REVOKE <role>

REVOKE <role> 语句用于从指定的用户(或用户列表)中收回之前授予的角色。

语法图

RevokeRoleStmt
REVOKERolenameListFROMUsernameList
RolenameList
Rolename,
UsernameList
Username,

示例

root 用户连接 TiDB:

mysql -h 127.0.0.1 -P 4000 -u root

创建新角色 analyticsteam 和新用户 jennifer

CREATE ROLE analyticsteam; Query OK, 0 rows affected (0.02 sec) GRANT SELECT ON test.* TO analyticsteam; Query OK, 0 rows affected (0.02 sec) CREATE USER jennifer; Query OK, 0 rows affected (0.01 sec) GRANT analyticsteam TO jennifer; Query OK, 0 rows affected (0.01 sec)

jennifer 用户连接 TiDB:

mysql -h 127.0.0.1 -P 4000 -u jennifer

需要注意的是,默认情况下,用户 jennifer 需要执行 SET ROLE analyticsteam 语句才能使用与角色相关联的权限:

SHOW GRANTS; +---------------------------------------------+ | Grants for User | +---------------------------------------------+ | GRANT USAGE ON *.* TO 'jennifer'@'%' | | GRANT 'analyticsteam'@'%' TO 'jennifer'@'%' | +---------------------------------------------+ 2 rows in set (0.00 sec) SHOW TABLES in test; ERROR 1044 (42000): Access denied for user 'jennifer'@'%' to database 'test' SET ROLE analyticsteam; Query OK, 0 rows affected (0.00 sec) SHOW GRANTS; +---------------------------------------------+ | Grants for User | +---------------------------------------------+ | GRANT USAGE ON *.* TO 'jennifer'@'%' | | GRANT SELECT ON test.* TO 'jennifer'@'%' | | GRANT 'analyticsteam'@'%' TO 'jennifer'@'%' | +---------------------------------------------+ 3 rows in set (0.00 sec) SHOW TABLES IN test; +----------------+ | Tables_in_test | +----------------+ | t1 | +----------------+ 1 row in set (0.00 sec)

root 用户连接 TiDB:

mysql -h 127.0.0.1 -P 4000 -u root

执行 SET DEFAULT ROLE 语句将用户 jenniferanalyticsteam 角色相关联:

SET DEFAULT ROLE analyticsteam TO jennifer; Query OK, 0 rows affected (0.02 sec)

jennifer 用户连接 TiDB:

mysql -h 127.0.0.1 -P 4000 -u jennifer

此时 jennifer 用户无需执行 SET ROLE 语句就能拥有 analyticsteam 角色相关联的权限:

SHOW GRANTS; +---------------------------------------------+ | Grants for User | +---------------------------------------------+ | GRANT USAGE ON *.* TO 'jennifer'@'%' | | GRANT SELECT ON test.* TO 'jennifer'@'%' | | GRANT 'analyticsteam'@'%' TO 'jennifer'@'%' | +---------------------------------------------+ 3 rows in set (0.00 sec) SHOW TABLES IN test; +----------------+ | Tables_in_test | +----------------+ | t1 | +----------------+ 1 row in set (0.00 sec)

root 用户连接 TiDB:

mysql -h 127.0.0.1 -P 4000 -u root

收回角色 analyticsteam

REVOKE analyticsteam FROM jennifer; Query OK, 0 rows affected (0.01 sec)

jennifer 用户连接 TiDB:

mysql -h 127.0.0.1 -P 4000 -u jennifer

查看 jennifer 用户的权限:

SHOW GRANTS; +--------------------------------------+ | Grants for User | +--------------------------------------+ | GRANT USAGE ON *.* TO 'jennifer'@'%' | +--------------------------------------+ 1 row in set (0.00 sec)

MySQL 兼容性

REVOKE <role> 语句与 MySQL 8.0 的角色功能完全兼容。如发现任何兼容性差异,请尝试 TiDB 支持资源

另请参阅