----------------------------- ----------------------------------------------------------+ | Grants for alice@localhost | +------------------------------------------------------------------------------ ----------------------------------------------------------+ | GRANT ALL PRIVILEGES ON *.* TO 'alice'@'localhost' IDENTIFIED BY PASSWORD '*2470C0C06DEE42FD1618BB99005ADCA2EC9D1E19' WITH GRANT OPTION | | GRANT PROXY ON 'dba'@'localhost' TO 'alice'@'localhost' WITH GRANT OPTION | +------------------------------------------------------------------------------ ----------------------------------------------------------+ GRANT PROXY ON 'dba'@'localhost' TO 'bob'@'localhost'; A user account can grant the PROXY privilege for any other user account if the granter has the PROXY privilege for the ''@'%' anonymous user account, like this: GRANT PROXY ON ''@'%' TO 'dba'@'localhost' WITH GRANT OPTION; For example, the following example succeeds because the user can grant the PROXY privilege for any other user account: SELECT USER(), CURRENT_USER(); +-----------------+-----------------+ | USER() | CURRENT_USER() | +-----------------+-----------------+ | alice@localhost | alice@localhost | +-----------------+-----------------+ SHOW GRANTS; +------------------------------------------------------------------------------ ----------------------------------------------------------+ | Grants for alice@localhost | +------------------------------------------------------------------------------ ----------------------------------------------------------+ | GRANT ALL PRIVILEGES ON *.* TO 'alice'@'localhost' IDENTIFIED BY PASSWORD '*2470C0C06DEE42FD1618BB99005ADCA2EC9D1E19' WITH GRANT OPTION | | GRANT PROXY ON ''@'%' TO 'alice'@'localhost' WITH GRANT OPTION | +------------------------------------------------------------------------------ ----------------------------------------------------------+ GRANT PROXY ON 'app1_dba'@'localhost' TO 'bob'@'localhost'; Query OK, 0 rows affected (0.004 sec) GRANT PROXY ON 'app2_dba'@'localhost' TO 'carol'@'localhost'; Query OK, 0 rows affected (0.004 sec) The default root user accounts created by mariadb-install-db have this privilege. For example: GRANT ALL PRIVILEGES ON *.* TO 'root'@'localhost' WITH GRANT OPTION; GRANT PROXY ON ''@'%' TO 'root'@'localhost' WITH GRANT OPTION; This allows the default root user accounts to grant the PROXY privilege for any other user account, and it also allows the default root user accounts to grant others the privilege to do the same. Authentication Options ---------------------- The authentication options for the GRANT statement are the same as those for the CREATE USER statement. IDENTIFIED BY 'password' ------------------------ The optional IDENTIFIED BY clause can be used to provide an account with a password. The password should be specified in plain text. It will be hashed by the PASSWORD function prior to being stored. For example, if our password is mariadb, then we can create the user with: GRANT USAGE ON *.* TO foo2@test IDENTIFIED BY 'mariadb'; If you do not specify a password with the IDENTIFIED BY clause, the user will be able to connect without a password. A blank password is not a wildcard to match any password. The user must connect without providing a password if no password is set. If the user account already exists and if you provide the IDENTIFIED BY clause, then the user's password will be changed. You must have the privileges needed for the SET PASSWORD statement to change a user's password with GRANT. The only authentication plugins that this clause supports are mysql_native_password and mysql_old_password. IDENTIFIED BY PASSWORD 'password_hash' -------------------------------------- The optional IDENTIFIED BY PASSWORD clause can be used to provide an account with a password that has already beeŽ ˆí