GRANTpriv_type[(column_list)] [,priv_type[(column_list)]] ... ON [object_type]priv_levelTOuser_or_role[,user_or_role] ... [WITH GRANT OPTION] [ASuser[WITH ROLE DEFAULT | NONE | ALL | ALL EXCEPTrole[,role] ... |role[,role] ... ] ] } GRANT PROXY ONuser_or_roleTOuser_or_role[,user_or_role] ... [WITH GRANT OPTION] GRANTrole[,role] ... TOuser_or_role[,user_or_role] ... [WITH ADMIN OPTION]object_type: { TABLE | FUNCTION | PROCEDURE }priv_level: { * | *.* |db_name.* |db_name.tbl_name|tbl_name|db_name.routine_name}user_or_role: {user(see Section 6.2.4, “Specifying Account Names”) |role(see Section 6.2.5, “Specifying Role Names”) }
The GRANT statement assigns privileges and roles to MySQL user accounts and roles. GRANT语句向MySQL角色和帐户分配权限。There are several aspects to the GRANT statement, described under the following topics:GRANT语句包括以下几个方面:
The GRANT statement enables system administrators to grant privileges and roles, which can be granted to user accounts and roles. GRANT语句使系统管理员能够向用户帐户和角色授予权限和角色。These syntax restrictions apply:这些语法限制适用于:
GRANT cannot mix granting both privileges and roles in the same statement. 不能在同一语句中同时授予权限和角色。A given 给定的GRANT statement must grant either privileges or roles.GRANT语句必须授予权限或角色。
The ON clause distinguishes whether the statement grants privileges or roles:ON子句区分语句是否授予权限或角色:
With 使用ON, the statement grants privileges.ON时,该语句授予权限。
Without 如果不使用ON, the statement grants roles.ON,该语句将授予角色。
It is permitted to assign both privileges and roles to an account, but you must use separate 允许将权限和角色分配给帐户,但必须使用单独的GRANT statements, each with syntax appropriate to what is to be granted.GRANT语句,每个语句的语法与要授予的内容相适应。
For more information about roles, see Section 6.2.10, “Using Roles”.有关角色的更多信息,请参阅第6.2.10节,“使用角色”。
To grant a privilege with 要使用GRANT, you must have the GRANT OPTION privilege, and you must have the privileges that you are granting. GRANT授予权限,您必须具有GRANT OPTION权限,并且必须具有正在授予的权限。(Alternatively, if you have the (或者,如果您拥有UPDATE privilege for the grant tables in the mysql system schema, you can grant any account any privilege.) mysql系统架构中grant表的UPDATE权限,则可以向任何帐户授予任何权限。)When the 启用read_only system variable is enabled, GRANT additionally requires the CONNECTION_ADMIN privilege (or the deprecated SUPER privilege).read_only系统变量时,GRANT还需要CONNECTION_ADMIN权限(或不推荐使用的超级权限)。
GRANT either succeeds for all named users and roles or rolls back and has no effect if any error occurs. 对所有命名用户和角色都成功,或者回滚,如果发生任何错误,则不起作用。The statement is written to the binary log only if it succeeds for all named users and roles.只有在所有命名用户和角色都成功时,该语句才会写入二进制日志。
The REVOKE statement is related to GRANT and enables administrators to remove account privileges. REVOKE语句与GRANT相关,允许管理员删除帐户权限。See Section 13.7.1.8, “REVOKE Statement”.请参阅第13.7.1.8节,“REVOKE语句”。
Each account name uses the format described in Section 6.2.4, “Specifying Account Names”. 每个账户名称使用第6.2.4节,“指定账户名称”中描述的格式。Each role name uses the format described in Section 6.2.5, “Specifying Role Names”. 每个角色名称使用第6.2.5节,“指定角色名称”中描述的格式。For example:例如:
GRANT ALL ON db1.* TO 'jeffrey'@'localhost'; GRANT 'role1', 'role2' TO 'user1'@'localhost', 'user2'@'localhost'; GRANT SELECT ON world.* TO 'role3';
The host name part of the account or role name, if omitted, defaults to 帐户或角色名称的主机名部分(如果省略)默认为'%'.'%'。
Normally, a database administrator first uses 通常,数据库管理员首先使用CREATE USER to create an account and define its nonprivilege characteristics such as its password, whether it uses secure connections, and limits on access to server resources, then uses GRANT to define its privileges. CREATE USER创建帐户并定义其非权限特征,如密码、是否使用安全连接以及对服务器资源访问的限制,然后使用GRANT定义其权限。ALTER USER may be used to change the nonprivilege characteristics of existing accounts. For example:ALTER USER可用于更改现有帐户的非权限特征。例如:
CREATE USER 'jeffrey'@'localhost' IDENTIFIED BY 'password';
GRANT ALL ON db1.* TO 'jeffrey'@'localhost';
GRANT SELECT ON db2.invoice TO 'jeffrey'@'localhost';
ALTER USER 'jeffrey'@'localhost' WITH MAX_QUERIES_PER_HOUR 90;
From the mysql program, 在mysql程序中,成功执行时GRANT responds with Query OK, 0 rows affected when executed successfully. GRANT用Query OK, 0 rows affected响应。To determine what privileges result from the operation, use 要确定操作产生的权限,请使用SHOW GRANTS. SHOW GRANTS。See Section 13.7.7.21, “SHOW GRANTS Statement”.请参阅第13.7.7.21节,“SHOW GRANT语句”。
Under some circumstances, 在某些情况下,GRANT may be recorded in server logs or on the client side in a history file such as ~/.mysql_history, which means that cleartext passwords may be read by anyone having read access to that information. GRANT可能会记录在服务器日志中,或者在客户端的历史文件中,例如~/.mysql_history,这意味着任何有权读取该信息的人都可以读取明文密码。For information about the conditions under which this occurs for the server logs and how to control it, see Section 6.1.2.3, “Passwords and Logging”. 有关服务器日志发生这种情况的条件以及如何控制它的信息,请参阅第6.1.2.3节,“密码和日志”。For similar information about client-side logging, see Section 4.5.1.3, “mysql Client Logging”.有关客户端日志记录的类似信息,请参阅第4.5.1.3节,“mysql客户端日志记录”。
GRANT supports host names up to 255 characters long (60 characters prior to MySQL 8.0.17). 支持最多255个字符的主机名(MySQL 8.0.17之前的60个字符)。User names can be up to 32 characters. Database, table, column, and routine names can be up to 64 characters.用户名最多可包含32个字符。数据库、表、列和例程名称最多可包含64个字符。
Do not attempt to change the permissible length for user names by altering the 不要试图通过更改mysql.user system table. mysql.user系统表来更改用户名的允许长度。Doing so results in unpredictable behavior which may even make it impossible for users to log in to the MySQL server. 这样做会导致不可预测的行为,甚至可能导致用户无法登录MySQL服务器。Never alter the structure of tables in the 除非通过第2.11节,“升级mysql”中描述的过程,否则不得以任何方式更改mysql系统模式中的表结构。mysql system schema in any manner except by means of the procedure described in Section 2.11, “Upgrading MySQL”.
Several objects within GRANT statements are subject to quoting, although quoting is optional in many cases: Account, role, database, table, column, and routine names. GRANT语句中的几个对象都要使用引号,尽管引号在很多情况下是可选的:帐户、角色、数据库、表、列和例程名称。For example, if a 例如,如果帐户名中的user_name or host_name value in an account name is legal as an unquoted identifier, you need not quote it. user_name或host_name值作为未加引号的标识符是合法的,则无需加引号。However, quotation marks are necessary to specify a 但是,必须使用引号来指定包含特殊字符(例如user_name string containing special characters (such as -), or a host_name string containing special characters or wildcard characters such as % (for example, 'test-user'@'%.com'). -)的user_name字符串,或包含特殊字符或通配符%(例如'test-user'@'%.com')的host_name字符串。Quote the user name and host name separately.分别引用用户名和主机名。
To specify quoted values:要指定引用的值,请执行以下操作:
Quote database, table, column, and routine names as identifiers.引用数据库、表、列和例程名称作为标识符。
Quote user names and host names as identifiers or as strings.将用户名和主机名作为标识符或字符串引用。
Quote passwords as strings.将密码引用为字符串。
For string-quoting and identifier-quoting guidelines, see Section 9.1.1, “String Literals”, and Section 9.2, “Schema Object Names”.有关字符串引用和标识符引用指南,请参阅第9.1.1节,“字符串文字”和第9.2节,“架构对象名称”。
The 在授予数据库级别权限的_ and % wildcards are permitted when specifying database names in GRANT statements that grant privileges at the database level (GRANT ... ON ). db_name.*GRANT语句(GRANT ... ON db_name.*)中指定数据库名称时,允许使用_和%通配符。This means, for example, that to use a 这意味着,例如,要将_ character as part of a database name, specify it using the \ escape character as \_ in the GRANT statement, to prevent the user from being able to access additional databases matching the wildcard pattern (for example, GRANT ... ON `foo\_bar`.* TO ...)._字符用作数据库名称的一部分,请在GRANT语句中使用\转义字符指定它,例如\_,以防止用户访问与通配符模式匹配的其他数据库(例如,GRANT ... ON `foo\_bar`.* TO ...)。
In privilege assignments, MySQL interprets occurrences of unescaped 在权限分配中,MySQL将数据库名称中出现的未替换的_ and % SQL wildcard characters in database names as literal characters under these circumstances:_和%SQL通配符解释为以下情况下的文字字符:
When a database name is not used to grant privileges at the database level, but as a qualifier for granting privileges to some other object such as a table or routine (for example, 当数据库名称不用于在数据库级别授予权限,而是用作向其他对象(如表或例程)授予权限的限定符时(例如,在GRANT ... ON ).db_name.tbl_nameGRANT ... ON db_name.tbl_name)。
Enabling 启用partial_revokes causes MySQL to interpret unescaped _ and % wildcard characters in database names as literal characters, just as if they had been escaped as \_ and \%. partial_revokes会导致MySQL将数据库名称中未替换的_和%通配符解释为文字字符,就像它们被转义为\_和\%。Because this changes how MySQL interprets privileges, it may be advisable to avoid unescaped wildcard characters in privilege assignments for installations where 因为这会改变MySQL解释权限的方式,所以对于可能启用partial_revokes may be enabled. partial_revokes的安装,建议在权限分配中避免使用未替换的通配符。For more information, see Section 6.2.12, “Privilege Restriction Using Partial Revokes”.有关更多信息,请参阅第6.2.12节,“使用部分撤销的权限限制”。
A user value in a GRANT statement indicates a MySQL account to which the statement applies. GRANT语句中的user值表示该语句所应用的MySQL帐户。To accommodate granting rights to users from arbitrary hosts, MySQL supports specifying the 为了向来自任意主机的用户授予权限,MySQL支持以user value in the form '.user_name'@'host_name''user_name'@'host_name'的形式指定user值。
You can specify wildcards in the host name. 可以在主机名中指定通配符。For example, 例如,' applies to user_name'@'%.example.com'user_name for any host in the example.com domain, and ' applies to user_name'@'198.51.100.%'user_name for any host in the 198.51.100 class C subnet.'user_name'@'%examplecom'适用于example.com域中任何主机的user_name,而'user_name'@'198.51.100.%适用于198.51.100 C类子网中任何主机的用户名。
The simple form 简单形式的' is a synonym for user_name''.user_name'@'%''user_name'是'user_name'@'%'的同义词。
MySQL does not support wildcards in user names. MySQL不支持用户名中的通配符。To refer to an anonymous user, specify an account with an empty user name with the 要引用匿名用户,请使用GRANT statement:GRANT语句指定用户名为空的帐户:
GRANT ALL ON test.* TO ''@'localhost' ...;
In this case, any user who connects from the local host with the correct password for the anonymous user is permitted access, with the privileges associated with the anonymous-user account.在这种情况下,任何使用匿名用户的正确密码从本地主机连接的用户都可以使用与匿名用户帐户相关联的权限进行访问。
For additional information about user name and host name values in account names, see Section 6.2.4, “Specifying Account Names”.有关帐户名中用户名和主机名值的更多信息,请参阅第6.2.4节,“指定帐户名”。
If you permit local anonymous users to connect to the MySQL server, you should also grant privileges to all local users as 如果您允许本地匿名用户连接到MySQL服务器,您还应该以'. user_name'@'localhost''user_name'@'localhost'的身份向所有本地用户授予权限。Otherwise, the anonymous user account for 否则,当命名用户试图从本地计算机登录MySQL服务器时,将使用localhost in the mysql.user system table is used when named users try to log in to the MySQL server from the local machine. mysql.user系统表中localhost的匿名用户帐户。For details, see Section 6.2.6, “Access Control, Stage 1: Connection Verification”.有关详细信息,请参阅第6.2.6节,“访问控制,第1阶段:连接验证”。
To determine whether this issue applies to you, execute the following query, which lists any anonymous users:要确定此问题是否适用于您,请执行以下查询,其中列出了所有匿名用户:
SELECT Host, User FROM mysql.user WHERE User='';
To avoid the problem just described, delete the local anonymous user account using this statement:要避免上述问题,请使用以下语句删除本地匿名用户帐户:
DROP USER ''@'localhost';
The following tables summarize the permissible static and dynamic 下表总结了可为priv_type privilege types that can be specified for the GRANT and REVOKE statements, and the levels at which each privilege can be granted. GRANT和REVOKE语句指定的允许静态和动态priv_type权限类型,以及可授予每个权限的级别。For additional information about each privilege, see Section 6.2.2, “Privileges Provided by MySQL”. 有关每个权限的更多信息,请参阅第6.2.2节,“MySQL提供的权限”。For information about the differences between static and dynamic privileges, see Static Versus Dynamic Privileges.有关静态权限和动态权限之间差异的信息,请参阅静态权限和动态权限。
Table 13.11 Permissible Static Privileges for GRANT and REVOKE允许GRANT和REVOKE的静态权限
ALL [PRIVILEGES] | GRANT OPTION and PROXY.GRANT OPTION和PROXY之外的所有权限。 |
ALTER | ALTER TABLE. Levels: Global, database, table.ALTER TABLE的使用。级别:全局、数据库、表。 |
ALTER ROUTINE | |
CREATE | |
CREATE ROLE | |
CREATE ROUTINE | |
CREATE TABLESPACE | |
CREATE TEMPORARY TABLES | CREATE TEMPORARY TABLE. Levels: Global, database.CREATE TEMPORARY TABLE。级别:全局、数据库。 |
CREATE USER | CREATE USER, DROP USER, RENAME USER, and REVOKE ALL PRIVILEGES. CREATE USER、DROP USER、RENAME USER和REVOKE ALL PRIVILEGES。 |
CREATE VIEW | |
DELETE | DELETE. Level: Global, database, table.DELETE。级别:全局、数据库、表。 |
DROP | |
DROP ROLE | |
EVENT | |
EXECUTE | |
FILE | |
GRANT OPTION | |
INDEX | |
INSERT | INSERT. INSERT的使用。 |
LOCK TABLES | LOCK TABLES on tables for which you have the SELECT privilege. SELECT权限的表上启用LOCK TABLES。 |
PROCESS | SHOW PROCESSLIST. SHOW PROCESSLIST查看所有进程。 |
PROXY | |
REFERENCES | |
RELOAD | FLUSH operations. FLUSH操作的使用。 |
REPLICATION CLIENT | |
REPLICATION SLAVE | |
SELECT | SELECT. Levels: Global, database, table, column.SELECT的使用。级别:全局、数据库、表、列。 |
SHOW DATABASES | SHOW DATABASES to show all databases. SHOW DATABASES以显示所有数据库。 |
SHOW VIEW | SHOW CREATE VIEW. SHOW CREATE VIEW的使用。 |
SHUTDOWN | mysqladmin shutdown的使用。 |
SUPER | CHANGE REPLICATION SOURCE TO, CHANGE MASTER TO, KILL, PURGE BINARY LOGS, SET GLOBAL, and mysqladmin debug command. CHANGE REPLICATION SOURCE TO、CHANGE MASTER TO、KILL、PURGE BINARY LOGS、SET GLOBAL和mysqladmin debug命令。 |
TRIGGER | |
UPDATE | UPDATE. Levels: Global, database, table, column.UPDATE的使用。级别:全局、数据库、表、列。 |
USAGE |
Table 13.12 Permissible Dynamic Privileges for GRANT and REVOKE允许GRANT和REVOKE的动态权限
APPLICATION_PASSWORD_ADMIN | |
AUDIT_ADMIN | |
BACKUP_ADMIN | |
BINLOG_ADMIN | |
BINLOG_ENCRYPTION_ADMIN | |
CLONE_ADMIN | |
CONNECTION_ADMIN | |
ENCRYPTION_KEY_ADMIN | InnoDB key rotation. Level: Global.InnoDB键旋转。级别:全局。 |
FIREWALL_ADMIN | |
FIREWALL_EXEMPT | |
FIREWALL_USER | |
FLUSH_OPTIMIZER_COSTS | |
FLUSH_STATUS | |
FLUSH_TABLES | |
FLUSH_USER_RESOURCES | |
GROUP_REPLICATION_ADMIN | |
INNODB_REDO_LOG_ENABLE | |
INNODB_REDO_LOG_ARCHIVE | |
NDB_STORED_USER | |
PERSIST_RO_VARIABLES_ADMIN | |
REPLICATION_APPLIER | PRIVILEGE_CHECKS_USER for a replication channel. Level: Global.PRIVILEGE_CHECKS_USER的复制通道。级别:全局。 |
REPLICATION_SLAVE_ADMIN | |
RESOURCE_GROUP_ADMIN | |
RESOURCE_GROUP_USER | |
ROLE_ADMIN | WITH ADMIN OPTION. Level: Global.WITH ADMIN OPTION。级别:全局。 |
SESSION_VARIABLES_ADMIN | |
SET_USER_ID | DEFINER values. Level: Global.DEFINER值。级别:全局。 |
SHOW_ROUTINE | |
SYSTEM_USER | |
SYSTEM_VARIABLES_ADMIN | |
TABLE_ENCRYPTION_ADMIN | |
VERSION_TOKEN_ADMIN | |
XA_RECOVER_ADMIN | XA RECOVER execution. Level: Global.XA RECOVER执行。级别:全局。 |
A trigger is associated with a table. 触发器与表相关联。To create or drop a trigger, you must have the 要创建或删除触发器,必须具有表的TRIGGER privilege for the table, not the trigger.TRIGGER权限,而不是触发器。
In 在GRANT statements, the ALL [PRIVILEGES] or PROXY privilege must be named by itself and cannot be specified along with other privileges. GRANT语句中,ALL[PRIVILEGES]或PROXY权限必须单独命名,不能与其他权限一起指定。ALL [PRIVILEGES] stands for all privileges available for the level at which privileges are to be granted except for the GRANT OPTION and PROXY privileges.ALL[PRIVILEGES]代表除GRANT OPTION和PROXY权限外,授予权限级别的所有可用权限。
MySQL account information is stored in the tables of the MySQL帐户信息存储在mysql system schema. mysql系统模式的表中。For additional details, consult Section 6.2, “Access Control and Account Management”, which discusses the 有关更多详细信息,请参阅第6.2节,“访问控制和帐户管理”,其中详细讨论了mysql system schema and the access control system extensively.mysql系统模式和访问控制系统。
If the grant tables hold privilege rows that contain mixed-case database or table names and the 如果grant表包含包含大小写混合的数据库或表名的权限行,并且lower_case_table_names system variable is set to a nonzero value, REVOKE cannot be used to revoke these privileges. lower_case_table_names系统变量设置为非零值,则REVOKE不能用于撤销这些权限。It is necessary in such cases to manipulate the grant tables directly. 在这种情况下,有必要直接操纵拨款表。((GRANT does not create such rows when lower_case_table_names is set, but such rows might have been created prior to setting that variable. GRANT在设置lower_case_table_names时不会创建此类行,但此类行可能是在设置该变量之前创建的。)。The lower_case_table_names setting can only be configured at server startup.)lower_case_table_names设置只能在服务器启动时配置。)
Privileges can be granted at several levels, depending on the syntax used for the 根据ON clause. ON子句使用的语法,可以在多个级别授予权限。For 对于REVOKE, the same ON syntax specifies which privileges to remove.REVOKE,相同的ON语法指定要删除的权限。
For the global, database, table, and routine levels, 对于全局、数据库、表和例程级别,GRANT ALL assigns only the privileges that exist at the level you are granting. GRANT ALL仅分配您正在授予的级别上存在的权限。For example, 例如,GRANT ALL ON is a database-level statement, so it does not grant any global-only privileges such as db_name.*FILE. GRANT ALL ON db_name.*是数据库级别的语句,因此它不授予任何仅限全局的权限,例如FILE。Granting 授予ALL does not assign the GRANT OPTION or PROXY privilege.ALL不会分配GRANT OPTION或PROXY权限。
The 当以下对象是表、存储函数或存储过程时,如果存在object_type clause, if present, should be specified as TABLE, FUNCTION, or PROCEDURE when the following object is a table, a stored function, or a stored procedure.object_type子句,则应将其指定为TABLE、FUNCTION或PROCEDURE。
The privileges that a user holds for a database, table, column, or routine are formed additively as the logical 用户对数据库、表、列或例程所拥有的权限,在每个权限级别(包括全局级别)上作为帐户权限的逻辑OR of the account privileges at each of the privilege levels, including the global level. OR相加而形成。It is not possible to deny a privilege granted at a higher level by absence of that privilege at a lower level. 不可能因为在较低级别没有权限而拒绝在较高级别授予的权限。For example, this statement grants the 例如,此语句全局授予SELECT and INSERT privileges globally:SELECT和INSERT权限:
GRANT SELECT, INSERT ON *.* TO u1;
The globally granted privileges apply to all databases, tables, and columns, even though not granted at any of those lower levels.全局授予的权限适用于所有数据库、表和列,即使在这些较低级别中没有授予。
As of MySQL 8.0.16, it is possible to explicitly deny a privilege granted at the global level by revoking it for particular databases, if the 从MySQL 8.0.16开始,如果启用了partial_revokes system variable is enabled:partial_revokes系统变量,则可以通过撤销特定数据库的权限来明确拒绝在全局级别授予的权限:
GRANT SELECT, INSERT, UPDATE ON *.* TO u1; REVOKE INSERT, UPDATE ON db1.* FROM u1;
The result of the preceding statements is that 前面语句的结果是SELECT applies globally to all tables, whereas INSERT and UPDATE apply globally except to tables in db1. SELECT全局应用于所有表,而INSERT和UPDATE全局应用于db1中的表除外。Account access to 对db1 is read only.db1的帐户访问是只读的。
Details of the privilege-checking procedure are presented in Section 6.2.7, “Access Control, Stage 2: Request Verification”.权限检查程序的详细信息见第6.2.7节,“访问控制,第2阶段:请求验证”。
If you are using table, column, or routine privileges for even one user, the server examines table, column, and routine privileges for all users and this slows down MySQL a bit. 如果您对一个用户使用表、列或例程权限,服务器会检查所有用户的表、列和例程权限,这会使MySQL的速度降低一点。Similarly, if you limit the number of queries, updates, or connections for any users, the server must monitor these values.同样,如果限制任何用户的查询、更新或连接数量,服务器必须监视这些值。
MySQL enables you to grant privileges on databases or tables that do not exist. MySQL允许您对不存在的数据库或表授予权限。For tables, the privileges to be granted must include the 对于表,要授予的权限必须包括CREATE privilege. CREATE权限。This behavior is by design, and is intended to enable the database administrator to prepare user accounts and privileges for databases or tables that are to be created at a later time.这种行为是经过设计的,旨在使数据库管理员能够为以后创建的数据库或表准备用户帐户和权限。
MySQL does not automatically revoke any privileges when you drop a database or table当您删除数据库或表时,MySQL不会自动撤销任何权限. However, if you drop a routine, any routine-level privileges granted for that routine are revoked.但是,如果删除某个例程,则为该例程授予的任何例程级别权限都将被撤销。
Global privileges are administrative or apply to all databases on a given server. 全局权限是管理权限,或应用于给定服务器上的所有数据库。To assign global privileges, use 要分配全局权限,请作用ON *.* syntax:ON *.*语法:
GRANT ALL ON *.* TO 'someuser'@'somehost'; GRANT SELECT, INSERT ON *.* TO 'someuser'@'somehost';
The CREATE TABLESPACE, CREATE USER, FILE, PROCESS, RELOAD, REPLICATION CLIENT, REPLICATION SLAVE, SHOW DATABASES, SHUTDOWN, and SUPER static privileges are administrative and can only be granted globally.CREATE TABLESPACE、CREATE USER、FILE、PROCESS、RELOAD、REPLICATION CLIENT、REPLICATION SLAVE、SHOW DATABASES、SHUTDOWN和SUPER静态权限是管理权限,只能全局授予。
Dynamic privileges are all global and can only be granted globally.动态权限都是全局权限,只能全局授予。
Other privileges can be granted globally or at more specific levels.其他权限可以全局授予,也可以在更具体的级别授予。
The effect of 在全局级别授予的GRANT OPTION granted at the global level differs for static and dynamic privileges:GRANT OPTION对静态和动态权限的影响不同:
GRANT OPTION granted for any static global privilege applies to all static global privileges.授予任何静态全局权限适用于所有静态全局权限。
GRANT OPTION granted for any dynamic privilege applies only to that dynamic privilege.为任何动态权限授予的权限仅适用于该动态权限。
GRANT ALL at the global level grants all static global privileges and all currently registered dynamic privileges. GRANT ALL在全局级别授予所有静态全局权限和所有当前注册的动态权限。A dynamic privilege registered subsequent to execution of the 在执行GRANT statement is not granted retroactively to any account.GRANT语句后注册的动态权限不会追溯到任何帐户。
MySQL stores global privileges in the MySQL在mysql.user system table.mysql.user系统表中存储全局权限。
Database privileges apply to all objects in a given database. 数据库权限应用于给定数据库中的所有对象。To assign database-level privileges, use 要分配数据库级权限,请使用ON syntax:db_name.*ON db_name.*语法:
GRANT ALL ON mydb.* TO 'someuser'@'somehost'; GRANT SELECT, INSERT ON mydb.* TO 'someuser'@'somehost';
If you use 如果使用ON * syntax (rather than ON *.*), privileges are assigned at the database level for the default database. ON *语法(而不是ON *.*),则会在数据库级别为默认数据库分配权限。An error occurs if there is no default database.如果没有默认数据库,则会发生错误。
The 可以在数据库级别指定CREATE, DROP, EVENT, GRANT OPTION, LOCK TABLES, and REFERENCES privileges can be specified at the database level. CREATE、DROP、EVENT、GRANT OPTION、LOCK TABLE和REFERENCES权限。Table or routine privileges also can be specified at the database level, in which case they apply to all tables or routines in the database.表或例程权限也可以在数据库级别指定,在这种情况下,它们适用于数据库中的所有表或例程。
MySQL stores database privileges in the MySQL在mysql.db system table.mysql.db系统表中存储数据库权限。
Table privileges apply to all columns in a given table. 表权限适用于给定表中的所有列。To assign table-level privileges, use 要分配表级权限,请使用ON syntax:db_name.tbl_nameON db_name.tbl_name语法:
GRANT ALL ON mydb.mytbl TO 'someuser'@'somehost'; GRANT SELECT, INSERT ON mydb.mytbl TO 'someuser'@'somehost';
If you specify 如果指定tbl_name rather than db_name.tbl_name, the statement applies to tbl_name in the default database. tbl_name而不是db_name.tbl_name,则该语句应用于默认数据库中的tbl_name。An error occurs if there is no default database.如果没有默认数据库,则会发生错误。
The permissible priv_type values at the table level are ALTER, CREATE VIEW, CREATE, DELETE, DROP, GRANT OPTION, INDEX, INSERT, REFERENCES, SELECT, SHOW VIEW, TRIGGER, and UPDATE.
Table-level privileges apply to base tables and views. 表级权限适用于基本表和视图。They do not apply to tables created with 它们不适用于使用CREATE TEMPORARY TABLE, even if the table names match. CREATE TEMPORARY TABLE创建的表,即使表名匹配。For information about 有关TEMPORARY table privileges, see Section 13.1.20.2, “CREATE TEMPORARY TABLE Statement”.TEMPORARY表权限的信息,请参阅第13.1.20.2节,“CREATE TEMPORARY TABLE语句”。
MySQL stores table privileges in the MySQL在mysql.tables_priv system table.mysql.tables_priv系统表中存储表权限。
Column privileges apply to single columns in a given table. 列权限应用于给定表中的单个列。Each privilege to be granted at the column level must be followed by the column or columns, enclosed within parentheses.在列级别授予的每个权限后面必须跟有一列或多列,并用括号括起来。
GRANT SELECT (col1), INSERT (col1, col2) ON mydb.mytbl TO 'someuser'@'somehost';
The permissible priv_type values for a column (that is, when you use a column_list clause) are INSERT, REFERENCES, SELECT, and UPDATE.
MySQL stores column privileges in the MySQL在mysql.columns_priv system table.mysql.columns_priv系统表中存储列权限。
The ALTER ROUTINE, CREATE ROUTINE, EXECUTE, and GRANT OPTION privileges apply to stored routines (procedures and functions). They can be granted at the global and database levels. 它们可以在全球和数据库级别授予。Except for 除了CREATE ROUTINE, these privileges can be granted at the routine level for individual routines.CREATE ROUTINE之外,可以在例程级别为单个例程授予这些权限。
GRANT CREATE ROUTINE ON mydb.* TO 'someuser'@'somehost'; GRANT EXECUTE ON PROCEDURE mydb.myproc TO 'someuser'@'somehost';
The permissible 例程级别允许的priv_type values at the routine level are ALTER ROUTINE, EXECUTE, and GRANT OPTION. priv_type值是ALTER ROUTINE、EXECUTE和GRANT OPTION。CREATE ROUTINE is not a routine-level privilege because you must have the privilege at the global or database level to create a routine in the first place.CREATE ROUTINE不是例程级别的权限,因为您首先必须拥有全局或数据库级别的权限才能创建例程。
MySQL stores routine-level privileges in the MySQL在mysql.procs_priv system table.mysql.procs_priv系统表中存储常规级别的权限。
The PROXY privilege enables one user to be a proxy for another. PROXY权限允许一个用户成为另一个用户的代理。The proxy user impersonates or takes the identity of the proxied user; that is, it assumes the privileges of the proxied user.代理用户模仿或获取代理用户的身份;也就是说,它具有代理用户的权限。
GRANT PROXY ON 'localuser'@'localhost' TO 'externaluser'@'somehost';
When PROXY is granted, it must be the only privilege named in the GRANT statement, and the only permitted WITH option is WITH GRANT OPTION.
Proxying requires that the proxy user authenticate through a plugin that returns the name of the proxied user to the server when the proxy user connects, and that the proxy user have the 代理需要代理用户通过插件进行身份验证,该插件在代理用户连接时将代理用户的名称返回给服务器,并且代理用户拥有代理用户的PROXY privilege for the proxied user. PROXY权限。For details and examples, see Section 6.2.18, “Proxy Users”.有关详细信息和示例,请参阅第6.2.18节,“代理用户”。
MySQL stores proxy privileges in the MySQL将代理权限存储在mysql.proxies_priv system table.mysql.proxies_priv系统表中。
GRANT syntax without an ON clause grants roles rather than individual privileges. GRANT语法(不带ON子句)授予角色而不是个人权限。A role is a named collection of privileges; see Section 6.2.10, “Using Roles”. 角色是一个命名的权限集合;参见第6.2.10节,“使用角色”。For example:例如:
GRANT 'role1', 'role2' TO 'user1'@'localhost', 'user2'@'localhost';
Each role to be granted must exist, as well as each user account or role to which it is to be granted. 要授予的每个角色以及要授予的每个用户帐户或角色都必须存在。As of MySQL 8.0.16, roles cannot be granted to anonymous users.从MySQL 8.0.16开始,角色不能授予匿名用户。
Granting a role does not automatically cause the role to be active. 授予角色不会自动导致该角色处于活动状态。For information about role activation and inactivation, see Activating Roles.有关角色激活和停用的信息,请参阅激活角色。
These privileges are required to grant roles:授予角色需要以下权限:
If you have the ROLE_ADMIN privilege (or the deprecated SUPER privilege), you can grant or revoke any role to users or roles.
If you were granted a role with a 如果您被授予一个包含GRANT statement that includes the WITH ADMIN OPTION clause, you become able to grant that role to other users or roles, or revoke it from other users or roles, as long as the role is active at such time as you subsequently grant or revoke it. WITH ADMIN OPTION子句的GRANT语句的角色,则您可以将该角色授予其他用户或角色,或从其他用户或角色撤销该角色,只要该角色在您随后授予或撤销该角色时处于活动状态。This includes the ability to use 这包括WITH ADMIN OPTION itself.WITH ADMIN OPTION本身一起使用的功能。
To grant a role that has the SYSTEM_USER privilege, you must have the SYSTEM_USER privilege.
It is possible to create circular references with 可以使用GRANT. GRANT创建循环引用。For example:例如:
CREATE USER 'u1', 'u2'; CREATE ROLE 'r1', 'r2'; GRANT 'u1' TO 'u1'; -- simple loop: u1 => u1 GRANT 'r1' TO 'r1'; -- simple loop: r1 => r1 GRANT 'r2' TO 'u2'; GRANT 'u2' TO 'r2'; -- mixed user/role loop: u2 => r2 => u2
Circular grant references are permitted but add no new privileges or roles to the grantee because a user or role already has its privileges and roles.允许循环授予引用,但不向被授予者添加新的权限或角色,因为用户或角色已具有其权限和角色。
As of MySQL 8.0.16, 从MySQL 8.0.16开始,GRANT has an AS clause that specifies additional information about the privilege context to use for statement execution. user [WITH ROLE]GRANT有一个As user [WITH ROLE]子句,它指定了有关用于语句执行的特权上下文的附加信息。This syntax is visible at the SQL level, although its primary purpose is to enable uniform replication across all nodes of grantor privilege restrictions imposed by partial revokes, by causing those restrictions to appear in the binary log. 这种语法在SQL级别是可见的,尽管它的主要目的是通过在二进制日志中显示由部分撤销施加的授予者权限限制,从而在所有Node之间实现一致性复制。For information about partial revokes, see Section 6.2.12, “Privilege Restriction Using Partial Revokes”.有关部分撤销的信息,请参阅第6.2.12节,“使用部分撤销的权限限制”。
When the 当指定AS clause is specified, statement execution takes into account any privilege restrictions associated with the named user, including all roles specified by userWITH ROLE, if present. AS user子句时,语句执行会考虑与命名用户关联的任何特权限制,包括WITH ROLE指定的所有角色(如果存在)。The result is that the privileges actually granted by the statement may be reduced relative to those specified.结果是,与指定的权限相比,语句实际授予的权限可能会减少。
These conditions apply to the 这些条件适用于AS clause:userAS user子句:
AS has an effect only when the named user has privilege restrictions (which implies that the partial_revokes system variable is enabled).AS仅在命名partial_revokes系统变量)。
If 如果指定了WITH ROLE is given, all roles named must be granted to the named user.WITH ROLE,则必须将所有命名角色授予命名user。
The named 命名user should be a MySQL account specified as ', user_name'@'host_name'CURRENT_USER, or CURRENT_USER(). user应该是指定为'user_name'@'host_name'、CURRENT_USER或CURRENT_USER()的MySQL帐户。The current user may be named together with 当前用户可以用WITH ROLE for the case that the executing user wants GRANT to execute with a set of roles applied that may differ from the roles active within the current session.WITH ROLE一起命名,以防执行用户希望GRANT执行一组应用的角色,这些角色可能不同于当前会话中活动的角色。
AS cannot be used to gain privileges not possessed by the user who executes the GRANT statement. AS不能用于获得执行GRANT语句的用户未拥有的权限。The executing user must have at least the privileges to be granted, but the 执行用户必须至少具有要授予的权限,但AS clause can only restrict the privileges granted, not escalate them.AS子句只能限制授予的权限,而不能将其升级。
With respect to the privileges to be granted, 关于要授予的权限,AS cannot specify a user/role combination that has more privileges (fewer restrictions) than the user who executes the GRANT statement. AS不能指定比执行GRANT语句的用户拥有更多权限(更少限制)的用户/角色组合。The 允许AS user/role combination is permitted to have more privileges than the executing user, but only if the statement does not grant those additional privileges.AS用户/角色组合拥有比执行用户更多的权限,但前提是该语句不授予这些额外权限。
AS is supported only for granting global privileges (ON *.*).S仅在授予全局权限时受支持(ON *.*)。
AS is not supported for PROXY grants.PROXY授权不支持AS。
The following example illustrates the effect of the 下面的示例说明了AS clause. AS子句的效果。Create a user 创建具有某些全局权限以及这些权限限制的用户u1 that has some global privileges, as well as restrictions on those privileges:u1:
CREATE USER u1; GRANT SELECT, INSERT, UPDATE, DELETE ON *.* TO u1; REVOKE INSERT, UPDATE ON schema1.* FROM u1; REVOKE SELECT ON schema2.* FROM u1;
Also create a role 还可以创建一个角色r1 that lifts some of the privilege restrictions and grant the role to u1:r1,解除一些权限限制,并将该角色授予u1:
CREATE ROLE r1; GRANT INSERT ON schema1.* TO r1; GRANT SELECT ON schema2.* TO r1; GRANT r1 TO u1;
Now, using an account that has no privilege restrictions of its own, grant to multiple users the same set of global privileges, but each with different restrictions imposed by the 现在,使用一个本身没有权限限制的帐户,向多个用户授予相同的全局权限集,但每个用户都有AS clause, and check which privileges are actually granted.AS子句施加的不同限制,并检查实际授予了哪些权限。
The 此处的GRANT statement here has no AS clause, so the privileges granted are exactly those specified:GRANT语句没有AS子句,因此授予的权限与指定的权限完全相同:
mysql>CREATE USER u2;mysql>GRANT SELECT, INSERT, UPDATE ON *.* TO u2;mysql>SHOW GRANTS FOR u2;+-------------------------------------------------+ | Grants for u2@% | +-------------------------------------------------+ | GRANT SELECT, INSERT, UPDATE ON *.* TO `u2`@`%` | +-------------------------------------------------+
The 此处的GRANT statement here has an AS clause, so the privileges granted are those specified but with the restrictions from u1 applied:GRANT语句有一个AS子句,因此授予的权限是指定的权限,但应用了u1的限制:
mysql>CREATE USER u3;mysql>GRANT SELECT, INSERT, UPDATE ON *.* TO u3 AS u1;mysql>SHOW GRANTS FOR u3;+----------------------------------------------------+ | Grants for u3@% | +----------------------------------------------------+ | GRANT SELECT, INSERT, UPDATE ON *.* TO `u3`@`%` | | REVOKE INSERT, UPDATE ON `schema1`.* FROM `u3`@`%` | | REVOKE SELECT ON `schema2`.* FROM `u3`@`%` | +----------------------------------------------------+
As mentioned previously, the 如前所述,AS clause can only add privilege restrictions; it cannot escalate privileges. AS子句只能添加权限限制;它不能升级权限。Thus, although 因此,尽管u1 has the DELETE privilege, that is not included in the privileges granted because the statement does not specify granting DELETE.u1具有DELETE权限,但由于语句未指定授予DELETE,因此该权限不包括在授予的权限中。
The 此处AS clause for the GRANT statement here makes the role r1 active for u1. GRANT语句的AS子句使角色r1对u1处于活动状态。That role lifts some of the restrictions on 这一角色解除了对u1. u1的一些限制。Consequently, the privileges granted have some restrictions, but not so many as for the previous 因此,授予的权限有一些限制,但没有上一次GRANT statement:GRANT语句的限制那么多:
mysql>CREATE USER u4;mysql>GRANT SELECT, INSERT, UPDATE ON *.* TO u4 AS u1 WITH ROLE r1;mysql>SHOW GRANTS FOR u4;+-------------------------------------------------+ | Grants for u4@% | +-------------------------------------------------+ | GRANT SELECT, INSERT, UPDATE ON *.* TO `u4`@`%` | | REVOKE UPDATE ON `schema1`.* FROM `u4`@`%` | +-------------------------------------------------+
If a 如果GRANT statement includes an AS clause, privilege restrictions on the user who executes the statement are ignored (rather than applied as they would be in the absence of an userAS clause).GRANT语句包含AS user子句,则对执行该语句的用户的权限限制将被忽略(而不是在没有AS子句的情况下应用)。
The optional 可选WITH clause is used to enable a user to grant privileges to other users. WITH子句用于允许用户向其他用户授予权限。The WITH GRANT OPTION clause gives the user the ability to give to other users any privileges the user has at the specified privilege level.WITH GRANT OPTION子句允许用户将其在指定权限级别上拥有的任何权限授予其他用户。
To grant the 要向帐户授予GRANT OPTION privilege to an account without otherwise changing its privileges, do this:GRANT OPTION权限而不更改其权限,请执行以下操作:
GRANT USAGE ON *.* TO 'someuser'@'somehost' WITH GRANT OPTION;
Be careful to whom you give the 请注意您授予授予GRANT OPTION privilege because two users with different privileges may be able to combine privileges!GRANT OPTION权限的用户,因为两个具有不同权限的用户可能可以组合权限!
You cannot grant another user a privilege which you yourself do not have; the 你不能授予其他用户你自己没有的权限;GRANT OPTION privilege enables you to assign only those privileges which you yourself possess.GRANT OPTION权限允许您仅分配自己拥有的权限。
Be aware that when you grant a user the 请注意,当您在特定权限级别授予用户GRANT OPTION privilege at a particular privilege level, any privileges the user possesses (or may be given in the future) at that level can also be granted by that user to other users. GRANT OPTION权限时,该用户在该级别拥有(或将来可能授予)的任何权限也可以由该用户授予其他用户。Suppose that you grant a user the 假设您授予用户对数据库的INSERT privilege on a database. INSERT权限。If you then grant the 如果随后对数据库授予SELECT privilege on the database and specify WITH GRANT OPTION, that user can give to other users not only the SELECT privilege, but also INSERT. SELECT权限,并指定WITH GRANT OPTION,则该用户不仅可以将SELECT权限授予其他用户,还可以将INSERT权限授予其他用户。If you then grant the 如果随后向数据库上的用户授予UPDATE privilege to the user on the database, the user can grant INSERT, SELECT, and UPDATE.UPDATE权限,则用户可以授予INSERT、SELECT和UPDATE权限。
For a nonadministrative user, you should not grant the 对于非管理用户,不应全局或为ALTER privilege globally or for the mysql system schema. mysql系统架构授予ALTER权限。If you do that, the user can try to subvert the privilege system by renaming tables!如果这样做,用户可以尝试通过重命名表来颠覆权限系统!
For additional information about security risks associated with particular privileges, see Section 6.2.2, “Privileges Provided by MySQL”.有关与特定权限相关的安全风险的更多信息,请参阅第6.2.2节,“MySQL提供的权限”。
The biggest differences between the MySQL and standard SQL versions of MySQL和GRANT are:GRANT的标准SQL版本之间最大的区别是:
MySQL associates privileges with the combination of a host name and user name and not with only a user name.MySQL将权限与主机名和用户名相结合,而不仅仅是用户名。
Standard SQL does not have global or database-level privileges, nor does it support all the privilege types that MySQL supports.标准SQL没有全局或数据库级别的权限,也不支持MySQL支持的所有权限类型。
MySQL does not support the standard SQL MySQL不支持标准SQLUNDER privilege.UNDER权限。
Standard SQL privileges are structured in a hierarchical manner. 标准SQL权限是以分层方式构造的。If you remove a user, all privileges the user has been granted are revoked. 如果删除用户,则该用户已被授予的所有权限都将被撤销。This is also true in MySQL if you use 如果使用DROP USER. DROP USER,MySQL中也是如此。See Section 13.7.1.5, “DROP USER Statement”.参见第13.7.1.5节,“DROP USER语句”。
In standard SQL, when you drop a table, all privileges for the table are revoked. 在标准SQL中,当您删除一个表时,该表的所有权限都将被撤销。In standard SQL, when you revoke a privilege, all privileges that were granted based on that privilege are also revoked. 在标准SQL中,当您撤销权限时,基于该权限授予的所有权限也将被撤销。In MySQL, privileges can be dropped with DROP USER or REVOKE statements.
In MySQL, it is possible to have the 在MySQL中,可以只对表中的某些列拥有INSERT privilege for only some of the columns in a table. INSERT权限。In this case, you can still execute 在这种情况下,您仍然可以在表上执行INSERT statements on the table, provided that you insert values only for those columns for which you have the INSERT privilege. INSERT语句,前提是只为具有INSERT权限的列插入值。The omitted columns are set to their implicit default values if strict SQL mode is not enabled. 如果未启用严格SQL模式,则省略的列将设置为其隐式默认值。In strict mode, the statement is rejected if any of the omitted columns have no default value. 在严格模式下,如果省略的任何列没有默认值,则该语句将被拒绝。(Standard SQL requires you to have the (标准SQL要求您对所有列都具有INSERT privilege on all columns.) INSERT权限。)For information about strict SQL mode and implicit default values, see Section 5.1.11, “Server SQL Modes”, and Section 11.6, “Data Type Default Values”.有关严格SQL模式和隐式默认值的信息,请参阅第5.1.11节,“服务器SQL模式”和第11.6节,“数据类型默认值”。