MySQL: How can I allow user B to alter user A's procedure without giving them GLOBAL SELECT permission?

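So, the original problem was that in MySQL Workbench I tried Alter Procedure and got nothing. No error, just nothing happened. It turns out that, despite having full privileges on the schema, I was not able to view its source code, because the definer of the stored procedure was not me.

Scenario: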

Database: Bugs
Users: A, B
Permissions: 
grant all privileges on bugs.* to 'A'@'%'
grant all privileges on bugs.* to 'B'@'%'

User A creates a stored procedure

create procedure user_A_procedure ...

We now have a procedure user_A_prodecure with definer set to A@% and security_type set to DEFINER

mysql> SHOW PROCEDURE STATUS\G
              Db: bugs
            Name: user_A_prodecure
            Type: PROCEDURE
         Definer: A@%
        Modified: 2018-10-26 10:30:06
         Created: 2018-10-26 10:30:06
   Security_type: DEFINER
         Comment: 
character_set_client: utf8
collation_connection: utf8_general_ci
  Database Collation: utf8_general_ci

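The problem is that user B wants to be able to edit the procedure (they do not have access to the original source), but they cannot. In MySQL Workbench nothing happens when they try to alter the procedure, and at the command prompt they cannot see the source code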

mysql> SHOW CREATE PROCEDURE user_A_procedure
           Procedure: user_A_procedure
            sql_mode: 
    Create Procedure: NULL
character_set_client: utf8
collation_connection: utf8_general_ci
  Database Collation: utf8_general_ci

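This does not return the source code, as it would if it were executed by user A; instead it returns NULL.

It turns out that to view another definer's stored procedure using MySQL Workbench or SHOW CREATE PROCEDURE, the user must be granted the GLOBAL SELECT privilege [1].

GLOBAL SELECT enables the user to read everything in every database, which is not a desirable option.

So my question is: how can I allow user A to see/alter user B's procedure without giving them the global SELECT privilege?

References: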

  1. https://dev.mysql.com/doc/refman/8.0/en/show-create-procedure.html
  2. https://dev.mysql.com/doc/refman/8.0/en/stored-programs-security.html

The MySQL 8.0 documentation was changed and contains an error.

This statement is a MySQL extension. It returns the exact string that can be used to re-create the named stored procedure. A similar statement, SHOW CREATE FUNCTION, displays information about stored functions (see Section 13.7.6.8, “SHOW CREATE FUNCTION Syntax”).

To use either statement, you must have the global SELECT privilege.

Source: https://dev.mysql.com/doc/refman/8.0/en/show-create-procedure.html

Compare with the MySQL 5.7 documentation.

This statement is a MySQL extension. It returns the exact string that can be used to re-create the named stored procedure. A similar statement, SHOW CREATE FUNCTION, displays information about stored functions (see Section 13.7.5.8, “SHOW CREATE FUNCTION Syntax”).

To use either statement, you must be the user named in the routine DEFINER clause or have SELECT access to the mysql.proc table. If you do not have privileges for the routine itself, the value displayed for the Create Procedure or Create Function field will be NULL.

Source: https://dev.mysql.com/doc/refman/5.7/en/show-create-procedure.html
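
The 5.7 rule quoted above ("SELECT access to the mysql.proc table") can be applied as a table-level grant instead of global SELECT. The script below is an added example, not part of the original question or answer; it assumes a MySQL 5.7 server and reuses the account, schema and routine names from the question.

```sql
-- Added example for MySQL 5.7; names follow the question's scenario.
-- Steps 1-3 run as an administrative account, steps 4-5 as user B.

-- 1. Audit: which accounts already hold global SELECT (can read every schema)?
SELECT User, Host
FROM mysql.user
WHERE Select_priv = 'Y';

-- 2. Narrow grant: read access to routine definitions only.
--    mysql.proc holds the bodies of all routines on the server, so B can
--    read every routine's source, but no rows from application tables.
GRANT SELECT ON mysql.proc TO 'B'@'%';

-- 3. Confirm B holds the table-level grant and no SELECT ON *.*.
SHOW GRANTS FOR 'B'@'%';

-- 4. As B: list routines in bugs and whether the body is still hidden
--    from the current account (body_hidden = 1 means no access).
SELECT ROUTINE_NAME, DEFINER, SECURITY_TYPE,
       ROUTINE_DEFINITION IS NULL AS body_hidden
FROM information_schema.ROUTINES
WHERE ROUTINE_SCHEMA = 'bugs';

-- 5. As B: the statement from the question; the Create Procedure field
--    should now contain the source instead of NULL.
SHOW CREATE PROCEDURE bugs.user_A_procedure\G

-- Changing the body means DROP PROCEDURE followed by CREATE PROCEDURE.
-- Unless B names DEFINER = 'A'@'%' (which requires SUPER in 5.7), the new
-- routine is defined by B and, under SQL SECURITY DEFINER, runs with B's
-- privileges instead of A's. Review that change before deploying it.
```

The mysql.proc table does not exist in MySQL 8.0, where routines are stored in the data dictionary, so the grant in step 2 applies to 5.7 only.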