mysql - 允许在程序中授予权限吗？

Question

我创建了一个过程，该过程将准备一个语句来向具有密码的用户授予权限。我创建此过程是为了避免向管理员用户授予显式 GRANT 权限，而是让他们使用完全符合我期望他们执行的操作的过程。

流程如下:

CREATE PROCEDURE grantPermission (perm VARCHAR(30), target VARCHAR(30), id VARCHAR(8), host VARCHAR(45), passwd VARCHAR(45))
  BEGIN
    SET @setPermissionCmd = CONCAT('GRANT ', perm, ' ON ', target, ' TO ''', id, '''@''', host, ''' IDENTIFIED BY ''', passwd, ''';');
    PREPARE setPermissionStmt FROM @setPermissionCmd;
    EXECUTE setPermissionStmt;
    DEALLOCATE PREPARE setPermissionStmt;
    FLUSH PRIVILEGES;
  END

当我CALL此过程时，收到错误代码 1142，我无权GRANT。这里有两个问题。第一，我以 root 身份执行此操作，它应该拥有所有权限(我没有剥夺任何权限，而 root 是创建该过程的人)。第二，拥有执行该过程的权限应该意味着有权执行其中的任何操作。

Answer 1

我的测试:

$ mysql -u root -p
Enter password: 
Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 1
Server version: 5.5.35-1ubuntu1 (Ubuntu)

Copyright (c) 2000, 2013, Oracle and/or its affiliates. All rights reserved.

Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

mysql> use test;
Database changed

mysql> CREATE TABLE `tableTest`(`id` INT UNSIGNED);
Query OK, 0 rows affected (0.00 sec)

mysql> CREATE USER 'userTest'@'localhost' IDENTIFIED BY 'mypass';
Query OK, 0 rows affected (0.00 sec)

mysql> SHOW GRANTS FOR 'userTest'@'localhost';
+-----------------------------------------------------------------------------------------------------------------+
| Grants for userTest@localhost                                                                                   |
+-----------------------------------------------------------------------------------------------------------------+
| GRANT USAGE ON *.* TO 'userTest'@'localhost' IDENTIFIED BY PASSWORD '*6C8989366EAF75BB670AD8EA7A7FC1176A95CEF4' |
+-----------------------------------------------------------------------------------------------------------------+
1 row in set (0.00 sec)

mysql> DELIMITER //

mysql> DROP PROCEDURE IF EXISTS `grantPermission`//
Query OK, 0 rows affected, 1 warning (0.00 sec)

mysql> CREATE PROCEDURE `grantPermission` (`perm` VARCHAR(30),
    ->                                     `target` VARCHAR(30),
    ->                                     `id` VARCHAR(8),
    ->                                     `host` VARCHAR(45),
    ->                                     `passwd` VARCHAR(45))
    -> BEGIN
    ->     SET @`setPermissionCmd` = CONCAT(
    ->     'GRANT ', `perm`, ' ON `', `target`, '`
     >      TO ''', `id`, '''@''', `host`, ''' 
     >     IDENTIFIED BY ''', `passwd`, ''';');
    ->     PREPARE `setPermissionStmt` FROM @`setPermissionCmd`;
    ->     EXECUTE `setPermissionStmt`;
    ->     DEALLOCATE PREPARE `setPermissionStmt`;
    ->     FLUSH PRIVILEGES;
    -> END//
Query OK, 0 rows affected (0.00 sec)

mysql> DELIMITER ;

mysql> CALL `grantPermission`('SELECT', 'tableTest', 'userTest', 'localhost', 'mypass');
Query OK, 0 rows affected (0.00 sec)

mysql> SHOW GRANTS FOR 'userTest'@'localhost';
+-----------------------------------------------------------------------------------------------------------------+
| Grants for userTest@localhost                                                                                   |
+-----------------------------------------------------------------------------------------------------------------+
| GRANT USAGE ON *.* TO 'userTest'@'localhost' IDENTIFIED BY PASSWORD '*6C8989366EAF75BB670AD8EA7A7FC1176A95CEF4' |
| GRANT SELECT ON `test`.`tableTest` TO 'userTest'@'localhost'                                                    |
+-----------------------------------------------------------------------------------------------------------------+
2 rows in set (0.00 sec)