Rechercher dans le manuel MySQL
6.2.12 Privilege Restriction Using Partial Revokes
Prior to MySQL 8.0.16, it is not possible to grant privileges that
apply globally except for certain schemas. As of MySQL 8.0.16,
that is possible if the
partial_revokes
system variable
is enabled. Specifically, for users who have privileges at the
global level, partial_revokes
enables privileges for specific schemas to be revoked while
leaving the privileges in place for other schemas. Privilege
restrictions thus imposed may be useful for administration of
accounts that have global privileges but should not be permitted
to access certain schemas. For example, it is possible to permit
an account to modify any table except those in the
mysql
system schema.
For brevity, CREATE USER
statements shown here do not include passwords. For production
use, always assign account passwords.
Using Partial Revokes
The partial_revokes
system
variable controls whether privilege restrictions can be placed
on accounts. By default,
partial_revokes
is disabled and
attempts to partially revoke global privileges produce an error:
To permit the REVOKE
operation,
enable partial_revokes
:
SET
PERSIST
sets the value for the running MySQL instance.
It also saves the value, causing it to be used for subsequent
server restarts. To change the value for the running MySQL
instance without saving it for subsequent restarts, use the
GLOBAL
keyword rather than
PERSIST
. See Section 13.7.5.1, “SET Syntax for Variable Assignment”.
With partial_revokes
enabled,
the partial revoke succeeds:
- +------------------------------------------+
- | Grants for u1@% |
- +------------------------------------------+
- +------------------------------------------+
SHOW GRANTS
lists partial revokes
as REVOKE
statements in its
output. The result indicates that u1
has
global SELECT
and
INSERT
privileges, except that
INSERT
cannot be exercised for
tables in the world
schema. That is, access
by u1
to world
tables is
read only.
The server records privilege restrictions implemented through
partial revokes in the mysql.user
system
table. If an account has partial revokes, its
User_attributes
column value has a
Restrictions
attribute:
- +------+------+------------------------------------------------------+
- +------+------+------------------------------------------------------+
- | u1 | % | [{"Database": "world", "Privileges": ["INSERT"]}] |
- +------+------+------------------------------------------------------+
Although partial revokes can be imposed for any schema,
privilege restrictions on the mysql
system
schema in particular are useful as part of a strategy for
preventing regular accounts from modifying system accounts.
See Protecting System Accounts Against Manipulation by Regular Accounts.
Partial revoke operations are subject to these conditions:
Partial revokes must name the schema literally. Schema names that contain the
%
or_
SQL wildcard characters (for example,myschema%
) are not permitted.It is possible to use partial revokes to place restrictions on nonexistent schemas, but only if the revoked privilege is granted globally. If a privilege is not granted globally, revoking it for a nonexistent schema produces an error.
Partial revokes apply at the schema level only. You cannot use partial revokes for privileges that apply only globally (such as
FILE
orBINLOG_ADMIN
), or for table, column, or routine privileges.
As mentioned previously, partial revokes of schema-level
privileges appear in SHOW GRANTS
output as REVOKE
statements. This
differs from how SHOW GRANTS
represents “plain” schema-level privileges:
When granted, schema-level privileges are represented by their own
GRANT
statements in the output:- +---------------------------------------+
- | Grants for u1@% |
- +---------------------------------------+
- +---------------------------------------+
When revoked, schema-level privileges simply disappear from the output. They do not appear as
REVOKE
statements:
When a user grants a privilege, any restriction the grantor has
on the privilege is inherited by the grantee, unless the grantee
already has the privilege without the restriction. Consider the
following two users, one of whom has the global
SELECT
privilege:
Suppose that an administrative user admin
has
a global but partially revoked
SELECT
privilege:
- +------------------------------------------------------+
- | Grants for admin@% |
- +------------------------------------------------------+
- +------------------------------------------------------+
If admin
grants
SELECT
globally to
u1
and u2
, the result
differs for each user:
If
admin
grantsSELECT
globally tou1
, who has noSELECT
privilege to begin with,u1
inherits theadmin
privilege restriction:On the other hand,
u2
already holds a globalSELECT
privilege without restriction.GRANT
can only add to a grantee's existing privileges, not reduce them, so ifadmin
grantsSELECT
globally tou2
,u2
does not inherit theadmin
restriction:
If a GRANT
statement includes an
AS
clause,
the privilege restrictions applied are those on the user/role
combination specified by the clause, rather than those on the
user who executes the statement. For information about the
user
AS
clause, see Section 13.7.1.6, “GRANT Syntax”.
Restrictions on new privileges granted to an account are added to any existing restrictions for that account:
- +---------------------------------------------------------+
- | Grants for u1@% |
- +---------------------------------------------------------+
- +---------------------------------------------------------+
- +---------------------------------------------------------+
- | Grants for u1@% |
- +---------------------------------------------------------+
- +---------------------------------------------------------+
Aggregation of privilege restrictions applies both when
privileges are partially revoked explicitly (as just shown) and
when restrictions are inherited implicitly from the user who
executes the statement or the user mentioned in an AS
clause.
user
If an account has a privilege restriction on a schema:
The account cannot grant to other accounts a privilege on the restricted schema or any object within it.
Another account that does not have the restriction can grant privileges to the restricted account for the restricted schema or objects within it. Suppose that an unrestricted user executes these statements:
The resulting account has these privileges, with the ability to perform limited operations within the restricted schema:
- +-----------------------------------------------------------+
- | Grants for u1@% |
- +-----------------------------------------------------------+
- +-----------------------------------------------------------+
If an account has a restriction on a global privilege, the restriction is removed by any of these actions:
Granting the privilege globally to the account by an account that has no restriction on the privilege.
Granting the privilege at the schema level.
Revoking the privilege globally.
Consider a user u1
who holds several
privileges globally, but with restrictions on
INSERT
,
UPDATE
and
DELETE
:
- +----------------------------------------------------------+
- | Grants for u1@% |
- +----------------------------------------------------------+
- +----------------------------------------------------------+
Granting a privilege globally to u1
from an
account with no restriction removes the privilege restriction.
For example, to remove the INSERT
restriction:
- +---------------------------------------------------------+
- | Grants for u1@% |
- +---------------------------------------------------------+
- +---------------------------------------------------------+
Granting a privilege at the schema level to
u1
removes the privilege restriction. For
example, to remove the UPDATE
restriction:
- +---------------------------------------------------------+
- | Grants for u1@% |
- +---------------------------------------------------------+
- +---------------------------------------------------------+
Revoking a global privilege removes the privilege, including any
restrictions on it. For example, to remove the
DELETE
restriction (at the cost
of removing all DELETE
access):
- +-------------------------------------------------+
- | Grants for u1@% |
- +-------------------------------------------------+
- +-------------------------------------------------+
If an account has a privilege at both the global and schema
levels, you must revoke it at the schema level twice to effect a
partial revoke. Suppose that u1
has these
privileges, where INSERT
is held
both globally and on the world
schema:
- +-----------------------------------------+
- | Grants for u1@% |
- +-----------------------------------------+
- +-----------------------------------------+
Revoking INSERT
on
world
revokes the schema-level privilege
(SHOW GRANTS
no longer displays
the schema-level GRANT
statement):
- +-----------------------------------------+
- | Grants for u1@% |
- +-----------------------------------------+
- +-----------------------------------------+
Revoking INSERT
on
world
again performs a partial revoke of the
global privilege (SHOW GRANTS
now
includes a schema-level REVOKE
statement):
- +------------------------------------------+
- | Grants for u1@% |
- +------------------------------------------+
- +------------------------------------------+
To provide access to accounts for some schemas but not others, partial revokes provide an alternative to the approach of explicitly granting schema-level access without granting global privileges. The two approaches have different advantages and disadvantages.
Granting schema-level privileges and not global privileges:
Adding a new schema: The schema is inaccessible to existing accounts by default. For any account to which the schema should be accessible, the DBA must grant schema-level access.
Adding a new account: The DBA must grant schema-level access for each schema to which the account should have access.
Granting global privileges in conjunction with partial revokes:
Adding a new schema: The schema is accessible to existing accounts that have global privileges. For any such account to which the schema should be inaccessible, the DBA must add a partial revoke.
Adding a new account: The DBA must grant the global privileges, plus a partial revoke on each restricted schema.
The approach that uses explicit schema-level grant is more convenient for accounts for which access is limited to a few schemas. The approach that uses partial revokes is more convenient for accounts with broad access to all schemas except a few.
Once enabled, partial_revokes
cannot be disabled if any account has privilege restrictions. If
any such account exists, disabling
partial_revokes
fails:
For attempts to disable
partial_revokes
at startup, the server logs an error message and enablespartial_revokes
.For attempts to disable
partial_revokes
at runtime, an error occurs and thepartial_revokes
value remains unchanged.
To disable partial_revokes
when
restrictions exist, the restrictions first must be removed:
Determine which accounts have partial revokes:
For each such account, remove its privilege restrictions. Suppose that the previous step shows account
u1
to have these restrictions:- [{"Database": "world", "Privileges": ["INSERT", "DELETE"]
Restriction removal can be done various ways:
Grant the privileges globally, without restrictions:
Grant the privileges at the schema level:
Revoke the privileges globally (assuming that they are no longer needed):
Remove the account itself (assuming that it is no longer needed):
After all privilege restrictions are removed, it is possible to disable partial revokes:
In replication scenarios, if
partial_revokes
is enabled on
any host, it must be enabled on all hosts. Otherwise,
REVOKE
statements to partially
revoke a global privilege do not have the same effect for all
hosts on which replication occurs, potentially resulting in
replication inconsistencies or errors.
Document created the 26/06/2006, last modified the 26/10/2018
Source of the printed document:https://www.gaudry.be/en/mysql-rf-partial-revokes.html
The infobrol is a personal site whose content is my sole responsibility. The text is available under CreativeCommons license (BY-NC-SA). More info on the terms of use and the author.
References
These references and links indicate documents consulted during the writing of this page, or which may provide additional information, but the authors of these sources can not be held responsible for the content of this page.
The author This site is solely responsible for the way in which the various concepts, and the freedoms that are taken with the reference works, are presented here. Remember that you must cross multiple source information to reduce the risk of errors.