From 755f4a507328e2daea69ab09a4a720b831a6ed41 Mon Sep 17 00:00:00 2001 From: Nullnotnil Date: Tue, 7 Jul 2020 16:13:37 -0600 Subject: [PATCH 1/2] sql-statements: add statement reference for ROLES --- TOC.md | 7 +- sql-statements/sql-statement-create-role.md | 169 ++++++++++++++ sql-statements/sql-statement-drop-role.md | 213 ++++++++++++++++++ .../sql-statement-grant-privileges.md | 1 + sql-statements/sql-statement-grant-role.md | 170 ++++++++++++++ sql-statements/sql-statement-revoke-role.md | 212 +++++++++++++++++ .../sql-statement-set-default-role.md | 180 +++++++++++++++ sql-statements/sql-statement-set-role.md | 11 +- 8 files changed, 961 insertions(+), 2 deletions(-) create mode 100644 sql-statements/sql-statement-create-role.md create mode 100644 sql-statements/sql-statement-drop-role.md create mode 100644 sql-statements/sql-statement-grant-role.md create mode 100644 sql-statements/sql-statement-revoke-role.md create mode 100644 sql-statements/sql-statement-set-default-role.md diff --git a/TOC.md b/TOC.md index 81c2d16e9f1e4..6cb8b9d8efa56 100644 --- a/TOC.md +++ b/TOC.md @@ -228,6 +228,7 @@ + [`CREATE BINDING`](/sql-statements/sql-statement-create-binding.md) + [`CREATE DATABASE`](/sql-statements/sql-statement-create-database.md) + [`CREATE INDEX`](/sql-statements/sql-statement-create-index.md) + + [`CREATE ROLE`](/sql-statements/sql-statement-create-role.md) + [`CREATE SEQUENCE`](/sql-statements/sql-statement-create-sequence.md) + [`CREATE TABLE LIKE`](/sql-statements/sql-statement-create-table-like.md) + [`CREATE TABLE`](/sql-statements/sql-statement-create-table.md) 
@@ -242,8 +243,9 @@ + [`DROP COLUMN`](/sql-statements/sql-statement-drop-column.md) + [`DROP DATABASE`](/sql-statements/sql-statement-drop-database.md) + [`DROP INDEX`](/sql-statements/sql-statement-drop-index.md) + + [`DROP ROLE`](/sql-statements/sql-statement-drop-role.md) + [`DROP SEQUENCE`](/sql-statements/sql-statement-drop-sequence.md) - - [`DROP STATS`](/sql-statements/sql-statement-drop-stats.md) + + [`DROP STATS`](/sql-statements/sql-statement-drop-stats.md) + [`DROP TABLE`](/sql-statements/sql-statement-drop-table.md) + [`DROP USER`](/sql-statements/sql-statement-drop-user.md) + [`DROP VIEW`](/sql-statements/sql-statement-drop-view.md) @@ -255,6 +257,7 @@ + [`FLUSH STATUS`](/sql-statements/sql-statement-flush-status.md) + [`FLUSH TABLES`](/sql-statements/sql-statement-flush-tables.md) + [`GRANT `](/sql-statements/sql-statement-grant-privileges.md) + + [`GRANT `](/sql-statements/sql-statement-grant-role.md) + [`INSERT`](/sql-statements/sql-statement-insert.md) + [`KILL [TIDB]`](/sql-statements/sql-statement-kill.md) + [`LOAD DATA`](/sql-statements/sql-statement-load-data.md) @@ -267,6 +270,7 @@ + [`REPLACE`](/sql-statements/sql-statement-replace.md) + [`RESTORE`](/sql-statements/sql-statement-restore.md) + [`REVOKE `](/sql-statements/sql-statement-revoke-privileges.md) + + [`REVOKE `](/sql-statements/sql-statement-revoke-role.md) + [`ROLLBACK`](/sql-statements/sql-statement-rollback.md) + [`SELECT`](/sql-statements/sql-statement-select.md) + [`SET [NAMES|CHARACTER SET]`](/sql-statements/sql-statement-set-names.md) 
@@ -287,6 +291,7 @@ + [`SHOW CREATE USER`](/sql-statements/sql-statement-show-create-user.md) + [`SHOW DATABASES`](/sql-statements/sql-statement-show-databases.md) + [`SHOW DRAINER STATUS`](/sql-statements/sql-statement-show-drainer-status.md) + + [`SHOW DEFAULT ROLE`](/sql-statements/sql-statement-set-default-role.md) + [`SHOW ENGINES`](/sql-statements/sql-statement-show-engines.md) + [`SHOW ERRORS`](/sql-statements/sql-statement-show-errors.md) + [`SHOW [FULL] FIELDS FROM`](/sql-statements/sql-statement-show-fields-from.md) diff --git a/sql-statements/sql-statement-create-role.md b/sql-statements/sql-statement-create-role.md new file mode 100644 index 0000000000000..5f20ff2133859 --- /dev/null +++ b/sql-statements/sql-statement-create-role.md 
@@ -0,0 +1,169 @@ +--- +title: CREATE ROLE | TiDB SQL Statement Reference +summary: An overview of the usage of CREATE ROLE for the TiDB database. +category: reference +--- + +# CREATE ROLE + +This statement creates a new role, which can be assigned to users as part of role-based access control. + +## Synopsis + +**CreateRoleStmt:** + +![CreateRoleStmt](/media/sqlgram/CreateRoleStmt.png) + +**IfNotExists:** + +![IfNotExists](/media/sqlgram/IfNotExists.png) + +**RoleSpec:** + +![RoleSpec](/media/sqlgram/RoleSpec.png) + +## Examples + +Create a new role for the analytics team, and a new user called `jennifer`: + +```sql +$ mysql -uroot +Welcome to the MySQL monitor. Commands end with ; or \g. +Your MySQL connection id is 37 +Server version: 5.7.25-TiDB-v4.0.0-beta.2-728-ga9177fe84 TiDB Server (Apache License 2.0) Community Edition, MySQL 5.7 compatible + +Copyright (c) 2000, 2020, Oracle and/or its affiliates. All rights reserved. + +Oracle is a registered trademark of Oracle Corporation and/or its +affiliates. Other names may be trademarks of their respective +owners. + +Type 'help;' or '\h' for help. Type '\c' to clear the current input statement. + +mysql> CREATE ROLE analyticsteam; +Query OK, 0 rows affected (0.02 sec) + +mysql> GRANT SELECT ON test.* TO analyticsteam; +Query OK, 0 rows affected (0.02 sec) + +mysql> CREATE USER jennifer; +Query OK, 0 rows affected (0.01 sec) + +mysql> GRANT analyticsteam TO jennifer; +Query OK, 0 rows affected (0.01 sec) +``` + +Note that by default `jennifer` needs to `SET ROLE analyticsteam` in order to be able to use the privileges associated with the role: + +```sql +$ mysql -ujennifer +Welcome to the MySQL monitor. Commands end with ; or \g. +Your MySQL connection id is 32 +Server version: 5.7.25-TiDB-v4.0.0-beta.2-728-ga9177fe84 TiDB Server (Apache License 2.0) Community Edition, MySQL 5.7 compatible + +Copyright (c) 2000, 2020, Oracle and/or its affiliates. All rights reserved. 
+ +Oracle is a registered trademark of Oracle Corporation and/or its +affiliates. Other names may be trademarks of their respective +owners. + +Type 'help;' or '\h' for help. Type '\c' to clear the current input statement. + +mysql> SHOW GRANTS; ++---------------------------------------------+ +| Grants for User | ++---------------------------------------------+ +| GRANT USAGE ON *.* TO 'jennifer'@'%' | +| GRANT 'analyticsteam'@'%' TO 'jennifer'@'%' | ++---------------------------------------------+ +2 rows in set (0.00 sec) + +mysql> SHOW TABLES in test; +ERROR 1044 (42000): Access denied for user 'jennifer'@'%' to database 'test' +mysql> SET ROLE analyticsteam; +Query OK, 0 rows affected (0.00 sec) + +mysql> SHOW GRANTS; ++---------------------------------------------+ +| Grants for User | ++---------------------------------------------+ +| GRANT USAGE ON *.* TO 'jennifer'@'%' | +| GRANT Select ON test.* TO 'jennifer'@'%' | +| GRANT 'analyticsteam'@'%' TO 'jennifer'@'%' | ++---------------------------------------------+ +3 rows in set (0.00 sec) + +mysql> SHOW TABLES IN test; ++----------------+ +| Tables_in_test | ++----------------+ +| t1 | ++----------------+ +1 row in set (0.00 sec) +``` + +The statement `SET DEFAULT ROLE` can be used to associated a role to `jennifer` so that she will not have to execute the statement `SET ROLE` in order to assume the privileges associated with the role: + +```sql +$ mysql -uroot +Welcome to the MySQL monitor. Commands end with ; or \g. +Your MySQL connection id is 34 +Server version: 5.7.25-TiDB-v4.0.0-beta.2-728-ga9177fe84 TiDB Server (Apache License 2.0) Community Edition, MySQL 5.7 compatible + +Copyright (c) 2000, 2020, Oracle and/or its affiliates. All rights reserved. + +Oracle is a registered trademark of Oracle Corporation and/or its +affiliates. Other names may be trademarks of their respective +owners. + +Type 'help;' or '\h' for help. Type '\c' to clear the current input statement. 
+ +mysql> SET DEFAULT ROLE analyticsteam TO jennifer; +Query OK, 0 rows affected (0.02 sec) +``` + +```sql +$ mysql -ujennifer +Welcome to the MySQL monitor. Commands end with ; or \g. +Your MySQL connection id is 35 +Server version: 5.7.25-TiDB-v4.0.0-beta.2-728-ga9177fe84 TiDB Server (Apache License 2.0) Community Edition, MySQL 5.7 compatible + +Copyright (c) 2000, 2020, Oracle and/or its affiliates. All rights reserved. + +Oracle is a registered trademark of Oracle Corporation and/or its +affiliates. Other names may be trademarks of their respective +owners. + +Type 'help;' or '\h' for help. Type '\c' to clear the current input statement. + +mysql> SHOW GRANTS; ++---------------------------------------------+ +| Grants for User | ++---------------------------------------------+ +| GRANT USAGE ON *.* TO 'jennifer'@'%' | +| GRANT Select ON test.* TO 'jennifer'@'%' | +| GRANT 'analyticsteam'@'%' TO 'jennifer'@'%' | ++---------------------------------------------+ +3 rows in set (0.00 sec) + +mysql> SHOW TABLES IN test; ++----------------+ +| Tables_in_test | ++----------------+ +| t1 | ++----------------+ +1 row in set (0.00 sec) +``` + +## MySQL compatibility + +This statement is understood to be fully compatible with roles, which are a feature of MySQL 8.0. Any compatibility differences should be [reported via an issue](/report-issue.md) on GitHub. + +## See also + +* [DROP ROLE](/sql-statements/sql-statement-drop-role.md) +* [GRANT ](/sql-statements/sql-statement-grant-role.md) +* [REVOKE ](/sql-statements/sql-statement-revoke-role.md) +* [SET ROLE](/sql-statements/sql-statement-set-role.md) +* [SET DEFAULT ROLE](/sql-statements/sql-statement-set-default-role.md) +* [Role-Based Access Control](/role-based-access-control.md) diff --git a/sql-statements/sql-statement-drop-role.md b/sql-statements/sql-statement-drop-role.md new file mode 100644 index 0000000000000..e048c8f247465 --- /dev/null +++ b/sql-statements/sql-statement-drop-role.md 
@@ -0,0 +1,213 @@ +--- +title: DROP ROLE | TiDB SQL Statement Reference +summary: An overview of the usage of DROP ROLE for the TiDB database. +category: reference +--- + +# DROP ROLE + +This statement removes a role, that was previously created with `CREATE ROLE`. + +## Synopsis + +**DropRoleStmt:** + +![DropRoleStmt](/media/sqlgram/DropRoleStmt.png) + +**RolenameList:** + +![RolenameList](/media/sqlgram/RolenameList.png) + +## Examples + +Create a new role for the analytics team, and a new user called `jennifer`: + +```sql +$ mysql -uroot +Welcome to the MySQL monitor. Commands end with ; or \g. +Your MySQL connection id is 37 +Server version: 5.7.25-TiDB-v4.0.0-beta.2-728-ga9177fe84 TiDB Server (Apache License 2.0) Community Edition, MySQL 5.7 compatible + +Copyright (c) 2000, 2020, Oracle and/or its affiliates. All rights reserved. + +Oracle is a registered trademark of Oracle Corporation and/or its +affiliates. Other names may be trademarks of their respective +owners. + +Type 'help;' or '\h' for help. Type '\c' to clear the current input statement. + +mysql> CREATE ROLE analyticsteam; +Query OK, 0 rows affected (0.02 sec) + +mysql> GRANT SELECT ON test.* TO analyticsteam; +Query OK, 0 rows affected (0.02 sec) + +mysql> CREATE USER jennifer; +Query OK, 0 rows affected (0.01 sec) + +mysql> GRANT analyticsteam TO jennifer; +Query OK, 0 rows affected (0.01 sec) +``` + +Note that by default `jennifer` needs to `SET ROLE analyticsteam` in order to be able to use the privileges associated with the role: + +```sql +$ mysql -ujennifer +Welcome to the MySQL monitor. Commands end with ; or \g. +Your MySQL connection id is 32 +Server version: 5.7.25-TiDB-v4.0.0-beta.2-728-ga9177fe84 TiDB Server (Apache License 2.0) Community Edition, MySQL 5.7 compatible + +Copyright (c) 2000, 2020, Oracle and/or its affiliates. All rights reserved. + +Oracle is a registered trademark of Oracle Corporation and/or its +affiliates. Other names may be trademarks of their respective +owners. 
+ +Type 'help;' or '\h' for help. Type '\c' to clear the current input statement. + +mysql> SHOW GRANTS; ++---------------------------------------------+ +| Grants for User | ++---------------------------------------------+ +| GRANT USAGE ON *.* TO 'jennifer'@'%' | +| GRANT 'analyticsteam'@'%' TO 'jennifer'@'%' | ++---------------------------------------------+ +2 rows in set (0.00 sec) + +mysql> SHOW TABLES in test; +ERROR 1044 (42000): Access denied for user 'jennifer'@'%' to database 'test' +mysql> SET ROLE analyticsteam; +Query OK, 0 rows affected (0.00 sec) + +mysql> SHOW GRANTS; ++---------------------------------------------+ +| Grants for User | ++---------------------------------------------+ +| GRANT USAGE ON *.* TO 'jennifer'@'%' | +| GRANT Select ON test.* TO 'jennifer'@'%' | +| GRANT 'analyticsteam'@'%' TO 'jennifer'@'%' | ++---------------------------------------------+ +3 rows in set (0.00 sec) + +mysql> SHOW TABLES IN test; ++----------------+ +| Tables_in_test | ++----------------+ +| t1 | ++----------------+ +1 row in set (0.00 sec) +``` + +The statement `SET DEFAULT ROLE` can be used to associated a role to `jennifer` so that she will not have to execute the statement `SET ROLE` in order to assume the privileges associated with the role: + +```sql +$ mysql -uroot +Welcome to the MySQL monitor. Commands end with ; or \g. +Your MySQL connection id is 34 +Server version: 5.7.25-TiDB-v4.0.0-beta.2-728-ga9177fe84 TiDB Server (Apache License 2.0) Community Edition, MySQL 5.7 compatible + +Copyright (c) 2000, 2020, Oracle and/or its affiliates. All rights reserved. + +Oracle is a registered trademark of Oracle Corporation and/or its +affiliates. Other names may be trademarks of their respective +owners. + +Type 'help;' or '\h' for help. Type '\c' to clear the current input statement. + +mysql> SET DEFAULT ROLE analyticsteam TO jennifer; +Query OK, 0 rows affected (0.02 sec) +``` + +```sql +$ mysql -ujennifer +Welcome to the MySQL monitor. 
Commands end with ; or \g. +Your MySQL connection id is 35 +Server version: 5.7.25-TiDB-v4.0.0-beta.2-728-ga9177fe84 TiDB Server (Apache License 2.0) Community Edition, MySQL 5.7 compatible + +Copyright (c) 2000, 2020, Oracle and/or its affiliates. All rights reserved. + +Oracle is a registered trademark of Oracle Corporation and/or its +affiliates. Other names may be trademarks of their respective +owners. + +Type 'help;' or '\h' for help. Type '\c' to clear the current input statement. + +mysql> SHOW GRANTS; ++---------------------------------------------+ +| Grants for User | ++---------------------------------------------+ +| GRANT USAGE ON *.* TO 'jennifer'@'%' | +| GRANT Select ON test.* TO 'jennifer'@'%' | +| GRANT 'analyticsteam'@'%' TO 'jennifer'@'%' | ++---------------------------------------------+ +3 rows in set (0.00 sec) + +mysql> SHOW TABLES IN test; ++----------------+ +| Tables_in_test | ++----------------+ +| t1 | ++----------------+ +1 row in set (0.00 sec) +``` + +Drop the role for the analyticsteam: + +```sql +$ mysql -uroot +Welcome to the MySQL monitor. Commands end with ; or \g. +Your MySQL connection id is 41 +Server version: 5.7.25-TiDB-v4.0.0-beta.2-728-ga9177fe84 TiDB Server (Apache License 2.0) Community Edition, MySQL 5.7 compatible + +Copyright (c) 2000, 2020, Oracle and/or its affiliates. All rights reserved. + +Oracle is a registered trademark of Oracle Corporation and/or its +affiliates. Other names may be trademarks of their respective +owners. + +Type 'help;' or '\h' for help. Type '\c' to clear the current input statement. + +mysql> DROP ROLE analyticsteam; +Query OK, 0 rows affected (0.02 sec) +``` + +Jennifer no longer has the default role of analyticsteam associated, or can set the role to analyticsteam: + +```sql +$ mysql -ujennifer +Welcome to the MySQL monitor. Commands end with ; or \g. 
+Your MySQL connection id is 42 +Server version: 5.7.25-TiDB-v4.0.0-beta.2-728-ga9177fe84 TiDB Server (Apache License 2.0) Community Edition, MySQL 5.7 compatible + +Copyright (c) 2000, 2020, Oracle and/or its affiliates. All rights reserved. + +Oracle is a registered trademark of Oracle Corporation and/or its +affiliates. Other names may be trademarks of their respective +owners. + +Type 'help;' or '\h' for help. Type '\c' to clear the current input statement. + +mysql> SHOW GRANTS; ++--------------------------------------+ +| Grants for User | ++--------------------------------------+ +| GRANT USAGE ON *.* TO 'jennifer'@'%' | ++--------------------------------------+ +1 row in set (0.00 sec) + +mysql> SET ROLE analyticsteam; +ERROR 3530 (HY000): `analyticsteam`@`%` is is not granted to jennifer@% +``` + +## MySQL compatibility + +This statement is understood to be fully compatible with roles, which are a feature of MySQL 8.0. Any compatibility differences should be [reported via an issue](/report-issue.md) on GitHub. + +## See also + +* [CREATE ROLE](/sql-statements/sql-statement-create-role.md) +* [GRANT ](/sql-statements/sql-statement-grant-role.md) +* [REVOKE ](/sql-statements/sql-statement-revoke-role.md) +* [SET ROLE](/sql-statements/sql-statement-set-role.md) +* [SET DEFAULT ROLE](/sql-statements/sql-statement-set-default-role.md) +* [Role-Based Access Control](/role-based-access-control.md) diff --git a/sql-statements/sql-statement-grant-privileges.md b/sql-statements/sql-statement-grant-privileges.md index 6aa07b3562c5c..ec03dead6260f 100644 --- a/sql-statements/sql-statement-grant-privileges.md +++ b/sql-statements/sql-statement-grant-privileges.md @@ -67,6 +67,7 @@ mysql> SHOW GRANTS FOR 'newuser'; ## See also +* [GRANT ](/sql-statements/sql-statement-grant-role.md) * [`REVOKE `](/sql-statements/sql-statement-revoke-privileges.md) * [SHOW GRANTS](/sql-statements/sql-statement-show-grants.md) * [Privilege Management](/privilege-management.md) 
diff --git a/sql-statements/sql-statement-grant-role.md b/sql-statements/sql-statement-grant-role.md new file mode 100644 index 0000000000000..c22a3b9b6282d --- /dev/null +++ b/sql-statements/sql-statement-grant-role.md 
@@ -0,0 +1,170 @@ +--- +title: GRANT | TiDB SQL Statement Reference +summary: An overview of the usage of GRANT for the TiDB database. +category: reference +--- + +# GRANT + +Assigns a previously created role to an existing user. The user can use then use the statement `SET ROLE ` to assume the privileges of the role, or `SET ROLE ALL` to assume all roles that have been assigned. + +## Synopsis + +**GrantRoleStmt:** + +![GrantRoleStmt](/media/sqlgram/GrantRoleStmt.png) + +**RolenameList:** + +![RolenameList](/media/sqlgram/RolenameList.png) + +**UsernameList:** + +![UsernameList](/media/sqlgram/UsernameList.png) + +## Examples + +Create a new role for the analytics team, and a new user called `jennifer`: + +```sql +$ mysql -uroot +Welcome to the MySQL monitor. Commands end with ; or \g. +Your MySQL connection id is 37 +Server version: 5.7.25-TiDB-v4.0.0-beta.2-728-ga9177fe84 TiDB Server (Apache License 2.0) Community Edition, MySQL 5.7 compatible + +Copyright (c) 2000, 2020, Oracle and/or its affiliates. All rights reserved. + +Oracle is a registered trademark of Oracle Corporation and/or its +affiliates. Other names may be trademarks of their respective +owners. + +Type 'help;' or '\h' for help. Type '\c' to clear the current input statement. + +mysql> CREATE ROLE analyticsteam; +Query OK, 0 rows affected (0.02 sec) + +mysql> GRANT SELECT ON test.* TO analyticsteam; +Query OK, 0 rows affected (0.02 sec) + +mysql> CREATE USER jennifer; +Query OK, 0 rows affected (0.01 sec) + +mysql> GRANT analyticsteam TO jennifer; +Query OK, 0 rows affected (0.01 sec) +``` + +Note that by default `jennifer` needs to `SET ROLE analyticsteam` in order to be able to use the privileges associated with the role: + +```sql +$ mysql -ujennifer +Welcome to the MySQL monitor. Commands end with ; or \g. 
+Your MySQL connection id is 32 +Server version: 5.7.25-TiDB-v4.0.0-beta.2-728-ga9177fe84 TiDB Server (Apache License 2.0) Community Edition, MySQL 5.7 compatible + +Copyright (c) 2000, 2020, Oracle and/or its affiliates. All rights reserved. + +Oracle is a registered trademark of Oracle Corporation and/or its +affiliates. Other names may be trademarks of their respective +owners. + +Type 'help;' or '\h' for help. Type '\c' to clear the current input statement. + +mysql> SHOW GRANTS; ++---------------------------------------------+ +| Grants for User | ++---------------------------------------------+ +| GRANT USAGE ON *.* TO 'jennifer'@'%' | +| GRANT 'analyticsteam'@'%' TO 'jennifer'@'%' | ++---------------------------------------------+ +2 rows in set (0.00 sec) + +mysql> SHOW TABLES in test; +ERROR 1044 (42000): Access denied for user 'jennifer'@'%' to database 'test' +mysql> SET ROLE analyticsteam; +Query OK, 0 rows affected (0.00 sec) + +mysql> SHOW GRANTS; ++---------------------------------------------+ +| Grants for User | ++---------------------------------------------+ +| GRANT USAGE ON *.* TO 'jennifer'@'%' | +| GRANT Select ON test.* TO 'jennifer'@'%' | +| GRANT 'analyticsteam'@'%' TO 'jennifer'@'%' | ++---------------------------------------------+ +3 rows in set (0.00 sec) + +mysql> SHOW TABLES IN test; ++----------------+ +| Tables_in_test | ++----------------+ +| t1 | ++----------------+ +1 row in set (0.00 sec) +``` + +The statement `SET DEFAULT ROLE` can be used to associated a role to `jennifer` so that she will not have to execute the statement `SET ROLE` in order to assume the privileges associated with the role: + +```sql +$ mysql -uroot +Welcome to the MySQL monitor. Commands end with ; or \g. +Your MySQL connection id is 34 +Server version: 5.7.25-TiDB-v4.0.0-beta.2-728-ga9177fe84 TiDB Server (Apache License 2.0) Community Edition, MySQL 5.7 compatible + +Copyright (c) 2000, 2020, Oracle and/or its affiliates. All rights reserved. 
+ +Oracle is a registered trademark of Oracle Corporation and/or its +affiliates. Other names may be trademarks of their respective +owners. + +Type 'help;' or '\h' for help. Type '\c' to clear the current input statement. + +mysql> SET DEFAULT ROLE analyticsteam TO jennifer; +Query OK, 0 rows affected (0.02 sec) +``` + +```sql +$ mysql -ujennifer +Welcome to the MySQL monitor. Commands end with ; or \g. +Your MySQL connection id is 35 +Server version: 5.7.25-TiDB-v4.0.0-beta.2-728-ga9177fe84 TiDB Server (Apache License 2.0) Community Edition, MySQL 5.7 compatible + +Copyright (c) 2000, 2020, Oracle and/or its affiliates. All rights reserved. + +Oracle is a registered trademark of Oracle Corporation and/or its +affiliates. Other names may be trademarks of their respective +owners. + +Type 'help;' or '\h' for help. Type '\c' to clear the current input statement. + +mysql> SHOW GRANTS; ++---------------------------------------------+ +| Grants for User | ++---------------------------------------------+ +| GRANT USAGE ON *.* TO 'jennifer'@'%' | +| GRANT Select ON test.* TO 'jennifer'@'%' | +| GRANT 'analyticsteam'@'%' TO 'jennifer'@'%' | ++---------------------------------------------+ +3 rows in set (0.00 sec) + +mysql> SHOW TABLES IN test; ++----------------+ +| Tables_in_test | ++----------------+ +| t1 | ++----------------+ +1 row in set (0.00 sec) +``` + +## MySQL compatibility + +This statement is understood to be fully compatible with roles, which are a feature of MySQL 8.0. Any compatibility differences should be [reported via an issue](/report-issue.md) on GitHub. 
+ +## See also + +* [GRANT ](/sql-statements/sql-statement-grant-privileges.md) +* [CREATE ROLE](/sql-statements/sql-statement-create-role.md) +* [DROP ROLE](/sql-statements/sql-statement-drop-role.md) +* [REVOKE ](/sql-statements/sql-statement-revoke-role.md) +* [SET ROLE](/sql-statements/sql-statement-set-role.md) +* [SET DEFAULT ROLE](/sql-statements/sql-statement-set-default-role.md) +* [Role-Based Access Control](/role-based-access-control.md) \ No newline at end of file diff --git a/sql-statements/sql-statement-revoke-role.md b/sql-statements/sql-statement-revoke-role.md new file mode 100644 index 0000000000000..80d7c4c838c5e --- /dev/null +++ b/sql-statements/sql-statement-revoke-role.md 
@@ -0,0 +1,212 @@ +--- +title: REVOKE | TiDB SQL Statement Reference +summary: An overview of the usage of REVOKE for the TiDB database. +category: reference +--- + +# `REVOKE ` + +This statement removes a previously assigned role from a specified user (or list of users). + +## Synopsis + +**RevokeRoleStmt:** + +![RevokeRoleStmt](/media/sqlgram/RevokeRoleStmt.png) + +**RolenameList:** + +![RolenameList](/media/sqlgram/RolenameList.png) + +**UsernameList:** + +![UsernameList](/media/sqlgram/UsernameList.png) + +## Examples + +Create a new role for the analytics team, and a new user called `jennifer`: + +```sql +$ mysql -uroot +Welcome to the MySQL monitor. Commands end with ; or \g. +Your MySQL connection id is 37 +Server version: 5.7.25-TiDB-v4.0.0-beta.2-728-ga9177fe84 TiDB Server (Apache License 2.0) Community Edition, MySQL 5.7 compatible + +Copyright (c) 2000, 2020, Oracle and/or its affiliates. All rights reserved. + +Oracle is a registered trademark of Oracle Corporation and/or its +affiliates. Other names may be trademarks of their respective +owners. + +Type 'help;' or '\h' for help. Type '\c' to clear the current input statement. + +mysql> CREATE ROLE analyticsteam; +Query OK, 0 rows affected (0.02 sec) + +mysql> GRANT SELECT ON test.* TO analyticsteam; +Query OK, 0 rows affected (0.02 sec) + +mysql> CREATE USER jennifer; +Query OK, 0 rows affected (0.01 sec) + +mysql> GRANT analyticsteam TO jennifer; +Query OK, 0 rows affected (0.01 sec) +``` + +Note that by default `jennifer` needs to `SET ROLE analyticsteam` in order to be able to use the privileges associated with the role: + +```sql +$ mysql -ujennifer +Welcome to the MySQL monitor. Commands end with ; or \g. +Your MySQL connection id is 32 +Server version: 5.7.25-TiDB-v4.0.0-beta.2-728-ga9177fe84 TiDB Server (Apache License 2.0) Community Edition, MySQL 5.7 compatible + +Copyright (c) 2000, 2020, Oracle and/or its affiliates. All rights reserved. 
+ +Oracle is a registered trademark of Oracle Corporation and/or its +affiliates. Other names may be trademarks of their respective +owners. + +Type 'help;' or '\h' for help. Type '\c' to clear the current input statement. + +mysql> SHOW GRANTS; ++---------------------------------------------+ +| Grants for User | ++---------------------------------------------+ +| GRANT USAGE ON *.* TO 'jennifer'@'%' | +| GRANT 'analyticsteam'@'%' TO 'jennifer'@'%' | ++---------------------------------------------+ +2 rows in set (0.00 sec) + +mysql> SHOW TABLES in test; +ERROR 1044 (42000): Access denied for user 'jennifer'@'%' to database 'test' +mysql> SET ROLE analyticsteam; +Query OK, 0 rows affected (0.00 sec) + +mysql> SHOW GRANTS; ++---------------------------------------------+ +| Grants for User | ++---------------------------------------------+ +| GRANT USAGE ON *.* TO 'jennifer'@'%' | +| GRANT Select ON test.* TO 'jennifer'@'%' | +| GRANT 'analyticsteam'@'%' TO 'jennifer'@'%' | ++---------------------------------------------+ +3 rows in set (0.00 sec) + +mysql> SHOW TABLES IN test; ++----------------+ +| Tables_in_test | ++----------------+ +| t1 | ++----------------+ +1 row in set (0.00 sec) +``` + +The statement `SET DEFAULT ROLE` can be used to associated a role to `jennifer` so that she will not have to execute the statement `SET ROLE` in order to assume the privileges associated with the role: + +```sql +$ mysql -uroot +Welcome to the MySQL monitor. Commands end with ; or \g. +Your MySQL connection id is 34 +Server version: 5.7.25-TiDB-v4.0.0-beta.2-728-ga9177fe84 TiDB Server (Apache License 2.0) Community Edition, MySQL 5.7 compatible + +Copyright (c) 2000, 2020, Oracle and/or its affiliates. All rights reserved. + +Oracle is a registered trademark of Oracle Corporation and/or its +affiliates. Other names may be trademarks of their respective +owners. + +Type 'help;' or '\h' for help. Type '\c' to clear the current input statement. 
+ +mysql> SET DEFAULT ROLE analyticsteam TO jennifer; +Query OK, 0 rows affected (0.02 sec) +``` + +```sql +$ mysql -ujennifer +Welcome to the MySQL monitor. Commands end with ; or \g. +Your MySQL connection id is 35 +Server version: 5.7.25-TiDB-v4.0.0-beta.2-728-ga9177fe84 TiDB Server (Apache License 2.0) Community Edition, MySQL 5.7 compatible + +Copyright (c) 2000, 2020, Oracle and/or its affiliates. All rights reserved. + +Oracle is a registered trademark of Oracle Corporation and/or its +affiliates. Other names may be trademarks of their respective +owners. + +Type 'help;' or '\h' for help. Type '\c' to clear the current input statement. + +mysql> SHOW GRANTS; ++---------------------------------------------+ +| Grants for User | ++---------------------------------------------+ +| GRANT USAGE ON *.* TO 'jennifer'@'%' | +| GRANT Select ON test.* TO 'jennifer'@'%' | +| GRANT 'analyticsteam'@'%' TO 'jennifer'@'%' | ++---------------------------------------------+ +3 rows in set (0.00 sec) + +mysql> SHOW TABLES IN test; ++----------------+ +| Tables_in_test | ++----------------+ +| t1 | ++----------------+ +1 row in set (0.00 sec) +``` + +Revoke the role of analyticsteam from `jennifer`: + +```sql +$ mysql -uroot +Welcome to the MySQL monitor. Commands end with ; or \g. +Your MySQL connection id is 38 +Server version: 5.7.25-TiDB-v4.0.0-beta.2-728-ga9177fe84 TiDB Server (Apache License 2.0) Community Edition, MySQL 5.7 compatible + +Copyright (c) 2000, 2020, Oracle and/or its affiliates. All rights reserved. + +Oracle is a registered trademark of Oracle Corporation and/or its +affiliates. Other names may be trademarks of their respective +owners. + +Type 'help;' or '\h' for help. Type '\c' to clear the current input statement. + +mysql> REVOKE analyticsteam FROM jennifer; +Query OK, 0 rows affected (0.01 sec) +``` + +```sql +$ mysql -ujennifer +Welcome to the MySQL monitor. Commands end with ; or \g. 
+Your MySQL connection id is 39 +Server version: 5.7.25-TiDB-v4.0.0-beta.2-728-ga9177fe84 TiDB Server (Apache License 2.0) Community Edition, MySQL 5.7 compatible + +Copyright (c) 2000, 2020, Oracle and/or its affiliates. All rights reserved. + +Oracle is a registered trademark of Oracle Corporation and/or its +affiliates. Other names may be trademarks of their respective +owners. + +Type 'help;' or '\h' for help. Type '\c' to clear the current input statement. + +mysql> SHOW GRANTS; ++--------------------------------------+ +| Grants for User | ++--------------------------------------+ +| GRANT USAGE ON *.* TO 'jennifer'@'%' | ++--------------------------------------+ +1 row in set (0.00 sec) +``` + +## MySQL compatibility + +This statement is understood to be fully compatible with roles, which are a feature of MySQL 8.0. Any compatibility differences should be [reported via an issue](/report-issue.md) on GitHub. + +## See also + +* [CREATE ROLE](/sql-statements/sql-statement-create-role.md) +* [DROP ROLE](/sql-statements/sql-statement-drop-role.md) +* [GRANT ](/sql-statements/sql-statement-grant-role.md) +* [SET ROLE](/sql-statements/sql-statement-set-role.md) +* [SET DEFAULT ROLE](/sql-statements/sql-statement-set-default-role.md) +* [Role-Based Access Control](/role-based-access-control.md) diff --git a/sql-statements/sql-statement-set-default-role.md b/sql-statements/sql-statement-set-default-role.md new file mode 100644 index 0000000000000..381710be03c00 --- /dev/null +++ b/sql-statements/sql-statement-set-default-role.md 
@@ -0,0 +1,180 @@
+---
+title: SET DEFAULT ROLE | TiDB SQL Statement Reference
+summary: An overview of the usage of SET DEFAULT ROLE for the TiDB database.
+category: reference
+---
+
+# `SET DEFAULT ROLE`
+
+This statement sets a specific role to be applied to a user by default. Thus, they will automatically have the permissions associated with a role without having to execute `SET ROLE ` or `SET ROLE ALL`.
+
+## Synopsis
+
+**SetDefaultRoleStmt:**
+
+![SetDefaultRoleStmt](/media/sqlgram/SetDefaultRoleStmt.png)
+
+**SetDefaultRoleOpt:**
+
+![SetDefaultRoleOpt](/media/sqlgram/SetDefaultRoleOpt.png)
+
+**RolenameList:**
+
+![RolenameList](/media/sqlgram/RolenameList.png)
+
+**UsernameList:**
+
+![UsernameList](/media/sqlgram/UsernameList.png)
+
+## Examples
+
+Create a new role for the analytics team, and a new user called `jennifer`:
+
+```sql
+$ mysql -uroot
+Welcome to the MySQL monitor. Commands end with ; or \g.
+Your MySQL connection id is 37
+Server version: 5.7.25-TiDB-v4.0.0-beta.2-728-ga9177fe84 TiDB Server (Apache License 2.0) Community Edition, MySQL 5.7 compatible
+
+Copyright (c) 2000, 2020, Oracle and/or its affiliates. All rights reserved.
+
+Oracle is a registered trademark of Oracle Corporation and/or its
+affiliates. Other names may be trademarks of their respective
+owners.
+
+Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
+
+mysql> CREATE ROLE analyticsteam;
+Query OK, 0 rows affected (0.02 sec)
+
+mysql> GRANT SELECT ON test.* TO analyticsteam;
+Query OK, 0 rows affected (0.02 sec)
+
+mysql> CREATE USER jennifer;
+Query OK, 0 rows affected (0.01 sec)
+
+mysql> GRANT analyticsteam TO jennifer;
+Query OK, 0 rows affected (0.01 sec)
+```
+
+Note that by default `jennifer` needs to `SET ROLE analyticsteam` in order to be able to use the privileges associated with the role:
+
+```sql
+$ mysql -ujennifer
+Welcome to the MySQL monitor. Commands end with ; or \g.
+Your MySQL connection id is 32
+Server version: 5.7.25-TiDB-v4.0.0-beta.2-728-ga9177fe84 TiDB Server (Apache License 2.0) Community Edition, MySQL 5.7 compatible
+
+Copyright (c) 2000, 2020, Oracle and/or its affiliates. All rights reserved.
+
+Oracle is a registered trademark of Oracle Corporation and/or its
+affiliates. Other names may be trademarks of their respective
+owners.
+
+Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
+
+mysql> SHOW GRANTS;
++---------------------------------------------+
+| Grants for User |
++---------------------------------------------+
+| GRANT USAGE ON *.* TO 'jennifer'@'%' |
+| GRANT 'analyticsteam'@'%' TO 'jennifer'@'%' |
++---------------------------------------------+
+2 rows in set (0.00 sec)
+
+mysql> SHOW TABLES in test;
+ERROR 1044 (42000): Access denied for user 'jennifer'@'%' to database 'test'
+mysql> SET ROLE analyticsteam;
+Query OK, 0 rows affected (0.00 sec)
+
+mysql> SHOW GRANTS;
++---------------------------------------------+
+| Grants for User |
++---------------------------------------------+
+| GRANT USAGE ON *.* TO 'jennifer'@'%' |
+| GRANT Select ON test.* TO 'jennifer'@'%' |
+| GRANT 'analyticsteam'@'%' TO 'jennifer'@'%' |
++---------------------------------------------+
+3 rows in set (0.00 sec)
+
+mysql> SHOW TABLES IN test;
++----------------+
+| Tables_in_test |
++----------------+
+| t1 |
++----------------+
+1 row in set (0.00 sec)
+```
+
+The statement `SET DEFAULT ROLE` can be used to associated a role to `jennifer` so that she will not have to execute the statement `SET ROLE` in order to assume the privileges associated with the role:
+
+```sql
+$ mysql -uroot
+Welcome to the MySQL monitor. Commands end with ; or \g.
+Your MySQL connection id is 34
+Server version: 5.7.25-TiDB-v4.0.0-beta.2-728-ga9177fe84 TiDB Server (Apache License 2.0) Community Edition, MySQL 5.7 compatible
+
+Copyright (c) 2000, 2020, Oracle and/or its affiliates. All rights reserved.
+
+Oracle is a registered trademark of Oracle Corporation and/or its
+affiliates. Other names may be trademarks of their respective
+owners.
+
+Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
+
+mysql> SET DEFAULT ROLE analyticsteam TO jennifer;
+Query OK, 0 rows affected (0.02 sec)
+```
+
+```sql
+$ mysql -ujennifer
+Welcome to the MySQL monitor. Commands end with ; or \g.
+Your MySQL connection id is 35
+Server version: 5.7.25-TiDB-v4.0.0-beta.2-728-ga9177fe84 TiDB Server (Apache License 2.0) Community Edition, MySQL 5.7 compatible
+
+Copyright (c) 2000, 2020, Oracle and/or its affiliates. All rights reserved.
+
+Oracle is a registered trademark of Oracle Corporation and/or its
+affiliates. Other names may be trademarks of their respective
+owners.
+
+Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
+
+mysql> SHOW GRANTS;
++---------------------------------------------+
+| Grants for User |
++---------------------------------------------+
+| GRANT USAGE ON *.* TO 'jennifer'@'%' |
+| GRANT Select ON test.* TO 'jennifer'@'%' |
+| GRANT 'analyticsteam'@'%' TO 'jennifer'@'%' |
++---------------------------------------------+
+3 rows in set (0.00 sec)
+
+mysql> SHOW TABLES IN test;
++----------------+
+| Tables_in_test |
++----------------+
+| t1 |
++----------------+
+1 row in set (0.00 sec)
+```
+
+`SET DEFAULT ROLE` will not automatically `GRANT` the associated role to the user. Attempting to `SET DEFAULT ROLE` for a role that `jennifer` does not have granted results in the following error:
+
+```sql
+mysql> SET DEFAULT ROLE analyticsteam TO jennifer;
+ERROR 3530 (HY000): `analyticsteam`@`%` is is not granted to jennifer@%
+```
+
+## MySQL compatibility
+
+This statement is understood to be fully compatible with roles, which are a feature of MySQL 8.0. Any compatibility differences should be [reported via an issue](/report-issue.md) on GitHub.
+
+## See also
+
+* [CREATE ROLE](/sql-statements/sql-statement-create-role.md)
+* [DROP ROLE](/sql-statements/sql-statement-drop-role.md)
+* [GRANT ](/sql-statements/sql-statement-grant-role.md)
+* [REVOKE ](/sql-statements/sql-statement-revoke-role.md)
+* [SET ROLE](/sql-statements/sql-statement-set-role.md)
+* [Role-Based Access Control](/role-based-access-control.md)
diff --git a/sql-statements/sql-statement-set-role.md b/sql-statements/sql-statement-set-role.md
index 172814ab19917..0434650f78583 100644
--- a/sql-statements/sql-statement-set-role.md
+++ b/sql-statements/sql-statement-set-role.md
@@ -26,7 +26,7 @@ The `SET ROLE` statement is used to enable roles in the current session. After e ## Examples Create a user `'u1'@'%'` and three roles: `'r1'@'%'`, `'r2'@'%'` and `'r3'@'%'`. -Grant these roles to `'u1'@'%'` and set `'r1'@'%'` as the defualt role of `'u1'@'%'`. +Grant these roles to `'u1'@'%'` and set `'r1'@'%'` as the default role of `'u1'@'%'`. {{< copyable "sql" >}}
@@ -109,6 +109,15 @@ SELECT CURRENT_ROLE(); 1 row in set (0.000 sec) ``` +## MySQL compatibility + +This statement is understood to be fully compatible with roles, which are a feature of MySQL 8.0. Any compatibility differences should be [reported via an issue](/report-issue.md) on GitHub. + ## See also +* [CREATE ROLE](/sql-statements/sql-statement-create-role.md) +* [DROP ROLE](/sql-statements/sql-statement-drop-role.md) +* [GRANT ](/sql-statements/sql-statement-grant-role.md) +* [REVOKE ](/sql-statements/sql-statement-revoke-role.md) +* [SET DEFAULT ROLE](/sql-statements/sql-statement-set-default-role.md) * [Role-Based Access Control](/role-based-access-control.md)
From 57ed0fc49c047b6714a86af54812042dd0d8fef6 Mon Sep 17 00:00:00 2001
From: Null not nil <67764674+nullnotnil@users.noreply.github.com>
Date: Wed, 8 Jul 2020 07:42:16 -0600
Subject: [PATCH 2/2] fix typo
---
 sql-statements/sql-statement-create-role.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/sql-statements/sql-statement-create-role.md b/sql-statements/sql-statement-create-role.md
index 5f20ff2133859..3889860540406 100644
--- a/sql-statements/sql-statement-create-role.md
+++ b/sql-statements/sql-statement-create-role.md
@@ -102,7 +102,7 @@ mysql> SHOW TABLES IN test; 1 row in set (0.00 sec) ``` -The statement `SET DEFAULT ROLE` can be used to associated a role to `jennifer` so that she will not have to execute the statement `SET ROLE` in order to assume the privileges associated with the role: +The statement `SET DEFAULT ROLE` can be used to associate a role to `jennifer` so that she will not have to execute the statement `SET ROLE` in order to assume the privileges associated with the role: ```sql $ mysql -uroot