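MySQL User Management

(1). Viewing users and their privileges

  MySQL stores user accounts and privileges in a database named mysql. The five tables that matter most are user, db, tables_priv, columns_priv and procs_priv, and the most important of them is user.

  The user table stores global privileges, which apply to all databases on a given server; in commands they are written as *.*.

  The db table stores database privileges, which apply to all tables in a given database; in commands they are written as [database].*.

  The tables_priv table stores table privileges, which apply to all columns in a given table; in commands they are written as [database].[table].

  The columns_priv table stores column privileges, which apply to a single column in a given table; in commands they are written as ;

  The CREATE ROUTINE, ALTER ROUTINE, EXECUTE and GRANT privileges apply to stored routines. They can be granted at the global and database levels and, except for CREATE ROUTINE, also at the routine level, in which case they are stored in the procs_priv table.

  View the users and where they may connect from (their scope). Note that user + host is the composite primary key of the user table; many of the commands below use this pair to identify a unique account.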

mysql> select user,host from mysql.user;
+---------------+-----------+
| user          | host      |
+---------------+-----------+
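| mysql.session | localhost |  -- localhost is the local machine; the host can also be a subnet such as 192.168.1.% or % for any host
| mysql.sys     | localhost |  -- subnet and any-host scopes are used for remote connections to mysql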
| root          | localhost |
| test          | localhost |
+---------------+-----------+
4 rows in set (0.00 sec)

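  To view a user's privileges, reading through all of those tables is impractical, so use this command instead: show grants for '[username]'@'[scope]'

mysql> show grants for 'root'@'localhost';  -- prints the user's privileges as GRANT statements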
+---------------------------------------------------------------------+
| Grants for root@localhost                                           |
+---------------------------------------------------------------------+
| GRANT ALL PRIVILEGES ON *.* TO 'root'@'localhost' WITH GRANT OPTION |
| GRANT PROXY ON ''@'' TO 'root'@'localhost' WITH GRANT OPTION        |
+---------------------------------------------------------------------+
2 rows in set (0.00 sec)

mysql> show grants for 'test'@'localhost';
+---------------------------------------------------+
| Grants for test@localhost                         |
+---------------------------------------------------+
| GRANT USAGE ON *.* TO 'test'@'localhost'          |  -- USAGE means no privileges
| GRANT SELECT ON `test_db`.* TO 'test'@'localhost' |
+---------------------------------------------------+
2 rows in set (0.00 sec)

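(2). Creating a user

  Check these five parameters: validate_password_policy (password complexity policy), validate_password_length (password length), validate_password_number_count (number of digits in the password), validate_password_special_char_count (number of special characters in the password) and validate_password_mixed_case_count (number of upper-case and lower-case letters in the password). Note that password length >= [number of digits + number of special characters + (2 * number of upper/lower-case letters)].

  Check validate_password_policy first. If the query returns an error or shows LOW, you only need to check validate_password_length as well, and a password that meets that length is enough. For any other value, check all of the parameters and satisfy each character-count requirement.

  For convenience you can of course turn the complexity check off or lower it to LOW, as long as you still pay attention to the strength of the passwords you set. Either add or change validate-password=OFF in the [mysqld] section of /etc/my.cnf and restart the mysqld service, or run set global validate_password_policy=0; inside mysql to lower it to LOW and then flush privileges; to refresh the privilege tables.

  Commands for the five parameters:

select @@[parameter];  -- view the value of a global parameter
set global [parameter]=[value];  -- set the value of a global parameter
flush privileges;  -- refresh the privilege tables

  Command to create a user:

create user '[new username]'@'[scope]' identified by '[password]';
flush privileges;  -- remember to refresh the privilege tables after creating the user

  As mentioned above, the scope can be localhost for the local machine, a subnet such as 192.168.2.%, or % for all external addresses.

  Example: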

mysql> create user 't1'@'localhost' identified by '12345678';
Query OK, 0 rows affected (0.01 sec)

mysql> flush privileges;  -- refresh the privilege tables
Query OK, 0 rows affected (0.00 sec)

mysql> select user,host from mysql.user where user='t1';    
+------+-----------+
| user | host      |
+------+-----------+
| t1   | localhost |
+------+-----------+
1 row in set (0.00 sec)

mysql> show grants for 't1'@'localhost';  -- the account has no privileges yet
+----------------------------------------+
| Grants for t1@localhost                |
+----------------------------------------+
| GRANT USAGE ON *.* TO 't1'@'localhost' |
+----------------------------------------+
1 row in set (0.00 sec)

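(3). Creating a user with privileges, granting privileges to an existing user, and granting privileges to an existing user while changing its password

  All three actually use the same command:

grant [privileges] on [database].[table] to '[username]'@'[scope]' identified by '[password]';
flush privileges;  -- remember to refresh the privilege tables

  ALL PRIVILEGES or ALL grants every privilege; there are also individual privileges such as select, update, insert and delete, separated by commas. For the full list, look at the structure of the mysql.user table.

  When [database].[table] is *.*, it means all databases.

  If identified by '[password]' is omitted, the password stays as it is.

  Example of granting privileges to an existing user:

mysql> grant all privileges on test.* to 't1'@'localhost';  -- the password stays as it is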
Query OK, 0 rows affected (0.00 sec)

mysql> flush privileges;  -- refresh the privilege tables
Query OK, 0 rows affected (0.00 sec)

mysql> show grants for 't1'@'localhost';                       
+------------------------------------------------------+
| Grants for t1@localhost                              |
+------------------------------------------------------+
| GRANT USAGE ON *.* TO 't1'@'localhost'               |
| GRANT ALL PRIVILEGES ON `test`.* TO 't1'@'localhost' |
+------------------------------------------------------+
2 rows in set (0.00 sec)

mysql> exit
Bye
[root@youxi1 ~]# mysql -ut1 -p12345678  # the original password still logs in
mysql: [Warning] Using a password on the command line interface can be insecure.
Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 5
Server version: 5.7.26 MySQL Community Server (GPL)

Copyright (c) 2000, 2019, Oracle and/or its affiliates. All rights reserved.

Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

mysql> 

  Example of granting privileges to an existing user and changing its password:

mysql> grant select on mysql.* to 't1'@'localhost' identified by 'abcdefgh';
Query OK, 0 rows affected, 1 warning (0.00 sec)

mysql> flush privileges;  -- refresh the privilege tables
Query OK, 0 rows affected (0.00 sec)

mysql> show grants for 't1'@'localhost';
+------------------------------------------------------+
| Grants for t1@localhost                              |
+------------------------------------------------------+
| GRANT USAGE ON *.* TO 't1'@'localhost'               |
| GRANT ALL PRIVILEGES ON `test`.* TO 't1'@'localhost' |
| GRANT SELECT ON `mysql`.* TO 't1'@'localhost'        |
+------------------------------------------------------+
3 rows in set (0.01 sec)

mysql> exit
Bye
[root@youxi1 ~]# mysql -ut1 -p12345678  # the original password is now rejected
mysql: [Warning] Using a password on the command line interface can be insecure.
ERROR 1045 (28000): Access denied for user 't1'@'localhost' (using password: YES)
[root@youxi1 ~]# mysql -ut1 -pabcdefgh;  # the new password logs in
mysql: [Warning] Using a password on the command line interface can be insecure.
Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 8
Server version: 5.7.26 MySQL Community Server (GPL)

Copyright (c) 2000, 2019, Oracle and/or its affiliates. All rights reserved.

Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

mysql> 

  Example of creating a user with privileges:

mysql> grant all on test_db.* to 't2'@'localhost' identified by '12345678';
Query OK, 0 rows affected, 1 warning (0.00 sec)

mysql> flush privileges;  -- refresh the privilege tables
Query OK, 0 rows affected (0.00 sec)

mysql> select user,host from mysql.user where user='t2';  -- the user was created
+------+-----------+
| user | host      |
+------+-----------+
| t2   | localhost |
+------+-----------+
1 row in set (0.00 sec)

mysql> show grants for 't2'@'localhost';  -- the privileges are correct
+---------------------------------------------------------+
| Grants for t2@localhost                                 |
+---------------------------------------------------------+
| GRANT USAGE ON *.* TO 't2'@'localhost'                  |
| GRANT ALL PRIVILEGES ON `test_db`.* TO 't2'@'localhost' |
+---------------------------------------------------------+
2 rows in set (0.00 sec)

mysql> exit
Bye
[root@youxi1 ~]# mysql -ut2 -p12345678;  # login works
mysql: [Warning] Using a password on the command line interface can be insecure.
Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 10
Server version: 5.7.26 MySQL Community Server (GPL)

Copyright (c) 2000, 2019, Oracle and/or its affiliates. All rights reserved.

Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

mysql> 
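
  The sessions above report "1 warning" whenever GRANT carries IDENTIFIED BY: that form is deprecated in MySQL 5.7 and removed in MySQL 8.0. The following added example (not from the original page; the account name 'report' and both passwords are constructed placeholders) keeps account creation, grants and password changes in separate statements, so a grant can never change a password as a side effect.

```sql
-- Added example, not from the original page. 'report' and both passwords
-- are constructed placeholders; test_db is the schema used earlier on the page.

-- NO_AUTO_CREATE_USER (part of the default 5.7 sql_mode) makes a GRANT to a
-- missing account without IDENTIFIED BY fail instead of creating the account
-- with an empty password. The query returns 1 when the mode is set.
SELECT @@GLOBAL.sql_mode LIKE '%NO_AUTO_CREATE_USER%' AS no_auto_create_user;

-- 1. Create the account explicitly. IF NOT EXISTS keeps the script
--    re-runnable and leaves an existing account's password alone.
CREATE USER IF NOT EXISTS 'report'@'localhost'
  IDENTIFIED BY 'Constructed-Pass-1!';

-- 2. Grant only what the account needs. Without IDENTIFIED BY the statement
--    cannot change the password.
GRANT SELECT ON test_db.* TO 'report'@'localhost';

-- 3. Change the password as its own statement.
ALTER USER 'report'@'localhost' IDENTIFIED BY 'Constructed-Pass-2!';

-- 4. Verify the result. CREATE USER, GRANT and ALTER USER update the
--    in-memory privilege data themselves; FLUSH PRIVILEGES is only required
--    after editing the mysql.* tables directly with INSERT/UPDATE/DELETE.
SHOW GRANTS FOR 'report'@'localhost';
```

  Running SHOW WARNINGS; directly after a GRANT ... IDENTIFIED BY statement displays the warning that the sessions above only count.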

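(4). Changing a user's password from inside mysql

  The password parameters described above still apply here. The commands to change a password from inside mysql are:

alter user '[username]'@'[scope]' identified by '[new password]';  -- both statements change the password; use either one
set password for '[username]'@'[scope]'=password('[new password]');
flush privileges;  -- refresh the privilege tables

  Only the first one is shown as an example: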

mysql> alter user 't1'@'localhost' identified by '12345678';
Query OK, 0 rows affected (0.01 sec)

mysql> flush privileges;  -- refresh the privilege tables
Query OK, 0 rows affected (0.00 sec)

mysql> exit
Bye
[root@youxi1 ~]# mysql -ut1 -p12345678;
mysql: [Warning] Using a password on the command line interface can be insecure.
Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 12
Server version: 5.7.26 MySQL Community Server (GPL)

Copyright (c) 2000, 2019, Oracle and/or its affiliates. All rights reserved.

Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

mysql> 

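(5). Revoking privileges

  The revoke command has a format similar to the grant command:

revoke [privileges] on [database].[table] from '[username]'@'[scope]';
flush privileges;  -- refresh the privilege tables

  Example:

mysql> show grants for 't1'@'localhost';  -- view the privileges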
+------------------------------------------------------+
| Grants for t1@localhost                              |
+------------------------------------------------------+
| GRANT USAGE ON *.* TO 't1'@'localhost'               |
| GRANT ALL PRIVILEGES ON `test`.* TO 't1'@'localhost' |
| GRANT SELECT ON `mysql`.* TO 't1'@'localhost'        |
+------------------------------------------------------+
3 rows in set (0.00 sec)

mysql> revoke select on mysql.* from 't1'@'localhost';  -- remove the privilege
Query OK, 0 rows affected (0.00 sec)

mysql> flush privileges;  -- refresh the privilege tables
Query OK, 0 rows affected (0.00 sec)

mysql> show grants for 't1'@'localhost';  -- the privilege was removed
+------------------------------------------------------+
| Grants for t1@localhost                              |
+------------------------------------------------------+
| GRANT USAGE ON *.* TO 't1'@'localhost'               |
| GRANT ALL PRIVILEGES ON `test`.* TO 't1'@'localhost' |
+------------------------------------------------------+
2 rows in set (0.01 sec)

(6). Deleting a user

  Deleting a user really means deleting the matching row from the mysql.user table. The commands are:

drop user '[username]'@'[scope]';  -- recommended
delete from mysql.user where user='[username]' and host='[scope]';
flush privileges;  -- refresh the privilege tables

  The first command is recommended, because the second one leaves data behind.

  Example:

mysql> delete from mysql.user where user='t1' and host='localhost';  -- delete the user with the second command
Query OK, 1 row affected (0.00 sec)

mysql> flush privileges;  -- refresh the privilege tables
Query OK, 0 rows affected (0.00 sec)

mysql> show grants for 't1'@'localhost';  -- this command no longer finds the account
ERROR 1141 (42000): There is no such grant defined for user 't1' on host 'localhost'

mysql> select * from mysql.db where user='t1' and host='localhost'\G  -- but the table that actually stores the privileges still has the row
*************************** 1. row ***************************
                 Host: localhost
                   Db: test
                 User: t1
          Select_priv: Y
          Insert_priv: Y
          Update_priv: Y
          Delete_priv: Y
          Create_priv: Y
            Drop_priv: Y
           Grant_priv: N
      References_priv: Y
           Index_priv: Y
           Alter_priv: Y
Create_tmp_table_priv: Y
     Lock_tables_priv: Y
     Create_view_priv: Y
       Show_view_priv: Y
  Create_routine_priv: Y
   Alter_routine_priv: Y
         Execute_priv: Y
           Event_priv: Y
         Trigger_priv: Y
1 row in set (0.00 sec)

mysql> drop user 't2'@'localhost';  -- use the first delete command
Query OK, 0 rows affected (0.01 sec)

mysql> flush privileges;  -- refresh the privilege tables
Query OK, 0 rows affected (0.00 sec)

mysql> select * from mysql.db where user='t2' and host='localhost'\G  -- nothing is left behind
Empty set (0.00 sec)
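
  The leftover mysql.db row for 't1'@'localhost' shown above is a privilege entry keyed to a user and host that no longer exist in mysql.user, and it stays in the grant tables until someone removes it. The following added example (not from the original page) goes beyond the single mysql.db case: it lists such orphaned rows in all four lower-level grant tables named in section (1) and then removes them.

```sql
-- Added example, not from the original page.
-- Audit: privilege rows whose (User, Host) pair has no row in mysql.user.
SELECT 'db' AS grant_table, d.User, d.Host, d.Db, COUNT(*) AS orphan_rows
  FROM mysql.db AS d
  LEFT JOIN mysql.user AS u ON u.User = d.User AND u.Host = d.Host
 WHERE u.User IS NULL
 GROUP BY d.User, d.Host, d.Db
UNION ALL
SELECT 'tables_priv', t.User, t.Host, t.Db, COUNT(*)
  FROM mysql.tables_priv AS t
  LEFT JOIN mysql.user AS u ON u.User = t.User AND u.Host = t.Host
 WHERE u.User IS NULL
 GROUP BY t.User, t.Host, t.Db
UNION ALL
SELECT 'columns_priv', c.User, c.Host, c.Db, COUNT(*)
  FROM mysql.columns_priv AS c
  LEFT JOIN mysql.user AS u ON u.User = c.User AND u.Host = c.Host
 WHERE u.User IS NULL
 GROUP BY c.User, c.Host, c.Db
UNION ALL
SELECT 'procs_priv', p.User, p.Host, p.Db, COUNT(*)
  FROM mysql.procs_priv AS p
  LEFT JOIN mysql.user AS u ON u.User = p.User AND u.Host = p.Host
 WHERE u.User IS NULL
 GROUP BY p.User, p.Host, p.Db;

-- Cleanup: review the audit output first, then delete the orphaned rows.
-- These statements edit the grant tables directly, so FLUSH PRIVILEGES is
-- needed afterwards to reload them.
DELETE d FROM mysql.db AS d
  LEFT JOIN mysql.user AS u ON u.User = d.User AND u.Host = d.Host
 WHERE u.User IS NULL;
DELETE t FROM mysql.tables_priv AS t
  LEFT JOIN mysql.user AS u ON u.User = t.User AND u.Host = t.Host
 WHERE u.User IS NULL;
DELETE c FROM mysql.columns_priv AS c
  LEFT JOIN mysql.user AS u ON u.User = c.User AND u.Host = c.Host
 WHERE u.User IS NULL;
DELETE p FROM mysql.procs_priv AS p
  LEFT JOIN mysql.user AS u ON u.User = p.User AND u.Host = p.Host
 WHERE u.User IS NULL;
FLUSH PRIVILEGES;
```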

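(7). Resetting a forgotten password

  Edit the configuration file. Note: if it contains validate-password=off, comment that line out or delete it, otherwise the restart fails.

[root@youxi1 ~]# vim /etc/my.cnf
skip-grant-tables  # add this line (in the [mysqld] section)
[root@youxi1 ~]# systemctl restart mysqld

  Then log in to mysql, which asks for no password while skip-grant-tables is set, and change the password:

[root@youxi1 ~]# mysql
mysql> update mysql.user set authentication_string=password('654321') where user='root';
mysql> flush privileges;  -- refresh the privilege tables

  Finally, restore the parameters in the configuration file and restart mysqld, then test the login.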
