MySQL中以用户执行存储过程的权限为EXECUTE

  比如我们在名为configdb的数据库下创建了如下存储过程,存储过程的定义者为user_admin

  use configdb;

  drop procedure if exists sp_dev_test_user_add;

  delimiter $$

  CREATE DEFINER=`user_admin`@`%` PROCEDURE `sp_dev_test_user_add`(

  in var_user varchar(30),

  in var_ip varchar(15),

  in var_username varchar(30),

  in var_email varchar(30),

  in var_orginfo varchar(30)

  )

  BEGIN

  create temporary table errors (error varchar(500));

  if exists ( select user from mysql.user where user=var_user) then

  insert into errors values (concat('用户名 "',var_user,'" 已存在!'));

  end if;

  if exists (select * from errors) then

  select error from errors;

  else

  set @user=concat(var_user,'@\'',var_ip,'\'');

  set @s=concat('create user ',@user,' identified by ''12345'';');

  prepare cmd from @s;

  execute cmd;

  set @s=concat('GRANT SELECT ON `mysql`.`func` TO ',@user,';');

  prepare cmd from @s;

  execute cmd;

  set @s=concat('GRANT SELECT ON `mysql`.`proc` TO ',@user,';');

  prepare cmd from @s;

  execute cmd;

  replace into dev_test_userinfo values (var_user,var_username,var_email,var_orginfo);

  end if;

  drop temporary table errors;

  END

  $$

  delimiter ;

  试着创建一个普通用户user_test1

  mysql>create user user_test1 identified by '12345';

  查看其权限

  mysql>show grants for user_test1;

  +-----------------------------------------------------------------------------------------------------------+

  | Grants for user_test1@% |

  +-----------------------------------------------------------------------------------------------------------+

  | GRANT USAGE ON *.* TO 'user_test1'@'%' IDENTIFIED BY PASSWORD '*00A51F3F48415C7D4E8908980D443C29C69B60C9' |

  +-----------------------------------------------------------------------------------------------------------+

  赋予其configdb上的select\insert\delete\update权限

  mysql>grant select,insert,delete,update on configdb.* to 'user_test1'@'%' IDENTIFIED BY PASSWORD '*00A51F3F48415C7D4E8908980D443C29C69B60C9'

  mysql> show grants for user_test1;

  +-----------------------------------------------------------------------------------------------------------+

  | Grants for user_test1@% |

  +-----------------------------------------------------------------------------------------------------------+

  | GRANT USAGE ON *.* TO 'user_test1'@'%' IDENTIFIED BY PASSWORD '*00A51F3F48415C7D4E8908980D443C29C69B60C9' |

  | GRANT SELECT, INSERT, UPDATE, DELETE ON `configdb`.* TO 'user_test1'@'%' |

  +-----------------------------------------------------------------------------------------------------------+

  使用此用户登录MySQL执行刚才定义的存储过程

  mysql>use configdb;

  mysql>call sp_dev_test_user_add('uapp_yzz','172.16.%','yzz','yzz@email','MySQL DBA');

  ERROR 1370 (42000): execute command denied to user 'user_test1'@'%' for routine 'configdb.sp_dev_test_user_add'

  看来是权限不足,继续赋予其configdb上的execute权限

  mysql> grant execute on configdb.* to 'user_test1'@'%' IDENTIFIED BY PASSWORD '*00A51F3F48415C7D4E8908980D443C29C69B60C9';

  mysql> show grants for user_test1;

  +-----------------------------------------------------------------------------------------------------------+

  | Grants for user_test1@% |

  +-----------------------------------------------------------------------------------------------------------+

  | GRANT USAGE ON *.* TO 'user_test1'@'%' IDENTIFIED BY PASSWORD '*00A51F3F48415C7D4E8908980D443C29C69B60C9' |

  | GRANT SELECT, INSERT, UPDATE, DELETE, EXECUTE ON `configdb`.* TO 'user_test1'@'%' |

  +-----------------------------------------------------------------------------------------------------------+

  重新使用此用户登录MySQL执行刚才定义的存储过程

  mysql>use configdb;

  mysql>call sp_dev_test_user_add('uapp_yzz','172.16.%','yzz','yzz@email','MySQL DBA');

  ERROR 1449 (HY000): The user specified as a definer ('user_admin'@'%') does not exist

  这次可以调用该存储过程了,但是提示存储过程定义中的definer不存在,原来仅仅是连接到MySQL服务器的用户具有执行存储过程的权限是远远不够的,最终要通过存储过程定义中指定的definer来执行存储过程。

  创建user_admin'@'%'这个用户,并赋予configdb上相应的权限

  mysql>create user user_admin identified by '12345';

  mysql> grant select,insert,delete,update on configdb.* to 'user_admin'@'%' IDENTIFIED BY PASSWORD '*00A51F3F48415C7D4E8908980D443C29C69B60C9';

  mysql> show grants for user_admin;

  +-----------------------------------------------------------------------------------------------------------+

  | Grants for user_admin@% |

  +-----------------------------------------------------------------------------------------------------------+

  | GRANT USAGE ON *.* TO 'user_admin'@'%' IDENTIFIED BY PASSWORD '*00A51F3F48415C7D4E8908980D443C29C69B60C9' |

  | GRANT SELECT, INSERT, UPDATE, DELETE ON `configdb`.* TO 'user_admin'@'%' |

  +-----------------------------------------------------------------------------------------------------------+

  重新使用'user_test1'@'%'用户登录MySQL执行刚才定义的存储过程

  mysql>use configdb;

  mysql> call sp_dev_test_user_add('uapp_yzz','172.16.%','yzz','yzz@email','MySQL DBA');

  ERROR 1370 (42000): execute command denied to user 'user_admin'@'%' for routine 'configdb.sp_dev_test_user_add'

  看来不仅仅是连接到MySQL服务器的用户需要具有存储过程上的执行权限,存储过程定义者同样需要该权限。

  mysql> grant execute on configdb.* to 'user_admin'@'%' IDENTIFIED BY PASSWORD '*00A51F3F48415C7D4E8908980D443C29C69B60C9';

  mysql> show grants for user_admin;

  +-----------------------------------------------------------------------------------------------------------+

  | Grants for user_admin@% |

  +-----------------------------------------------------------------------------------------------------------+

  | GRANT USAGE ON *.* TO 'user_admin'@'%' IDENTIFIED BY PASSWORD '*00A51F3F48415C7D4E8908980D443C29C69B60C9' |

  | GRANT SELECT, INSERT, UPDATE, DELETE, EXECUTE ON `configdb`.* TO 'user_admin'@'%' |

  +-----------------------------------------------------------------------------------------------------------+

  重新使用'user_test1'@'%'用户登录MySQL执行刚才定义的存储过程

  mysql>use configdb;

  mysql> call sp_dev_test_user_add('uapp_yzz','172.16.%','yzz','yzz@email','MySQL DBA');

  ERROR 1044 (42000): Access denied for user 'user_admin'@'%' to database 'configdb'

  可以执行存储过程了,但是提示权限不足,仔细查看存储过程的定义可以看到,存储过程中包含创建用户和赋予权限的语句,而我们赋给'user_test1'@'%'用户和'user_admin'@'%'都不具有这样的权限。

  赋予'user_test1'@'%'创建用户的权限和赋权的权限,以及创建临时表的权限

  mysql> grant create user on *.* to 'user_test1'@'%' IDENTIFIED BY PASSWORD '*00A51F3F48415C7D4E8908980D443C29C69B60C9' with grant option;

  mysql> grant create temporary tables on configdb.* to 'user_test1'@'%' IDENTIFIED BY PASSWORD '*00A51F3F48415C7D4E8908980D443C29C69B60C9';

  mysql> show grants for 'user_test1'@'%';

  +-----------------------------------------------------------------------------------------------------------------------------------+

  | Grants for user_test1@% |

  +-----------------------------------------------------------------------------------------------------------------------------------+

  | GRANT CREATE USER ON *.* TO 'user_test1'@'%' IDENTIFIED BY PASSWORD '*00A51F3F48415C7D4E8908980D443C29C69B60C9' WITH GRANT OPTION |

  | GRANT SELECT, INSERT, UPDATE, DELETE, CREATE TEMPORARY TABLES, EXECUTE ON `configdb`.* TO 'user_test1'@'%' |

  +-----------------------------------------------------------------------------------------------------------------------------------+

  重新使用'user_test1'@'%'用户登录MySQL执行刚才定义的存储过程

  mysql>use configdb;

  mysql> call sp_dev_test_user_add('uapp_yzz','172.16.%','yzz','yzz@email','MySQL DBA');

  ERROR 1044 (42000): Access denied for user 'user_admin'@'%' to database 'configdb'

  对了,不管你是以什么账户登录的MySQL,最后是使用存储过程的definer执行存储过程的,所以应当把创建用户和赋权的权限付给definer,这里为user_admin'@'%'这个账户。

  赋予'user_admin'@'%'创建用户的权限和赋权的权限

  mysql> grant create user on *.* to 'user_admin'@'%' IDENTIFIED BY PASSWORD '*00A51F3F48415C7D4E8908980D443C29C69B60C9' with grant option;

  mysql> grant create temporary tables on configdb.* to 'user_admin'@'%' IDENTIFIED BY PASSWORD '*00A51F3F48415C7D4E8908980D443C29C69B60C9';

  mysql> show grants for 'user_admin'@'%';

  +-----------------------------------------------------------------------------------------------------------------------------------+

  | Grants for user_admin@% |

  +-----------------------------------------------------------------------------------------------------------------------------------+

  | GRANT CREATE USER ON *.* TO 'user_admin'@'%' IDENTIFIED BY PASSWORD '*00A51F3F48415C7D4E8908980D443C29C69B60C9' WITH GRANT OPTION |

  | GRANT SELECT, INSERT, UPDATE, DELETE, CREATE TEMPORARY TABLES, EXECUTE ON `configdb`.* TO 'user_admin'@'%' |

  +-----------------------------------------------------------------------------------------------------------------------------------+

  重新使用'user_test1'@'%'用户登录MySQL执行刚才定义的存储过程

  mysql>use configdb;

  mysql> call sp_dev_test_user_add('uapp_yzz','172.16.%','yzz','yzz@email','MySQL DBA');

  ERROR 1142 (42000): SELECT command denied to user 'user_admin'@'%' for table 'user'

  哦,除了configdb库外还得有mysql库上user表的权限,给加上,看来权限问题还真是棘手,呵呵~

  mysql> grant select,insert,delete,update on mysql.* to 'user_admin'@'%' IDENTIFIED BY PASSWORD '*00A51F3F48415C7D4E8908980D443C29C69B60C9';

  mysql> show grants for 'user_admin'@'%';

  +-----------------------------------------------------------------------------------------------------------------------------------+

  | Grants for user_admin@% |

  +-----------------------------------------------------------------------------------------------------------------------------------+

  | GRANT CREATE USER ON *.* TO 'user_admin'@'%' IDENTIFIED BY PASSWORD '*00A51F3F48415C7D4E8908980D443C29C69B60C9' WITH GRANT OPTION |

  | GRANT SELECT, INSERT, UPDATE, DELETE, CREATE, CREATE TEMPORARY TABLES, EXECUTE ON `configdb`.* TO 'user_admin'@'%' |

  | GRANT SELECT, INSERT, UPDATE, DELETE ON `mysql`.* TO 'user_admin'@'%' |

  +-----------------------------------------------------------------------------------------------------------------------------------+

  重新使用'user_test1'@'%'用户登录MySQL执行刚才定义的存储过程

  mysql>use configdb;

  mysql> call sp_dev_test_user_add('uapp_yzz','172.16.%','yzz','yzz@email','MySQL DBA');

  Query OK, 0 rows affected (0.05 sec)

  终于OK了,相信通过这一系列过程,大家应该能够很清楚的了解MySQL存储过程相关的执行权限了。另外,定义该存储过程还需要有CREATE ROUTINE的权限、更该存储过程需要有ALTER ROUTINE的权限(这里是用超级用户在configdb创建的存储过程,上述权限都是具备的),调用存储过程的用户需要有EXECUTE权限,最终执行存储过程的用户也即存储过程定义者要具备存储过程定义语句中相关的各种权限。

  MySQL的权限分的比较细,大致可分为表权限、列权限、过程权限具体可参考MySQL官方手册。

[转]MySQL中存储过程权限问题的更多相关文章

  1. SqlServer和MySQL中存储过程out返回值处理C#代码

    1.SqlServer中out处理 C#代码 #region"SqlServer中存储过程处理out返回值" //public void getdata() //{ // stri ...

  2. Mysql中五级权限小结

    mysql的权限控制主要是通过mysql库下的db,user,host,table_priv,column_priv表控制. 由于权限信息数据量比较小,所以mysql在启动时会将所有的权限消息加载到内 ...

  3. Mysql中存储过程和函数的写法

    MySQL中,创建存储过程的基本形式如下: CREATE PROCEDURE sp_name ([proc_parameter[,...]]) [characteristic ...] routine ...

  4. MYSQL中存储过程的创建,调用及语法

    MySQL 存储过程是从 MySQL 5.0 开始增加的新功能.存储过程的优点有一箩筐.不过最主要的还是执行效率和SQL 代码封装.特别是 SQL 代码封装功能,如果没有存储过程,在外部程序访问数据库 ...

  5. MySQL中存储过程+事件的使用方法

    一.背景 将界面操作日志存储在MySQL数据库中的operationlog表中,如果该表不能自动备份,表中的数据会越来越多,影响速度.可以定期将表中数据备份到另外一个表中来解决. 二.解决方案 1.使 ...

  6. 详细解读MySQL中的权限

    一.前言 很多文章中会说,数据库的权限按最小权限为原则,这句话本身没有错,但是却是一句空话.因为最小权限,这个东西太抽象,很多时候你并弄不清楚具体他需要哪 些权限. 现在很多mysql用着root账户 ...

  7. 如何创建新用户和授予MySQL中的权限

    原创官网http://www.howtoing.com/how-to-create-a-new-user-and-grant-permissions-in-mysql/ 关于MySQL MySQL是一 ...

  8. MySql中存储过程的理解

    到底什么是存储过程,又为什么需要使用存储过程? 存储过程简单来说,就是为以后的使用而保存的一条或多条MySQL语句的集合,可将其视为批文件,虽然它们的作用不仅限与批处理. 使用存储过程有3个主要的好处 ...

  9. MySql中存储过程中的@变量总是无法执行,提示Parameter '@XXX' must be defined

    一.情形: 在.net调用Mysql时,比如如下的一句SQL,总是无法执行,可是在其它SQL客户端窗口中是能正确执行的. drop procedure if exists AddColumnUnles ...

随机推荐

  1. 全面了解 Linux 服务器 - 1. 查看 Linux 服务器的 CPU 详细情况

    1. 查看 Linux 服务器的 CPU 详细情况 判断依据: 具有相同的 core id 的 CPU 是同意个 core 超线程. 具有相同的 physical id 的 CPU 是同一个 CPU ...

  2. 【原】安装mongo的php插件

    http://pecl.php.net/package/mongo https://github.com/mongodb/mongo-php-driver/tarball/master 1. 安装mo ...

  3. ios开发 iphone中获取网卡地址和ip地址

    这是获取网卡的硬件地址的代码,如果无法编译通过,记得把下面的这几个头文件加上把. #include <sys/socket.h> // Per msqr#include <sys/s ...

  4. HDU2045

    http://acm.hdu.edu.cn/showproblem.php?pid=2045 如果n-1的颜色和1相同,那么n有两种走法,如果n-1 的颜色和1不同,那么n只有1种选择方法 公式就是f ...

  5. UVa10806 Dijkstra,Dijkstra-费用网络流

    Problem, in short Given a weighed, undirected graph, find the shortest path from S to T and back wit ...

  6. C++ 约瑟夫环问题

    约瑟夫环比较经典了 已知n个人(以编号1,2,3...n分别表示)围坐在一张圆桌周围.从编号为k的人开始报数,数到m的那个人出列:他的下一个人又从1开始报数,数到m的那个人又出列:依此规律重复下去,直 ...

  7. Qlikview 的权限控制

    Qlikview报表控件/数据的权限控制,首先在“文档属性”->“打开”-> 勾选“基于访问权限的初始数据减少”, 这样打开报表的时候会提示输入用户名和密码. Qlikview 的权限控制 ...

  8. SQLServer日志无法收缩原因分析及解决

    SQL Server中的事务日志无疑是SQL Server中最重要的部分之一.因为SQL SERVER利用事务日志来确保持久性(Durability)和事务回滚(Rollback).从而还部分确保了事 ...

  9. 关于yaha中文分词(将中文分词后,结合TfidfVectorizer变成向量)

    https://github.com/jannson/yaha # -*- coding: utf-8 -*- """ Created on Wed Aug 10 08: ...

  10. innobackupex的安装

    innobackupex的安装方法有3种: 通过RPM包安装: 通过源码包安装: 通过二进制包安装. 第3种方法最简单,这里只介绍它.以下是安装步骤: 打开官方下载链接: Version默认是最新版本 ...