Rechercher dans le manuel MySQL
6.2.2 Privileges Provided by MySQL
The privileges granted to a MySQL account determine which operations the account can perform. MySQL privileges differ in the contexts in which they apply and at different levels of operation:
Administrative privileges enable users to manage operation of the MySQL server. These privileges are global because they are not specific to a particular database.
Database privileges apply to a database and to all objects within it. These privileges can be granted for specific databases, or globally so that they apply to all databases.
Privileges for database objects such as tables, indexes, views, and stored routines can be granted for specific objects within a database, for all objects of a given type within a database (for example, all tables in a database), or globally for all objects of a given type in all databases.
Privileges also differ in terms of whether they are static (built in to the server) or dynamic (defined at runtime). Whether a privilege is static or dynamic affects its availability to be granted to user accounts and roles. For information about the differences between static and dynamic privileges, see Static Versus Dynamic Privileges.)
Information about account privileges is stored in the grant tables
in the mysql
system database. For a description
of the structure and contents of these tables, see
Section 6.2.3, “Grant Tables”. The MySQL server reads the
contents of the grant tables into memory when it starts, and
reloads them under the circumstances indicated in
Section 6.2.13, “When Privilege Changes Take Effect”. The server bases
access-control decisions on the in-memory copies of the grant
tables.
Some MySQL releases introduce changes to the grant tables to add new privileges or features. To make sure that you can take advantage of any new capabilities, update your grant tables to the current structure whenever you upgrade MySQL. See Section 2.11, “Upgrading MySQL”.
The following sections summarize the available privileges, provide more detailed descriptions of each privilege, and offer usage guidelines.
Summary of Available Privileges
The following table shows the static privilege names used in
GRANT
and
REVOKE
statements, along with the
column name associated with each privilege in the grant tables
and the context in which the privilege applies.
Table 6.2 Permissible Static Privileges for GRANT and REVOKE
Privilege | Grant Table Column | Context |
---|---|---|
ALL [PRIVILEGES] |
Synonym for “all privileges” | Server administration |
ALTER |
Alter_priv |
Tables |
ALTER ROUTINE |
Alter_routine_priv |
Stored routines |
CREATE |
Create_priv |
Databases, tables, or indexes |
CREATE ROLE |
Create_role_priv |
Server administration |
CREATE ROUTINE |
Create_routine_priv |
Stored routines |
CREATE TABLESPACE |
Create_tablespace_priv |
Server administration |
CREATE TEMPORARY TABLES |
Create_tmp_table_priv |
Tables |
CREATE USER |
Create_user_priv |
Server administration |
CREATE VIEW |
Create_view_priv |
Views |
DELETE |
Delete_priv |
Tables |
DROP |
Drop_priv |
Databases, tables, or views |
DROP ROLE |
Drop_role_priv |
Server administration |
EVENT |
Event_priv |
Databases |
EXECUTE |
Execute_priv |
Stored routines |
FILE |
File_priv |
File access on server host |
GRANT OPTION |
Grant_priv |
Databases, tables, or stored routines |
INDEX |
Index_priv |
Tables |
INSERT |
Insert_priv |
Tables or columns |
LOCK TABLES |
Lock_tables_priv |
Databases |
PROCESS |
Process_priv |
Server administration |
PROXY |
See proxies_priv table |
Server administration |
REFERENCES |
References_priv |
Databases or tables |
RELOAD |
Reload_priv |
Server administration |
REPLICATION CLIENT |
Repl_client_priv |
Server administration |
REPLICATION SLAVE |
Repl_slave_priv |
Server administration |
SELECT |
Select_priv |
Tables or columns |
SHOW DATABASES |
Show_db_priv |
Server administration |
SHOW VIEW |
Show_view_priv |
Views |
SHUTDOWN |
Shutdown_priv |
Server administration |
SUPER |
Super_priv |
Server administration |
TRIGGER |
Trigger_priv |
Tables |
UPDATE |
Update_priv |
Tables or columns |
USAGE |
Synonym for “no privileges” | Server administration |
The following table shows the dynamic privilege names used in
GRANT
and
REVOKE
statements, along with the
context in which the privilege applies.
Table 6.3 Permissible Dynamic Privileges for GRANT and REVOKE
Privilege | Context |
---|---|
APPLICATION_PASSWORD_ADMIN |
Dual password administration |
AUDIT_ADMIN |
Audit log administration |
BACKUP_ADMIN |
Backup administration |
BINLOG_ADMIN |
Backup and Replication administration |
BINLOG_ENCRYPTION_ADMIN |
Backup and Replication administration |
CLONE_ADMIN |
Clone administration |
CONNECTION_ADMIN |
Server administration |
ENCRYPTION_KEY_ADMIN |
Server administration |
FIREWALL_ADMIN |
Firewall administration |
FIREWALL_USER |
Firewall administration |
GROUP_REPLICATION_ADMIN |
Replication administration |
INNODB_REDO_LOG_ARCHIVE |
Redo log archiving administration. |
PERSIST_RO_VARIABLES_ADMIN |
Server administration |
REPLICATION_SLAVE_ADMIN |
Replication administration |
RESOURCE_GROUP_ADMIN |
Resource group administration |
RESOURCE_GROUP_USER |
Resource group administration |
ROLE_ADMIN |
Server administration |
SESSION_VARIABLES_ADMIN |
Server administration |
SET_USER_ID |
Server administration |
SYSTEM_USER |
Server administration |
SYSTEM_VARIABLES_ADMIN |
Server administration |
TABLE_ENCRYPTION_ADMIN |
Server administration |
VERSION_TOKEN_ADMIN |
Server administration |
XA_RECOVER_ADMIN |
Server administration |
Static privileges are built in to the server, in contrast to dynamic privileges, which are defined at runtime. The following list describes each static privilege available in MySQL.
Particular SQL statements might have more specific privilege requirements than indicated here. If so, the description for the statement in question provides the details.
These privilege specifiers are shorthand for “all privileges available at a given privilege level” (except
GRANT OPTION
). For example, grantingALL
at the global or table level grants all global privileges or all table-level privileges, respectively.Enables use of the
ALTER TABLE
statement to change the structure of tables.ALTER TABLE
also requires theCREATE
andINSERT
privileges. Renaming a table requiresALTER
andDROP
on the old table,CREATE
, andINSERT
on the new table.Enables use of statements that alter or drop stored routines (stored procedures and functions).
Enables use of statements that create new databases and tables.
Enables use of the
CREATE ROLE
statement. (TheCREATE USER
privilege also enables use of theCREATE ROLE
statement.) See Section 6.2.10, “Using Roles”.The
CREATE ROLE
andDROP ROLE
privileges are not as powerful asCREATE USER
because they can be used only to create and drop accounts. They cannot be used asCREATE USER
can be modify account attributes or rename accounts. See User and Role Interchangeability.Enables use of statements that create stored routines (stored procedures and functions).
Enables use of statements that create, alter, or drop tablespaces and log file groups.
Enables the creation of temporary tables using the
CREATE TEMPORARY TABLE
statement.After a session has created a temporary table, the server performs no further privilege checks on the table. The creating session can perform any operation on the table, such as
DROP TABLE
,INSERT
,UPDATE
, orSELECT
. For more information, see Section 13.1.20.3, “CREATE TEMPORARY TABLE Syntax”.Enables use of the
ALTER USER
,CREATE ROLE
,CREATE USER
,DROP ROLE
,DROP USER
,RENAME USER
, andREVOKE ALL PRIVILEGES
statements.Enables use of the
CREATE VIEW
statement.Enables rows to be deleted from tables in a database.
Enables use of statements that drop (remove) existing databases, tables, and views. The
DROP
privilege is required to use theALTER TABLE ... DROP PARTITION
statement on a partitioned table. TheDROP
privilege is also required forTRUNCATE TABLE
.Enables use of the
DROP ROLE
statement. (TheCREATE USER
privilege also enables use of theDROP ROLE
statement.) See Section 6.2.10, “Using Roles”.The
CREATE ROLE
andDROP ROLE
privileges are not as powerful asCREATE USER
because they can be used only to create and drop accounts. They cannot be used asCREATE USER
can be modify account attributes or rename accounts. See User and Role Interchangeability.Enables use of statements that create, alter, drop, or display events for the Event Scheduler.
Enables use of statements that execute stored routines (stored procedures and functions).
Affects the following operations and server behaviors:
Enables reading and writing files on the server host using the
LOAD DATA
andSELECT ... INTO OUTFILE
statements and theLOAD_FILE()
function. A user who has theFILE
privilege can read any file on the server host that is either world-readable or readable by the MySQL server. (This implies the user can read any file in any database directory, because the server can access any of those files.)Enables creating new files in any directory where the MySQL server has write access. This includes the server's data directory containing the files that implement the privilege tables.
Enables use of the
DATA DIRECTORY
orINDEX DIRECTORY
table option for theCREATE TABLE
statement.
As a security measure, the server does not overwrite existing files.
To limit the location in which files can be read and written, set the
secure_file_priv
system variable to a specific directory. See Section 5.1.8, “Server System Variables”.Enables you to grant to or revoke from other users those privileges that you yourself possess.
Enables use of statements that create or drop (remove) indexes.
INDEX
applies to existing tables. If you have theCREATE
privilege for a table, you can include index definitions in theCREATE TABLE
statement.Enables rows to be inserted into tables in a database.
INSERT
is also required for theANALYZE TABLE
,OPTIMIZE TABLE
, andREPAIR TABLE
table-maintenance statements.Enables use of explicit
LOCK TABLES
statements to lock tables for which you have theSELECT
privilege. This includes use of write locks, which prevents other sessions from reading the locked table.Enables display of information about the threads executing within the server (that is, information about the statements being executed by sessions). The privilege enables use of
SHOW PROCESSLIST
or mysqladmin processlist to see threads belonging to other accounts; you can always see your own threads. ThePROCESS
privilege also enables use ofSHOW ENGINE
.Enables one user to impersonate or become known as another user. See Section 6.2.18, “Proxy Users”.
Creation of a foreign key constraint requires the
REFERENCES
privilege for the parent table.Enables use of the
FLUSH
statement. It also enables mysqladmin commands that are equivalent toFLUSH
operations:flush-hosts
,flush-logs
,flush-privileges
,flush-status
,flush-tables
,flush-threads
,refresh
, andreload
.The
reload
command tells the server to reload the grant tables into memory.flush-privileges
is a synonym forreload
. Therefresh
command closes and reopens the log files and flushes all tables. The otherflush-
commands perform functions similar toxxx
refresh
, but are more specific and may be preferable in some instances. For example, if you want to flush just the log files,flush-logs
is a better choice thanrefresh
.The
RELOAD
privilege also enables use of theRESET MASTER
andRESET SLAVE
statements.Enables use of the
SHOW MASTER STATUS
,SHOW SLAVE STATUS
, andSHOW BINARY LOGS
statements. Grant this privilege to accounts that are used by slave servers to connect to the current server as their master.Enables the account to request updates that have been made to databases on the master server, using the
SHOW SLAVE HOSTS
,SHOW RELAYLOG EVENTS
, andSHOW BINLOG EVENTS
statements. This privilege is also required to use the mysqlbinlog options--read-from-remote-server
(-R
) and--read-from-remote-master
. Grant this privilege to accounts that are used by slave servers to connect to the current server as their master.Enables rows to be selected from tables in a database.
SELECT
statements require theSELECT
privilege only if they actually access tables. SomeSELECT
statements do not access tables and can be executed without permission for any database. For example, you can useSELECT
as a simple calculator to evaluate expressions that make no reference to tables:The
SELECT
privilege is also needed for other statements that read column values. For example,SELECT
is needed for columns referenced on the right hand side ofcol_name
=expr
assignment inUPDATE
statements or for columns named in theWHERE
clause ofDELETE
orUPDATE
statements.The
SELECT
privilege is needed for tables or views used withEXPLAIN
, including any underlying tables in view definitions.Enables the account to see database names by issuing the
SHOW DATABASE
statement. Accounts that do not have this privilege see only databases for which they have some privileges, and cannot use the statement at all if the server was started with the--skip-show-database
option.CautionBecause any static global privilege is considered a privilege for all databases, any static global privilege enables a user to see all database names with
SHOW DATABASES
or by examining theSCHEMATA
table ofINFORMATION_SCHEMA
, except databases that have been restricted at the database level by partial revokes.Enables use of the
SHOW CREATE VIEW
statement. This privilege is also needed for views used withEXPLAIN
.Enables use of the
SHUTDOWN
andRESTART
statements, the mysqladmin shutdown command, and themysql_shutdown()
C API function.SUPER
is a powerful and far-reaching privilege and should not be granted lightly. If an account needs to perform only a subset ofSUPER
operations, it may be possible to achieve the desired privilege set by instead granting one or more dynamic privileges, each of which confers more limited capabilities. See Dynamic Privilege Descriptions.NoteSUPER
is deprecated and will be removed in a future version of MySQL. See Migrating Accounts from SUPER to Dynamic Privileges.SUPER
affects the following operations and server behaviors:Enables system variable changes at runtime:
Enables server configuration changes to global system variables with
SET GLOBAL
andSET PERSIST
.The corresponding dynamic privilege is
SYSTEM_VARIABLES_ADMIN
.Enables setting restricted session system variables that require a special privilege.
The corresponding dynamic privilege is
SESSION_VARIABLES_ADMIN
.
Enables changes to global transaction characteristics (see Section 13.3.7, “SET TRANSACTION Syntax”).
The corresponding dynamic privilege is
SYSTEM_VARIABLES_ADMIN
.Enables the account to start and stop replication, including Group Replication.
The corresponding dynamic privilege is
REPLICATION_SLAVE_ADMIN
for regular replication,GROUP_REPLICATION_ADMIN
for Group Replication.Enables use of the
CHANGE MASTER TO
andCHANGE REPLICATION FILTER
statements.The corresponding dynamic privilege is
REPLICATION_SLAVE_ADMIN
.Enables binary log control by means of the
PURGE BINARY LOGS
andBINLOG
statements.The corresponding dynamic privilege is
BINLOG_ADMIN
.Enables setting the effective authorization ID when executing a view or stored program. A user with this privilege can specify any account in the
DEFINER
attribute of a view or stored program.The corresponding dynamic privilege is
SET_USER_ID
.Enables use of the
CREATE SERVER
,ALTER SERVER
, andDROP SERVER
statements.Enables use of the mysqladmin debug command.
Enables
InnoDB
encryption key rotation.The corresponding dynamic privilege is
ENCRYPTION_KEY_ADMIN
.Enables execution of Version Tokens user-defined functions.
The corresponding dynamic privilege is
VERSION_TOKEN_ADMIN
.Enables granting and revoking roles, use of the
WITH ADMIN OPTION
clause of theGRANT
statement, and nonempty<graphml>
element content in the result from theROLES_GRAPHML()
function.The corresponding dynamic privilege is
ROLE_ADMIN
.Enables control over client connections not permitted to non-
SUPER
accounts:Enables use of the
KILL
statement or mysqladmin kill command to kill threads belonging to other accounts. (An account can always kill its own threads.)The server does not execute
init_connect
system variable content whenSUPER
clients connect.The server accepts one connection from a
SUPER
client even if the connection limit configured by themax_connections
system variable is reached.A server in offline mode (
offline_mode
enabled) does not terminateSUPER
client connections at the next client request, and accepts new connections fromSUPER
clients.Updates can be performed even when the
read_only
system variable is enabled. This applies to explicit table updates, and to use of account-management statements such asGRANT
andREVOKE
that update tables implicitly.
The corresponding dynamic privilege for the preceding connection-control operations is
CONNECTION_ADMIN
.
You may also need the
SUPER
privilege to create or alter stored functions if binary logging is enabled, as described in Section 24.7, “Stored Program Binary Logging”.Enables trigger operations. You must have this privilege for a table to create, drop, execute, or display triggers for that table.
When a trigger is activated (by a user who has privileges to execute
INSERT
,UPDATE
, orDELETE
statements for the table associated with the trigger), trigger execution requires that the user who defined the trigger still have theTRIGGER
privilege for the table.Enables rows to be updated in tables in a database.
This privilege specifier stands for “no privileges.” It is used at the global level with
GRANT
to specify clauses such asWITH GRANT OPTION
without naming specific account privileges in the privilege list.SHOW GRANTS
displaysUSAGE
to indicate that an account has no privileges at a privilege level.
Dynamic privileges are defined at runtime, in contrast to static privileges, which are built in to the server. The following list describes each dynamic privilege available in MySQL.
Most dynamic privileges are defined at server startup. Others are defined by a particular server component or plugin, as indicated in the privilege descriptions. In such cases, the privilege is unavailable unless the component or plugin that defines it is enabled.
Particular SQL statements might have more specific privilege requirements than indicated here. If so, the description for the statement in question provides the details.
APPLICATION_PASSWORD_ADMIN
(added in MySQL 8.0.14)For dual-password capability, this privilege enables use of the
RETAIN CURRENT PASSWORD
andDISCARD OLD PASSWORD
clauses forALTER USER
andSET PASSWORD
statements that apply to your own account. This privilege is required to manipulate your own secondary password because most users require only one password.If an account is to be permitted to manipulate secondary passwords for all accounts, it should be granted the
CREATE USER
privilege rather thanAPPLICATION_PASSWORD_ADMIN
.For more information about use of dual passwords, see Section 6.2.15, “Password Management”.
Enables audit log configuration. This privilege is defined by the
audit_log
plugin; see Section 6.4.5, “MySQL Enterprise Audit”.Enables execution of the
LOCK INSTANCE FOR BACKUP
statement and access to the Performance Schemalog_status
table.The
BACKUP_ADMIN
privilege is automatically granted to users with theRELOAD
privilege when performing an in-place upgrade to MySQL 8.0 from an earlier version.Enables binary log control by means of the
PURGE BINARY LOGS
andBINLOG
statements.Enables setting the system variable
binlog_encryption
, which activates or deactivates encryption for binary log files and relay log files. This ability is not provided by theBINLOG_ADMIN
,SYSTEM_VARIABLES_ADMIN
, orSESSION_VARIABLES_ADMIN
privileges. The related system variablebinlog_rotate_encryption_master_key_at_startup
, which rotates the binary log master key automatically when the server is restarted, does not require this privilege.Enables execution of the
CLONE
statements. IncludesBACKUP_ADMIN
andSHUTDOWN
privileges.Enables use of the
KILL
statement or mysqladmin kill command to kill threads belonging to other accounts. (An account can always kill its own threads.)Enables setting system variables related to client connections, or circumventing restrictions related to client connections.
CONNECTION_ADMIN
applies to the effects of these system variables:init_connect
: The server does not executeinit_connect
system variable content whenCONNECTION_ADMIN
clients connect.max_connections
: The server accepts one connection from aCONNECTION_ADMIN
client even if the connection limit configured by themax_connections
system variable is reached.offline_mode
: A server in offline mode (offline_mode
enabled) does not terminateCONNECTION_ADMIN
client connections at the next client request, and accepts new connections fromCONNECTION_ADMIN
clients.read_only
: Updates can be performed even when theread_only
system variable is enabled. This applies to explicit table updates, and to use of account-management statements such asGRANT
andREVOKE
that update tables implicitly.
Enables
InnoDB
encryption key rotation.Enables a user to administer firewall rules for any user. This privilege is defined by the
MYSQL_FIREWALL
plugin; see Section 6.4.7, “MySQL Enterprise Firewall”.Enables users to update their own firewall rules. This privilege is defined by the
MYSQL_FIREWALL
plugin; see Section 6.4.7, “MySQL Enterprise Firewall”.Enables the account to start and stop Group Replication using the
START GROUP REPLICATION
andSTOP GROUP REPLICATION
statements, to change the global setting for thegroup_replication_consistency
system variable, and to use thegroup_replication_set_write_concurrency()
andgroup_replication_set_communication_protocol()
UDFs. Grant this privilege to accounts that are used to administer servers that are members of a replication group.Enables a user to initiate redo log archiving.
For users who also have
SYSTEM_VARIABLES_ADMIN
,PERSIST_RO_VARIABLES_ADMIN
enables use ofSET PERSIST_ONLY
to persist global system variables to themysqld-auto.cnf
option file in the data directory. This statement is similar toSET PERSIST
but does not modify the runtime global system variable value. This makesSET PERSIST_ONLY
suitable for configuring read-only system variables that can be set only at server startup.Enables the account to connect to the master server, start and stop replication using the
START SLAVE
andSTOP SLAVE
statements, and use theCHANGE MASTER TO
andCHANGE REPLICATION FILTER
statements. Grant this privilege to accounts that are used by slave servers to connect to the current server as their master. This privilege does not apply to Group Replication; useGROUP_REPLICATION_ADMIN
for that.Enables resource group management, consisting of creating, altering, and dropping resource groups, and assignment of threads and statements to resource groups. A user with this privilege can perform any operation relating to resource groups.
Enables assigning threads and statements to resource groups. A user with this privilege can use the
SET RESOURCE GROUP
statement and theRESOURCE_GROUP
optimizer hint.Enables granting and revoking roles, use of the
WITH ADMIN OPTION
clause of theGRANT
statement, and nonempty<graphml>
element content in the result from theROLES_GRAPHML()
function. Required to set the value of themandatory_roles
system variable.Enables connections to the network interface that permits only administrative connections (see Section 8.12.4.1, “How MySQL Handles Client Connections”).
SESSION_VARIABLES_ADMIN
(added in MySQL 8.0.14)For most system variables, setting the session value requires no special privileges and can be done by any user to affect the current session. For some system variables, setting the session value can have effects outside the current session and thus is a restricted operation. For these, the
SESSION_VARIABLES_ADMIN
privilege enables the user to set the session value.If a system variable is restricted and requires a special privilege to set the session value, the variable description indicates that restriction. Examples include
binlog_format
,sql_log_bin
, andsql_log_off
.Prior to MySQL 8.0.14 when
SESSION_VARIABLES_ADMIN
was added, restricted session system variables can be set only by users who have theSYSTEM_VARIABLES_ADMIN
orSUPER
privilege.The
SESSION_VARIABLES_ADMIN
privilege is a subset of theSYSTEM_VARIABLES_ADMIN
andSUPER
privileges. A user who has either of those privileges is also permitted to set restricted session variables and effectively hasSESSION_VARIABLES_ADMIN
by implication and need not be grantedSESSION_VARIABLES_ADMIN
explicitly.Enables setting the effective authorization ID when executing a view or stored program. A user with this privilege can specify any account in the
DEFINER
attribute of a view or stored program.SYSTEM_USER
(added in MySQL 8.0.16)The
SYSTEM_USER
privilege distinguishes system users from regular users:A user with the
SYSTEM_USER
privilege is a system user.A user without the
SYSTEM_USER
privilege is a regular user.
The
SYSTEM_USER
privilege has an effect on the accounts to which a given user can apply its other privileges, as well as whether the user is protected from other accounts:A system user can modify both system and regular accounts. That is, a user who has the appropriate privileges to perform a given operation on regular accounts is enabled by possession of
SYSTEM_USER
to also perform the operation on system accounts. A system account can be modified only by system users with appropriate privileges, not by regular users.A regular user with appropriate privileges can modify regular accounts, but not system accounts. A regular account can be modified by both system and regular users with appropriate privileges.
For more information, see Section 6.2.11, “Account Categories”.
The protection against modification by regular accounts that is afforded to system accounts by the
SYSTEM_USER
privilege does not apply to regular accounts that have privileges on themysql
system schema and thus can directly modify the grant tables in that schema. For full protection, do not grantmysql
schema privileges to regular accounts. See Protecting System Accounts Against Manipulation by Regular Accounts.Affects the following operations and server behaviors:
Enables system variable changes at runtime:
Enables server configuration changes to global system variables with
SET GLOBAL
andSET PERSIST
.Enables server configuration changes to global system variables with
SET PERSIST_ONLY
, if the user also hasPERSIST_RO_VARIABLES_ADMIN
.Enables setting restricted session system variables that require a special privilege. In effect,
SYSTEM_VARIABLES_ADMIN
impliesSESSION_VARIABLES_ADMIN
without explicitly grantingSESSION_VARIABLES_ADMIN
.
Enables changes to global transaction characteristics (see Section 13.3.7, “SET TRANSACTION Syntax”).
TABLE_ENCRYPTION_ADMIN
(added in MySQL 8.0.16)Enables a user to override default encryption settings when
table_encryption_privilege_check
is enabled; see Defining an Encryption Default for Schemas and General Tablespaces.Enables execution of Version Tokens user-defined functions. This privilege is defined by the
version_tokens
plugin; see Section 5.6.6, “Version Tokens”.Enables execution of the
XA RECOVER
statement; see Section 13.3.8.1, “XA Transaction SQL Syntax”.Prior to MySQL 8.0, any user could execute the
XA RECOVER
statement to discover the XID values for outstanding prepared XA transactions, possibly leading to commit or rollback of an XA transaction by a user other than the one who started it. In MySQL 8.0,XA RECOVER
is permitted only to users who have theXA_RECOVER_ADMIN
privilege, which is expected to be granted only to administrative users who have need for it. This might be the case, for example, for administrators of an XA application if it has crashed and it is necessary to find outstanding transactions started by the application so they can be rolled back. This privilege requirement prevents users from discovering the XID values for outstanding prepared XA transactions other than their own. It does not affect normal commit or rollback of an XA transaction because the user who started it knows its XID.
It is a good idea to grant to an account only those privileges
that it needs. You should exercise particular caution in
granting the FILE
and
administrative privileges:
FILE
can be abused to read into a database table any files that the MySQL server can read on the server host. This includes all world-readable files and files in the server's data directory. The table can then be accessed usingSELECT
to transfer its contents to the client host.GRANT OPTION
enables users to give their privileges to other users. Two users that have different privileges and with theGRANT OPTION
privilege are able to combine privileges.ALTER
may be used to subvert the privilege system by renaming tables.SHUTDOWN
can be abused to deny service to other users entirely by terminating the server.PROCESS
can be used to view the plain text of currently executing statements, including statements that set or change passwords.SUPER
can be used to terminate other sessions or change how the server operates.Privileges granted for the
mysql
system database itself can be used to change passwords and other access privilege information:Passwords are stored encrypted, so a malicious user cannot simply read them to know the plain text password. However, a user with write access to the
mysql.user
system tableauthentication_string
column can change an account's password, and then connect to the MySQL server using that account.INSERT
orUPDATE
granted for themysql
system database enable a user to add privileges or modify existing privileges, respectively.DROP
for themysql
system database enables a user to remote privilege tables, or even the database itself.
MySQL supports static and dynamic privileges:
Static privileges are built in to the server. They are always available to be granted to user accounts and cannot be unregistered.
Dynamic privileges can be registered and unregistered at runtime. This affects their availability: A dynamic privilege that has not been registered cannot be granted.
For example, the SELECT
and
INSERT
privileges are static and
always available, whereas a dynamic privilege becomes available
only if the server component that implements it has been
enabled.
The remainder of this section describes how dynamic privileges work in MySQL. The discussion uses the term “components” but applies equally to plugins.
Server administrators should be aware of which server components define dynamic privileges. For MySQL distributions, documentation of components that define dynamic privileges describes those privileges.
Third-party components may also define dynamic privileges; an administrator should understand those privileges and not install components that might conflict or compromise server operation. For example, one component conflicts with another if both define a privilege with the same name. Component developers can reduce the likelihood of this occurrence by choosing privilege names having a prefix based on the component name.
The server maintains the set of registered dynamic privileges internally in memory. Unregistration occurs at server shutdown.
Normally, a server component that defines dynamic privileges registers them when it is installed, during its initialization sequence. When uninstalled, a server component does not unregister its registered dynamic privileges. (This is current practice, not a requirement. That is, components could, but do not, unregister at any time privileges they register.)
No warning or error occurs for attempts to register an already registered dynamic privilege. Consider the following sequence of statements:
- INSTALL COMPONENT 'my_component';
- UNINSTALL COMPONENT 'my_component';
- INSTALL COMPONENT 'my_component';
The first INSTALL COMPONENT
statement registers any privileges defined by server component
my_component
, but
UNINSTALL COMPONENT
does not
unregister them. For the second INSTALL
COMPONENT
statement, the component privileges it
registers are found to be already registered, but no warnings or
errors occur.
Dynamic privileges apply only at the global level. The server
stores information about current assignments of dynamic
privileges to user accounts in the
mysql.global_grants
system table:
The server automatically registers privileges named in
global_grants
during server startup (unless the--skip-grant-tables
option is given).The
GRANT
andREVOKE
statements modify the contents ofglobal_grants
.Dynamic privilege assignments listed in
global_grants
are persistent. They are not removed at server shutdown.
Example: The following statement grants to user
u1
the privileges required to control
replication (including Group Replication) on a slave server, and
to modify system variables:
Granted dynamic privileges appear in the output from the
SHOW GRANTS
statement and the
INFORMATION_SCHEMA
USER_PRIVILEGES
table.
For GRANT
and
REVOKE
at the global level, any
named privileges not recognized as static are checked against
the current set of registered dynamic privileges and granted if
found. Otherwise, an error occurs to indicate an unknown
privilege identifier.
For GRANT
and
REVOKE
the meaning of
ALL [PRIVILEGES]
at the global level includes
all static global privileges, as well as all currently
registered dynamic privileges:
GRANT ALL
at the global level grants all static global privileges and all currently registered dynamic privileges. A dynamic privilege registered subsequent to execution of theGRANT
statement is not granted retroactively to any account.REVOKE ALL
at the global level revokes all granted static global privileges and all granted dynamic privileges.
The FLUSH PRIVILEGES
statement
reads the global_grants
table for dynamic
privilege assignments and registers any unregistered privileges
found there.
For descriptions of the dynamic privileges provided by MySQL Server and server components included in MySQL distributions, see Section 6.2.2, “Privileges Provided by MySQL”.
In MySQL 8.0, many operations that previously
required the SUPER
privilege are
also associated with a dynamic privilege of more limited scope.
(For descriptions of these privileges, see
Section 6.2.2, “Privileges Provided by MySQL”.) Each such operation can
be permitted to an account by granting the associated dynamic
privilege rather than SUPER
. This
change improves security by enabling DBAs to avoid granting
SUPER
and tailor user privileges
more closely to the operations permitted.
SUPER
is now deprecated and will
be removed in a future version of MySQL.
When removal of SUPER
occurs,
operations that formerly required
SUPER
will fail unless accounts
granted SUPER
are migrated to the
appropriate dynamic privileges. Use the following instructions
to accomplish that goal so that accounts are ready prior to
SUPER
removal:
Execute this query to identify accounts that are granted
SUPER
:For each account identified by the preceding query, determine the operations for which it needs
SUPER
. Then grant the dynamic privileges corresponding to those operations, and revokeSUPER
.For example, if
'u1'@'localhost'
requiresSUPER
for binary log purging and system variable modification, these statements make the required changes to the account:After you have modified all applicable accounts, the
INFORMATION_SCHEMA
query in the first step should produce an empty result set.
Deutsche Übersetzung
Sie haben gebeten, diese Seite auf Deutsch zu besuchen. Momentan ist nur die Oberfläche übersetzt, aber noch nicht der gesamte Inhalt.Wenn Sie mir bei Übersetzungen helfen wollen, ist Ihr Beitrag willkommen. Alles, was Sie tun müssen, ist, sich auf der Website zu registrieren und mir eine Nachricht zu schicken, in der Sie gebeten werden, Sie der Gruppe der Übersetzer hinzuzufügen, die Ihnen die Möglichkeit gibt, die gewünschten Seiten zu übersetzen. Ein Link am Ende jeder übersetzten Seite zeigt an, dass Sie der Übersetzer sind und einen Link zu Ihrem Profil haben.
Vielen Dank im Voraus.
Dokument erstellt 26/06/2006, zuletzt geändert 26/10/2018
Quelle des gedruckten Dokuments:https://www.gaudry.be/de/mysql-rf-privileges-provided.html
Die Infobro ist eine persönliche Seite, deren Inhalt in meiner alleinigen Verantwortung liegt. Der Text ist unter der CreativeCommons-Lizenz (BY-NC-SA) verfügbar. Weitere Informationen auf die Nutzungsbedingungen und dem Autor.
Referenzen
Diese Verweise und Links verweisen auf Dokumente, die während des Schreibens dieser Seite konsultiert wurden, oder die zusätzliche Informationen liefern können, aber die Autoren dieser Quellen können nicht für den Inhalt dieser Seite verantwortlich gemacht werden.
Der Autor Diese Website ist allein dafür verantwortlich, wie die verschiedenen Konzepte und Freiheiten, die mit den Nachschlagewerken gemacht werden, hier dargestellt werden. Denken Sie daran, dass Sie mehrere Quellinformationen austauschen müssen, um das Risiko von Fehlern zu reduzieren.