Normally, you manipulate the contents of the grant tables in the
mysql database indirectly by using statements
REVOKE to set up accounts and
control the privileges available to each one. See
Section 12.4.1, “Account Management Statements”. The discussion here
describes the underlying structure of the grant tables and how the
server uses their contents when interacting with clients.
mysql database tables contain grant
user: Contains user accounts, global
privileges, and other non-privilege columns.
db: Contains database-level privileges.
tables_priv: Contains table-level
columns_priv: Contains column-level
Other tables in the
mysql database do not hold
grant information and are discussed elsewhere:
func: Contains information about
user-defined functions: See
Section 18.2, “Adding New Functions to MySQL”.
tables are used for server-side help: See
Section 5.1.7, “Server-Side Help”.
These tables contain time zone information: See
Section 9.7, “MySQL Server Time Zone Support”.
Each grant table contains scope columns and privilege columns:
Scope columns determine the scope of each row (entry) in the
tables; that is, the context in which the row applies. For
user table row with
User values of
'bob' would be used for authenticating
connections made to the server from the host
thomas.loc.gov by a client that specifies a
user name of
bob. Similarly, a
db table row with
would be used when
bob connects from the
thomas.loc.gov to access the
reports database. The
columns_priv tables contain scope columns
indicating tables or table/column combinations to which each
Privilege columns indicate which privileges are granted by a table row; that is, what operations can be performed. The server combines the information in the various grant tables to form a complete description of a user's privileges. Section 5.5.5, “Access Control, Stage 2: Request Verification”, describes the rules that are used to do this.
The server uses the grant tables in the following manner:
user table scope columns determine
whether to reject or permit incoming connections. For
permitted connections, any privileges granted in the
user table indicate the user's global
privileges. Any privilege granted in this table applies to
all databases on the server.
Because any global privilege is considered a privilege for
all databases, any global privilege enables a user to see
all database names with
db table scope columns determine which
users can access which databases from which hosts. The
privilege columns determine which operations are permitted. A
privilege granted at the database level applies to the
database and to all objects in the database, such as tables
and stored programs.
host table is used in conjunction with
db table when you want a given
db table row to apply to several hosts. For
example, if you want a user to be able to use a database from
several hosts in your network, leave the
Host value empty in the user's
db table row, then populate the
host table with a row for each of those
hosts. This mechanism is described more detail in
Section 5.5.5, “Access Control, Stage 2: Request Verification”.
columns_priv tables are similar to the
db table, but are more fine-grained: They
apply at the table and column levels rather than at the
database level. A privilege granted at the table level applies
to the table and to all its columns. A privilege granted at
the column level applies only to a specific column.
The server uses the
host tables in the
mysql database at both the first and second
stages of access control (see Section 5.5, “The MySQL Access Privilege System”).
The columns in the
db tables are shown here. The
host table is similar to the
db table but has a specialized use as described
in Section 5.5.5, “Access Control, Stage 2: Request Verification”.
Table 5.7 user and db Table Columns
|Resource control columns|
x509_subject columns were added in MySQL 4.0.0.
max_connections columns were added in MySQL
Execute_priv is not operational through
During the second stage of access control, the server performs
request verification to make sure that each client has sufficient
privileges for each request that it issues. In addition to the
host grant tables, the server may also consult
columns_priv tables for requests that involve
tables. The latter tables provide finer privilege control at the
table and column levels. They have the columns shown in the
Table 5.8 tables_priv and columns_priv Table Columns
columns are set to the current timestamp and the
CURRENT_USER value, respectively.
However, they are unused and are discussed no further here.
Scope columns in the grant tables contain strings. They are declared as shown here; the default value for each is the empty string.
Table 5.9 Grant Table Scope Column Types
Before MySQL 3.23, the
Db column is
CHAR(32) in some tables and
CHAR(60) in others.
For access-checking purposes, comparisons of
are case sensitive. Comparisons of
are not case sensitive. Comparisons of
Column_name values are not case sensitive as of
host tables, each privilege is listed in a
separate column that is declared as
'N'. In other words, each privilege can be disabled or
enabled, with the default being disabled.
columns_priv tables, the privilege columns are
SET columns. Values in
these columns can contain any combination of the privileges
controlled by the table. Only those privileges listed in the
column value are enabled.
Table 5.10 Set-Type Privilege Column Values
|Table Name||Column Name||Possible Set Elements|
|Table Name||Column Name||Possible Set Elements|
Administrative privileges (such as
SHUTDOWN) are specified only in the
user table. Administrative operations are
operations on the server itself and are not database-specific, so
there is no reason to list these privileges in the other grant
tables. Consequently, to determine whether you can perform an
administrative operation, the server need consult only the
FILE privilege also is
specified only in the
user table. It is not an
administrative privilege as such, but your ability to read or
write files on the server host is independent of the database you
The mysqld server reads the contents of the
grant tables into memory when it starts. You can tell it to reload
the tables by issuing a
statement or executing a mysqladmin
flush-privileges or mysqladmin reload
command. Changes to the grant tables take effect as indicated in
Section 5.5.6, “When Privilege Changes Take Effect”.
When you modify an account's privileges, it is a good idea to
verify that the changes set up privileges the way you want. To
check the privileges for a given account, use the
SHOW GRANTS statement (see
Section 22.214.171.124, “SHOW GRANTS Syntax”). For example, to determine the
privileges that are granted to an account with user name and host
name values of
pc84.example.com, use this statement:
SHOW GRANTS FOR 'bob'@'pc84.example.com';