Author: paul
Date: 2006-02-02 00:34:06 +0100 (Thu, 02 Feb 2006)
New Revision: 1175
Log:
r7053@frost: paul | 2006-02-01 17:32:37 -0600
Document TRIGGER privilege.
Modified:
trunk/
trunk/refman-4.1/database-administration.xml
trunk/refman-4.1/sql-syntax.xml
trunk/refman-5.0/database-administration.xml
trunk/refman-5.0/sql-syntax.xml
trunk/refman-5.0/triggers.xml
trunk/refman-5.1/database-administration.xml
trunk/refman-5.1/installing.xml
trunk/refman-5.1/sql-syntax.xml
trunk/refman-5.1/triggers.xml
trunk/refman-common/news-5.1.xml
Property changes on: trunk
___________________________________________________________________
Name: svk:merge
- b5ec3a16-e900-0410-9ad2-d183a3acac99:/mysqldoc-local/mysqldoc/trunk:7026
bf112a9c-6c03-0410-a055-ad865cd57414:/mysqldoc-local/mysqldoc/trunk:2775
+ b5ec3a16-e900-0410-9ad2-d183a3acac99:/mysqldoc-local/mysqldoc/trunk:7053
bf112a9c-6c03-0410-a055-ad865cd57414:/mysqldoc-local/mysqldoc/trunk:2775
Modified: trunk/refman-4.1/database-administration.xml
===================================================================
--- trunk/refman-4.1/database-administration.xml 2006-02-01 22:28:24 UTC (rev 1174)
+++ trunk/refman-4.1/database-administration.xml 2006-02-01 23:34:06 UTC (rev 1175)
@@ -10796,6 +10796,12 @@
</row>
<row>
<entry/>
+ <entry><literal>Execute_priv</literal></entry>
+ <entry/>
+ <entry/>
+ </row>
+ <row>
+ <entry/>
<entry><literal>References_priv</literal></entry>
<entry><literal>References_priv</literal></entry>
<entry><literal>References_priv</literal></entry>
@@ -10850,12 +10856,6 @@
</row>
<row>
<entry/>
- <entry><literal>Execute_priv</literal></entry>
- <entry/>
- <entry/>
- </row>
- <row>
- <entry/>
<entry><literal>Repl_slave_priv</literal></entry>
<entry/>
<entry/>
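Review bot: The Execute_priv row removed at this position and re-added above References_priv in the previous hunk is a pure reordering of the grant-table column list, which the log message ("Document TRIGGER privilege.") does not cover. Mention the reordering in the log or commit it separately, so that someone auditing changes to the privilege documentation can tell a moved row from a changed one.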
Modified: trunk/refman-4.1/sql-syntax.xml
===================================================================
--- trunk/refman-4.1/sql-syntax.xml 2006-02-01 22:28:24 UTC (rev 1174)
+++ trunk/refman-4.1/sql-syntax.xml 2006-02-01 23:34:06 UTC (rev 1175)
@@ -10420,7 +10420,10 @@
have the <literal>GRANT OPTION</literal> privilege, and you
must have the privileges that you are granting.
<literal>GRANT</literal> is implemented in MySQL 3.22.11 or
- later. For earlier MySQL versions, it does nothing.
+ later. For earlier MySQL versions, it does nothing. The
+ <literal>REVOKE</literal> statement is related and enables
+ administrators to remove account privileges. See
+ <xref linkend="revoke"/>.
</para>
<para>
Modified: trunk/refman-5.0/database-administration.xml
===================================================================
--- trunk/refman-5.0/database-administration.xml 2006-02-01 22:28:24 UTC (rev 1174)
+++ trunk/refman-5.0/database-administration.xml 2006-02-01 23:34:06 UTC (rev 1175)
@@ -12824,6 +12824,12 @@
</row>
<row>
<entry/>
+ <entry><literal>Execute_priv</literal></entry>
+ <entry><literal>Execute_priv</literal></entry>
+ <entry><literal>Execute_priv</literal></entry>
+ </row>
+ <row>
+ <entry/>
<entry><literal>References_priv</literal></entry>
<entry><literal>References_priv</literal></entry>
<entry><literal>References_priv</literal></entry>
@@ -12878,12 +12884,6 @@
</row>
<row>
<entry/>
- <entry><literal>Execute_priv</literal></entry>
- <entry><literal>Execute_priv</literal></entry>
- <entry><literal>Execute_priv</literal></entry>
- </row>
- <row>
- <entry/>
<entry><literal>Repl_slave_priv</literal></entry>
<entry/>
<entry/>
@@ -13247,7 +13247,8 @@
<entry><literal>tables_priv</literal></entry>
<entry><literal>Table_priv</literal></entry>
<entry><literal>'Select', 'Insert', 'Update', 'Delete', 'Create', 'Drop',
- 'Grant', 'References', 'Index', 'Alter'</literal></entry>
+ 'Grant', 'References', 'Index', 'Alter', 'Create View',
+ 'Show view'</literal></entry>
</row>
<row>
<entry><literal>tables_priv</literal></entry>
Modified: trunk/refman-5.0/sql-syntax.xml
===================================================================
--- trunk/refman-5.0/sql-syntax.xml 2006-02-01 22:28:24 UTC (rev 1174)
+++ trunk/refman-5.0/sql-syntax.xml 2006-02-01 23:34:06 UTC (rev 1175)
@@ -11482,7 +11482,10 @@
administrators to create MySQL user accounts and to grant
rights to from accounts. To use <literal>GRANT</literal>, you
must have the <literal>GRANT OPTION</literal> privilege, and
- you must have the privileges that you are granting.
+ you must have the privileges that you are granting. The
+ <literal>REVOKE</literal> statement is related and enables
+ administrators to remove account privileges. See
+ <xref linkend="revoke"/>.
</para>
<para>
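Review bot: The unchanged context line "rights to from accounts" in this paragraph is garbled and should be corrected while the paragraph is being edited; the refman-5.1 copy of this hunk carries the same line. In the added text, "is related and enables administrators to remove account privileges" reads more directly as "The related REVOKE statement enables administrators to remove account privileges."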
@@ -11812,7 +11815,9 @@
<literal>INSERT</literal>, <literal>UPDATE</literal>,
<literal>DELETE</literal>, <literal>CREATE</literal>,
<literal>DROP</literal>, <literal>GRANT OPTION</literal>,
- <literal>INDEX</literal>, and <literal>ALTER</literal>.
+ <literal>INDEX</literal>, <literal>ALTER</literal>,
+ <literal>CREATE VIEW</literal> and <literal>SHOW
+ VIEW</literal>.
</para>
<para>
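Review bot: The rewritten list drops the serial comma that the removed line used ("INDEX, and ALTER" becomes "ALTER, CREATE VIEW and SHOW VIEW"), so the sentence no longer matches the punctuation of the surrounding manual text. The last added literal is also wrapped across two lines between SHOW and VIEW; keep "SHOW VIEW" on one line inside the literal element, as the refman-5.1 version of this hunk does, so the rendered privilege name does not pick up stray whitespace.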
Modified: trunk/refman-5.0/triggers.xml
===================================================================
--- trunk/refman-5.0/triggers.xml 2006-02-01 22:28:24 UTC (rev 1174)
+++ trunk/refman-5.0/triggers.xml 2006-02-01 23:34:06 UTC (rev 1175)
@@ -366,18 +366,19 @@
Note: Because MySQL currently requires the
<literal>SUPER</literal> privilege for the use of <literal>CREATE
TRIGGER</literal>, only the second of the preceding rules applies.
+ (MySQL 5.1.6 implements the <literal>TRIGGER</literal> privilege
+ and requires that privilege for trigger creation, so at that point
+ both rules come into play and SUPER is required only for
+ specifying a DEFINER value other than your own account.)
</para>
<remark role="todo">
- For future implementation in trigger privilege checking: (i) When
- we have a TRIGGER privilege, that will be required for the subject
- table. SUPER will be required only for specifying a DEFINER value
- other than your own account. (ii) Better UPDATE checking, so that
- the privilege will be required for SET NEW.col_name only for the
- named columns rather than for the subject table. (iii) Possibly
- also limit the SELECT privilege so that it required only for
- individual NEW/OLD column references rather than for the subject
- table.
+ For future implementation in trigger privilege checking: (i)
+ Better UPDATE checking, so that the privilege will be required for
+ SET NEW.col_name only for the named columns rather than for the
+ subject table. (ii) Possibly also limit the SELECT privilege so
+ that it required only for individual NEW/OLD column references
+ rather than for the subject table.
</remark>
<para>
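Review bot: In the added parenthetical, SUPER and DEFINER appear as bare words while the same paragraph marks SUPER and CREATE TRIGGER up as literals; wrap them for consistency. "At that point both rules come into play" is also vague for a reader of the 5.0 manual, since the rules are not restated here; say directly that from 5.1.6 the creator needs the TRIGGER privilege and that SUPER is needed only to name a different account as DEFINER. The rewritten todo remark still carries "so that it required only", which is missing "is".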
@@ -703,11 +704,12 @@
<para>
A column named with <literal>OLD</literal> is read-only. You can
- refer to it but not modify it. A column named with
- <literal>NEW</literal> can be referred to if you have the
- <literal>SELECT</literal> privilege for it. In a
- <literal>BEFORE</literal> trigger, you can also change its value
- with <literal>SET NEW.<replaceable>col_name</replaceable> =
+ refer to it (if you have the <literal>SELECT</literal> privilege),
+ but not modify it. A column named with <literal>NEW</literal> can
+ be referred to if you have the <literal>SELECT</literal> privilege
+ for it. In a <literal>BEFORE</literal> trigger, you can also
+ change its value with <literal>SET
+ NEW.<replaceable>col_name</replaceable> =
<replaceable>value</replaceable></literal> if you have the
<literal>UPDATE</literal> privilege for it. This means you can use
a trigger to modify the values to be inserted into a new row or
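Review bot: The two SELECT requirements in the added lines are phrased differently: for OLD it is "if you have the SELECT privilege" with no object, for NEW it is "the SELECT privilege for it". A reader cannot tell whether the OLD check applies to the column or to something broader. Use the same wording in both sentences, for example "(if you have the SELECT privilege for it)".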
Modified: trunk/refman-5.1/database-administration.xml
===================================================================
--- trunk/refman-5.1/database-administration.xml 2006-02-01 22:28:24 UTC (rev 1174)
+++ trunk/refman-5.1/database-administration.xml 2006-02-01 23:34:06 UTC (rev 1175)
@@ -12912,6 +12912,18 @@
</row>
<row>
<entry/>
+ <entry><literal>Execute_priv</literal></entry>
+ <entry><literal>Execute_priv</literal></entry>
+ <entry><literal>Execute_priv</literal></entry>
+ </row>
+ <row>
+ <entry/>
+ <entry><literal>Trigger_priv</literal></entry>
+ <entry><literal>Trigger_priv</literal></entry>
+ <entry><literal>Trigger_priv</literal></entry>
+ </row>
+ <row>
+ <entry/>
<entry><literal>References_priv</literal></entry>
<entry><literal>References_priv</literal></entry>
<entry><literal>References_priv</literal></entry>
@@ -12966,12 +12978,6 @@
</row>
<row>
<entry/>
- <entry><literal>Execute_priv</literal></entry>
- <entry><literal>Execute_priv</literal></entry>
- <entry><literal>Execute_priv</literal></entry>
- </row>
- <row>
- <entry/>
<entry><literal>Repl_slave_priv</literal></entry>
<entry/>
<entry/>
@@ -13035,6 +13041,11 @@
</informaltable>
<para>
+ The <literal>Trigger_priv</literal> column was added in MySQL
+ 5.1.6.
+ </para>
+
+ <para>
During the second stage of access control, the server performs
request verification to make sure that each client has
sufficient privileges for each request that it issues. In
@@ -13316,7 +13327,8 @@
<entry><literal>tables_priv</literal></entry>
<entry><literal>Table_priv</literal></entry>
<entry><literal>'Select', 'Insert', 'Update', 'Delete', 'Create', 'Drop',
- 'Grant', 'References', 'Index', 'Alter'</literal></entry>
+ 'Grant', 'References', 'Index', 'Alter', 'Create View',
+ 'Show view', 'Trigger'</literal></entry>
</row>
<row>
<entry><literal>tables_priv</literal></entry>
@@ -13575,6 +13587,11 @@
<entry>tables</entry>
</row>
<row>
+ <entry><literal>TRIGGER</literal></entry>
+ <entry><literal>trigger_priv</literal></entry>
+ <entry>tables</entry>
+ </row>
+ <row>
<entry><literal>CREATE VIEW</literal></entry>
<entry><literal>Create_view_priv</literal></entry>
<entry>views</entry>
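Review bot: The column name in the added row is written "trigger_priv" in lowercase, but the earlier hunk in this file adds the grant-table column as "Trigger_priv" and the neighbouring row here uses "Create_view_priv". Change it to "Trigger_priv" so that the name matches what an administrator will see when inspecting the grant tables.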
@@ -13668,6 +13685,11 @@
</para>
<para>
+ The <literal>TRIGGER</literal> privilege was added in MySQL
+ 5.1.6.
+ </para>
+
+ <para>
To create or alter stored functions if binary logging is
enabled, you may also need the <literal>SUPER</literal>
privilege, as described in
@@ -13730,6 +13752,14 @@
</para>
<para>
+ The <literal>TRIGGER</literal> privilege enables you to create
+ and drop triggers. You must have this privilege for a table to
+ create or drop triggers for that table. (Prior to MySQL 5.1.6,
+ these operations required the <literal>SUPER</literal>
+ privilege.)
+ </para>
+
+ <para>
The <literal>GRANT</literal> privilege enables you to give to
other users those privileges that you yourself possess. It can
be used for databases, tables, and stored routines.
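Review bot: The added paragraph describes TRIGGER only as the privilege for creating and dropping triggers, and leaves out the requirement stated in the installing.xml and news-5.1.xml hunks of this same commit: the account named in a trigger's DEFINER clause must hold TRIGGER or the trigger fails when activated. Add that sentence here or a cross-reference to the upgrade note, because this section is where an administrator deciding what to grant will look. The "added in MySQL 5.1.6" statement from the previous hunk is also repeated in this parenthetical; one of the two is enough.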
Modified: trunk/refman-5.1/installing.xml
===================================================================
--- trunk/refman-5.1/installing.xml 2006-02-01 22:28:24 UTC (rev 1174)
+++ trunk/refman-5.1/installing.xml 2006-02-01 23:34:06 UTC (rev 1175)
@@ -12122,6 +12122,39 @@
<listitem>
<para>
+ <emphasis role="bold">Incompatible change</emphasis>: MySQL
+ 5.1.6 introduced the <literal>TRIGGER</literal> privilege.
+ Previously, the <literal>SUPER</literal> privilege was
+ needed to create or drop triggers. Now those operations
+ require the <literal>TRIGGER</literal> privilege. This is a
+ security improvement because you no longer need to grant
+ users the <literal>SUPER</literal> privilege to enable them
+ to create triggers. However, the requirement that the
+ account named in a trigger's <literal>DEFINER</literal>
+ clause must have the <literal>SUPER</literal> privilege has
+ changed to a requirement for the <literal>TRIGGER</literal>
+ privilege. When upgrading from a previous version of MySQL 5
+ to MySQL 5.1.6 or newer, you should check which accounts are
+ named in the <literal>DEFINER</literal> clause of existing
+ triggers and make sure that those accounts have the
+ <literal>TRIGGER</literal> privilege. Otherwise, they will
+ fail when activated. To see which accounts are listed in
+ <literal>DEFINER</literal> clauses, use this statement:
+ </para>
+
+<programlisting>
+SELECT DISTINCT DEFINER FROM INFORMATION_SCHEMA.TRIGGERS;
+</programlisting>
+
+ <para>
+ After granting those accounts the <literal>TRIGGER</literal>
+ privilege, you can revoke the <literal>SUPER</literal>
+ privilege from those that do not otherwise require it.
+ </para>
+ </listitem>
+
+ <listitem>
+ <para>
Some keywords are reserved in MySQL ¤t-series; that
were not reserved in MySQL &previous-series;. See
<xref linkend="reserved-words"/>.
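Review bot: In "Otherwise, they will fail when activated", the pronoun has no clear antecedent; the nearest plural noun is "accounts", but it is the triggers that fail. Write "Otherwise, those triggers will fail when activated." The suggested query also returns only the DEFINER values, while the other hunks in this commit describe TRIGGER as a privilege held "for a table"; selecting DEFINER together with EVENT_OBJECT_SCHEMA and EVENT_OBJECT_TABLE from INFORMATION_SCHEMA.TRIGGERS would let the administrator grant TRIGGER on just the affected tables rather than globally before revoking SUPER.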
Modified: trunk/refman-5.1/sql-syntax.xml
===================================================================
--- trunk/refman-5.1/sql-syntax.xml 2006-02-01 22:28:24 UTC (rev 1174)
+++ trunk/refman-5.1/sql-syntax.xml 2006-02-01 23:34:06 UTC (rev 1175)
@@ -11968,7 +11968,10 @@
administrators to create MySQL user accounts and to grant
rights to from accounts. To use <literal>GRANT</literal>, you
must have the <literal>GRANT OPTION</literal> privilege, and
- you must have the privileges that you are granting.
+ you must have the privileges that you are granting. The
+ <literal>REVOKE</literal> statement is related and enables
+ administrators to remove account privileges. See
+ <xref linkend="revoke"/>.
</para>
<para>
@@ -12161,6 +12164,10 @@
<entry>Enables the user to run stored routines</entry>
</row>
<row>
+ <entry><literal>TRIGGER</literal></entry>
+ <entry>Enables the user to create or drop triggers</entry>
+ </row>
+ <row>
<entry><literal>FILE</literal></entry>
<entry>Enables use of <literal>SELECT ... INTO OUTFILE</literal> and
<literal>LOAD DATA INFILE</literal></entry>
@@ -12242,6 +12249,14 @@
</informaltable>
<para>
+ The <literal>TRIGGER</literal> privilege was added in MySQL
+ 5.1.6. You must have this privilege for a table to create or
+ drop triggers for that table. (Previously, the
+ <literal>SUPER</literal> privilege was required to create or
+ drop triggers.)
+ </para>
+
+ <para>
The <literal>REFERENCES</literal> privilege currently is
unused.
</para>
@@ -12289,7 +12304,9 @@
<literal>INSERT</literal>, <literal>UPDATE</literal>,
<literal>DELETE</literal>, <literal>CREATE</literal>,
<literal>DROP</literal>, <literal>GRANT OPTION</literal>,
- <literal>INDEX</literal>, and <literal>ALTER</literal>.
+ <literal>INDEX</literal>, <literal>ALTER</literal>,
+ <literal>CREATE VIEW</literal>, <literal>SHOW VIEW</literal>
+ and <literal>TRIGGER</literal>.
</para>
<para>
Modified: trunk/refman-5.1/triggers.xml
===================================================================
--- trunk/refman-5.1/triggers.xml 2006-02-01 22:28:24 UTC (rev 1174)
+++ trunk/refman-5.1/triggers.xml 2006-02-01 23:34:06 UTC (rev 1175)
@@ -83,7 +83,8 @@
database object that is associated with a table, and that
activates when a particular event occurs for the table. Currently,
<literal>CREATE TRIGGER</literal> requires the
- <literal>SUPER</literal> privilege.
+ <literal>TRIGGER</literal> privilege. (This requires the
+ <literal>SUPER</literal> privilege prior to MySQL 5.1.6.)
</para>
<para>
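Review bot: The unchanged word "Currently" now sits next to a version-specific statement, and "This requires the SUPER privilege" in the added parenthetical does not say what "This" refers to. Replace the pair with one versioned sentence, for example "As of MySQL 5.1.6, CREATE TRIGGER requires the TRIGGER privilege for the table; before 5.1.6 it requires SUPER." That also states the per-table scope that the sql-syntax.xml hunk gives.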
@@ -359,21 +360,21 @@
</itemizedlist>
<para>
- Note: Because MySQL currently requires the
+ Note: Prior to MySQL 5.1.6, MySQL requires the
<literal>SUPER</literal> privilege for the use of <literal>CREATE
- TRIGGER</literal>, only the second of the preceding rules applies.
+ TRIGGER</literal>, so only the second of the preceding rules
+ applies for older releases. As of 5.1.6, <literal>SUPER</literal>
+ is required only to be able to set <literal>DEFINER</literal> to a
+ value other than your own account.
</para>
<remark role="todo">
- For future implementation in trigger privilege checking: (i) When
- we have a TRIGGER privilege, that will be required for the subject
- table. SUPER will be required only for specifying a DEFINER value
- other than your own account. (ii) Better UPDATE checking, so that
- the privilege will be required for SET NEW.col_name only for the
- named columns rather than for the subject table. (iii) Possibly
- also limit the SELECT privilege so that it required only for
- individual NEW/OLD column references rather than for the subject
- table.
+ For future implementation in trigger privilege checking: (i)
+ Better UPDATE checking, so that the privilege will be required for
+ SET NEW.col_name only for the named columns rather than for the
+ subject table. (ii) Possibly also limit the SELECT privilege so
+ that it required only for individual NEW/OLD column references
+ rather than for the subject table.
</remark>
<para>
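Review bot: The rewritten note mixes tenses: "Prior to MySQL 5.1.6, MySQL requires the SUPER privilege" should be "required", to match "As of 5.1.6, SUPER is required only" in the following sentence. The note also says SUPER is needed only to set DEFINER to another account but does not repeat that the creator now needs TRIGGER, which the refman-5.0 version of this note does say; add it so the two manuals agree. The todo remark keeps "so that it required only", which is missing "is".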
@@ -385,8 +386,8 @@
<listitem>
<para>
At <literal>CREATE TRIGGER</literal> time, the user that
- issues the statement must have the <literal>SUPER</literal>
- privilege.
+ issues the statement must have the <literal>TRIGGER</literal>
+ privilege. (<literal>SUPER</literal> prior to MySQL 5.1.6.)
</para>
</listitem>
@@ -401,7 +402,8 @@
<listitem>
<para>
- The <literal>SUPER</literal> privilege.
+ The <literal>TRIGGER</literal> privilege.
+ (<literal>SUPER</literal> prior to MySQL 5.1.6.)
</para>
</listitem>
@@ -474,8 +476,8 @@
This statement drops a trigger. The schema (database) name is
optional. If the schema is omitted, the trigger is dropped from
the default schema. <literal>DROP TRIGGER</literal> was added in
- MySQL 5.0.2. Its use requires the <literal>SUPER</literal>
- privilege.
+ MySQL 5.0.2. Its use requires the <literal>TRIGGER</literal>
+ privilege. (<literal>SUPER</literal> prior to MySQL 5.1.6.)
</para>
<remark role="help-description-end"/>
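Review bot: "Its use requires the TRIGGER privilege" does not say on which object the privilege must be held, while the sql-syntax.xml and database-administration.xml hunks in this commit state that you need it "for a table to create or drop triggers for that table". Add "for the table associated with the trigger" here, and turn the fragment "(SUPER prior to MySQL 5.1.6.)" into a full sentence, since this paragraph feeds the help description.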
@@ -663,11 +665,12 @@
<para>
A column named with <literal>OLD</literal> is read-only. You can
- refer to it but not modify it. A column named with
- <literal>NEW</literal> can be referred to if you have the
- <literal>SELECT</literal> privilege for it. In a
- <literal>BEFORE</literal> trigger, you can also change its value
- with <literal>SET NEW.<replaceable>col_name</replaceable> =
+ refer to it (if you have the <literal>SELECT</literal> privilege),
+ but not modify it. A column named with <literal>NEW</literal> can
+ be referred to if you have the <literal>SELECT</literal> privilege
+ for it. In a <literal>BEFORE</literal> trigger, you can also
+ change its value with <literal>SET
+ NEW.<replaceable>col_name</replaceable> =
<replaceable>value</replaceable></literal> if you have the
<literal>UPDATE</literal> privilege for it. This means you can use
a trigger to modify the values to be inserted into a new row or
Modified: trunk/refman-common/news-5.1.xml
===================================================================
--- trunk/refman-common/news-5.1.xml 2006-02-01 22:28:24 UTC (rev 1174)
+++ trunk/refman-common/news-5.1.xml 2006-02-01 23:34:06 UTC (rev 1175)
@@ -69,6 +69,27 @@
<listitem>
<para>
+ <emphasis role="bold">Incompatible change</emphasis>: This
+ release introduced the <literal>TRIGGER</literal> privilege.
+ Previously, the <literal>SUPER</literal> privilege was needed
+ to create or drop triggers. Now those operations require the
+ <literal>TRIGGER</literal> privilege. This is a security
+ improvement because you no longer need to grant users the
+ <literal>SUPER</literal> privilege to enable them to create
+ triggers. However, the requirement that the account named in a
+ trigger's <literal>DEFINER</literal> clause must have the
+ <literal>SUPER</literal> privilege has changed to a
+ requirement for the <literal>TRIGGER</literal> privilege. You
+ should check which accounts are named in the
+ <literal>DEFINER</literal> clause of existing triggers and
+ make sure that those accounts have the
+ <literal>TRIGGER</literal> privilege. Otherwise, they will
+ fail when activated. (Bug #9142)
+ </para>
+ </listitem>
+
+ <listitem>
+ <para>
<emphasis role="bold">Incompatible change</emphasis>: Due to a
change in the naming scheme for partitioning and
subpartitioning files, it is not possible for the server to
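Review bot: This changelog entry tells the reader to check which accounts are named in DEFINER clauses but, unlike the installing.xml text added in the same commit, gives neither the INFORMATION_SCHEMA.TRIGGERS query nor the follow-up advice to revoke SUPER from accounts that no longer need it. Add a cross-reference to the upgrade section so that the least-privilege step is not lost for readers who see only the release notes. "Otherwise, they will fail when activated" has the same ambiguous pronoun as the installing.xml copy; write "those triggers".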