mysql中触发器的创建与修改权限管理

创建触发器需要哪些权限

在 MySQL 中，

CREATE TRIGGER

TRIGGER

TRIGGER

INSERT

UPDATE

DELETE

常见错误现象：

ERROR 1227 (42000): Access denied; you need (at least one of) the SUPER or TRIGGER privilege(s) for this operation

TRIGGER

ALL PRIVILEGES

TRIGGER

GRANT TRIGGER ON `database_name`.`table_name` TO 'user'@'host';

INSERT

GRANT INSERT ON `database_name`.`table_name` TO 'user'@'host';

sql_log_bin=OFF

修改触发器只能删了重建

MySQL 不支持

ALTER TRIGGER

DROP TRIGGER

CREATE TRIGGER

TRIGGER

DROP

容易踩的坑：

DROP TRIGGER

DROP

ERROR 1142 (42000): DROP command denied to user ... for table ...

DROP

GRANT DROP ON `database_name`.`table_name` TO 'user'@'host';

SHOW CREATE TRIGGER trigger_name;

TRIGGER 权限的作用范围很窄

TRIGGER

ALL PRIVILEGES

GRANT TRIGGER ON db.tbl

典型误操作：

GRANT ALL PRIVILEGES ON `mydb`.* TO 'dev'@'%';

TRIGGER

GRANT TRIGGER ON `mydb`.`users` TO 'dev'@'%';

SELECT * FROM information_schema.ROLE_TABLE_GRANTS WHERE PRIVILEGE_TYPE = 'TRIGGER';

information_schema

TRIGGER

TRIGGER

TRIGGER

DROP

DEFINER 和 SQL SECURITY 影响权限校验时机

触发器的

DEFINER

DEFINER = CURRENT_USER

SQL SECURITY DEFINER

INVOKER

关键点：触发器内执行的语句（如

INSERT INTO log_table

DEFINER

DEFINER

ERROR 1449 (HY000): The user specified as a definer ('xxx'@'%') does not exist

CREATE DEFINER = 'admin'@'localhost' TRIGGER tr_after_insert AFTER INSERT ON orders FOR EACH ROW INSERT INTO audit_log(...) VALUES(...);

CURRENT_USER

DEFINER

SQL SECURITY INVOKER

权限细节容易被忽略的地方在于：TRIGGER 权限必须精确到表，且和 DML 权限分离；修改等于删重建，DROP 权限不可少；DEFINER 用户一旦失效，触发器立即瘫痪——这些都不是语法报错，而是运行时静默失败或拒绝执行。