Functional Test Report on MySQL Proxy Users
2017-09-14 10:09
MySQL privilege management normally distinguishes accounts by the User+Host pair. Once the number of accounts grows, modifying privileges one account at a time becomes tedious.
In practice, many accounts need very similar privileges. In that situation it is worthwhile to use the Proxy User feature that MySQL provides to implement "user group privileges", so that the privileges of every account in a group can be managed in one place.
First, the example from the official documentation:
-- create proxy account
CREATE USER 'employee_ext'@'localhost' IDENTIFIED WITH my_auth_plugin AS 'my_auth_string';

-- create proxied account and grant its privileges
CREATE USER 'employee'@'localhost' IDENTIFIED BY 'employee_pass';
GRANT ALL ON employees.* TO 'employee'@'localhost';

-- grant PROXY privilege to proxy account for proxied account
GRANT PROXY ON 'employee'@'localhost' TO 'employee_ext'@'localhost';
We run the experiment on two MySQL versions, 5.6 and 5.7.
MySQL 5.6 test procedure
mysql> select version();
+------------+
| version()  |
+------------+
| 5.6.36-log |
+------------+
1 row in set (0.00 sec)

mysql> create user 'group1';
Query OK, 0 rows affected (0.01 sec)

mysql> create user 'user1';
Query OK, 0 rows affected (0.01 sec)

mysql> create user 'user2';
Query OK, 0 rows affected (0.00 sec)

mysql> grant proxy on 'group1' to 'user1';
Query OK, 0 rows affected (0.00 sec)

mysql> grant proxy on 'group1' to 'user2';
Query OK, 0 rows affected (0.01 sec)
Checking the privileges
mysql> show grants for 'group1';
+-------------------------------------+
| Grants for group1@%                 |
+-------------------------------------+
| GRANT SELECT ON *.* TO 'group1'@'%' |
+-------------------------------------+
1 row in set (0.00 sec)

mysql> show grants for 'user1';
+--------------------------------------------+
| Grants for user1@%                         |
+--------------------------------------------+
| GRANT USAGE ON *.* TO 'user1'@'%'          |
| GRANT PROXY ON 'group1'@'%' TO 'user1'@'%' |
+--------------------------------------------+
2 rows in set (0.00 sec)

mysql> show grants for 'user2';
+--------------------------------------------+
| Grants for user2@%                         |
+--------------------------------------------+
| GRANT USAGE ON *.* TO 'user2'@'%'          |
| GRANT PROXY ON 'group1'@'%' TO 'user2'@'%' |
+--------------------------------------------+
2 rows in set (0.00 sec)
Log in with one of the new accounts. Since it has been given no specific privileges (only USAGE), after login it can see nothing but information_schema.
[root@237_21 ~]# mysql -uuser1 -S /tmp/mysql3306.sock
Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 6
Server version: 5.6.36-log MySQL Community Server (GPL)

Copyright (c) 2000, 2017, Oracle and/or its affiliates. All rights reserved.

Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

mysql> show databases;
+--------------------+
| Database           |
+--------------------+
| information_schema |
+--------------------+
1 row in set (0.00 sec)
Log in with the administrator account and change the group's privileges
[root@237_21 ~]# mysql -uroot -p -S /tmp/mysql3306.sock
Enter password:
Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 5
Server version: 5.6.36-log MySQL Community Server (GPL)

Copyright (c) 2000, 2017, Oracle and/or its affiliates. All rights reserved.

Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

mysql> grant select on *.* to 'group1';
Query OK, 0 rows affected (0.01 sec)

mysql> show grants for 'group1';
+-------------------------------------+
| Grants for group1@%                 |
+-------------------------------------+
| GRANT SELECT ON *.* TO 'group1'@'%' |
+-------------------------------------+
1 row in set (0.00 sec)
Check whether the privileges of the accounts in the group have changed
mysql> show grants for 'user1';
+--------------------------------------------+
| Grants for user1@%                         |
+--------------------------------------------+
| GRANT USAGE ON *.* TO 'user1'@'%'          |
| GRANT PROXY ON 'group1'@'%' TO 'user1'@'%' |
+--------------------------------------------+
2 rows in set (0.00 sec)

mysql> show grants for 'user2';
+--------------------------------------------+
| Grants for user2@%                         |
+--------------------------------------------+
| GRANT USAGE ON *.* TO 'user2'@'%'          |
| GRANT PROXY ON 'group1'@'%' TO 'user2'@'%' |
+--------------------------------------------+
2 rows in set (0.00 sec)
Log in to MySQL again as an account in the group: the privileges have not been inherited from the group.
[root@237_21 ~]# mysql -uuser1 -S /tmp/mysql3306.sock
Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 6
Server version: 5.6.36-log MySQL Community Server (GPL)

Copyright (c) 2000, 2017, Oracle and/or its affiliates. All rights reserved.

Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

mysql> show databases;
+--------------------+
| Database           |
+--------------------+
| information_schema |
+--------------------+
1 row in set (0.00 sec)
MySQL 5.7 test procedure
mysql> select version();
+------------+
| version()  |
+------------+
| 5.7.18-log |
+------------+
1 row in set (0.01 sec)

mysql> create user 'group1';
Query OK, 0 rows affected (0.01 sec)

mysql> create user 'user1';
Query OK, 0 rows affected (0.01 sec)

mysql> create user 'user2';
Query OK, 0 rows affected (0.00 sec)

mysql> grant proxy on 'group1' to 'user1';
Query OK, 0 rows affected (0.00 sec)

mysql> grant proxy on 'group1' to 'user2';
Query OK, 0 rows affected (0.01 sec)
Check the privileges of an account in the group
[root@237_21 mysql3307]# mysql -uuser1 -S /tmp/mysql3307.sock
Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 5
Server version: 5.7.18-log MySQL Community Server (GPL)

Copyright (c) 2000, 2017, Oracle and/or its affiliates. All rights reserved.

Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

mysql> show grants;
+------------------------------------+
| Grants for group1@%                |
+------------------------------------+
| GRANT USAGE ON *.* TO 'group1'@'%' |
+------------------------------------+
1 row in set (0.00 sec)

mysql> show databases;
+--------------------+
| Database           |
+--------------------+
| information_schema |
+--------------------+
1 row in set (0.00 sec)
Add the SELECT privilege to the group account
[root@237_21 mysql3307]# mysql -uroot -p -S /tmp/mysql3307.sock
Enter password:
Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 6
Server version: 5.7.18-log MySQL Community Server (GPL)

Copyright (c) 2000, 2017, Oracle and/or its affiliates. All rights reserved.

Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

mysql> grant select on *.* to 'group1';
Query OK, 0 rows affected (0.00 sec)
Note: unless the check_proxy_users and mysql_native_password_proxy_users parameters are enabled, the group's privileges are not mapped onto the member accounts, as shown below:
mysql> show variables like "%proxy%";
+-----------------------------------+-------+
| Variable_name                     | Value |
+-----------------------------------+-------+
| check_proxy_users                 | OFF   |
| mysql_native_password_proxy_users | OFF   |
| proxy_user                        |       |
| sha256_password_proxy_users       | OFF   |
+-----------------------------------+-------+
4 rows in set (0.00 sec)

[root@237_21 mysql3307]# mysql -uuser1 -S /tmp/mysql3307.sock
Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 6
Server version: 5.7.18-log MySQL Community Server (GPL)

Copyright (c) 2000, 2017, Oracle and/or its affiliates. All rights reserved.

Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

mysql> show databases;
+--------------------+
| Database           |
+--------------------+
| information_schema |
+--------------------+
1 row in set (0.00 sec)
Re-test after enabling the two parameters
[root@237_21 mysql3307]# mysql -uroot -p -S /tmp/mysql3307.sock
Enter password:
Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 7
Server version: 5.7.18-log MySQL Community Server (GPL)

Copyright (c) 2000, 2017, Oracle and/or its affiliates. All rights reserved.

Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

mysql> set global check_proxy_users =1;
Query OK, 0 rows affected (0.00 sec)

mysql> set global mysql_native_password_proxy_users =1;
Query OK, 0 rows affected (0.00 sec)

mysql> show variables like "%proxy%";
+-----------------------------------+-------+
| Variable_name                     | Value |
+-----------------------------------+-------+
| check_proxy_users                 | ON    |
| mysql_native_password_proxy_users | ON    |
| proxy_user                        |       |
| sha256_password_proxy_users       | OFF   |
+-----------------------------------+-------+
4 rows in set (0.00 sec)
Log in once more as an account in the group: the privileges have now been inherited.
[root@237_21 mysql3307]# mysql -uuser1 -S /tmp/mysql3307.sock
Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 8
Server version: 5.7.18-log MySQL Community Server (GPL)

Copyright (c) 2000, 2017, Oracle and/or its affiliates. All rights reserved.

Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

mysql> show databases;
+--------------------+
| Database           |
+--------------------+
| information_schema |
| mysql              |
| performance_schema |
| sys                |
+--------------------+
4 rows in set (0.00 sec)
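The 5.7 procedure above, collected into one repeatable script, with the two hardening points a practitioner would add. This is an added example, not code from the original post or from MySQL's documentation: the account names app_ro, alice and bob and the database app are constructed, and the passwords are placeholders. Two things differ from the test: the group account gets a password and is locked (ACCOUNT LOCK exists from 5.7.6), because the group1 account in the test was created without a password and could be logged into directly, bypassing the per-member authentication the proxy design is meant to provide; and the final SELECT gives a session-level check of the mapping that does not depend on what SHOW DATABASES happens to list.

```sql
-- Added example (not from the original post). Assumes MySQL 5.7 with the default
-- mysql_native_password plugin; names app_ro, alice, bob and database app are constructed.

-- 1. The server-side switches the test showed are required in 5.7.
--    SET GLOBAL does not survive a restart; set the same two options under [mysqld] in my.cnf.
SET GLOBAL check_proxy_users = ON;
SET GLOBAL mysql_native_password_proxy_users = ON;

-- 2. The group (proxied) account holds the privileges. Nobody should authenticate to it
--    directly, so give it a password and lock it. Proxying to it still works: the lock is
--    evaluated against the account that authenticates, which is the member account.
CREATE USER 'app_ro'@'%' IDENTIFIED BY 'placeholder-long-random-secret' ACCOUNT LOCK;
GRANT SELECT ON app.* TO 'app_ro'@'%';

-- 3. Member (proxy) accounts authenticate with their own credentials and carry only
--    USAGE plus the PROXY privilege on the group account.
CREATE USER 'alice'@'%' IDENTIFIED BY 'placeholder-alice-secret';
CREATE USER 'bob'@'%'   IDENTIFIED BY 'placeholder-bob-secret';
GRANT PROXY ON 'app_ro'@'%' TO 'alice'@'%';
GRANT PROXY ON 'app_ro'@'%' TO 'bob'@'%';

-- 4. Changing the group changes every member at once; no member grant is touched.
GRANT SHOW VIEW ON app.* TO 'app_ro'@'%';

-- 5. Removing a member from the group is a single REVOKE.
REVOKE PROXY ON 'app_ro'@'%' FROM 'bob'@'%';

-- 6. Run from alice's own session to confirm the mapping is in effect:
--    USER()         - the account the client authenticated as (alice@<client host>)
--    CURRENT_USER() - the account whose privileges apply (app_ro@% when proxied)
--    @@proxy_user   - the proxy account name when proxying happened, NULL otherwise
SELECT USER(), CURRENT_USER(), @@proxy_user;
```

The last statement is the check to script into a login smoke test: if CURRENT_USER() still names the member account and @@proxy_user is NULL, the two server variables are off or the PROXY grant is missing, and the member is running with only USAGE exactly as in the 5.6 session above.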
The privilege inheritance information is recorded in mysql.proxies_priv
mysql> select * from mysql.proxies_priv;
+-----------+-------+--------------+--------------+------------+----------------------+---------------------+
| Host      | User  | Proxied_host | Proxied_user | With_grant | Grantor              | Timestamp           |
+-----------+-------+--------------+--------------+------------+----------------------+---------------------+
| localhost | root  |              |              |          1 | boot@connecting host | 0000-00-00 00:00:00 |
| %         | user2 | %            | group1       |          0 | root@localhost       | 0000-00-00 00:00:00 |
| %         | user1 | %            | group1       |          0 | root@localhost       | 0000-00-00 00:00:00 |
+-----------+-------+--------------+--------------+------------+----------------------+---------------------+
3 rows in set (0.00 sec)
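Because a row in mysql.proxies_priv lets one login act with another account's privileges, the table is in effect a list of who may impersonate whom and belongs in every privilege review. The two queries below are an added example written against the 5.7 table layout shown above; they are not part of the original post. Note the first row in the output above: a blank Proxied_host/Proxied_user pair is the PROXY ON ''@'' grant that the installed root account receives, meaning it can proxy to any account, so the query labels it explicitly rather than leaving the cell empty.

```sql
-- Added example (not from the original post): audit queries over mysql.proxies_priv
-- and mysql.user for MySQL 5.7.

-- Query 1: every proxy path, most sensitive first. A blank Proxied_user means
-- "any account"; With_grant = 1 means the login may hand the PROXY privilege on.
SELECT
    CONCAT(QUOTE(p.User), '@', QUOTE(p.Host))                         AS login_account,
    CASE WHEN p.Proxied_user = '' THEN '<ANY ACCOUNT>'
         ELSE CONCAT(QUOTE(p.Proxied_user), '@', QUOTE(p.Proxied_host))
    END                                                               AS acts_as,
    p.With_grant                                                      AS can_delegate,
    p.Grantor,
    -- global privileges the proxied account carries (NULL for the wildcard row)
    u.Super_priv                                                      AS proxied_has_super,
    u.Grant_priv                                                      AS proxied_has_grant
FROM mysql.proxies_priv AS p
LEFT JOIN mysql.user AS u
       ON u.User = p.Proxied_user AND u.Host = p.Proxied_host
ORDER BY (p.Proxied_user = '') DESC, p.With_grant DESC, login_account;

-- Query 2: group accounts that can still be used for a direct login, i.e. they are
-- not locked or have no password. In the test above, group1 was created without a
-- password and would be listed here. account_locked exists from 5.7.6; an empty
-- authentication_string means the account has no password.
SELECT u.User, u.Host, u.plugin, u.account_locked,
       (u.authentication_string = '') AS has_empty_password
FROM mysql.user AS u
JOIN (SELECT DISTINCT Proxied_user, Proxied_host
        FROM mysql.proxies_priv
       WHERE Proxied_user <> '') AS g
  ON g.Proxied_user = u.User AND g.Proxied_host = u.Host
WHERE u.account_locked = 'N' OR u.authentication_string = '';
```

Both queries need SELECT on the mysql schema, so run them from an administrative account; any row returned by the second query is a group account whose privileges can be reached without going through a member's authentication.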
Conclusion
Although the documentation for this feature already exists for MySQL 5.6 and even the earlier 5.5, in this test the Proxy User feature only took effect on 5.7, where the check_proxy_users and mysql_native_password_proxy_users switches are available to map the group's privileges onto accounts that authenticate with the default mysql_native_password plugin.
Official documentation:
https://dev.mysql.com/doc/refman/5.7/en/proxy-users.html
MariaDB's Role feature:
https://yq.aliyun.com/articles/50907