- Docs Home
- About TiDB
- Quick Start
- Develop
- Overview
- Quick Start
- Build a TiDB Cluster in TiDB Cloud (Developer Tier)
- CRUD SQL in TiDB
- Build a Simple CRUD App with TiDB
- Example Applications
- Connect to TiDB
- Design Database Schema
- Write Data
- Read Data
- Transaction
- Optimize
- Troubleshoot
- Reference
- Cloud Native Development Environment
- Third-party Support
- Deploy
- Software and Hardware Requirements
- Environment Configuration Checklist
- Plan Cluster Topology
- Install and Start
- Verify Cluster Status
- Test Cluster Performance
- Migrate
- Overview
- Migration Tools
- Migration Scenarios
- Migrate from Aurora
- Migrate MySQL of Small Datasets
- Migrate MySQL of Large Datasets
- Migrate and Merge MySQL Shards of Small Datasets
- Migrate and Merge MySQL Shards of Large Datasets
- Migrate from CSV Files
- Migrate from SQL Files
- Migrate from One TiDB Cluster to Another TiDB Cluster
- Migrate from TiDB to MySQL-compatible Databases
- Advanced Migration
- Integrate
- Maintain
- Monitor and Alert
- Troubleshoot
- TiDB Troubleshooting Map
- Identify Slow Queries
- Analyze Slow Queries
- SQL Diagnostics
- Identify Expensive Queries Using Top SQL
- Identify Expensive Queries Using Logs
- Statement Summary Tables
- Troubleshoot Hotspot Issues
- Troubleshoot Increased Read and Write Latency
- Save and Restore the On-Site Information of a Cluster
- Troubleshoot Cluster Setup
- Troubleshoot High Disk I/O Usage
- Troubleshoot Lock Conflicts
- Troubleshoot TiFlash
- Troubleshoot Write Conflicts in Optimistic Transactions
- Troubleshoot Inconsistency Between Data and Indexes
- Performance Tuning
- Tuning Guide
- Configuration Tuning
- System Tuning
- Software Tuning
- SQL Tuning
- Overview
- Understanding the Query Execution Plan
- SQL Optimization Process
- Overview
- Logic Optimization
- Physical Optimization
- Prepare Execution Plan Cache
- Control Execution Plans
- Tutorials
- TiDB Tools
- Overview
- Use Cases
- Download
- TiUP
- Documentation Map
- Overview
- Terminology and Concepts
- Manage TiUP Components
- FAQ
- Troubleshooting Guide
- Command Reference
- Overview
- TiUP Commands
- TiUP Cluster Commands
- Overview
- tiup cluster audit
- tiup cluster check
- tiup cluster clean
- tiup cluster deploy
- tiup cluster destroy
- tiup cluster disable
- tiup cluster display
- tiup cluster edit-config
- tiup cluster enable
- tiup cluster help
- tiup cluster import
- tiup cluster list
- tiup cluster patch
- tiup cluster prune
- tiup cluster reload
- tiup cluster rename
- tiup cluster replay
- tiup cluster restart
- tiup cluster scale-in
- tiup cluster scale-out
- tiup cluster start
- tiup cluster stop
- tiup cluster template
- tiup cluster upgrade
- TiUP DM Commands
- Overview
- tiup dm audit
- tiup dm deploy
- tiup dm destroy
- tiup dm disable
- tiup dm display
- tiup dm edit-config
- tiup dm enable
- tiup dm help
- tiup dm import
- tiup dm list
- tiup dm patch
- tiup dm prune
- tiup dm reload
- tiup dm replay
- tiup dm restart
- tiup dm scale-in
- tiup dm scale-out
- tiup dm start
- tiup dm stop
- tiup dm template
- tiup dm upgrade
- TiDB Cluster Topology Reference
- DM Cluster Topology Reference
- Mirror Reference Guide
- TiUP Components
- PingCAP Clinic Diagnostic Service
- TiDB Operator
- Dumpling
- TiDB Lightning
- TiDB Data Migration
- About TiDB Data Migration
- Architecture
- Quick Start
- Deploy a DM cluster
- Tutorials
- Advanced Tutorials
- Maintain
- Cluster Upgrade
- Tools
- Performance Tuning
- Manage Data Sources
- Manage Tasks
- Export and Import Data Sources and Task Configurations of Clusters
- Handle Alerts
- Daily Check
- Reference
- Architecture
- Command Line
- Configuration Files
- OpenAPI
- Compatibility Catalog
- Secure
- Monitoring and Alerts
- Error Codes
- Glossary
- Example
- Troubleshoot
- Release Notes
- Backup & Restore (BR)
- TiDB Binlog
- TiCDC
- Dumpling
- sync-diff-inspector
- TiSpark
- Reference
- Cluster Architecture
- Key Monitoring Metrics
- Secure
- Privileges
- SQL
- SQL Language Structure and Syntax
- SQL Statements
ADD COLUMN
ADD INDEX
ADMIN
ADMIN CANCEL DDL
ADMIN CHECKSUM TABLE
ADMIN CHECK [TABLE|INDEX]
ADMIN SHOW DDL [JOBS|QUERIES]
ADMIN SHOW TELEMETRY
ALTER DATABASE
ALTER INDEX
ALTER INSTANCE
ALTER PLACEMENT POLICY
ALTER TABLE
ALTER TABLE COMPACT
ALTER USER
ANALYZE TABLE
BACKUP
BATCH
BEGIN
CHANGE COLUMN
COMMIT
CHANGE DRAINER
CHANGE PUMP
CREATE [GLOBAL|SESSION] BINDING
CREATE DATABASE
CREATE INDEX
CREATE PLACEMENT POLICY
CREATE ROLE
CREATE SEQUENCE
CREATE TABLE LIKE
CREATE TABLE
CREATE USER
CREATE VIEW
DEALLOCATE
DELETE
DESC
DESCRIBE
DO
DROP [GLOBAL|SESSION] BINDING
DROP COLUMN
DROP DATABASE
DROP INDEX
DROP PLACEMENT POLICY
DROP ROLE
DROP SEQUENCE
DROP STATS
DROP TABLE
DROP USER
DROP VIEW
EXECUTE
EXPLAIN ANALYZE
EXPLAIN
FLASHBACK TABLE
FLUSH PRIVILEGES
FLUSH STATUS
FLUSH TABLES
GRANT <privileges>
GRANT <role>
INSERT
KILL [TIDB]
LOAD DATA
LOAD STATS
MODIFY COLUMN
PREPARE
RECOVER TABLE
RENAME INDEX
RENAME TABLE
REPLACE
RESTORE
REVOKE <privileges>
REVOKE <role>
ROLLBACK
SELECT
SET DEFAULT ROLE
SET [NAMES|CHARACTER SET]
SET PASSWORD
SET ROLE
SET TRANSACTION
SET [GLOBAL|SESSION] <variable>
SHOW ANALYZE STATUS
SHOW [BACKUPS|RESTORES]
SHOW [GLOBAL|SESSION] BINDINGS
SHOW BUILTINS
SHOW CHARACTER SET
SHOW COLLATION
SHOW [FULL] COLUMNS FROM
SHOW CONFIG
SHOW CREATE PLACEMENT POLICY
SHOW CREATE SEQUENCE
SHOW CREATE TABLE
SHOW CREATE USER
SHOW DATABASES
SHOW DRAINER STATUS
SHOW ENGINES
SHOW ERRORS
SHOW [FULL] FIELDS FROM
SHOW GRANTS
SHOW INDEX [FROM|IN]
SHOW INDEXES [FROM|IN]
SHOW KEYS [FROM|IN]
SHOW MASTER STATUS
SHOW PLACEMENT
SHOW PLACEMENT FOR
SHOW PLACEMENT LABELS
SHOW PLUGINS
SHOW PRIVILEGES
SHOW [FULL] PROCESSSLIST
SHOW PROFILES
SHOW PUMP STATUS
SHOW SCHEMAS
SHOW STATS_HEALTHY
SHOW STATS_HISTOGRAMS
SHOW STATS_META
SHOW STATUS
SHOW TABLE NEXT_ROW_ID
SHOW TABLE REGIONS
SHOW TABLE STATUS
SHOW [FULL] TABLES
SHOW [GLOBAL|SESSION] VARIABLES
SHOW WARNINGS
SHUTDOWN
SPLIT REGION
START TRANSACTION
TABLE
TRACE
TRUNCATE
UPDATE
USE
WITH
- Data Types
- Functions and Operators
- Overview
- Type Conversion in Expression Evaluation
- Operators
- Control Flow Functions
- String Functions
- Numeric Functions and Operators
- Date and Time Functions
- Bit Functions and Operators
- Cast Functions and Operators
- Encryption and Compression Functions
- Locking Functions
- Information Functions
- JSON Functions
- Aggregate (GROUP BY) Functions
- Window Functions
- Miscellaneous Functions
- Precision Math
- Set Operations
- List of Expressions for Pushdown
- TiDB Specific Functions
- Clustered Indexes
- Constraints
- Generated Columns
- SQL Mode
- Table Attributes
- Transactions
- Garbage Collection (GC)
- Views
- Partitioning
- Temporary Tables
- Cached Tables
- Character Set and Collation
- Placement Rules in SQL
- System Tables
mysql
- INFORMATION_SCHEMA
- Overview
ANALYZE_STATUS
CLIENT_ERRORS_SUMMARY_BY_HOST
CLIENT_ERRORS_SUMMARY_BY_USER
CLIENT_ERRORS_SUMMARY_GLOBAL
CHARACTER_SETS
CLUSTER_CONFIG
CLUSTER_HARDWARE
CLUSTER_INFO
CLUSTER_LOAD
CLUSTER_LOG
CLUSTER_SYSTEMINFO
COLLATIONS
COLLATION_CHARACTER_SET_APPLICABILITY
COLUMNS
DATA_LOCK_WAITS
DDL_JOBS
DEADLOCKS
ENGINES
INSPECTION_RESULT
INSPECTION_RULES
INSPECTION_SUMMARY
KEY_COLUMN_USAGE
METRICS_SUMMARY
METRICS_TABLES
PARTITIONS
PLACEMENT_POLICIES
PROCESSLIST
REFERENTIAL_CONSTRAINTS
SCHEMATA
SEQUENCES
SESSION_VARIABLES
SLOW_QUERY
STATISTICS
TABLES
TABLE_CONSTRAINTS
TABLE_STORAGE_STATS
TIDB_HOT_REGIONS
TIDB_HOT_REGIONS_HISTORY
TIDB_INDEXES
TIDB_SERVERS_INFO
TIDB_TRX
TIFLASH_REPLICA
TIKV_REGION_PEERS
TIKV_REGION_STATUS
TIKV_STORE_STATUS
USER_PRIVILEGES
VIEWS
METRICS_SCHEMA
- UI
- TiDB Dashboard
- Overview
- Maintain
- Access
- Overview Page
- Cluster Info Page
- Top SQL Page
- Key Visualizer Page
- Metrics Relation Graph
- SQL Statements Analysis
- Slow Queries Page
- Cluster Diagnostics
- Search Logs Page
- Instance Profiling
- Session Management and Configuration
- FAQ
- CLI
- Command Line Flags
- Configuration File Parameters
- System Variables
- Storage Engines
- Telemetry
- Errors Codes
- Table Filter
- Schedule Replicas by Topology Labels
- FAQs
- Release Notes
- All Releases
- Release Timeline
- TiDB Versioning
- v6.1
- v6.0
- v5.4
- v5.3
- v5.2
- v5.1
- v5.0
- v4.0
- v3.1
- v3.0
- v2.1
- v2.0
- v1.0
- Glossary
Privilege Management
TiDB supports MySQL 5.7's privilege management system, including the syntax and privilege types. The following features from MySQL 8.0 are also supported:
- SQL Roles, starting with TiDB 3.0.
- Dynamic privileges, starting with TiDB 5.1.
This document introduces privilege-related TiDB operations, privileges required for TiDB operations and implementation of the privilege system.
Privilege-related operations
Grant privileges
The GRANT
statement grants privileges to the user accounts.
For example, use the following statement to grant the xxx
user the privilege to read the test
database.
GRANT SELECT ON test.* TO 'xxx'@'%';
Use the following statement to grant the xxx
user all privileges on all databases:
GRANT ALL PRIVILEGES ON *.* TO 'xxx'@'%';
By default, GRANT
statements will return an error if the user specified does not exist. This behavior depends on if the SQL Mode NO_AUTO_CREATE_USER
is specified:
mysql> SET sql_mode=DEFAULT;
Query OK, 0 rows affected (0.00 sec)
mysql> SELECT @@sql_mode;
+-------------------------------------------------------------------------------------------------------------------------------------------+
| @@sql_mode |
+-------------------------------------------------------------------------------------------------------------------------------------------+
| ONLY_FULL_GROUP_BY,STRICT_TRANS_TABLES,NO_ZERO_IN_DATE,NO_ZERO_DATE,ERROR_FOR_DIVISION_BY_ZERO,NO_AUTO_CREATE_USER,NO_ENGINE_SUBSTITUTION |
+-------------------------------------------------------------------------------------------------------------------------------------------+
1 row in set (0.00 sec)
mysql> SELECT * FROM mysql.user WHERE user='idontexist';
Empty set (0.00 sec)
mysql> GRANT ALL PRIVILEGES ON test.* TO 'idontexist';
ERROR 1105 (HY000): You are not allowed to create a user with GRANT
mysql> SELECT user,host,authentication_string FROM mysql.user WHERE user='idontexist';
Empty set (0.00 sec)
In the following example, the user idontexist
is automatically created with an empty password because the SQL Mode NO_AUTO_CREATE_USER
was not set. This is not recommended since it presents a security risk: miss-spelling a username will result in a new user created with an empty password:
mysql> SET @@sql_mode='ONLY_FULL_GROUP_BY,STRICT_TRANS_TABLES,NO_ZERO_IN_DATE,NO_ZERO_DATE,ERROR_FOR_DIVISION_BY_ZERO,NO_ENGINE_SUBSTITUTION';
Query OK, 0 rows affected (0.00 sec)
mysql> SELECT @@sql_mode;
+-----------------------------------------------------------------------------------------------------------------------+
| @@sql_mode |
+-----------------------------------------------------------------------------------------------------------------------+
| ONLY_FULL_GROUP_BY,STRICT_TRANS_TABLES,NO_ZERO_IN_DATE,NO_ZERO_DATE,ERROR_FOR_DIVISION_BY_ZERO,NO_ENGINE_SUBSTITUTION |
+-----------------------------------------------------------------------------------------------------------------------+
1 row in set (0.00 sec)
mysql> SELECT * FROM mysql.user WHERE user='idontexist';
Empty set (0.00 sec)
mysql> GRANT ALL PRIVILEGES ON test.* TO 'idontexist';
Query OK, 1 row affected (0.05 sec)
mysql> SELECT user,host,authentication_string FROM mysql.user WHERE user='idontexist';
+------------+------+-----------------------+
| user | host | authentication_string |
+------------+------+-----------------------+
| idontexist | % | |
+------------+------+-----------------------+
1 row in set (0.01 sec)
You can use fuzzy matching in GRANT
to grant privileges to databases.
mysql> GRANT ALL PRIVILEGES ON `te%`.* TO genius;
Query OK, 0 rows affected (0.00 sec)
mysql> SELECT user,host,db FROM mysql.db WHERE user='genius';
+--------|------|-----+
| user | host | db |
+--------|------|-----+
| genius | % | te% |
+--------|------|-----+
1 row in set (0.00 sec)
In this example, because of the %
in te%
, all the databases starting with te
are granted the privilege.
Revoke privileges
The REVOKE
statement enables system administrators to revoke privileges from the user accounts.
The REVOKE
statement corresponds with the REVOKE
statement:
REVOKE ALL PRIVILEGES ON `test`.* FROM 'genius'@'localhost';
To revoke privileges, you need the exact match. If the matching result cannot be found, an error will be displayed:
mysql> REVOKE ALL PRIVILEGES ON `te%`.* FROM 'genius'@'%';
ERROR 1141 (42000): There is no such grant defined for user 'genius' on host '%'
About fuzzy matching, escape, string and identifier:
mysql> GRANT ALL PRIVILEGES ON `te\%`.* TO 'genius'@'localhost';
Query OK, 0 rows affected (0.00 sec)
This example uses exact match to find the database named te%
. Note that the %
uses the \
escape character so that %
is not considered as a wildcard.
A string is enclosed in single quotation marks(''), while an identifier is enclosed in backticks (``). See the differences below:
mysql> GRANT ALL PRIVILEGES ON 'test'.* TO 'genius'@'localhost';
ERROR 1064 (42000): You have an error in your SQL syntax; check the
manual that corresponds to your MySQL server version for the right
syntax to use near ''test'.* to 'genius'@'localhost'' at line 1
mysql> GRANT ALL PRIVILEGES ON `test`.* TO 'genius'@'localhost';
Query OK, 0 rows affected (0.00 sec)
If you want to use special keywords as table names, enclose them in backticks (``). For example:
mysql> CREATE TABLE `select` (id int);
Query OK, 0 rows affected (0.27 sec)
Check privileges granted to users
You can use the SHOW GRANTS
statement to see what privileges are granted to a user. For example:
SHOW GRANTS; -- show grants for the current user
+-------------------------------------------------------------+
| Grants for User |
+-------------------------------------------------------------+
| GRANT ALL PRIVILEGES ON *.* TO 'root'@'%' WITH GRANT OPTION |
+-------------------------------------------------------------+
SHOW GRANTS FOR 'root'@'%'; -- show grants for a specific user
For example, create a user rw_user@192.168.%
and grant the user with write privilege on the test.write_table
table and global read privilege.
CREATE USER `rw_user`@`192.168.%`;
GRANT SELECT ON *.* TO `rw_user`@`192.168.%`;
GRANT INSERT, UPDATE ON `test`.`write_table` TO `rw_user`@`192.168.%`;
Show granted privileges of the rw_user@192.168.%
user:
SHOW GRANTS FOR `rw_user`@`192.168.%`;
+------------------------------------------------------------------+
| Grants for rw_user@192.168.% |
+------------------------------------------------------------------+
| GRANT Select ON *.* TO 'rw_user'@'192.168.%' |
| GRANT Insert,Update ON test.write_table TO 'rw_user'@'192.168.%' |
+------------------------------------------------------------------+
Dynamic privileges
Since v5.1, TiDB features support dynamic privileges, a feature borrowed from MySQL 8.0. Dynamic privileges are intended to replace the SUPER
privilege by implementing more fine-grained access to certain operations. For example, using dynamic privileges, system administrators can create a user account that can only perform BACKUP
and RESTORE
operations.
Dynamic privileges include:
BACKUP_ADMIN
RESTORE_ADMIN
ROLE_ADMIN
CONNECTION_ADMIN
SYSTEM_VARIABLES_ADMIN
RESTRICTED_REPLICA_WRITER_ADMIN
allows privilege owners to perform write or update operations without being affected when the read-only mode is enabled in the TiDB cluster. For details, seetidb_restricted_read_only
.
To see the full set of dynamic privileges, execute the SHOW PRIVILEGES
statement. Because plugins are permitted to add new privileges, the list of privileges that are assignable might differ based on your TiDB installation.
Privileges required for TiDB operations
You can check privileges of TiDB users in the INFORMATION_SCHEMA.USER_PRIVILEGES
table. For example:
mysql> SELECT * FROM INFORMATION_SCHEMA.USER_PRIVILEGES WHERE grantee = "'root'@'%'";
+------------+---------------+-------------------------+--------------+
| GRANTEE | TABLE_CATALOG | PRIVILEGE_TYPE | IS_GRANTABLE |
+------------+---------------+-------------------------+--------------+
| 'root'@'%' | def | Select | YES |
| 'root'@'%' | def | Insert | YES |
| 'root'@'%' | def | Update | YES |
| 'root'@'%' | def | Delete | YES |
| 'root'@'%' | def | Create | YES |
| 'root'@'%' | def | Drop | YES |
| 'root'@'%' | def | Process | YES |
| 'root'@'%' | def | References | YES |
| 'root'@'%' | def | Alter | YES |
| 'root'@'%' | def | Show Databases | YES |
| 'root'@'%' | def | Super | YES |
| 'root'@'%' | def | Execute | YES |
| 'root'@'%' | def | Index | YES |
| 'root'@'%' | def | Create User | YES |
| 'root'@'%' | def | Create Tablespace | YES |
| 'root'@'%' | def | Trigger | YES |
| 'root'@'%' | def | Create View | YES |
| 'root'@'%' | def | Show View | YES |
| 'root'@'%' | def | Create Role | YES |
| 'root'@'%' | def | Drop Role | YES |
| 'root'@'%' | def | CREATE TEMPORARY TABLES | YES |
| 'root'@'%' | def | LOCK TABLES | YES |
| 'root'@'%' | def | CREATE ROUTINE | YES |
| 'root'@'%' | def | ALTER ROUTINE | YES |
| 'root'@'%' | def | EVENT | YES |
| 'root'@'%' | def | SHUTDOWN | YES |
| 'root'@'%' | def | RELOAD | YES |
| 'root'@'%' | def | FILE | YES |
| 'root'@'%' | def | CONFIG | YES |
| 'root'@'%' | def | REPLICATION CLIENT | YES |
| 'root'@'%' | def | REPLICATION SLAVE | YES |
+------------+---------------+-------------------------+--------------+
31 rows in set (0.00 sec)
ALTER
- For all
ALTER
statements, users must have theALTER
privilege for the corresponding table. - For statements except
ALTER...DROP
andALTER...RENAME TO
, users must have theINSERT
andCREATE
privileges for the corresponding table. - For the
ALTER...DROP
statement, users must have theDROP
privilege for the corresponding table. - For the
ALTER...RENAME TO
statement, users must have theDROP
privilege for the table before renaming, and theCREATE
andINSERT
privileges for the table after renaming.
In MySQL 5.7 documentation, users need INSERT
and CREATE
privileges to perform the ALTER
operation on a table. But in reality for MySQL 5.7.25, only the ALTER
privilege is required in this case. Currently, the ALTER
privilege in TiDB is consistent with the actual behavior in MySQL.
BACKUP
Requires the SUPER
or BACKUP_ADMIN
privilege.
CREATE DATABASE
Requires the CREATE
privilege for the database.
CREATE INDEX
Requires the INDEX
privilege for the table.
CREATE TABLE
Requires the CREATE
privilege for the table.
To execute the CREATE TABLE...LIKE...
statement, the SELECT
privilege for the table is required.
CREATE VIEW
Requires the CREATE VIEW
privilege.
If the current user is not the user that creates the View, both the CREATE VIEW
and SUPER
privileges are required.
DROP DATABASE
Requires the DROP
privilege for the table.
DROP INDEX
Requires the INDEX
privilege for the table.
DROP TABLES
Requires the DROP
privilege for the table.
LOAD DATA
Requires the INSERT
privilege for the table. When you use REPLACE INTO
, the DELETE
privilege is also required.
TRUNCATE TABLE
Requires the DROP
privilege for the table.
RENAME TABLE
Requires the ALTER
and DROP
privileges for the table before renaming and the CREATE
and INSERT
privileges for the table after renaming.
ANALYZE TABLE
Requires the INSERT
and SELECT
privileges for the table.
SHOW
SHOW CREATE TABLE
requires any single privilege to the table.
SHOW CREATE VIEW
requires the SHOW VIEW
privilege.
SHOW GRANTS
requires the SELECT
privilege to the mysql
database. If the target user is current user, SHOW GRANTS
does not require any privilege.
SHOW PROCESSLIST
requires SUPER
to show connections belonging to other users.
CREATE ROLE/USER
CREATE ROLE
requires the CREATE ROLE
privilege.
CREATE USER
requires the CREATE USER
privilege.
DROP ROLE/USER
DROP ROLE
requires the DROP ROLE
privilege.
DROP USER
requires the CREATE USER
privilege.
ALTER USER
Requires the CREATE USER
privilege.
GRANT
Requires the GRANT
privilege with the privileges granted by GRANT
.
Requires additional CREATE USER
privilege to create a user implicitly.
GRANT ROLE
requires SUPER
or ROLE_ADMIN
privilege.
REVOKE
Requires the GRANT
privilege and those privileges targeted by the REVOKE
statement.
REVOKE ROLE
requires SUPER
or ROLE_ADMIN
privilege.
SET GLOBAL
Requires SUPER
or SYSTEM_VARIABLES_ADMIN
privilege to set global variables.
ADMIN
Requires SUPER
privilege.
SET DEFAULT ROLE
Requires SUPER
privilege.
KILL
Requires SUPER
or CONNECTION_ADMIN
privilege to kill other user sessions.
Implementation of the privilege system
Privilege table
The following system tables are special because all the privilege-related data is stored in them:
mysql.user
(user account, global privilege)mysql.db
(database-level privilege)mysql.tables_priv
(table-level privilege)mysql.columns_priv
(column-level privilege; not currently supported)
These tables contain the effective range and privilege information of the data. For example, in the mysql.user
table:
mysql> SELECT User,Host,Select_priv,Insert_priv FROM mysql.user LIMIT 1;
+------|------|-------------|-------------+
| User | Host | Select_priv | Insert_priv |
+------|------|-------------|-------------+
| root | % | Y | Y |
+------|------|-------------|-------------+
1 row in set (0.00 sec)
In this record, Host
and User
determine that the connection request sent by the root
user from any host (%
) can be accepted. Select_priv
and Insert_priv
mean that the user has global Select
and Insert
privilege. The effective range in the mysql.user
table is global.
Host
and User
in mysql.db
determine which databases users can access. The effective range is the database.
It is recommended to only update the privilege tables via the supplied syntax such as GRANT
, CREATE USER
and DROP USER
. Making direct edits to the underlying privilege tables will not automatically update the privilege cache, leading to unpredictable behavior until FLUSH PRIVILEGES
is executed.
Connection verification
When the client sends a connection request, TiDB server will verify the login operation. TiDB server first checks the mysql.user
table. If a record of User
and Host
matches the connection request, TiDB server then verifies the authentication_string
.
User identity is based on two pieces of information: Host
, the host that initiates the connection, and User
, the user name. If the user name is not empty, the exact match of user named is a must.
User
+Host
may match several rows in user
table. To deal with this scenario, the rows in the user
table are sorted. The table rows will be checked one by one when the client connects; the first matched row will be used to verify. When sorting, Host is ranked before User.
Request verification
When the connection is successful, the request verification process checks whether the operation has the privilege.
For database-related requests (INSERT
, UPDATE
), the request verification process first checks the user's global privileges in the mysql.user
table. If the privilege is granted, you can access directly. If not, check the mysql.db
table.
The user
table has global privileges regardless of the default database. For example, the DELETE
privilege in user
can apply to any row, table, or database.
In the db
table, an empty user is to match the anonymous user name. Wildcards are not allowed in the User
column. The value for the Host
and Db
columns can use %
and _
, which can use pattern matching.
Data in the user
and db
tables is also sorted when loaded into memory.
The use of %
in tables_priv
and columns_priv
is similar, but column value in Db
, Table_name
and Column_name
cannot contain %
. The sorting is also similar when loaded.
Time of effect
When TiDB starts, some privilege-check tables are loaded into memory, and then the cached data is used to verify the privileges. Executing privilege management statements such as GRANT
, REVOKE
, CREATE USER
, DROP USER
will take effect immediately.
Manually editing tables such as mysql.user
with statements such as INSERT
, DELETE
, UPDATE
will not take effect immediately. This behavior is compatible with MySQL, and privilege cache can be updated with the following statement:
FLUSH PRIVILEGES;