GRANT <role>

Assigns a previously created role to an existing user. The user can use then use the statement SET ROLE <rolename> to assume the privileges of the role, or SET ROLE ALL to assume all roles that have been assigned.

Synopsis

GrantRoleStmt

GRANT <role> - 图1

RolenameList

GRANT <role> - 图2

UsernameList

GRANT <role> - 图3

  1. GrantRoleStmt ::=
  2.     'GRANT' RolenameList 'TO' UsernameList
  4. RolenameList ::=
  5.     Rolename ( ',' Rolename )*
  7. UsernameList ::=
  8.     Username ( ',' Username )*

Examples

Connect to TiDB as the root user:

  1. mysql -h 127.0.0.1 -P 4000 -u root

Create a new role analyticsteam and a new user jennifer:

  1. CREATE ROLE analyticsteam;
  2. Query OK, 0 rows affected (0.02 sec)
  4. GRANT SELECT ON test.* TO analyticsteam;
  5. Query OK, 0 rows affected (0.02 sec)
  7. CREATE USER jennifer;
  8. Query OK, 0 rows affected (0.01 sec)
  10. GRANT analyticsteam TO jennifer;
  11. Query OK, 0 rows affected (0.01 sec)

Connect to TiDB as the jennifer user:

  1. mysql -h 127.0.0.1 -P 4000 -u jennifer

Note that by default jennifer needs to execute SET ROLE analyticsteam in order to be able to use the privileges associated with the analyticsteam role:

  1. SHOW GRANTS;
  2. +---------------------------------------------+
  3. | Grants for User                             |
  4. +---------------------------------------------+
  5. | GRANT USAGE ON *.* TO 'jennifer'@'%'        |
  6. | GRANT 'analyticsteam'@'%' TO 'jennifer'@'%' |
  7. +---------------------------------------------+
  8. 2 rows in set (0.00 sec)
  10. SHOW TABLES in test;
  11. ERROR 1044 (42000): Access denied for user 'jennifer'@'%' to database 'test'
  12. SET ROLE analyticsteam;
  13. Query OK, 0 rows affected (0.00 sec)
  15. SHOW GRANTS;
  16. +---------------------------------------------+
  17. | Grants for User                             |
  18. +---------------------------------------------+
  19. | GRANT USAGE ON *.* TO 'jennifer'@'%'        |
  20. | GRANT SELECT ON test.* TO 'jennifer'@'%'    |
  21. | GRANT 'analyticsteam'@'%' TO 'jennifer'@'%' |
  22. +---------------------------------------------+
  23. 3 rows in set (0.00 sec)
  25. SHOW TABLES IN test;
  26. +----------------+
  27. | Tables_in_test |
  28. +----------------+
  29. | t1             |
  30. +----------------+
  31. 1 row in set (0.00 sec)

Connect to TiDB as the root user:

  1. mysql -h 127.0.0.1 -P 4000 -u root

The statement SET DEFAULT ROLE can be used to associate the role analyticsteam to jennifer:

  1. SET DEFAULT ROLE analyticsteam TO jennifer;
  2. Query OK, 0 rows affected (0.02 sec)

Connect to TiDB as the jennifer user:

  1. mysql -h 127.0.0.1 -P 4000 -u jennifer

After this, the user jennifer has the privileges associated with the role analyticsteam and jennifer does not have to execute the statement SET ROLE:

  1. SHOW GRANTS;
  2. +---------------------------------------------+
  3. | Grants for User                             |
  4. +---------------------------------------------+
  5. | GRANT USAGE ON *.* TO 'jennifer'@'%'        |
  6. | GRANT SELECT ON test.* TO 'jennifer'@'%'    |
  7. | GRANT 'analyticsteam'@'%' TO 'jennifer'@'%' |
  8. +---------------------------------------------+
  9. 3 rows in set (0.00 sec)
  11. SHOW TABLES IN test;
  12. +----------------+
  13. | Tables_in_test |
  14. +----------------+
  15. | t1             |
  16. +----------------+
  17. 1 row in set (0.00 sec)

MySQL compatibility

The GRANT <role> statement in TiDB is fully compatible with the roles feature in MySQL 8.0. If you find any compatibility differences, report a bug.

See also