sql-statements: add statement reference for ROLES (#4313) (#4400)

* cherry pick #4313 to release-3.0 Signed-off-by: ti-srebot <ti-srebot@pingcap.com> * sql-statements: add statement reference for ROLES * Update sql-statement-start-transaction.md * Delete sql-statement-shutdown.md * Update toc and add 11 sqlgram images Co-authored-by: JoyinQ <56883733+Joyinqin@users.noreply.github.com> Co-authored-by: lilin90 <lilin@pingcap.com>
pingcap · Sep 1, 2020 · d5b4d58 · d5b4d58
1 parent c4fa40a
commit d5b4d58
Show file tree

Hide file tree

Showing 20 changed files with 687 additions and 3 deletions.
diff --git a/TOC.md b/TOC.md
@@ -149,6 +149,7 @@
       - [`COMMIT`](/sql-statements/sql-statement-commit.md)
       - [`CREATE DATABASE`](/sql-statements/sql-statement-create-database.md)
       - [`CREATE INDEX`](/sql-statements/sql-statement-create-index.md)
+      - [`CREATE ROLE`](/sql-statements/sql-statement-create-role.md)
       - [`CREATE TABLE LIKE`](/sql-statements/sql-statement-create-table-like.md)
       - [`CREATE TABLE`](/sql-statements/sql-statement-create-table.md)
       - [`CREATE USER`](/sql-statements/sql-statement-create-user.md)
@@ -161,6 +162,7 @@
       - [`DROP COLUMN`](/sql-statements/sql-statement-drop-column.md)
       - [`DROP DATABASE`](/sql-statements/sql-statement-drop-database.md)
       - [`DROP INDEX`](/sql-statements/sql-statement-drop-index.md)
+      - [`DROP ROLE`](/sql-statements/sql-statement-drop-role.md)
       - [`DROP TABLE`](/sql-statements/sql-statement-drop-table.md)
       - [`DROP USER`](/sql-statements/sql-statement-drop-user.md)
       - [`DROP VIEW`](/sql-statements/sql-statement-drop-view.md)
@@ -171,6 +173,7 @@
       - [`FLUSH STATUS`](/sql-statements/sql-statement-flush-status.md)
       - [`FLUSH TABLES`](/sql-statements/sql-statement-flush-tables.md)
       - [`GRANT <privileges>`](/sql-statements/sql-statement-grant-privileges.md)
+      - [`GRANT <role>`](/sql-statements/sql-statement-grant-role.md)
       - [`INSERT`](/sql-statements/sql-statement-insert.md)
       - [`KILL [TIDB]`](/sql-statements/sql-statement-kill.md)
       - [`LOAD DATA`](/sql-statements/sql-statement-load-data.md)
@@ -182,8 +185,10 @@
       - [`RENAME TABLE`](/sql-statements/sql-statement-rename-table.md)
       - [`REPLACE`](/sql-statements/sql-statement-replace.md)
       - [`REVOKE <privileges>`](/sql-statements/sql-statement-revoke-privileges.md)
+      - [`REVOKE <role>`](/sql-statements/sql-statement-revoke-role.md)
       - [`ROLLBACK`](/sql-statements/sql-statement-rollback.md)
       - [`SELECT`](/sql-statements/sql-statement-select.md)
+      - [`SET DEFAULT ROLE`](/sql-statements/sql-statement-set-default-role.md)
       - [`SET [NAMES|CHARACTER SET]`](/sql-statements/sql-statement-set-names.md)
       - [`SET PASSWORD`](/sql-statements/sql-statement-set-password.md)
       - [`SET ROLE`](/sql-statements/sql-statement-set-role.md)

diff --git a/media/sqlgram/CreateRoleStmt.png b/media/sqlgram/CreateRoleStmt.png
diff --git a/media/sqlgram/DropRoleStmt.png b/media/sqlgram/DropRoleStmt.png
diff --git a/media/sqlgram/GrantRoleStmt.png b/media/sqlgram/GrantRoleStmt.png
diff --git a/media/sqlgram/RevokeRoleStmt.png b/media/sqlgram/RevokeRoleStmt.png
diff --git a/media/sqlgram/RoleNameString.png b/media/sqlgram/RoleNameString.png
diff --git a/media/sqlgram/RoleSpec.png b/media/sqlgram/RoleSpec.png
diff --git a/media/sqlgram/Rolename.png b/media/sqlgram/Rolename.png
diff --git a/media/sqlgram/RolenameList.png b/media/sqlgram/RolenameList.png
diff --git a/media/sqlgram/SetDefaultRoleStmt.png b/media/sqlgram/SetDefaultRoleStmt.png
diff --git a/media/sqlgram/UsernameList.png b/media/sqlgram/UsernameList.png
diff --git a/media/sqlgram/UsingRoles.png b/media/sqlgram/UsingRoles.png
diff --git a/sql-statements/sql-statement-create-role.md b/sql-statements/sql-statement-create-role.md
@@ -0,0 +1,124 @@
+---
+title: CREATE ROLE
+summary: TiDB 数据库中 CREATE ROLE 的使用概况。
+---
+
+# CREATE ROLE
+
+`CREATE ROLE` 语句是基于角色的访问控制 (RBAC) 操作的一部分，用于创建新角色并将新角色分配给用户。
+
+## 语法图
+
+**CreateRoleStmt:**
+
+![CreateRoleStmt](/media/sqlgram/CreateRoleStmt.png)
+
+**IfNotExists:**
+
+![IfNotExists](/media/sqlgram/IfNotExists.png)
+
+**RoleSpec:**
+
+![RoleSpec](/media/sqlgram/RoleSpec.png)
+
+## 示例
+
+创建新角色 `analyticsteam` 和新用户 `jennifer`：
+
+```sql
+$ mysql -uroot
+
+CREATE ROLE analyticsteam;
+Query OK, 0 rows affected (0.02 sec)
+
+GRANT SELECT ON test.* TO analyticsteam;
+Query OK, 0 rows affected (0.02 sec)
+
+CREATE USER jennifer;
+Query OK, 0 rows affected (0.01 sec)
+
+GRANT analyticsteam TO jennifer;
+Query OK, 0 rows affected (0.01 sec)
+```
+
+需要注意的是，默认情况下，用户 `jennifer` 需要执行 `SET ROLE analyticsteam` 语句才能使用与角色相关联的权限：
+
+```sql
+$ mysql -ujennifer
+
+SHOW GRANTS;
++---------------------------------------------+
+| Grants for User                             |
++---------------------------------------------+
+| GRANT USAGE ON *.* TO 'jennifer'@'%'        |
+| GRANT 'analyticsteam'@'%' TO 'jennifer'@'%' |
++---------------------------------------------+
+2 rows in set (0.00 sec)
+
+SHOW TABLES in test;
+ERROR 1044 (42000): Access denied for user 'jennifer'@'%' to database 'test'
+SET ROLE analyticsteam;
+Query OK, 0 rows affected (0.00 sec)
+
+SHOW GRANTS;
++---------------------------------------------+
+| Grants for User                             |
++---------------------------------------------+
+| GRANT USAGE ON *.* TO 'jennifer'@'%'        |
+| GRANT Select ON test.* TO 'jennifer'@'%'    |
+| GRANT 'analyticsteam'@'%' TO 'jennifer'@'%' |
++---------------------------------------------+
+3 rows in set (0.00 sec)
+
+SHOW TABLES IN test;
++----------------+
+| Tables_in_test |
++----------------+
+| t1             |
++----------------+
+1 row in set (0.00 sec)
+```
+
+执行 `SET DEFAULT ROLE` 语句将用户 `jennifer` 与某一角色相关联，这样该用户无需执行 `SET ROLE` 语句就能拥有与角色相关联的权限。
+
+```sql
+$ mysql -uroot
+
+SET DEFAULT ROLE analyticsteam TO jennifer;
+Query OK, 0 rows affected (0.02 sec)
+```
+
+```sql
+$ mysql -ujennifer
+
+SHOW GRANTS;
++---------------------------------------------+
+| Grants for User                             |
++---------------------------------------------+
+| GRANT USAGE ON *.* TO 'jennifer'@'%'        |
+| GRANT Select ON test.* TO 'jennifer'@'%'    |
+| GRANT 'analyticsteam'@'%' TO 'jennifer'@'%' |
++---------------------------------------------+
+3 rows in set (0.00 sec)
+
+SHOW TABLES IN test;
++----------------+
+| Tables_in_test |
++----------------+
+| t1             |
++----------------+
+1 row in set (0.00 sec)
+```
+
+## MySQL 兼容性
+
+`CREATE ROLE` 语句与 MySQL 8.0 的“角色”功能完全兼容。如发现任何其他兼容性差异，请在 GitHub 上提交 [issue](https://github.com/pingcap/tidb/issues/new/choose)。
+
+## 另请参阅
+
+* [DROP ROLE](/sql-statements/sql-statement-drop-role.md)
+* [GRANT <role>](/sql-statements/sql-statement-grant-role.md)
+* [REVOKE <role>](/sql-statements/sql-statement-revoke-role.md)
+* [SET ROLE](/sql-statements/sql-statement-set-role.md)
+* [SET DEFAULT ROLE](/sql-statements/sql-statement-set-default-role.md)
+* [基于角色的访问控制](/role-based-access-control.md)
diff --git a/sql-statements/sql-statement-drop-role.md b/sql-statements/sql-statement-drop-role.md
@@ -0,0 +1,146 @@
+---
+title: DROP ROLE
+summary: TiDB 数据库中 DROP ROLE 的使用概况。
+---
+
+# DROP ROLE
+
+使用 `DROP ROLE` 语句可删除已用 `CREATE ROLE` 语句创建的角色。
+
+## 语法图
+
+**DropRoleStmt:**
+
+![DropRoleStmt](/media/sqlgram/DropRoleStmt.png)
+
+**RolenameList:**
+
+![RolenameList](/media/sqlgram/RolenameList.png)
+
+## 示例
+
+创建新角色 `analyticsteam` 和新用户 `jennifer`：
+
+```sql
+$ mysql -uroot
+
+CREATE ROLE analyticsteam;
+Query OK, 0 rows affected (0.02 sec)
+
+GRANT SELECT ON test.* TO analyticsteam;
+Query OK, 0 rows affected (0.02 sec)
+
+CREATE USER jennifer;
+Query OK, 0 rows affected (0.01 sec)
+
+GRANT analyticsteam TO jennifer;
+Query OK, 0 rows affected (0.01 sec)
+```
+
+需要注意的是，默认情况下，用户 `jennifer` 需要执行 `SET ROLE analyticsteam` 语句才能使用与角色相关联的权限：
+
+```sql
+$ mysql -ujennifer
+
+SHOW GRANTS;
++---------------------------------------------+
+| Grants for User                             |
++---------------------------------------------+
+| GRANT USAGE ON *.* TO 'jennifer'@'%'        |
+| GRANT 'analyticsteam'@'%' TO 'jennifer'@'%' |
++---------------------------------------------+
+2 rows in set (0.00 sec)
+
+SHOW TABLES in test;
+ERROR 1044 (42000): Access denied for user 'jennifer'@'%' to database 'test'
+SET ROLE analyticsteam;
+Query OK, 0 rows affected (0.00 sec)
+
+SHOW GRANTS;
++---------------------------------------------+
+| Grants for User                             |
++---------------------------------------------+
+| GRANT USAGE ON *.* TO 'jennifer'@'%'        |
+| GRANT Select ON test.* TO 'jennifer'@'%'    |
+| GRANT 'analyticsteam'@'%' TO 'jennifer'@'%' |
++---------------------------------------------+
+3 rows in set (0.00 sec)
+
+SHOW TABLES IN test;
++----------------+
+| Tables_in_test |
++----------------+
+| t1             |
++----------------+
+1 row in set (0.00 sec)
+```
+
+执行 `SET DEFAULT ROLE` 语句将用户 `jennifer` 与某一角色相关联，这样该用户无需执行 `SET ROLE` 语句就能拥有与角色相关联的权限。
+
+```sql
+$ mysql -uroot
+
+SET DEFAULT ROLE analyticsteam TO jennifer;
+Query OK, 0 rows affected (0.02 sec)
+```
+
+```sql
+$ mysql -ujennifer
+
+SHOW GRANTS;
++---------------------------------------------+
+| Grants for User                             |
++---------------------------------------------+
+| GRANT USAGE ON *.* TO 'jennifer'@'%'        |
+| GRANT Select ON test.* TO 'jennifer'@'%'    |
+| GRANT 'analyticsteam'@'%' TO 'jennifer'@'%' |
++---------------------------------------------+
+3 rows in set (0.00 sec)
+
+SHOW TABLES IN test;
++----------------+
+| Tables_in_test |
++----------------+
+| t1             |
++----------------+
+1 row in set (0.00 sec)
+```
+
+删除角色 `analyticsteam`：
+
+```sql
+$ mysql -uroot
+
+DROP ROLE analyticsteam;
+Query OK, 0 rows affected (0.02 sec)
+```
+
+Jennifer 不再具有与 analyticsteam 关联的默认角色，或不能再将 analyticsteam 设为启用角色：
+
+```sql
+$ mysql -ujennifer
+
+SHOW GRANTS;
++--------------------------------------+
+| Grants for User                      |
++--------------------------------------+
+| GRANT USAGE ON *.* TO 'jennifer'@'%' |
++--------------------------------------+
+1 row in set (0.00 sec)
+
+SET ROLE analyticsteam;
+ERROR 3530 (HY000): `analyticsteam`@`%` is is not granted to jennifer@%
+```
+
+## MySQL 兼容性
+
+`DROP ROLE` 语句与 MySQL 8.0 的角色功能完全兼容。如发现任何其他兼容性差异，请在 GitHub 上提交 [issue](https://github.com/pingcap/tidb/issues/new/choose)。
+
+## 另请参阅
+
+* [CREATE ROLE](/sql-statements/sql-statement-create-role.md)
+* [GRANT <role>](/sql-statements/sql-statement-grant-role.md)
+* [REVOKE <role>](/sql-statements/sql-statement-revoke-role.md)
+* [SET ROLE](/sql-statements/sql-statement-set-role.md)
+* [SET DEFAULT ROLE](/sql-statements/sql-statement-set-default-role.md)
+* [基于角色的访问控制](/role-based-access-control.md)
diff --git a/sql-statements/sql-statement-grant-privileges.md b/sql-statements/sql-statement-grant-privileges.md
@@ -84,6 +84,7 @@ SHOW GRANTS FOR 'newuser';
 
 ## 另请参阅
 
+* [GRANT <role>](/sql-statements/sql-statement-grant-role.md)
 * [`REVOKE <privileges>`](/sql-statements/sql-statement-revoke-privileges.md)
 * [SHOW GRANTS](/sql-statements/sql-statement-show-grants.md)
-* [Privilege Management](/privilege-management.md)
+* [权限管理](/privilege-management.md)