1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104
|
create user 'test_user'@'localhost';
create role test_role1;
create role test_role2;
create role test_role3;
grant test_role1 to test_user@localhost;
grant test_role3 to test_user@localhost;
grant test_role2 to test_role1;
select user, host from mysql.user where user not like 'root';
User Host
mariadb.sys localhost
test_role1
test_role2
test_role3
test_user localhost
select * from mysql.roles_mapping;
Host User Role Admin_option
test_role1 test_role2 N
localhost root test_role1 Y
localhost root test_role2 Y
localhost root test_role3 Y
localhost test_user test_role1 N
localhost test_user test_role3 N
create function mysql.test_func (s CHAR(20))
returns CHAR(50) DETERMINISTIC
return concat('Test string: ',s);
create procedure mysql.test_proc (OUT param1 INT)
begin
select COUNT(*) into param1 from mysql.roles_mapping;
end|
grant execute on function mysql.test_func to test_role2;
grant execute on procedure mysql.test_proc to test_role2;
grant execute on mysql.* to test_role3;
show grants;
Grants for test_user@localhost
GRANT USAGE ON *.* TO `test_user`@`localhost`
GRANT `test_role1` TO `test_user`@`localhost`
GRANT `test_role3` TO `test_user`@`localhost`
use mysql;
ERROR 42000: Access denied for user 'test_user'@'localhost' to database 'mysql'
select current_user(), current_role();
current_user() current_role()
test_user@localhost NULL
set role test_role1;
select current_user(), current_role();
current_user() current_role()
test_user@localhost test_role1
use mysql;
call test_proc(@a);
SELECT @a;
@a
6
SELECT test_func('AABBCCDD');
test_func('AABBCCDD')
Test string: AABBCCDD
show grants;
Grants for test_user@localhost
GRANT EXECUTE ON FUNCTION `mysql`.`test_func` TO `test_role2`
GRANT EXECUTE ON PROCEDURE `mysql`.`test_proc` TO `test_role2`
GRANT USAGE ON *.* TO `test_role1`
GRANT USAGE ON *.* TO `test_role2`
GRANT USAGE ON *.* TO `test_user`@`localhost`
GRANT `test_role1` TO `test_user`@`localhost`
GRANT `test_role2` TO `test_role1`
GRANT `test_role3` TO `test_user`@`localhost`
set role none;
select current_user(), current_role();
current_user() current_role()
test_user@localhost NULL
show grants;
Grants for test_user@localhost
GRANT USAGE ON *.* TO `test_user`@`localhost`
GRANT `test_role1` TO `test_user`@`localhost`
GRANT `test_role3` TO `test_user`@`localhost`
call test_proc(@a);
ERROR 42000: execute command denied to user 'test_user'@'localhost' for routine 'mysql.test_proc'
SELECT test_func('AABBCCDD');
ERROR 42000: execute command denied to user 'test_user'@'localhost' for routine 'mysql.test_func'
set role test_role3;
select current_user(), current_role();
current_user() current_role()
test_user@localhost test_role3
show grants;
Grants for test_user@localhost
GRANT EXECUTE ON `mysql`.* TO `test_role3`
GRANT USAGE ON *.* TO `test_role3`
GRANT USAGE ON *.* TO `test_user`@`localhost`
GRANT `test_role1` TO `test_user`@`localhost`
GRANT `test_role3` TO `test_user`@`localhost`
call test_proc(@a);
SELECT @a;
@a
6
SELECT test_func('AABBCCDD');
test_func('AABBCCDD')
Test string: AABBCCDD
drop user 'test_user'@'localhost';
revoke execute on function mysql.test_func from test_role2;
revoke execute on procedure mysql.test_proc from test_role2;
revoke execute on mysql.* from test_role3;
delete from mysql.user where user like'test_%';
delete from mysql.roles_mapping where Role like 'test%';
drop function mysql.test_func;
drop procedure mysql.test_proc;
flush privileges;
|