Purpose
You can use this statement to grant privileges to a user or role or grant roles to a user or role.
Limitations and considerations
Circular role granting is not supported. For example, if you have granted role A to role B and role B to role C, an error will be reported when you grant role C to role A.
Required privileges
Privileges required for granting privileges to a user or role
You must have the privileges that you want to grant. For example, if you want to grant the
SELECTprivilege on thetbl1table touser2asuser1,user1must have theSELECTprivilege on thetbl1table.You must have the
GRANT OPTIONprivilege. For more information about privileges in OceanBase Database, see Privilege types in MySQL mode.
Note
After a user is granted a privilege, the privilege takes effect only after the user is reconnected to OceanBase Database.
Privileges required for granting roles to a user or another role
- If you have the
SUPERprivilege, you can executeGRANTto grant any roles to any users or roles. - To grant a role to a user or role, you must have the granted role and the
ADMIN OPTIONprivilege. For more information about how to view your privileges, see View user privileges.
Syntax
Grant privileges to a user or role
GRANT priv_type[(column_name_list)] [, priv_type[(column_name_list)] ...]
ON priv_level
TO {user [, user...]}
[WITH GRANT OPTION];
column_name_list:
column_name [, column_name ...]
user:
user_or_role
| user_name IDENTIFIED [WITH auth_plugin] BY password
| user_name IDENTIFIED [WITH auth_plugin] BY PASSWORD password
user_or_role:
user_name | role_name
Grant a role to a user or another role
GRANT role_name [, role_name ...]
TO user_or_role [, user_or_role ...]
[WITH ADMIN OPTION];
user_or_role:
user_name | role_name
Parameters
| Parameter | Description |
|---|---|
| priv_type | The type of the privilege to be granted. To grant multiple privileges to a user, separate the privileges with commas (,). For information about privilege types and their description, see Privilege types in MySQL mode. |
| column_name_list | Optional. The list of columns on which the granted column-level privileges take effect. If you do not specify this parameter, the granted privilege takes effect on the entire table or object. For more information, see Grant direct privileges. |
| priv_level | The level of the privilege to be granted. You can specify that the privilege takes effect on all databases and all tables (.), a specified database or table (db_name.* or *.table_name), or a specific table in a specific database (db_name.table_name). |
| user | The user to which the privilege is granted. To grant privileges to multiple users, separate the usernames with commas (,). If the specified user does not exist, the statement creates the user directly. |
| auth_plugin | The user authentication method. Currently, only the mysql_native_password authentication plug-in is supported. |
| BY password | The password for the user to which the privilege is to be granted. The password is in plaintext and is saved in ciphertext on the server after it is saved to the mysql.user table. Enclose special characters in the password in quotation marks ('' or ""). Special characters are ~!@#%^&*_-+=`|(){}[]:;',.?/. |
| BY PASSWORD password | The password for the user to which the privilege is to be granted. The password is in ciphertext and is directly saved to the mysql.user table. |
| WITH GRANT OPTION | Specifies whether to enable privilege delegation. When privilege delegation is enabled, grant revocation extends to dependent users. |
| role_name | The name of the role. |
| WITH ADMIN OPTION | Specifies whether to enable role delegation. When role delegation is enabled, grant revocation does not cascade to dependent users or roles. |
Examples
Example 1: Grant object privileges
Grant the
CREATE VIEWprivilege on thedb1database to theuser1user and enable privilege delegation.GRANT CREATE VIEW ON db1.* TO user1 WITH GRANT OPTION;Grant the
CREATEprivilege on thedb1database to theuser1user and change the password foruser1.GRANT CREATE ON db1.* TO user1 IDENTIFIED by '********';Check the password of
user1in themysql.usertable. The password is updated to the new one.Grant the
CREATEprivilege on thedb1database to a nonexistent user nameduser2and set a password foruser2.GRANT CREATE ON db1.* TO user2 IDENTIFIED by '********';Grant the
SELECTprivilege on thecol1column of thetbl1table in thetestdatabase to theuser001user.GRANT SELECT(col1) ON test.tbl1 TO user001;
Example 2: Grant a role to a user or another role
Grant the role
role001to the rolerole002and enable role delegation.GRANT role001 TO role002 WITH ADMIN OPTION;Grant the role
role001to the useruser001and enable role delegation.GRANT role001 TO user001 WITH ADMIN OPTION;
References
- For more information about how to grant user privileges, see Grant direct privileges.
- For more information about how to view user privileges, see View user privileges.
- You can query the information about the created user in the
mysql.usertable. For more information about themysql.usertable, see mysql.user. - Grant privileges to a role
- Grant a role to a user or another role
- Activate a role
- Grant indirect privileges