Allow GRANT in procedures?
I created a procedure that prepares a statement to grant a privilege to a user with a password. I created this procedure to avoid having to give admin users an explicit GRANT privilege, and instead let them use a procedure that does exactly what I intend.
The procedure is as follows:
CREATE PROCEDURE grantPermission (perm VARCHAR(30), target VARCHAR(30), id VARCHAR(8), host VARCHAR(45), passwd VARCHAR(45))
BEGIN
SET @setPermissionCmd = CONCAT('GRANT ', perm, ' ON ', target, ' TO ''', id, '''@''', host, ''' IDENTIFIED BY ''', passwd, ''';');
PREPARE setPermissionStmt FROM @setPermissionCmd;
EXECUTE setPermissionStmt;
DEALLOCATE PREPARE setPermissionStmt;
FLUSH PRIVILEGES;
END
When I CALL this procedure, I get error code 1142, saying I don't have the GRANT privilege. There are two problems here. First, I am executing it as root, which should have all privileges (I have not removed any privileges, and root is the one who created the procedure). Second, having the right to execute a procedure should mean having the right to execute any operation inside it.
My test:
$ mysql -u root -p
Enter password:
Welcome to the MySQL monitor. Commands end with ; or \g.
Your MySQL connection id is 1
Server version: 5.5.35-1ubuntu1 (Ubuntu)
Copyright (c) 2000, 2013, Oracle and/or its affiliates. All rights reserved.
Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.
Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
mysql> use test;
Database changed
mysql> CREATE TABLE `tableTest`(`id` INT UNSIGNED);
Query OK, 0 rows affected (0.00 sec)
mysql> CREATE USER 'userTest'@'localhost' IDENTIFIED BY 'mypass';
Query OK, 0 rows affected (0.00 sec)
mysql> SHOW GRANTS FOR 'userTest'@'localhost';
+-----------------------------------------------------------------------------------------------------------------+
| Grants for userTest@localhost |
+-----------------------------------------------------------------------------------------------------------------+
| GRANT USAGE ON *.* TO 'userTest'@'localhost' IDENTIFIED BY PASSWORD '*6C8989366EAF75BB670AD8EA7A7FC1176A95CEF4' |
+-----------------------------------------------------------------------------------------------------------------+
1 row in set (0.00 sec)
mysql> DELIMITER //
mysql> DROP PROCEDURE IF EXISTS `grantPermission`//
Query OK, 0 rows affected, 1 warning (0.00 sec)
mysql> CREATE PROCEDURE `grantPermission` (`perm` VARCHAR(30),
-> `target` VARCHAR(30),
-> `id` VARCHAR(8),
-> `host` VARCHAR(45),
-> `passwd` VARCHAR(45))
-> BEGIN
-> SET @`setPermissionCmd` = CONCAT(
-> 'GRANT ', `perm`, ' ON `', `target`, '`
> TO ''', `id`, '''@''', `host`, '''
> IDENTIFIED BY ''', `passwd`, ''';');
-> PREPARE `setPermissionStmt` FROM @`setPermissionCmd`;
-> EXECUTE `setPermissionStmt`;
-> DEALLOCATE PREPARE `setPermissionStmt`;
-> FLUSH PRIVILEGES;
-> END//
Query OK, 0 rows affected (0.00 sec)
mysql> DELIMITER ;
mysql> CALL `grantPermission`('SELECT', 'tableTest', 'userTest', 'localhost', 'mypass');
Query OK, 0 rows affected (0.00 sec)
mysql> SHOW GRANTS FOR 'userTest'@'localhost';
+-----------------------------------------------------------------------------------------------------------------+
| Grants for userTest@localhost |
+-----------------------------------------------------------------------------------------------------------------+
| GRANT USAGE ON *.* TO 'userTest'@'localhost' IDENTIFIED BY PASSWORD '*6C8989366EAF75BB670AD8EA7A7FC1176A95CEF4' |
| GRANT SELECT ON `test`.`tableTest` TO 'userTest'@'localhost' |
+-----------------------------------------------------------------------------------------------------------------+
2 rows in set (0.00 sec)
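Added here as an illustration, not the poster's code: a hardened variant of the same procedure. It keeps the design (the definer's privileges perform the GRANT, so callers need only EXECUTE on the procedure, not GRANT OPTION) but whitelists the privilege name, restricts identifiers to a safe character set and uses QUOTE() so that a parameter containing a quote or backtick cannot change the statement. The allowed-privilege list and the identifier patterns are assumptions for the example.

```sql
DELIMITER //
CREATE PROCEDURE `grantPermissionSafe` (
    `perm`   VARCHAR(30),
    `target` VARCHAR(30),
    `id`     VARCHAR(8),
    `host`   VARCHAR(45),
    `passwd` VARCHAR(45))
SQL SECURITY DEFINER   -- default anyway: runs with the creator's (root's) privileges
BEGIN
    -- Only privileges from a fixed list are accepted
    -- (assumption: SELECT/INSERT/UPDATE/DELETE is the intended set).
    IF `perm` NOT IN ('SELECT', 'INSERT', 'UPDATE', 'DELETE') THEN
        SIGNAL SQLSTATE '45000'
            SET MESSAGE_TEXT = 'grantPermissionSafe: privilege not allowed';
    END IF;

    -- Table name and user/host parts must be plain identifiers, so a quote,
    -- backtick or semicolon in a parameter cannot alter the generated GRANT.
    IF `target` NOT REGEXP '^[A-Za-z0-9_]+$'
       OR `id`   NOT REGEXP '^[A-Za-z0-9_]+$'
       OR `host` NOT REGEXP '^[A-Za-z0-9_.%-]+$' THEN
        SIGNAL SQLSTATE '45000'
            SET MESSAGE_TEXT = 'grantPermissionSafe: invalid identifier';
    END IF;

    -- The table is pinned to the caller's current schema; QUOTE() renders
    -- user, host and password as properly escaped string literals.
    SET @`setPermissionCmd` = CONCAT(
        'GRANT ', `perm`, ' ON `', DATABASE(), '`.`', `target`, '` TO ',
        QUOTE(`id`), '@', QUOTE(`host`), ' IDENTIFIED BY ', QUOTE(`passwd`));

    PREPARE `setPermissionStmt` FROM @`setPermissionCmd`;
    EXECUTE `setPermissionStmt`;
    DEALLOCATE PREPARE `setPermissionStmt`;
    -- No FLUSH PRIVILEGES needed: GRANT updates the in-memory grant tables itself.
END//
DELIMITER ;

-- Delegation: the admin account gets EXECUTE on this one routine instead of GRANT OPTION.
GRANT EXECUTE ON PROCEDURE `test`.`grantPermissionSafe` TO 'adminUser'@'localhost';
```

Note that IDENTIFIED BY in a GRANT resets the password of an existing user, exactly as in the original procedure, so the password parameter should be treated as a credential in any logs or audit trail of CALLs.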