stackoom
  简体   繁体   中英

Revoke only delete from user with all privileges on MySQL

 原文  2021-05-07 07:53:20       mysql/ database/ grant

Question

I have a user with all privileges for a specific DB in MySQL 8:

GRANT ALL PRIVILEGES ON `mydatabase`.* TO `foo`@`localhost`

I can check the grants with SHOW GRANTS FOR 'foo'@'localhost'; and I get:

+-------------------------------------------------------------+
| Grants for foo@localhost                                    |
+-------------------------------------------------------------+
| GRANT USAGE ON *.* TO `foo`@`localhost`                     |
| GRANT ALL PRIVILEGES ON `mydatabase`.* TO `foo`@`localhost` |
+-------------------------------------------------------------+

Now I need to remove the DELETE grant on a specific table, so I've tried with:

REVOKE DELETE ON `mydatabase`.`mytable` FROM 'foo'@'localhost';

but I get the following error:

ERROR 1147 (42000): There is no such grant defined for user 'foo' on host 'localhost' on table 'mytable'

How can I remove the delete grant? I have to add all grants one by one (which ones are they?) and then remove the delete grant?

1 answers

solution1
 1 ACCPTED  2021-05-07 08:19:08

GRANT adds according row into privileges table.

REVOKE deletes the row with specified privilege from this table, not add another row with removing the privilege. So you can revoke only those privilege which is present in a table. Precisely.

You may:

  1. Add separate privileges list with all privileges included into ALL PRIVILEGES except DELETE privilege on the database level
  2. Add DELETE privilege on all tables except mytable
  3. Remove ALL PRIVILEGES privilege

This is too complex. But correct.

Alternatively you may simplify the solution, do not use privileges system (of course this is not good practice), and forbid the deletion on the programming level using according trigger:

CREATE TRIGGER forbid_delete_for_user
BEFORE DELETE 
ON mytable
FOR EACH ROW
BEGIN
    IF LOCATE(USER(), 'foo@localhost,bar@localhost') THEN
        SIGNAL SQLSTATE '45000'
            SET MESSAGE_TEXT = 'Deletion from 'mytable' not allowed for current user.';
    END IF;
END

But you must remember that cascaded foreign key actions do not activate triggers . So the user can find the way for to delete the rows from this table nevertheless.

暂无
暂无

The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.

Related Question Revoke privileges from user in mySQL how to revoke privileges for a MySQL user How do you revoke all EXECUTE privileges for a user in MySQL? Revoke all privileges for all users on a MySQL DB How to revoke MySQL user privileges for one table? mysql revoke root privileges carefully Mysql grant all privileges to user Revoke MySQL Privileges on no longer existing Table Mysql Revoke Privileges Not Affecting For Existed Connections revoke all privileges, grant option not working?
Related Tags
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM