After the server accepts a connection, it enters Stage 2 of access control. For each request that you issue through the connection, the server determines what operation you want to perform, then checks whether your privileges are sufficient. This is where the privilege columns in the grant tables come into play. These privileges can come from any of the user, global_grants, db, tables_priv, columns_priv, or procs_priv tables. (You may find it helpful to refer to Section 6.2.3, “Grant Tables”, which lists the columns present in each grant table.)
The user and global_grants tables grant global privileges. The rows in these tables for a given account indicate the account privileges that apply on a global basis no matter what the default database is. For example, if the user table grants you the DELETE privilege, you can delete rows from any table in any database on the server host. It is wise to grant privileges in the user table only to people who need them, such as database administrators. For other users, leave all privileges in the user table set to 'N' and grant privileges at more specific levels only (for particular databases, tables, columns, or routines). It is also possible to grant database privileges globally but use partial revokes to restrict them from being exercised on specific databases (see Section 6.2.12, “Privilege Restriction Using Partial Revokes”).
The db table grants database-specific privileges. Values in the scope columns of this table can take the following forms:
- A blank User value matches the anonymous user. A nonblank value matches literally; there are no wildcards in user names.
- The wildcard characters % and _ can be used in the Host and Db columns. These have the same meaning as for pattern-matching operations performed with the LIKE operator. If you want to use either character literally when granting privileges, you must escape it with a backslash. For example, to include the underscore character (_) as part of a database name, specify it as \_ in the GRANT statement.
- A '%' or blank Host value means “any host.”
- A '%' or blank Db value means “any database.”
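As an added example (not from the reference manual), the statements below show how an unescaped and an escaped underscore in a database-level GRANT end up in mysql.db, and a query that finds db rows whose pattern is wider than the name suggests. The account, host pattern, and database names are hypothetical, and the example assumes partial_revokes is OFF (its default).

```sql
-- Added example; account, host pattern and database names are hypothetical.
-- Assumes partial_revokes is OFF (its default).
CREATE USER 'app'@'10.0.%' IDENTIFIED BY 'replace-me';

-- Unescaped: the `_` is a LIKE wildcard, so this db row matches app_prod
-- but also appXprod, app-prod, and any other name of the same shape.
GRANT SELECT ON `app_prod`.* TO 'app'@'10.0.%';

-- Escaped: matches only the database literally named app_prod.
GRANT INSERT ON `app\_prod`.* TO 'app'@'10.0.%';

-- Both GRANTs wrote to mysql.db; the Db column keeps the backslash for the
-- escaped form, which is how the two rows can be told apart.
SELECT Host, Db, User, Select_priv, Insert_priv
  FROM mysql.db WHERE User = 'app';

-- Review check: db rows whose Db pattern contains an unescaped _ or %,
-- i.e. database-level grants that apply to more databases than intended.
-- The regex matches a _ or % that is at the start or not preceded by '\'.
SELECT Host, Db, User
  FROM mysql.db
 WHERE Db REGEXP '(^|[^\\\\])[_%]';
```

The review query is worth running on any server whose database names contain underscores: a grant typed without the backslash is easy to miss when reading SHOW GRANTS, but it silently covers every database that matches the pattern.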
The server reads the db table into memory and sorts it at the same time that it reads the user table. The server sorts the db table based on the Host, Db, and User scope columns. As with the user table, sorting puts the most-specific values first and least-specific values last, and when the server looks for matching rows, it uses the first match that it finds.
The tables_priv, columns_priv, and procs_priv tables grant table-specific, column-specific, and routine-specific privileges. Values in the scope columns of these tables can take the following forms:
- The wildcard characters % and _ can be used in the Host column. These have the same meaning as for pattern-matching operations performed with the LIKE operator.
- A '%' or blank Host value means “any host.”
- The Db, Table_name, Column_name, and Routine_name columns cannot contain wildcards or be blank.
The server sorts the tables_priv, columns_priv, and procs_priv tables based on the Host, Db, and User columns. This is similar to db table sorting, but simpler because only the Host column can contain wildcards.
The server uses the sorted tables to verify each request that it receives. For requests that require administrative privileges such as SHUTDOWN or RELOAD, the server checks only the user and global_grants tables because those are the only tables that specify administrative privileges. The server grants access if a row for the account in those tables permits the requested operation and denies access otherwise. For example, if you want to execute mysqladmin shutdown but your user table row does not grant the SHUTDOWN privilege to you, the server denies access without even checking the db table. (The latter table contains no Shutdown_priv column, so there is no need to check it.)
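As an added example (not from the reference manual), the statements below contrast an account with a full database-level grant against one holding the global administrative privileges, and show the user table columns that Stage 2 consults for mysqladmin shutdown. The account and database names are hypothetical.

```sql
-- Added example; account and database names are hypothetical.
CREATE USER 'dev'@'localhost' IDENTIFIED BY 'replace-me';
CREATE USER 'ops'@'localhost' IDENTIFIED BY 'replace-me';

-- A full db-level grant writes a mysql.db row and leaves every *_priv
-- column of the mysql.user row at 'N'. SHUTDOWN and RELOAD are not
-- db-level privileges, so "ALL" on app.* does not include them.
GRANT ALL PRIVILEGES ON app.* TO 'dev'@'localhost';

-- Administrative privileges can only be granted on *.*.
GRANT SHUTDOWN, RELOAD ON *.* TO 'ops'@'localhost';

-- Stage 2 decides `mysqladmin shutdown` from these columns alone; the db
-- row for 'dev' is never consulted because db has no Shutdown_priv column.
SELECT Host, User, Shutdown_priv, Reload_priv
  FROM mysql.user WHERE User IN ('dev', 'ops');

-- Review check: every account that can stop the server or flush its caches.
SELECT Host, User
  FROM mysql.user
 WHERE Shutdown_priv = 'Y' OR Reload_priv = 'Y';
```

Because these privileges live only in the user row, the review query above is complete for SHUTDOWN and RELOAD; an equivalent check for dynamic administrative privileges has to read mysql.global_grants instead.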
For database-related requests (INSERT, UPDATE, and so on), the server first checks the user's global privileges in the user table row (less any privilege restrictions imposed by partial revokes). If the row permits the requested operation, access is granted. If the global privileges in the user table are insufficient, the server determines the user's database-specific privileges from the db table:
- The server looks in the db table for a match on the Host, Db, and User columns.
- The Host and User columns are matched to the connecting user's host name and MySQL user name.
- The Db column is matched to the database that the user wants to access.
- If there is no row for the Host and User, access is denied.
After determining the database-specific privileges granted by the db table rows, the server adds them to the global privileges granted by the user table. If the result permits the requested operation, access is granted. Otherwise, the server successively checks the user's table and column privileges in the tables_priv and columns_priv tables, adds those to the user's privileges, and permits or denies access based on the result. For stored-routine operations, the server uses the procs_priv table rather than tables_priv and columns_priv.
Expressed in boolean terms, the preceding description of how a user's privileges are calculated may be summarized like this:

global privileges OR database privileges OR table privileges OR column privileges OR routine privileges
It may not be apparent why, if the global privileges are initially found to be insufficient for the requested operation, the server adds those privileges to the database, table, and column privileges later. The reason is that a request might require more than one type of privilege. For example, if you execute an INSERT INTO ... SELECT statement, you need both the INSERT and the SELECT privileges. Your privileges might be such that the user table row grants one privilege globally and the db table row grants the other specifically for the relevant database. In this case, you have the necessary privileges to perform the request, but the server cannot tell that from either your global or database privileges alone. It must make an access-control decision based on the combined privileges.