Artikel ini membawakan anda isu yang berkaitan dengan kebenaran akaun dalam MySQL Apabila pengguna melakukan sebarang operasi pangkalan data, pelayan akan mengesahkan sama ada pengguna mempunyai kebenaran yang sepadan Contohnya, membuat pertanyaan jadual memerlukan kebenaran SELECT, dan memadam objek memerlukan DROP. kebenaran. Semoga ia membantu semua orang.
Apabila klien menyambung ke pelayan MySQL, ia mesti memberikan pengesahan yang sah, seperti nama pengguna dan kata laluan. Apabila pengguna melakukan sebarang operasi pangkalan data, pelayan akan mengesahkan sama ada pengguna mempunyai kebenaran yang sepadan Contohnya, pertanyaan jadual memerlukan kebenaran SELECT, dan memadam objek memerlukan kebenaran DROP.
Untuk memudahkan pengurusan kebenaran pengguna, MySQL 8.0 menyediakan fungsi peranan. Peranan ialah himpunan kebenaran.
Dalam artikel ini kita membincangkan pengurusan akaun dan kebenaran dalam MySQL.
5.1 Mengurus pengguna
5.1.1 Mencipta pengguna
MySQL dicipta menggunakan CREATE Kenyataan PENGGUNA Pengguna, sintaks asas adalah seperti berikut:
CREATE USER [IF NOT EXISTS] account_name
IDENTIFIED BY 'password';
Salin selepas log masuk
Antaranya, nama_akaun ialah nama akaun terbahagi kepada dua bahagian: nama pengguna (nama_pengguna) dan nama hos (nama_hos), menggunakan % sambungan. IDENTIFIED BY digunakan untuk menentukan kata laluan pengguna. JIKA TIDAK WUJUD digunakan untuk mengelakkan mesej ralat semasa membuat akaun dengan nama yang sama.
Pernyataan berikut mencipta pengguna baharu dev01, yang boleh log masuk dari mesin tempatan (localhost):
mysql> CREATE USER dev01@localhost IDENTIFIED BY 'Dev01@mysql';
Query OK, 0 rows affected (0.21 sec)
Salin selepas log masuk
Akaun dalam MySQL ditentukan oleh nama pengguna dan nama hos. Pejabat hos.contoh dev01 pada .com dan dev01 pada hos home.example.com ialah dua akaun. Jika nama hos tidak dinyatakan, ini bermakna pengguna boleh log masuk daripada mana-mana hos:
user_name
user_name@%
Salin selepas log masuk
% ialah aksara kad bebas, mewakili sebarang rentetan sebagai tambahan, _ mewakili mana-mana aksara tunggal.
Jika nama pengguna atau nama hos mengandungi aksara khas, seperti ruang atau -, anda perlu menggunakan tanda petikan untuk memetik dua bahagian masing-masing:
'user-name'@'host-name'
Salin selepas log masuk
Selain tanda petikan tunggal, anda juga boleh menggunakan Backticks (`) atau petikan berganda (").
Maklumat akaun dalam MySQL disimpan dalam jadual pengguna pangkalan data sistem mysql:
mysql> select host, user from mysql.user;
+-----------+------------------+
| host | user |
+-----------+------------------+
| localhost | dev01 |
| localhost | mysql.infoschema |
| localhost | mysql.session |
| localhost | mysql.sys |
| localhost | root |
+-----------+------------------+
5 rows in set (0.00 sec)
Salin selepas log masuk
Kecuali dev01@ localhost, yang lain Empat pengguna semuanya adalah pengguna sistem yang dicipta pada mulanya
Selain sintaks asas, anda juga boleh menentukan lebih banyak pilihan apabila mencipta pengguna:
resource_option: {
MAX_QUERIES_PER_HOUR count
| MAX_UPDATES_PER_HOUR count
| MAX_CONNECTIONS_PER_HOUR count
| MAX_USER_CONNECTIONS count
}Salin selepas log masuk
pilihan_sumber digunakan untuk. hadkan akses pengguna kepada sistem.
Berikut ialah pilihan pengurusan kata laluan:
mysql> CREATE USER 'dev02'@'%'
-> WITH MAX_QUERIES_PER_HOUR 1000 MAX_UPDATES_PER_HOUR 100;
Query OK, 0 rows affected (0.01 sec)Salin selepas log masuk
Pilihan pengurusan kata laluan boleh digunakan untuk menetapkan tamat tempoh kata laluan, dasar penggunaan semula dan pengesahan apabila menukar kata laluan:
mysql> select host, user, max_questions, max_updates from mysql.user;
+-----------+------------------+---------------+-------------+
| host | user | max_questions | max_updates |
+-----------+------------------+---------------+-------------+
| % | dev02 | 1000 | 100 |
| localhost | dev01 | 0 | 0 |
| localhost | mysql.infoschema | 0 | 0 |
| localhost | mysql.session | 0 | 0 |
| localhost | mysql.sys | 0 | 0 |
| localhost | root | 0 | 0 |
+-----------+------------------+---------------+-------------+
6 rows in set (0.00 sec)
Salin selepas log masuk
TAMAT TEMPOH KATA LALUAN, tetapkan kata laluan untuk tamat tempoh serta-merta; tamat tempoh; kata laluan baharu tidak boleh diulang dengan kata laluan N terakhir;
password_option: {
PASSWORD EXPIRE [DEFAULT | NEVER | INTERVAL N DAY]
| PASSWORD HISTORY {DEFAULT | N}
| PASSWORD REUSE INTERVAL {DEFAULT | N DAY}
| PASSWORD REQUIRE CURRENT [DEFAULT | OPTIONAL]
}Salin selepas log masuk
Pernyataan ALTER USER boleh mengubah suai atribut pengguna Pilihan untuk mengubah suai pengguna adalah sama sebagai mencipta pengguna.
mysql> select host,user,
-> password_expired, password_last_changed,
-> password_lifetime, password_reuse_history,
-> password_reuse_time, password_require_current
-> from mysql.user;
+-----------+------------------+------------------+-----------------------+-------------------+------------------------+---------------------+--------------------------+
| host | user | password_expired | password_last_changed | password_lifetime | password_reuse_history | password_reuse_time | password_require_current |
+-----------+------------------+------------------+-----------------------+-------------------+------------------------+---------------------+--------------------------+
| % | dev02 | N | 2019-09-23 15:02:47 | NULL | NULL | NULL | NULL |
| localhost | dev01 | N | 2019-09-23 14:23:39 | NULL | NULL | NULL | NULL |
| localhost | mysql.infoschema | N | 2019-08-28 10:07:39 | NULL | NULL | NULL | NULL |
| localhost | mysql.session | N | 2019-08-28 10:07:39 | NULL | NULL | NULL | NULL |
| localhost | mysql.sys | N | 2019-08-28 10:07:39 | NULL | NULL | NULL | NULL |
| localhost | root | N | 2019-08-28 10:07:44 | NULL | NULL | NULL | NULL |
+-----------+------------------+------------------+-----------------------+-------------------+------------------------+---------------------+--------------------------+
6 rows in set (0.00 sec)Salin selepas log masuk
Langkah pertama ialah menukar kata laluan pengguna. Pernyataan berikut digunakan untuk menukar kata laluan pengguna dev01:
mysql> ALTER USER dev01@localhost IDENTIFIED BY 'Dev01@2019';
Query OK, 0 rows affected (0.25 sec)
Salin selepas log masuk
MySQL 提供了 RENAME USER 语句,用于修改用户名:
mysql> RENAME USER dev02 TO dev03;
Query OK, 0 rows affected (0.26 sec)
Salin selepas log masuk
用户 dev02 被重命名为 dev03。
RENAME USER 语句自动将旧用户的权限授予新用户,但是不会自动解决旧用户上的对象依赖。例如,某个存储过程的定义者为旧的用户名,并且使用定义者权限运行时,将会产生错误。
另一个常见的用户修改操作就是锁定账户和解锁账户:
mysql> ALTER USER dev01@localhost ACCOUNT LOCK;
Query OK, 0 rows affected (0.13 sec)
Salin selepas log masuk
用户 dev01 被锁定,此时无法使用该用户进行连接:
"C:\Program Files\MySQL\MySQL Server 8.0\bin\mysql.exe" -u dev01 -p
Enter password: **********
ERROR 3118 (HY000): Access denied for user 'dev01'@'localhost'. Account is locked.
Salin selepas log masuk
系统变量 Locked_connects 用于记录锁定账户尝试登录的次数:
mysql> SHOW GLOBAL STATUS LIKE 'Locked_connects';
+-----------------+-------+
| Variable_name | Value |
+-----------------+-------+
| Locked_connects | 1 |
+-----------------+-------+
1 row in set (0.00 sec)
Salin selepas log masuk
最后我们将 dev01 进行解锁:
mysql> ALTER USER dev01@localhost ACCOUNT UNLOCK;
Query OK, 0 rows affected (0.10 sec)
Salin selepas log masuk
5.1.3 删除用户
DROP USER 语句用于删除一个用户。以下语句将会删除用 dev03:
mysql> DROP USER dev03;
Query OK, 0 rows affected (0.14 sec)
Salin selepas log masuk
如果被删除的用户已经连接到 MySQL 服务器,用户可以继续执行操作;但是无法建立新的连接。
5.2 管理权限
新创建的用户默认只有 USAGE 权限,只能连接数据库,而没有任何操作权限。使用 SHOW GRANTS 命令可以查看用户的权限:
mysql> SHOW GRANTS FOR dev01@localhost;
+-------------------------------------------+
| Grants for dev01@localhost |
+-------------------------------------------+
| GRANT USAGE ON *.* TO `dev01`@`localhost` |
+-------------------------------------------+
1 row in set (0.00 sec)
Salin selepas log masuk
使用 GRANT 语句可以为用户授予权限。
5.2.1 授予权限
GRANT 语句基本语法如下:
GRANT privilege, ...
ON privilege_level
TO account_name;
Salin selepas log masuk
GRANT 语句支持一次授予多个权限,使用逗号进行分隔。
privilege_level 指定权限的作用级别,包括:
mysql> GRANT SELECT
-> ON *.*
-> TO dev01@localhost;
Query OK, 0 rows affected (0.01 sec)
mysql> SHOW GRANTS FOR dev01@localhost;
+--------------------------------------------+
| Grants for dev01@localhost |
+--------------------------------------------+
| GRANT SELECT ON *.* TO `dev01`@`localhost` |
+--------------------------------------------+
1 row in set (0.00 sec)
Salin selepas log masuk
全局权限存储在 mysql.user 表中。
mysql> GRANT ALL
-> ON world.*
-> TO dev01@localhost;
Query OK, 0 rows affected (0.01 sec)
mysql> SHOW GRANTS FOR dev01@localhost;
+----------------------------------------------------------+
| Grants for dev01@localhost |
+----------------------------------------------------------+
| GRANT SELECT ON *.* TO `dev01`@`localhost` |
| GRANT ALL PRIVILEGES ON `world`.* TO `dev01`@`localhost` |
+----------------------------------------------------------+
2 rows in set (0.00 sec)Salin selepas log masuk
数据库权限存储在 mysql.db 表中。
mysql> GRANT SELECT, INSERT, UPDATE, DELETE
-> ON world.country
-> TO dev01@localhost;
Query OK, 0 rows affected (0.01 sec)
mysql> SHOW GRANTS FOR dev01@localhost;
+----------------------------------------------------------------------------------+
| Grants for dev01@localhost |
+----------------------------------------------------------------------------------+
| GRANT SELECT ON *.* TO `dev01`@`localhost` |
| GRANT ALL PRIVILEGES ON `world`.* TO `dev01`@`localhost` |
| GRANT SELECT, INSERT, UPDATE, DELETE ON `world`.`country` TO `dev01`@`localhost` |
+----------------------------------------------------------------------------------+
3 rows in set (0.00 sec)Salin selepas log masuk
表权限存储在 mysql.tables_priv 表中。
mysql> GRANT SELECT(code, name), UPDATE(population)
-> ON world.country
-> TO dev01@localhost;
Query OK, 0 rows affected (0.01 sec)
mysql> SHOW GRANTS FOR dev01@localhost;
+----------------------------------------------------------------------------------------------------------------------------------+
| Grants for dev01@localhost |
+----------------------------------------------------------------------------------------------------------------------------------+
| GRANT SELECT ON *.* TO `dev01`@`localhost` |
| GRANT ALL PRIVILEGES ON `world`.* TO `dev01`@`localhost` |
| GRANT SELECT, SELECT (`code`, `name`), INSERT, UPDATE, UPDATE (`population`), DELETE ON `world`.`country` TO `dev01`@`localhost` |
+----------------------------------------------------------------------------------------------------------------------------------+
3 rows in set (0.00 sec)Salin selepas log masuk
列权限存储在 mysql.columns_priv 表中。
mysql> GRANT CREATE ROUTINE
-> ON world.*
-> TO dev01@localhost;
Query OK, 0 rows affected (0.02 sec)
mysql> SHOW GRANTS FOR dev01@localhost;
+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| Grants for dev01@localhost |
+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| GRANT SELECT ON *.* TO `dev01`@`localhost`|
| GRANT SELECT, INSERT, UPDATE, DELETE, CREATE, DROP, REFERENCES, INDEX, ALTER, CREATE TEMPORARY TABLES, LOCK TABLES, EXECUTE, CREATE VIEW, SHOW VIEW, ALTER ROUTINE, EVENT, TRIGGER ON `world`.* TO `dev01`@`localhost` |
| GRANT SELECT, SELECT (`code`, `name`), INSERT, UPDATE, UPDATE (`population`), DELETE ON `world`.`country` TO `dev01`@`localhost` |
+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
3 rows in set (0.00 sec)Salin selepas log masuk
存储例程权限存储在 mysql.procs_priv 表中。
mysql> GRANT PROXY
-> ON root
-> TO dev01@localhost;
Query OK, 0 rows affected (0.01 sec)
mysql> SHOW GRANTS FOR dev01@localhost;
+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| Grants for dev01@localhost |
+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| GRANT SELECT ON *.* TO `dev01`@`localhost` |
| GRANT SELECT, INSERT, UPDATE, DELETE, CREATE, DROP, REFERENCES, INDEX, ALTER, CREATE TEMPORARY TABLES, LOCK TABLES, EXECUTE, CREATE VIEW, SHOW VIEW, ALTER ROUTINE, EVENT, TRIGGER ON `world`.* TO `dev01`@`localhost` |
| GRANT SELECT, SELECT (`code`, `name`), INSERT, UPDATE, UPDATE (`population`), DELETE ON `world`.`country` TO `dev01`@`localhost` |
| GRANT PROXY ON 'root'@'%' TO 'dev01'@'localhost' |
+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
4 rows in set (0.00 sec)Salin selepas log masuk
代理用户权限存储在 mysql.proxies_priv 表中。
5.2.2 撤销权限
REVOKE 语句执行与 GRANT 语句相反的操作,撤销授予用户的权限。
REVOKE privilegee, ..
ON privilege_level
FROM account_name;
Salin selepas log masuk
撤销权限的参数与授予权限时类似,以下语句撤销用户 dev01@localhost 所有的权限:
mysql> REVOKE ALL, GRANT OPTION
-> FROM dev01@localhost;
Query OK, 0 rows affected (0.01 sec)
mysql> SHOW GRANTS FOR dev01@localhost;
+--------------------------------------------------+
| Grants for dev01@localhost |
+--------------------------------------------------+
| GRANT USAGE ON *.* TO `dev01`@`localhost` |
| GRANT PROXY ON 'root'@'%' TO 'dev01'@'localhost' |
+--------------------------------------------------+
2 rows in set (0.00 sec)Salin selepas log masuk
代理用户权限需要单独撤销:
mysql> REVOKE PROXY
-> ON root
-> FROM dev01@localhost;
Query OK, 0 rows affected (0.01 sec)
mysql> SHOW GRANTS FOR dev01@localhost;
+-------------------------------------------+
| Grants for dev01@localhost |
+-------------------------------------------+
| GRANT USAGE ON *.* TO `dev01`@`localhost` |
+-------------------------------------------+
1 row in set (0.00 sec)Salin selepas log masuk
用户 dev01@localhost 又恢复了初始的权限。
对于全局级别的权限,REVOKE 的效果在用户下次登录时生效;对于数据库级别的权限,REVOKE 的效果在执行 USE 命令后生效;对于表级或者字段级别的权限,REVOKE 的效果随后的查询立即生效。
5.3 管理角色
当用户越来越多时,权限的管理也越来越复杂;而实际上,许多用户需要相同或类似的权限。为此,MySQL 8.0 引入了一个新的特性:角色(Role)。角色是一组权限的集合。
与账户类似,角色也可以授予权限;但是角色不能用于登录数据库。通过角色为用户授权的步骤如下:
5.3.1 创建角色
假设我们的应用需要使用 world 数据库。开发人员需要该数据库的完全访问权限,测试人员需要表的读写权限,业务分析人员需要查询数据的权限。
首先,使用CREATE ROLE语句创建 3 个角色:
mysql> CREATE ROLE devp_role, read_role, write_role;
Query OK, 0 rows affected (0.02 sec)
Salin selepas log masuk
角色名称和账户名称类似,也可以包含 role_name 和 host_name 两部分,使用 @ 连接。
此时如果查询用户表:
mysql> SELECT host,user,authentication_string FROM mysql.user;
+-----------+------------------+------------------------------------------------------------------------+
| host | user | authentication_string |
+-----------+------------------+------------------------------------------------------------------------+
| % | devp_role | |
| % | read_role | |
| % | write_role | |
| localhost | dev01 | $A$005$lw58QcU;Q�I�|L`�k�tULChFhIVFxy5dsYrYmEhJkJqko4mezqefUFyT0zgyE2 |
| localhost | mysql.infoschema | $A$005$THISISACOMBINATIONOFINVALIDSALTANDPASSWORDTHATMUSTNEVERBRBEUSED |
| localhost | mysql.session | $A$005$THISISACOMBINATIONOFINVALIDSALTANDPASSWORDTHATMUSTNEVERBRBEUSED |
| localhost | mysql.sys | $A$005$THISISACOMBINATIONOFINVALIDSALTANDPASSWORDTHATMUSTNEVERBRBEUSED |
| localhost | root | $A$005$k���D�qbW(�q*0Uev;�TyKgUe56D9KXiFzPtrSGVxKjvM23CYN5pgE9dLrO0eT8 |
+-----------+------------------+------------------------------------------------------------------------+
8 rows in set (0.00 sec)
Salin selepas log masuk
可以看出,角色实际上也是一个用户,但是没有密码。
5.3.2 为角色授权
为角色授权和用户授权类似,也是使用 GRANT 语句。我们分别为上面的 3 个角色分配权限:
mysql> GRANT ALL ON world.* TO devp_role;
Query OK, 0 rows affected (0.01 sec)
mysql> GRANT SELECT ON world.* TO read_role;
Query OK, 0 rows affected (0.01 sec)
mysql> GRANT INSERT, UPDATE, DELETE ON world.* TO write_role;
Query OK, 0 rows affected (0.01 sec)
Salin selepas log masuk
查看角色的权限和查询用户的权限类似:
mysql> SHOW GRANTS FOR devp_role;
+------------------------------------------------------+
| Grants for devp_role@% |
+------------------------------------------------------+
| GRANT USAGE ON *.* TO `devp_role`@`%` |
| GRANT ALL PRIVILEGES ON `world`.* TO `devp_role`@`%` |
+------------------------------------------------------+
2 rows in set (0.00 sec)
Salin selepas log masuk
5.3.2 为用户指定角色
接下来我们创建几个用户,然后为他们分别指定角色。
mysql> CREATE USER devp1 IDENTIFIED BY 'Devp1@2019';
Query OK, 0 rows affected (0.01 sec)
mysql> CREATE USER read1 IDENTIFIED BY 'Read1@2019';
Query OK, 0 rows affected (0.01 sec)
mysql> CREATE USER test1 IDENTIFIED BY 'Test1@2019';
Query OK, 0 rows affected (0.04 sec)
Salin selepas log masuk
为用户指定角色和授予权限类似,也是使用GRANT语句:
mysql> GRANT devp_role TO devp1;
Query OK, 0 rows affected (0.01 sec)
mysql> GRANT read_role TO read1;
Query OK, 0 rows affected (0.01 sec)
mysql> GRANT read_role, write_role TO test1;
Query OK, 0 rows affected (0.01 sec)
Salin selepas log masuk
再次查询用户的权限:
mysql> SHOW GRANTS FOR devp1;
+--------------------------------------+
| Grants for devp1@% |
+--------------------------------------+
| GRANT USAGE ON *.* TO `devp1`@`%` |
| GRANT `devp_role`@`%` TO `devp1`@`%` |
+--------------------------------------+
2 rows in set (0.00 sec)
Salin selepas log masuk
如果想要知道用户通过角色获得的具体权限,可以使用USING选项:
mysql> SHOW GRANTS FOR devp1 USING devp_role;
+--------------------------------------------------+
| Grants for devp1@% |
+--------------------------------------------------+
| GRANT USAGE ON *.* TO `devp1`@`%` |
| GRANT ALL PRIVILEGES ON `world`.* TO `devp1`@`%` |
| GRANT `devp_role`@`%` TO `devp1`@`%` |
+--------------------------------------------------+
3 rows in set (0.00 sec)
Salin selepas log masuk
另外,也可以通过将一个用户授予另一个用户,实现权限的复制:
mysql> GRANT read1 TO test1;
Query OK, 0 rows affected (0.09 sec)
Salin selepas log masuk
用户是具有登录权限的角色,角色是不能登录的用户。
5.3.4 设置默认角色
使用 devp1 连接数据库:
"C:\Program Files\MySQL\MySQL Server 8.0\bin\mysql.exe" -u devp1 -p
Enter password: **********
Welcome to the MySQL monitor. Commands end with ; or \g.
Your MySQL connection id is 14
Server version: 8.0.17 MySQL Community Server - GPL
Copyright (c) 2000, 2019, Oracle and/or its affiliates. All rights reserved.
Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.
Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
mysql> use world;
ERROR 1044 (42000): Access denied for user 'devp1'@'%' to database 'world'
Salin selepas log masuk
我们已经为用户 devp1 授予了 devp_role 角色,该角色拥有数据库 world 上的所有权限;错误的原因在于该角色没有自动激活。使用CURRENT_ROLE()函数查看当前启动的角色:
mysql> SELECT current_role();
+----------------+
| current_role() |
+----------------+
| NONE |
+----------------+
1 row in set (0.00 sec)
Salin selepas log masuk
结果显示没有任何角色。SET DEFAULT ROLE命令可以设置用户默认的活动角色:
mysql> SET DEFAULT ROLE ALL
-> TO devp1;
Query OK, 0 rows affected (0.01 sec)Salin selepas log masuk
再次使用 devp1 连接数据库后,将会激活该用户所有的角色:
"C:\Program Files\MySQL\MySQL Server 8.0\bin\mysql.exe" -u devp1 -p
Enter password: **********
Welcome to the MySQL monitor. Commands end with ; or \g.
Your MySQL connection id is 15
Server version: 8.0.17 MySQL Community Server - GPL
Copyright (c) 2000, 2019, Oracle and/or its affiliates. All rights reserved.
Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.
Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
mysql> SELECT current_role();
+-----------------+
| current_role() |
+-----------------+
| `devp_role`@`%` |
+-----------------+
1 row in set (0.00 sec)
mysql> use world;
Database changed
mysql> select * from city limit 1;
+----+-------+-------------+----------+------------+
| ID | Name | CountryCode | District | Population |
+----+-------+-------------+----------+------------+
| 1 | Kabul | AFG | Kabol | 1780000 |
+----+-------+-------------+----------+------------+
1 row in set (0.00 sec)
Salin selepas log masuk
另一种方式就是使用SET ROLE命令设置当前会话的活动角色:
SET ROLE NONE;
SET ROLE ALL;
SET ROLE DEFAULT;
Salin selepas log masuk
以上语句分别表示不设置任何角色、设置所有角色以及设置默认的角色。
5.3.5 撤销角色的权限
撤销角色的权限与撤销用户的权限类似,撤销角色的权限同时会影响到具有该角色的用户。
以下语句撤销角色 write_role 的 DELETE 权限:
mysql> REVOKE DELETE
-> ON world.*
-> FROM write_role;
Query OK, 0 rows affected (0.14 sec)Salin selepas log masuk
此时,用户 test1 上的相应权限也被撤销。
5.3.6 删除角色
DROP ROLE语句可以删除角色:
DROP ROLE role_name, ...;
Salin selepas log masuk
删除角色的同时会撤销为用户指定的角色。以下语句将会删除角色 read_role 和 write_role:
mysql> DROP ROLE read_role, write_role;
Query OK, 0 rows affected (0.10 sec)
Salin selepas log masuk
推荐学习:mysql视频教程
Atas ialah kandungan terperinci Mari kita bercakap tentang akaun dan kebenaran dalam mysql. Untuk maklumat lanjut, sila ikut artikel berkaitan lain di laman web China PHP!
![[Web front-end] Permulaan pantas Node.js](https://img.php.cn/upload/course/000/000/067/662b5d34ba7c0227.png)
