首页 > 数据库 >Mysql 访问视图却报ERROR 1356 (HY000)错误

Mysql 访问视图却报ERROR 1356 (HY000)错误

时间:2023-01-03 23:23:00浏览次数:67  
标签:name GRANT CREATE 1356 视图 asher drm Mysql test

目录

1.适用范围

MYSQL 8.0

2.问题概述

普通业务用户,在自己用户下创建了表和视图,表可以正常访问,而访问视图却报ERROR 1356 (HY000)错误,测试如下:

mysql> desc asher_test ;
+-----------+-------------+------+-----+---------+-------+
| Field     | Type        | Null | Key | Default | Extra |
+-----------+-------------+------+-----+---------+-------+
| name      | varchar(50) | YES  |     | NULL    |       |
| purchased | date        | YES  |     | NULL    |       |
+-----------+-------------+------+-----+---------+-------+
2 rows in set (0.00 sec)

mysql> select * from asher_test;
+-------------+------------+
| name        | purchased  |
+-------------+------------+
| fullbackup  | 2022-11-27 |
+-------------+------------+
1 row in set (0.00 sec)

mysql> select * from ray ;
ERROR 1356 (HY000): View 'drm.ray' references invalid table(s) or column(s) or function(s) or definer/invoker of view lack rights to use them



3.问题原因

3.1.通过root 用户查询问题仍然存在,且所有视图问题都是相同的。

mysql> select * from ray ;
ERROR 1356 (HY000): View 'drm.ray' references invalid table(s) or column(s) or function(s) or definer/invoker of view lack rights to use them

3.2.root 自己的创建的视图可以正常访问


CREATE VIEW asher_v2   
     (v_name,v_purchased )
     AS SELECT name, purchased
     FROM asher_test;

mysql> select * from asher_v2   ;
+-------------+-------------+
| v_name      | v_purchased |
+-------------+-------------+
| fullbackup  | 2022-11-27  |
+-------------+-------------+
1 row in set (0.00 sec)

drop VIEW asher_v2   ;

3.3.查看用户权限

mysql> show grants for `drm_admin`@`%` ;
+------------------------------------------------------------------------------------+
| Grants for drm_admin@%                                                             |
+------------------------------------------------------------------------------------+
| GRANT USAGE ON *.* TO `drm_admin`@`%`                                              |
| GRANT SELECT ON `performance_schema`.`user_variables_by_thread` TO `drm_admin`@`%` |
| GRANT `drm_admin_role`@`%` TO `drm_admin`@`%`                                      |
+------------------------------------------------------------------------------------+
3 rows in set (0.00 sec)

mysql> show grants for drm_admin_role ;
+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| Grants for drm_admin_role@%                                                                                                                                                                                                         |
+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| GRANT PROCESS, CREATE USER ON *.* TO `drm_admin_role`@`%`                                                                                                                                                                           |
| GRANT SELECT, INSERT, UPDATE, DELETE, CREATE, DROP, REFERENCES, INDEX, ALTER, CREATE TEMPORARY TABLES, EXECUTE, 
CREATE VIEW, SHOW VIEW, CREATE ROUTINE, ALTER ROUTINE, TRIGGER ON `drm`.* TO `drm_admin_role`@`%` WITH GRANT OPTION |
|                                                                                                                                                         |
+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
3 rows in set (0.00 sec)

3.4.以为是权限问题,重新授权问题仍然存在

grant all privileges on drm.* to drm_admin_role ;

CREATE VIEW asher_v3  
     (v_name,v_purchased )
     AS SELECT name, purchased
     FROM asher_test;

mysql> select * from asher_v3   ;
ERROR 1356 (HY000): View 'drm.asher_v3' references invalid table(s) or column(s) or function(s) or definer/invoker of view lack rights to use them

3.5.创建普通用户直接授权,可以正常查询

create user test@'%' identified by 'xxxxxx';
Query OK, 0 rows affected (0.00 sec)

GRANT SELECT, INSERT, UPDATE, DELETE, CREATE, DROP, REFERENCES, INDEX, ALTER, CREATE TEMPORARY TABLES, EXECUTE, CREATE VIEW, SHOW VIEW, CREATE ROUTINE, ALTER ROUTINE, TRIGGER ON `drm`.* TO test@'%' WITH GRANT OPTION ;


CREATE VIEW asher_v4
     AS SELECT name, purchased
     FROM asher_test;

select * from asher_v4 ;
mysql> select * from asher_v4 ;
+-------------+------------+
| name        | purchased  |
+-------------+------------+
| fullbackup  | 2022-11-27 |
+-------------+------------+
1 row in set (0.00 sec)

3.6.通过角色授权,问题存在


mysql> show grants for  test@'%' ;
+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| Grants for test@%                                                                                                                                                                                                         |
+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| GRANT USAGE ON *.* TO `test`@`%`                                                                                                                                                                                          |
| GRANT SELECT, INSERT, UPDATE, DELETE, CREATE, DROP, REFERENCES, INDEX, ALTER, CREATE TEMPORARY TABLES, EXECUTE, CREATE VIEW, SHOW VIEW, CREATE ROUTINE, ALTER ROUTINE, TRIGGER ON `drm`.* TO `test`@`%` WITH GRANT OPTION |
+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
2 rows in set (0.00 sec)

revoke   SELECT, INSERT, UPDATE, DELETE, CREATE, DROP, REFERENCES, INDEX, ALTER, CREATE TEMPORARY TABLES, EXECUTE, CREATE VIEW, SHOW VIEW, CREATE ROUTINE, ALTER ROUTINE, TRIGGER ON `drm`.* from `test`@`%` ;


mysql> show grants for  test@'%' ;
+--------------------------------------------------------+
| Grants for test@%                                      |
+--------------------------------------------------------+
| GRANT USAGE ON *.* TO `test`@`%`                       |
| GRANT USAGE ON `drm`.* TO `test`@`%` WITH GRANT OPTION |
+--------------------------------------------------------+
2 rows in set (0.01 sec)

GRANT  `drm_admin_role`@`%` TO test@'%'   ;

  show grants for  test@'%' ;
+--------------------------------------------------------+
| Grants for test@%                                      |
+--------------------------------------------------------+
| GRANT USAGE ON *.* TO `test`@`%`                       |
| GRANT USAGE ON `drm`.* TO `test`@`%` WITH GRANT OPTION |
| GRANT `drm_admin_role`@`%` TO `test`@`%`               |
+--------------------------------------------------------+
3 rows in set (0.00 sec)


drop VIEW asher_v5 ; 
  CREATE VIEW asher_v5
        AS SELECT name, purchased
        FROM asher_test;
 

mysql> select * from asher_v5 ;
ERROR 1356 (HY000): View 'drm.asher_v5' references invalid table(s) or column(s) or function(s) or definer/invoker of view lack rights to use them
同样的权限给角色 不能解决问题 

3.7.重建角色问题仍然存在

revoke `drm_admin_role`@`%` from  `test`@`%` ; 
create role test_role ; 

GRANT SELECT, INSERT, UPDATE, DELETE, CREATE, DROP, REFERENCES, INDEX, ALTER, CREATE TEMPORARY TABLES, EXECUTE, CREATE VIEW, SHOW VIEW, CREATE ROUTINE, ALTER ROUTINE, TRIGGER ON `drm`.* TO test_role  WITH GRANT OPTION ;

mysql> show grants for test_role ;
+--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| Grants for test_role@%                                                                                                                                                                                                         |
+--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| GRANT USAGE ON *.* TO `test_role`@`%`                                                                                                                                                                                          |
| GRANT SELECT, INSERT, UPDATE, DELETE, CREATE, DROP, REFERENCES, INDEX, ALTER, CREATE TEMPORARY TABLES, EXECUTE, CREATE VIEW, SHOW VIEW, CREATE ROUTINE, ALTER ROUTINE, TRIGGER ON `drm`.* TO `test_role`@`%` WITH GRANT OPTION |
+--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
2 rows in set (0.00 sec)

mysql> show grants for drm_admin_role ;
+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| Grants for drm_admin_role@%                                                                                                                                                                                                         |
+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| GRANT PROCESS, CREATE USER ON *.* TO `drm_admin_role`@`%`                                                                                                                                                                           |
| GRANT SELECT, INSERT, UPDATE, DELETE, CREATE, DROP, REFERENCES, INDEX, ALTER, CREATE TEMPORARY TABLES, EXECUTE, CREATE VIEW, SHOW VIEW, CREATE ROUTINE, ALTER ROUTINE, TRIGGER ON `drm`.* TO `drm_admin_role`@`%` WITH GRANT OPTION |
+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
2 rows in set (0.00 sec)

mysql> 

grant test_role  to  `test`@`%` ;
show grants for  `test`@`%` ;
+--------------------------------------------------------+
| Grants for test@%                                      |
+--------------------------------------------------------+
| GRANT USAGE ON *.* TO `test`@`%`                       |
| GRANT USAGE ON `drm`.* TO `test`@`%` WITH GRANT OPTION |
| GRANT `test_role`@`%` TO `test`@`%`                    |
+--------------------------------------------------------+
3 rows in set (0.00 sec)

drop VIEW asher_v6 ; 
  CREATE VIEW asher_v6
        AS SELECT name, purchased
        FROM asher_test;

3.8.将视图 definer改成invoker的

# 把视图 definer改成invoker的 试试
mysql> show create view  asher_v6;
+--------+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------------------+----------------------+
| View   | Create View                                                                                                                                                                  | character_set_client | collation_connection |
+--------+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------------------+----------------------+
| asher_v6 | CREATE ALGORITHM=UNDEFINED DEFINER=`test`@`%` SQL SECURITY DEFINER VIEW `asher_v6` AS select `asher_test`.`name` AS `name`,`asher_test`.`purchased` AS `purchased` from `asher_test` | utf8mb4              | utf8mb4_0900_ai_ci   |
+--------+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------------------+----------------------+
1 row in set (0.00 sec)


CREATE ALGORITHM=UNDEFINED DEFINER=`test`@`%` SQL SECURITY INVOKER VIEW `asher_v7` AS select `asher_test`.`name` AS `name`,`asher_test`.`purchased` AS `purchased` from `asher_test`

mysql> select * from asher_v7 ;
+-------------+------------+
| name        | purchased  |
+-------------+------------+
| fullbackup  | 2022-11-27 |
+-------------+------------+
1 row in set (0.00 sec)


# 更改现有视图,将视图 definer改成invoker

ALTER
ALGORITHM=UNDEFINED
DEFINER=`test`@`%`
SQL SECURITY INVOKER VIEW `asher_v6` AS select `asher_test`.`name` AS `name`,`asher_test`.`purchased` AS `purchased` from `asher_test` ;
 

 select * from asher_v6 ;
+-------------+------------+
| name        | purchased  |
+-------------+------------+
| fullbackup  | 2022-11-27 |
+-------------+------------+
1 row in set (0.00 sec)

4.解决方案

通过以肯方案测试,得知在创建视图或者是存储过程的时候,是需要定义安全验证方式的(也就是安全性SQL SECURITY),其值可以为definer或invoker,表示在执行过程中,使用谁的权限来执行。
definer:由definer(定义者)指定的用户的权限来执行
invoker:由调用这个视图(存储过程)的用户的权限来执行
但是我们这里是用了角色,所以第如果是用的默认definer,就不能用角色,而是直接授权。如果要用角色,就需要将definer改为角色的名字,而不是用户的名字。

4.1 方案一,更definer改成invoker

这里我们可以直接将视图 definer改成invoker ,更改方案如下:

4.1.1直接更改现有视图,将视图 definer改成invoker

ALTER
ALGORITHM=UNDEFINED
DEFINER=`test`@`%`
SQL SECURITY INVOKER VIEW `asher_v6` AS select `asher_test`.`name` AS `name`,`asher_test`.`purchased` AS `purchased` from `asher_test` ;
 

4.1.2 创建视图的时候,将视图 definer改成invoker

CREATE ALGORITHM=UNDEFINED DEFINER=`test`@`%` SQL SECURITY INVOKER VIEW `asher_v7` AS select `asher_test`.`name` AS `name`,`asher_test`.`purchased` AS `purchased` from `asher_test`

4.2 方案二,更改DEFINER为角色名

视图默认为definer情况下,指定definer改为角色的名字
直接授权在上面的2.5测试中,是可以执行的,所以这里我们将definer改为角色的名字

mysql> select * from asher_v5 ;
ERROR 1356 (HY000): View 'drm.asher_v5' references invalid table(s) or column(s) or function(s) or definer/invoker of view lack rights to use them
mysql> show create view asher_v5 ;
+--------+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------------------+----------------------+
| View   | Create View                                                                                                                                                                  | character_set_client | collation_connection |
+--------+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------------------+----------------------+
| asher_v5 | CREATE ALGORITHM=UNDEFINED DEFINER=`test`@`%` SQL SECURITY DEFINER VIEW `asher_v5` AS select `asher_test`.`name` AS `name`,`asher_test`.`purchased` AS `purchased` from `asher_test` | utf8mb4              | utf8mb4_0900_ai_ci   |
+--------+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------------------+----------------------+
1 row in set (0.00 sec)




ALTER
ALGORITHM=UNDEFINED
DEFINER=`test_role`@`%`
SQL SECURITY DEFINER VIEW `asher_v5` AS select `asher_test`.`name` AS `name`,`asher_test`.`purchased` AS `purchased` from `asher_test` ;
 
mysql> show create view asher_v5 ;
+--------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------------------+----------------------+
| View   | Create View                                                                                                                                                                       | character_set_client | collation_connection |
+--------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------------------+----------------------+
| asher_v5 | CREATE ALGORITHM=UNDEFINED DEFINER=`test_role`@`%` SQL SECURITY DEFINER VIEW `asher_v5` AS select `asher_test`.`name` AS `name`,`asher_test`.`purchased` AS `purchased` from `asher_test` | utf8mb4              | utf8mb4_0900_ai_ci   |
+--------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------------------+----------------------+
1 row in set (0.00 sec)

mysql> select * from asher_v5 ;
+-------------+------------+
| name        | purchased  |
+-------------+------------+
| fullbackup  | 2022-11-27 |
+-------------+------------+
1 row in set (0.00 sec)


5.参考文档

https://dev.mysql.com/doc/refman/8.0/en/create-view.html
https://dev.mysql.com/doc/refman/8.0/en/stored-objects-security.html

标签:name,GRANT,CREATE,1356,视图,asher,drm,Mysql,test
From: https://www.cnblogs.com/cqdba/p/17023680.html

相关文章

  • Mysql安装
    1、windows安装mysql有两种安装方式,一种是使用exe安装程序去安装,一种是直接解压安装。推荐使用解压安装的方式,因为exe程序安装的方式,安装过程中会和操作系统有过多的关......
  • Mysql读写分离
    MySQL主从复制介绍:MySQL主从复制是一个异步的复制过程,底层是基于Mysql数据库自带的二进制日志功能。就是一台或多台MySOL数据库(slave,即从库)从另一台MySOL数据库(master......
  • Centos7离线安装Mysql8(rpm安装)
    1.下载:        官网下载: MySQL::DownloadMySQLCommunityServer2.解压将下载好的tar文件放到centos中,目录文件夹名称自定义,解压后得到:[root@localhost......
  • MySQL 日期时间 专题
    1.1获得当前日期+时间(date+time)函数:now()除了now()函数能获得当前的日期时间外,MySQL中还有下面的函数:current_timestamp() current_timestamplocaltime() lo......
  • [MySQL] 索引的使用、SQL语句优化策略
    目录索引什么是索引索引的创建与删除创建索引删除索引索引的使用使用explain分析SQL语句最佳左前缀索引覆盖避免对索引列进行额外运算SQL语句优化小表驱动大表索引什么是......
  • Mysql 8 修改root密码
    sudomysql-uroot-p#使用sudo之后mysql密码为空即可登陆updateusersetauthentication_string=''whereuser='root';flushprivileges;ALTERUSER'root'@'local......
  • k8s运行单实例mysql
    namespacemysql-ns.yamlapiVersion:v1kind:Namespacemetadata:labels:kubernetes.io/metadata.name:wgs-mysqlname:wgs-mysql创建ns#kubectlapply......
  • [clickhouse]同步MySQL
    前言clickhouse的查询速度非常快,而且兼容大部分MySQL的sql语法,因此一般将clickhouse作为MySQL的读库。本文提供两种clickhouse同步MySQL的方式clickhouse版本:21.2.4.6......
  • 软件开发入门教程网之MySQL 删除数据库
       ......
  • Mysql主从同步配置
    一、主数据库的配置1.my.cnf(Linux)/my.ini(Windows)在配置文件参数选项[mysqld]下面添加如下内容log_bin=mysql-binserver_id=1innodb_flush_log_at_trx_commit=......