Purpose
You can use this statement to grant privileges to a user or role or grant roles to a user or role.
Limitations and considerations
Loop granting is not supported. For example, if you granted role A to role B and role B to role C, an error will be reported when you grant role C to role A.
Required privileges
Privileges required for granting privileges to a user or role
You must have the privileges that you want to grant. For example, you want to grant the
SELECTprivilege on the tabletbl1touser2asuser1. In this case,user1must have theSELECTprivilege on the tabletbl1.You must have the
GRANT OPTIONprivilege. For more information about privileges in OceanBase Database, see Privilege types in MySQL mode.
Note
After a user is granted a privilege, the privilege takes effect only after the user is reconnected to OceanBase Database.
Privileges required for granting roles to a user or role
- If you have the
SUPERprivilege, you can executeGRANTto grant any roles to any users or roles. - To grant a role to a user or role, you must have the granted role and the
ADMIN OPTIONprivilege. For more information about how to view the privileges that you have, see View user privileges.
Syntax
Grant privileges to a user or role
GRANT {priv_type [, priv_type...]}
ON priv_level
TO {user [, user...]}
[WITH GRANT OPTION];
user:
user_or_role
| user_name IDENTIFIED [WITH auth_plugin] BY password
| user_name IDENTIFIED [WITH auth_plugin] BY PASSWORD password
user_or_role:
user_name | role_name
Grant roles to a user or role
GRANT role_name [, role_name ...]
TO user_or_role [, user_or_role ...]
[WITH ADMIN OPTION];
user_or_role:
user_name | role_name
Parameters
| Parameter | Description |
|---|---|
| priv_type | The type of the privilege to be granted. To grant multiple privileges to a user, separate the privileges with commas (,). For information about privilege types and their description, see Privilege types in MySQL mode. |
| priv_level | The level of the privilege to be granted. You can specify that the privilege takes effect on all databases and all tables (*.*), a specified database or table (db_name.* or *.table_name), or a specific table in a specific database (db_name.table_name). |
| user | The user to which the privilege is granted. To grant privileges to multiple users, separate the usernames with commas (,). If the specified user does not exist, the statement creates the user directly. |
| auth_plugin | The user authentication method. Currently, only the mysql_native_password authentication plug-in is supported. |
| BY password | The password for the user to be authorized. The password is in plaintext and is saved in ciphertext on the server after it is saved to the mysql.user table. Enclose special characters in the password in quotation marks (’‘ or ""). Special characters include the following ones: ~!@#%^&*_-+=`|(){}[]:;’,.?/. |
| BY PASSWORD password | The password for the user to be authorized. The password is in ciphertext and is saved to the mysql.user table directly. |
| WITH GRANT OPTION | Specifies whether to enable privilege delegation. When privilege delegation is enabled, grant revocation cascades to dependent users. |
| role_name | The name of the role. |
| WITH ADMIN OPTION | Specifies whether to enable role delegation. When role delegation is enabled, grant revocation does not cascade to dependent users or roles. |
Examples
Example 1: Grant a privilege
Grant the
CREATE VIEWprivilege on thedb1database to theuser1user and enable privilege delegation.obclient> GRANT CREATE VIEW ON db1.* TO user1 WITH GRANT OPTION;Grant the
CREATEprivilege on thedb1database to theuser1user and change the password foruser1.obclient> GRANT CREATE ON db1.* TO user1 IDENTIFIED by '********';After executing the statement, check the password of
user1in themysql.usertable. The password is updated to the newly set one.Grant the
CREATEprivilege on thedb1database to a non-existing user nameduser2and set the password foruser2.obclient> GRANT CREATE ON db1.* TO user2 IDENTIFIED by '********';
Example 2: Grant a role
Grant the role
role001to the rolerole002and enable role delegation.obclient [test]> GRANT role001 TO role002 WITH ADMIN OPTION;Grant the role
role001to the useruser001and enable role delegation.obclient [test]> GRANT role001 TO user001 WITH ADMIN OPTION;
References
- For more information about how to grant user privileges, see Grant privileges.
- For more information about how to view user privileges, see View user privileges.
- You can query the
mysql.usertable to view information about the created user. For more information about themysql.usertable, see mysql.user. - Add privileges to a role
- Grant a role to a user or role
- Activate a role
- Indirectly grant privileges