MySQL中以用户执行存储过程的权限为EXECUTE

  比如我们在名为configdb的数据库下创建了如下存储过程,存储过程的定义者为user_admin

  use configdb;

  drop procedure if exists sp_dev_test_user_add;

  delimiter $$

  CREATE DEFINER=`user_admin`@`%` PROCEDURE `sp_dev_test_user_add`(

  in var_user varchar(30),

  in var_ip varchar(15),

  in var_username varchar(30),

  in var_email varchar(30),

  in var_orginfo varchar(30)

  )

  BEGIN

  create temporary table errors (error varchar(500));

  if exists ( select user from mysql.user where user=var_user) then

  insert into errors values (concat('用户名 "',var_user,'" 已存在!'));

  end if;

  if exists (select * from errors) then

  select error from errors;

  else

  set @user=concat(var_user,'@\'',var_ip,'\'');

  set @s=concat('create user ',@user,' identified by ''12345'';');

  prepare cmd from @s;

  execute cmd;

  set @s=concat('GRANT SELECT ON `mysql`.`func` TO ',@user,';');

  prepare cmd from @s;

  execute cmd;

  set @s=concat('GRANT SELECT ON `mysql`.`proc` TO ',@user,';');

  prepare cmd from @s;

  execute cmd;

  replace into dev_test_userinfo values (var_user,var_username,var_email,var_orginfo);

  end if;

  drop temporary table errors;

  END

  $$

  delimiter ;

  试着创建一个普通用户user_test1

  mysql>create user user_test1 identified by '12345';

  查看其权限

  mysql>show grants for user_test1;

  +-----------------------------------------------------------------------------------------------------------+

  | Grants for user_test1@% |

  +-----------------------------------------------------------------------------------------------------------+

  | GRANT USAGE ON *.* TO 'user_test1'@'%' IDENTIFIED BY PASSWORD '*00A51F3F48415C7D4E8908980D443C29C69B60C9' |

  +-----------------------------------------------------------------------------------------------------------+

  赋予其configdb上的select\insert\delete\update权限

  mysql>grant select,insert,delete,update on configdb.* to 'user_test1'@'%' IDENTIFIED BY PASSWORD '*00A51F3F48415C7D4E8908980D443C29C69B60C9'

  mysql> show grants for user_test1;

  +-----------------------------------------------------------------------------------------------------------+

  | Grants for user_test1@% |

  +-----------------------------------------------------------------------------------------------------------+

  | GRANT USAGE ON *.* TO 'user_test1'@'%' IDENTIFIED BY PASSWORD '*00A51F3F48415C7D4E8908980D443C29C69B60C9' |

  | GRANT SELECT, INSERT, UPDATE, DELETE ON `configdb`.* TO 'user_test1'@'%' |

  +-----------------------------------------------------------------------------------------------------------+

  使用此用户登录MySQL执行刚才定义的存储过程

  mysql>use configdb;

  mysql>call sp_dev_test_user_add('uapp_yzz','172.16.%','yzz','yzz@email','MySQL DBA');

  ERROR 1370 (42000): execute command denied to user 'user_test1'@'%' for routine 'configdb.sp_dev_test_user_add'

  看来是权限不足,继续赋予其configdb上的execute权限

  mysql> grant execute on configdb.* to 'user_test1'@'%' IDENTIFIED BY PASSWORD '*00A51F3F48415C7D4E8908980D443C29C69B60C9';

  mysql> show grants for user_test1;

  +-----------------------------------------------------------------------------------------------------------+

  | Grants for user_test1@% |

  +-----------------------------------------------------------------------------------------------------------+

  | GRANT USAGE ON *.* TO 'user_test1'@'%' IDENTIFIED BY PASSWORD '*00A51F3F48415C7D4E8908980D443C29C69B60C9' |

  | GRANT SELECT, INSERT, UPDATE, DELETE, EXECUTE ON `configdb`.* TO 'user_test1'@'%' |

  +-----------------------------------------------------------------------------------------------------------+

  重新使用此用户登录MySQL执行刚才定义的存储过程

  mysql>use configdb;

  mysql>call sp_dev_test_user_add('uapp_yzz','172.16.%','yzz','yzz@email','MySQL DBA');

  ERROR 1449 (HY000): The user specified as a definer ('user_admin'@'%') does not exist

  这次可以调用该存储过程了,但是提示存储过程定义中的definer不存在,原来仅仅是连接到MySQL服务器的用户具有执行存储过程的权限是远远不够的,最终要通过存储过程定义中指定的definer来执行存储过程。

  创建user_admin'@'%'这个用户,并赋予configdb上相应的权限

  mysql>create user user_admin identified by '12345';

  mysql> grant select,insert,delete,update on configdb.* to 'user_admin'@'%' IDENTIFIED BY PASSWORD '*00A51F3F48415C7D4E8908980D443C29C69B60C9';

  mysql> show grants for user_admin;

  +-----------------------------------------------------------------------------------------------------------+

  | Grants for user_admin@% |

  +-----------------------------------------------------------------------------------------------------------+

  | GRANT USAGE ON *.* TO 'user_admin'@'%' IDENTIFIED BY PASSWORD '*00A51F3F48415C7D4E8908980D443C29C69B60C9' |

  | GRANT SELECT, INSERT, UPDATE, DELETE ON `configdb`.* TO 'user_admin'@'%' |

  +-----------------------------------------------------------------------------------------------------------+

  重新使用'user_test1'@'%'用户登录MySQL执行刚才定义的存储过程

  mysql>use configdb;

  mysql> call sp_dev_test_user_add('uapp_yzz','172.16.%','yzz','yzz@email','MySQL DBA');

  ERROR 1370 (42000): execute command denied to user 'user_admin'@'%' for routine 'configdb.sp_dev_test_user_add'

  看来不仅仅是连接到MySQL服务器的用户需要具有存储过程上的执行权限,存储过程定义者同样需要该权限。

  mysql> grant execute on configdb.* to 'user_admin'@'%' IDENTIFIED BY PASSWORD '*00A51F3F48415C7D4E8908980D443C29C69B60C9';

  mysql> show grants for user_admin;

  +-----------------------------------------------------------------------------------------------------------+

  | Grants for user_admin@% |

  +-----------------------------------------------------------------------------------------------------------+

  | GRANT USAGE ON *.* TO 'user_admin'@'%' IDENTIFIED BY PASSWORD '*00A51F3F48415C7D4E8908980D443C29C69B60C9' |

  | GRANT SELECT, INSERT, UPDATE, DELETE, EXECUTE ON `configdb`.* TO 'user_admin'@'%' |

  +-----------------------------------------------------------------------------------------------------------+

  重新使用'user_test1'@'%'用户登录MySQL执行刚才定义的存储过程

  mysql>use configdb;

  mysql> call sp_dev_test_user_add('uapp_yzz','172.16.%','yzz','yzz@email','MySQL DBA');

  ERROR 1044 (42000): Access denied for user 'user_admin'@'%' to database 'configdb'

  可以执行存储过程了,但是提示权限不足,仔细查看存储过程的定义可以看到,存储过程中包含创建用户和赋予权限的语句,而我们赋给'user_test1'@'%'用户和'user_admin'@'%'都不具有这样的权限。

  赋予'user_test1'@'%'创建用户的权限和赋权的权限,以及创建临时表的权限

  mysql> grant create user on *.* to 'user_test1'@'%' IDENTIFIED BY PASSWORD '*00A51F3F48415C7D4E8908980D443C29C69B60C9' with grant option;

  mysql> grant create temporary tables on configdb.* to 'user_test1'@'%' IDENTIFIED BY PASSWORD '*00A51F3F48415C7D4E8908980D443C29C69B60C9';

  mysql> show grants for 'user_test1'@'%';

  +-----------------------------------------------------------------------------------------------------------------------------------+

  | Grants for user_test1@% |

  +-----------------------------------------------------------------------------------------------------------------------------------+

  | GRANT CREATE USER ON *.* TO 'user_test1'@'%' IDENTIFIED BY PASSWORD '*00A51F3F48415C7D4E8908980D443C29C69B60C9' WITH GRANT OPTION |

  | GRANT SELECT, INSERT, UPDATE, DELETE, CREATE TEMPORARY TABLES, EXECUTE ON `configdb`.* TO 'user_test1'@'%' |

  +-----------------------------------------------------------------------------------------------------------------------------------+

  重新使用'user_test1'@'%'用户登录MySQL执行刚才定义的存储过程

  mysql>use configdb;

  mysql> call sp_dev_test_user_add('uapp_yzz','172.16.%','yzz','yzz@email','MySQL DBA');

  ERROR 1044 (42000): Access denied for user 'user_admin'@'%' to database 'configdb'

  对了,不管你是以什么账户登录的MySQL,最后是使用存储过程的definer执行存储过程的,所以应当把创建用户和赋权的权限付给definer,这里为user_admin'@'%'这个账户。

  赋予'user_admin'@'%'创建用户的权限和赋权的权限

  mysql> grant create user on *.* to 'user_admin'@'%' IDENTIFIED BY PASSWORD '*00A51F3F48415C7D4E8908980D443C29C69B60C9' with grant option;

  mysql> grant create temporary tables on configdb.* to 'user_admin'@'%' IDENTIFIED BY PASSWORD '*00A51F3F48415C7D4E8908980D443C29C69B60C9';

  mysql> show grants for 'user_admin'@'%';

  +-----------------------------------------------------------------------------------------------------------------------------------+

  | Grants for user_admin@% |

  +-----------------------------------------------------------------------------------------------------------------------------------+

  | GRANT CREATE USER ON *.* TO 'user_admin'@'%' IDENTIFIED BY PASSWORD '*00A51F3F48415C7D4E8908980D443C29C69B60C9' WITH GRANT OPTION |

  | GRANT SELECT, INSERT, UPDATE, DELETE, CREATE TEMPORARY TABLES, EXECUTE ON `configdb`.* TO 'user_admin'@'%' |

  +-----------------------------------------------------------------------------------------------------------------------------------+

  重新使用'user_test1'@'%'用户登录MySQL执行刚才定义的存储过程

  mysql>use configdb;

  mysql> call sp_dev_test_user_add('uapp_yzz','172.16.%','yzz','yzz@email','MySQL DBA');

  ERROR 1142 (42000): SELECT command denied to user 'user_admin'@'%' for table 'user'

  哦,除了configdb库外还得有mysql库上user表的权限,给加上,看来权限问题还真是棘手,呵呵~

  mysql> grant select,insert,delete,update on mysql.* to 'user_admin'@'%' IDENTIFIED BY PASSWORD '*00A51F3F48415C7D4E8908980D443C29C69B60C9';

  mysql> show grants for 'user_admin'@'%';

  +-----------------------------------------------------------------------------------------------------------------------------------+

  | Grants for user_admin@% |

  +-----------------------------------------------------------------------------------------------------------------------------------+

  | GRANT CREATE USER ON *.* TO 'user_admin'@'%' IDENTIFIED BY PASSWORD '*00A51F3F48415C7D4E8908980D443C29C69B60C9' WITH GRANT OPTION |

  | GRANT SELECT, INSERT, UPDATE, DELETE, CREATE, CREATE TEMPORARY TABLES, EXECUTE ON `configdb`.* TO 'user_admin'@'%' |

  | GRANT SELECT, INSERT, UPDATE, DELETE ON `mysql`.* TO 'user_admin'@'%' |

  +-----------------------------------------------------------------------------------------------------------------------------------+

  重新使用'user_test1'@'%'用户登录MySQL执行刚才定义的存储过程

  mysql>use configdb;

  mysql> call sp_dev_test_user_add('uapp_yzz','172.16.%','yzz','yzz@email','MySQL DBA');

  Query OK, 0 rows affected (0.05 sec)

  终于OK了,相信通过这一系列过程,大家应该能够很清楚的了解MySQL存储过程相关的执行权限了。另外,定义该存储过程还需要有CREATE ROUTINE的权限、更该存储过程需要有ALTER ROUTINE的权限(这里是用超级用户在configdb创建的存储过程,上述权限都是具备的),调用存储过程的用户需要有EXECUTE权限,最终执行存储过程的用户也即存储过程定义者要具备存储过程定义语句中相关的各种权限。

  MySQL的权限分的比较细,大致可分为表权限、列权限、过程权限具体可参考MySQL官方手册。

[转]MySQL中存储过程权限问题的更多相关文章

  1. SqlServer和MySQL中存储过程out返回值处理C#代码

    1.SqlServer中out处理 C#代码 #region"SqlServer中存储过程处理out返回值" //public void getdata() //{ // stri ...

  2. Mysql中五级权限小结

    mysql的权限控制主要是通过mysql库下的db,user,host,table_priv,column_priv表控制. 由于权限信息数据量比较小,所以mysql在启动时会将所有的权限消息加载到内 ...

  3. Mysql中存储过程和函数的写法

    MySQL中,创建存储过程的基本形式如下: CREATE PROCEDURE sp_name ([proc_parameter[,...]]) [characteristic ...] routine ...

  4. MYSQL中存储过程的创建,调用及语法

    MySQL 存储过程是从 MySQL 5.0 开始增加的新功能.存储过程的优点有一箩筐.不过最主要的还是执行效率和SQL 代码封装.特别是 SQL 代码封装功能,如果没有存储过程,在外部程序访问数据库 ...

  5. MySQL中存储过程+事件的使用方法

    一.背景 将界面操作日志存储在MySQL数据库中的operationlog表中,如果该表不能自动备份,表中的数据会越来越多,影响速度.可以定期将表中数据备份到另外一个表中来解决. 二.解决方案 1.使 ...

  6. 详细解读MySQL中的权限

    一.前言 很多文章中会说,数据库的权限按最小权限为原则,这句话本身没有错,但是却是一句空话.因为最小权限,这个东西太抽象,很多时候你并弄不清楚具体他需要哪 些权限. 现在很多mysql用着root账户 ...

  7. 如何创建新用户和授予MySQL中的权限

    原创官网http://www.howtoing.com/how-to-create-a-new-user-and-grant-permissions-in-mysql/ 关于MySQL MySQL是一 ...

  8. MySql中存储过程的理解

    到底什么是存储过程,又为什么需要使用存储过程? 存储过程简单来说,就是为以后的使用而保存的一条或多条MySQL语句的集合,可将其视为批文件,虽然它们的作用不仅限与批处理. 使用存储过程有3个主要的好处 ...

  9. MySql中存储过程中的@变量总是无法执行,提示Parameter '@XXX' must be defined

    一.情形: 在.net调用Mysql时,比如如下的一句SQL,总是无法执行,可是在其它SQL客户端窗口中是能正确执行的. drop procedure if exists AddColumnUnles ...

随机推荐

  1. 27. Best Time to Buy and Sell Stock && Best Time to Buy and Sell Stock II && Best Time to Buy and Sell Stock III

    Best Time to Buy and Sell Stock (onlineJudge: https://oj.leetcode.com/problems/best-time-to-buy-and- ...

  2. EXT学习之——获取下拉框combobox的值与显示名

    //申请科室 var comboboxdept = new Ext.form.ComboBox({ xtype: "combobox", name: "Gender&qu ...

  3. json和字符串转换

    json对象转js字符串 JSON.stringify(json) js字符串转json对象 var json= $.parseJSON(str);

  4. Eclipse 和 HSQLDB: 将关系数据库服务器嵌入到 Eclipse 中,第 2 部分

    HSQLDB 开发者角色 对 HSQLDB 与 Eclipse 工作台的集成感兴趣的开发者可以很容易地被分为两类: 客户机开发者,他们只是用 HSQLDB 来存储数据. 引擎开发者,他们通过添加新的标 ...

  5. apache+tomcat分布式集群搭建

    今天搭建apche+tomcat分布式集群,遇到很多问题,在网上找到的很多都不成功,然后和同事一起研究了一下,最终搭建成功了.做个笔记,以备自己以后参考. 1,下载apache.在下载Apache(2 ...

  6. Egret 压缩与解压(jszip)

    一 jszip是什么 二 为什么要用jszip 三 如果使用zip 一 jszip是什么 jszip 是一个 JavaScript 库,可直接在浏览器上创建 zip 压缩档. 二 为什么要用jszip ...

  7. checkinstall打包工具使用

    checkinstall官网: http://asic-linux.com.mx/~izto/checkinstall/ 下载安装checkinstall: # git clone http://ch ...

  8. html a tag's href javascript issue

    a标签的href中写js中遇到的问题(ie中有问题,chrome没问题) <a class="free" href="javascript:{$('#suiteTy ...

  9. 浅谈Eclipse寻找JVM(JRE)的顺序机制(转)

    转自:http://blog.csdn.net/teedry/article/details/6666850 Eclipse也是一个普通的Java程序,因此必须有一个JRE做为运行环境.        ...

  10. VC++ 如何在显示对话框的时候,指定焦点控件!

    很简单: 在你的CAddDlg类的OnInitDialog函数中加上你上面的代码GetDlgItem(IDC_EDIT1)->SetFocus();最后记得return FALSE; 其实,不知 ...