7.2.2 Grant Tables 授权表
The mysql system database includes several grant tables that contain information about user accounts and the privileges held by them. This section describes those tables. For information about other tables in the system database, see Section 6.3, “The mysql System Database”.mysql系统数据库包括几个授权表,其中包含有关用户帐户及其拥有的权限的信息。 本节描述这些表。 有关系统数据库中其他表的信息,请参见第6.3节“mysql系统数据库”。
Normally, to manipulate the contents of grant tables, you modify them indirectly by using account-management statements such as CREATE USER, GRANT, and REVOKE to set up accounts and control the privileges available to each one. See Section 14.7.1, “Account Management Statements”. The discussion here describes the underlying structure of the grant tables and how the server uses their contents when interacting with clients.通常,要操作授权表的内容,可以使用帐户管理语句(如CREATE USER,GRANT和REVOKE)间接修改它们,以设置帐户并控制每个帐户可用的权限。 请参见第14.7.1节“帐户管理语句”。 这里的讨论描述了权限表的底层结构以及服务器在与客户端交互时如何使用它们的内容。
复制代码
Note
Direct modification of grant tables using statements such as INSERT, UPDATE, or DELETE is discouraged and done at your own risk.
The server is free to ignore rows that become malformed as a result of such modifications.
不鼓励使用诸如INSERT,UPDATE或DELETE之类的语句直接修改授权表及风险自己承担。 服务器可以随意忽略由于这种修改而导致格式不正确的行。
As of MySQL 5.7.18, for any operation that modifies a grant table, the server checks whether the table has the expected structure
and produces an error if not. mysql_upgrade must be run to update the tables to the expected structure.
从MySQL 5.7.18起,对于修改授权表的任何操作,服务器都会检查表是否具有预期结构,如果没有,则会产生错误。 必须运行mysql_upgrade才能将表更新为预期结构。
复制代码
These mysql database tables contain grant information: mysql数据库表包含的授权信息:
7.2.2 Grant Tables 授权表
The mysql system database includes several grant tables that contain information about user accounts and the privileges held by them. This section describes those tables. For information about other tables in the system database, see Section 6.3, “The mysql System Database”.mysql系统数据库包括几个授权表,其中包含有关用户帐户及其拥有的权限的信息。 本节描述这些表。 有关系统数据库中其他表的信息,请参见第6.3节“mysql系统数据库”。
Normally, to manipulate the contents of grant tables, you modify them indirectly by using account-management statements such as CREATE USER, GRANT, and REVOKE to set up accounts and control the privileges available to each one. See Section 14.7.1, “Account Management Statements”. The discussion here describes the underlying structure of the grant tables and how the server uses their contents when interacting with clients.通常,要操作授权表的内容,可以使用帐户管理语句(如CREATE USER,GRANT和REVOKE)间接修改它们,以设置帐户并控制每个帐户可用的权限。 请参见第14.7.1节“帐户管理语句”。 这里的讨论描述了权限表的底层结构以及服务器在与客户端交互时如何使用它们的内容。
复制代码
Note
Direct modification of grant tables using statements such as INSERT, UPDATE, or DELETE is discouraged and done at your own risk. The server is free to ignore rows that become malformed as a result of such modifications.
不鼓励使用诸如INSERT,UPDATE或DELETE之类的语句直接修改授权表及风险自己承担。 服务器可以随意忽略由于这种修改而导致格式不正确的行。
As of MySQL 5.7.18, for any operation that modifies a grant table, the server checks whether the table has the expected structure and produces an error if not. mysql_upgrade must be run to update the tables to the expected structure.
从MySQL 5.7.18起,对于修改授权表的任何操作,服务器都会检查表是否具有预期结构,如果没有,则会产生错误。 必须运行mysql_upgrade才能将表更新为预期结构。
复制代码
These mysql database tables contain grant information: mysql数据库表包含的授权信息:
• user: User accounts, global privileges, and other non-privilege columns users账户,全局权限,和其他非特权列账户
• db: Database-level privileges 数据库级别权限
• tables_priv: Table-level privileges 表级别权限
• columns_priv: Column-level privileges 列级别权限
• procs_priv: Stored procedure and function privileges 存储存储过程和函数权限
• proxies_priv: Proxy-user privileges 用户代理权限
Each grant table contains scope columns and privilege columns:每个授权表包含范围列和特权列:
•Scope columns determine the scope of each row in the tables; that is, the context in which the row applies. For example, a user
table row with Host
and User
values of 'thomas.loc.gov'
and 'bob'
applies to authenticating connections made to the server from the host thomas.loc.gov
by a client that specifies a user name of bob
. Similarly, a db
table row with Host
, User
, and Db
column values of 'thomas.loc.gov'
, 'bob'
and 'reports'
applies when bob
connects from the host thomas.loc.gov
to access the reports
database. The tables_priv
and columns_priv
tables contain scope columns indicating tables or table/column combinations to which each row applies. The procs_priv
scope columns indicate the stored routine to which each row applies.
范围列确定表中每行的范围; 即行应用的上下文。 例如,用户表的行使用"thomas.loc.gov"和'bob'的Host和User变量值应用于认证连接,通过一个指定的'bob'用户名来间接到host为thomas.loc.gov的服务器上 。 类似地,当用户bob从主机thomas.loc.gov通过reports数据库连入时候,在db表上具有host,user,和db列上的thomas.loc.gov,bob,和reports的值将会被应用.tables_priv和columns_priv表包含指示每个行应用于的表或表/列组合的范围列。procs_priv范围列指示每行应用的存储例程
•Privilege columns indicate which privileges a table row grants; that is, which operations it permits to be performed. The server combines the information in the various grant tables to form a complete description of a user's privileges. Section 7.2.5, “Access Control, Stage 2: Request Verification”, describes the rules for this.特权列表明表行授予的特权; 也就是说,它允许执行哪些操作。 服务器组合各种授权表中的信息以形成用户特权的完整描述。 第7.2.5节“访问控制,阶段2:请求验证”描述了这一点的规则。
The server uses the grant tables in the following manner:服务器以下列方式使用授予表:
user
table scope columns determine whether to reject or permit incoming connections. For permitted connections, any privileges granted in theuser
table indicate the user's global privileges. Any privileges granted in this table apply to all databases on the server.用户表范围列决定是拒绝还是允许传入连接。 对于允许的连接,在用户表中授予的任何特权表示用户的全局特权。 此表中授予的任何特权适用于服务器上的所有数据库。Caution
Because any global privilege is considered a privilege for all databases, any global privilege enables a user to see all
database names with SHOW DATABASES or by examining the SCHEMATA table of INFORMATION_SCHEMA.
因为任何全局特权都被视为所有数据库的特权,任何全局特权使用户能够通过SHOW DATABASES或通过检查INFORMATION_SCHEMA的SCHEMATA表来查看所有数据库名称。
• The db
table scope columns determine which users can access which databases from which hosts. The privilege columns determine the permitted operations. A privilege granted at the database level applies to the database and to all objects in the database, such as tables and stored programs.
数据库表范围列确定哪些用户可以从哪些主机访问哪些数据库。 权限列确定允许的操作。 在数据库级别授予的特权适用于数据库和数据库中的所有对象,例如表和存储的程序。
•The tables_priv
and columns_priv
tables are similar to the db
table, but are more fine-grained: They apply at the table and column levels rather than at the database level. A privilege granted at the table level applies to the table and to all its columns. A privilege granted at the column level applies only to a specific column.
tables_priv和columns_priv表与db表类似,但是更细粒度:它们在表级和列级而不是在数据库级应用。 在表级别授予的权限适用于表及其所有列。 在列级别授予的权限仅适用于特定列。
•The procs_priv
table applies to stored routines (procedures and functions). A privilege granted at the routine level applies only to a single procedure or function.
procs_priv表适用于存储的例程(过程和函数)。 在例程级别授予的特权仅适用于单个过程或函数。
•The proxies_priv
table indicates which users can act as proxies for other users and whether a user can grant the PROXY
privilege to other users.
proxies_priv表指示哪些用户可以充当其他用户的代理以及用户是否可以向其他用户授予PROXY权限。
The server uses the user
and db
tables in the mysql
database at both the first and second stages of access control (see Section 7.2, “The MySQL Access Privilege System”). The columns in the user
and db
tables are shown here.
服务器在访问控制的第一和第二阶段使用mysql数据库中的用户和数据库表(请参见第7.2节“MySQL访问权限系统”)。 此处显示用户和数据库表中的列。
Table 7.3 user and db Table Columns
Table Name | user | db |
---|---|---|
Scope columns | Host |
Host |
User |
Db |
|
Password |
User |
|
Privilege columns | Select_priv |
Select_priv |
Insert_priv |
Insert_priv |
|
Update_priv |
Update_priv |
|
Delete_priv |
Delete_priv |
|
Index_priv |
Index_priv |
|
Alter_priv |
Alter_priv |
|
Create_priv |
Create_priv |
|
Drop_priv |
Drop_priv |
|
Grant_priv |
Grant_priv |
|
Create_view_priv |
Create_view_priv |
|
Show_view_priv |
Show_view_priv |
|
Create_routine_priv |
Create_routine_priv |
|
Alter_routine_priv |
Alter_routine_priv |
|
Execute_priv |
Execute_priv |
|
Trigger_priv |
Trigger_priv |
|
Event_priv |
Event_priv |
|
Create_tmp_table_priv |
Create_tmp_table_priv |
|
Lock_tables_priv |
Lock_tables_priv |
|
References_priv |
References_priv |
|
Reload_priv |
||
Shutdown_priv |
||
Process_priv |
||
File_priv |
||
Show_db_priv |
||
Super_priv |
||
Repl_slave_priv |
||
Repl_client_priv |
||
Create_user_priv |
||
Create_tablespace_priv |
||
Security columns | ssl_type |
|
ssl_cipher |
||
x509_issuer |
||
x509_subject |
||
plugin |
||
authentication_string |
||
password_expired |
||
password_last_changed |
||
password_lifetime |
||
account_locked |
||
Resource control columns | max_questions |
|
max_updates |
||
max_connections |
||
max_user_connections |
The user
table plugin
, Password
, and authentication_string
columns store authentication plugin and credential information. In MySQL 5.7.6, the Password
column was removed and all credentials are stored in the authentication_string
column.
If an account row names a plugin in the plugin
column, the server uses it to authenticate connection attempts for the account. It is up to the plugin whether it uses the Password
and authentication_string
column values.
如果帐户行在插件列中命名插件,则服务器使用它来验证帐户的连接尝试。 它是由插件决定是否使用Password和authentication_string列值。
As of MySQL 5.7.2, the plugin
column must be nonempty.从MySQL 5.7.2开始,插件列必须是非空的。
Before MySQL 5.7.2, the plugin
column for an account row is permitted to be empty. In this case, the server authenticates the account using themysql_native_password
or mysql_old_password
plugin implicitly, depending on the format of the password hash in the Password
column. If thePassword
value is empty or a 4.1 password hash (41 characters), the server uses mysql_native_password
. If the password value is a pre-4.1 password hash (16 characters), the server uses mysql_old_password
. (For additional information about these hash formats, see Section 7.1.2.4, “Password Hashing in MySQL”.) Clients must match the password in the Password
column of the account row.
在MySQL 5.7.2之前,帐户行的插件列允许为空。 在这种情况下,服务器使用mysql_native_password或mysql_old_password插件隐式地验证帐户,具体取决于密码列中密码哈希的格式。 如果密码值为空或4.1密码散列(41个字符),则服务器使用mysql_native_password。 如果密码值为4.1之前的密码哈希值(16个字符),则服务器使用mysql_old_password。 (有关这些哈希格式的更多信息,请参见第7.1.2.4节“MySQL中的密码哈希”。)客户端必须与帐户行的“密码”列中的密码匹配。
At startup, and at runtime when FLUSH PRIVILEGES
is executed, the server checks user
table rows. As of MySQL 5.7.2, for any row with an empty plugin
column, the server writes a warning to the error log of this form:
在启动时,并且在运行时,当执行FLUSH PRIVILEGES时,服务器检查用户表行。 从MySQL 5.7.2开始,对于具有空插件列的任何行,服务器向此窗体的错误日志写入警告:
[Warning] User entry 'user_name
'@'host_name
' has an empty plugin value. The user will be ignored and no one can login with this user anymore.
[警告]用户条目'user_name'@'host_name'具有空插件值。 用户将被忽略,任何人都不能再使用此用户登录。
To address this problem, see Section 7.5.1.3, “Migrating Away from Pre-4.1 Password Hashing and the mysql_old_password Plugin”.
要解决这些问题,看Section 7.5.1.3, “Migrating Away from Pre-4.1 Password Hashing and the mysql_old_password Plugin”.
The password_expired
column permits DBAs to expire account passwords and require users to reset their password. The default password_expired
value is 'N'
, but can be set to 'Y'
with the ALTER USER
statement. After an account's password has been expired, all operations performed by the account in subsequent connections to the server result in an error until the user issues an ALTER USER
statement (for MySQL 5.7.6 and up) or SET PASSWORD
statement (before MySQL 5.7.6) to establish a new account password.
password_expired列允许DBA设置过期帐户密码,并要求用户重置其密码。 缺省password_expired值为“N”,但可以使用ALTER USER语句设置为“Y”。 在帐户的密码已过期后,帐户在后续连接到服务器中执行的所有操作都会导致错误,直到用户发出ALTER USER语句(对于MySQL 5.7.6及更高版本)或SET PASSWORD语句(在MySQL 5.7.6之前)建立新的帐户密码。
It is possible after password expiration to “reset” a password by setting it to its current value. As a matter of good policy, it is preferable to choose a different password.
密码过期后,可以通过将密码设置为当前值来“重置”密码。 作为良好的策略,最好选择不同的密码。
password_last_changed
(added in MySQL 5.7.4) is a TIMESTAMP
column indicating when the password was last changed. The value is non-NULL
only for accounts that use MySQL built-in authentication methods (accounts that use an authentication plugin of mysql_native_password
,mysql_old_password
, or sha256_password
). The value is NULL
for other accounts, such as those authenticated using an external authentication system.
password_last_changed(在MySQL 5.7.4中添加)是一个TIMESTAMP列,指示上次更改密码的时间。 该值仅对使用MySQL内置身份验证方法的帐户(使用mysql_native_password,mysql_old_password或sha256_password的身份验证插件的帐户)为非NULL。 其他帐户的值为NULL,例如使用外部认证系统认证的帐户。
password_last_changed
is updated by the CREATE USER
, ALTER USER
, and SET PASSWORD
statements, and by GRANT
statements that create an account or change an account password.
password_last_changed由CREATE USER,ALTER USER和SET PASSWORD语句以及创建帐户或更改帐户密码的GRANT语句更新。
password_lifetime
(added in MySQL 5.7.4) indicates the account password lifetime, in days. If the password is past its lifetime (assessed using thepassword_last_changed
column), the server considers the password expired when clients connect using the account. A value of N
greater than zero means that the password must be changed every N
days. A value of 0 disables automatic password expiration. If the value is NULL
(the default), the global expiration policy applies, as defined by the default_password_lifetime
system variable.
password_lifetime(在MySQL 5.7.4中添加)表示帐户密码的生命周期,以天为单位。 如果密码超过其生命周期(使用password_last_changed列进行评估),则当客户端使用该帐户连接时,服务器认为密码已过期。 大于零的N值表示密码必须每N天更改一次。 值为0将禁用自动密码到期。 如果值为NULL(缺省值),则应用全局过期策略,由default_password_lifetime系统变量定义。
account_locked
(added in MySQL 5.7.6) indicates whether the account is locked (see Section 7.3.10, “User Account Locking”).
account_locked(在MySQL 5.7.6中添加)指示帐户是否被锁定(请参见第7.3.10节“用户帐户锁定”)。
During the second stage of access control, the server performs request verification to ensure that each client has sufficient privileges for each request that it issues. In addition to the user
and db
grant tables, the server may also consult the tables_priv
and columns_priv
tables for requests that involve tables. The latter tables provide finer privilege control at the table and column levels. They have the columns shown in the following table.
在访问控制的第二阶段期间,服务器执行请求验证以确保每个客户端对其发出的每个请求具有足够的特权。 除了用户和数据库授权表之外,服务器还可以查询涉及表的请求的tables_priv和columns_priv表。 后面的表在表和列级别提供更精细的权限控制。 它们具有下表中所示的列。
Table 7.4 tables_priv and columns_priv Table Columns
Table Name | tables_priv | columns_priv |
---|---|---|
Scope columns | Host |
Host |
Db |
Db |
|
User |
User |
|
Table_name |
Table_name |
|
Column_name |
||
Privilege columns | Table_priv |
Column_priv |
Column_priv |
||
Other columns | Timestamp |
Timestamp |
Grantor |
The Timestamp
and Grantor
columns are set to the current timestamp and the CURRENT_USER
value, respectively, but are otherwise unused.
时间戳和授予者列分别设置为当前时间戳和CURRENT_USER值,但未使用。
For verification of requests that involve stored routines, the server may consult the procs_priv
table, which has the columns shown in the following table.
Table 7.5 procs_priv Table Columns
Table Name | procs_priv |
---|---|
Scope columns | Host |
Db |
|
User |
|
Routine_name |
|
Routine_type |
|
Privilege columns | Proc_priv |
Other columns | Timestamp |
Grantor |
The Routine_type
column is an ENUM
column with values of 'FUNCTION'
or 'PROCEDURE'
to indicate the type of routine the row refers to. This column enables privileges to be granted separately for a function and a procedure with the same name.Routine_type列是具有值“FUNCTION”或“PROCEDURE”的ENUM列,以指示该行所引用的例程的类型。 此列允许为具有相同名称的函数和过程单独授予权限。
The Timestamp
and Grantor
columns are unused. TIMESTAMP和Grantor列不被使用
The proxies_priv
table records information about proxy accounts. It has these columns:proxies_priv表记录了代理用户的信息
-
Host
,User
: The proxy account; that is, the account that has thePROXY
privilege for the proxied account.代理帐户; 即具有代理帐户的PROXY权限的帐户。 -
Proxied_host
,Proxied_user
: The proxied account. 代理账户 -
Grantor
,Timestamp
: Unused. 未被使用 -
With_grant
: Whether the proxy account can grant thePROXY
privilege to other accounts.代理帐户是否可以将PROXY权限授予其他帐户。
For an account to be able to grant the PROXY
privilege to other accounts, it must have a row in the proxies_priv
table with With_grant
set to 1 andProxied_host
and Proxied_user
set to indicate the account or accounts for which the privilege can be granted. For example, the 'root'@'localhost'
account created during MySQL installation has a row in the proxies_priv
table that enables granting the PROXY
privilege for ''@''
, that is, for all users and all hosts. This enables root
to set up proxy users, as well as to delegate to other accounts the authority to set up proxy users. See Section 7.3.9, “Proxy Users”.
要使帐户能够将PROXY权限授予其他帐户,必须在proxies_priv表中具有一行,将With_grant设置为1,并将Proxied_host和Proxied_user设置为指示可以授予该权限的一个或多个帐户。 例如,在MySQL安装过程中创建的'root'@'localhost'帐户在proxies_priv表中有一行,该表允许授予“@”的PROXY权限,即所有用户和所有主机。 这使root可以设置代理用户,以及委派给其他帐户设置代理用户的权限。 请参见第7.3.9节“代理用户”。
Scope columns in the grant tables contain strings. The default value for each is the empty string. The following table shows the number of characters permitted in each column.范围列在授权表中包含字符串。 每个的默认值是空字符串。 下表显示每个列中允许的字符数。
Table 7.6 Grant Table Scope Column Lengths
Column Name | Maximum Permitted Characters |
---|---|
Host , Proxied_host |
60 |
User , Proxied_user |
32 (16 before MySQL 5.7.8) |
Password |
41 |
Db |
64 |
Table_name |
64 |
Column_name |
64 |
Routine_name |
64 |
For access-checking purposes, comparisons of User
, Proxied_user
, Password
, authentication_string
, Db
, and Table_name
values are case sensitive. Comparisons of Host
, Proxied_host
, Column_name
, and Routine_name
values are not case sensitive.为了进行访问检查,User,Proxied_user,Password,authentication_string,Db和Table_name值的比较区分大小写。 Host,Proxied_host,Column_name和Routine_name值的比较不区分大小写。
The user
and db
tables list each privilege in a separate column that is declared as ENUM('N','Y') DEFAULT 'N'
. In other words, each privilege can be disabled or enabled, with the default being disabled.用户和数据库表将每个特权列在一个单独的列中,该列声明为ENUM('N','Y')DEFAULT'N'。 换句话说,每个特权可以被禁用或启用,默认被禁用。
The tables_priv
, columns_priv
, and procs_priv
tables declare the privilege columns as SET
columns. Values in these columns can contain any combination of the privileges controlled by the table. Only those privileges listed in the column value are enabled.tables_priv,columns_priv和procs_priv表将特权列声明为SET列。 这些列中的值可以包含表所控制的特权的任何组合。 只有列值中列出的那些权限才会启用。
Table 7.7 Set-Type Privilege Column Values
Table Name | Column Name | Possible Set Elements |
---|---|---|
tables_priv |
Table_priv |
'Select', 'Insert', 'Update', 'Delete', 'Create', 'Drop', 'Grant', 'References', 'Index', 'Alter', 'Create View', 'Show view', 'Trigger' |
tables_priv |
Column_priv |
'Select', 'Insert', 'Update', 'References' |
columns_priv |
Column_priv |
'Select', 'Insert', 'Update', 'References' |
procs_priv |
Proc_priv |
'Execute', 'Alter Routine', 'Grant' |
Only the user
table specifies administrative privileges, such as RELOAD
and SHUTDOWN
. Administrative operations are operations on the server itself and are not database-specific, so there is no reason to list these privileges in the other grant tables. Consequently, the server need consult only the user
table to determine whether a user can perform an administrative operation.只有用户表指定管理权限,例如RELOAD和SHUTDOWN。 管理操作是服务器本身上的操作,不是数据库特定的,因此没有理由在其他授权表中列出这些权限。 因此,服务器只需要查询用户表以确定用户是否可以执行管理操作。
The FILE
privilege also is specified only in the user
table. It is not an administrative privilege as such, but a user's ability to read or write files on the server host is independent of the database being accessed.FILE权限也仅在用户表中指定。 它不是这样的管理权限,但用户在服务器主机上读取或写入文件的能力与正在访问的数据库无关。
The server reads the contents of the grant tables into memory when it starts. You can tell it to reload the tables by issuing a FLUSH PRIVILEGES
statement or executing a mysqladmin flush-privileges or mysqladmin reload command. Changes to the grant tables take effect as indicated in Section 7.2.6, “When Privilege Changes Take Effect”.服务器在启动时将授予表的内容读入内存。 您可以通过发出FLUSH PRIVILEGES语句或执行mysqladmin flush-privileges或mysqladmin reload命令来告诉它重新加载表。 对授予表的更改生效,如第7.2.6节“当权限更改生效时”所示。
When you modify an account, it is a good idea to verify that your changes have the intended effect. To check the privileges for a given account, use the SHOW GRANTS
statement. For example, to determine the privileges that are granted to an account with user name and host name values of bob
and pc84.example.com
, use this statement:修改帐户时,最好验证您的更改是否具有预期效果。 要检查给定帐户的权限,请使用SHOW GRANTS语句。 例如,要确定授予具有bob和pc84.example.com的用户名和主机名值的帐户的权限,请使用以下语句:
SHOW GRANTS FOR 'bob'@'pc84.example.com';
To display nonprivilege properties of an account, use SHOW CREATE USER:要显示帐户的非特权属性,请使用SHOW CREATE USER:
SHOW CREATE USER 'bob'@'pc84.example.com';