Normally, you manipulate the contents of the grant tables in the
mysql
database indirectly by using statements
such as GRANT
and
REVOKE
to set up accounts and
control the privileges available to each one. See
Account Management Statements. The discussion here
describes the underlying structure of the grant tables and how the
server uses their contents when interacting with clients.
Some tables in the mysql
database do not hold
grant information and are discussed elsewhere:
The event
table contains information about
Event Scheduler events: See Using the Event Scheduler.
The func
table contains information about
user-defined functions: See
Adding New Functions to MySQL.
The help_
tables are used for server-side help: See
Server-Side Help.
xxx
The plugin
table contains information about
server plugins: See The MySQL Plugin API.
The proc
table contains information about
stored functions and procedures: See
Using Stored Routines (Procedures and Functions).
The servers
table is used by the
FEDERATED
storage engine: See
Creating a FEDERATED
Table Using CREATE SERVER
.
The
time_zone_
tables contain time zone information: See
MySQL Server Time Zone Support.
xxx
Tables with _log
in their name are used for
logging: See MySQL Server Logs.
Each grant table contains scope columns and privilege columns:
Scope columns determine the scope of each row (entry) in the
tables; that is, the context in which the row applies. For
example, a user
table row with
Host
and User
values of
'thomas.loc.gov'
and
'bob'
would be used for authenticating
connections made to the server from the host
thomas.loc.gov
by a client that specifies a
user name of bob
. Similarly, a
db
table row with Host
,
User
, and Db
column
values of 'thomas.loc.gov'
,
'bob'
and 'reports'
would be used when bob
connects from the
host thomas.loc.gov
to access the
reports
database. The
tables_priv
and
columns_priv
tables contain scope columns
indicating tables or table/column combinations to which each
row applies. The procs_priv
scope columns
indicate the stored routine to which each row applies.
Privilege columns indicate which privileges are granted by a table row; that is, what operations can be performed. The server combines the information in the various grant tables to form a complete description of a user's privileges. Section 3.5, “Access Control, Stage 2: Request Verification”, describes the rules that are used to do this.
The server uses the grant tables in the following manner:
The user
table scope columns determine
whether to reject or allow incoming connections. For allowed
connections, any privileges granted in the
user
table indicate the user's global
(superuser) privileges. Any privilege granted in this table
applies to all databases on the server.
Because any global privilege is considered a privilege for
all databases, any global privilege enables a user to see
all database names with SHOW
DATABASES
or by examining the
SCHEMATA
table of
INFORMATION_SCHEMA
.
The db
table scope columns determine which
users can access which databases from which hosts. The
privilege columns determine which operations are allowed. A
privilege granted at the database level applies to the
database and to all objects in the database, such as tables
and stored programs.
The host
table is used in conjunction with
the db
table when you want a given
db
table row to apply to several hosts. For
example, if you want a user to be able to use a database from
several hosts in your network, leave the
Host
value empty in the user's
db
table row, then populate the
host
table with a row for each of those
hosts. This mechanism is described more detail in
Section 3.5, “Access Control, Stage 2: Request Verification”.
The tables_priv
and
columns_priv
tables are similar to the
db
table, but are more fine-grained: They
apply at the table and column levels rather than at the
database level. A privilege granted at the table level applies
to the table and to all its columns. A privilege granted at
the column level applies only to a specific column.
The procs_priv
table applies to stored
routines. A privilege granted at the routine level applies
only to a single routine.
The server uses the user
,
db
, and host
tables in the
mysql
database at both the first and second
stages of access control (see Chapter 3, The MySQL Access Privilege System).
The columns in the user
and
db
tables are shown here. The
host
table is similar to the
db
table but has a specialized use as described
in Section 3.5, “Access Control, Stage 2: Request Verification”.
Table Name | user | db |
Scope columns | Host |
Host |
User |
Db |
|
Password |
User |
|
Privilege columns | Select_priv |
Select_priv |
Insert_priv |
Insert_priv |
|
Update_priv |
Update_priv |
|
Delete_priv |
Delete_priv |
|
Index_priv |
Index_priv |
|
Alter_priv |
Alter_priv |
|
Create_priv |
Create_priv |
|
Drop_priv |
Drop_priv |
|
Grant_priv |
Grant_priv |
|
Create_view_priv |
Create_view_priv |
|
Show_view_priv |
Show_view_priv |
|
Create_routine_priv |
Create_routine_priv |
|
Alter_routine_priv |
Alter_routine_priv |
|
Execute_priv |
Execute_priv |
|
Trigger_priv |
Trigger_priv |
|
Event_priv |
Event_priv |
|
Create_tmp_table_priv |
Create_tmp_table_priv |
|
Lock_tables_priv |
Lock_tables_priv |
|
References_priv |
References_priv |
|
Reload_priv |
||
Shutdown_priv |
||
Process_priv |
||
File_priv |
||
Show_db_priv |
||
Super_priv |
||
Repl_slave_priv |
||
Repl_client_priv |
||
Create_user_priv |
||
Security columns | ssl_type |
|
ssl_cipher |
||
x509_issuer |
||
x509_subject |
||
Resource control columns | max_questions |
|
max_updates |
||
max_connections |
||
max_user_connections |
During the second stage of access control, the server performs
request verification to make sure that each client has sufficient
privileges for each request that it issues. In addition to the
user
, db
, and
host
grant tables, the server may also consult
the tables_priv
and
columns_priv
tables for requests that involve
tables. The latter tables provide finer privilege control at the
table and column levels. They have the columns shown in the
following table.
Table Name | tables_priv | columns_priv |
Scope columns | Host |
Host |
Db |
Db |
|
User |
User |
|
Table_name |
Table_name |
|
Column_name |
||
Privilege columns | Table_priv |
Column_priv |
Column_priv |
||
Other columns | Timestamp |
Timestamp |
Grantor |
The Timestamp
and Grantor
columns currently are unused and are discussed no further here.
For verification of requests that involve stored routines, the
server may consult the procs_priv
table, which
has the columns shown in the following table.
Table Name | procs_priv |
Scope columns | Host |
Db |
|
User |
|
Routine_name |
|
Routine_type |
|
Privilege columns | Proc_priv |
Other columns | Timestamp |
Grantor |
The Routine_type
column is an
ENUM
column with values of
'FUNCTION'
or 'PROCEDURE'
to
indicate the type of routine the row refers to. This column
enables privileges to be granted separately for a function and a
procedure with the same name.
The Timestamp
and Grantor
columns currently are unused and are discussed no further here.
Scope columns in the grant tables contain strings. They are declared as shown here; the default value for each is the empty string.
Column Name | Type |
Host |
CHAR(60) |
User |
CHAR(16) |
Password |
CHAR(41) |
Db |
CHAR(64) |
Table_name |
CHAR(64) |
Column_name |
CHAR(64) |
Routine_name |
CHAR(64) |
For access-checking purposes, comparisons of
User
, Password
,
Db
, and Table_name
values
are case sensitive. Comparisons of Host
,
Column_name
, and
Routine_name
values are not case sensitive.
In the user
, db
, and
host
tables, each privilege is listed in a
separate column that is declared as ENUM('N','Y') DEFAULT
'N'
. In other words, each privilege can be disabled or
enabled, with the default being disabled.
In the tables_priv
,
columns_priv
, and procs_priv
tables, the privilege columns are declared as
SET
columns. Values in these
columns can contain any combination of the privileges controlled
by the table. Only those privileges listed in the column value are
enabled.
Table Name | Column Name | Possible Set Elements |
tables_priv |
Table_priv |
'Select', 'Insert', 'Update', 'Delete', 'Create', 'Drop',
'Grant', 'References', 'Index', 'Alter', 'Create View',
'Show view', 'Trigger' |
tables_priv |
Column_priv |
'Select', 'Insert', 'Update', 'References' |
columns_priv |
Column_priv |
'Select', 'Insert', 'Update', 'References' |
procs_priv |
Proc_priv |
'Execute', 'Alter Routine', 'Grant' |
Administrative privileges (such as
RELOAD
or
SHUTDOWN
) are specified only in the
user
table. Administrative operations are
operations on the server itself and are not database-specific, so
there is no reason to list these privileges in the other grant
tables. Consequently, to determine whether you can perform an
administrative operation, the server need consult only the
user
table.
The FILE
privilege also is
specified only in the user
table. It is not an
administrative privilege as such, but your ability to read or
write files on the server host is independent of the database you
are accessing.
The mysqld server reads the contents of the
grant tables into memory when it starts. You can tell it to reload
the tables by issuing a
FLUSH PRIVILEGES
statement or executing a mysqladmin
flush-privileges or mysqladmin reload
command. Changes to the grant tables take effect as indicated in
Section 3.6, “When Privilege Changes Take Effect”.
When you modify an account's privileges, it is a good idea to
verify that the changes set up privileges the way you want. To
check the privileges for a given account, use the
SHOW GRANTS
statement (see
SHOW GRANTS
Syntax). For example, to determine the
privileges that are granted to an account with user name and host
name values of bob
and
pc84.example.com
, use this statement:
SHOW GRANTS FOR 'bob'@'pc84.example.com';