户。
A user that has been granted the 被授予NDB_STORED_USER privilege is stored in NDB (and thus shared by all SQL nodes), as is a role with this privilege. NDB_STORED_USER特权的用户存储在NDB中(因此由所有SQL节点共享),具有此特权的角色也是如此。A user that is merely granted a role that has 仅被授予了具有NDB_STORED_USER is not stored in NDB; each NDB stored user must be granted the privilege explicitly.NDB_STORED_USER的角色的用户不存储在NDB中;每个NDB存储用户都必须被显式地授予特权。
For more detailed information about how this works in 有关如何在NDB, see Section 23.5.12, “Distributed MySQL Privileges with NDB_STORED_USER”.NDB中工作的更多详细信息,请参阅第23.5.12节“使用NDB存储用户的分布式MySQL权限”。
The 从NDB 8.0.18开始,可以使用NDB_STORED_USER privilege is available beginning with NDB 8.0.18.NDB_STORED_USER权限。
For users who also have 对于同时具有SYSTEM_VARIABLES_ADMIN, PERSIST_RO_VARIABLES_ADMIN enables use of SET PERSIST_ONLY to persist global system variables to the mysqld-auto.cnf option file in the data directory. SYSTEM_VARIABLES_ADMIN的用户,PERSIST_RO_VARIABLES_ADMIN允许使用SET PERSIST_ONLY将全局系统变量持久化到数据目录中的mysqld-auto.cnf选项文件。This statement is similar to 此语句类似于SET PERSIST but does not modify the runtime global system variable value. SET PERSIST,但不修改运行时全局系统变量值。This makes 这使得SET PERSIST_ONLY suitable for configuring read-only system variables that can be set only at server startup.SET PERSIST_ONLY适用于配置只读系统变量,这些变量只能在服务器启动时设置。
See also Section 5.1.9.1, “System Variable Privileges”.另请参阅第5.1.9.1节“系统变量权限”。
Enables the account to act as the 允许帐户充当复制通道的PRIVILEGE_CHECKS_USER for a replication channel, and to execute BINLOG statements in mysqlbinlog output. PRIVILEGE_CHECKS_USER,并在mysqlbinlog输出中执行BINLOG语句。Grant this privilege to accounts that are assigned using 将此权限授予使用CHANGE REPLICATION SOURCE TO (from MySQL 8.0.23) or CHANGE MASTER TO (before MySQL 8.0.23) to provide a security context for replication channels, and to handle replication errors on those channels. CHANGE REPLICATION SOURCE TO(从MySQL 8.0.23)或CHANGE MASTER TO(在MySQL 8.0.23之前)分配的帐户,以便为复制通道提供安全上下文,并处理这些通道上的复制错误。As well as the 除了REPLICATION_APPLIER privilege, you must also give the account the required privileges to execute the transactions received by the replication channel or contained in the mysqlbinlog output, for example to update the affected tables. REPLICATION_APPLIER特权外,还必须为帐户提供执行复制通道接收的事务或mysqlbinlog输出中包含的事务所需的权限,例如更新受影响的表。For more information, see Section 17.3.3, “Replication Privilege Checks”.有关更多信息,请参阅第17.3.3节“复制权限检查”。
Enables the account to connect to the replication source server, start and stop replication using the 使帐户能够连接到复制源服务器,使用START REPLICA | SLAVE and STOP REPLICA | SLAVE statements, and use the CHANGE REPLICATION SOURCE TO statement (from MySQL 8.0.23) or CHANGE MASTER TO statement (before MySQL 8.0.23) and the CHANGE REPLICATION FILTER statements. TART REPLICA | SLAVE语句和STOP REPLICA | SLAVE语句启动和停止复制,并使用CHANGE REPLICATION SOURCE TO语句(从MySQL 8.0.23开始)或CHANGE MASTER TO语句(在MySQL 8.0.23之前)和CHANGE REPLICATION FILTER语句。Grant this privilege to accounts that are used by replicas to connect to the current server as their replication source server. 将此权限授予副本用于连接到当前服务器作为其复制源服务器的帐户。This privilege does not apply to Group Replication; use 此权限不适用于组复制;组复制请使用GROUP_REPLICATION_ADMIN for that.GROUP_REPLICATION_ADMIN。
Enables resource group management, consisting of creating, altering, and dropping resource groups, and assignment of threads and statements to resource groups. 启用资源组管理,包括创建、更改和删除资源组,以及将线程和语句分配给资源组。A user with this privilege can perform any operation relating to resource groups.具有此权限的用户可以执行与资源组相关的任何操作。
Enables assigning threads and statements to resource groups. 允许将线程和语句分配给资源组。A user with this privilege can use the 具有此权限的用户可以使用SET RESOURCE GROUP statement and the RESOURCE_GROUP optimizer hint.SET RESOURCE GROUP语句和RESOURCE_GROUP优化器提示。
Enables granting and revoking roles, use of the 启用授予和撤消角色、使用WITH ADMIN OPTION clause of the GRANT statement, and nonempty <graphml> element content in the result from the ROLES_GRAPHML() function. GRANT语句的WITH ADMIN OPTION子句和来自ROLES_GRAPHML()函数的结果中的非空<graphml>元素内容。Required to set the value of the 必须设置mandatory_roles system variable.mandatory_roles系统变量的值。
Enables connections to the network interface that permits only administrative connections (see Section 5.1.12.1, “Connection Interfaces”).启用到仅允许管理连接的网络接口的连接(请参阅第5.1.12.1节“连接接口”)。
SESSION_VARIABLES_ADMIN (added in MySQL 8.0.14)
For most system variables, setting the session value requires no special privileges and can be done by any user to affect the current session. 对于大多数系统变量,设置会话值不需要任何特权,任何用户都可以这样做来影响当前会话。For some system variables, setting the session value can have effects outside the current session and thus is a restricted operation. 对于某些系统变量,设置会话值可能会在当前会话之外产生影响,因此是一个受限操作。For these, the 对这种情形,SESSION_VARIABLES_ADMIN privilege enables the user to set the session value.SESSION_VARIABLES_ADMIN权限允许用户设置会话值。
If a system variable is restricted and requires a special privilege to set the session value, the variable description indicates that restriction. 如果系统变量受到限制,并且需要特殊权限来设置会话值,则变量描述将指示该限制。Examples include 示例包括binlog_format, sql_log_bin, and sql_log_off.binlog_format、sql_log_bin和sql_log_off。
Prior to MySQL 8.0.14 when 在MySQL 8.0.14之前,当添加SESSION_VARIABLES_ADMIN was added, restricted session system variables can be set only by users who have the SYSTEM_VARIABLES_ADMIN or SUPER privilege.SESSION_VARIABLES_ADMIN时,只有拥有system_VARIABLES_ADMIN或SUPER权限的用户才能设置受限会话系统变量。
The SESSION_VARIABLES_ADMIN privilege is a subset of the SYSTEM_VARIABLES_ADMIN and SUPER privileges. SESSION_VARIABLES_ADMIN权限是SYSTEM_VARIABLES_ADMIN权限和SUPER权限的子集。A user who has either of those privileges is also permitted to set restricted session variables and effectively has 拥有这些权限之一的用户也可以设置受限会话变量,并通过暗示有效地拥有SESSION_VARIABLES_ADMIN by implication and need not be granted SESSION_VARIABLES_ADMIN explicitly.SESSION_VARIABLES_ADMIN,而不需要显式地授予SESSION_VARIABLES_ADMIN。
See also Section 5.1.9.1, “System Variable Privileges”.另请参见第5.1.9.1节“系统变量权限”。
Enables setting the effective authorization ID when executing a view or stored program. 允许在执行视图或存储程序时设置有效的授权ID。A user with this privilege can specify any account as the 具有此权限的用户可以将任何帐户指定为视图或存储程序的DEFINER attribute of a view or stored program.DEFINER属性。
As of MySQL 8.0.22, 从MySQL 8.0.22开始,SET_USER_ID also enables overriding security checks designed to prevent operations that (perhaps inadvertently) cause stored objects to become orphaned or that cause adoption of stored objects that are currently orphaned. SET_USER_ID还支持覆盖安全检查,以防止(可能是无意中)导致存储对象成为孤立对象或导致采用当前孤立的存储对象的操作。For details, see Orphan Stored Objects.有关详细信息,请参阅孤立存储对象。
SHOW_ROUTINE (added in MySQL 8.0.20)
Enables a user to access definitions and properties of all stored routines (stored procedures and functions), even those for which the user is not named as the routine 允许用户访问所有存储例程(存储过程和函数)的定义和属性,即使用户未被命名为例程DEFINER. DEFINDER。This access includes:此访问包括:
The contents of the INFORMATION_SCHEMA.ROUTINES table.INFORMATION_SCHEMA.ROUTINES表的内容。
The SHOW CREATE FUNCTION and SHOW CREATE PROCEDURE statements.SHOW CREATE FUNCTION语句和SHOW CREATE PROCEDURE语句。
The SHOW FUNCTION CODE and SHOW PROCEDURE CODE statements.SHOW FUNCTION CODE语句和SHOW PROCEDURE CODE语句。
The SHOW FUNCTION STATUS and SHOW PROCEDURE STATUS statements.SHOW FUNCTION STATUS语句和SHOW PROCEDURE STATUS语句。
Prior to MySQL 8.0.20, for a user to access definitions of routines the user did not define, the user must have the global 在MySQL 8.0.20之前,用户要访问用户未定义的例程的定义,必须具有全局SELECT privilege, which is very broad. SELECT权限,这是非常广泛的。As of 8.0.20, 从8.0.20开始,SHOW_ROUTINE may be granted instead as a privilege with a more restricted scope that permits access to routine definitions. SHOW_ROUTINE可以被授予权限,权限范围更为有限,允许访问例程定义。(That is, an administrator can rescind global (也就是说,管理员可以取消不需要全局SELECT from users that do not otherwise require it and grant SHOW_ROUTINE instead.) SELECT的用户的全局SELECT,改成授予SHOW_ROUTINE。)This enables an account to back up stored routines without requiring a broad privilege.这使帐户能够备份存储的例程,而不需要广泛的权限。
SYSTEM_USER (added in MySQL 8.0.16)
The SYSTEM_USER privilege distinguishes system users from regular users:SYSTEM_USER权限将系统用户与常规用户区分开来:
A user with the 具有SYSTEM_USER privilege is a system user.SYSTEM_USER权限的用户是系统用户。
A user without the 没有SYSTEM_USER privilege is a regular user.SYSTEM_USER权限的用户是普通用户。
The SYSTEM_USER privilege has an effect on the accounts to which a given user can apply its other privileges, as well as whether the user is protected from other accounts:SYSTEM_USER权限会影响给定用户可以应用其其他权限的帐户,以及该用户是否受到其他帐户的保护:
A system user can modify both system and regular accounts. 系统用户可以修改系统帐户和常规帐户。That is, a user who has the appropriate privileges to perform a given operation on regular accounts is enabled by possession of 也就是说,拥有对常规帐户执行给定操作的适当权限的用户通过拥有SYSTEM_USER to also perform the operation on system accounts. SYSTEM_USER来启用对系统帐户也执行该操作。A system account can be modified only by system users with appropriate privileges, not by regular users.系统帐户只能由具有适当权限的系统用户修改,而不能由普通用户修改。
A regular user with appropriate privileges can modify regular accounts, but not system accounts. 具有适当权限的常规用户可以修改常规帐户,但不能修改系统帐户。A regular account can be modified by both system and regular users with appropriate privileges.系统和具有适当权限的常规用户都可以修改常规帐户。
For more information, see Section 6.2.11, “Account Categories”.有关更多信息,请参阅第6.2.11节“账户类别”。
The protection against modification by regular accounts that is afforded to system accounts by the SYSTEM_USER privilege does not apply to regular accounts that have privileges on the mysql system schema and thus can directly modify the grant tables in that schema. SYSTEM_USER权限为系统帐户提供的防止常规帐户修改的保护不适用于对mysql系统架构具有权限的常规帐户,因此可以直接修改该架构中的授权表。For full protection, do not grant 为获得完全保护,请不要向常规帐户授予mysql schema privileges to regular accounts. mysql模式权限。See Protecting System Accounts Against Manipulation by Regular Accounts.请参阅保护系统帐户不受常规帐户的操纵。
Affects the following operations and server behaviors:影响以下操作和服务器行为:
Enables system variable changes at runtime:在运行时启用系统变量更改:
Enables server configuration changes to global system variables with 使用SET GLOBAL and SET PERSIST.SET GLOBAL和SET PERSIST对全局系统变量启用服务器配置更改。
Enables server configuration changes to global system variables with 如果用户还具有SET PERSIST_ONLY, if the user also has PERSIST_RO_VARIABLES_ADMIN.PERSIST_RO_VARIABLES_ADMIN,则通过SET PERSIST_ONLY启用对全局系统变量的服务器配置更改。
Enables setting restricted session system variables that require a special privilege. 启用设置需要特殊权限的受限会话系统变量。In effect, 实际上,SYSTEM_VARIABLES_ADMIN implies SESSION_VARIABLES_ADMIN without explicitly granting SESSION_VARIABLES_ADMIN.SYSTEM_VARIABLES_ADMIN意味着SESSION_VARIABLES_ADMIN,而没有显式地授予SESSION_VARIABLES_ADMIN。
See also Section 5.1.9.1, “System Variable Privileges”.另请参阅第5.1.9.1节“系统变量权限”。
Enables changes to global transaction characteristics (see Section 13.3.7, “SET TRANSACTION Statement”).允许更改全局事务特性(请参阅第13.3.7节“设置事务语句”)。
TABLE_ENCRYPTION_ADMIN (added in MySQL 8.0.16)
Enables a user to override default encryption settings when 启用table_encryption_privilege_check is enabled; see Defining an Encryption Default for Schemas and General Tablespaces.table_encryption_privilege_check时,允许用户覆盖默认加密设置;请参见为架构和常规表空间定义加密默认值。
Enables execution of Version Tokens functions. 启用版本令牌函数的执行。This privilege is defined by the 此权限由version_tokens plugin; see Section 5.6.6, “Version Tokens”.version_tokens插件定义;请参阅第5.6.6节,“版本令牌”。
Enables execution of the 允许执行XA RECOVER statement; see Section 13.3.8.1, “XA Transaction SQL Statements”.XA RECOVER语句;请参阅第13.3.8.1节“XA事务SQL语句”。
Prior to MySQL 8.0, any user could execute the XA RECOVER statement to discover the XID values for outstanding prepared XA transactions, possibly leading to commit or rollback of an XA transaction by a user other than the one who started it. In MySQL 8.0, XA RECOVER is permitted only to users who have the XA_RECOVER_ADMIN privilege, which is expected to be granted only to administrative users who have need for it. This might be the case, for example, for administrators of an XA application if it has crashed and it is necessary to find outstanding transactions started by the application so they can be rolled back. This privilege requirement prevents users from discovering the XID values for outstanding prepared XA transactions other than their own. It does not affect normal commit or rollback of an XA transaction because the user who started it knows its XID.
It is a good idea to grant to an account only those privileges that it needs. 只授予帐户所需的特权是个好主意。You should exercise particular caution in granting the 授予FILE and administrative privileges:FILE和管理权限时应特别小心:
FILE can be abused to read into a database table any files that the MySQL server can read on the server host. FILE可能被滥用,以便将MySQL服务器可以在服务器主机上读取的任何文件读入数据库表。This includes all world-readable files and files in the server's data directory. 这包括所有世界可读文件和服务器数据目录中的文件。The table can then be accessed using 然后可以使用SELECT to transfer its contents to the client host.SELECT访问该表,将其内容传输到客户机主机。
GRANT OPTION enables users to give their privileges to other users. Two users that have different privileges and with the GRANT OPTION privilege are able to combine privileges.
ALTER may be used to subvert the privilege system by renaming tables.
SHUTDOWN can be abused to deny service to other users entirely by terminating the server.
PROCESS can be used to view the plain text of currently executing statements, including statements that set or change passwords.
SUPER can be used to terminate other sessions or change how the server operates.
Privileges granted for the mysql system database itself can be used to change passwords and other access privilege information:
Passwords are stored encrypted, so a malicious user cannot simply read them to know the plain text password. However, a user with write access to the mysql.user system table authentication_string column can change an account's password, and then connect to the MySQL server using that account.
INSERT or UPDATE granted for the mysql system database enable a user to add privileges or modify existing privileges, respectively.
DROP for the mysql system database enables a user to remote privilege tables, or even the database itself.
MySQL supports static and dynamic privileges:MySQL支持静态和动态权限:
Static privileges are built in to the server. 静态权限内置于服务器中。They are always available to be granted to user accounts and cannot be unregistered.它们始终可以被授予用户帐户,并且不能注销。
Dynamic privileges can be registered and unregistered at runtime. 动态权限可以在运行时注册和注销。This affects their availability: A dynamic privilege that has not been registered cannot be granted.这会影响它们的可用性:无法授予尚未注册的动态权限。
For example, the 例如,SELECT and INSERT privileges are static and always available, whereas a dynamic privilege becomes available only if the component that implements it has been enabled.SELECT和INSERT特权是静态的并且总是可用的,而动态特权只有在实现它的组件被启用时才可用。
The remainder of this section describes how dynamic privileges work in MySQL. 本节的其余部分将介绍动态权限在MySQL中的工作方式。The discussion uses the term “components” but applies equally to plugins.讨论中使用了“组件”一词,但同样适用于插件。
Server administrators should be aware of which server components define dynamic privileges. 服务器管理员应该知道哪些服务器组件定义了动态权限。For MySQL distributions, documentation of components that define dynamic privileges describes those privileges.对于MySQL发行版,定义动态权限的组件文档描述了这些权限。
Third-party components may also define dynamic privileges; an administrator should understand those privileges and not install components that might conflict or compromise server operation. 第三方组件也可以定义动态特权;管理员应该了解这些权限,而不是安装可能冲突或危及服务器操作的组件。For example, one component conflicts with another if both define a privilege with the same name. 例如,如果一个组件和另一个组件都定义了同名的特权,那么这两个组件就会发生冲突。Component developers can reduce the likelihood of this occurrence by choosing privilege names having a prefix based on the component name.组件开发人员可以通过基于组件名称选择具有前缀的特权名称来降低发生这种情况的可能性。
The server maintains the set of registered dynamic privileges internally in memory. 服务器在内存内部维护已注册的动态权限集。Unregistration occurs at server shutdown.服务器关闭时发生注销。
Normally, a component that defines dynamic privileges registers them when it is installed, during its initialization sequence. 通常,定义动态权限的组件在其初始化序列中安装时会注册这些权限。When uninstalled, a component does not unregister its registered dynamic privileges. 卸载时,组件不会注销其已注册的动态权限。(This is current practice, not a requirement. That is, components could, but do not, unregister at any time privileges they register.)(这是现行做法,不是要求。也就是说,组件可以(但不可以)随时注销它们注册的权限。)
No warning or error occurs for attempts to register an already registered dynamic privilege. 尝试注册已注册的动态权限时不会出现警告或错误。Consider the following sequence of statements:考虑以下陈述顺序:
INSTALL COMPONENT 'my_component'; UNINSTALL COMPONENT 'my_component'; INSTALL COMPONENT 'my_component';
The first INSTALL COMPONENT statement registers any privileges defined by component my_component, but UNINSTALL COMPONENT does not unregister them. For the second INSTALL COMPONENT statement, the component privileges it registers are found to be already registered, but no warnings or errors occur.
Dynamic privileges apply only at the global level. 动态权限仅适用于全局级别。The server stores information about current assignments of dynamic privileges to user accounts in the 服务器在mysql.global_grants system table:mysql.global_grants系统表中存储有关当前为用户帐户分配动态权限的信息:
The server automatically registers privileges named in global_grants during server startup (unless the --skip-grant-tables option is given).
The GRANT and REVOKE statements modify the contents of global_grants.
Dynamic privilege assignments listed in global_grants are persistent. They are not removed at server shutdown.
Example: The following statement grants to user u1 the privileges required to control replication (including Group Replication) on a replica, and to modify system variables:
GRANT REPLICATION_SLAVE_ADMIN, GROUP_REPLICATION_ADMIN, BINLOG_ADMIN ON *.* TO 'u1'@'localhost';
Granted dynamic privileges appear in the output from the SHOW GRANTS statement and the INFORMATION_SCHEMA USER_PRIVILEGES table.
For GRANT and REVOKE at the global level, any named privileges not recognized as static are checked against the current set of registered dynamic privileges and granted if found. Otherwise, an error occurs to indicate an unknown privilege identifier.
For GRANT and REVOKE the meaning of ALL [PRIVILEGES] at the global level includes all static global privileges, as well as all currently registered dynamic privileges:
GRANT ALL at the global level grants all static global privileges and all currently registered dynamic privileges. A dynamic privilege registered subsequent to execution of the GRANT statement is not granted retroactively to any account.
REVOKE ALL at the global level revokes all granted static global privileges and all granted dynamic privileges.REVOKE ALL撤销所有授予的静态全局权限和所有授予的动态权限。
The FLUSH PRIVILEGES statement reads the global_grants table for dynamic privilege assignments and registers any unregistered privileges found there.FLUSH PRIVILEGES语句读取global_grants表中的动态权限分配,并注册在其中找到的所有未注册权限。
For descriptions of the dynamic privileges provided by MySQL Server and components included in MySQL distributions, see Section 6.2.2, “Privileges Provided by MySQL”.有关MySQL Server提供的动态权限和MySQL发行版中包含的组件的描述,请参阅第6.2.2节“MySQL提供的权限”。
In MySQL 8.0, many operations that previously required the SUPER privilege are also associated with a dynamic privilege of more limited scope. (For descriptions of these privileges, see Section 6.2.2, “Privileges Provided by MySQL”.) Each such operation can be permitted to an account by granting the associated dynamic privilege rather than SUPER. This change improves security by enabling DBAs to avoid granting SUPER and tailor user privileges more closely to the operations permitted. SUPER is now deprecated; expect it to be removed in a future version of MySQL.
When removal of SUPER occurs, operations that formerly required SUPER fail unless accounts granted SUPER are migrated to the appropriate dynamic privileges. Use the following instructions to accomplish that goal so that accounts are ready prior to SUPER removal:
Execute this query to identify accounts that are granted SUPER:
SELECT GRANTEE FROM INFORMATION_SCHEMA.USER_PRIVILEGES WHERE PRIVILEGE_TYPE = 'SUPER';
For each account identified by the preceding query, determine the operations for which it needs SUPER. Then grant the dynamic privileges corresponding to those operations, and revoke SUPER.
For example, if 'u1'@'localhost' requires SUPER for binary log purging and system variable modification, these statements make the required changes to the account:
GRANT BINLOG_ADMIN, SYSTEM_VARIABLES_ADMIN ON *.* TO 'u1'@'localhost'; REVOKE SUPER ON *.* FROM 'u1'@'localhost';
After you have modified all applicable accounts, the 修改所有适用的帐户后,第一步中的INFORMATION_SCHEMA query in the first step should produce an empty result set.INFORMATION_SCHEMA查询将生成一个空结果集。