当用户对多次赋予权限后,由于各种原因,需要将此用户的权限全部取消,此时,REVOKE 命令可能并不会按照我们的意愿执行,来看下面的例子。
(1)连续赋予用户两次权限,其中,第 2 次是对所有数据库的所有权限。
mysql> grant select,insert on test1.* to z1@localhost;
Query OK, 0 rows affected (0.00 sec)
mysql> grant all privileges on *.* to z1@localhost;
Query OK, 0 rows affected (0.00 sec)
mysql> show grants for z1@localhost;
+-------------------------------------------------------+
| Grants for z1@localhost |
+-------------------------------------------------------+
| GRANT ALL PRIVILEGES ON *.* TO 'z1'@'localhost' |
| GRANT SELECT, INSERT ON `test1`.* TO 'z1'@'localhost' |
+-------------------------------------------------------+
2 rows in set (0.00 sec)(2)此时,需要取消此用户的所有权限。
mysql> revoke all privileges on *.* from z1@localhost;
Query OK, 0 rows affected (0.00 sec)(3)我们很可能以为,此时用户已经没有任何权限了,而不会再去查看他的权限表。而实际上,此时的用户依然拥有 test1 上的 SELECT 和 INSERT 权限。
mysql> show grants for z1@localhost;
+-------------------------------------------------------+
| Grants for z1@localhost |
+-------------------------------------------------------+
| GRANT USAGE ON *.* TO 'z1'@'localhost' |
| GRANT SELECT, INSERT ON `test1`.* TO 'z1'@'localhost' |
+-------------------------------------------------------+
2 rows in set (0.00 sec)(4)此时,再次用z1登录,测试一下是否能对test1数据库做操作。
[zzx@localhost ~]$ mysql -uz1
Welcome to the MySQL monitor. Commands end with ; or \g.
Your MySQL connection id is 26
Server version: 5.0.41-community-log MySQL Community Edition (GPL)
Type 'help;' or '\h' for help. Type '\c' to clear the buffer.
mysql> use test1
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A
Database changed
mysql> show tables;
+-----------------+
| Tables_in_test1 |
+-----------------+
| t1 |
| t12 |
| t2 |
+-----------------+
3 rows in set (0.00 sec)
mysql> insert into t1 values(1);
Query OK, 1 row affected (0.00 sec)这个是MySQL权限机制造成的隐患,在一个数据库上多次赋予权限,权限会自动合并;但是在多个数据库上多次赋予权限,每个数据库上都会认为是单独的一组权限,必须在此数据库上用REVOKE命令来单独进行权限收回,而REVOKE ALL PRIVILEGES ON.并不会替用户自动完成这个各种。