MySQL8 基于角色的權(quán)限管理

MySQL8新增了角色(role)的概念,使賬號(hào)權(quán)限的管理,更加靈活方便。所謂角色,就是一些權(quán)限的集合。然后再把該集合授權(quán)給某個(gè)賬戶(往往是某一批賬戶,因?yàn)橘~號(hào)會(huì)綁定IP,不同的IP,雖然賬號(hào)名相同被視為不同賬號(hào)),這樣當(dāng)我們需要對(duì)這些賬號(hào)減少或增加權(quán)限時(shí),只需要修改權(quán)限集合(role)即可,不用單個(gè)賬號(hào)多次修改。這確實(shí)使DBA的運(yùn)維輕松了不少。

下面我們看下role是如何使用的。

創(chuàng)建角色

比如開發(fā)環(huán)境賬戶需要某庫的所有權(quán)限,生產(chǎn)環(huán)境賬號(hào)往往需要增刪改查這些權(quán)限,我們可以單獨(dú)為這些權(quán)限建一個(gè)role.如果有讀寫分離,還可以建兩個(gè)讀和寫的role。


create role 'app_dev','app_read','app_write';

mysql8[(none)]>show grants for 'app_dev';

+-------------------------------------+

| Grants for app_dev@%                |

+-------------------------------------+

| GRANT USAGE ON *.* TO `app_dev`@`%` |

+-------------------------------------+

創(chuàng)建角色時(shí)同樣可以綁定Host(默認(rèn)%), 即角色名分為name + host兩部分,這和賬號(hào)沒有什么區(qū)別。

同樣創(chuàng)建的角色也和賬號(hào)一樣保存在mysql.user表中。通過查詢此表可以看到角色的信息:


mysql8[(none)]>select * from mysql.user;

+-----------+------------------+-------------+-------------+-------------+-------------+-------------+-----------+-------------+---------------+--------------+-----------+------------+-----------------+------------+------------+--------------+------------+-----------------------+------------------+--------------+-----------------+------------------+------------------+----------------+---------------------+--------------------+------------------+------------+--------------+------------------------+----------+------------+-------------+--------------+---------------+-------------+-----------------+----------------------+-----------------------+------------------------------------------------------------------------+------------------+-----------------------+-------------------+----------------+------------------+----------------+------------------------+---------------------+

| Host      | User            | Select_priv | Insert_priv | Update_priv | Delete_priv | Create_priv | Drop_priv | Reload_priv | Shutdown_priv | Process_priv | File_priv | Grant_priv | References_priv | Index_priv | Alter_priv | Show_db_priv | Super_priv | Create_tmp_table_priv | Lock_tables_priv | Execute_priv | Repl_slave_priv | Repl_client_priv | Create_view_priv | Show_view_priv | Create_routine_priv | Alter_routine_priv | Create_user_priv | Event_priv | Trigger_priv | Create_tablespace_priv | ssl_type | ssl_cipher | x509_issuer | x509_subject | max_questions | max_updates | max_connections | max_user_connections | plugin                | authentication_string                                                  | password_expired | password_last_changed | password_lifetime | account_locked | Create_role_priv | Drop_role_priv | Password_reuse_history | Password_reuse_time |

+-----------+------------------+-------------+-------------+-------------+-------------+-------------+-----------+-------------+---------------+--------------+-----------+------------+-----------------+------------+------------+--------------+------------+-----------------------+------------------+--------------+-----------------+------------------+------------------+----------------+---------------------+--------------------+------------------+------------+--------------+------------------------+----------+------------+-------------+--------------+---------------+-------------+-----------------+----------------------+-----------------------+------------------------------------------------------------------------+------------------+-----------------------+-------------------+----------------+------------------+----------------+------------------------+---------------------+

| %        | app_dev          | N          | N          | N          | N          | N          | N        | N          | N            | N            | N        | N          | N              | N          | N          | N            | N          | N                    | N                | N            | N              | N                | N                | N              | N                  | N                  | N                | N          | N            | N                      |          |            |            |              |            0 |          0 |              0 |                    0 | caching_sha2_password |                                                                        | Y                | 2018-06-14 11:27:35  |              NULL | Y              | N                | N              |                  NULL |                NULL |

| %        | app_read        | N          | N          | N          | N          | N          | N        | N          | N            | N            | N        | N          | N              | N          | N          | N            | N          | N                    | N                | N            | N              | N                | N                | N              | N                  | N                  | N                | N          | N            | N                      |          |            |            |              |            0 |          0 |              0 |                    0 | caching_sha2_password |                                                                        | Y                | 2018-06-14 11:27:35  |              NULL | Y              | N                | N              |                  NULL |                NULL |

| %        | app_write        | N          | N          | N          | N          | N          | N        | N          | N            | N            | N        | N          | N              | N          | N          | N            | N          | N                    | N                | N            | N              | N                | N                | N              | N                  | N                  | N                | N          | N            | N                      |          |            |            |              |            0 |          0 |              0 |                    0 | caching_sha2_password |                                                                        | Y                | 2018-06-14 11:27:35  |              NULL | Y              | N                | N              |                  NULL |                NULL |

| %        | repl            | N          | N          | N          | N          | N          | N        | N          | N            | N            | N        | N          | N              | N          | N          | N            | N          | N                    | N                | N            | Y              | N                | N                | N              | N                  | N                  | N

給角色授權(quán)

上面我們建了三個(gè)role,但這三個(gè)role都只有usage權(quán)限,我們還需要對(duì)角色進(jìn)行授權(quán)。授權(quán)方式與給賬號(hào)授權(quán)是完全一樣的。


mysql8[(none)]>grant select , insert,update,delete on test.* to app_dev;

Query OK, 0 rows affected (0.02 sec)

mysql8[(none)]>grant select on test.* to app_read;

Query OK, 0 rows affected (0.10 sec)

mysql8[(none)]>show grants for app_read;

+--------------------------------------------+

| Grants for app_read@%                      |

+--------------------------------------------+

| GRANT USAGE ON *.* TO `app_read`@`%`      |

| GRANT SELECT ON `test`.* TO `app_read`@`%` |

+--------------------------------------------+

2 rows in set (0.00 sec)

mysql8[(none)]>show grants for app_dev;

+-------------------------------------------------------------------+

| Grants for app_dev@%                                              |

+-------------------------------------------------------------------+

| GRANT USAGE ON *.* TO `app_dev`@`%`                              |

| GRANT SELECT, INSERT, UPDATE, DELETE ON `test`.* TO `app_dev`@`%` |

+-------------------------------------------------------------------+

授權(quán)后我們看到各角色已經(jīng)具有了相應(yīng)的權(quán)限。

將角色授權(quán)于賬號(hào)

下面我們創(chuàng)建具體的賬號(hào),并將相應(yīng)的role授權(quán)給賬號(hào)。


mysql8[(none)]>create user dev01 identified with mysql_native_password by 'dev01';

Query OK, 0 rows affected (0.04 sec)

mysql8[(none)]>grant app_dev to dev01;

Query OK, 0 rows affected (0.05 sec)

mysql8[(none)]>show grants for dev01;

+------------------------------------+

| Grants for dev01@%                |

+------------------------------------+

| GRANT USAGE ON *.* TO `dev01`@`%`  |

| GRANT `app_dev`@`%` TO `dev01`@`%` |

+------------------------------------+

我們創(chuàng)建了一個(gè)賬號(hào)dev01,并授權(quán)角色app_dev, 執(zhí)行show grants 查看權(quán)限時(shí),看到的是角色,并不是具體的權(quán)限。如果要查看具體的權(quán)限則需要這樣執(zhí)行show grants.


mysql8[(none)]>show grants for dev01 using app_dev;

+-----------------------------------------------------------------+

| Grants for dev01@%                                              |

+-----------------------------------------------------------------+

| GRANT USAGE ON *.* TO `dev01`@`%`                              |

| GRANT SELECT, INSERT, UPDATE, DELETE ON `test`.* TO `dev01`@`%` |

| GRANT `app_dev`@`%` TO `dev01`@`%`                              |

+-----------------------------------------------------------------+

通過使用using app_dev,會(huì)將賬號(hào)和角色的權(quán)限一并顯示。

我們給角色app_dev添加create權(quán)限


mysql8[(none)]>grant create on test.* to app_dev;

Query OK, 0 rows affected (0.10 sec)

mysql8[(none)]>show grants for dev01 using app_dev;

+-------------------------------------------------------------------------+

| Grants for dev01@%                                                      |

+-------------------------------------------------------------------------+

| GRANT USAGE ON *.* TO `dev01`@`%`                                      |

| GRANT SELECT, INSERT, UPDATE, DELETE, CREATE ON `test`.* TO `dev01`@`%` |

| GRANT `app_dev`@`%` TO `dev01`@`%`                                      |

+-------------------------------------------------------------------------+

3 rows in set (0.00 sec)

可以看到給角色添加權(quán)限后,dev01賬號(hào)也具有了create權(quán)限。

激活角色

上面的一些列操作貌似完美,dev02賬號(hào)可以使用了,其實(shí)還不行!使用dev01賬號(hào)登陸:


mysql> show grants for dev01 using app_dev;

+-------------------------------------------------------------------------+

| Grants for dev01@%                                                      |

+-------------------------------------------------------------------------+

| GRANT USAGE ON *.* TO `dev01`@`%`                                      |

| GRANT SELECT, INSERT, UPDATE, DELETE, CREATE ON `test`.* TO `dev01`@`%` |

| GRANT `app_dev`@`%` TO `dev01`@`%`                                      |

+-------------------------------------------------------------------------+

3 rows in set (0.00 sec)

mysql> show databases;

+--------------------+

| Database          |

+--------------------+

| information_schema |

+--------------------+

1 row in set (0.01 sec)

發(fā)現(xiàn)權(quán)限也有,但并看不到test庫,什么也無法執(zhí)行。為什么呢?角色沒有被激活


mysql> select current_role()

    -> ;

+----------------+

| current_role() |

+----------------+

| NONE          |

+----------------+

1 row in set (0.00 sec)

執(zhí)行select current_role()發(fā)現(xiàn)是None. 所授權(quán)的角色并沒有被激活,因此這個(gè)賬號(hào) 還是廢柴一個(gè)。

對(duì)賬號(hào)激活權(quán)限也很簡單


mysql8[(none)]>set default role all to dev01;

Query OK, 0 rows affected (0.06 sec)

這樣對(duì)dev01授予的所有角色都會(huì)被激活。再使用dev01登陸就正常訪問了。


mysql> show databases;

+--------------------+

| Database          |

+--------------------+

| information_schema |

| test              |

+--------------------+

2 rows in set (0.01 sec)

mysql> select current_role();

+----------------+

| current_role() |

+----------------+

| `app_dev`@`%`  |

+----------------+

1 row in set (0.00 sec)

可以看到當(dāng)前激活的角色為app_dev.

感覺流程太繁瑣了,都授權(quán)完了還要激活,但MySQL8 提供已一個(gè)參數(shù),可以使角色在賬號(hào)登陸后自動(dòng)被激活。


mysql8[(none)]>show global variables like 'activate_all_roles_on_login';

+-----------------------------+-------+

| Variable_name              | Value |

+-----------------------------+-------+

| activate_all_roles_on_login | OFF  |

+-----------------------------+-------+

1 row in set (0.01 sec)

mysql8[(none)]>set global activate_all_roles_on_login=ON;

Query OK, 0 rows affected (0.00 sec)

把a(bǔ)ctivate_all_roles_on_login設(shè)置為ON就可以了。


mysql8[(none)]>create user query identified with mysql_native_password by 'query';

Query OK, 0 rows affected (0.04 sec)

mysql8[(none)]>grant app_read to query;

Query OK, 0 rows affected (0.06 sec)

mysql8[(none)]>show grants for query using app_read;

+-----------------------------------------+

| Grants for query@%                      |

+-----------------------------------------+

| GRANT USAGE ON *.* TO `query`@`%`      |

| GRANT SELECT ON `test`.* TO `query`@`%` |

| GRANT `app_read`@`%` TO `query`@`%`    |

+-----------------------------------------+

3 rows in set (0.00 sec)

mysql8[(none)]>exit

使用query賬號(hào)登陸


mysql> show databases;

+--------------------+

| Database          |

+--------------------+

| information_schema |

| test              |

+--------------------+

2 rows in set (0.00 sec)

mysql> select current_user();

+----------------+

| current_user() |

+----------------+

| query@%        |

+----------------+

1 row in set (0.00 sec)

mysql> select current_role();

+----------------+

| current_role() |

+----------------+

| `app_read`@`%` |

+----------------+

1 row in set (0.00 sec)

可以看到角色已被激活。

角色和賬號(hào)交互使用

角色和賬號(hào)沒有什么區(qū)別,可以把一個(gè)賬號(hào)當(dāng)做一個(gè)角色,將其授權(quán)給其它賬號(hào)。詳見MySQL 官方文檔


CREATE USER 'u1';

CREATE ROLE 'r1';

GRANT SELECT ON db1.* TO 'u1';

GRANT SELECT ON db2.* TO 'r1';

CREATE USER 'u2';

CREATE ROLE 'r2';

GRANT 'u1', 'r1' TO 'u2';

GRANT 'u1', 'r1' TO 'r2';

這也太靈活了吧? 我驚掉了下巴!

閱讀更多

?著作權(quán)歸作者所有,轉(zhuǎn)載或內(nèi)容合作請(qǐng)聯(lián)系作者
【社區(qū)內(nèi)容提示】社區(qū)部分內(nèi)容疑似由AI輔助生成,瀏覽時(shí)請(qǐng)結(jié)合常識(shí)與多方信息審慎甄別。
平臺(tái)聲明:文章內(nèi)容(如有圖片或視頻亦包括在內(nèi))由作者上傳并發(fā)布,文章內(nèi)容僅代表作者本人觀點(diǎn),簡書系信息發(fā)布平臺(tái),僅提供信息存儲(chǔ)服務(wù)。

相關(guān)閱讀更多精彩內(nèi)容

  • 幾乎任何一個(gè)后臺(tái),都會(huì)涉及到權(quán)限管理,哪些人(用戶)有能夠登陸,能夠操作哪些東西(權(quán)限)。 基于角色的訪問控制方法...
    烤魚吃辣椒閱讀 10,690評(píng)論 1 71
  • 有了QQ,將號(hào)碼發(fā)給同事、同學(xué)、朋友。 于是,即使多年沒見面的人都會(huì)或發(fā)個(gè)短信,或打個(gè)電話,或留個(gè)言支持我這個(gè)新手...
    高小花0218閱讀 178評(píng)論 0 0
  • 哭的時(shí)候沒人哄 于是我們學(xué)會(huì)了堅(jiān)強(qiáng) 怕的時(shí)候沒人陪 于是我們學(xué)會(huì)了勇敢 煩的時(shí)候沒人傾訴 于是我們學(xué)會(huì)了承受 累的...
    Mr酵母君閱讀 143評(píng)論 0 2
  • “奧呦…玩的是王者農(nóng)藥呀…怎么樣,玩的咋樣?”,中午飯局上一哥們跟另一個(gè)手里抱著手機(jī)玩游戲的哥們調(diào)侃著說道。當(dāng)下如...
    將軍_84fd閱讀 476評(píng)論 0 0
  • 我是一只小小鳥, 膽小而懦弱。 飛也飛不高, 卻擁有無盡的勇氣和力量。 這個(gè)世間, 嘈雜的聲音, 繚亂的節(jié)奏。 到...
    阿俊xi閱讀 211評(píng)論 0 0

友情鏈接更多精彩內(nèi)容