使用Show Effective Grants查看權(quán)限

作者：醒嘞 2023-07-26 08:14:05

根據(jù)精確匹配原則，user1可以從172.%主機(jī)連接數(shù)據(jù)庫(kù)，全局權(quán)限為N(mysql.user)，db權(quán)限匹配上user1@'%'，擁有sbtest庫(kù)的所有操作權(quán)限。

1、問(wèn)題描述

用戶 show grants 顯示只有連接權(quán)限，但該用戶卻能執(zhí)行 sbtest.*下的所有操作。

GreatSQL> \s
...
Server version:  8.0.32-24 GreatSQL, Release 24, Revision 3714067bc8c
...
GreatSQL> show grants;
+---------------------------------------+
| Grants for user1@172.%                |
+---------------------------------------+
| GRANT USAGE ON *.* TO `user1`@`172.%` |
+---------------------------------------+
1 row in set (0.00 sec)

GreatSQL> select * from sbtest.sbtest1 limit 1;
+----+-----+-------------------------------------------------------------------------------------------------------------------------+-------------------------------------------------------------+
| id | k   | c                                                                                                                       | pad                                                         |
+----+-----+-------------------------------------------------------------------------------------------------------------------------+-------------------------------------------------------------+
|  1 | 250 | 50739423477-59896895752-91121550334-25071371310-03454727381-25307272676-12883025003-48844794346-97662793974-67443907837 | 10824941535-62754685647-36430831520-45812593797-70371571680 |
+----+-----+-------------------------------------------------------------------------------------------------------------------------+-------------------------------------------------------------+
1 row in set (0.00 sec)

2、官方文檔

MySQL 官方手冊(cè)，有這樣一段話

https://dev.mysql.com/doc/refman/8.0/en/show-grants.htmlSHOW GRANTS does not display privileges that are available to the named account but are granted to a different account. For example, if an anonymous account exists, the named account might be able to use its privileges, but SHOW GRANTS does not display them.

Percona Server 官方手冊(cè)，有類(lèi)似一段話

https://docs.percona.com/percona-server/8.0/management/extended_show_grants.htmlIn Oracle MySQL SHOW GRANTS displays only the privileges granted explicitly to the named account. Other privileges might be available to the account, but they are not displayed. For example, if an anonymous account exists, the named account might be able to use its privileges, but SHOW GRANTS will not display them. Percona Server for MySQL offers the SHOW EFFECTIVE GRANTS command to display all the effectively available privileges to the account, including those granted to a different account.

概括如下：

用戶 A 的 user 與用戶 B 的 user 相同，或者用戶 A 是匿名用戶
用戶 B 的 host 范圍是用戶 A 的 host 范圍的子集

滿足上述兩個(gè)條件，此時(shí)用戶 B 擁有顯式授予給用戶 A 的權(quán)限，但 SHOW GRANTS 不會(huì)顯示這部分權(quán)限。在 Percona Server 可以通過(guò) SHOW EFFECTIVE GRANTS 查看。

3、測(cè)試驗(yàn)證

3.1、同 user 用戶

1)創(chuàng)建用戶并授權(quán)

# 創(chuàng)建用戶
GreatSQL> CREATE USER grantee@localhost IDENTIFIED BY 'grantee1';
Query OK, 0 rows affected (0.05 sec)

GreatSQL> CREATE USER grantee@'%' IDENTIFIED BY 'grantee2';
Query OK, 0 rows affected (0.01 sec)

# 創(chuàng)建數(shù)據(jù)庫(kù)
GreatSQL> CREATE DATABASE IF NOT EXISTS sbtest;
Query OK, 1 row affected, 1 warning (0.00 sec)

GreatSQL> CREATE DATABASE IF NOT EXISTS sbtest1;
Query OK, 1 row affected (0.05 sec)

# 授權(quán)
GreatSQL> GRANT ALL PRIVILEGES ON sbtest.* TO grantee@'%';
Query OK, 0 rows affected (0.02 sec)

2)查看權(quán)限

GreatSQL> show grants for grantee@localhost;
+---------------------------------------------+
| Grants for grantee@localhost                |
+---------------------------------------------+
| GRANT USAGE ON *.* TO `grantee`@`localhost` |
+---------------------------------------------+
1 row in set (0.01 sec)

權(quán)限列表沒(méi)有顯示 grantee@localhost 對(duì) sbtest 庫(kù)的權(quán)限，但實(shí)際 grantee@localhost 已經(jīng)擁有 sbtest 庫(kù)下所有操作權(quán)限

3)grantee@localhost 登錄，執(zhí)行操作

GreatSQL> show grants;
+---------------------------------------------+
| Grants for grantee@localhost                |
+---------------------------------------------+
| GRANT USAGE ON *.* TO `grantee`@`localhost` |
+---------------------------------------------+
1 row in set (0.00 sec)

GreatSQL> create table sbtest.t1(id int primary key);
Query OK, 0 rows affected (0.04 sec)

GreatSQL> insert into sbtest.t1 select 1;
Query OK, 1 row affected (0.01 sec)
Records: 1  Duplicates: 0  Warnings: 0

4)使用 SHOW EFFECTIVE GRANTS 查看權(quán)限

GreatSQL> show effective grants;
+-------------------------------------------------------------+
| Effective grants for grantee@localhost                      |
+-------------------------------------------------------------+
| GRANT USAGE ON *.* TO `grantee`@`localhost`                 |
| GRANT ALL PRIVILEGES ON `sbtest`.* TO `grantee`@`localhost` |
+-------------------------------------------------------------+
2 rows in set (0.01 sec)

SHOW EFFECTIVE GRANTS顯示出擁有的同 user 用戶權(quán)限

3.2、匿名用戶

匿名用戶請(qǐng)參考：https://dev.mysql.com/doc/refman/8.0/en/connection-access.html

1)創(chuàng)建匿名用戶并授權(quán)

# 未指定host，默認(rèn)為%
GreatSQL> CREATE USER '';
Query OK, 0 rows affected (0.04 sec)

GreatSQL> GRANT ALL ON sbtest1.* TO '';
Query OK, 0 rows affected (0.02 sec)

2)查看權(quán)限

GreatSQL> show grants for grantee@localhost;
+---------------------------------------------+
| Grants for grantee@localhost                |
+---------------------------------------------+
| GRANT USAGE ON *.* TO `grantee`@`localhost` |
+---------------------------------------------+
1 row in set (0.01 sec)

權(quán)限列表沒(méi)有顯示 grantee@localhost 對(duì) sbtest1 庫(kù)的權(quán)限，但實(shí)際 grantee@localhost 已經(jīng)擁有 sbtest1 庫(kù)下所有操作權(quán)限

3)grantee@localhost 登錄，執(zhí)行操作

GreatSQL> select user(), current_user();
+-------------------+-------------------+
| user()            | current_user()    |
+-------------------+-------------------+
| grantee@localhost | grantee@localhost |
+-------------------+-------------------+
1 row in set (0.00 sec)

GreatSQL> show grants;
+---------------------------------------------+
| Grants for grantee@localhost                |
+---------------------------------------------+
| GRANT USAGE ON *.* TO `grantee`@`localhost` |
+---------------------------------------------+
1 row in set (0.00 sec)

GreatSQL> create table sbtest1.t2(id int primary key);
Query OK, 0 rows affected (0.03 sec)

GreatSQL> insert into sbtest1.t2 select 2;
Query OK, 1 row affected (0.01 sec)
Records: 1  Duplicates: 0  Warnings: 0

4)使用 SHOW EFFECTIVE GRANTS 查看權(quán)限

GreatSQL> show effective grants;
+-------------------------------------------------------------+
| Effective grants for grantee@localhost                      |
+-------------------------------------------------------------+
| GRANT USAGE ON *.* TO `grantee`@`localhost`                 |
| GRANT ALL PRIVILEGES ON `sbtest`.* TO `grantee`@`localhost` |
+-------------------------------------------------------------+
2 rows in set (0.01 sec)

注意：SHOW EFFECTIVE GRANTS沒(méi)有顯示出擁有的匿名用戶權(quán)限，sbtest.*是擁有的同 user 用戶權(quán)限

4、建議

1)使用 SHOW EFFECTIVE GRANTS 代替 SHOW GRANTS(GreatDB、GreatSQL、Percona Server)

GreatSQL> show effective grants for user1@`172.%`;
+-------------------------------------------------------+
| Effective grants for user1@172.%                      |
+-------------------------------------------------------+
| GRANT USAGE ON *.* TO `user1`@`172.%`                 |
| GRANT ALL PRIVILEGES ON `sbtest`.* TO `user1`@`172.%` |
+-------------------------------------------------------+
2 rows in set (0.00 sec)

2)賬號(hào)加固

匿名用戶，禁止匿名用戶登錄

GreatSQL> select user, host from mysql.user where user='';
+------+------+
| user | host |
+------+------+
|      | %    |
+------+------+
1 row in set (0.02 sec)

同 user 不同 host

GreatSQL> select u.user, u.host, p.user priv_user, p.host priv_host from (
    -> select user, host from mysql.db
    -> union
    -> select user, host from mysql.tables_priv
    -> union
    -> select user, host from mysql.columns_priv) p
    -> left join mysql.user u on p.user=u.user 
    -> where p.host<>u.host;
+---------+-----------+-----------+-----------+
| user    | host      | priv_user | priv_host |
+---------+-----------+-----------+-----------+
| user1   | 172.%     | user1     | %         |
| grantee | localhost | grantee   | %         |
+---------+-----------+-----------+-----------+
2 rows in set (0.01 sec)

到各權(quán)限表查看對(duì)應(yīng)user信息，核實(shí)權(quán)限'錯(cuò)亂'的原因

GreatSQL> select * from mysql.user where user='user1'\G
*************************** 1. row ***************************
                    Host: 172.%
                    User: user1
             Select_priv: N
             ...
1 row in set (0.05 sec)

GreatSQL> select * from mysql.db where user='user1'\G
*************************** 1. row ***************************
                 Host: %
                   Db: sbtest
                 User: user1
          Select_priv: Y
          ...
1 row in set (0.01 sec)

user 表只有 user1@'172.%'，db 表只有 user1@'%'，對(duì)應(yīng)算兩個(gè)用戶。
可能是手動(dòng)更新過(guò)權(quán)限表：例如創(chuàng)建用戶xx@'%'，授權(quán)db.*所有權(quán)限，后來(lái)更新mysql.user表中的記錄為xx@'172.%'限制登錄來(lái)源。
根據(jù)精確匹配原則，user1可以從172.%主機(jī)連接數(shù)據(jù)庫(kù)，全局權(quán)限為N(mysql.user)，db權(quán)限匹配上user1@'%'，擁有sbtest庫(kù)的所有操作權(quán)限。

責(zé)任編輯：武曉燕來(lái)源： GreatSQL社區(qū)