permission granting syntax does not support this function, and you need to
use CREATE USER and ALTER USER to set user attributes.
● MySQL supports permission granting with a user proxy. GRANT PROXY ON is
used to manage permissions of users in a unified manner. MySQL 5.7 does
not provide the role mechanism, but MySQL 8.0 and M-compatible databases
do. Where roles are used to manage and control the permissions of users in a
unified manner, they can replace GRANT PROXY ON.
● M-compatible databases have a concept called public. All users have public
permissions and they can query some system catalogs and system views.
Users can grant or revoke public permissions. In MySQL, newly created users
have only the global USAGE permission, which grants almost nothing: they
have only the permission to connect to the database and query the
information_schema database.
● In M-compatible databases, the owner of an object has all permissions on the
object by default. For security purposes, the owner can discard some
permissions. However, the ALTER, DROP, COMMENT, INDEX, VACUUM, and
re-grantable permissions on the object are implicit, inherent permissions of the
owner. MySQL does not have the concept of an owner. Even if a user creates a
table, the user cannot perform operations such as IUD (INSERT, UPDATE, and
DELETE) on the table without being granted the corresponding permissions.
● In MySQL, all users have the USAGE permission, which indicates no
permission. When REVOKE or GRANT USAGE is executed, no modification is
performed. In M-compatible databases, the USAGE permission has the
following meanings:
– For schemas, USAGE allows access to objects contained in the schema.
Without this permission, it is still possible to see the object names.
– For sequences, USAGE allows use of the nextval function.
● In M-compatible databases, administrator roles can be set for users, including
system administrator (SYSADMIN), security administrator (CREATEROLE),
audit administrator (AUDITADMIN), monitoring administrator (MONADMIN),
O&M administrator (OPRADMIN), and security policy administrator
(POLADMIN). By default, the system administrator with the SYSADMIN
attribute has the highest permission in the system. After separation of duties
is enabled, the system administrator does not have the CREATEROLE attribute
(security administrator) or the AUDITADMIN attribute (audit administrator).
That is, the system administrator can neither create roles or users, nor view or
maintain database audit logs. In MySQL, administrator roles cannot be set for
users, and there is no design for separation of duties.
● In M-compatible databases, the ANY permission can be granted to a user,
indicating that the user can have the corresponding permission in non-system
mode, including CREATE ANY TABLE, SELECT ANY TABLE, and CREATE ANY
INDEX. In MySQL, ANY permission cannot be granted.
● MySQL provides SHOW GRANTS to query user permissions. In M-compatible
databases, you can run a gsql client meta-command '\l+', '\dn+', or '\dp' to
query permission information, or query related columns in system catalogs
such as pg_namespace, pg_class, and pg_attribute for permission information.
● When a database, table, or column is deleted from MySQL, the related
permission granting information is still retained in the system catalog. If an
object with the same name is created again, the user still has the original
permissions. In M-compatible databases, when a database, table, or column is
GaussDB
Service Overview 8 Compatibility with MySQL Databases
Issue 01 (2024-04-30) Copyright © Huawei Cloud Computing Technologies Co., Ltd. 684