A quick tour of Mysql 8 roles
1 like1,258 views
This document provides an overview of roles in MySQL 8.0, including: - Roles were introduced in MySQL 8.0 to simplify user administration and centralize privilege handling. Roles are created and granted like users but do not require login credentials. - The key aspects of using roles are: creating roles, granting privileges to roles, creating users, granting roles to users, and setting the default role for users. - Roles simplify administration but also introduce some complexity, such as roles being stored as users without logins and the need to set a default role for a user's privileges to take effect. The document provides examples and best practices for working with roles.
![The role needs to be activate
Set [default] role
ALTER USER aragorn DEFAULT ROLE
r_lotr_dba;
## OR
SET DEFAULT ROLE r_lotr_dba
TO aragorn;
!14
There is more than one way to do it
Unfortunately](https://image.slidesharecdn.com/mysql8roles-180621095204/85/A-quick-tour-of-Mysql-8-roles-14-320.jpg)
A quick tour of Mysql 8 roles
- 1. A quick tour of MySQL 8.0 roles Giuseppe Maxia Software explorer !1 @datacharmer #dataopsbarcelona
- 2. Who's this guy? About me ‣ Giuseppe Maxia, a.k.a. "The Data Charmer" ‣ Software Explorer at VMware ‣ Several decades development and DB experience ‣ Long timer MySQL community member. ‣ Blog: http://datacharmer.blogspot.com ‣ Twitter: @datacharmer !2
- 3. Disclaimer •None of what I say has anything to do with my company. •I also don’t work for Oracle.
- 4. A long coveted feature finally arrives Roles overview ‣ Available since MySQL 8.0.0 ‣ Created like an user ‣ Granted like privileges ‣ Need to be activated (with tricks) !4
- 5. Up until the current GA (MySQL 5.7) there were no roles Before roles ‣ CREATE USER ‣ GRANT, GRANT, and more granular GRANT ‣ CREATE USER ‣ GRANT, GRANT again, and then GRANT ‣ CREATE USER ‣ GRANT, GRANT, GRANT, GRANT, oops! !5 In short: a lot of work, with many chances to make mistakes
- 6. Why bother with this new feature? Advantages of roles ‣ Faster user administration • define a role once • assign it many times ‣ Centralised grants handling • grant and revoke privileges to roles • No need to edit all users profiles ‣ Easy to understand grants statistics !6
- 7. A BAD example. (1) !7 So far, so good
- 8. A BAD example. (2) !8 WHAT DID JUST HAPPEN ? STAY TUNED TO FIND OUT
- 9. !9 Roles usage 1CREATE ROLE 3CREATE USER 2 GRANT PRIVILEGES to ROLE 4GRANT ROLE TO USER 5SET (DEFAULT) ROLE
- 10. Like creating a user Create role CREATE ROLE r_lotr_dev; ## NOTE: there is no "IDENTIFIED" clause !10
- 11. Same as we do it with users grant privileges to role GRANT ALL ON lotr.* TO r_lotr_dev; !11
- 12. This one is already known Create user CREATE USER aragorn IDENTIFIED BY 'lotrpwd'; !12
- 13. We grant a role in a way similar to granting a privilege Grant role to user GRANT r_lotr_dev TO aragorn; ## NOTE: there is not an "ON" clause ## in the GRANT statement. !13
- 14. The role needs to be activate Set [default] role ALTER USER aragorn DEFAULT ROLE r_lotr_dba; ## OR SET DEFAULT ROLE r_lotr_dba TO aragorn; !14 There is more than one way to do it Unfortunately
- 16. Grants are the total of all roles privileges A user can be granted more roles ‣ User can have many roles ‣ The default role can be a list of roles !16
- 17. This may cause some confusion Roles are saved in 'user' table ‣ Roles are users without login (= account locked and expired password) !17
- 18. It is there, but you can't see it Granting a role to a user is not enough ‣ When we grant a privilege, the user can use it immediately. ‣ When we grant a role, we first need to set the default. !18
- 19. This may look tricky, but it is really simple We can grant a user to a user ‣ Roles are users without login ‣ But roles with login (i.e. users) can be granted. ‣ Privileges are assigned regardless of the host of the user. GRANT root@'localhost' to someuser; ‣ user someuser@'%' has all privileges of root from any host !19
- 20. You can lose track easily here SET ROLE anyone? ‣ SET ROLE role_name is a session assignment of a role ‣ SET DEFAULT ROLE role_name is a permanent assignment of a role for a user ‣ SET ROLE DEFAULT means assign the default role to this user for the session. !20
- 21. Sadly, it's up to the DBA's ingenuity Telling roles from users ‣ Roles are users with expired password and locked account. ‣ A good workaround is using a naming convention to tell roles apart (e.g. "r_something") !21 There is a feature request about this matter, but I haven’t seen any progress on it.
- 22. We have two new tables in 'mysql' DB dedicated to roles Tables for roles ‣ role_edges reports which roles are assigned to which users. ‣ default_roles takes track of the current default roles assigned to users. !22
- 24. !24 Create roles
- 25. !25 Create users and apply roles
- 28. !28 role_edge table (Which roles were assigned)
- 29. !29 default_roles table (Which roles are set as default)
- 30. !30 Who are the DBAs?
- 31. !31 Who are the developers?
- 34. !34 user with default role
- 35. !35 User without default role
- 36. !36 User without default role
- 37. !37 SET ROLE is not permanent
- 38. Back to the BAD example. (2) !38
- 39. Back to the BAD example. (3) !39
- 40. It’s a all-or-nothing option Roles can be active by default ‣ Starting in 8.0.2 ‣ You can use option activate_all_roles_on_login • When enabled, all roles become active by default ‣ And mandatory_roles • When set, all users will get the role(s) defined !40
- 41. Example with mandatory roles (1) mysql> create schema lotr; Query OK, 1 row affected (0.00 sec) mysql> grant select on lotr.* to r_lotr_reader; Query OK, 0 rows affected (0.00 sec) mysql> set global mandatory_roles='r_lotr_reader'; Query OK, 0 rows affected (0.00 sec) mysql> create user dummy identified by 'msandbox'; Query OK, 0 rows affected (0.00 sec) !41
- 42. Example with mandatory roles (2) $ mysql lotr -u dummy -p ERROR 1044 (42000): Access denied for user 'dummy'@'%' to database ‘lotr' # ====== as root ======== mysql> set global activate_all_roles_on_login=1; $ mysql lotr -u dummy -p mysql> show grants; +------------------------------------------+ | Grants for dummy@% | +------------------------------------------+ | GRANT USAGE ON *.* TO `dummy`@`%` | | GRANT SELECT ON `lotr`.* TO `dummy`@`%` | | GRANT `r_lotr_reader`@`%` TO `dummy`@`%` | +------------------------------------------+ 3 rows in set (0.00 sec) !42
- 43. Example with mandatory roles (3) $ mysql lotr -u root -p mysql> show grantsG *** 1. row *** Grants for root@localhost: GRANT SELECT, INSERT, UPDATE, DELETE, CREATE, DROP, RELOAD, SHUTDOWN, PROCESS, FILE, REFERENCES, INDEX, ALTER, SHOW DATABASES, SUPER, CREATE TEMPORARY TABLES, LOCK TABLES, EXECUTE, REPLICATION SLAVE, REPLICATION CLIENT, CREATE VIEW, SHOW VIEW, CREATE ROUTINE, ALTER ROUTINE, CREATE USER, EVENT, TRIGGER, CREATE TABLESPACE, CREATE ROLE, DROP ROLE ON *.* TO `root`@`localhost` WITH GRANT OPTION *** 2. row *** Grants for root@localhost: GRANT BACKUP_ADMIN,BINLOG_ADMIN,CONNECTION_ADMIN,ENCRYPTION_KEY_ADMIN,GROUP_REPL ICATION_ADMIN,PERSIST_RO_VARIABLES_ADMIN,REPLICATION_SLAVE_ADMIN,RESOURCE_ GROUP_ADMIN,RESOURCE_GROUP_USER,ROLE_ADMIN,SET_USER_ID,SYSTEM_VARIABLES_AD MIN,XA_RECOVER_ADMIN ON *.* TO `root`@`localhost` WITH GRANT OPTION *** 3. row *** Grants for root@localhost: GRANT SELECT ON `lotr`.* TO `root`@`localhost` !43
- 44. Roles are a great feature, but they could be better Wish list ‣ Missing information_schema (or sys) views • List of global roles • List of roles enabled for the current session • List of default roles • List of users for a given role ‣ Roles active by default !44
- 45. Latest additions ‣ In 8.0.3+ ‣ You can set the default role within CREATE USER. !45