diff --git a/TOC.md b/TOC.md index d6f69a73bb7a..2e49a4ae7748 100644 --- a/TOC.md +++ b/TOC.md @@ -149,6 +149,7 @@ - [`COMMIT`](/sql-statements/sql-statement-commit.md) - [`CREATE DATABASE`](/sql-statements/sql-statement-create-database.md) - [`CREATE INDEX`](/sql-statements/sql-statement-create-index.md) + - [`CREATE ROLE`](/sql-statements/sql-statement-create-role.md) - [`CREATE TABLE LIKE`](/sql-statements/sql-statement-create-table-like.md) - [`CREATE TABLE`](/sql-statements/sql-statement-create-table.md) - [`CREATE USER`](/sql-statements/sql-statement-create-user.md) @@ -161,6 +162,7 @@ - [`DROP COLUMN`](/sql-statements/sql-statement-drop-column.md) - [`DROP DATABASE`](/sql-statements/sql-statement-drop-database.md) - [`DROP INDEX`](/sql-statements/sql-statement-drop-index.md) + - [`DROP ROLE`](/sql-statements/sql-statement-drop-role.md) - [`DROP TABLE`](/sql-statements/sql-statement-drop-table.md) - [`DROP USER`](/sql-statements/sql-statement-drop-user.md) - [`DROP VIEW`](/sql-statements/sql-statement-drop-view.md) @@ -171,6 +173,7 @@ - [`FLUSH STATUS`](/sql-statements/sql-statement-flush-status.md) - [`FLUSH TABLES`](/sql-statements/sql-statement-flush-tables.md) - [`GRANT `](/sql-statements/sql-statement-grant-privileges.md) + - [`GRANT `](/sql-statements/sql-statement-grant-role.md) - [`INSERT`](/sql-statements/sql-statement-insert.md) - [`KILL [TIDB]`](/sql-statements/sql-statement-kill.md) - [`LOAD DATA`](/sql-statements/sql-statement-load-data.md) @@ -182,8 +185,10 @@ - [`RENAME TABLE`](/sql-statements/sql-statement-rename-table.md) - [`REPLACE`](/sql-statements/sql-statement-replace.md) - [`REVOKE `](/sql-statements/sql-statement-revoke-privileges.md) + - [`REVOKE `](/sql-statements/sql-statement-revoke-role.md) - [`ROLLBACK`](/sql-statements/sql-statement-rollback.md) - [`SELECT`](/sql-statements/sql-statement-select.md) + - [`SET DEFAULT ROLE`](/sql-statements/sql-statement-set-default-role.md) - [`SET [NAMES|CHARACTER SET]`](/sql-statements/sql-statement-set-names.md) - [`SET PASSWORD`](/sql-statements/sql-statement-set-password.md) - [`SET ROLE`](/sql-statements/sql-statement-set-role.md) diff --git a/media/sqlgram/CreateRoleStmt.png b/media/sqlgram/CreateRoleStmt.png new file mode 100644 index 000000000000..0eb656dde737 Binary files /dev/null and b/media/sqlgram/CreateRoleStmt.png differ diff --git a/media/sqlgram/DropRoleStmt.png b/media/sqlgram/DropRoleStmt.png new file mode 100644 index 000000000000..9f65ffec2c89 Binary files /dev/null and b/media/sqlgram/DropRoleStmt.png differ diff --git a/media/sqlgram/GrantRoleStmt.png b/media/sqlgram/GrantRoleStmt.png new file mode 100644 index 000000000000..c2984fdc001d Binary files /dev/null and b/media/sqlgram/GrantRoleStmt.png differ diff --git a/media/sqlgram/RevokeRoleStmt.png b/media/sqlgram/RevokeRoleStmt.png new file mode 100644 index 000000000000..e9c0b6b6e70e Binary files /dev/null and b/media/sqlgram/RevokeRoleStmt.png differ diff --git a/media/sqlgram/RoleNameString.png b/media/sqlgram/RoleNameString.png new file mode 100644 index 000000000000..f3e4356433af Binary files /dev/null and b/media/sqlgram/RoleNameString.png differ diff --git a/media/sqlgram/RoleSpec.png b/media/sqlgram/RoleSpec.png new file mode 100644 index 000000000000..222e142f9809 Binary files /dev/null and b/media/sqlgram/RoleSpec.png differ diff --git a/media/sqlgram/Rolename.png b/media/sqlgram/Rolename.png new file mode 100755 index 000000000000..787c153370b2 Binary files /dev/null and b/media/sqlgram/Rolename.png differ diff --git a/media/sqlgram/RolenameList.png b/media/sqlgram/RolenameList.png new file mode 100755 index 000000000000..7c1e351293bb Binary files /dev/null and b/media/sqlgram/RolenameList.png differ diff --git a/media/sqlgram/SetDefaultRoleStmt.png b/media/sqlgram/SetDefaultRoleStmt.png new file mode 100644 index 000000000000..b67a272eb386 Binary files /dev/null and b/media/sqlgram/SetDefaultRoleStmt.png differ diff --git a/media/sqlgram/UsernameList.png b/media/sqlgram/UsernameList.png new file mode 100644 index 000000000000..490382c1928b Binary files /dev/null and b/media/sqlgram/UsernameList.png differ diff --git a/media/sqlgram/UsingRoles.png b/media/sqlgram/UsingRoles.png new file mode 100755 index 000000000000..41ff3a60d64c Binary files /dev/null and b/media/sqlgram/UsingRoles.png differ diff --git a/sql-statements/sql-statement-create-role.md b/sql-statements/sql-statement-create-role.md new file mode 100644 index 000000000000..41f9f4131a73 --- /dev/null +++ b/sql-statements/sql-statement-create-role.md @@ -0,0 +1,124 @@ +--- +title: CREATE ROLE +summary: TiDB 数据库中 CREATE ROLE 的使用概况。 +--- + +# CREATE ROLE + +`CREATE ROLE` 语句是基于角色的访问控制 (RBAC) 操作的一部分,用于创建新角色并将新角色分配给用户。 + +## 语法图 + +**CreateRoleStmt:** + +![CreateRoleStmt](/media/sqlgram/CreateRoleStmt.png) + +**IfNotExists:** + +![IfNotExists](/media/sqlgram/IfNotExists.png) + +**RoleSpec:** + +![RoleSpec](/media/sqlgram/RoleSpec.png) + +## 示例 + +创建新角色 `analyticsteam` 和新用户 `jennifer`: + +```sql +$ mysql -uroot + +CREATE ROLE analyticsteam; +Query OK, 0 rows affected (0.02 sec) + +GRANT SELECT ON test.* TO analyticsteam; +Query OK, 0 rows affected (0.02 sec) + +CREATE USER jennifer; +Query OK, 0 rows affected (0.01 sec) + +GRANT analyticsteam TO jennifer; +Query OK, 0 rows affected (0.01 sec) +``` + +需要注意的是,默认情况下,用户 `jennifer` 需要执行 `SET ROLE analyticsteam` 语句才能使用与角色相关联的权限: + +```sql +$ mysql -ujennifer + +SHOW GRANTS; ++---------------------------------------------+ +| Grants for User | ++---------------------------------------------+ +| GRANT USAGE ON *.* TO 'jennifer'@'%' | +| GRANT 'analyticsteam'@'%' TO 'jennifer'@'%' | ++---------------------------------------------+ +2 rows in set (0.00 sec) + +SHOW TABLES in test; +ERROR 1044 (42000): Access denied for user 'jennifer'@'%' to database 'test' +SET ROLE analyticsteam; +Query OK, 0 rows affected (0.00 sec) + +SHOW GRANTS; ++---------------------------------------------+ +| Grants for User | ++---------------------------------------------+ +| GRANT USAGE ON *.* TO 'jennifer'@'%' | +| GRANT Select ON test.* TO 'jennifer'@'%' | +| GRANT 'analyticsteam'@'%' TO 'jennifer'@'%' | ++---------------------------------------------+ +3 rows in set (0.00 sec) + +SHOW TABLES IN test; ++----------------+ +| Tables_in_test | ++----------------+ +| t1 | ++----------------+ +1 row in set (0.00 sec) +``` + +执行 `SET DEFAULT ROLE` 语句将用户 `jennifer` 与某一角色相关联,这样该用户无需执行 `SET ROLE` 语句就能拥有与角色相关联的权限。 + +```sql +$ mysql -uroot + +SET DEFAULT ROLE analyticsteam TO jennifer; +Query OK, 0 rows affected (0.02 sec) +``` + +```sql +$ mysql -ujennifer + +SHOW GRANTS; ++---------------------------------------------+ +| Grants for User | ++---------------------------------------------+ +| GRANT USAGE ON *.* TO 'jennifer'@'%' | +| GRANT Select ON test.* TO 'jennifer'@'%' | +| GRANT 'analyticsteam'@'%' TO 'jennifer'@'%' | ++---------------------------------------------+ +3 rows in set (0.00 sec) + +SHOW TABLES IN test; ++----------------+ +| Tables_in_test | ++----------------+ +| t1 | ++----------------+ +1 row in set (0.00 sec) +``` + +## MySQL 兼容性 + +`CREATE ROLE` 语句与 MySQL 8.0 的“角色”功能完全兼容。如发现任何其他兼容性差异,请在 GitHub 上提交 [issue](https://github.com/pingcap/tidb/issues/new/choose)。 + +## 另请参阅 + +* [DROP ROLE](/sql-statements/sql-statement-drop-role.md) +* [GRANT ](/sql-statements/sql-statement-grant-role.md) +* [REVOKE ](/sql-statements/sql-statement-revoke-role.md) +* [SET ROLE](/sql-statements/sql-statement-set-role.md) +* [SET DEFAULT ROLE](/sql-statements/sql-statement-set-default-role.md) +* [基于角色的访问控制](/role-based-access-control.md) diff --git a/sql-statements/sql-statement-drop-role.md b/sql-statements/sql-statement-drop-role.md new file mode 100644 index 000000000000..903f42e5782d --- /dev/null +++ b/sql-statements/sql-statement-drop-role.md @@ -0,0 +1,146 @@ +--- +title: DROP ROLE +summary: TiDB 数据库中 DROP ROLE 的使用概况。 +--- + +# DROP ROLE + +使用 `DROP ROLE` 语句可删除已用 `CREATE ROLE` 语句创建的角色。 + +## 语法图 + +**DropRoleStmt:** + +![DropRoleStmt](/media/sqlgram/DropRoleStmt.png) + +**RolenameList:** + +![RolenameList](/media/sqlgram/RolenameList.png) + +## 示例 + +创建新角色 `analyticsteam` 和新用户 `jennifer`: + +```sql +$ mysql -uroot + +CREATE ROLE analyticsteam; +Query OK, 0 rows affected (0.02 sec) + +GRANT SELECT ON test.* TO analyticsteam; +Query OK, 0 rows affected (0.02 sec) + +CREATE USER jennifer; +Query OK, 0 rows affected (0.01 sec) + +GRANT analyticsteam TO jennifer; +Query OK, 0 rows affected (0.01 sec) +``` + +需要注意的是,默认情况下,用户 `jennifer` 需要执行 `SET ROLE analyticsteam` 语句才能使用与角色相关联的权限: + +```sql +$ mysql -ujennifer + +SHOW GRANTS; ++---------------------------------------------+ +| Grants for User | ++---------------------------------------------+ +| GRANT USAGE ON *.* TO 'jennifer'@'%' | +| GRANT 'analyticsteam'@'%' TO 'jennifer'@'%' | ++---------------------------------------------+ +2 rows in set (0.00 sec) + +SHOW TABLES in test; +ERROR 1044 (42000): Access denied for user 'jennifer'@'%' to database 'test' +SET ROLE analyticsteam; +Query OK, 0 rows affected (0.00 sec) + +SHOW GRANTS; ++---------------------------------------------+ +| Grants for User | ++---------------------------------------------+ +| GRANT USAGE ON *.* TO 'jennifer'@'%' | +| GRANT Select ON test.* TO 'jennifer'@'%' | +| GRANT 'analyticsteam'@'%' TO 'jennifer'@'%' | ++---------------------------------------------+ +3 rows in set (0.00 sec) + +SHOW TABLES IN test; ++----------------+ +| Tables_in_test | ++----------------+ +| t1 | ++----------------+ +1 row in set (0.00 sec) +``` + +执行 `SET DEFAULT ROLE` 语句将用户 `jennifer` 与某一角色相关联,这样该用户无需执行 `SET ROLE` 语句就能拥有与角色相关联的权限。 + +```sql +$ mysql -uroot + +SET DEFAULT ROLE analyticsteam TO jennifer; +Query OK, 0 rows affected (0.02 sec) +``` + +```sql +$ mysql -ujennifer + +SHOW GRANTS; ++---------------------------------------------+ +| Grants for User | ++---------------------------------------------+ +| GRANT USAGE ON *.* TO 'jennifer'@'%' | +| GRANT Select ON test.* TO 'jennifer'@'%' | +| GRANT 'analyticsteam'@'%' TO 'jennifer'@'%' | ++---------------------------------------------+ +3 rows in set (0.00 sec) + +SHOW TABLES IN test; ++----------------+ +| Tables_in_test | ++----------------+ +| t1 | ++----------------+ +1 row in set (0.00 sec) +``` + +删除角色 `analyticsteam`: + +```sql +$ mysql -uroot + +DROP ROLE analyticsteam; +Query OK, 0 rows affected (0.02 sec) +``` + +Jennifer 不再具有与 analyticsteam 关联的默认角色,或不能再将 analyticsteam 设为启用角色: + +```sql +$ mysql -ujennifer + +SHOW GRANTS; ++--------------------------------------+ +| Grants for User | ++--------------------------------------+ +| GRANT USAGE ON *.* TO 'jennifer'@'%' | ++--------------------------------------+ +1 row in set (0.00 sec) + +SET ROLE analyticsteam; +ERROR 3530 (HY000): `analyticsteam`@`%` is is not granted to jennifer@% +``` + +## MySQL 兼容性 + +`DROP ROLE` 语句与 MySQL 8.0 的角色功能完全兼容。如发现任何其他兼容性差异,请在 GitHub 上提交 [issue](https://github.com/pingcap/tidb/issues/new/choose)。 + +## 另请参阅 + +* [CREATE ROLE](/sql-statements/sql-statement-create-role.md) +* [GRANT ](/sql-statements/sql-statement-grant-role.md) +* [REVOKE ](/sql-statements/sql-statement-revoke-role.md) +* [SET ROLE](/sql-statements/sql-statement-set-role.md) +* [SET DEFAULT ROLE](/sql-statements/sql-statement-set-default-role.md) +* [基于角色的访问控制](/role-based-access-control.md) diff --git a/sql-statements/sql-statement-grant-privileges.md b/sql-statements/sql-statement-grant-privileges.md index 2bf488e801db..f7895d9a19ec 100644 --- a/sql-statements/sql-statement-grant-privileges.md +++ b/sql-statements/sql-statement-grant-privileges.md @@ -84,6 +84,7 @@ SHOW GRANTS FOR 'newuser'; ## 另请参阅 +* [GRANT ](/sql-statements/sql-statement-grant-role.md) * [`REVOKE `](/sql-statements/sql-statement-revoke-privileges.md) * [SHOW GRANTS](/sql-statements/sql-statement-show-grants.md) -* [Privilege Management](/privilege-management.md) +* [权限管理](/privilege-management.md) diff --git a/sql-statements/sql-statement-grant-role.md b/sql-statements/sql-statement-grant-role.md new file mode 100644 index 000000000000..46334c828086 --- /dev/null +++ b/sql-statements/sql-statement-grant-role.md @@ -0,0 +1,122 @@ +--- +title: GRANT +summary: TiDB 数据库中 GRANT 的使用概况。 +--- + +# `GRANT ` + +`GRANT ` 语句用于将之前创建的角色授予给现有用户。用户可以通过 `SET ROLE ` 语句拥有角色权限,或者通过 `SET ROLE ALL` 语句拥有被授予的所有角色。 + +## 语法图 + +**GrantRoleStmt:** + +![GrantRoleStmt](/media/sqlgram/GrantRoleStmt.png) + +**RolenameList:** + +![RolenameList](/media/sqlgram/RolenameList.png) + +**UsernameList:** + +![UsernameList](/media/sqlgram/UsernameList.png) + +## 示例 + +创建新角色 `analyticsteam` 和新用户 `jennifer`: + +```sql +$ mysql -uroot + +CREATE ROLE analyticsteam; +Query OK, 0 rows affected (0.02 sec) +GRANT SELECT ON test.* TO analyticsteam; +Query OK, 0 rows affected (0.02 sec) +CREATE USER jennifer; +Query OK, 0 rows affected (0.01 sec) +GRANT analyticsteam TO jennifer; +Query OK, 0 rows affected (0.01 sec) +``` + +需要注意的是,默认情况下,用户 `jennifer` 需要执行 `SET ROLE analyticsteam` 语句才能使用与角色相关联的权限: + +```sql +$ mysql -ujennifer + +SHOW GRANTS; ++---------------------------------------------+ +| Grants for User | ++---------------------------------------------+ +| GRANT USAGE ON *.* TO 'jennifer'@'%' | +| GRANT 'analyticsteam'@'%' TO 'jennifer'@'%' | ++---------------------------------------------+ +2 rows in set (0.00 sec) + +SHOW TABLES in test; +ERROR 1044 (42000): Access denied for user 'jennifer'@'%' to database 'test' +SET ROLE analyticsteam; +Query OK, 0 rows affected (0.00 sec) + +SHOW GRANTS; ++---------------------------------------------+ +| Grants for User | ++---------------------------------------------+ +| GRANT USAGE ON *.* TO 'jennifer'@'%' | +| GRANT Select ON test.* TO 'jennifer'@'%' | +| GRANT 'analyticsteam'@'%' TO 'jennifer'@'%' | ++---------------------------------------------+ +3 rows in set (0.00 sec) + +SHOW TABLES IN test; ++----------------+ +| Tables_in_test | ++----------------+ +| t1 | ++----------------+ +1 row in set (0.00 sec) +``` + +执行 `SET DEFAULT ROLE` 语句将用户 `jennifer` 与某一角色相关联,这样该用户无需执行 `SET ROLE` 语句就能拥有与角色相关联的权限。 + +```sql +$ mysql -uroot + +SET DEFAULT ROLE analyticsteam TO jennifer; +Query OK, 0 rows affected (0.02 sec) +``` + +```sql +$ mysql -ujennifer + +SHOW GRANTS; ++---------------------------------------------+ +| Grants for User | ++---------------------------------------------+ +| GRANT USAGE ON *.* TO 'jennifer'@'%' | +| GRANT Select ON test.* TO 'jennifer'@'%' | +| GRANT 'analyticsteam'@'%' TO 'jennifer'@'%' | ++---------------------------------------------+ +3 rows in set (0.00 sec) + +SHOW TABLES IN test; ++----------------+ +| Tables_in_test | ++----------------+ +| t1 | ++----------------+ +1 row in set (0.00 sec) +``` + +## MySQL 兼容性 + +`GRANT ` 语句与 MySQL 8.0 的角色功能完全兼容。如发现任何其他兼容性差异,请在 GitHub 上提交 [issue](https://github.com/pingcap/tidb/issues/new/choose)。 + +## 另请参阅 + +* [GRANT ](/sql-statements/sql-statement-grant-privileges.md) +* [CREATE ROLE](/sql-statements/sql-statement-create-role.md) +* [DROP ROLE](/sql-statements/sql-statement-drop-role.md) +* [REVOKE ](/sql-statements/sql-statement-revoke-role.md) +* [SET ROLE](/sql-statements/sql-statement-set-role.md) +* [SET DEFAULT ROLE](/sql-statements/sql-statement-set-default-role.md) +* [基于角色的访问控制](/role-based-access-control.md) diff --git a/sql-statements/sql-statement-revoke-role.md b/sql-statements/sql-statement-revoke-role.md new file mode 100644 index 000000000000..c179131474f5 --- /dev/null +++ b/sql-statements/sql-statement-revoke-role.md @@ -0,0 +1,145 @@ +--- +title: REVOKE +summary: TiDB 数据库中 REVOKE 的使用概况。 +--- + +# `REVOKE ` + +`REVOKE ` 语句用于从指定的用户(或用户列表)中收回之前授予的角色。 + +## 语法图 + +**RevokeRoleStmt:** + +![RevokeRoleStmt](/media/sqlgram/RevokeRoleStmt.png) + +**RolenameList:** + +![RolenameList](/media/sqlgram/RolenameList.png) + +**UsernameList:** + +![UsernameList](/media/sqlgram/UsernameList.png) + +## 示例 + +创建新角色 `analyticsteam` 和新用户 `jennifer`: + +```sql +$ mysql -uroot + +CREATE ROLE analyticsteam; +Query OK, 0 rows affected (0.02 sec) + +GRANT SELECT ON test.* TO analyticsteam; +Query OK, 0 rows affected (0.02 sec) + +CREATE USER jennifer; +Query OK, 0 rows affected (0.01 sec) + +GRANT analyticsteam TO jennifer; +Query OK, 0 rows affected (0.01 sec) +``` + +需要注意的是,默认情况下,用户 `jennifer` 需要执行 `SET ROLE analyticsteam` 语句才能使用与角色相关联的权限: + +```sql +$ mysql -ujennifer + +SHOW GRANTS; ++---------------------------------------------+ +| Grants for User | ++---------------------------------------------+ +| GRANT USAGE ON *.* TO 'jennifer'@'%' | +| GRANT 'analyticsteam'@'%' TO 'jennifer'@'%' | ++---------------------------------------------+ +2 rows in set (0.00 sec) + +SHOW TABLES in test; +ERROR 1044 (42000): Access denied for user 'jennifer'@'%' to database 'test' +SET ROLE analyticsteam; +Query OK, 0 rows affected (0.00 sec) + +SHOW GRANTS; ++---------------------------------------------+ +| Grants for User | ++---------------------------------------------+ +| GRANT USAGE ON *.* TO 'jennifer'@'%' | +| GRANT Select ON test.* TO 'jennifer'@'%' | +| GRANT 'analyticsteam'@'%' TO 'jennifer'@'%' | ++---------------------------------------------+ +3 rows in set (0.00 sec) + +SHOW TABLES IN test; ++----------------+ +| Tables_in_test | ++----------------+ +| t1 | ++----------------+ +1 row in set (0.00 sec) +``` + +执行 `SET DEFAULT ROLE` 语句将用户 `jennifer` 与某一角色相关联,这样该用户无需执行 `SET ROLE` 语句就能拥有与角色相关联的权限。 + +```sql +$ mysql -uroot + +SET DEFAULT ROLE analyticsteam TO jennifer; +Query OK, 0 rows affected (0.02 sec) +``` + +```sql +$ mysql -ujennifer + +SHOW GRANTS; ++---------------------------------------------+ +| Grants for User | ++---------------------------------------------+ +| GRANT USAGE ON *.* TO 'jennifer'@'%' | +| GRANT Select ON test.* TO 'jennifer'@'%' | +| GRANT 'analyticsteam'@'%' TO 'jennifer'@'%' | ++---------------------------------------------+ +3 rows in set (0.00 sec) + +SHOW TABLES IN test; ++----------------+ +| Tables_in_test | ++----------------+ +| t1 | ++----------------+ +1 row in set (0.00 sec) +``` + +收回角色 `analyticsteam`: + +```sql +$ mysql -uroot + +REVOKE analyticsteam FROM jennifer; +Query OK, 0 rows affected (0.01 sec) +``` + +```sql +$ mysql -ujennifer + +SHOW GRANTS; ++--------------------------------------+ +| Grants for User | ++--------------------------------------+ +| GRANT USAGE ON *.* TO 'jennifer'@'%' | ++--------------------------------------+ +1 row in set (0.00 sec) +``` + +## MySQL 兼容性 + +`REVOKE ` 语句与 MySQL 8.0 的角色功能完全兼容。如发现任何其他兼容性差异,请在 GitHub 上提交 [issue](https://github.com/pingcap/tidb/issues/new/choose)。 + +## 另请参阅 + +* [CREATE ROLE](/sql-statements/sql-statement-create-role.md) +* [DROP ROLE](/sql-statements/sql-statement-drop-role.md) +* [GRANT ](/sql-statements/sql-statement-grant-role.md) +* [SET ROLE](/sql-statements/sql-statement-set-role.md) +* [SET DEFAULT ROLE](/sql-statements/sql-statement-set-default-role.md) +* [基于角色的访问控制](/role-based-access-control.md) diff --git a/sql-statements/sql-statement-set-default-role.md b/sql-statements/sql-statement-set-default-role.md new file mode 100644 index 000000000000..3a441c0d793c --- /dev/null +++ b/sql-statements/sql-statement-set-default-role.md @@ -0,0 +1,132 @@ +--- +title: SET DEFAULT ROLE +summary: TiDB 数据库中 SET DEFAULT ROLE 的使用概况。 +--- + +# `SET DEFAULT ROLE` + +`SET DEFAULT ROLE` 语句默认设置将特定角色应用于用户。因此,用户不必执行 `SET ROLE ` 或 `SET ROLE ALL` 语句,也可以自动具有与角色相关联的权限。 + +## 语法图 + +**SetDefaultRoleStmt:** + +![SetDefaultRoleStmt](/media/sqlgram/SetDefaultRoleStmt.png) + +**SetDefaultRoleOpt:** + +![SetDefaultRoleOpt](/media/sqlgram/SetDefaultRoleOpt.png) + +**RolenameList:** + +![RolenameList](/media/sqlgram/RolenameList.png) + +**UsernameList:** + +![UsernameList](/media/sqlgram/UsernameList.png) + +## 示例 + +创建新角色 `analyticsteam` 和新用户 `jennifer`: + +```sql +$ mysql -uroot + +CREATE ROLE analyticsteam; +Query OK, 0 rows affected (0.02 sec) +GRANT SELECT ON test.* TO analyticsteam; +Query OK, 0 rows affected (0.02 sec) +CREATE USER jennifer; +Query OK, 0 rows affected (0.01 sec) +GRANT analyticsteam TO jennifer; +Query OK, 0 rows affected (0.01 sec) +``` + +需要注意的是,默认情况下,用户 `jennifer` 需要执行 `SET ROLE analyticsteam` 语句才能使用与角色相关联的权限: + +```sql +$ mysql -ujennifer + +SHOW GRANTS; ++---------------------------------------------+ +| Grants for User | ++---------------------------------------------+ +| GRANT USAGE ON *.* TO 'jennifer'@'%' | +| GRANT 'analyticsteam'@'%' TO 'jennifer'@'%' | ++---------------------------------------------+ +2 rows in set (0.00 sec) + +SHOW TABLES in test; +ERROR 1044 (42000): Access denied for user 'jennifer'@'%' to database 'test' +SET ROLE analyticsteam; +Query OK, 0 rows affected (0.00 sec) + +SHOW GRANTS; ++---------------------------------------------+ +| Grants for User | ++---------------------------------------------+ +| GRANT USAGE ON *.* TO 'jennifer'@'%' | +| GRANT Select ON test.* TO 'jennifer'@'%' | +| GRANT 'analyticsteam'@'%' TO 'jennifer'@'%' | ++---------------------------------------------+ +3 rows in set (0.00 sec) + +SHOW TABLES IN test; ++----------------+ +| Tables_in_test | ++----------------+ +| t1 | ++----------------+ +1 row in set (0.00 sec) +``` + +执行 `SET DEFAULT ROLE` 语句将用户 `jennifer` 与某一角色相关联,这样该用户无需执行 `SET ROLE` 语句就能拥有与角色相关联的权限。 + +```sql +$ mysql -uroot + +SET DEFAULT ROLE analyticsteam TO jennifer; +Query OK, 0 rows affected (0.02 sec) +``` + +```sql +$ mysql -ujennifer + +SHOW GRANTS; ++---------------------------------------------+ +| Grants for User | ++---------------------------------------------+ +| GRANT USAGE ON *.* TO 'jennifer'@'%' | +| GRANT Select ON test.* TO 'jennifer'@'%' | +| GRANT 'analyticsteam'@'%' TO 'jennifer'@'%' | ++---------------------------------------------+ +3 rows in set (0.00 sec) + +SHOW TABLES IN test; ++----------------+ +| Tables_in_test | ++----------------+ +| t1 | ++----------------+ +1 row in set (0.00 sec) +``` + +`SET DEFAULT ROLE` 语句不会自动将相关角色授予 (`GRANT`) 用户。若尝试为 `jennifer` 尚未被授予的角色执行 `SET DEFAULT ROLE` 语句会导致以下错误: + +```sql +SET DEFAULT ROLE analyticsteam TO jennifer; +ERROR 3530 (HY000): `analyticsteam`@`%` is is not granted to jennifer@% +``` + +## MySQL 兼容性 + +`SET DEFAULT ROLE` 语句与 MySQL 8.0 的角色功能完全兼容。如发现任何其他兼容性差异,请在 GitHub 上提交 [issue](https://github.com/pingcap/tidb/issues/new/choose)。 + +## 另请参阅 + +* [CREATE ROLE](/sql-statements/sql-statement-create-role.md) +* [DROP ROLE](/sql-statements/sql-statement-drop-role.md) +* [GRANT ](/sql-statements/sql-statement-grant-role.md) +* [REVOKE ](/sql-statements/sql-statement-revoke-role.md) +* [SET ROLE](/sql-statements/sql-statement-set-role.md) +* [基于角色的访问控制](/role-based-access-control.md) diff --git a/sql-statements/sql-statement-set-role.md b/sql-statements/sql-statement-set-role.md index 998e76121fa0..ef077d446d9f 100644 --- a/sql-statements/sql-statement-set-role.md +++ b/sql-statements/sql-statement-set-role.md @@ -72,7 +72,7 @@ SELECT CURRENT_ROLE(); 1 row in set (0.000 sec) ``` -执行 `SET ROLE` 将启用角色设置为 `DEFALUT`。 +执行 `SET ROLE` 将启用角色设置为 `DEFAULT`。 {{< copyable "sql" >}} @@ -108,6 +108,15 @@ SELECT CURRENT_ROLE(); 1 row in set (0.000 sec) ``` +## MySQL 兼容性 + +`SET ROLE` 语句与 MySQL 8.0 的角色功能完全兼容。如发现任何其他兼容性差异,请在 GitHub 上提交 [issue](https://github.com/pingcap/tidb/issues/new/choose)。 + ## 另请参阅 +* [CREATE ROLE](/sql-statements/sql-statement-create-role.md) +* [DROP ROLE](/sql-statements/sql-statement-drop-role.md) +* [GRANT ](/sql-statements/sql-statement-grant-role.md) +* [REVOKE ](/sql-statements/sql-statement-revoke-role.md) +* [SET DEFAULT ROLE](/sql-statements/sql-statement-set-default-role.md) * [基于角色的访问控制](/role-based-access-control.md) diff --git a/sql-statements/sql-statement-start-transaction.md b/sql-statements/sql-statement-start-transaction.md index ebe02bfd7d92..0a6b4233b909 100644 --- a/sql-statements/sql-statement-start-transaction.md +++ b/sql-statements/sql-statement-start-transaction.md @@ -60,7 +60,7 @@ Query OK, 0 rows affected (0.01 sec) ## MySQL 兼容性 -`START TRANSACTION` 语句与 MySQL 完全兼容。如有任何兼容性差异,请在 GitHub 上提交 [issue](/report-issue.md)。 +`START TRANSACTION` 语句与 MySQL 完全兼容。如发现任何兼容性差异,请在 GitHub 上提交 [issue](https://github.com/pingcap/tidb/issues/new/choose)。 ## 另请参阅