Functional test report on MySQL Proxy Users

MySQL privilege management normally distinguishes accounts by User+Host. Once the number of users grows, modifying privileges one account at a time becomes tedious.

In practice, many users need almost identical privileges. In that situation, using the Proxy User feature that MySQL provides to implement "group privileges" and manage the privileges of a group's members in bulk becomes quite worthwhile.


First, let's look at the example from the official documentation:

-- create proxy account
CREATE USER 'employee_ext'@'localhost'
  IDENTIFIED WITH my_auth_plugin AS 'my_auth_string';

-- create proxied account and grant its privileges
CREATE USER 'employee'@'localhost'
  IDENTIFIED BY 'employee_pass';
GRANT ALL ON employees.*
  TO 'employee'@'localhost';

-- grant PROXY privilege to proxy account for proxied account
GRANT PROXY
  ON 'employee'@'localhost'
  TO 'employee_ext'@'localhost';

We run the experiment on two MySQL versions, 5.6 and 5.7.


MySQL 5.6 test procedure

mysql> select version();
+------------+
| version()  |
+------------+
| 5.6.36-log |
+------------+
1 row in set (0.00 sec)

mysql> create user 'group1';
Query OK, 0 rows affected (0.01 sec)

mysql> create user 'user1';
Query OK, 0 rows affected (0.01 sec)

mysql> create user 'user2';
Query OK, 0 rows affected (0.00 sec)

mysql> grant proxy on 'group1' to 'user1';
Query OK, 0 rows affected (0.00 sec)

mysql> grant proxy on 'group1' to 'user2';
Query OK, 0 rows affected (0.01 sec)


Check the privileges

mysql> show grants for 'group1';
+-------------------------------------+
| Grants for group1@%                 |
+-------------------------------------+
| GRANT SELECT ON *.* TO 'group1'@'%' |
+-------------------------------------+
1 row in set (0.00 sec)

mysql> show grants for 'user1';
+--------------------------------------------+
| Grants for user1@%                         |
+--------------------------------------------+
| GRANT USAGE ON *.* TO 'user1'@'%'          |
| GRANT PROXY ON 'group1'@'%' TO 'user1'@'%' |
+--------------------------------------------+
2 rows in set (0.00 sec)

mysql> show grants for 'user2';
+--------------------------------------------+
| Grants for user2@%                         |
+--------------------------------------------+
| GRANT USAGE ON *.* TO 'user2'@'%'          |
| GRANT PROXY ON 'group1'@'%' TO 'user2'@'%' |
+--------------------------------------------+
2 rows in set (0.00 sec)


Log in with one of the new accounts. Because no specific privileges were granted (only USAGE), only information_schema is visible after login.

[root@237_21 ~]# mysql -uuser1 -S /tmp/mysql3306.sock 
Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 6
Server version: 5.6.36-log MySQL Community Server (GPL)

Copyright (c) 2000, 2017, Oracle and/or its affiliates. All rights reserved.

Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

mysql> show databases;
+--------------------+
| Database           |
+--------------------+
| information_schema |
+--------------------+
1 row in set (0.00 sec)

Log in with the administrator account and modify the group's privileges

[root@237_21 ~]# mysql -uroot -p -S /tmp/mysql3306.sock 
Enter password: 
Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 5
Server version: 5.6.36-log MySQL Community Server (GPL)

Copyright (c) 2000, 2017, Oracle and/or its affiliates. All rights reserved.

Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

mysql> grant select on *.* to 'group1';
Query OK, 0 rows affected (0.01 sec)

mysql> show grants for 'group1';
+-------------------------------------+
| Grants for group1@%                 |
+-------------------------------------+
| GRANT SELECT ON *.* TO 'group1'@'%' |
+-------------------------------------+
1 row in set (0.00 sec)

Check whether the privileges of the group members have changed

mysql> show grants for 'user1';
+--------------------------------------------+
| Grants for user1@%                         |
+--------------------------------------------+
| GRANT USAGE ON *.* TO 'user1'@'%'          |
| GRANT PROXY ON 'group1'@'%' TO 'user1'@'%' |
+--------------------------------------------+
2 rows in set (0.00 sec)

mysql> show grants for 'user2';
+--------------------------------------------+
| Grants for user2@%                         |
+--------------------------------------------+
| GRANT USAGE ON *.* TO 'user2'@'%'          |
| GRANT PROXY ON 'group1'@'%' TO 'user2'@'%' |
+--------------------------------------------+
2 rows in set (0.00 sec)


Log in to MySQL again as a group member: the privileges were not inherited from the group.

[root@237_21 ~]# mysql -uuser1 -S /tmp/mysql3306.sock 
Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 6
Server version: 5.6.36-log MySQL Community Server (GPL)

Copyright (c) 2000, 2017, Oracle and/or its affiliates. All rights reserved.

Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

mysql> show databases;
+--------------------+
| Database           |
+--------------------+
| information_schema |
+--------------------+
1 row in set (0.00 sec)

MySQL 5.7 test procedure

mysql> select version();
+------------+
| version()  |
+------------+
| 5.7.18-log |
+------------+
1 row in set (0.01 sec)

mysql> create user 'group1';
Query OK, 0 rows affected (0.01 sec)

mysql> create user 'user1';
Query OK, 0 rows affected (0.01 sec)

mysql> create user 'user2';
Query OK, 0 rows affected (0.00 sec)

mysql> grant proxy on 'group1' to 'user1';
Query OK, 0 rows affected (0.00 sec)

mysql> grant proxy on 'group1' to 'user2';
Query OK, 0 rows affected (0.01 sec)


Check a group member's privileges

[root@237_21 mysql3307]# mysql -uuser1 -S /tmp/mysql3307.sock
Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 5
Server version: 5.7.18-log MySQL Community Server (GPL)

Copyright (c) 2000, 2017, Oracle and/or its affiliates. All rights reserved.

Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

mysql> show grants;
+------------------------------------+
| Grants for group1@%                |
+------------------------------------+
| GRANT USAGE ON *.* TO 'group1'@'%' |
+------------------------------------+
1 row in set (0.00 sec)

mysql> show databases;
+--------------------+
| Database           |
+--------------------+
| information_schema |
+--------------------+
1 row in set (0.00 sec)


Add the SELECT privilege to the group account

[root@237_21 mysql3307]# mysql -uroot -p -S /tmp/mysql3307.sock
Enter password: 
Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 6
Server version: 5.7.18-log MySQL Community Server (GPL)

Copyright (c) 2000, 2017, Oracle and/or its affiliates. All rights reserved.

Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

mysql> grant select on *.* to 'group1';
Query OK, 0 rows affected (0.00 sec)

Note: unless the check_proxy_users and mysql_native_password_proxy_users parameters are enabled, the user's privileges will not be mapped, as shown below

mysql> show variables like "%proxy%";
+-----------------------------------+-------+
| Variable_name                     | Value |
+-----------------------------------+-------+
| check_proxy_users                 | OFF   |
| mysql_native_password_proxy_users | OFF   |
| proxy_user                        |       |
| sha256_password_proxy_users       | OFF   |
+-----------------------------------+-------+
4 rows in set (0.00 sec)

[root@237_21 mysql3307]# mysql -uuser1 -S /tmp/mysql3307.sock
Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 6
Server version: 5.7.18-log MySQL Community Server (GPL)

Copyright (c) 2000, 2017, Oracle and/or its affiliates. All rights reserved.

Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

mysql> show databases;
+--------------------+
| Database           |
+--------------------+
| information_schema |
+--------------------+
1 row in set (0.00 sec)


Retest after enabling them

[root@237_21 mysql3307]# mysql -uroot -p -S /tmp/mysql3307.sock
Enter password: 
Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 7
Server version: 5.7.18-log MySQL Community Server (GPL)

Copyright (c) 2000, 2017, Oracle and/or its affiliates. All rights reserved.

Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

mysql> set global check_proxy_users =1;
Query OK, 0 rows affected (0.00 sec)

mysql> set global mysql_native_password_proxy_users =1;
Query OK, 0 rows affected (0.00 sec)

mysql> show variables like "%proxy%";
+-----------------------------------+-------+
| Variable_name                     | Value |
+-----------------------------------+-------+
| check_proxy_users                 | ON    |
| mysql_native_password_proxy_users | ON    |
| proxy_user                        |       |
| sha256_password_proxy_users       | OFF   |
+-----------------------------------+-------+
4 rows in set (0.00 sec)

Log in again as a group member: the privileges have now been inherited.

[root@237_21 mysql3307]# mysql -uuser1 -S /tmp/mysql3307.sock
Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 8
Server version: 5.7.18-log MySQL Community Server (GPL)

Copyright (c) 2000, 2017, Oracle and/or its affiliates. All rights reserved.

Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

mysql> show databases;
+--------------------+
| Database           |
+--------------------+
| information_schema |
| mysql              |
| performance_schema |
| sys                |
+--------------------+
4 rows in set (0.00 sec)


The privilege inheritance information is recorded in mysql.proxies_priv

mysql> select * from mysql.proxies_priv;
+-----------+-------+--------------+--------------+------------+----------------------+---------------------+
| Host      | User  | Proxied_host | Proxied_user | With_grant | Grantor              | Timestamp           |
+-----------+-------+--------------+--------------+------------+----------------------+---------------------+
| localhost | root  |              |              |          1 | boot@connecting host | 0000-00-00 00:00:00 |
| %         | user2 | %            | group1       |          0 | root@localhost       | 0000-00-00 00:00:00 |
| %         | user1 | %            | group1       |          0 | root@localhost       | 0000-00-00 00:00:00 |
+-----------+-------+--------------+--------------+------------+----------------------+---------------------+
3 rows in set (0.00 sec)
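The 5.7 procedure above, written out as one script and followed by two checks a DBA would want to run afterwards: an added example, not code from the original post or from the MySQL documentation. It assumes the accounts authenticate with the default mysql_native_password plugin; the database name 'appdb' and the passwords are placeholders.

```sql
-- Added example, not from the original post: the 5.7 setup from the test
-- above collected into one script, plus two follow-up checks. Account
-- names follow the post; 'appdb' and the passwords are placeholders.

-- 1. Unless both of these are ON, the PROXY grant is recorded but never
--    applied at login (the "before" state in the test). SET GLOBAL does not
--    survive a restart, so also set them in my.cnf under [mysqld].
SET GLOBAL check_proxy_users = ON;
SET GLOBAL mysql_native_password_proxy_users = ON;

-- 2. The proxied ("group") account carries the privileges. Nobody should
--    log in as it directly, so give it a password that is not handed out.
CREATE USER 'group1'@'%' IDENTIFIED BY 'placeholder-not-distributed';
GRANT SELECT ON appdb.* TO 'group1'@'%';

-- 3. The proxy accounts are the real people; each keeps its own password,
--    which is what keeps the group approach auditable per person.
CREATE USER 'user1'@'%' IDENTIFIED BY 'placeholder-pw-1';
CREATE USER 'user2'@'%' IDENTIFIED BY 'placeholder-pw-2';
GRANT PROXY ON 'group1'@'%' TO 'user1'@'%';
GRANT PROXY ON 'group1'@'%' TO 'user2'@'%';

-- 4. Run from a session opened as user1. USER() is the login identity,
--    CURRENT_USER() is the account whose privileges are in force, and
--    @@proxy_user is NULL unless the session is proxied, so a mapping that
--    silently did not apply shows up here rather than as a vague denial.
SELECT USER(), CURRENT_USER(), @@proxy_user;

-- 5. Audit query over mysql.proxies_priv: one row per proxy relationship.
--    A row with an empty Proxied_user (such as the root@localhost entry in
--    the test output) holds PROXY over all accounts and, with With_grant =
--    1, can hand it out; expected for root, a finding for anything else.
SELECT CONCAT(User, '@', Host)                 AS proxy_account,
       CONCAT(Proxied_user, '@', Proxied_host) AS proxied_account,
       With_grant,
       IF(Proxied_user = '', 'BLANKET', '')    AS flag
FROM   mysql.proxies_priv
ORDER  BY (Proxied_user = '') DESC, User, Host;
```

Step 4 must be run from the group member's own connection, not from the root session that ran steps 1 to 3; step 5 can be run by any account with SELECT on the mysql schema.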



Conclusion

Although the relevant documentation already existed for MySQL 5.6 and even the earlier 5.5, in practice the Proxy User feature was only truly realized in version 5.7.




Official documentation:

https://dev.mysql.com/doc/refman/5.7/en/proxy-users.html

MariaDB's Role feature:

https://yq.aliyun.com/articles/50907




Reposted from blog.csdn.net/leonpenn/article/details/77976546