If the mysqld server is started without the
--skip-grant-tables
option, it
reads all grant table contents into memory during its startup
sequence. The in-memory tables become effective for access control
at that point.
If you modify the grant tables indirectly using an
account-management statement, the server notices these changes and
loads the grant tables into memory again immediately.
Account-management statements are described in
Section 15.7.1, “Account Management Statements”. Examples include
GRANT
,
REVOKE
, SET
PASSWORD
, and RENAME
USER
.
If you modify the grant tables directly using statements such as
INSERT
,
UPDATE
, or
DELETE
(which is not recommended),
the changes have no effect on privilege checking until you either
tell the server to reload the tables or restart it. Thus, if you
change the grant tables directly but forget to reload them, the
changes have no effect until you restart the
server. This may leave you wondering why your changes seem to make
no difference!
To tell the server to reload the grant tables, perform a
flush-privileges operation. This can be done by issuing a
FLUSH PRIVILEGES
statement or by
executing a mysqladmin flush-privileges or
mysqladmin reload command.
A grant table reload affects privileges for each existing client session as follows:
Table and column privilege changes take effect with the client's next request.
Database privilege changes take effect the next time the client executes a
USE
statement.db_name
NoteClient applications may cache the database name; thus, this effect may not be visible to them without actually changing to a different database.
Static global privileges and passwords are unaffected for a connected client. These changes take effect only in sessions for subsequent connections. Changes to dynamic global privileges apply immediately. For information about the differences between static and dynamic privileges, see Static Versus Dynamic Privileges.)
Changes to the set of active roles within a session take effect
immediately, for that session only. The SET
ROLE
statement performs session role activation and
deactivation (see Section 15.7.1.11, “SET ROLE Statement”).
If the server is started with the
--skip-grant-tables
option, it does
not read the grant tables or implement any access control. Any
user can connect and perform any operation, which is
insecure. To cause a server thus started to read the
tables and enable access checking, flush the privileges.