MySQL 中什么时候执行 FLUSH PRIVILEGES

最近看到不少文章在 MySQL 8.0 中 通过 alert user、create user 之后每次都执行一次 flush privileges; 语句，实际上这是没必要的，来看下官方文档：

https://dev.mysql.com/doc/refman/8.0/en/privilege-changes.html

6.2.13 When Privilege Changes Take Effect

If the mysqld server is started without the --skip-grant-tables option, it reads all grant table contents into memory during its startup sequence. The in-memory tables become effective for access control at that point.

If you modify the grant tables indirectly using an account-management statement, the server notices these changes and loads the grant tables into memory again immediately. Account-management statements are described in ==Section 13.7.1, “Account Management Statements”. Examples include GRANT, REVOKE, SET PASSWORD, and RENAME USER.==

If you modify the grant tables directly using statements such as INSERT, UPDATE, or DELETE (which is not recommended), the changes have no effect on privilege checking until you either tell the server to reload the tables or restart it. Thus, if you change the grant tables directly but forget to reload them, the changes have no effect until you restart the server. This may leave you wondering why your changes seem to make no difference!

To tell the server to reload the grant tables, perform a flush-privileges operation. This can be done by issuing a FLUSH PRIVILEGES statement or by executing a mysqladmin flush-privileges or mysqladmin reload command.

A grant table reload affects privileges for each existing client session as follows:

• Table and column privilege changes take effect with the client’s next request.

• Database privilege changes take effect the next time the client executes a USE *db_name* statement.

Note

Client applications may cache the database name; thus, this effect may not be visible to them without actually changing to a different database.

• Static global privileges and passwords are unaffected for a connected client. These changes take effect only in sessions for subsequent connections. Changes to dynamic global privileges apply immediately. For information about the differences between static and dynamic privileges, see Static Versus Dynamic Privileges.)

Changes to the set of active roles within a session take effect immediately, for that session only. The SET ROLE statement performs session role activation and deactivation (see Section 13.7.1.11, “SET ROLE Statement”).

If the server is started with the --skip-grant-tables option, it does not read the grant tables or implement any access control. Any user can connect and perform any operation, which is insecure. To cause a server thus started to read the tables and enable access checking, flush the privileges.

Account Management Statements 如下：

13.7.1 Account Management Statements

• 13.7.1.1 ALTER USER Statement
• 13.7.1.2 CREATE ROLE Statement
• 13.7.1.3 CREATE USER Statement
• 13.7.1.4 DROP ROLE Statement
• 13.7.1.5 DROP USER Statement
• 13.7.1.6 GRANT Statement
• 13.7.1.7 RENAME USER Statement
• 13.7.1.8 REVOKE Statement
• 13.7.1.9 SET DEFAULT ROLE Statement
• 13.7.1.10 SET PASSWORD Statement
• 13.7.1.11 SET ROLE Statement

也就是说通过以上的 ALERT USER、CREATE USER、SET PASSWORD 等 11 个用户管理的命令执行后会自动加载到内存生效，而不需要进行手动执行 FLUSH PRIVILEGES 。

那什么时候需要执行 FLUSH PRIVILEGES ,就是在进行手工直接使用INSERT、UPDATE或DELETE（不建议）等语句修改授权表，这些是无法直接生效的，如果要让这些修改生效就需要手工执行 FLUSH PRIVILEGES ，告诉服务器重新加载表或重新启动表。因此，如果您直接更改授权表，但忘记重新加载它们，则在您重新启动服务器之前，更改不会生效。

原文作者: liups.com

原文链接: http://liups.com/posts/8b74dba3/

许可协议: 知识共享署名-非商业性使用 4.0 国际许可协议