1. 背景
* 角色的概念管理数据库访问权限。 根据角色自身的设置不同,一个角色可以看做是一个数据库用户,或者一组数据库用户。 角色可以拥有数据库对象(比如,表)以及可以把这些对象上的权限赋予其它角色, 以控制谁拥有访问哪些对象的权限。另外,我们也可以把一个角色的成员 (membership)权限赋予其它角色,这样就允许成员角色使用它被赋予成员权限的角色之权限。
* MySQL 5.7开始利用 'proxy' 代理实现类似 'rols' 角色管理功能。
2. 环境
* MySQL ServerServer version: 5.7.18 MySQL Community Server (GPL)
Copyright (c) 2000, 2017, Oracle and/or its affiliates. All rights reserved.
Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.
Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
mysql> select version();
+-----------+
| version() |
+-----------+
| 5.7.18 |
+-----------+
1 row in set (0.00 sec)
3. 实现
* 启用代理用户映射mysql> SET @@global.check_proxy_users = ON;
Query OK, 0 rows affected (0.00 sec)
mysql> SET @@global.mysql_native_password_proxy_users = ON;
Query OK, 0 rows affected (0.00 sec)
* 创建角色(rols) 用户mysql> create user 'rols_it'@'127.0.0.1';
Query OK, 0 rows affected (0.01 sec)
* 创建普通用户tommysql> create user 'tom'@'127.0.0.1' identified by '123456';
Query OK, 0 rows affected (0.00 sec)
* 通过proxy方式添加tom用户到角色mysql> grant proxy on 'rols_it'@'127.0.0.1' to 'tom'@'127.0.0.1';
Query OK, 0 rows affected (0.00 sec)
4. 测试
* 创建测试数据库 itmysql> create database it;
Query OK, 1 row affected (0.00 sec)
* 给角色 (rols) 添加数据库 it 的查看权限mysql> grant select ON it.* TO 'rols_it'@'127.0.0.1';
Query OK, 0 rows affected (0.00 sec)
* 查看角色权限mysql> show grants for 'rols_it'@'127.0.0.1';
+-------------------------------------------------+
| Grants for rols_it@127.0.0.1 |
+-------------------------------------------------+
| GRANT USAGE ON *.* TO 'rols_it'@'127.0.0.1' |
| GRANT SELECT ON `it`.* TO 'rols_it'@'127.0.0.1' |
+-------------------------------------------------+
2 rows in set (0.01 sec)
* 查看tom用户权限mysql> show grants for 'tom'@'127.0.0.1';
+-----------------------------------------------------------+
| Grants for tom@127.0.0.1 |
+-----------------------------------------------------------+
| GRANT USAGE ON *.* TO 'tom'@'127.0.0.1' |
| GRANT PROXY ON 'rols_it'@'127.0.0.1' TO 'tom'@'127.0.0.1' |
+-----------------------------------------------------------+
2 rows in set (0.00 sec)
* 通过tom用户登陆连接MySQL[root@MySQL mysql_data]# mysql -utom -p123456 -h127.0.0.1
mysql: [Warning] Using a password on the command line interface can be insecure.
Welcome to the MySQL monitor. Commands end with ; or \g.
Your MySQL connection id is 14
Server version: 5.7.18-log MySQL Community Server (GPL)
Copyright (c) 2000, 2017, Oracle and/or its affiliates. All rights reserved.
Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.
Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
mysql> show databases;
+--------------------+
| Database |
+--------------------+
| information_schema |
| it |
+--------------------+
2 rows in set (0.00 sec)
5. 总结
以需求驱动技术,技术本身没有优略之分,只有业务之分。
126
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
