【 TiDB 使用环境】线上、测试、调研
【 TiDB 版本】
v5.4.1
【遇到的问题】
tidb中的grant与mysql中不同,好像是grant后权限覆盖了。
【复现路径】做过哪些操作出现的问题
在tidb中创建测试库与测试用户如下:
mysql [root@tidbdev.syk:(none)]> create database syk_db_test;
Query OK, 0 rows affected (0.16 sec)
mysql [root@tidbdev.syk:(none)]> create database syk_db_temp;
Query OK, 0 rows affected (0.11 sec)
mysql [root@tidbdev.syk:(none)]> create database syk_db_dev;
Query OK, 0 rows affected (0.13 sec)
mysql [root@tidbdev.syk:(none)]> create database syk_db_sit;
Query OK, 0 rows affected (0.12 sec)
mysql [root@tidbdev.syk:(none)]> CREATE USER IF NOT EXISTS ‘syk_usr_test’@‘%’ IDENTIFIED BY ‘PWD_syk_test’;
Query OK, 0 rows affected (0.06 sec)
mysql [root@tidbdev.syk:(none)]> GRANT SELECT,INSERT,UPDATE,DELETE,CREATE,DROP,ALTER,INDEX,CREATE VIEW,SHOW VIEW ON syk_db_test.* TO ‘syk_usr_test’@‘%’;
Query OK, 0 rows affected (0.05 sec)
mysql [root@tidbdev.syk:(none)]> GRANT select ON syk_db_%.* TO ‘syk_usr_test’@‘%’;
Query OK, 0 rows affected (0.07 sec)
mysql [root@tidbdev.syk:(none)]> show grants for syk_usr_test;
±-----------------------------------------------------------------------------------------------------------------------+
| Grants for syk_usr_test@% |
±-----------------------------------------------------------------------------------------------------------------------+
| GRANT USAGE ON . TO ‘syk_usr_test’@‘%’ |
| GRANT SELECT ON syk_db_%.* TO ‘syk_usr_test’@‘%’ |
| GRANT SELECT,INSERT,UPDATE,DELETE,CREATE,DROP,ALTER,INDEX,CREATE VIEW,SHOW VIEW ON syk_db_test.* TO ‘syk_usr_test’@‘%’ |
±-----------------------------------------------------------------------------------------------------------------------+
3 rows in set (0.02 sec)
另开一个会话,测试如下:
[syk@syk ~]$ mysql -usyk_usr_test -pPWD_syk_test -h tidbdev.syk
mysql: [Warning] Using a password on the command line interface can be insecure.
Welcome to the MySQL monitor. Commands end with ; or \g.
Your MySQL connection id is 4917801
Server version: 5.7.25-TiDB-v5.4.1 TiDB Server (Apache License 2.0) Community Edition, MySQL 5.7 compatible
Copyright (c) 2000, 2016, Oracle and/or its affiliates. All rights reserved.
Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.
Type ‘help;’ or ‘\h’ for help. Type ‘\c’ to clear the current input statement.
mysql [syk_usr_test@tidbdev.syk:(none)]> show databases; 这里可以看到所有syk_db_开头的库
±-------------------+
| Database |
±-------------------+
| INFORMATION_SCHEMA |
| syk_db_dev |
| syk_db_sit |
| syk_db_temp |
| syk_db_test |
±-------------------+
5 rows in set (0.01 sec)
mysql [syk_usr_test@tidbdev.syk:(none)]> use syk_db_test 切换到syk_db_test后却不能创建表
Database changed
mysql [syk_usr_test@tidbdev.syk:syk_db_test]> create table syk_test(id int,name varchar(10));
ERROR 1142 (42000): CREATE command denied to user ‘syk_usr_test’@‘%’ for table ‘syk_test’
mysql [syk_usr_test@tidbdev.syk:syk_db_test]>
好像是GRANT SELECT ON syk_db_%.* TO ‘syk_usr_test’@‘%’ 覆盖了GRANT SELECT,INSERT,UPDATE,DELETE,CREATE,DROP,ALTER,INDEX,CREATE VIEW,SHOW VIEW ON syk_db_test.* TO ‘syk_usr_test’@‘%’,但是在show grants时却可以看到两条grant。
下面是在mysql5.7.38上测试
mysql mysql.sock [(none)]> create database syk_db_test;
Query OK, 1 row affected (0.00 sec)
mysql mysql.sock [(none)]> create database syk_db_temp;
Query OK, 1 row affected (0.00 sec)
mysql mysql.sock [(none)]> create database syk_db_dev;
Query OK, 1 row affected (0.00 sec)
mysql mysql.sock [(none)]> create database syk_db_sit;
Query OK, 1 row affected (0.00 sec)
mysql mysql.sock [(none)]> GRANT SELECT,INSERT,UPDATE,DELETE,CREATE,DROP,ALTER,INDEX,CREATE VIEW,SHOW VIEW ON syk_db_test.* TO ‘syk_usr_test’@‘%’ identified by ‘PWD_syk_test’;
Query OK, 0 rows affected, 1 warning (0.01 sec)
mysql mysql.sock [(none)]> GRANT select ON syk_db_%.* TO ‘syk_usr_test’@‘%’;
Query OK, 0 rows affected (0.00 sec)
mysql mysql.sock [(none)]> show grants for syk_usr_test;
±----------------------------------------------------------------------------------------------------------------------------------+
| Grants for syk_usr_test@% |
±----------------------------------------------------------------------------------------------------------------------------------+
| GRANT USAGE ON . TO ‘syk_usr_test’@‘%’ |
| GRANT SELECT, INSERT, UPDATE, DELETE, CREATE, DROP, INDEX, ALTER, CREATE VIEW, SHOW VIEW ON syk_db_test.* TO ‘syk_usr_test’@‘%’ |
| GRANT SELECT ON syk_db_%.* TO ‘syk_usr_test’@‘%’ |
±----------------------------------------------------------------------------------------------------------------------------------+
3 rows in set (0.00 sec)
另开一个会话,测试如下:
[root@localhost ~]# mysql -usyk_usr_test -pPWD_syk_test -h 127.0.0.1
mysql: [Warning] Using a password on the command line interface can be insecure.
Welcome to the MySQL monitor. Commands end with ; or \g.
Your MySQL connection id is 4
Server version: 5.7.38-log MySQL Community Server (GPL)
Copyright (c) 2000, 2022, Oracle and/or its affiliates.
Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.
Type ‘help;’ or ‘\h’ for help. Type ‘\c’ to clear the current input statement.
mysql 3306 [(none)]> show databases; 这里可以看到所有syk_db_开头的库
±-------------------+
| Database |
±-------------------+
| information_schema |
| syk_db_dev |
| syk_db_sit |
| syk_db_temp |
| syk_db_test |
±-------------------+
5 rows in set (0.00 sec)
mysql 3306 [(none)]> use syk_db_test 切换到syk_db_test是可以创建表的
Database changed
mysql 3306 [syk_db_test]> create table syk_test(id int,name varchar(10));
Query OK, 0 rows affected (0.02 sec)
mysql 3306 [syk_db_test]> use syk_db_temp 切换到syk_db_temp是不可以创建的,因为只有select权限
Database changed
mysql 3306 [syk_db_temp]> create table syk_test(id int,name varchar(10));
ERROR 1142 (42000): CREATE command denied to user ‘syk_usr_test’@‘127.0.0.1’ for table ‘syk_test’
mysql 3306 [syk_db_temp]>
mysql中的grant没有问题。
请帮忙看看是不是触发bug了,还是有什么地方我这边没有注意到,比如是不是有什么相关参数可以控制,等等,谢谢!
【问题现象及影响】
【附件】
请提供各个组件的 version 信息,如 cdc/tikv,可通过执行 cdc version/tikv-server --version 获取。