權限系統的工做原理
MySQL權限系統經過下面兩個階段進行認證:mysql
(1)對鏈接的用戶進行身份認證,合法的用戶經過認證、不合法的用戶拒絕鏈接。算法
(2)對經過認證的合法用戶賦予相應的權限,用戶能夠在這些權限範圍內對數據庫作相應的操做。sql
對於身份,MySQL是經過IP地址和用戶名聯合進行確認的,例如MySQL安裝默認建立的用戶root@localhost表示用戶root只能從本地(localhost)進行鏈接才能夠經過認證,此用戶從其餘任何主機對數據庫進行的鏈接都將被拒絕。也就是說,一樣的一個用戶名,若是來自不一樣的IP地址,則MySQL將其視爲不一樣的用戶。shell
MySQL的權限表在數據庫啓動地時候就載入內存,當用戶經過身份認證後,就在內存中進行相應權限的存取,這樣,此用戶就能夠在數據庫中作權限範圍內的各類操做了。數據庫
權限表的存取
在權限存取的兩個過程當中,系統會用到「mysql」數據庫(安裝MySQL時被建立,數據庫名字叫「mysql」)中user、host和db這3個最重要的權限表安全
| 表名 |
user |
db |
host |
| 用戶列 |
User |
Host |
Host |
| |
Password |
Db |
Db |
| 權限列 |
Select_priv |
User |
Select_priv |
| |
Insert_priv |
Select_priv |
Insert_priv |
| |
Update_priv |
Insert_priv |
Update_priv |
| |
Delete_priv |
Update_priv |
Delete_priv |
| |
Create_priv |
Delete_priv |
Create_priv |
| |
Drop_priv |
Create_priv |
Drop_priv |
| |
Reload_priv |
Drop_priv |
Grant_priv |
| |
Shutdown_priv |
Grant_priv |
References_priv |
| |
Process_priv |
References_priv |
Index_priv |
| |
File_priv |
Index_priv |
Alter_priv |
| |
Grant_priv |
Alter_priv |
Create_tmp_table_priv |
| |
References_priv |
Create_tmp_table_priv |
Lock_tables_priv |
| |
Index_priv |
Lock_tables_priv |
Create_view_priv |
| |
Alter_priv |
Create_view_priv |
Show_view_priv |
| |
Show_db_priv |
Show_view_priv |
Create_routine_priv |
| |
Super_priv |
Create_routine_priv |
Alter_routine_priv |
| |
Create_tmp_table_priv |
Alter_routine_priv |
Execute_priv |
| |
Lock_tables_priv |
Execute_priv |
Trigger_priv |
| |
Execute_priv |
Event_priv |
|
| |
Repl_slave_priv |
Trigger_priv |
|
| |
Repl_client_priv |
|
|
| |
Create_view_priv |
|
|
| |
Show_view_priv |
|
|
| |
Create_routine_priv |
|
|
| |
Alter_routine_priv |
|
|
| |
Create_user_priv |
|
|
| |
Event_priv |
|
|
| |
Trigger_priv |
|
|
| |
Create_tablespace_priv |
|
|
| 安全列 |
ssl_type |
|
|
| |
ssl_cipher |
|
|
| |
x509_issuer |
|
|
| |
x509_subject |
|
|
| |
max_questions |
|
|
| |
max_updates |
|
|
| |
max_connections |
|
|
| |
max_user_connections |
|
|
在這個3表中,最重要的表服務器
其中,一般用得最多的是用戶列和權限列,其中權限列在分爲普通權限和管理權限。普通權限主要用於數據庫的操做,好比select_priv、create_priv等。而管理權限主要用來對數據庫進行管理的操做,好比process_priv、super_priv等。ide
當用戶進行鏈接的時候,權限表的存取過程有如下現個階段。函數
- 先從user表中的host、user和passwd這3個字段中判斷鏈接的IP、用戶名和密碼是否存在於表中,若是存在,則經過身份驗證,不然拒絕鏈接。
- 若是經過身份驗證,則按照如下權限表的順序獲得數據庫權限:user->db->tables_priv->coloumns_priv。
在這幾個權限表中,權限範圍依次遞減,全局權限覆蓋局部權限。加密
上面的第一階段好理解,下面以一個例子來詳細解釋一下第二階段。
(1)建立用戶cqh@localhost,並賦予全部數據庫的全部表的select權限。
| 1 2 3 4 5 6 7 8 9 10 11 12 13 14 |
mysql> grant select on *.* to cqh@localhost;
Query OK, 0 rows affected (0.05 sec)
mysql> select * from user where user='cqh' and host='localhost' \G
*************************** 1. row ***************************
Host: localhost
User: cqh
Password:
Select_priv: Y
Insert_priv: N
Update_priv: N
Delete_priv: N
Create_priv: N
Drop_priv: N
...
|
(2)再來看db表:
| 1 2 |
mysql> select * from db where user='cqh';
Empty set (0.00 sec)
|
能夠發現,user表的select_priv列是「Y」,而db表中並無記錄,也就是說,對全部數據庫都具備相同的權限的用戶記錄並不須要記入db表,而僅僅須要將user表中的select_priv改成「Y」便可。換句話,user表中的每一個權限都表明了對全部數據庫都有的權限。
(3)將cqh@localhost上的權限改成只對test數據庫上全部表的select權限。
| 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 |
mysql> revoke select on *.* from cqh@localhost;
Query OK, 0 rows affected (0.00 sec)
mysql> grant select on test.* to cqh@localhost;
Query OK, 0 rows affected (0.00 sec)
mysql> select * from user where user='cqh' and host='localhost' \G
*************************** 1. row ***************************
Host: localhost
User: cqh
Password:
Select_priv: N
Insert_priv: N
Update_priv: N
Delete_priv: N
Create_priv: N
Drop_priv: N
Reload_priv: N
Shutdown_priv: N
Process_priv: N
File_priv: N
Grant_priv: N
References_priv: N
Index_priv: N
Alter_priv: N
Show_db_priv: N
Super_priv: N
Create_tmp_table_priv: N
Lock_tables_priv: N
Execute_priv: N
Repl_slave_priv: N
Repl_client_priv: N
Create_view_priv: N
Show_view_priv: N
Create_routine_priv: N
Alter_routine_priv: N
Create_user_priv: N
Event_priv: N
Trigger_priv: N
Create_tablespace_priv: N
ssl_type:
ssl_cipher:
x509_issuer:
x509_subject:
max_questions: 0
max_updates: 0
max_connections: 0
max_user_connections: 0
plugin:
authentication_string: NULL
1 row in set (0.00 sec)
mysql> select * from db where user='cqh'\G
*************************** 1. row ***************************
Host: localhost
Db: test
User: cqh
Select_priv: Y
Insert_priv: N
Update_priv: N
Delete_priv: N
Create_priv: N
Drop_priv: N
Grant_priv: N
References_priv: N
Index_priv: N
Alter_priv: N
Create_tmp_table_priv: N
Lock_tables_priv: N
Create_view_priv: N
Show_view_priv: N
Create_routine_priv: N
Alter_routine_priv: N
Execute_priv: N
Event_priv: N
Trigger_priv: N
1 row in set (0.00 sec)
|
這個時候發現,user表中的select_priv變爲「N」,而db表中則增長了db爲test的一條記錄,也就是說,當只授予數據庫某些權限時,user表中的相應權限時,user表中的相應權限列保持「N」,而將具體的數據庫權限寫入db表。
table和column的權限機制和db相似,這裏就再也不贅述了。
從上面的例子能夠看出,當用戶經過權限認證,進行權限分配時,將按照user->db->tables_priv->coloumns_priv的順序進行權限分配,即先檢查全局權限表user,若是user中對應權限爲「Y」,則此用戶對全部數據庫的權限都爲「Y」,將再也不檢查db、tables_priv和coloumns_priv;若是爲「N」,則到db表中檢查此用戶對應的具體數據庫,並獲得db中爲「Y」的權限;若是db中相應的權限爲「N」,則檢查tables_priv中此數據庫對應的具體表,取得表中爲「Y」的權限;若是tables_priv中相應權限爲「N」,則檢查columns_priv中此表對應的具體列,取得列中爲「Y」的權限。
帳號管理
帳號管理主要包括帳號的建立、權限更改和帳號的刪除。用戶鏈接數據庫的第一步都從帳號建立開始。
有兩種方法能夠用來建立帳號:使用GRANT語法建立或者直接操做受權表,但更推薦使用第一種方法,由於操做簡單,出錯概率更少。
方式一.建立帳號
GRANT的經常使用語法以下 :
| 1 2 3 4 5 6 7 8 9 10 11 12 13 14 |
GRANT
priv_type [(column_list)]
[, priv_type [(column_list)]] ...
ON [object_type] priv_level
TO user_specification [, user_specification] ...
[REQUIRE {NONE | ssl_option [[AND] ssl_option] ...}]
[WITH with_option ...]
GRANT PROXY ON user_specification
TO user_specification [, user_specification] ...
[WITH GRANT OPTION]
object_type:
TABLE
| FUNCTION
| PROCEDURE
|
來看下面的幾個例子。
例1:建立用戶cqh,權限爲能夠在全部數據庫上執行全部權限,只能從本地進行鏈接。
| 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 |
mysql> grant all privileges on *.* to cqh@localhost;
Query OK, 0 rows affected (0.00 sec)
mysql> select * from user where user='cqh' and host='localhost' \G
*************************** 1. row ***************************
Host: localhost
User: cqh
Password:
Select_priv: Y
Insert_priv: Y
Update_priv: Y
Delete_priv: Y
Create_priv: Y
Drop_priv: Y
Reload_priv: Y
Shutdown_priv: Y
Process_priv: Y
File_priv: Y
Grant_priv: N
References_priv: Y
Index_priv: Y
Alter_priv: Y
Show_db_priv: Y
Super_priv: Y
Create_tmp_table_priv: Y
Lock_tables_priv: Y
Execute_priv: Y
Repl_slave_priv: Y
Repl_client_priv: Y
Create_view_priv: Y
Show_view_priv: Y
Create_routine_priv: Y
Alter_routine_priv: Y
Create_user_priv: Y
Event_priv: Y
Trigger_priv: Y
Create_tablespace_priv: Y
ssl_type:
ssl_cipher:
x509_issuer:
x509_subject:
max_questions: 0
max_updates: 0
max_connections: 0
max_user_connections: 0
plugin:
authentication_string: NULL
1 row in set (0.00 sec)
|
能夠發現,除了Grant_priv權限外,全部權限在user表裏都是「Y」。
例2:在例1基礎上,增長對cqh的grant權限
| 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 |
mysql> grant all privileges on *.* to cqh@localhost with grant option;
Query OK, 0 rows affected (0.00 sec)
mysql> select * from user where user='cqh' and host='localhost' \G
*************************** 1. row ***************************
Host: localhost
User: cqh
Password:
Select_priv: Y
Insert_priv: Y
Update_priv: Y
Delete_priv: Y
Create_priv: Y
Drop_priv: Y
Reload_priv: Y
Shutdown_priv: Y
Process_priv: Y
File_priv: Y
Grant_priv: Y
References_priv: Y
Index_priv: Y
Alter_priv: Y
Show_db_priv: Y
Super_priv: Y
Create_tmp_table_priv: Y
Lock_tables_priv: Y
Execute_priv: Y
Repl_slave_priv: Y
Repl_client_priv: Y
Create_view_priv: Y
Show_view_priv: Y
Create_routine_priv: Y
Alter_routine_priv: Y
Create_user_priv: Y
Event_priv: Y
Trigger_priv: Y
Create_tablespace_priv: Y
ssl_type:
ssl_cipher:
x509_issuer:
x509_subject:
max_questions: 0
max_updates: 0
max_connections: 0
max_user_connections: 0
plugin:
authentication_string: NULL
1 row in set (0.00 sec)
|
例3:在例2基礎上,設置密碼爲「123」。
| 1 2 |
mysql> grant all privileges on *.* to cqh@localhost identified by '123' with grant option;
Query OK, 0 rows affected (0.00 sec)
|
從user表中查看修改的密碼:
| 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 |
mysql> select * from user where user='cqh' and host='localhost' \G
*************************** 1. row ***************************
Host: localhost
User: cqh
Password: *23AE809DDACAF96AF0FD78ED04B6A265E05AA257
Select_priv: Y
Insert_priv: Y
Update_priv: Y
Delete_priv: Y
Create_priv: Y
Drop_priv: Y
Reload_priv: Y
Shutdown_priv: Y
Process_priv: Y
File_priv: Y
Grant_priv: Y
References_priv: Y
Index_priv: Y
Alter_priv: Y
Show_db_priv: Y
Super_priv: Y
Create_tmp_table_priv: Y
Lock_tables_priv: Y
Execute_priv: Y
Repl_slave_priv: Y
Repl_client_priv: Y
Create_view_priv: Y
Show_view_priv: Y
Create_routine_priv: Y
Alter_routine_priv: Y
Create_user_priv: Y
Event_priv: Y
Trigger_priv: Y
Create_tablespace_priv: Y
ssl_type:
ssl_cipher:
x509_issuer:
x509_subject:
max_questions: 0
max_updates: 0
max_connections: 0
max_user_connections: 0
plugin:
authentication_string: NULL
1 row in set (0.00 sec)
|
能夠發現,密碼變成了一堆加密後的字符串。在MySQL5.0裏面,密碼的算法是生成一個以*開始的41位的字符串,而MySQL4.0以前是16位,所以安全性大大提升。
例4:建立新用戶chenqionghe,能夠從任何IP進行鏈接,權限爲test數據庫裏的全部表進行SELECT、UPDATE、INSERT和DELETE操做,初始密碼爲「123」。
| 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 |
mysql> grant select,insert,update,delete on test.* to 'chenqionghe'@'%' identified by '123';
Query OK, 0 rows affected (0.00 sec)
mysql> select * from user where user='chenqionghe' and host='%' \G
*************************** 1. row ***************************
Host: %
User: chenqionghe
Password: *23AE809DDACAF96AF0FD78ED04B6A265E05AA257
Select_priv: N
Insert_priv: N
Update_priv: N
Delete_priv: N
Create_priv: N
Drop_priv: N
Reload_priv: N
Shutdown_priv: N
Process_priv: N
File_priv: N
Grant_priv: N
References_priv: N
Index_priv: N
Alter_priv: N
Show_db_priv: N
Super_priv: N
Create_tmp_table_priv: N
Lock_tables_priv: N
Execute_priv: N
Repl_slave_priv: N
Repl_client_priv: N
Create_view_priv: N
Show_view_priv: N
Create_routine_priv: N
Alter_routine_priv: N
Create_user_priv: N
Event_priv: N
Trigger_priv: N
Create_tablespace_priv: N
ssl_type:
ssl_cipher:
x509_issuer:
x509_subject:
max_questions: 0
max_updates: 0
max_connections: 0
max_user_connections: 0
plugin:
authentication_string: NULL
1 row in set (0.00 sec)
mysql> select * from db where user='chenqionghe' and host='%' \G
*************************** 1. row ***************************
Host: %
Db: test
User: chenqionghe
Select_priv: Y
Insert_priv: Y
Update_priv: Y
Delete_priv: Y
Create_priv: N
Drop_priv: N
Grant_priv: N
References_priv: N
Index_priv: N
Alter_priv: N
Create_tmp_table_priv: N
Lock_tables_priv: N
Create_view_priv: N
Show_view_priv: N
Create_routine_priv: N
Alter_routine_priv: N
Execute_priv: N
Event_priv: N
Trigger_priv: N
1 row in set (0.00 sec)
|
如上文所述,user表中的權限都是「N」,db表中增長的記錄權限則都是「Y」。通常地,咱們只授予用戶適當的權限,而通常不會授予過多的權限,本例中的權限適合大多數應用帳號。
本例中的IP限制爲全部IP均可以鏈接,所以設置爲「*」,mysql數據庫中是經過user表的host字段來進行控制,host能夠是如下類型的值。
- Host值能夠是主機名或IP號,或「localhost"批出本地主機
- 能夠在Host列值使用通配符字符「%」和「_」。
- Host值「%」匹配任何主機名,空Host值等價於「%」。它們的含義與LIKE操做符的模式匹配操做相同。例如,「%」的Host值與全部主機名匹配,而「%.mysql.com」匹配mysql.com域的全部主機。
host和user組合進行鏈接的例子
| Host值 |
User值 |
被條目匹配的鏈接 |
| cqh.loc.gov |
cqh |
cqh,從cqh.loc.gov鏈接 |
| cqh.loc.gov |
|
任何用戶,從cqh.loc.gov鏈接 |
| % |
cqh |
cqh,從任何主機鏈接 |
| % |
|
任何用戶,從任何主機鏈接 |
| %.loc.gov |
cqh |
cqh,從在loc.gov域的任何主機鏈接 |
| x.y.% |
cqh |
cqh,從x.y.net、x.y.com、x.y.edu等鏈接 |
| 114.115.166.177 |
cqh |
cqh,從有114.115.166.177IP地址的主機鏈接 |
| 114.115.166.% |
cqh |
cqh,從144.155.166C類子網的任何主機鏈接 |
可能你們會有這樣的疑問,若是權限表中的Host既有「cqh.loc.gov」,又有「%」,而此時,鏈接從主機cqh.loc.gov過來。顯然,user表裏面這兩條記錄都符合匹配條件,那系統會選擇哪個呢?
若是有多個匹配,服務器必須選擇使用哪一個條目。按照下述原則來解決:
- 服務器在啓動時讀入user表後進行排序;
- 而後當用戶試圖鏈接時,以排序的順序瀏覽條目;
- 服務器使用與客戶端和用戶名匹配的第一行。
當服務器讀取表時,它首先以最具體的Host值排序。主機名和IP號是具體的。「%」意味着「任何主機」而且是最不特定的。有相同Host值的條目首先以最具體的User值排序(空User值意味着「任何用戶」而且是最不特定的)。
注意:mysql數據庫的user表中host值爲%或者空,表示全部外部IP均可以鏈接,可是不包括本地服務器local,所以,若是要包括本地服務器、必須單獨爲local賦予權限。
例5:授予SUPER、PROCESS、FILE權限給用戶cqh2@%;
| 1 2 |
mysql> grant super,process,file on *.* to 'cqh2'@'%';
Query OK, 0 rows affected (0.00 sec)
|
由於這幾個權限都屬於管理權限,所以不可以指定某個數據庫,on後面必須跟「*.*」,下面的語法將提示錯誤:
| 1 2 |
mysql> grant super,process,file on test.* to 'cqh2'@'%';
ERROR 1221 (HY000): Incorrect usage of DB GRANT and GLOBAL PRIVILEGES
|
例6:只授予登陸權限給cqh3@localhost
| 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 |
mysql> grant usage on *.* to 'cqh3'@'localhost';
Query OK, 0 rows affected (0.00 sec)
mysql> exit
Bye
[root@iZ28dr6w0qvZ ~]# mysql -ucqh3
Welcome to the MySQL monitor. Commands end with ; or \g.
Your MySQL connection id is 1640
Server version: 5.5.37-log MySQL Community Server (GPL)
Copyright (c) 2000, 2014, Oracle and/or its affiliates. All rights reserved.
Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.
Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
mysql> show databases;
+--------------------+
| Database |
+--------------------+
| information_schema |
+--------------------+
1 row in set (0.00 sec)
|
usage權限只能用於數據庫登陸,不能執行任何操做。
直接操做權限表也能夠進行權限的建立,其實GRANT操做的本質就是修改權限後進行權限的刷新,所以,GRANT比操做權限表更簡單,下面繼續以上文的例子來講明一下更新權限的用法。
建立新用戶chenqionghe,能夠從任何IP進行鏈接,權限對test庫裏的全部表進行SELECT、UPDATE、INSERT和DELETE,初始密碼爲123
| 1 |
mysql> grant select,insert,update,delete on test.* to 'chenqionghe'@'%' identified by '123';
|
方式二:直接操做權限表
直接操做權限表以下:
| 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 |
[root@iZ28dr6w0qvZ ~]# mysql -uroot -p
Enter password:
Welcome to the MySQL monitor. Commands end with ; or \g.
Your MySQL connection id is 1560
Server version: 5.5.37-log MySQL Community Server (GPL)
Copyright (c) 2000, 2014, Oracle and/or its affiliates. All rights reserved.
Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.
Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
mysql> use mysql;
Database changed
mysql> insert into db (host,db,user,select_priv,insert_priv,update_priv,delete_priv) values ('%','test','chenqionghe','Y','Y','Y','Y');
Query OK, 1 row affected (0.00 sec)
mysql> flush privileges;
mysql> exit;
Bye
[root@iZ28dr6w0qvZ ~]# mysql -ucqh3
ERROR 1045 (28000): Access denied for user 'cqh3'@'localhost' (using password: NO)
[root@iZ28dr6w0qvZ ~]# mysql -ucqh3 -p
Enter password:
Welcome to the MySQL monitor. Commands end with ; or \g.
Your MySQL connection id is 1643
Server version: 5.5.37-log MySQL Community Server (GPL)
Copyright (c) 2000, 2014, Oracle and/or its affiliates. All rights reserved.
Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.
Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
mysql> show databases;
+--------------------+
| Database |
+--------------------+
| information_schema |
| test |
+--------------------+
2 rows in set (0.00 sec)
|
查看和更改帳號的權限
建立完帳號後,時間長了可能就會忘記分配的權限而須要查看帳號權限,也在可能會通過一段時間後須要更改之前的帳號權限,下面介紹查看和更改這兩種操做命令。
帳號建立好後,能夠經過以下命令查看權限;
| 1 |
show grants for user@host;
|
如如下示例
| 1 2 3 4 5 6 7 8 |
mysql> show grants for cqh@localhost;
+---------------------------------------------------------------------------------------------------------------------------------------+
| Grants for cqh@localhost |
+---------------------------------------------------------------------------------------------------------------------------------------+
| GRANT ALL PRIVILEGES ON *.* TO 'cqh'@'localhost' IDENTIFIED BY PASSWORD '*23AE809DDACAF96AF0FD78ED04B6A265E05AA257' WITH GRANT OPTION |
| GRANT SELECT ON `test`.* TO 'cqh'@'localhost' |
+---------------------------------------------------------------------------------------------------------------------------------------+
2 rows in set (0.00 sec)
|
host能夠不寫,默認是「%」,以下所示
| 1 2 3 4 5 6 7 |
mysql> show grants for chenqionghe;
+------------------------------------------------------------------------------------------------------------+
| Grants for chenqionghe@% |
+------------------------------------------------------------------------------------------------------------+
| GRANT USAGE ON *.* TO 'chenqionghe'@'%' IDENTIFIED BY PASSWORD '*23AE809DDACAF96AF0FD78ED04B6A265E05AA257' |
+------------------------------------------------------------------------------------------------------------+
1 row in set (0.00 sec)
|
對於MySQL5.0之後的版本,也能夠利用新新增的information_schema數據庫進行權限的查看;
| 1 2 3 4 5 6 7 |
mysql> select * from SCHEMA_PRIVILEGES where grantee="'cqh'@'localhost'";
+-------------------+---------------+--------------+----------------+--------------+
| GRANTEE | TABLE_CATALOG | TABLE_SCHEMA | PRIVILEGE_TYPE | IS_GRANTABLE |
+-------------------+---------------+--------------+----------------+--------------+
| 'cqh'@'localhost' | def | test | SELECT | NO |
+-------------------+---------------+--------------+----------------+--------------+
1 row in set (0.00 sec)
|
能夠進行權限的新增和回收。和帳號建立同樣,權限變動也在兩種辦法:使用GRANT(新增)和REVOKE(回收)語句,或者更改權限表。
第二種方法和前面同樣,直接對user、db、tables_priv和columns_priv中的權限進行更新便可,這裏重點介紹第一種方法。
和建立帳號的語法徹底同樣,GRANT能夠直接用來對帳號進行增長。其實GRANT語句在執行的時候,若是權限表中不存在目標帳號,則建立帳號;若是已經存在,則執行權限的新增。來看下面一個例子。
(1)cqh3@localhost目前只有登陸的權限。
| 1 2 3 4 5 6 7 |
mysql> show grants for cqh3@localhost;
+------------------------------------------+
| Grants for cqh3@localhost |
+------------------------------------------+
| GRANT USAGE ON *.* TO 'cqh3'@'localhost' |
+------------------------------------------+
1 row in set (0.00 sec)
|
(2)賦予cqh3@localhost全部數據庫上的全部表的SELECT權限。
| 1 2 3 4 5 6 7 8 9 |
mysql> grant select on *.* to 'cqh3'@'localhost';
Query OK, 0 rows affected (0.00 sec)
mysql> show grants for cqh3@localhost;
+-------------------------------------------+
| Grants for cqh3@localhost |
+-------------------------------------------+
| GRANT SELECT ON *.* TO 'cqh3'@'localhost' |
+-------------------------------------------+
1 row in set (0.00 sec)
|
(3)繼續給cqh3@localhost賦予SELECT和INSERT權限,和已胡的SELECT權限進行合併。
| 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 |
mysql> show grants for cqh3@localhost;
+-------------------------------------------+
| Grants for cqh3@localhost |
+-------------------------------------------+
| GRANT SELECT ON *.* TO 'cqh3'@'localhost' |
+-------------------------------------------+
1 row in set (0.00 sec)
mysql> grant select,insert on *.* to 'cqh3'@'localhost';
Query OK, 0 rows affected (0.00 sec)
mysql> show grants for cqh3@localhost;
+---------------------------------------------------+
| Grants for cqh3@localhost |
+---------------------------------------------------+
| GRANT SELECT, INSERT ON *.* TO 'cqh3'@'localhost' |
+---------------------------------------------------+
1 row in set (0.00 sec)
|
(4)REVOKE語句能夠回收已經賦予的權限,語法以下:
| 1 2 3 4 5 6 7 8 9 |
REVOKE
priv_type [(column_list)]
[, priv_type [(column_list)]] ...
ON [object_type] priv_level
FROM user [, user] ...
REVOKE ALL PRIVILEGES, GRANT OPTION
FROM user [, user] ...
REVOKE PROXY ON user
FROM user [, user] ...
|
對於上面的例子,這裏決定要收回cqh3@localhost上的INSERT和SELECT權限:
| 1 2 3 4 5 6 7 8 9 |
mysql> revoke select,insert on *.* from cqh3@localhost;
Query OK, 0 rows affected (0.00 sec)
mysql> show grants for cqh3@localhost;
+------------------------------------------+
| Grants for cqh3@localhost |
+------------------------------------------+
| GRANT USAGE ON *.* TO 'cqh3'@'localhost' |
+------------------------------------------+
1 row in set (0.00 sec)
|
usage權限不能被回收,也就是說,REVOKE用戶並不能刪除用戶。
| 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 |
mysql> show grants for cqh3@localhost;
+------------------------------------------+
| Grants for cqh3@localhost |
+------------------------------------------+
| GRANT USAGE ON *.* TO 'cqh3'@'localhost' |
+------------------------------------------+
1 row in set (0.00 sec)
mysql> revoke usage on *.* from cqh@localhost;
Query OK, 0 rows affected (0.00 sec)
mysql> show grants for cqh3@localhost;
+------------------------------------------+
| Grants for cqh3@localhost |
+------------------------------------------+
| GRANT USAGE ON *.* TO 'cqh3'@'localhost' |
+------------------------------------------+
1 row in set (0.00 sec)
|
方法1:能夠用mysqladmin命令在命令行指定密碼。
| 1 |
shell> mysqladmin -u user_name -h host_name password "newpwd"
|
方法2:執行SET PASSWORD語句。下例中將帳號'chenqionghe'@'%'的密碼改成「cqh123」
| 1 |
SET PASSWORD FOR 'chenqionghe'@'%' = PASSWORD('cqh123');
|
若是是更改本身的密碼,能夠省略for語句:
| 1 |
SET PASSWORD = PASSWORD('cqh123');
|
方法3:還能夠在全局級別使用GRANT USAGE語句(在*.*)來指定某個帳戶的密碼而不影響帳戶當前的權限。
| 1 |
GRANT USAGE ON *.* TO 'chenqionghe'@'%' IDENTIFIED BY 'cqh123';
|
方法4:直接更改數據庫的user表。
| 1 2 3 4 |
mysql> INSERT INTO user (Host,User,Password) VALUES('%','chenqionghe',PASSWORD('333333'));
mysql> FLUSH PRIVILEGES;
mysql> UPDATE user SET Password = PASSWORD('333333') WHERE Host='%' AND User='chenqionghe';
mysql> FLUSH PRIVILEGES;
|
注意:更改密碼的時候必定要使用PASSWORD函數(mysqladmin和GRANT兩種方式不用寫,會自動加上)。
要完全刪除帳號,一樣也有兩種方法:DROP USER命令和修改權限表。
DROP USER語法很是簡單,具體以下:
| 1 |
DROP USER user [, user] ...
|
舉一個單的例子,將cqh3@localhost用戶刪除
| 1 2 3 4 5 6 7 8 9 10 11 |
mysql> show grants for cqh3@localhost;
+------------------------------------------+
| Grants for cqh3@localhost |
+------------------------------------------+
| GRANT USAGE ON *.* TO 'cqh3'@'localhost' |
+------------------------------------------+
1 row in set (0.00 sec)
mysql> drop user cqh3@localhost;
Query OK, 0 rows affected (0.00 sec)
mysql> show grants for cqh3@localhost;
ERROR 1141 (42000): There is no such grant defined for user 'cqh3' on host 'localhost'
|
修改權限表方法只要把user用戶中的用戶記錄刪除便可,這裏再也不演示