CREATE ROLE

This statement creates a new role, which can be assigned to users as part of role-based access control.

Synopsis

CreateRoleStmt

CREATE ROLE - 图1

IfNotExists

CREATE ROLE - 图2

RoleSpec

CREATE ROLE - 图3

  1. CreateRoleStmt ::=
  2.     'CREATE' 'ROLE' IfNotExists RoleSpec (',' RoleSpec)*
  4. IfNotExists ::=
  5.     ('IF' 'NOT' 'EXISTS')?
  7. RoleSpec ::=
  8.     Rolename

Examples

Connect to TiDB as the root user:

  1. mysql -h 127.0.0.1 -P 4000 -u root

Create a new role analyticsteam and a new user jennifer:

  1. CREATE ROLE analyticsteam;
  2. Query OK, 0 rows affected (0.02 sec)
  4. GRANT SELECT ON test.* TO analyticsteam;
  5. Query OK, 0 rows affected (0.02 sec)
  7. CREATE USER jennifer;
  8. Query OK, 0 rows affected (0.01 sec)
  10. GRANT analyticsteam TO jennifer;
  11. Query OK, 0 rows affected (0.01 sec)

Connect to TiDB as the jennifer user:

  1. mysql -h 127.0.0.1 -P 4000 -u jennifer

Note that by default jennifer needs to execute SET ROLE analyticsteam in order to be able to use the privileges associated with the analyticsteam role:

  1. SHOW GRANTS;
  2. +---------------------------------------------+
  3. | Grants for User                             |
  4. +---------------------------------------------+
  5. | GRANT USAGE ON *.* TO 'jennifer'@'%'        |
  6. | GRANT 'analyticsteam'@'%' TO 'jennifer'@'%' |
  7. +---------------------------------------------+
  8. 2 rows in set (0.00 sec)
  10. SHOW TABLES in test;
  11. ERROR 1044 (42000): Access denied for user 'jennifer'@'%' to database 'test'
  12. SET ROLE analyticsteam;
  13. Query OK, 0 rows affected (0.00 sec)
  15. SHOW GRANTS;
  16. +---------------------------------------------+
  17. | Grants for User                             |
  18. +---------------------------------------------+
  19. | GRANT USAGE ON *.* TO 'jennifer'@'%'        |
  20. | GRANT SELECT ON test.* TO 'jennifer'@'%'    |
  21. | GRANT 'analyticsteam'@'%' TO 'jennifer'@'%' |
  22. +---------------------------------------------+
  23. 3 rows in set (0.00 sec)
  25. SHOW TABLES IN test;
  26. +----------------+
  27. | Tables_in_test |
  28. +----------------+
  29. | t1             |
  30. +----------------+
  31. 1 row in set (0.00 sec)

Connect to TiDB as the root user:

  1. mysql -h 127.0.0.1 -P 4000 -u root

The statement SET DEFAULT ROLE can be used to associate the role analyticsteam to jennifer:

  1. SET DEFAULT ROLE analyticsteam TO jennifer;
  2. Query OK, 0 rows affected (0.02 sec)

Connect to TiDB as the jennifer user:

  1. mysql -h 127.0.0.1 -P 4000 -u jennifer

After this, the user jennifer has the privileges associated with the role analyticsteam and jennifer does not have to execute the statement SET ROLE:

  1. SHOW GRANTS;
  2. +---------------------------------------------+
  3. | Grants for User                             |
  4. +---------------------------------------------+
  5. | GRANT USAGE ON *.* TO 'jennifer'@'%'        |
  6. | GRANT SELECT ON test.* TO 'jennifer'@'%'    |
  7. | GRANT 'analyticsteam'@'%' TO 'jennifer'@'%' |
  8. +---------------------------------------------+
  9. 3 rows in set (0.00 sec)
  11. SHOW TABLES IN test;
  12. +----------------+
  13. | Tables_in_test |
  14. +----------------+
  15. | t1             |
  16. +----------------+
  17. 1 row in set (0.00 sec)

MySQL compatibility

The CREATE ROLE statement in TiDB is fully compatible with the roles feature in MySQL 8.0. If you find any compatibility differences, report a bug.

See also