MySQL 8.0 : Roles

Posted 14-Apr-2017 (category: Software)

Transcript of MySQL 8.0 : Roles

  • Copyright 2016, Oracle and/or its affiliates. All rights reserved. |

    MySQL 8.0 : Roles

    Harin Vadodaria, Developer, MySQL Server General Team, December 16, 2016


    Safe Harbor Statement

    The following is intended to outline our general product direction. It is intended for information purposes only, and may not be incorporated into any contract. It is not a commitment to deliver any material, code, or functionality, and should not be relied upon in making purchasing decisions. The development, release, and timing of any features or functionality described for Oracle's products remains at the sole discretion of Oracle.


    Program Agenda

    1. Roles in MySQL 8

    2. Questions & Answers


    Roles - Introduction

    Containers for privileges

    Can contain a variety of privileges and/or other roles

    Grantable just like regular privileges

    Usually without the ability to log in, but otherwise pretty similar to users

    Confidential Oracle Internal/Restricted/Highly Restricted 5


    Roles - Introduction

    Makes administration easier

    Less complicated grant structure

    Easy to add/remove privileges



    Roles In MySQL

    Shares a namespace with users

    Logically similar to a user account, albeit without the ability to log in

    Account information is stored in the mysql.user table

    Grant information (who is granted what, and how?) comes from the mysql.roles_edges table

    Role activation information (which roles are activated by default?) comes from the mysql.default_roles table



    Roles In MySQL

    Internals

    AuthorizationID: user@host; both users and roles are AuthorizationIDs

    Identical privilege representation for users and roles

    The role graph is constructed using the Boost Graph Library

    Breadth-first search of the role graph for privilege checking

    New caching mechanism to speed up privilege information retrieval when roles are in use



    Roles - Creating/Deleting roles

    CREATE ROLE roleA;

    Creates a placeholder in mysql.user as a locked account

    roleA is not actually a role unless it is granted

    Syntax variations: IF NOT EXISTS; creating multiple roles in one statement

    DROP ROLE roleA;

    Removes roleA from the database

    Including roleA's grants and default activation instructions, if any

    Syntax variations: IF EXISTS; dropping multiple roles in one statement



    Roles - Privilege Assignment

    GRANT SELECT ON *.* TO roleA;

    Just like grants for a user

    Syntax variations: grant to multiple roles

    Supports the different privilege levels: global, schema, object and sub-object

    REVOKE SELECT ON *.* FROM roleA;

    Syntax variations: revoke privileges from multiple roles



    Roles - Management

    GRANT roleA TO userA;

    Grants roleA to userA

    Makes it possible for userA to inherit roleA's properties

    Syntax variations: grant multiple roles to multiple users/roles; WITH ADMIN OPTION (more on that later!)

    REVOKE roleA FROM userA;

    Revokes roleA from userA

    Syntax variations: revoke multiple roles from multiple users/roles



    Roles - Management

    Roles hierarchy

    Possible to grant roles to other roles

    Facilitates composition



    Roles - Management

    WITH ADMIN OPTION

    Delegates the ability to control a role

    Create lesser admins to manage a subset of roles

    GRANT roleA TO userA WITH ADMIN OPTION

    GRANT roleA TO userB (executed by userA)
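An added example (not from the presentation) that puts the creation, privilege-assignment, hierarchy and WITH ADMIN OPTION steps above together as a least-privilege layout on MySQL 8.0 GA. The schema app, the roles app_read and app_write, and the accounts alice and bob are constructed; passwords are placeholders.

```sql
-- Added example, not from the presentation. Constructed names: schema app,
-- roles app_read / app_write, accounts alice and bob (placeholder passwords).

-- 1. Create roles: locked placeholders in mysql.user, no login possible.
CREATE ROLE IF NOT EXISTS 'app_read', 'app_write';

-- 2. Privileges go to the roles, never to individual accounts.
GRANT SELECT ON app.* TO 'app_read';
GRANT INSERT, UPDATE, DELETE ON app.* TO 'app_write';

-- 3. Hierarchy: app_write inherits app_read, so a writer can also read.
GRANT 'app_read' TO 'app_write';

-- 4. Accounts receive roles instead of direct privileges.
CREATE USER IF NOT EXISTS 'alice'@'localhost' IDENTIFIED BY '<placeholder-password>';
CREATE USER IF NOT EXISTS 'bob'@'localhost'   IDENTIFIED BY '<placeholder-password>';
GRANT 'app_read' TO 'bob'@'localhost';

-- 5. Delegation: alice may grant and revoke app_write for other accounts
--    without holding CREATE USER or the dynamic ROLE_ADMIN privilege herself.
GRANT 'app_write' TO 'alice'@'localhost' WITH ADMIN OPTION;

-- Run later in alice's own session (a lesser admin for exactly one role):
--   GRANT 'app_write' TO 'bob'@'localhost';
--   REVOKE 'app_write' FROM 'bob'@'localhost';

-- 6. Teardown: DROP ROLE removes every grant of the role and every default
--    role entry referencing it in one go, so inspect the edges before dropping.
-- SELECT * FROM mysql.role_edges WHERE FROM_USER = 'app_write';
-- DROP ROLE IF EXISTS 'app_write';
```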


    Roles - Activation/Deactivation

    Principle of least privilege: Don't always use the big guns!

    SET ROLE roleA

    Roles are not active by default

    Syntax variations:

    SET ROLE role_list

    SET ROLE ALL

    SET ROLE NONE (deactivate all active roles)




    Roles - Default Activation

    Activate common minimum set by default

    SET DEFAULT ROLE roleA TO userA | ALTER USER userA SET DEFAULT ROLE roleA

    Roles are activated automatically upon successful login

    Possible to activate multiple roles by default
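An added example (not from the presentation) of the activation and default-activation slides on MySQL 8.0 GA: a session that activates only what a task needs, then an administrator setting a minimal default. It assumes the constructed roles app_read and app_write and the account 'bob'@'localhost' with both roles granted; the table app.orders is also constructed.

```sql
-- Added example, not from the presentation. Assumes constructed roles
-- app_read / app_write, both granted to 'bob'@'localhost'.

-- Bob's session right after login: granted roles are NOT active yet.
SELECT CURRENT_ROLE();                 -- NONE
-- SELECT * FROM app.orders;           -- denied: no active role, no privilege

-- Activate only what the task needs.
SET ROLE 'app_read';
SELECT CURRENT_ROLE();                 -- `app_read`@`%`
-- UPDATE app.orders SET ...;          -- still denied: app_write not active

-- Escalate for the write, then drop back. SET ROLE replaces the active set;
-- app_write still covers reads because it inherits app_read.
SET ROLE 'app_write';
-- UPDATE app.orders SET ...;          -- allowed
SET ROLE NONE;                         -- back to no active roles
SET ROLE DEFAULT;                      -- or: back to the login-time default set

-- Administrator: give bob a minimal default so routine reads work without
-- SET ROLE, while writes keep requiring an explicit activation.
SET DEFAULT ROLE 'app_read' TO 'bob'@'localhost';
-- Equivalent in 8.0 GA: ALTER USER 'bob'@'localhost' DEFAULT ROLE 'app_read';

-- Verify what is recorded for bob.
SELECT USER, HOST, DEFAULT_ROLE_USER, DEFAULT_ROLE_HOST
  FROM mysql.default_roles
 WHERE USER = 'bob' AND HOST = 'localhost';

-- Caveat: when activate_all_roles_on_login is ON, every granted role is
-- active at login and the default-role restriction above is bypassed.
SELECT @@GLOBAL.activate_all_roles_on_login;   -- expect 0 (OFF)
```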



    Roles - Information

    New extension: SHOW GRANTS FOR user USING role

    SHOW GRANTS FOR user

    Direct grants only

    SHOW GRANTS FOR user USING role

    Direct grants + grants inherited from the given role


    Roles - Information

    ROLES_GRAPHML(): GraphML representation of the entire role graph
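An added example (not from the presentation) of reviewing a role graph on MySQL 8.0 GA with the SHOW GRANTS ... USING extension, the catalog tables and ROLES_GRAPHML(). mysql.role_edges is the GA name of the table the slides call mysql.roles_edges; the role and account names are the constructed ones used above.

```sql
-- Added example, not from the presentation. Constructed names: app_read,
-- app_write, 'bob'@'localhost'.

-- Direct grants only vs. effective grants with app_write (and, through the
-- hierarchy, app_read) taken into account.
SHOW GRANTS FOR 'bob'@'localhost';
SHOW GRANTS FOR 'bob'@'localhost' USING 'app_write';

-- Every edge of the graph: role -> grantee (an account or another role).
SELECT CONCAT(FROM_USER, '@', FROM_HOST) AS role_name,
       CONCAT(TO_USER,   '@', TO_HOST)   AS grantee,
       WITH_ADMIN_OPTION
  FROM mysql.role_edges
 ORDER BY role_name, grantee;

-- Who can hand roles out: delegated admins (WITH ADMIN OPTION) and holders
-- of the dynamic ROLE_ADMIN privilege. Both lists should be short.
SELECT CONCAT(TO_USER, '@', TO_HOST)     AS delegated_admin,
       CONCAT(FROM_USER, '@', FROM_HOST) AS of_role
  FROM mysql.role_edges
 WHERE WITH_ADMIN_OPTION = 'Y';
SELECT USER, HOST FROM mysql.global_grants WHERE PRIV = 'ROLE_ADMIN';

-- Roles carrying global (*.*) privileges, as in the slides' GRANT SELECT ON *.*:
-- any FROM side of an edge whose mysql.user row has a global privilege flag set.
SELECT DISTINCT u.User, u.Host, u.Select_priv, u.Insert_priv, u.Super_priv
  FROM mysql.user u
  JOIN mysql.role_edges e ON e.FROM_USER = u.User AND e.FROM_HOST = u.Host
 WHERE 'Y' IN (u.Select_priv, u.Insert_priv, u.Update_priv, u.Delete_priv,
               u.Super_priv, u.Grant_priv);

-- Whole graph as GraphML for offline visualisation (requires ROLE_ADMIN).
SELECT ROLES_GRAPHML();
```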



    Questions & Answers


    Safe Harbor Statement

    The preceding is intended to outline our general product direction. It is intended for information purposes only, and may not be incorporated into any contract. It is not a commitment to deliver any material, code, or functionality, and should not be relied upon in making purchasing decisions. The development, release, and timing of any features or functionality described for Oracle's products remains at the sole discretion of Oracle.
