mysql all_同样是MySQL的all privileges有啥不同？

db.* 和 . 上面的all privileges 有啥不一样。

咱当兵的人，有啥不一样...(一起唱)

首先安装MySQL启动

root@pts/0 $ wget http://repo.mysql.com/mysql-community-release-el7-5.noarch.rpm

--2018-08-02 18:13:58-- http://repo.mysql.com/mysql-community-release-el7-5.noarch.rpm

Resolving repo.mysql.com (repo.mysql.com)... 23.36.193.224

Connecting to repo.mysql.com (repo.mysql.com)|23.36.193.224|:80... connected.

HTTP request sent, awaiting response... 200 OK

Length: 6140 (6.0K) [application/x-redhat-package-manager]

Saving to: ‘mysql-community-release-el7-5.noarch.rpm’

100%[====================================================================================================================================================================================================================================>] 6,140 16.6KB/s in 0.4s r

2018-08-02 18:13:59 (16.6 KB/s) - ‘mysql-community-release-el7-5.noarch.rpm’ saved [6140/6140]

vpc-devops-ossimport [~] 2018-08-02 18:13:59

root@pts/0 $ rpm -ivh mysql-community-release-el7-5.noarch.rpm

Preparing... ################################# [100%]

Updating / installing...

1:mysql-community-release-el7-5 ################################# [100%]

vpc-devops-ossimport [~] 2018-08-02 18:14:04

root@pts/0 $ yum install mysql-community-server mysql-community-client mysql-community-devel

Loaded plugins: fastestmirror, priorities

Loading mirror speeds from cached hostfile

mysql-connectors-community | 2.5 kB 00:00:00

mysql-tools-community | 2.5 kB 00:00:00

mysql56-community

root@pts/0 $ systemctl enable mysqld

vpc-devops-ossimport [~] 2018-08-02 18:15:18

root@pts/0 $ systemctl start mysqld

vpc-devops-ossimport [~] 2018-08-02 18:15:30

root@pts/0 $ ps -ef|grep msyql

root 1112 630 0 18:15 pts/0 00:00:00 grep --color msyql

vpc-devops-ossimport [~] 2018-08-02 18:15:44

root@pts/0 $ ps -ef|grep mysql

mysql 898 1 0 18:15 ? 00:00:00 /bin/sh /usr/bin/mysqld_safe --basedir=/usr

mysql 1079 898 1 18:15 ? 00:00:00 /usr/sbin/mysqld --basedir=/usr --datadir=/var/lib/mysql --plugin-dir=/usr/lib64/mysql/plugin --log-error=/var/log/mysqld.log --pid-file=/var/run/mysqld/mysqld.pid --socket=/var/lib/mysql/mysql.sock

root 1120 630 0 18:15 pts/0 00:00:00 grep --color mysql

初始化数据库登录。看到三个系统默认的数据库和初始的账号情况

mysql> show databases ;

+--------------------+

| Database |

+--------------------+

| information_schema |

| mysql |

| performance_schema |

+--------------------+

3 rows in set (0.00 sec)

mysql> use mysql

Reading table information for completion of table and column names

You can turn off this feature to get a quicker startup with -A

Database changed

mysql> select user,host from mysql.user ;

+------+----------------------+

| user | host |

+------+----------------------+

| root | 127.0.0.1 |

| root | ::1 |

| | localhost |

| root | localhost |

| | vpc-devops-ossimport |

| root | vpc-devops-ossimport |

+------+----------------------+

6 rows in set (0.00 sec)

验证过程

平时创建账号的时候，可以分为两大类，一类是业务系统的账号，基于具体的数据库上面做的操作。一类是管理员账号，会涉及到像 mysql、information_schema、performance_schema 用户做统计、分析等

所以创建一个新的数据库。模拟业务数据库。

mysql> create database devops ;

Query OK, 1 row affected (0.00 sec)

分别创建基于“业务”和基于“管理员”的所有权限“all privileges”

grant all privileges

mysql> grant all privileges on devops.* to ops1@'%' identified by 'devops1';

Query OK, 0 rows affected (0.00 sec)

mysql> grant all privileges on devops.* to ops2@'%' identified by 'devops2' with grant option;

Query OK, 0 rows affected (0.00 sec)

mysql> grant all privileges on *.* to ops3@'%' identified by 'devops3';

Query OK, 0 rows affected (0.00 sec)

mysql> grant all privileges on *.* to ops4@'%' identified by 'devops4' with grant option ;

Query OK, 0 rows affected (0.00 sec)

check all privileges

mysql> show grants for ops1;

+-----------------------------------------------------------------------------------------------------+

| Grants for ops1@% |

+-----------------------------------------------------------------------------------------------------+

| GRANT USAGE ON *.* TO 'ops1'@'%' IDENTIFIED BY PASSWORD '*52048CCECC477DB7138C2CBCF04AAD3E0397A913' |

| GRANT ALL PRIVILEGES ON `devops`.* TO 'ops1'@'%' |

+-----------------------------------------------------------------------------------------------------+

2 rows in set (0.00 sec)

mysql> show grants for ops2;

+-----------------------------------------------------------------------------------------------------+

| Grants for ops2@% |

+-----------------------------------------------------------------------------------------------------+

| GRANT USAGE ON *.* TO 'ops2'@'%' IDENTIFIED BY PASSWORD '*C6ADDF202AF316082C3193C296860A468B4B87B4' |

| GRANT ALL PRIVILEGES ON `devops`.* TO 'ops2'@'%' WITH GRANT OPTION |

+-----------------------------------------------------------------------------------------------------+

2 rows in set (0.00 sec)

mysql> show grants for ops3;

+--------------------------------------------------------------------------------------------------------------+

| Grants for ops3@% |

+--------------------------------------------------------------------------------------------------------------+

| GRANT ALL PRIVILEGES ON *.* TO 'ops3'@'%' IDENTIFIED BY PASSWORD '*8FE43EF11171F6BD1E6B6DEF0B70B72B40698D43' |

+--------------------------------------------------------------------------------------------------------------+

1 row in set (0.00 sec)

mysql> show grants for ops4;

+--------------------------------------------------------------------------------------------------------------------------------+

| Grants for ops4@% |

+--------------------------------------------------------------------------------------------------------------------------------+

| GRANT ALL PRIVILEGES ON *.* TO 'ops4'@'%' IDENTIFIED BY PASSWORD '*A5CC13BEC1112C49147BE1FABD75849ECD2647A4' WITH GRANT OPTION |

+--------------------------------------------------------------------------------------------------------------------------------+

1 row in set (0.00 sec)

分析

从上面看到大家显示的都会all privilges，实际看不出来什么，所以我们可以反向考虑。我回收一个基本的select 权限。看看剩余的权限都有哪些。

为啥这样呢。可以把all privileges 看成一个整体，拿走一个就不是整体了那就会把其余的全部列出来展现。

revoke select

mysql> revoke select on devops.* from 'ops1'@'%' ;

Query OK, 0 rows affected (0.00 sec)

mysql> revoke select on devops.* from 'ops2'@'%' ;

Query OK, 0 rows affected (0.00 sec)

mysql> revoke select on *.* from 'ops3'@'%' ;

Query OK, 0 rows affected (0.00 sec)

mysql> revoke select on *.* from 'ops4'@'%' ;

Query OK, 0 rows affected (0.00 sec)

check all privileges again

mysql> show grants for ops1;

| Grants for ops1@% |

| GRANT USAGE ON *.* TO 'ops1'@'%' IDENTIFIED BY PASSWORD '*52048CCECC477DB7138C2CBCF04AAD3E0397A913' |

| GRANT INSERT, UPDATE, DELETE, CREATE, DROP, REFERENCES, INDEX, ALTER, CREATE TEMPORARY TABLES, LOCK TABLES, EXECUTE, CREATE VIEW, SHOW VIEW, CREATE ROUTINE, ALTER ROUTINE, EVENT, TRIGGER ON `devops`.* TO 'ops1'@'%' |

2 rows in set (0.00 sec)

mysql> show grants for ops2;

| Grants for ops2@% |

| GRANT USAGE ON *.* TO 'ops2'@'%' IDENTIFIED BY PASSWORD '*C6ADDF202AF316082C3193C296860A468B4B87B4' |

2 rows in set (0.00 sec)

mysql> show grants for ops3;

+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+

| Grants for ops3@% |

| GRANT INSERT, UPDATE, DELETE, CREATE, DROP, RELOAD, SHUTDOWN, PROCESS, FILE, REFERENCES, INDEX, ALTER, SHOW DATABASES, SUPER, CREATE TEMPORARY TABLES, LOCK TABLES, EXECUTE, REPLICATION SLAVE, REPLICATION CLIENT, CREATE VIEW, SHOW VIEW, CREATE ROUTINE, ALTER ROUTINE, CREATE USER, EVENT, TRIGGER, CREATE TABLESPACE ON *.* TO 'ops3'@'%' IDENTIFIED BY PASSWORD '*8FE43EF11171F6BD1E6B6DEF0B70B72B40698D43' |

1 row in set (0.00 sec)

mysql> show grants for ops4;

| Grants for ops4@% |

| GRANT INSERT, UPDATE, DELETE, CREATE, DROP, RELOAD, SHUTDOWN, PROCESS, FILE, REFERENCES, INDEX, ALTER, SHOW DATABASES, SUPER, CREATE TEMPORARY TABLES, LOCK TABLES, EXECUTE, REPLICATION SLAVE, REPLICATION CLIENT, CREATE VIEW, SHOW VIEW, CREATE ROUTINE, ALTER ROUTINE, CREATE USER, EVENT, TRIGGER, CREATE TABLESPACE ON *.* TO 'ops4'@'%' IDENTIFIED BY PASSWORD '*A5CC13BEC1112C49147BE1FABD75849ECD2647A4' WITH GRANT OPTION |

1 row in set (0.00 sec)

整理对比

因为上面四种情况最终的显示不是很对应。这里认为整理下如下

## 基于业务的 all privileges

SELECT, INSERT, UPDATE, DELETE, CREATE, DROP, REFERENCES, INDEX, ALTER, CREATE TEMPORARY TABLES, LOCK TABLES, EXECUTE, CREATE VIEW, SHOW VIEW, CREATE ROUTINE, ALTER ROUTINE, EVENT, TRIGGER

## 基于管理员的all privileges

SELECT, INSERT, UPDATE, DELETE, CREATE, DROP, REFERENCES, INDEX, ALTER, CREATE TEMPORARY TABLES, LOCK TABLES, EXECUTE, CREATE VIEW, SHOW VIEW, CREATE ROUTINE, ALTER ROUTINE, EVENT, TRIGGER, RELOAD, SHUTDOWN, PROCESS, FILE, SHOW DATABASES, SUPER, REPLICATION SLAVE, REPLICATION CLIENT, CREATE USER, CREATE TABLESPACE

结论

对比之后发现，基于管理员(.) 的所有权限比基于业务库(somedb.*) 上的所有权限多出了一下权限

RELOAD, SHUTDOWN, PROCESS, FILE, SHOW DATABASES, SUPER, REPLICATION SLAVE, REPLICATION CLIENT, CREATE USER, CREATE TABLESPACE