问题
I find the explanation of DEFINER in the MySQL manual confusing, so I am not sure what privileges are required for the 'execute user' under which the application is running. For security, I like to limit the 'execute user' to the least amount of permissions needed.
I understand that the creator of a trigger/stored procedure requires SUPER privileges, but does the 'execute user' also require SUPER permissions?
I created a trigger under a user that eventually lost privileges to my database. The 'execute user' did Not have SUPER privileges and a MySQL UPDATE that had a trigger failed.
I gave SUPER privileges to the 'execute user' and I changed the DEFINER to root by dropping and creating the triggers and it all works. Did I have to give SUPER privileges to the 'execute user' or do I have to be sure the DEFINER user is still around and has SUPER privileges?
What are the best practices for user management with TRIGGERS and STORED PROCEDURES for MySQL?
回答1:
There are some peculiarities distinguishing between stored routines and triggers. Here I will try to help with the issue of triggers.
I hope the following summary is helpful.
The first thing is to determine the MySQL version you are using.
According to the documentation:
MySQL 5.0: 13.1.11. CREATE TRIGGER Syntax
From MySQL 5.0.17 on, MySQL takes the DEFINER user into account when checking trigger privileges as follows:
At CREATE TRIGGER time, the user who issues the statement must have the SUPER privilege.
At trigger activation time, privileges are checked against the DEFINER user. This user must have these privileges:
The SUPER privilege.
The SELECT privilege for the subject table if references to table columns occur using OLD.col_name or NEW.col_name in the trigger body.
The UPDATE privilege for the subject table if table columns are targets of SET NEW.col_name = value assignments in the trigger body.
Whatever other privileges normally are required for the statements executed by the trigger.
Before MySQL 5.0.17, DEFINER is not available and MySQL checks trigger privileges like this:
At CREATE TRIGGER time, the user who issues the statement must have the SUPER privilege.
At trigger activation time, privileges are checked against the user whose actions cause the trigger to be activated. This user must have whatever privileges normally are required for the statements executed by the trigger.
MySQL 5.1 and above: 13.1.19. CREATE TRIGGER Syntax
MySQL takes the DEFINER user into account when checking trigger privileges as follows:
At CREATE TRIGGER time, the user who issues the statement must have the TRIGGER privilege. (SUPER prior to MySQL 5.1.6.)
At trigger activation time, privileges are checked against the DEFINER user. This user must have these privileges:
The TRIGGER privilege. (SUPER prior to MySQL 5.1.6.)
The SELECT privilege for the subject table if references to table columns occur using OLD.col_name or NEW.col_name in the trigger body.
The UPDATE privilege for the subject table if table columns are targets of SET NEW.col_name = value assignments in the trigger body.
Whatever other privileges normally are required for the statements executed by the trigger.
来源:https://stackoverflow.com/questions/19815837/in-mysql-what-privileges-are-required-for-executing-a-trigger