blob: 74771991b0d69c016d618dfaf790006df6e9adfd (
plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
|
create user 'test_user'@'localhost';
create role test_role1;
create role test_role2;
create role test_role3;
grant test_role1 to test_user@localhost;
grant test_role3 to test_user@localhost;
grant test_role2 to test_role1;
select user, host from mysql.user where user not like 'root';
User Host
test_role1
test_role2
test_role3
test_user localhost
select * from mysql.roles_mapping;
Host User Role Admin_option
test_role1 test_role2 N
localhost root test_role1 Y
localhost root test_role2 Y
localhost root test_role3 Y
localhost test_user test_role1 N
localhost test_user test_role3 N
create function mysql.test_func (s CHAR(20))
returns CHAR(50) DETERMINISTIC
return concat('Test string: ',s);
create procedure mysql.test_proc (OUT param1 INT)
begin
select COUNT(*) into param1 from mysql.roles_mapping;
end|
grant execute on function mysql.test_func to test_role2;
grant execute on procedure mysql.test_proc to test_role2;
grant execute on mysql.* to test_role3;
show grants;
Grants for test_user@localhost
GRANT USAGE ON *.* TO `test_user`@`localhost`
GRANT `test_role1` TO `test_user`@`localhost`
GRANT `test_role3` TO `test_user`@`localhost`
use mysql;
ERROR 42000: Access denied for user 'test_user'@'localhost' to database 'mysql'
select current_user(), current_role();
current_user() current_role()
test_user@localhost NULL
set role test_role1;
select current_user(), current_role();
current_user() current_role()
test_user@localhost test_role1
use mysql;
call test_proc(@a);
SELECT @a;
@a
6
SELECT test_func('AABBCCDD');
test_func('AABBCCDD')
Test string: AABBCCDD
show grants;
Grants for test_user@localhost
GRANT EXECUTE ON FUNCTION `mysql`.`test_func` TO `test_role2`
GRANT EXECUTE ON PROCEDURE `mysql`.`test_proc` TO `test_role2`
GRANT USAGE ON *.* TO `test_role1`
GRANT USAGE ON *.* TO `test_role2`
GRANT USAGE ON *.* TO `test_user`@`localhost`
GRANT `test_role1` TO `test_user`@`localhost`
GRANT `test_role2` TO `test_role1`
GRANT `test_role3` TO `test_user`@`localhost`
set role none;
select current_user(), current_role();
current_user() current_role()
test_user@localhost NULL
show grants;
Grants for test_user@localhost
GRANT USAGE ON *.* TO `test_user`@`localhost`
GRANT `test_role1` TO `test_user`@`localhost`
GRANT `test_role3` TO `test_user`@`localhost`
call test_proc(@a);
ERROR 42000: execute command denied to user 'test_user'@'localhost' for routine 'mysql.test_proc'
SELECT test_func('AABBCCDD');
ERROR 42000: execute command denied to user 'test_user'@'localhost' for routine 'mysql.test_func'
set role test_role3;
select current_user(), current_role();
current_user() current_role()
test_user@localhost test_role3
show grants;
Grants for test_user@localhost
GRANT EXECUTE ON `mysql`.* TO `test_role3`
GRANT USAGE ON *.* TO `test_role3`
GRANT USAGE ON *.* TO `test_user`@`localhost`
GRANT `test_role1` TO `test_user`@`localhost`
GRANT `test_role3` TO `test_user`@`localhost`
call test_proc(@a);
SELECT @a;
@a
6
SELECT test_func('AABBCCDD');
test_func('AABBCCDD')
Test string: AABBCCDD
drop user 'test_user'@'localhost';
revoke execute on function mysql.test_func from test_role2;
revoke execute on procedure mysql.test_proc from test_role2;
revoke execute on mysql.* from test_role3;
delete from mysql.user where user like'test_%';
delete from mysql.roles_mapping where Role like 'test%';
drop function mysql.test_func;
drop procedure mysql.test_proc;
flush privileges;
|