Mark C. Stafford wrote:
On Mon, 6 Sep 2004 19:53:17 -0400, Rhino <[EMAIL PROTECTED]> wrote:
I just assumed it might work the same in MySQL.
That's where I started as well, Rhino. Here is a simplified version of what I did, line for line:
mysql> /* never heard of him, right? */
-> SHOW GRANTS FOR 'jdoe'@'192.168.%';
ERROR 1141: There is no such grant defined for user 'jdoe' on host '192.168.%'
mysql>
mysql> /* WITH GRANT OPTION */
-> GRANT SELECT, INSERT, UPDATE
-> ON test.*
-> TO 'jdoe'@'192.168.%'
-> IDENTIFIED BY 'uhoh'
-> WITH GRANT OPTION;
Query OK, 0 rows affected (0.01 sec)
mysql>
mysql> /* not spreading the GRANT OPTION, right? */
-> GRANT DELETE
-> ON test.*
-> TO 'jdoe'@'192.168.%';
Query OK, 0 rows affected (0.00 sec)
mysql>
mysql> /* applying the changes */
-> FLUSH PRIVILEGES;
Query OK, 0 rows affected (0.01 sec)
You do not need FLUSH PRIVILEGES when you use GRANT and REVOKE. They take care of that automatically. This doesn't hurt anything, but you only need it when you edit the grant tables directly.
mysql>
mysql> /* WTF?, over */
-> SHOW GRANTS FOR 'jdoe'@'192.168.%';
+------------------------------------------------------------------------------------------+
| Grants for [EMAIL PROTECTED]                                                             |
+------------------------------------------------------------------------------------------+
| GRANT USAGE ON *.* TO 'jdoe'@'192.168.%' IDENTIFIED BY PASSWORD '14592d223aea00a7'       |
| GRANT SELECT, INSERT, UPDATE, DELETE ON `test`.* TO 'jdoe'@'192.168.%' WITH GRANT OPTION |
+------------------------------------------------------------------------------------------+
2 rows in set (0.00 sec)
I'd suggest a quick trip to the manual, instead of speculating:
| The WITH GRANT OPTION clause gives the user the ability to give to
| other users any privileges the user has at the specified privilege
| level. You should be careful to whom you give the GRANT OPTION
| privilege, because two users with different privileges may be able to
| join privileges!
|
| You cannot grant another user a privilege you don't have yourself; the
| GRANT OPTION privilege allows you to give away only those privileges
| you possess.
|
| Be aware that when you grant a user the GRANT OPTION privilege at a
| particular privilege level, any privileges the user already possesses
| (or is given in the future!) at that level are also grantable by that
| user. Suppose that you grant a user the INSERT privilege on a database.
| If you then grant the SELECT privilege on the database and specify WITH
| GRANT OPTION, the user can give away not only the SELECT privilege, but
| also INSERT. If you then grant the UPDATE privilege to the user on the
| database, the user can give away INSERT, SELECT, and UPDATE.

<http://dev.mysql.com/doc/mysql/en/GRANT.html>
If you have GRANT, you can give away any privilege you have, so if jdoe should not be able to grant the delete priv, he can't have the delete priv.
Michael
--
MySQL General Mailing List
For list archives: http://lists.mysql.com/mysql
To unsubscribe: http://lists.mysql.com/[EMAIL PROTECTED]
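
Added example, not part of the original thread: a small Python audit that folds GRANT statements (as issued, or as rows of SHOW GRANTS output) into the set of privileges each account can give away, following the manual's rule that GRANT OPTION covers everything held at that privilege level. The function names and the `must_not_delegate` policy set are assumptions made for illustration; the sample statements are constructed from the session quoted above, and column-level privilege lists are not handled.

```python
import re
from collections import defaultdict

# Matches "GRANT <privs> ON <level> TO '<user>'@'<host>' <rest>".
GRANT_RE = re.compile(
    r"GRANT\s+(?P<privs>.+?)\s+ON\s+(?P<level>\S+)\s+TO\s+"
    r"(?P<grantee>'[^']*'@'[^']*')(?P<rest>.*)",
    re.IGNORECASE | re.DOTALL,
)

def grantable_privileges(statements):
    """Map (grantee, level) -> privileges that grantee can give away.

    GRANT OPTION is a flag on the privilege level, not on individual
    privileges, so it covers every privilege held at that level, no
    matter which statement granted it or in what order.
    """
    held = defaultdict(set)
    has_grant_option = set()
    for stmt in statements:
        m = GRANT_RE.match(stmt.strip())
        if not m:
            continue
        key = (m["grantee"], m["level"].replace("`", ""))
        privs = {p.strip().upper() for p in m["privs"].split(",")}
        held[key] |= privs - {"USAGE"}  # USAGE means "no privileges"
        if re.search(r"WITH\s+GRANT\s+OPTION", m["rest"], re.IGNORECASE):
            has_grant_option.add(key)
    return {key: held[key] for key in has_grant_option}

def violations(statements, must_not_delegate):
    """Return accounts able to give away a privilege the policy forbids."""
    found = {}
    for key, privs in grantable_privileges(statements).items():
        if privs & must_not_delegate:
            found[key] = privs & must_not_delegate
    return found

# Constructed sample input: the two GRANTs from the session above.
AS_ISSUED = [
    "GRANT SELECT, INSERT, UPDATE ON test.* TO 'jdoe'@'192.168.%' "
    "IDENTIFIED BY 'uhoh' WITH GRANT OPTION;",
    "GRANT DELETE ON test.* TO 'jdoe'@'192.168.%';",
]
# Constructed sample input: the rows SHOW GRANTS returned afterwards.
SHOW_GRANTS_ROWS = [
    "GRANT USAGE ON *.* TO 'jdoe'@'192.168.%' "
    "IDENTIFIED BY PASSWORD '14592d223aea00a7'",
    "GRANT SELECT, INSERT, UPDATE, DELETE ON `test`.* "
    "TO 'jdoe'@'192.168.%' WITH GRANT OPTION",
]

if __name__ == "__main__":
    print(violations(AS_ISSUED, {"DELETE"}))
```

Both inputs produce the same result: DELETE is grantable by jdoe on test.* even though the statement that granted it did not mention GRANT OPTION.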