MySQL使用show effective grants查看权限官方解读
更新时间:2023年07月26日 10:21:28 作者:GreatSQL社区
这篇文章主要为大家介绍了MySQL使用show effective grants查看权限,有需要的朋友可以借鉴参考下,希望能够有所帮助,祝大家多多进步,早日升职加薪
1、问题描述
用户 show grants 显示只有连接权限,但该用户却能执行 sbtest.*下的所有操作
GreatSQL> \s ... Server version: 8.0.32-24 GreatSQL, Release 24, Revision 3714067bc8c ... GreatSQL> show grants; +---------------------------------------+ | Grants for user1@172.% | +---------------------------------------+ | GRANT USAGE ON *.* TO `user1`@`172.%` | +---------------------------------------+ 1 row in set (0.00 sec) GreatSQL> select * from sbtest.sbtest1 limit 1; +----+-----+-------------------------------------------------------------------------------------------------------------------------+-------------------------------------------------------------+ | id | k | c | pad | +----+-----+-------------------------------------------------------------------------------------------------------------------------+-------------------------------------------------------------+ | 1 | 250 | 50739423477-59896895752-91121550334-25071371310-03454727381-25307272676-12883025003-48844794346-97662793974-67443907837 | 10824941535-62754685647-36430831520-45812593797-70371571680 | +----+-----+-------------------------------------------------------------------------------------------------------------------------+-------------------------------------------------------------+ 1 row in set (0.00 sec)
2、官方文档
MySQL 官方手册,有这样一段话
https://dev.mysql.com/doc/refman/8.0/en/show-grants.html
SHOW GRANTS does not display privileges that are available to the named account but are granted to a different account. For example, if an anonymous account exists, the named account might be able to use its privileges, but SHOW GRANTS does not display them.
Percona Server 官方手册,有类似一段话
https://docs.percona.com/percona-server/8.0/management/extend...
In Oracle MySQL SHOW GRANTS displays only the privileges granted explicitly to the named account. Other privileges might be available to the account, but they are not displayed. For example, if an anonymous account exists, the named account might be able to use its privileges, but SHOW GRANTS will not display them. Percona Server for MySQL offers the SHOW EFFECTIVE GRANTS command to display all the effectively available privileges to the account, including those granted to a different account.
概括如下:
- 用户 A 的 user 与用户 B 的 user 相同,或者用户 A 是匿名用户
- 用户 B 的 host 范围是用户 A 的 host 范围的子集
满足上述两个条件,此时用户 B 拥有显式授予给用户 A 的权限,但 SHOW GRANTS 不会显示这部分权限。在 Percona Server 可以通过 SHOW EFFECTIVE GRANTS 查看。
3、测试验证
3.1、同 user 用户
1)、创建用户并授权
# 创建用户 GreatSQL> CREATE USER grantee@localhost IDENTIFIED BY 'grantee1'; Query OK, 0 rows affected (0.05 sec) GreatSQL> CREATE USER grantee@'%' IDENTIFIED BY 'grantee2'; Query OK, 0 rows affected (0.01 sec) # 创建数据库 GreatSQL> CREATE DATABASE IF NOT EXISTS sbtest; Query OK, 1 row affected, 1 warning (0.00 sec) GreatSQL> CREATE DATABASE IF NOT EXISTS sbtest1; Query OK, 1 row affected (0.05 sec) # 授权 GreatSQL> GRANT ALL PRIVILEGES ON sbtest.* TO grantee@'%'; Query OK, 0 rows affected (0.02 sec)
2)、查看权限
GreatSQL> show grants for grantee@localhost; +---------------------------------------------+ | Grants for grantee@localhost | +---------------------------------------------+ | GRANT USAGE ON *.* TO `grantee`@`localhost` | +---------------------------------------------+ 1 row in set (0.01 sec)
权限列表没有显示 grantee@localhost 对 sbtest 库的权限,但实际 grantee@localhost 已经拥有 sbtest 库下所有操作权限
3)、grantee@localhost 登录,执行操作
GreatSQL> show grants; +---------------------------------------------+ | Grants for grantee@localhost | +---------------------------------------------+ | GRANT USAGE ON *.* TO `grantee`@`localhost` | +---------------------------------------------+ 1 row in set (0.00 sec) GreatSQL> create table sbtest.t1(id int primary key); Query OK, 0 rows affected (0.04 sec) GreatSQL> insert into sbtest.t1 select 1; Query OK, 1 row affected (0.01 sec) Records: 1 Duplicates: 0 Warnings: 0
4)、使用 SHOW EFFECTIVE GRANTS 查看权限
GreatSQL> show effective grants; +-------------------------------------------------------------+ | Effective grants for grantee@localhost | +-------------------------------------------------------------+ | GRANT USAGE ON *.* TO `grantee`@`localhost` | | GRANT ALL PRIVILEGES ON `sbtest`.* TO `grantee`@`localhost` | +-------------------------------------------------------------+ 2 rows in set (0.01 sec)
SHOW EFFECTIVE GRANTS显示出拥有的同 user 用户权限
3.2、匿名用户
匿名用户请参考:https://dev.mysql.com/doc/refman/8.0/en/connection-access.html
1)、创建匿名用户并授权
# 未指定host,默认为% GreatSQL> CREATE USER ''; Query OK, 0 rows affected (0.04 sec) GreatSQL> GRANT ALL ON sbtest1.* TO ''; Query OK, 0 rows affected (0.02 sec)
2)、查看权限
GreatSQL> show grants for grantee@localhost; +---------------------------------------------+ | Grants for grantee@localhost | +---------------------------------------------+ | GRANT USAGE ON *.* TO `grantee`@`localhost` | +---------------------------------------------+ 1 row in set (0.01 sec)
权限列表没有显示 grantee@localhost 对 sbtest1 库的权限,但实际 grantee@localhost 已经拥有 sbtest1 库下所有操作权限
3)、grantee@localhost 登录,执行操作
GreatSQL> select user(), current_user(); +-------------------+-------------------+ | user() | current_user() | +-------------------+-------------------+ | grantee@localhost | grantee@localhost | +-------------------+-------------------+ 1 row in set (0.00 sec) GreatSQL> show grants; +---------------------------------------------+ | Grants for grantee@localhost | +---------------------------------------------+ | GRANT USAGE ON *.* TO `grantee`@`localhost` | +---------------------------------------------+ 1 row in set (0.00 sec) GreatSQL> create table sbtest1.t2(id int primary key); Query OK, 0 rows affected (0.03 sec) GreatSQL> insert into sbtest1.t2 select 2; Query OK, 1 row affected (0.01 sec) Records: 1 Duplicates: 0 Warnings: 0
4)、使用 SHOW EFFECTIVE GRANTS 查看权限
GreatSQL> show effective grants; +-------------------------------------------------------------+ | Effective grants for grantee@localhost | +-------------------------------------------------------------+ | GRANT USAGE ON *.* TO `grantee`@`localhost` | | GRANT ALL PRIVILEGES ON `sbtest`.* TO `grantee`@`localhost` | +-------------------------------------------------------------+ 2 rows in set (0.01 sec)
注意:SHOW EFFECTIVE GRANTS没有显示出拥有的匿名用户权限,sbtest.*是拥有的同 user 用户权限
4、建议
1)、使用 SHOW EFFECTIVE GRANTS 代替 SHOW GRANTS(GreatDB、GreatSQL、Percona Server)
GreatSQL> show effective grants for user1@`172.%`; +-------------------------------------------------------+ | Effective grants for user1@172.% | +-------------------------------------------------------+ | GRANT USAGE ON *.* TO `user1`@`172.%` | | GRANT ALL PRIVILEGES ON `sbtest`.* TO `user1`@`172.%` | +-------------------------------------------------------+ 2 rows in set (0.00 sec)
2)、账号加固
- 匿名用户,禁止匿名用户登录
GreatSQL> select user, host from mysql.user where user=''; +------+------+ | user | host | +------+------+ | | % | +------+------+ 1 row in set (0.02 sec)
- 同 user 不同 host
GreatSQL> select u.user, u.host, p.user priv_user, p.host priv_host from (
-> select user, host from mysql.db
-> union
-> select user, host from mysql.tables_priv
-> union
-> select user, host from mysql.columns_priv) p
-> left join mysql.user u on p.user=u.user
-> where p.host<>u.host;
+---------+-----------+-----------+-----------+
| user | host | priv_user | priv_host |
+---------+-----------+-----------+-----------+
| user1 | 172.% | user1 | % |
| grantee | localhost | grantee | % |
+---------+-----------+-----------+-----------+
2 rows in set (0.01 sec)到各权限表查看对应user信息,核实权限'错乱'的原因
GreatSQL> select * from mysql.user where user='user1'\G
*************************** 1. row ***************************
Host: 172.%
User: user1
Select_priv: N
...
1 row in set (0.05 sec)
GreatSQL> select * from mysql.db where user='user1'\G
*************************** 1. row ***************************
Host: %
Db: sbtest
User: user1
Select_priv: Y
...
1 row in set (0.01 sec)user 表只有 user1@'172.%',db 表只有 user1@'%',对应算两个用户。
可能是手动更新过权限表:例如创建用户xx@'%',授权db.*所有权限,后来更新mysql.user表中的记录为xx@'172.%'限制登录来源。
根据精确匹配原则,user1可以从172.%主机连接数据库,全局权限为N(mysql.user),db权限匹配上user1@'%',拥有sbtest库的所有操作权限。
Enjoy GreatSQL :)
## 关于 GreatSQL
GreatSQL是由万里数据库维护的MySQL分支,专注于提升MGR可靠性及性能,支持InnoDB并行查询特性,是适用于金融级应用的MySQL分支版本。
相关链接:
以上就是MySQL使用show effective grants查看权限的详细内容,更多关于MySQL show effective grants查看权限的资料请关注脚本之家其它相关文章!
相关文章
这篇文章主要为大家详细介绍了MyEclipse连接MySQL数据库图文教程,具有一定的参考价值,感兴趣的小伙伴们可以参考一下2016-10-10
本文针对 MySQL 数据库的 InnoDB 存储引擎,介绍其中索引的实现以及索引在慢 SQL 优化中的作用,本文主要讨论不同场景下索引生效与失效的原因,感兴趣的小伙伴可以跟着小编一起来探讨2023-05-05
这篇文章主要介绍了MySQL 8.0统计信息不准确的原因,帮助大家更好的理解和学习MySQL8.0的相关内容,感兴趣的朋友可以了解下2020-08-08
这篇文章主要介绍了深入解析MySQL的窗口函数,窗口可以理解为记录集合,窗口函数就是在满足某种条件的记录集合上执行的特殊函数,即:应用在窗口内的函数,需要的朋友可以参考下2023-07-07
MySQL Proxy最强大的一项功能是实现“读写分离(Read/Write Splitting)”。2009-04-04
这篇文章主要介绍了MySql减少内存占用的方法详解,文中通过示例代码介绍的非常详细,对大家的学习或者工作具有一定的参考学习价值,需要的朋友可以参考下2019-07-07
mysql命令行还原phpMyAdmin导出的含有中文的SQL文件
最近得到了一个数十M的MySQL脚本文件,准备还原为数据库。2010-05-05
今天学习python连接数据库,就想安装一下mysql数据库,没想到小小的数据库也遇到了不少挫折,所以我就把自己的安装过程以及问题写出来分享给大家,需要的朋友可以参考下2019-06-06
在遇到数据之间的联系很复杂,建表就很纠结,到底该怎么去处理这些复杂的数据呢,是单表查询,然后在业务层去处理数据间的关系,还是直接通过多表连接查询来处理数据关系呢2021-09-09
这篇文章主要介绍了MySql数据表之间的连接、查询,文中通过示例代码介绍的非常详细,对大家的学习或者工作具有一定的参考学习价值,需要的朋友们下面随着小编来一起学习学习吧2019-04-04
最新评论