Roles Overview
MariaDB starting with 10.0.5
Roles were introduced in MariaDB 10.0.5.
A role bundles a number of privileges together. It assists larger organizations where, typically, a number of users would have the same privileges, and, previously, the only way to change the privileges for a group of users was by changing each user's privileges individually.
Alternatively, multiple external users could have been assigned the same user, and there would have been no way to see which actual user was responsible for which action.
With roles, managing this is easy. For example, there could be a number of users assigned to a journalist role, with identical privileges. Changing the privileges for all the journalists is a matter of simply changing the role's privileges, while the individual user is still linked with any changes that take place.
Roles are created with the CREATE ROLE statement, and dropped with the DROP-ROLE statement. Roles are then assigned to a user with an extension to the GRANT statement, while privileges are assigned to a role in the regular way with GRANT. Similarly, the REVOKE statement can be used to both revoke a role from a user, or revoke a privilege from a role.
Once a user has connected, they can activate a role for a session with the SET ROLE statement, while the CURRENT_ROLE function returns the current role for the session, if any.
Roles were implemented as a GSoC 2013 project by Vicentiu Ciorbaru.
Examples
Creating a role and granting a permission:
CREATE ROLE journalist; GRANT SHOW DATABASES ON *.* TO journalist; GRANT journalist to hulda;
User hulda setting the role for a session in order to access a permission:
SHOW DATABASES; +--------------------+ | Database | +--------------------+ | information_schema | +--------------------+ SELECT CURRENT_ROLE; +--------------+ | CURRENT_ROLE | +--------------+ | NULL | +--------------+ SET ROLE journalist; SELECT CURRENT_ROLE; +--------------+ | CURRENT_ROLE | +--------------+ | journalist | +--------------+ SHOW DATABASES; +--------------------+ | Database | +--------------------+ | ... | | information_schema | | mysql | | performance_schema | | test | | ... | +--------------------+ SET ROLE NONE;
Other resources
- Roles Review by Peter Gulutzan