MySQL Privileges Discussion: The Cascading Effect of Revoking Privileges
2016-03-28 11:48
For example, A grants privilege X to B (with grant option), and B then grants X to C.
After A revokes privilege X from B, is C's privilege X affected? The answer is no.
D:\temp>mysql
Welcome to the MySQL monitor. Commands end with ; or \g.
Your MySQL connection id is 12
Server version: 5.7.11-log MySQL Community Server (GPL)
Copyright (c) 2000, 2016, Oracle and/or its affiliates. All rights reserved.
Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.
Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
mysql> show grants for 'ut01'@'%';
+----------------------------------+
| Grants for ut01@% |
+----------------------------------+
| GRANT USAGE ON *.* TO 'ut01'@'%' |
+----------------------------------+
1 row in set (0.00 sec)
mysql> create user 'ut02'@'%';
Query OK, 0 rows affected (0.09 sec)
mysql> alter user 'ut02'@'%' identified by '20127163';
Query OK, 0 rows affected (0.38 sec)
mysql> show grants for 'ut02'@'%';
+----------------------------------+
| Grants for ut02@% |
+----------------------------------+
| GRANT USAGE ON *.* TO 'ut02'@'%' |
+----------------------------------+
1 row in set (0.00 sec)
mysql>
Grant a privilege to ut01@%:
mysql> grant select on test.t_area to 'ut01'@'%' with grant option;
Query OK, 0 rows affected (0.04 sec)
mysql> show grants for 'ut01'@'%';
+-----------------------------------------------------------------+
| Grants for ut01@% |
+-----------------------------------------------------------------+
| GRANT USAGE ON *.* TO 'ut01'@'%' |
| GRANT SELECT ON `test`.`t_area` TO 'ut01'@'%' WITH GRANT OPTION |
+-----------------------------------------------------------------+
2 rows in set (0.00 sec)
mysql>
Now, as the ut01@% user, grant this privilege to the ut02@% user:
C:\Users\Administrator>mysql -uut01
Welcome to the MySQL monitor. Commands end with ; or \g.
Your MySQL connection id is 13
Server version: 5.7.11-log MySQL Community Server (GPL)
Copyright (c) 2000, 2016, Oracle and/or its affiliates. All rights reserved.
Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.
Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
mysql> grant select on test.t_area to 'ut02'@'%';
Query OK, 0 rows affected (0.04 sec)
mysql>
At this point, the privileges of ut02@% are:
mysql> show grants for 'ut02'@'%';
+-----------------------------------------------+
| Grants for ut02@% |
+-----------------------------------------------+
| GRANT USAGE ON *.* TO 'ut02'@'%' |
| GRANT SELECT ON `test`.`t_area` TO 'ut02'@'%' |
+-----------------------------------------------+
2 rows in set (0.00 sec)
mysql>
And the ut02@% user can select from this object:
mysql> use test
Database changed
mysql> select count(*) from test.t_area;
+----------+
| count(*) |
+----------+
| 228 |
+----------+
1 row in set (0.05 sec)
mysql>
Now revoke the select privilege from ut01@%:
mysql> revoke select on test.t_area from 'ut01'@'%';
Query OK, 0 rows affected (0.10 sec)
mysql> show grants for 'ut02'@'%';
+-----------------------------------------------+
| Grants for ut02@% |
+-----------------------------------------------+
| GRANT USAGE ON *.* TO 'ut02'@'%' |
| GRANT SELECT ON `test`.`t_area` TO 'ut02'@'%' | # the ut02@% user is not affected
+-----------------------------------------------+
2 rows in set (0.00 sec)
mysql> show grants for 'ut01'@'%';
+----------------------------------------------------------------+
| Grants for ut01@% |
+----------------------------------------------------------------+
| GRANT USAGE ON *.* TO 'ut01'@'%' |
| GRANT USAGE ON `test`.`t_area` TO 'ut01'@'%' WITH GRANT OPTION | # the grant option privilege is still retained
+----------------------------------------------------------------+
2 rows in set (0.00 sec)
mysql> revoke grant option on test.t_area from 'ut01'@'%'; # revoke it as well
Query OK, 0 rows affected (0.05 sec)
mysql> show grants for 'ut01'@'%';
+----------------------------------+
| Grants for ut01@% |
+----------------------------------+
| GRANT USAGE ON *.* TO 'ut01'@'%' |
+----------------------------------+
1 row in set (0.00 sec)
mysql> show grants for 'ut02'@'%';
+-----------------------------------------------+
| Grants for ut02@% |
+-----------------------------------------------+
| GRANT USAGE ON *.* TO 'ut02'@'%' |
| GRANT SELECT ON `test`.`t_area` TO 'ut02'@'%' | # as shown, revoking the privilege has no cascading effect
+-----------------------------------------------+
2 rows in set (0.00 sec)
mysql>
But what if B granted the privilege to C with grant option? Let's continue:
D:\temp>mysql
Welcome to the MySQL monitor. Commands end with ; or \g.
Your MySQL connection id is 17
Server version: 5.7.11-log MySQL Community Server (GPL)
Copyright (c) 2000, 2016, Oracle and/or its affiliates. All rights reserved.
Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.
Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
mysql> create user 'ut01'@'%';
Query OK, 0 rows affected (0.06 sec)
mysql> alter user 'ut01'@'%' identified by '20127163';
Query OK, 0 rows affected (0.03 sec)
mysql> create user 'ut02'@'%';
Query OK, 0 rows affected (0.05 sec)
mysql> alter user 'ut02'@'%' identified by '20127163';
Query OK, 0 rows affected (0.05 sec)
mysql> show grants for 'ut01'@'%';
+----------------------------------+
| Grants for ut01@% |
+----------------------------------+
| GRANT USAGE ON *.* TO 'ut01'@'%' |
+----------------------------------+
1 row in set (0.00 sec)
mysql> show grants for 'ut02'@'%';
+----------------------------------+
| Grants for ut02@% |
+----------------------------------+
| GRANT USAGE ON *.* TO 'ut02'@'%' |
+----------------------------------+
1 row in set (0.00 sec)
mysql> grant select on test.t_area to 'ut01'@'%' with grant option;
Query OK, 0 rows affected (0.05 sec)
mysql>
Now log in as the ut01@% user and grant this privilege to the ut02@% user:
C:\Users\Administrator>mysql -uut02
ERROR 1045 (28000): Access denied for user 'ut02'@'localhost' (using password: YES)
C:\Users\Administrator>mysql -uut01
Welcome to the MySQL monitor. Commands end with ; or \g.
Your MySQL connection id is 18
Server version: 5.7.11-log MySQL Community Server (GPL)
Copyright (c) 2000, 2016, Oracle and/or its affiliates. All rights reserved.
Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.
Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
mysql> grant select on test.t_area to 'ut02'@'%' with grant option;
Query OK, 0 rows affected (0.06 sec)
mysql>
Check the privileges of ut02@% again:
mysql> show grants for 'ut02'@'%';
+-----------------------------------------------------------------+
| Grants for ut02@% |
+-----------------------------------------------------------------+
| GRANT USAGE ON *.* TO 'ut02'@'%' |
| GRANT SELECT ON `test`.`t_area` TO 'ut02'@'%' WITH GRANT OPTION |
+-----------------------------------------------------------------+
2 rows in set (0.00 sec)
mysql>
Then revoke the grant option privilege from ut01@%:
mysql> revoke grant option on test.t_area from 'ut01'@'%';
Query OK, 0 rows affected (0.06 sec)
mysql> show grants for 'ut01'@'%';
+-----------------------------------------------+
| Grants for ut01@% |
+-----------------------------------------------+
| GRANT USAGE ON *.* TO 'ut01'@'%' |
| GRANT SELECT ON `test`.`t_area` TO 'ut01'@'%' | # the grant option of ut01@% has been revoked
+-----------------------------------------------+
2 rows in set (0.00 sec)
mysql> show grants for 'ut02'@'%';
+-----------------------------------------------------------------+
| Grants for ut02@% |
+-----------------------------------------------------------------+
| GRANT USAGE ON *.* TO 'ut02'@'%' |
| GRANT SELECT ON `test`.`t_area` TO 'ut02'@'%' WITH GRANT OPTION | # but the grant option privilege of ut02@% still exists
+-----------------------------------------------------------------+
2 rows in set (0.00 sec)
mysql>
Then go on to revoke the select privilege completely:
mysql> revoke select on test.t_area from 'ut01'@'%';
Query OK, 0 rows affected (0.05 sec)
mysql> show grants for 'ut01'@'%';
+----------------------------------+
| Grants for ut01@% |
+----------------------------------+
| GRANT USAGE ON *.* TO 'ut01'@'%' |
+----------------------------------+
1 row in set (0.00 sec)
mysql> show grants for 'ut02'@'%';
+-----------------------------------------------------------------+
| Grants for ut02@% |
+-----------------------------------------------------------------+
| GRANT USAGE ON *.* TO 'ut02'@'%' |
| GRANT SELECT ON `test`.`t_area` TO 'ut02'@'%' WITH GRANT OPTION | # as shown, still no effect
+-----------------------------------------------------------------+
2 rows in set (0.00 sec)
mysql>
Privileges in MySQL need to be controlled carefully; otherwise the situation shown above will occur.
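Because the revoke on ut01@% leaves the grant held by ut02@% in place, downstream grants have to be found and revoked explicitly. The SQL below is an added example, not part of the original post; it assumes the Grantor column of mysql.tables_priv records the granting session as user@host, which should be confirmed on your own server before relying on it.

```sql
-- Added example (not from the original post). Run as an administrative
-- account that can read the mysql schema. The names ut01, ut02 and
-- test.t_area are the ones used in the session above.

-- 1. Which accounts can re-grant table-level privileges?
--    IS_GRANTABLE = 'YES' marks a privilege held WITH GRANT OPTION.
SELECT GRANTEE, TABLE_SCHEMA, TABLE_NAME, PRIVILEGE_TYPE
  FROM information_schema.TABLE_PRIVILEGES
 WHERE IS_GRANTABLE = 'YES'
 ORDER BY GRANTEE, TABLE_SCHEMA, TABLE_NAME;

-- 2. Table grants that were issued by ut01.
--    Assumption: Grantor holds 'user@host' of the session that ran GRANT,
--    so only the user part is compared.
SELECT User, Host, Db, Table_name, Table_priv, Grantor, `Timestamp`
  FROM mysql.tables_priv
 WHERE SUBSTRING_INDEX(Grantor, '@', 1) = 'ut01'
   AND Table_priv <> '';

-- 3. Generate the matching REVOKE statements for review before running them.
--    Table_priv is a SET; its 'Grant' member is the GRANT OPTION privilege.
--    Names containing backticks or quotes need manual quoting.
SELECT CONCAT('REVOKE ', REPLACE(Table_priv, 'Grant', 'GRANT OPTION'),
              ' ON `', Db, '`.`', Table_name, '`',
              ' FROM ''', User, '''@''', Host, ''';') AS revoke_stmt
  FROM mysql.tables_priv
 WHERE SUBSTRING_INDEX(Grantor, '@', 1) = 'ut01'
   AND Table_priv <> '';

-- 4. For the second scenario above, the generated statement is equivalent to:
REVOKE SELECT, GRANT OPTION ON test.t_area FROM 'ut02'@'%';

-- 5. Confirm that only USAGE remains for the downstream account.
SHOW GRANTS FOR 'ut02'@'%';
```

When the downstream account also held the grant option, repeat steps 2 and 3 with that account as the grantor, since it may have passed the privilege on in turn.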