sql-statements: add statement reference for ROLES

TOC.md

@@ -228,6 +228,7 @@
       + [`CREATE BINDING`](/sql-statements/sql-statement-create-binding.md)
       + [`CREATE DATABASE`](/sql-statements/sql-statement-create-database.md)
       + [`CREATE INDEX`](/sql-statements/sql-statement-create-index.md)
+      + [`CREATE ROLE`](/sql-statements/sql-statement-create-role.md)
       + [`CREATE SEQUENCE`](/sql-statements/sql-statement-create-sequence.md)
       + [`CREATE TABLE LIKE`](/sql-statements/sql-statement-create-table-like.md)
       + [`CREATE TABLE`](/sql-statements/sql-statement-create-table.md)
@@ -242,8 +243,9 @@
       + [`DROP COLUMN`](/sql-statements/sql-statement-drop-column.md)
       + [`DROP DATABASE`](/sql-statements/sql-statement-drop-database.md)
       + [`DROP INDEX`](/sql-statements/sql-statement-drop-index.md)
+      + [`DROP ROLE`](/sql-statements/sql-statement-drop-role.md)
       + [`DROP SEQUENCE`](/sql-statements/sql-statement-drop-sequence.md)
-      - [`DROP STATS`](/sql-statements/sql-statement-drop-stats.md)
+      + [`DROP STATS`](/sql-statements/sql-statement-drop-stats.md)
       + [`DROP TABLE`](/sql-statements/sql-statement-drop-table.md)
       + [`DROP USER`](/sql-statements/sql-statement-drop-user.md)
       + [`DROP VIEW`](/sql-statements/sql-statement-drop-view.md)
@@ -255,6 +257,7 @@
       + [`FLUSH STATUS`](/sql-statements/sql-statement-flush-status.md)
       + [`FLUSH TABLES`](/sql-statements/sql-statement-flush-tables.md)
       + [`GRANT <privileges>`](/sql-statements/sql-statement-grant-privileges.md)
+      + [`GRANT <role>`](/sql-statements/sql-statement-grant-role.md)
       + [`INSERT`](/sql-statements/sql-statement-insert.md)
       + [`KILL [TIDB]`](/sql-statements/sql-statement-kill.md)
       + [`LOAD DATA`](/sql-statements/sql-statement-load-data.md)
@@ -267,6 +270,7 @@
       + [`REPLACE`](/sql-statements/sql-statement-replace.md)
       + [`RESTORE`](/sql-statements/sql-statement-restore.md)
       + [`REVOKE <privileges>`](/sql-statements/sql-statement-revoke-privileges.md)
+      + [`REVOKE <role>`](/sql-statements/sql-statement-revoke-role.md)
       + [`ROLLBACK`](/sql-statements/sql-statement-rollback.md)
       + [`SELECT`](/sql-statements/sql-statement-select.md)
       + [`SET [NAMES|CHARACTER SET]`](/sql-statements/sql-statement-set-names.md)
@@ -287,6 +291,7 @@
       + [`SHOW CREATE USER`](/sql-statements/sql-statement-show-create-user.md)
       + [`SHOW DATABASES`](/sql-statements/sql-statement-show-databases.md)
       + [`SHOW DRAINER STATUS`](/sql-statements/sql-statement-show-drainer-status.md)
+      + [`SHOW DEFAULT ROLE`](/sql-statements/sql-statement-set-default-role.md)
       + [`SHOW ENGINES`](/sql-statements/sql-statement-show-engines.md)
       + [`SHOW ERRORS`](/sql-statements/sql-statement-show-errors.md)
       + [`SHOW [FULL] FIELDS FROM`](/sql-statements/sql-statement-show-fields-from.md)

sql-statements/sql-statement-create-role.md

@@ -0,0 +1,169 @@
+---
+title: CREATE ROLE | TiDB SQL Statement Reference
+summary: An overview of the usage of CREATE ROLE for the TiDB database.
+category: reference
+---
+
+# CREATE ROLE
+
+This statement creates a new role, which can be assigned to users as part of role-based access control.
+
+## Synopsis
+
+**CreateRoleStmt:**
+
+![CreateRoleStmt](/media/sqlgram/CreateRoleStmt.png)
+
+**IfNotExists:**
+
+![IfNotExists](/media/sqlgram/IfNotExists.png)
+
+**RoleSpec:**
+
+![RoleSpec](/media/sqlgram/RoleSpec.png)
+
+## Examples
+
+Create a new role for the analytics team, and a new user called `jennifer`:
+
+```sql
+$ mysql -uroot
+Welcome to the MySQL monitor.  Commands end with ; or \g.
+Your MySQL connection id is 37
+Server version: 5.7.25-TiDB-v4.0.0-beta.2-728-ga9177fe84 TiDB Server (Apache License 2.0) Community Edition, MySQL 5.7 compatible
+
+Copyright (c) 2000, 2020, Oracle and/or its affiliates. All rights reserved.
+
+Oracle is a registered trademark of Oracle Corporation and/or its
+affiliates. Other names may be trademarks of their respective
+owners.
+
+Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
+
+mysql> CREATE ROLE analyticsteam;
+Query OK, 0 rows affected (0.02 sec)
+
+mysql> GRANT SELECT ON test.* TO analyticsteam;
+Query OK, 0 rows affected (0.02 sec)
+
+mysql> CREATE USER jennifer;
+Query OK, 0 rows affected (0.01 sec)
+
+mysql> GRANT analyticsteam TO jennifer;
+Query OK, 0 rows affected (0.01 sec)
+```
+
+Note that by default `jennifer` needs to `SET ROLE analyticsteam` in order to be able to use the privileges associated with the role:
+
+```sql
+$ mysql -ujennifer
+Welcome to the MySQL monitor.  Commands end with ; or \g.
+Your MySQL connection id is 32
+Server version: 5.7.25-TiDB-v4.0.0-beta.2-728-ga9177fe84 TiDB Server (Apache License 2.0) Community Edition, MySQL 5.7 compatible
+
+Copyright (c) 2000, 2020, Oracle and/or its affiliates. All rights reserved.
+
+Oracle is a registered trademark of Oracle Corporation and/or its
+affiliates. Other names may be trademarks of their respective
+owners.
+
+Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
+
+mysql> SHOW GRANTS;
++---------------------------------------------+
+| Grants for User                             |
++---------------------------------------------+
+| GRANT USAGE ON *.* TO 'jennifer'@'%'        |
+| GRANT 'analyticsteam'@'%' TO 'jennifer'@'%' |
++---------------------------------------------+
+2 rows in set (0.00 sec)
+
+mysql> SHOW TABLES in test;
+ERROR 1044 (42000): Access denied for user 'jennifer'@'%' to database 'test'
+mysql> SET ROLE analyticsteam;
+Query OK, 0 rows affected (0.00 sec)
+
+mysql> SHOW GRANTS;
++---------------------------------------------+
+| Grants for User                             |
++---------------------------------------------+
+| GRANT USAGE ON *.* TO 'jennifer'@'%'        |
+| GRANT Select ON test.* TO 'jennifer'@'%'    |
+| GRANT 'analyticsteam'@'%' TO 'jennifer'@'%' |
++---------------------------------------------+
+3 rows in set (0.00 sec)
+
+mysql> SHOW TABLES IN test;
++----------------+
+| Tables_in_test |
++----------------+
+| t1             |
++----------------+
+1 row in set (0.00 sec)
+```
+
+The statement `SET DEFAULT ROLE` can be used to associate a role to `jennifer` so that she will not have to execute the statement `SET ROLE` in order to assume the privileges associated with the role:
+
+```sql
+$ mysql -uroot
+Welcome to the MySQL monitor.  Commands end with ; or \g.
+Your MySQL connection id is 34
+Server version: 5.7.25-TiDB-v4.0.0-beta.2-728-ga9177fe84 TiDB Server (Apache License 2.0) Community Edition, MySQL 5.7 compatible
+
+Copyright (c) 2000, 2020, Oracle and/or its affiliates. All rights reserved.
+
+Oracle is a registered trademark of Oracle Corporation and/or its
+affiliates. Other names may be trademarks of their respective
+owners.
+
+Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
+
+mysql> SET DEFAULT ROLE analyticsteam TO jennifer;
+Query OK, 0 rows affected (0.02 sec)
+```
+
+```sql
+$ mysql -ujennifer
+Welcome to the MySQL monitor.  Commands end with ; or \g.
+Your MySQL connection id is 35
+Server version: 5.7.25-TiDB-v4.0.0-beta.2-728-ga9177fe84 TiDB Server (Apache License 2.0) Community Edition, MySQL 5.7 compatible
+
+Copyright (c) 2000, 2020, Oracle and/or its affiliates. All rights reserved.
+
+Oracle is a registered trademark of Oracle Corporation and/or its
+affiliates. Other names may be trademarks of their respective
+owners.
+
+Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
+
+mysql> SHOW GRANTS;
++---------------------------------------------+
+| Grants for User                             |
++---------------------------------------------+
+| GRANT USAGE ON *.* TO 'jennifer'@'%'        |
+| GRANT Select ON test.* TO 'jennifer'@'%'    |
+| GRANT 'analyticsteam'@'%' TO 'jennifer'@'%' |
++---------------------------------------------+
+3 rows in set (0.00 sec)
+
+mysql> SHOW TABLES IN test;
++----------------+
+| Tables_in_test |
++----------------+
+| t1             |
++----------------+
+1 row in set (0.00 sec)
+```
+
+## MySQL compatibility
+
+This statement is understood to be fully compatible with roles, which are a feature of MySQL 8.0. Any compatibility differences should be [reported via an issue](/report-issue.md) on GitHub.
+
+## See also
+
+* [DROP ROLE](/sql-statements/sql-statement-drop-role.md)
+* [GRANT <role>](/sql-statements/sql-statement-grant-role.md)
+* [REVOKE <role>](/sql-statements/sql-statement-revoke-role.md)
+* [SET ROLE](/sql-statements/sql-statement-set-role.md)
+* [SET DEFAULT ROLE](/sql-statements/sql-statement-set-default-role.md)
+* [Role-Based Access Control](/role-based-access-control.md)