MySQL 8.0 : Roles


Transcript of MySQL 8.0 : Roles

Page 1: MySQL 8.0 : Roles
Page 2: MySQL 8.0 : Roles

Copyright © 2016, Oracle and/or its affiliates. All rights reserved. |

MySQL 8.0 : Roles

Harin Vadodaria, Developer, MySQL Server General Team, December 16, 2016

Page 3: MySQL 8.0 : Roles


Safe Harbor Statement

The following is intended to outline our general product direction. It is intended for information purposes only, and may not be incorporated into any contract. It is not a commitment to deliver any material, code, or functionality, and should not be relied upon in making purchasing decisions. The development, release, and timing of any features or functionality described for Oracle’s products remains at the sole discretion of Oracle.


Page 4: MySQL 8.0 : Roles

Copyright © 2016, Oracle and/or its affiliates. All rights reserved. |

Program Agenda

1. Roles in MySQL 8

2. Questions & Answers

Page 5: MySQL 8.0 : Roles


Roles - Introduction

• Containers for privileges

– Can contain a variety of privileges and/or other roles

• Grantable – just like regular privileges

• Usually without the ability to log in

– But otherwise pretty similar to users

Confidential – Oracle Internal/Restricted/Highly Restricted 5

Page 6: MySQL 8.0 : Roles


Roles - Introduction

• Makes administration easier

• Less complicated grant structure

• Easy to add/remove privileges


Page 7: MySQL 8.0 : Roles


Roles – In MySQL

• Shares a namespace with users

– Logically similar to a user account, albeit without the ability to log in

– Information is stored in the mysql.user table

• Grant information – who is granted what, and how?

– From the mysql.role_edges table (FROM_USER/FROM_HOST is the role, TO_USER/TO_HOST the grantee, WITH_ADMIN_OPTION the delegation flag)

• Role activation information – which roles are activated by default?

– From the mysql.default_roles table


Page 8: MySQL 8.0 : Roles


Roles – In MySQL

• Internals

– AuthorizationID: <user_identifier>@<host_identifier>

• Both users and roles are AuthorizationIDs

• Identical privilege representation

– Role graph is constructed using the Boost Graph Library

– Breadth-first search of the role graph for privilege checking

– New caching mechanism to speed up privilege information retrieval when roles are involved


Page 9: MySQL 8.0 : Roles


Roles – Creating/Deleting roles

• CREATE ROLE roleA;

– Creates a placeholder in mysql.user as a locked account (account_locked = 'Y', so no authentication is possible)

– roleA behaves as a role only once it is granted to a user or to another role; until then it is just a locked account entry

• Syntax variations

– IF NOT EXISTS

– Creating multiple roles in one statement

• DROP ROLE roleA;

– Removes roleA from the database

– Including the grants of roleA to users/roles and its default activation instructions, if any

• Syntax variations

– IF EXISTS

– Dropping multiple roles in one statement


Page 10: MySQL 8.0 : Roles


Roles – Privilege Assignment

• GRANT SELECT ON *.* TO roleA;

– Just like grants for a user

• Syntax variations

– Grant to multiple roles

– Supports the same privilege levels as user grants:

• Global

• Schema

• Object and sub-object (table, column, routine)

• REVOKE SELECT ON *.* FROM roleA;

• Syntax variations

– Revoke privileges from multiple roles


Page 11: MySQL 8.0 : Roles


Roles – Management

• GRANT roleA TO userA;

– Grants roleA to userA

– Makes it possible for userA to inherit roleA's privileges (once the role is activated in the session)

• Syntax variations

– Grant multiple roles to multiple users/roles

– WITH ADMIN OPTION (more on that later!)

• REVOKE roleA FROM userA;

– Revokes roleA from userA

• Syntax variations

– Revoke multiple roles from multiple users/roles


Page 12: MySQL 8.0 : Roles


Roles – Management

• Roles hierarchy

– Possible to grant roles to other roles

– Facilitates composition


Page 13: MySQL 8.0 : Roles


Roles – Management

• WITH ADMIN OPTION

– Delegates the ability to control a role: the grantee can grant the role to, and revoke it from, other users and roles

– Create lesser admins to manage a subset of roles, instead of handing out the global ROLE_ADMIN privilege

Diagram (delegation chain):

GRANT roleA TO userA WITH ADMIN OPTION   (executed by a role administrator)

GRANT roleA TO userB   (executed by userA, who now holds the admin option on roleA)
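Worked example of the grant structure from the preceding slides (creating roles, assigning privileges at the schema and object level, composing roles, and delegating with WITH ADMIN OPTION), followed by the two checks a reviewer would run against the catalog tables. This is an added example, not code from the slides; the app schema, the roles app_read/app_write/app_admin, the users alice and bob and the placeholder passwords are made up for illustration, and the statements assume an administrative session (an account holding CREATE ROLE, CREATE USER and the privileges being granted) on MySQL 8.0.

```sql
-- Added example; schema, role and user names are illustrative.
-- Run as an administrative account on MySQL 8.0.
CREATE DATABASE IF NOT EXISTS app;
CREATE TABLE IF NOT EXISTS app.orders (
  id    INT PRIMARY KEY,
  total DECIMAL(10,2)
);

-- Create roles: each becomes a locked row in mysql.user that cannot log in.
CREATE ROLE IF NOT EXISTS 'app_read', 'app_write', 'app_admin';

-- Privilege assignment works exactly as for users; pick the narrowest level.
GRANT SELECT ON app.* TO 'app_read';                 -- schema level
GRANT INSERT, UPDATE ON app.orders TO 'app_write';   -- object (table) level
GRANT CREATE, DROP ON app.* TO 'app_admin';          -- schema level

-- Hierarchy: granting a role to a role composes the privilege sets.
GRANT 'app_read'  TO 'app_write';   -- writers also get read
GRANT 'app_write' TO 'app_admin';   -- admins get read + write + their own grants

-- Accounts that will use the roles (placeholder passwords, replace them).
CREATE USER IF NOT EXISTS 'alice'@'%' IDENTIFIED BY 'replace-me-alice';
CREATE USER IF NOT EXISTS 'bob'@'%'   IDENTIFIED BY 'replace-me-bob';

GRANT 'app_read' TO 'bob'@'%';
-- WITH ADMIN OPTION: alice may GRANT/REVOKE app_admin to/from others
-- without holding the global ROLE_ADMIN privilege.
GRANT 'app_admin' TO 'alice'@'%' WITH ADMIN OPTION;

-- Check 1: roles must stay locked. A role that is unlocked and given a
-- password (ALTER USER ... ACCOUNT UNLOCK) is a login account carrying
-- every privilege of the role, so any 'N' in this column is a finding.
SELECT user, host, account_locked
  FROM mysql.user
 WHERE user IN ('app_read', 'app_write', 'app_admin');

-- Check 2: who is allowed to delegate which role? Each row is a grantee
-- that can hand the role on to further accounts.
SELECT FROM_USER AS role, TO_USER AS grantee, TO_HOST AS grantee_host
  FROM mysql.role_edges
 WHERE WITH_ADMIN_OPTION = 'Y';

-- Revocation mirrors the grant.
REVOKE 'app_read' FROM 'bob'@'%';
```

Role names given without a host part default to the '%' host, so 'app_read' is the same AuthorizationID as 'app_read'@'%'. The second check is the one worth scheduling: every admin-option edge is a delegation path that a regular SHOW GRANTS on the role itself will not reveal.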

Page 14: MySQL 8.0 : Roles


Roles – Activation/Deactivation

• Principle of least privilege: don't always use the big guns!

• SET ROLE roleA

– Roles are not active by default; a granted role contributes nothing to the session until it is activated (or listed as a default role)

• Syntax variations

– SET ROLE <role_list>

– SET ROLE ALL

– SET ROLE ALL EXCEPT <role_list>

– SET ROLE DEFAULT

• SET ROLE NONE

– Deactivate all active roles


Page 15: MySQL 8.0 : Roles


Roles – Activation/Deactivation


Page 16: MySQL 8.0 : Roles


Roles – Default Activation

• Activate a common minimum set by default

– SET DEFAULT ROLE roleA TO userA, or ALTER USER userA DEFAULT ROLE roleA (MySQL 8.0 GA syntax); the role must already be granted to the user

– Default roles are activated automatically upon successful login

– Possible to activate multiple roles by default

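Worked example of activation and default activation from the last three slides: a user holds a read role and a write role, only the read role is active at login, and the write role is switched on just for the statement that needs it. This is an added example, not code from the slides; the app schema, the roles app_read/app_write, the user alice and the placeholder password are made up for illustration. The first part assumes an administrative session, the second a session logged in as alice.

```sql
-- Added example; role and user names are illustrative.
-- Setup (administrative session) so the block runs on its own.
CREATE DATABASE IF NOT EXISTS app;
CREATE TABLE IF NOT EXISTS app.orders (id INT PRIMARY KEY, total DECIMAL(10,2));
CREATE ROLE IF NOT EXISTS 'app_read', 'app_write';
GRANT SELECT ON app.* TO 'app_read';
GRANT INSERT, UPDATE, DELETE ON app.orders TO 'app_write';
CREATE USER IF NOT EXISTS 'alice'@'%' IDENTIFIED BY 'replace-me-alice';
GRANT 'app_read', 'app_write' TO 'alice'@'%';   -- both granted, neither active yet

-- Least privilege by default: only the read role is active at login.
-- (Must come after the GRANT; a default role has to be granted first.)
SET DEFAULT ROLE 'app_read' TO 'alice'@'%';
-- Equivalent: ALTER USER 'alice'@'%' DEFAULT ROLE 'app_read';

-- A server-wide setting can undo this choice: with activate_all_roles_on_login
-- ON, every granted role is active at login regardless of the default. Verify
-- it is OFF on any server where defaults are used to limit privilege.
SHOW VARIABLES LIKE 'activate_all_roles_on_login';

-- Where the default is recorded.
SELECT USER, HOST, DEFAULT_ROLE_USER, DEFAULT_ROLE_HOST
  FROM mysql.default_roles
 WHERE USER = 'alice';

-- ---- In a session logged in as alice (mysql -u alice -p) ----
SELECT CURRENT_ROLE();                  -- only app_read is active at this point
SELECT COUNT(*) FROM app.orders;        -- allowed through app_read
DELETE FROM app.orders WHERE id = 1;    -- denied: app_write is granted but not active

-- Escalate only for the write, then drop back down.
SET ROLE 'app_write';                   -- replaces the active set, does not add to it
DELETE FROM app.orders WHERE id = 1;    -- allowed now
SET ROLE DEFAULT;                       -- back to app_read only

-- Other forms:
SET ROLE ALL;                           -- every granted role (the "big guns")
SET ROLE ALL EXCEPT 'app_write';        -- everything but the write role
SET ROLE NONE;                          -- deactivate all; CURRENT_ROLE() then reports NONE
-- SET ROLE on a role that was never granted to the session user fails with
-- an error rather than silently activating nothing.
```

The point of the SET ROLE 'app_write' / SET ROLE DEFAULT pair is that a compromised application session running with the default set cannot delete rows; the write role has to be named explicitly, which is also what shows up in the general or audit log.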

Page 17: MySQL 8.0 : Roles


Roles – Information

• SHOW GRANTS FOR <user>

– Direct grants only; a granted role shows up as a GRANT `role` TO line, its privileges are not expanded

• New extension: SHOW GRANTS FOR <user> USING <role>

– Direct grants + the privileges contributed by the given role(s); each role named in USING must be granted to the user

Page 18: MySQL 8.0 : Roles


Roles – Information

• ROLES_GRAPHML(): GraphML representation of the entire role graph (requires the ROLE_ADMIN privilege; without it only an empty <graphml> element is returned)
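Worked example for the two information slides: SHOW GRANTS with and without USING, ROLES_GRAPHML(), and a hand-written transitive walk over mysql.role_edges that reproduces the breadth-first search the server does for privilege checks. This is an added example, not code from the slides; the app schema, the roles app_read/app_write/app_admin, the user alice and the placeholder password are made up for illustration, and the block assumes an administrative session holding ROLE_ADMIN.

```sql
-- Added example; role and user names are illustrative.
-- Setup so the block runs on its own (administrative session).
CREATE DATABASE IF NOT EXISTS app;
CREATE ROLE IF NOT EXISTS 'app_read', 'app_write', 'app_admin';
GRANT SELECT ON app.* TO 'app_read';
GRANT INSERT, UPDATE ON app.* TO 'app_write';
GRANT 'app_read'  TO 'app_write';
GRANT 'app_write' TO 'app_admin';
CREATE USER IF NOT EXISTS 'alice'@'%' IDENTIFIED BY 'replace-me-alice';
GRANT 'app_admin' TO 'alice'@'%';

-- Direct grants only: app_admin appears as a GRANT line, its contents do not.
SHOW GRANTS FOR 'alice'@'%';

-- Expand one role: direct grants plus what app_admin contributes, including
-- what it inherits through app_write and app_read.
SHOW GRANTS FOR 'alice'@'%' USING 'app_admin';
-- USING accepts only roles granted to the user; naming one that is not
-- granted to alice is an error, not an empty result.

-- Whole graph as GraphML, for offline review of delegation chains. The
-- caller needs ROLE_ADMIN; without it only an empty <graphml> element comes back.
SELECT ROLES_GRAPHML();

-- The same breadth-first walk the server performs, done by hand over
-- mysql.role_edges: every role alice reaches transitively, with the
-- shortest distance from her account. Useful when a role graph has grown
-- beyond what SHOW GRANTS ... USING makes obvious.
WITH RECURSIVE reach (role_user, role_host, depth) AS (
  SELECT e.FROM_USER, e.FROM_HOST, 1
    FROM mysql.role_edges e
   WHERE e.TO_USER = 'alice' AND e.TO_HOST = '%'
  UNION ALL
  SELECT e.FROM_USER, e.FROM_HOST, r.depth + 1
    FROM mysql.role_edges e
    JOIN reach r ON e.TO_USER = r.role_user AND e.TO_HOST = r.role_host
   WHERE r.depth < 32          -- guard against cycles in the role graph
)
SELECT role_user, role_host, MIN(depth) AS depth
  FROM reach
 GROUP BY role_user, role_host
 ORDER BY depth, role_user;
```

With the setup above the walk returns app_admin at depth 1, app_write at depth 2 and app_read at depth 3; run against a production catalog, anything it lists that SHOW GRANTS FOR the account does not mention directly is privilege the account holds only through role composition, which is exactly what an access review tends to miss.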


Page 19: MySQL 8.0 : Roles


Questions & Answers

Page 20: MySQL 8.0 : Roles


Safe Harbor Statement

The preceding is intended to outline our general product direction. It is intended for information purposes only, and may not be incorporated into any contract. It is not a commitment to deliver any material, code, or functionality, and should not be relied upon in making purchasing decisions. The development, release, and timing of any features or functionality described for Oracle’s products remains at the sole discretion of Oracle.


Page 21: MySQL 8.0 : Roles