Details

    • Type: Task
    • Status: Closed
    • Priority: Major
    • Resolution: Fixed
    • Fix Version/s: 10.1.1
    • Component/s: None
    • Labels:
      None

      Description

      Syntax variants (which ones will we do?):

      CREATE USER xxx DEFAULT ROLE yyy;
      ALTER USER xxx DEFAULT ROLE yyy;
      SET DEFAULT ROLE yyy;
      SET DEFAULT ROLE yyy [ FOR xxx ];
      

      When a default role is set, the server implicitly runs SET ROLE yyy for every new connection (or after a COM_CHANGE_USER for a user xxx).

      The default role is stored in a new column in the mysql.user table.


              Activity

              joffrey Joffrey MICHAIE added a comment -

              Hi,

              Without Roles, when a normal user logs in, all his rights are loaded, and visible in the SHOW GRANTS FOR CURRENT_USER();

              With roles, a user may want to get ALL privileges from all his ROLES granted at connect time.
              This removes the need for default ROLE, and the need to run SET ROLE by applications/users to switch between roles.

              What are your thoughts on this?

              Regards,
              Joffrey

              serg Sergei Golubchik added a comment -

              It would be very non-standard. According to the SQL standard one needs SET ROLE to be able to use a role's privileges, and one can have at most one role set at any given point in time.

              To have all privileges from all roles one should — to stay within the SQL standard — create a new role, grant all other roles to it, and then SET this new role.

              elenst Elena Stepanova added a comment - - edited

              For a note, we ended up with the second variant of syntax:

              SET DEFAULT ROLE yyy;
              SET DEFAULT ROLE yyy [ FOR xxx ];
              
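The aggregate-role approach from Sergei's comment combined with the SET DEFAULT ROLE syntax the thread settled on, as an added example that is not part of the original issue or the project's own code. The role, account and schema names are constructed, and `default_role` is assumed to be the name of the mysql.user column the description mentions.

```sql
-- Added example: every role, account and schema name below is a constructed placeholder.

-- Two narrow roles, each carrying one set of privileges.
CREATE ROLE reporting;
CREATE ROLE billing;
GRANT SELECT ON sales.* TO reporting;
GRANT SELECT, INSERT, UPDATE ON invoices.* TO billing;

-- Aggregate role: only one role can be active at a time, so grant the
-- narrow roles to a single role that can be set in one step.
CREATE ROLE app_all;
GRANT reporting TO app_all;
GRANT billing TO app_all;

-- The account must hold the role before the role can become its default.
CREATE USER 'app'@'localhost' IDENTIFIED BY 'change-me';
GRANT app_all TO 'app'@'localhost';

-- Adopted syntax: the server implicitly runs SET ROLE app_all
-- for every new connection of this account.
SET DEFAULT ROLE app_all FOR 'app'@'localhost';

-- Audit which accounts have a role activated at connect time.
-- (Column name default_role is an assumption; the page only says "a new column".)
SELECT user, host, default_role
  FROM mysql.user
 WHERE default_role <> '';

-- In a fresh session as 'app'@'localhost', confirm what is active:
SELECT CURRENT_ROLE();   -- expected to report app_all
SHOW GRANTS;             -- lists the grants in effect for the session

-- Back to an explicit SET ROLE per session:
SET DEFAULT ROLE NONE FOR 'app'@'localhost';
```

With an aggregate default role every privilege of the account is active from the first statement of each connection; setting a narrower role such as `reporting` as the default keeps the remaining privileges behind an explicit SET ROLE.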

                People

                • Assignee:
                  serg Sergei Golubchik
                  Reporter:
                  serg Sergei Golubchik
                • Votes:
                  3
                  Watchers:
                  7

                  Dates

                  • Created:
                    Updated:
                    Resolved:

                    Time Tracking

                    Estimated:
                    Not Specified
                    Remaining:
                    0m
                    Logged:
                    1h 20m