A MySQL role is a named collection of privileges. Like user accounts, roles can have privileges granted to and revoked from them.
A user account can be granted roles, which grants to the account the privileges associated with each role. This enables assignment of sets of privileges to accounts and provides a convenient alternative to granting individual privileges, both for conceptualizing desired privilege assignments and implementing them.
The following list summarizes role-management capabilities provided by MySQL:
CREATE ROLE
andDROP ROLE
create and remove roles.GRANT
andREVOKE
assign privileges to revoke privileges from user accounts and roles.SHOW GRANTS
displays privilege and role assignments for user accounts and roles.SET DEFAULT ROLE
specifies which account roles are active by default.SET ROLE
changes the active roles within the current session.The
CURRENT_ROLE()
function displays the active roles within the current session.The
mandatory_roles
andactivate_all_roles_on_login
system variables enable defining mandatory roles and automatic activation of granted roles when users log in to the server.
For descriptions of individual role-manipulation statements
(including the privileges required to use them), see
Section 15.7.1, “Account Management Statements”. The following
discussion provides examples of role usage. Unless otherwise
specified, SQL statements shown here should be executed using a
MySQL account with sufficient administrative privileges, such as
the root
account.
Consider this scenario:
An application uses a database named
app_db
.Associated with the application, there can be accounts for developers who create and maintain the application, and for users who interact with it.
Developers need full access to the database. Some users need only read access, others need read/write access.
To avoid granting privileges individually to possibly many user accounts, create roles as names for the required privilege sets. This makes it easy to grant the required privileges to user accounts, by granting the appropriate roles.
To create the roles, use the CREATE
ROLE
statement:
CREATE ROLE 'app_developer', 'app_read', 'app_write';
Role names are much like user account names and consist of a
user part and host part in
'
format. The host part, if omitted, defaults to
user_name
'@'host_name
''%'
. The user and host parts can be unquoted
unless they contain special characters such as
-
or %
. Unlike account
names, the user part of role names cannot be blank. For
additional information, see Section 8.2.5, “Specifying Role Names”.
To assign privileges to the roles, execute
GRANT
statements using the same
syntax as for assigning privileges to user accounts:
GRANT ALL ON app_db.* TO 'app_developer';
GRANT SELECT ON app_db.* TO 'app_read';
GRANT INSERT, UPDATE, DELETE ON app_db.* TO 'app_write';
Now suppose that initially you require one developer account,
two user accounts that need read-only access, and one user
account that needs read/write access. Use
CREATE USER
to create the
accounts:
CREATE USER 'dev1'@'localhost' IDENTIFIED BY 'dev1pass';
CREATE USER 'read_user1'@'localhost' IDENTIFIED BY 'read_user1pass';
CREATE USER 'read_user2'@'localhost' IDENTIFIED BY 'read_user2pass';
CREATE USER 'rw_user1'@'localhost' IDENTIFIED BY 'rw_user1pass';
To assign each user account its required privileges, you could
use GRANT
statements of the same
form as just shown, but that requires enumerating individual
privileges for each user. Instead, use an alternative
GRANT
syntax that permits
granting roles rather than privileges:
GRANT 'app_developer' TO 'dev1'@'localhost';
GRANT 'app_read' TO 'read_user1'@'localhost', 'read_user2'@'localhost';
GRANT 'app_read', 'app_write' TO 'rw_user1'@'localhost';
The GRANT
statement for the
rw_user1
account grants the read and write
roles, which combine to provide the required read and write
privileges.
The GRANT
syntax for granting
roles to an account differs from the syntax for granting
privileges: There is an ON
clause to assign
privileges, whereas there is no ON
clause to
assign roles. Because the syntaxes are distinct, you cannot mix
assigning privileges and roles in the same statement. (It is
permitted to assign both privileges and roles to an account, but
you must use separate GRANT
statements, each with syntax appropriate to what is to be
granted.) Roles cannot be granted to anonymous users.
A role when created is locked, has no password, and is assigned
the default authentication plugin. (These role attributes can be
changed later with the ALTER USER
statement, by users who have the global
CREATE USER
privilege.)
While locked, a role cannot be used to authenticate to the server. If unlocked, a role can be used to authenticate. This is because roles and users are both authorization identifiers with much in common and little to distinguish them. See also User and Role Interchangeability.
It is possible to specify roles as mandatory by naming them in
the value of the
mandatory_roles
system
variable. The server treats a mandatory role as granted to all
users, so that it need not be granted explicitly to any account.
To specify mandatory roles at server startup, define
mandatory_roles
in your server
my.cnf
file:
[mysqld]
mandatory_roles='role1,role2@localhost,r3@%.example.com'
To set and persist
mandatory_roles
at runtime, use
a statement like this:
SET PERSIST mandatory_roles = 'role1,role2@localhost,r3@%.example.com';
SET
PERSIST
sets a value for the running MySQL instance.
It also saves the value, causing it to carry over to subsequent
server restarts. To change the value for the running MySQL
instance without having it carry over to subsequent restarts,
use the GLOBAL
keyword rather than
PERSIST
. See Section 15.7.6.1, “SET Syntax for Variable Assignment”.
Setting mandatory_roles
requires the ROLE_ADMIN
privilege, in addition to the
SYSTEM_VARIABLES_ADMIN
privilege
(or the deprecated SUPER
privilege) normally required to set a global system variable.
Mandatory roles, like explicitly granted roles, do not take
effect until activated (see Activating Roles).
At login time, role activation occurs for all granted roles if
the activate_all_roles_on_login
system variable is enabled, or for roles that are set as default
roles otherwise. At runtime, SET
ROLE
activates roles.
Roles named in the value of
mandatory_roles
cannot be
revoked with REVOKE
or dropped
with DROP ROLE
or
DROP USER
.
To prevent sessions from being made system sessions by default,
a role that has the SYSTEM_USER
privilege cannot be listed in the value of the
mandatory_roles
system
variable:
If
mandatory_roles
is assigned a role at startup that has theSYSTEM_USER
privilege, the server writes a message to the error log and exits.If
mandatory_roles
is assigned a role at runtime that has theSYSTEM_USER
privilege, an error occurs and themandatory_roles
value remains unchanged.
Even with this safeguard, it is better to avoid granting the
SYSTEM_USER
privilege through a
role in order to guard against the possibility of privilege
escalation.
If a role named in
mandatory_roles
is not present
in the mysql.user
system table, the role is
not granted to users. When the server attempts role activation
for a user, it does not treat the nonexistent role as mandatory
and writes a warning to the error log. If the role is created
later and thus becomes valid, FLUSH
PRIVILEGES
may be necessary to cause the server to
treat it as mandatory.
SHOW GRANTS
displays mandatory
roles according to the rules described in
Section 15.7.7.22, “SHOW GRANTS Statement”.
To verify the privileges assigned to an account, use
SHOW GRANTS
. For example:
mysql> SHOW GRANTS FOR 'dev1'@'localhost';
+-------------------------------------------------+
| Grants for dev1@localhost |
+-------------------------------------------------+
| GRANT USAGE ON *.* TO `dev1`@`localhost` |
| GRANT `app_developer`@`%` TO `dev1`@`localhost` |
+-------------------------------------------------+
However, that shows each granted role without
“expanding” it to the privileges the role
represents. To show role privileges as well, add a
USING
clause naming the granted roles for
which to display privileges:
mysql> SHOW GRANTS FOR 'dev1'@'localhost' USING 'app_developer';
+----------------------------------------------------------+
| Grants for dev1@localhost |
+----------------------------------------------------------+
| GRANT USAGE ON *.* TO `dev1`@`localhost` |
| GRANT ALL PRIVILEGES ON `app_db`.* TO `dev1`@`localhost` |
| GRANT `app_developer`@`%` TO `dev1`@`localhost` |
+----------------------------------------------------------+
Verify each other type of user similarly:
mysql> SHOW GRANTS FOR 'read_user1'@'localhost' USING 'app_read';
+--------------------------------------------------------+
| Grants for read_user1@localhost |
+--------------------------------------------------------+
| GRANT USAGE ON *.* TO `read_user1`@`localhost` |
| GRANT SELECT ON `app_db`.* TO `read_user1`@`localhost` |
| GRANT `app_read`@`%` TO `read_user1`@`localhost` |
+--------------------------------------------------------+
mysql> SHOW GRANTS FOR 'rw_user1'@'localhost' USING 'app_read', 'app_write';
+------------------------------------------------------------------------------+
| Grants for rw_user1@localhost |
+------------------------------------------------------------------------------+
| GRANT USAGE ON *.* TO `rw_user1`@`localhost` |
| GRANT SELECT, INSERT, UPDATE, DELETE ON `app_db`.* TO `rw_user1`@`localhost` |
| GRANT `app_read`@`%`,`app_write`@`%` TO `rw_user1`@`localhost` |
+------------------------------------------------------------------------------+
SHOW GRANTS
displays mandatory
roles according to the rules described in
Section 15.7.7.22, “SHOW GRANTS Statement”.
Roles granted to a user account can be active or inactive within
account sessions. If a granted role is active within a session,
its privileges apply; otherwise, they do not. To determine which
roles are active within the current session, use the
CURRENT_ROLE()
function.
By default, granting a role to an account or naming it in the
mandatory_roles
system variable
value does not automatically cause the role to become active
within account sessions. For example, because thus far in the
preceding discussion no rw_user1
roles have
been activated, if you connect to the server as
rw_user1
and invoke the
CURRENT_ROLE()
function, the
result is NONE
(no active roles):
mysql> SELECT CURRENT_ROLE();
+----------------+
| CURRENT_ROLE() |
+----------------+
| NONE |
+----------------+
To specify which roles should become active each time a user
connects to the server and authenticates, use
SET DEFAULT ROLE
. To set the
default to all assigned roles for each account created earlier,
use this statement:
SET DEFAULT ROLE ALL TO
'dev1'@'localhost',
'read_user1'@'localhost',
'read_user2'@'localhost',
'rw_user1'@'localhost';
Now if you connect as rw_user1
, the initial
value of CURRENT_ROLE()
reflects
the new default role assignments:
mysql> SELECT CURRENT_ROLE();
+--------------------------------+
| CURRENT_ROLE() |
+--------------------------------+
| `app_read`@`%`,`app_write`@`%` |
+--------------------------------+
To cause all explicitly granted and mandatory roles to be
automatically activated when users connect to the server, enable
the activate_all_roles_on_login
system variable. By default, automatic role activation is
disabled.
Within a session, a user can execute SET
ROLE
to change the set of active roles. For example,
for rw_user1
:
mysql> SET ROLE NONE; SELECT CURRENT_ROLE();
+----------------+
| CURRENT_ROLE() |
+----------------+
| NONE |
+----------------+
mysql> SET ROLE ALL EXCEPT 'app_write'; SELECT CURRENT_ROLE();
+----------------+
| CURRENT_ROLE() |
+----------------+
| `app_read`@`%` |
+----------------+
mysql> SET ROLE DEFAULT; SELECT CURRENT_ROLE();
+--------------------------------+
| CURRENT_ROLE() |
+--------------------------------+
| `app_read`@`%`,`app_write`@`%` |
+--------------------------------+
The first SET ROLE
statement
deactivates all roles. The second makes
rw_user1
effectively read only. The third
restores the default roles.
The effective user for stored program and view objects is
subject to the DEFINER
and SQL
SECURITY
attributes, which determine whether execution
occurs in invoker or definer context (see
Section 27.6, “Stored Object Access Control”):
Stored program and view objects that execute in invoker context execute with the roles that are active within the current session.
Stored program and view objects that execute in definer context execute with the default roles of the user named in their
DEFINER
attribute. Ifactivate_all_roles_on_login
is enabled, such objects execute with all roles granted to theDEFINER
user, including mandatory roles. For stored programs, if execution should occur with roles different from the default, the program body can executeSET ROLE
to activate the required roles. This must be done with caution since the privileges assigned to roles can be changed.
Just as roles can be granted to an account, they can be revoked from an account:
REVOKE role FROM user;
Roles named in the
mandatory_roles
system variable
value cannot be revoked.
REVOKE
can also be applied to a
role to modify the privileges granted to it. This affects not
only the role itself, but any account granted that role. Suppose
that you want to temporarily make all application users read
only. To do this, use REVOKE
to
revoke the modification privileges from the
app_write
role:
REVOKE INSERT, UPDATE, DELETE ON app_db.* FROM 'app_write';
As it happens, that leaves the role with no privileges at all,
as can be seen using SHOW GRANTS
(which demonstrates that this statement can be used with roles,
not just users):
mysql> SHOW GRANTS FOR 'app_write';
+---------------------------------------+
| Grants for app_write@% |
+---------------------------------------+
| GRANT USAGE ON *.* TO `app_write`@`%` |
+---------------------------------------+
Because revoking privileges from a role affects the privileges
for any user who is assigned the modified role,
rw_user1
now has no table modification
privileges (INSERT
,
UPDATE
, and
DELETE
are no longer present):
mysql> SHOW GRANTS FOR 'rw_user1'@'localhost'
USING 'app_read', 'app_write';
+----------------------------------------------------------------+
| Grants for rw_user1@localhost |
+----------------------------------------------------------------+
| GRANT USAGE ON *.* TO `rw_user1`@`localhost` |
| GRANT SELECT ON `app_db`.* TO `rw_user1`@`localhost` |
| GRANT `app_read`@`%`,`app_write`@`%` TO `rw_user1`@`localhost` |
+----------------------------------------------------------------+
In effect, the rw_user1
read/write user has
become a read-only user. This also occurs for any other accounts
that are granted the app_write
role,
illustrating how use of roles makes it unnecessary to modify
privileges for individual accounts.
To restore modification privileges to the role, simply re-grant them:
GRANT INSERT, UPDATE, DELETE ON app_db.* TO 'app_write';
Now rw_user1
again has modification
privileges, as do any other accounts granted the
app_write
role.
To drop roles, use DROP ROLE
:
DROP ROLE 'app_read', 'app_write';
Dropping a role revokes it from every account to which it was granted.
Roles named in the
mandatory_roles
system variable
value cannot be dropped.
As has been hinted at earlier for SHOW
GRANTS
, which displays grants for user accounts or
roles, accounts and roles can be used interchangeably.
One difference between roles and users is that
CREATE ROLE
creates an
authorization identifier that is locked by default, whereas
CREATE USER
creates an
authorization identifier that is unlocked by default. You should
keep in mind that this distinction is not immutable; a user with
appropriate privileges can lock or unlock roles or (other) users
after they have been created.
If a database administrator has a preference that a specific
authorization identifier must be a role, a name scheme can be
used to communicate this intention. For example, you could use a
r_
prefix for all authorization identifiers
that you intend to be roles and nothing else.
Another difference between roles and users lies in the privileges available for administering them:
The
CREATE ROLE
andDROP ROLE
privileges enable only use of theCREATE ROLE
andDROP ROLE
statements, respectively.The
CREATE USER
privilege enables use of theALTER USER
,CREATE ROLE
,CREATE USER
,DROP ROLE
,DROP USER
,RENAME USER
, andREVOKE ALL PRIVILEGES
statements.
Thus, the CREATE ROLE
and
DROP ROLE
privileges are not as
powerful as CREATE USER
and may
be granted to users who should only be permitted to create and
drop roles, and not perform more general account manipulation.
With regard to privileges and interchangeability of users and roles, you can treat a user account like a role and grant that account to another user or a role. The effect is to grant the account's privileges and roles to the other user or role.
This set of statements demonstrates that you can grant a user to a user, a role to a user, a user to a role, or a role to a role:
CREATE USER 'u1';
CREATE ROLE 'r1';
GRANT SELECT ON db1.* TO 'u1';
GRANT SELECT ON db2.* TO 'r1';
CREATE USER 'u2';
CREATE ROLE 'r2';
GRANT 'u1', 'r1' TO 'u2';
GRANT 'u1', 'r1' TO 'r2';
The result in each case is to grant to the grantee object the
privileges associated with the granted object. After executing
those statements, each of u2
and
r2
have been granted privileges from a user
(u1
) and a role (r1
):
mysql> SHOW GRANTS FOR 'u2' USING 'u1', 'r1';
+-------------------------------------+
| Grants for u2@% |
+-------------------------------------+
| GRANT USAGE ON *.* TO `u2`@`%` |
| GRANT SELECT ON `db1`.* TO `u2`@`%` |
| GRANT SELECT ON `db2`.* TO `u2`@`%` |
| GRANT `u1`@`%`,`r1`@`%` TO `u2`@`%` |
+-------------------------------------+
mysql> SHOW GRANTS FOR 'r2' USING 'u1', 'r1';
+-------------------------------------+
| Grants for r2@% |
+-------------------------------------+
| GRANT USAGE ON *.* TO `r2`@`%` |
| GRANT SELECT ON `db1`.* TO `r2`@`%` |
| GRANT SELECT ON `db2`.* TO `r2`@`%` |
| GRANT `u1`@`%`,`r1`@`%` TO `r2`@`%` |
+-------------------------------------+
The preceding example is illustrative only, but interchangeability of user accounts and roles has practical application, such as in the following situation: Suppose that a legacy application development project began before the advent of roles in MySQL, so all user accounts associated with the project are granted privileges directly (rather than granted privileges by virtue of being granted roles). One of these accounts is a developer account that was originally granted privileges as follows:
CREATE USER 'old_app_dev'@'localhost' IDENTIFIED BY 'old_app_devpass';
GRANT ALL ON old_app.* TO 'old_app_dev'@'localhost';
If this developer leaves the project, it becomes necessary to assign the privileges to another user, or perhaps multiple users if development activities have expanded. Here are some ways to deal with the issue:
Without using roles: Change the account password so the original developer cannot use it, and have a new developer use the account instead:
ALTER USER 'old_app_dev'@'localhost' IDENTIFIED BY 'new_password';
Using roles: Lock the account to prevent anyone from using it to connect to the server:
ALTER USER 'old_app_dev'@'localhost' ACCOUNT LOCK;
Then treat the account as a role. For each developer new to the project, create a new account and grant to it the original developer account:
CREATE USER 'new_app_dev1'@'localhost' IDENTIFIED BY 'new_password'; GRANT 'old_app_dev'@'localhost' TO 'new_app_dev1'@'localhost';
The effect is to assign the original developer account privileges to the new account.