Purpose
This statement is used to grant corresponding permissions to a specified user or role, or to grant a role to a user or role.
Limitations and considerations
The GRANT operation does not support cycles. For example, if role A is granted to role B, and role B is granted to role C, then granting role C to role A will result in an error.
Privilege requirements
Privilege requirements for granting object privileges to a user
When executing the
GRANTstatement, the current user must have the privilege being granted. For example, if you want to use useruser1to grant theSELECTprivilege on tabletbl1to useruser2, then useruser1must have theSELECTprivilege on tabletbl1.When executing the
GRANTstatement, the current user must have theGRANT OPTIONprivilege. For more information about OceanBase Database privileges, see Privilege types in MySQL-compatible mode.
Note
After granting privileges to a user, the user needs to reconnect to OceanBase Database for the privileges to take effect.
Privilege requirements for granting roles to a user or role
- If the current user has the
SUPERprivilege, they canGRANTall roles. - When granting a role to another user or role, the current user must have the role being granted and the
ADMIN OPTIONprivilege for the grant to be successful. For information about how to view the privileges of the current user, see View user privileges.
Syntax
Syntax for granting object privileges to a user or role
GRANT priv_type[(column_name_list)] [, priv_type[(column_name_list)] ...]
ON [object_type] priv_level
TO {user [, user...]}
[WITH GRANT OPTION];
priv_type:
READ
| WRITE
column_name_list:
column_name [, column_name ...]
object_type:
TABLE
| FUNCTION
| PROCEDURE
| CATALOG
| LOCATION
user:
user_or_role
| user_name IDENTIFIED [WITH auth_plugin] BY password
| user_name IDENTIFIED [WITH auth_plugin] BY PASSWORD password
user_or_role:
user_name | role_name
Syntax for granting roles to a user or role
GRANT role_name [, role_name ...]
TO user_or_role [, user_or_role ...]
[WITH ADMIN OPTION];
user_or_role:
user_name | role_name
Parameters
| Parameter | Description |
|---|---|
| priv_type | The type of the privilege to be granted. You can grant multiple privileges. Separate the privileges with commas (,). For more information about the privileges, see Privilege types in MySQL-compatible mode. Note: The PROXY parameter is only supported in syntax in the current version. |
| column_name_list | Optional. The list of columns to which column-level privileges are granted. The granted privileges take effect only on the listed columns. If you do not specify this parameter, the privileges take effect on the entire table or object. For more information, see Directly grant privileges. |
| object_type | Optional. The type of the object to which the privilege is granted. For more information, see object_type. |
| priv_level | The level at which the privilege is granted. The format is as follows:
|
| user | The user to which the privilege is granted. You can specify one or more users. Separate the users with commas (,). If the specified user does not exist, the system creates the user. |
| auth_plugin | The authentication method for the user. Only the mysql_native_password authentication plugin is supported. |
| BY password | The password of the user to which the privilege is granted. The password is stored in plaintext in the mysql.user table. After being stored, the password is encrypted. If the password contains special characters ~!@#%^&*_-+=`|(){}[]:;',.?/, enclose the password in double quotation marks (") or single quotation marks ('). |
| BY PASSWORD password | The password of the user to which the privilege is granted. The password is stored in the mysql.user table in encrypted form. |
| WITH GRANT OPTION | Specifies whether the privilege can be granted to other users. If this option is specified, the privilege is revoked from all users who have the privilege. |
| role_name | The name of the role. |
| WITH ADMIN OPTION | Specifies whether the role can be granted to other users. If this option is specified, the role is not revoked from users who have the role. |
object_type
Notice
When you use the object_type clause, make sure that the specified object is of the specified type. Otherwise, a syntax error is returned.
TABLE: The object to which the privilege is granted is a table.FUNCTION: The object to which the privilege is granted is a function.PROCEDURE: The object to which the privilege is granted is a stored procedure.CATALOG: The object to which the privilege is granted is a catalog.LOCATION: The object to which the privilege is granted is a location. You can grant the following privileges to a user for a location object:READ: The read privilege for a location object.WRITE: The write privilege for a location object.
Note
For OceanBase Database V4.4.x, the
GRANTstatement supports theLOCATIONparameter and theREADandWRITEprivileges starting from V4.4.1.
Here are some examples:
Grant the
SELECTprivilege on all objects in thetestdatabase touser001. The specified object is not of the specified type, so an error is returned.GRANT SELECT ON TABLE test.* TO user001;The return result is as follows:
ERROR 1144 (42000): Illegal GRANT/REVOKE command; please consult the manual to see which privileges can be usedGrant the
SELECTprivilege on thetbl1table in thetestdatabase touser001.GRANT SELECT ON TABLE test.tbl1 TO user001;Grant the execute privilege on the
calculate_salaryfunction in thetestdatabase touser002.GRANT EXECUTE ON FUNCTION test.calculate_salary TO user002;Grant the execute privilege on the
pro_generate_datastored procedure in thetestdatabase touser003.GRANT EXECUTE ON PROCEDURE test.pro_generate_data TO user003;Grant the
SELECTandUSE CATALOGprivileges on thetest_odps_catalogcatalog touser004.GRANT SELECT, USE CATALOG ON CATALOG test_odps_catalog TO user004 WITH GRANT OPTION;Grant the
READprivilege on thetest_location_locallocation touser005.GRANT READ ON LOCATION test_location_local TO user005 WITH GRANT OPTION;
Examples
Example 1: Grant object privileges
Grant the
CREATE VIEWprivilege on databasedb1to existing useruser1and allow the privilege to be granted to other users.GRANT CREATE VIEW ON db1.* TO user1 WITH GRANT OPTION;Grant the
CREATEprivilege on databasedb1to existing useruser1and change the password ofuser1.GRANT CREATE ON db1.* TO user1 IDENTIFIED by '********';After execution, check the password of
user1in themysql.usertable. You will see that it has been updated to the new password.Grant the
CREATEprivilege on databasedb1to non-existent useruser2and set a password foruser2.GRANT CREATE ON db1.* TO user2 IDENTIFIED by '********';Grant the
SELECTprivilege on columncol1of tabletbl1in databasetestto existing useruser001.GRANT SELECT(col1) ON test.tbl1 TO user001;Grant the
CREATE CATALOGandUSE CATALOGprivileges at the global level to useruser005.GRANT CREATE CATALOG, USE CATALOG ON *.* TO user004 WITH GRANT OPTION;
Example 2: Grant a role to a user or another role
Grant the privileges of role
role001to rolerole002and allow the privileges to be granted to other users.GRANT role001 TO role002 WITH ADMIN OPTION;Grant the privileges of role
role001to useruser001and allow the privileges to be granted to other users.GRANT role001 TO user001 WITH ADMIN OPTION;
References
- For information about how to grant user privileges, see Grant privileges.
- For information about how to view user privileges, see View user privileges.
- You can view the information about the created users from the
mysql.usertable. For more information about themysql.usertable, see mysql.user. - Add privileges to a role
- Grant a role to a user or another role
- Activate a role
- Indirect authorization