MySQL Privileges, Authorization and Authentication Explained

Author: 尹正傑

Copyright notice: original work, reproduction prohibited! Violators will be held legally liable.

I. Introduction to the MySQL privilege system
1>. The purpose of the privilege system is to grant a user connecting from a given host the right to query, insert, modify, delete and otherwise operate on the database
2>. It cannot explicitly deny a particular user's connection
3>. The statements that implement privilege control (granting and revoking) are CREATE USER, GRANT and REVOKE
4>. Granted privileges are stored in MySQL's internal database (named mysql) and are copied into memory once the database starts
5>. A MySQL user's identity includes not only the user name but also the host name the connection originates from (the two yinzhengjie accounts below are treated as different users because their host names differ)

>>>SHOW GRANTS FOR 'yinzhengjie'@'node101.yinzhengjie.org.cn';
>>>SHOW GRANTS FOR 'yinzhengjie'@'node102.yinzhengjie.org.cn';

 

II. MySQL privilege levels

1>. MySQL privilege levels

Global administrative privileges apply to the entire MySQL instance;
Database-level privileges apply to one specified database or to all databases;
Database-object-level privileges apply to specified database objects (tables, views, etc.) or to all database objects;

2>. Privileges are stored in the user, db, tables_priv, columns_priv and procs_priv system tables of the mysql database, and are loaded into memory once the MySQL instance starts
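
To see where each level lands in those tables, here is an added example (the editor's, not from the original post) that grants one privilege at each level to a constructed account and then reads the matching rows back. It assumes a MySQL 8.0 server, a session holding CREATE USER and GRANT OPTION, and a hypothetical schema appdb with a table orders; the account name 'report', its host and its password are placeholders.

```sql
-- Added example, not from the original post. Assumes MySQL 8.0, a session with
-- CREATE USER and GRANT OPTION, and a hypothetical schema appdb.orders.
-- The account 'report'@'node101.yinzhengjie.org.cn' and its password are placeholders.
CREATE DATABASE IF NOT EXISTS appdb;
CREATE TABLE IF NOT EXISTS appdb.orders (
  id       INT PRIMARY KEY,
  amount   DECIMAL(10,2),
  customer VARCHAR(64)
);

-- Bind the account to one host: the same name from another host is a different account.
CREATE USER IF NOT EXISTS 'report'@'node101.yinzhengjie.org.cn'
  IDENTIFIED BY 'CHANGE_ME_placeholder';

-- Global level (ON *.*): recorded in mysql.user.
GRANT PROCESS ON *.* TO 'report'@'node101.yinzhengjie.org.cn';

-- Database level (ON appdb.*): recorded in mysql.db.
GRANT SELECT ON appdb.* TO 'report'@'node101.yinzhengjie.org.cn';

-- Table level (ON appdb.orders): recorded in mysql.tables_priv.
GRANT INSERT ON appdb.orders TO 'report'@'node101.yinzhengjie.org.cn';

-- Column level: recorded in mysql.columns_priv, plus a tables_priv row whose
-- Column_priv set lists the column privileges held on that table.
GRANT UPDATE (amount) ON appdb.orders TO 'report'@'node101.yinzhengjie.org.cn';

-- Read back one row per level.
SELECT 'user' AS priv_level, Host, User, Process_priv
  FROM mysql.user WHERE User = 'report';
SELECT 'db' AS priv_level, Host, User, Db, Select_priv
  FROM mysql.db WHERE User = 'report';
SELECT 'tables_priv' AS priv_level, Host, User, Db, Table_name, Table_priv, Column_priv
  FROM mysql.tables_priv WHERE User = 'report';
SELECT 'columns_priv' AS priv_level, Host, User, Db, Table_name, Column_name, Column_priv
  FROM mysql.columns_priv WHERE User = 'report';

-- The server's consolidated view of the same four grants.
SHOW GRANTS FOR 'report'@'node101.yinzhengjie.org.cn';

-- Take the global privilege back: the user row returns to all 'N', but the
-- account keeps USAGE and can still log in.
REVOKE PROCESS ON *.* FROM 'report'@'node101.yinzhengjie.org.cn';

-- Cleanup when done inspecting:
-- DROP USER 'report'@'node101.yinzhengjie.org.cn';
```

GRANT and REVOKE update the in-memory copy of the tables themselves; FLUSH PRIVILEGES (which needs the RELOAD privilege described later) is only required after editing the grant tables directly with INSERT or UPDATE.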

3>. View the privileges of the instance's default root user (from localhost)

mysql> SHOW GRANTS FOR root@localhost\G
*************************** 1. row ***************************
Grants for root@localhost: GRANT SELECT, INSERT, UPDATE, DELETE, CREATE, DROP, RELOAD, SHUTDOWN, PROCESS, FILE, REFERENCES, INDEX, ALTER, SHOW DATABASES, SUPER, CREATE TEMPORARY TABLES, LOCK TABLES, EXECUTE, REPLICATION SLAVE, REPLICATION CLIENT, CREATE VIEW, SHOW VIEW, CREATE ROUTINE, ALTER ROUTINE, CREATE USER, EVENT, TRIGGER, CREATE TABLESPACE, CREATE ROLE, DROP ROLE ON *.* TO `root`@`localhost` WITH GRANT OPTION
*************************** 2. row ***************************
Grants for root@localhost: GRANT APPLICATION_PASSWORD_ADMIN,BACKUP_ADMIN,BINLOG_ADMIN,BINLOG_ENCRYPTION_ADMIN,CONNECTION_ADMIN,ENCRYPTION_KEY_ADMIN,GROUP_REPLICATION_ADMIN,PERSIST_RO_VARIABLES_ADMIN,REPLICATION_SLAVE_ADMIN,RESOURCE_GROUP_ADMIN,RESOURCE_GROUP_USER,ROLE_ADMIN,SERVICE_CONNECTION_ADMIN,SESSION_VARIABLES_ADMIN,SET_USER_ID,SYSTEM_VARIABLES_ADMIN,XA_RECOVER_ADMIN ON *.* TO `root`@`localhost` WITH GRANT OPTION
*************************** 3. row ***************************
Grants for root@localhost: GRANT PROXY ON ''@'' TO 'root'@'localhost' WITH GRANT OPTION
3 rows in set (0.01 sec)

mysql> 

4>. Compare root's rows in the privilege system tables

mysql> SELECT * FROM user WHERE user='root' AND host='localhost'\G
*************************** 1. row ***************************
                    Host: localhost
                    User: root
             Select_priv: Y
             Insert_priv: Y
             Update_priv: Y
             Delete_priv: Y
             Create_priv: Y
               Drop_priv: Y
             Reload_priv: Y
           Shutdown_priv: Y
            Process_priv: Y
               File_priv: Y
              Grant_priv: Y
         References_priv: Y
              Index_priv: Y
              Alter_priv: Y
            Show_db_priv: Y
              Super_priv: Y
   Create_tmp_table_priv: Y
        Lock_tables_priv: Y
            Execute_priv: Y
         Repl_slave_priv: Y
        Repl_client_priv: Y
        Create_view_priv: Y
          Show_view_priv: Y
     Create_routine_priv: Y
      Alter_routine_priv: Y
        Create_user_priv: Y
              Event_priv: Y
            Trigger_priv: Y
  Create_tablespace_priv: Y
                ssl_type: 
              ssl_cipher: 
             x509_issuer: 
            x509_subject: 
           max_questions: 0
             max_updates: 0
         max_connections: 0
    max_user_connections: 0
                  plugin: caching_sha2_password
   authentication_string: $A$005$_DHTgn}dT9t%1>5eMM4wjrUWB.UY3A60WfUlqsZAVP0HhJ3Xxp1bFRs76g9B
        password_expired: N
   password_last_changed: 2019-01-22 05:42:22
       password_lifetime: NULL
          account_locked: N
        Create_role_priv: Y
          Drop_role_priv: Y
  Password_reuse_history: NULL
     Password_reuse_time: NULL
Password_require_current: NULL
         User_attributes: NULL
1 row in set (0.00 sec)

mysql> 
Observe that root@localhost's query/insert/update/delete privileges in the user table are essentially all 'Y' (mysql> SELECT * FROM user WHERE user='root' AND host='localhost'\G)
mysql> SELECT * FROM db WHERE user='root' AND host='localhost'\G
Empty set (0.00 sec)

mysql> 
Observe that root@localhost has no row in the db table (mysql> SELECT * FROM db WHERE user='root' AND host='localhost'\G)
mysql> SELECT * FROM tables_priv WHERE host='localhost' AND user = 'root'\G   
Empty set (0.00 sec)

mysql> 
Observe that root@localhost has no row in the tables_priv table (mysql> SELECT * FROM tables_priv WHERE host='localhost' AND user = 'root'\G)
mysql> SELECT * FROM columns_priv WHERE host='localhost' AND user = 'root'\G 
Empty set (0.00 sec)

mysql> 
Observe that root@localhost has no row in the columns_priv table (mysql> SELECT * FROM columns_priv WHERE host='localhost' AND user = 'root'\G)
mysql> SELECT * FROM procs_priv WHERE host='localhost' AND user = 'root'\G            
Empty set (0.00 sec)

mysql> 
Observe that root@localhost has no row in the procs_priv table (mysql> SELECT * FROM procs_priv WHERE host='localhost' AND user = 'root'\G)

5>. View the privileges of the instance's default mysql.sys user (from localhost)

mysql> SHOW GRANTS FOR 'mysql.sys'@localhost;
+---------------------------------------------------------------+
| Grants for mysql.sys@localhost                                |
+---------------------------------------------------------------+
| GRANT USAGE ON *.* TO `mysql.sys`@`localhost`                 |
| GRANT TRIGGER ON `sys`.* TO `mysql.sys`@`localhost`           |
| GRANT SELECT ON `sys`.`sys_config` TO `mysql.sys`@`localhost` |
+---------------------------------------------------------------+
3 rows in set (0.00 sec)

mysql> 
mysql> SHOW GRANTS FOR 'mysql.sys'@localhost\G
*************************** 1. row ***************************
Grants for mysql.sys@localhost: GRANT USAGE ON *.* TO `mysql.sys`@`localhost`
*************************** 2. row ***************************
Grants for mysql.sys@localhost: GRANT TRIGGER ON `sys`.* TO `mysql.sys`@`localhost`
*************************** 3. row ***************************
Grants for mysql.sys@localhost: GRANT SELECT ON `sys`.`sys_config` TO `mysql.sys`@`localhost`
3 rows in set (0.00 sec)

mysql> 

6>. Compare mysql.sys's rows in the privilege system tables

mysql> SELECT * FROM user WHERE user='mysql.sys' AND host='localhost'\G                
*************************** 1. row ***************************
                    Host: localhost
                    User: mysql.sys
             Select_priv: N
             Insert_priv: N
             Update_priv: N
             Delete_priv: N
             Create_priv: N
               Drop_priv: N
             Reload_priv: N
           Shutdown_priv: N
            Process_priv: N
               File_priv: N
              Grant_priv: N
         References_priv: N
              Index_priv: N
              Alter_priv: N
            Show_db_priv: N
              Super_priv: N
   Create_tmp_table_priv: N
        Lock_tables_priv: N
            Execute_priv: N
         Repl_slave_priv: N
        Repl_client_priv: N
        Create_view_priv: N
          Show_view_priv: N
     Create_routine_priv: N
      Alter_routine_priv: N
        Create_user_priv: N
              Event_priv: N
            Trigger_priv: N
  Create_tablespace_priv: N
                ssl_type: 
              ssl_cipher: 
             x509_issuer: 
            x509_subject: 
           max_questions: 0
             max_updates: 0
         max_connections: 0
    max_user_connections: 0
                  plugin: caching_sha2_password
   authentication_string: $A$005$THISISACOMBINATIONOFINVALIDSALTANDPASSWORDTHATMUSTNEVERBRBEUSED
        password_expired: N
   password_last_changed: 2019-01-22 05:41:42
       password_lifetime: NULL
          account_locked: Y
        Create_role_priv: N
          Drop_role_priv: N
  Password_reuse_history: NULL
     Password_reuse_time: NULL
Password_require_current: NULL
         User_attributes: NULL
1 row in set (0.00 sec)

mysql> 
Observe that mysql.sys@localhost's query/insert/update/delete privileges in the user table are essentially all 'N' (mysql> SELECT * FROM user WHERE user='mysql.sys' AND host='localhost'\G)
mysql> SELECT * FROM db WHERE user='mysql.sys' AND host='localhost'\G
*************************** 1. row ***************************
                 Host: localhost
                   Db: sys
                 User: mysql.sys
          Select_priv: N
          Insert_priv: N
          Update_priv: N
          Delete_priv: N
          Create_priv: N
            Drop_priv: N
           Grant_priv: N
      References_priv: N
           Index_priv: N
           Alter_priv: N
Create_tmp_table_priv: N
     Lock_tables_priv: N
     Create_view_priv: N
       Show_view_priv: N
  Create_routine_priv: N
   Alter_routine_priv: N
         Execute_priv: N
           Event_priv: N
         Trigger_priv: Y
1 row in set (0.00 sec)

mysql> 
Observe that mysql.sys@localhost has only one row in the db table: on the sys database the Trigger_priv field is 'Y' and every other privilege is 'N' (mysql> SELECT * FROM db WHERE user='mysql.sys' AND host='localhost'\G)
mysql> SELECT * FROM tables_priv WHERE user='mysql.sys' AND host='localhost'\G  
*************************** 1. row ***************************
       Host: localhost
         Db: sys
       User: mysql.sys
 Table_name: sys_config
    Grantor: root@localhost
  Timestamp: 2019-01-22 05:41:42
 Table_priv: Select
Column_priv: 
1 row in set (0.00 sec)

mysql> 
mysql> 
Observe that mysql.sys@localhost has only one row in the tables_priv table: SELECT on the sys_config table (mysql> SELECT * FROM tables_priv WHERE user='mysql.sys' AND host='localhost'\G)
mysql> SELECT * FROM columns_priv WHERE user='mysql.sys' AND host='localhost'\G
Empty set (0.00 sec)

mysql> 
Observe that mysql.sys@localhost has no row in the columns_priv table (mysql> SELECT * FROM columns_priv WHERE user='mysql.sys' AND host='localhost'\G)
mysql> SELECT * FROM procs_priv WHERE user='mysql.sys' AND host='localhost'\G       
Empty set (0.00 sec)

mysql> 
mysql> 
Observe that mysql.sys@localhost has no row in the procs_priv table (mysql> SELECT * FROM procs_priv WHERE user='mysql.sys' AND host='localhost'\G)

III. MySQL privileges in detail

1>. ALL / ALL PRIVILEGES

  Stands for all privileges at the global level or on all objects of a database.

2>. ALTER

  Allows changing a table's structure, but the CREATE and INSERT privileges are required as well. For RENAME TABLE, ALTER and DROP on the original table plus CREATE and INSERT on the new table are required.

3>. ALTER ROUTINE

  Allows altering or dropping stored procedures and functions.

4>. CREATE

  Allows creating new databases and tables.

5>. CREATE ROUTINE

  Allows creating stored procedures and functions.

6>. CREATE TABLESPACE

  Allows creating, altering and dropping tablespaces and log file groups.

7>. CREATE TEMPORARY TABLES

  Allows creating temporary tables.

8>. CREATE USER

  Allows creating, altering, dropping and renaming users.

9>. CREATE VIEW

  Allows creating views.

10>. DELETE

  Allows deleting rows.

11>. DROP

  Allows dropping databases, tables and views, including the TRUNCATE TABLE statement.

12>. EVENT

  Allows viewing, creating, altering and dropping MySQL events.

13>. EXECUTE

  Allows executing stored procedures and functions.

14>. FILE

  Allows reading and writing disk files in directories the MySQL server can access; the statements that use it include LOAD DATA INFILE, SELECT ... INTO OUTFILE and the LOAD_FILE() function.

15>. GRANT OPTION

  Whether this user may grant privileges to other users, or revoke privileges it has granted to other users.

16>. INDEX

  Whether creating and dropping indexes is allowed.

17>. INSERT

  Whether inserting rows into tables is allowed; INSERT is also required to run ANALYZE TABLE, OPTIMIZE TABLE and REPAIR TABLE.

18>. LOCK TABLES

  Allows locking tables on which the user holds SELECT, so that other connections cannot read or write them.

19>. PROCESS

  Allows viewing process information in MySQL, for example by running SHOW PROCESSLIST, mysqladmin processlist (command line), SHOW ENGINES and similar commands.

mysql> SHOW PROCESSLIST\G
*************************** 1. row ***************************
     Id: 4
   User: event_scheduler
   Host: localhost
     db: NULL
Command: Daemon
   Time: 4061
  State: Waiting on empty queue
   Info: NULL
*************************** 2. row ***************************
     Id: 8
   User: root
   Host: localhost
     db: mysql
Command: Query
   Time: 0
  State: starting
   Info: SHOW PROCESSLIST
2 rows in set (0.00 sec)

mysql> 
mysql> SHOW ENGINES\G
*************************** 1. row ***************************
      Engine: FEDERATED
     Support: NO
     Comment: Federated MySQL storage engine
Transactions: NULL
          XA: NULL
  Savepoints: NULL
*************************** 2. row ***************************
      Engine: InnoDB
     Support: DEFAULT
     Comment: Supports transactions, row-level locking, and foreign keys
Transactions: YES
          XA: YES
  Savepoints: YES
*************************** 3. row ***************************
      Engine: PERFORMANCE_SCHEMA
     Support: YES
     Comment: Performance Schema
Transactions: NO
          XA: NO
  Savepoints: NO
*************************** 4. row ***************************
      Engine: MyISAM
     Support: YES
     Comment: MyISAM storage engine
Transactions: NO
          XA: NO
  Savepoints: NO
*************************** 5. row ***************************
      Engine: MRG_MYISAM
     Support: YES
     Comment: Collection of identical MyISAM tables
Transactions: NO
          XA: NO
  Savepoints: NO
*************************** 6. row ***************************
      Engine: BLACKHOLE
     Support: YES
     Comment: /dev/null storage engine (anything you write to it disappears)
Transactions: NO
          XA: NO
  Savepoints: NO
*************************** 7. row ***************************
      Engine: MEMORY
     Support: YES
     Comment: Hash based, stored in memory, useful for temporary tables
Transactions: NO
          XA: NO
  Savepoints: NO
*************************** 8. row ***************************
      Engine: CSV
     Support: YES
     Comment: CSV storage engine
Transactions: NO
          XA: NO
  Savepoints: NO
*************************** 9. row ***************************
      Engine: ARCHIVE
     Support: YES
     Comment: Archive storage engine
Transactions: NO
          XA: NO
  Savepoints: NO
9 rows in set (0.00 sec)

mysql> 
[root@node105 ~]# mysqladmin processlist -uroot -pyinzhengjie
mysqladmin: [Warning] Using a password on the command line interface can be insecure.
+----+-----------------+-----------+----+---------+------+------------------------+------------------+
| Id | User            | Host      | db | Command | Time | State                  | Info             |
+----+-----------------+-----------+----+---------+------+------------------------+------------------+
| 4  | event_scheduler | localhost |    | Daemon  | 4650 | Waiting on empty queue |                  |
| 10 | root            | localhost |    | Query   | 0    | starting               | show processlist |
+----+-----------------+-----------+----+---------+------+------------------------+------------------+
[root@node105 ~]# 
[root@node105 ~]# 

20>. REFERENCES

  Introduced in 5.7.6; whether creating foreign keys is allowed.

21>. RELOAD

  Allows executing FLUSH statements, i.e. reloading the privilege tables into server memory; REFRESH closes and reopens the log files and flushes all tables.

22>. REPLICATION CLIENT

  Allows executing SHOW MASTER STATUS, SHOW SLAVE STATUS and SHOW BINARY LOGS.

mysql> SHOW MASTER STATUS;
+---------------+----------+--------------+------------------+-------------------+
| File          | Position | Binlog_Do_DB | Binlog_Ignore_DB | Executed_Gtid_Set |
+---------------+----------+--------------+------------------+-------------------+
| binlog.000003 |      155 |              |                  |                   |
+---------------+----------+--------------+------------------+-------------------+
1 row in set (0.00 sec)

mysql> 
mysql> SHOW SLAVE STATUS;      
Empty set (0.00 sec)

mysql> 
mysql> 
mysql> SHOW BINARY LOGS;
+---------------+-----------+-----------+
| Log_name      | File_size | Encrypted |
+---------------+-----------+-----------+
| binlog.000001 |       513 | No        |
| binlog.000002 |       178 | No        |
| binlog.000003 |       155 | No        |
+---------------+-----------+-----------+
3 rows in set (0.00 sec)

mysql> 
mysql> 

23>. REPLICATION SLAVE

  Allows a slave host to connect to the master through this user in order to set up master-slave replication.

24>. SELECT

  Allows reading data from tables. SELECT statements that read no table data, such as SELECT 1+1 or SELECT PI()+5, do not need it; the SELECT privilege is, however, also required when an UPDATE/DELETE statement contains a WHERE clause.

mysql> SELECT PI()+5;
+----------+
| PI()+5   |
+----------+
| 8.141593 |
+----------+
1 row in set (0.00 sec)

mysql> 

25>. SHOW DATABASES

  Allows listing all database names with the SHOW DATABASES statement.

26>. SHOW VIEW

  Allows viewing a view's definition with the SHOW CREATE VIEW statement.

27>. SHUTDOWN

  Allows shutting down the database instance; the commands include mysqladmin shutdown.

[root@node105 ~]# ss -ntl            
State      Recv-Q Send-Q   Local Address:Port                  Peer Address:Port              
LISTEN     0      128                  *:22                               *:*                  
LISTEN     0      128                 :::3306                            :::*                  
LISTEN     0      128                 :::22                              :::*                  
LISTEN     0      70                  :::33060                           :::*                  
[root@node105 ~]# 
[root@node105 ~]# 
[root@node105 ~]# mysqladmin -uroot -pyinzhengjie shutdown
mysqladmin: [Warning] Using a password on the command line interface can be insecure.
[root@node105 ~]# 
[root@node105 ~]# ss -ntl
State      Recv-Q Send-Q   Local Address:Port                  Peer Address:Port              
LISTEN     0      128                  *:22                               *:*                  
LISTEN     0      128                 :::22                              :::*                  
[root@node105 ~]# 
[root@node105 ~]# 

28>. SUPER

  Allows a series of database administration commands, including KILL to forcibly close a connection, CHANGE MASTER TO to set up replication, and CREATE/ALTER/DROP SERVER.

29>. TRIGGER

  Allows creating, dropping, executing and displaying triggers.

30>. UPDATE

  Allows modifying data in tables.

31>. USAGE

  The default privilege an account has once it is created; by itself it only grants the right to connect and log in.

mysql> CREATE USER yinzhengjie@node105.yinzhengjie.org.cn;
Query OK, 0 rows affected (0.01 sec)

mysql> SHOW GRANTS FOR yinzhengjie@node105.yinzhengjie.org.cn;
+------------------------------------------------------------------+
| Grants for yinzhengjie@node105.yinzhengjie.org.cn                |
+------------------------------------------------------------------+
| GRANT USAGE ON *.* TO `yinzhengjie`@`node105.yinzhengjie.org.cn` |
+------------------------------------------------------------------+
1 row in set (0.00 sec)

mysql> 
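
With the meaning of FILE, SUPER, PROCESS, SHUTDOWN, RELOAD, CREATE USER and GRANT OPTION laid out above, here is an added audit query (the editor's, not the post's) that reads mysql.user and lists every account holding one of those global privileges, bound to any host, or carrying an empty authentication string. It assumes MySQL 8.0 and a session that can read the mysql schema; which privileges count as high impact is the editor's choice. The last statement reads mysql.global_grants, the 8.0 table that holds the dynamic privileges seen in the root output above (BACKUP_ADMIN and the like), which the post does not cover.

```sql
-- Added audit query, not from the original post. Assumes MySQL 8.0 and a session
-- able to read the mysql schema. The "high impact" set is the editor's choice,
-- taken from the privilege descriptions above.
SELECT
  CONCAT(User, '@', Host) AS account,
  plugin,
  account_locked,
  CONCAT_WS(',',
    IF(File_priv        = 'Y', 'FILE',         NULL),
    IF(Super_priv       = 'Y', 'SUPER',        NULL),
    IF(Process_priv     = 'Y', 'PROCESS',      NULL),
    IF(Shutdown_priv    = 'Y', 'SHUTDOWN',     NULL),
    IF(Reload_priv      = 'Y', 'RELOAD',       NULL),
    IF(Create_user_priv = 'Y', 'CREATE USER',  NULL),
    IF(Grant_priv       = 'Y', 'GRANT OPTION', NULL)
  ) AS high_impact_global_privs,
  CASE WHEN Host IN ('%', '') THEN 'any host' ELSE 'host-bound' END AS host_scope,
  CASE WHEN authentication_string = '' THEN 'EMPTY' ELSE 'set' END AS auth_string
FROM mysql.user
WHERE File_priv = 'Y' OR Super_priv = 'Y' OR Process_priv = 'Y'
   OR Shutdown_priv = 'Y' OR Reload_priv = 'Y' OR Create_user_priv = 'Y'
   OR Grant_priv = 'Y' OR Host IN ('%', '') OR authentication_string = ''
ORDER BY User, Host;

-- FILE reaches only as far as the server may touch the filesystem: an empty
-- secure_file_priv means no restriction, NULL disables file import/export.
SHOW VARIABLES LIKE 'secure_file_priv';

-- MySQL 8.0 dynamic privileges (BACKUP_ADMIN, CONNECTION_ADMIN, ... in the root
-- output above) are not flags in mysql.user; they live in mysql.global_grants.
SELECT USER, HOST, PRIV, WITH_GRANT_OPTION
  FROM mysql.global_grants
 WHERE USER NOT IN ('mysql.sys', 'mysql.session', 'mysql.infoschema')
 ORDER BY USER, HOST, PRIV;
```

Run the first query after any GRANT change and compare against the expected administrative accounts; the built-in mysql.sys row from the output above should not appear, since every flag on it is 'N' and the account is locked.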

IV. The system privilege tables

1>. Privileges are stored in five system tables of the mysql database: user, db, tables_priv, columns_priv and procs_priv. Once the MySQL instance has started successfully they are loaded into memory.

• User table:
    Holds account information and global-level (all-database) privileges; it determines which users from which hosts may access the database instance. A global privilege applies to every database.

• Db table:
    Holds database-level privileges; it determines which users from which hosts may access a given database.

• Tables_priv table:
    Holds table-level privileges; it determines which users from which hosts may access a given table in a database.

• Columns_priv table:
    Holds column (field) level privileges; it determines which users from which hosts may access a given column of a table.

• Procs_priv table:
    Holds stored-procedure and function level privileges.

2>. Structure of the user and db privilege tables

mysql> desc mysql.user\G
*************************** 1. row ***************************
  Field: Host
   Type: char(60)
   Null: NO
    Key: PRI
Default: 
  Extra: 
*************************** 2. row ***************************
  Field: User
   Type: char(32)
   Null: NO
    Key: PRI
Default: 
  Extra: 
*************************** 3. row ***************************
  Field: Select_priv
   Type: enum('N','Y')
   Null: NO
    Key: 
Default: N
  Extra: 
*************************** 4. row ***************************
  Field: Insert_priv
   Type: enum('N','Y')
   Null: NO
    Key: 
Default: N
  Extra: 
*************************** 5. row ***************************
  Field: Update_priv
   Type: enum('N','Y')
   Null: NO
    Key: 
Default: N
  Extra: 
*************************** 6. row ***************************
  Field: Delete_priv
   Type: enum('N','Y')
   Null: NO
    Key: 
Default: N
  Extra: 
*************************** 7. row ***************************
  Field: Create_priv
   Type: enum('N','Y')
   Null: NO
    Key: 
Default: N
  Extra: 
*************************** 8. row ***************************
  Field: Drop_priv
   Type: enum('N','Y')
   Null: NO
    Key: 
Default: N
  Extra: 
*************************** 9. row ***************************
  Field: Reload_priv
   Type: enum('N','Y')
   Null: NO
    Key: 
Default: N
  Extra: 
*************************** 10. row ***************************
  Field: Shutdown_priv
   Type: enum('N','Y')
   Null: NO
    Key: 
Default: N
  Extra: 
*************************** 11. row ***************************
  Field: Process_priv
   Type: enum('N','Y')
   Null: NO
    Key: 
Default: N
  Extra: 
*************************** 12. row ***************************
  Field: File_priv
   Type: enum('N','Y')
   Null: NO
    Key: 
Default: N
  Extra: 
*************************** 13. row ***************************
  Field: Grant_priv
   Type: enum('N','Y')
   Null: NO
    Key: 
Default: N
  Extra: 
*************************** 14. row ***************************
  Field: References_priv
   Type: enum('N','Y')
   Null: NO
    Key: 
Default: N
  Extra: 
*************************** 15. row ***************************
  Field: Index_priv
   Type: enum('N','Y')
   Null: NO
    Key: 
Default: N
  Extra: 
*************************** 16. row ***************************
  Field: Alter_priv
   Type: enum('N','Y')
   Null: NO
    Key: 
Default: N
  Extra: 
*************************** 17. row ***************************
  Field: Show_db_priv
   Type: enum('N','Y')
   Null: NO
    Key: 
Default: N
  Extra: 
*************************** 18. row ***************************
  Field: Super_priv
   Type: enum('N','Y')
   Null: NO
    Key: 
Default: N
  Extra: 
*************************** 19. row ***************************
  Field: Create_tmp_table_priv
   Type: enum('N','Y')
   Null: NO
    Key: 
Default: N
  Extra: 
*************************** 20. row ***************************
  Field: Lock_tables_priv
   Type: enum('N','Y')
   Null: NO
    Key: 
Default: N
  Extra: 
*************************** 21. row ***************************
  Field: Execute_priv
   Type: enum('N','Y')
   Null: NO
    Key: 
Default: N
  Extra: 
*************************** 22. row ***************************
  Field: Repl_slave_priv
   Type: enum('N','Y')
   Null: NO
    Key: 
Default: N
  Extra: 
*************************** 23. row ***************************
  Field: Repl_client_priv
   Type: enum('N','Y')
   Null: NO
    Key: 
Default: N
  Extra: 
*************************** 24. row ***************************
  Field: Create_view_priv
   Type: enum('N','Y')
   Null: NO
    Key: 
Default: N
  Extra: 
*************************** 25. row ***************************
  Field: Show_view_priv
   Type: enum('N','Y')
   Null: NO
    Key: 
Default: N
  Extra: 
*************************** 26. row ***************************
  Field: Create_routine_priv
   Type: enum('N','Y')
   Null: NO
    Key: 
Default: N
  Extra: 
*************************** 27. row ***************************
  Field: Alter_routine_priv
   Type: enum('N','Y')
   Null: NO
    Key: 
Default: N
  Extra: 
*************************** 28. row ***************************
  Field: Create_user_priv
   Type: enum('N','Y')
   Null: NO
    Key: 
Default: N
  Extra: 
*************************** 29. row ***************************
  Field: Event_priv
   Type: enum('N','Y')
   Null: NO
    Key: 
Default: N
  Extra: 
*************************** 30. row ***************************
  Field: Trigger_priv
   Type: enum('N','Y')
   Null: NO
    Key: 
Default: N
  Extra: 
*************************** 31. row ***************************
  Field: Create_tablespace_priv
   Type: enum('N','Y')
   Null: NO
    Key: 
Default: N
  Extra: 
*************************** 32. row ***************************
  Field: ssl_type
   Type: enum('','ANY','X509','SPECIFIED')
   Null: NO
    Key: 
Default: 
  Extra: 
*************************** 33. row ***************************
  Field: ssl_cipher
   Type: blob
   Null: NO
    Key: 
Default: NULL
  Extra: 
*************************** 34. row ***************************
  Field: x509_issuer
   Type: blob
   Null: NO
    Key: 
Default: NULL
  Extra: 
*************************** 35. row ***************************
  Field: x509_subject
   Type: blob
   Null: NO
    Key: 
Default: NULL
  Extra: 
*************************** 36. row ***************************
  Field: max_questions
   Type: int(11) unsigned
   Null: NO
    Key: 
Default: 0
  Extra: 
*************************** 37. row ***************************
  Field: max_updates
   Type: int(11) unsigned
   Null: NO
    Key: 
Default: 0
  Extra: 
*************************** 38. row ***************************
  Field: max_connections
   Type: int(11) unsigned
   Null: NO
    Key: 
Default: 0
  Extra: 
*************************** 39. row ***************************
  Field: max_user_connections
   Type: int(11) unsigned
   Null: NO
    Key: 
Default: 0
  Extra: 
*************************** 40. row ***************************
  Field: plugin
   Type: char(64)
   Null: NO
    Key: 
Default: caching_sha2_password
  Extra: 
*************************** 41. row ***************************
  Field: authentication_string
   Type: text
   Null: YES
    Key: 
Default: NULL
  Extra: 
*************************** 42. row ***************************
  Field: password_expired
   Type: enum('N','Y')
   Null: NO
    Key: 
Default: N
  Extra: 
*************************** 43. row ***************************
  Field: password_last_changed
   Type: timestamp
   Null: YES
    Key: 
Default: NULL
  Extra: 
*************************** 44. row ***************************
  Field: password_lifetime
   Type: smallint(5) unsigned
   Null: YES
    Key: 
Default: NULL
  Extra: 
*************************** 45. row ***************************
  Field: account_locked
   Type: enum('N','Y')
   Null: NO
    Key: 
Default: N
  Extra: 
*************************** 46. row ***************************
  Field: Create_role_priv
   Type: enum('N','Y')
   Null: NO
    Key: 
Default: N
  Extra: 
*************************** 47. row ***************************
  Field: Drop_role_priv
   Type: enum('N','Y')
   Null: NO
    Key: 
Default: N
  Extra: 
*************************** 48. row ***************************
  Field: Password_reuse_history
   Type: smallint(5) unsigned
   Null: YES
    Key: 
Default: NULL
  Extra: 
*************************** 49. row ***************************
  Field: Password_reuse_time
   Type: smallint(5) unsigned
   Null: YES
    Key: 
Default: NULL
  Extra: 
*************************** 50. row ***************************
  Field: Password_require_current
   Type: enum('N','Y')
   Null: YES
    Key: 
Default: NULL
  Extra: 
*************************** 51. row ***************************
  Field: User_attributes
   Type: json
   Null: YES
    Key: 
Default: NULL
  Extra: 
51 rows in set (0.00 sec)

mysql> 
View the user table structure (mysql> desc mysql.user\G)
mysql> desc mysql.db\G
*************************** 1. row ***************************
  Field: Host
   Type: char(60)
   Null: NO
    Key: PRI
Default: 
  Extra: 
*************************** 2. row ***************************
  Field: Db
   Type: char(64)
   Null: NO
    Key: PRI
Default: 
  Extra: 
*************************** 3. row ***************************
  Field: User
   Type: char(32)
   Null: NO
    Key: PRI
Default: 
  Extra: 
*************************** 4. row ***************************
  Field: Select_priv
   Type: enum('N','Y')
   Null: NO
    Key: 
Default: N
  Extra: 
*************************** 5. row ***************************
  Field: Insert_priv
   Type: enum('N','Y')
   Null: NO
    Key: 
Default: N
  Extra: 
*************************** 6. row ***************************
  Field: Update_priv
   Type: enum('N','Y')
   Null: NO
    Key: 
Default: N
  Extra: 
*************************** 7. row ***************************
  Field: Delete_priv
   Type: enum('N','Y')
   Null: NO
    Key: 
Default: N
  Extra: 
*************************** 8. row ***************************
  Field: Create_priv
   Type: enum('N','Y')
   Null: NO
    Key: 
Default: N
  Extra: 
*************************** 9. row ***************************
  Field: Drop_priv
   Type: enum('N','Y')
   Null: NO
    Key: 
Default: N
  Extra: 
*************************** 10. row ***************************
  Field: Grant_priv
   Type: enum('N','Y')
   Null: NO
    Key: 
Default: N
  Extra: 
*************************** 11. row ***************************
  Field: References_priv
   Type: enum('N','Y')
   Null: NO
    Key: 
Default: N
  Extra: 
*************************** 12. row ***************************
  Field: Index_priv
   Type: enum('N','Y')
   Null: NO
    Key: 
Default: N
  Extra: 
*************************** 13. row ***************************
  Field: Alter_priv
   Type: enum('N','Y')
   Null: NO
    Key: 
Default: N
  Extra: 
*************************** 14. row ***************************
  Field: Create_tmp_table_priv
   Type: enum('N','Y')
   Null: NO
    Key: 
Default: N
  Extra: 
*************************** 15. row ***************************
  Field: Lock_tables_priv
   Type: enum('N','Y')
   Null: NO
    Key: 
Default: N
  Extra: 
*************************** 16. row ***************************
  Field: Create_view_priv
   Type: enum('N','Y')
   Null: NO
    Key: 
Default: N
  Extra: 
*************************** 17. row ***************************
  Field: Show_view_priv
   Type: enum('N','Y')
   Null: NO
    Key: 
Default: N
  Extra: 
*************************** 18. row ***************************
  Field: Create_routine_priv
   Type: enum('N','Y')
   Null: NO
    Key: 
Default: N
  Extra: 
*************************** 19. row ***************************
  Field: Alter_routine_priv
   Type: enum('N','Y')
   Null: NO
    Key: 
Default: N
  Extra: 
*************************** 20. row ***************************
  Field: Execute_priv
   Type: enum('N','Y')
   Null: NO
    Key: 
Default: N
  Extra: 
*************************** 21. row ***************************
  Field: Event_priv
   Type: enum('N','Y')
   Null: NO
    Key: 
Default: N
  Extra: 
*************************** 22. row ***************************
  Field: Trigger_priv
   Type: enum('N','Y')
   Null: NO
    Key: 
Default: N
  Extra: 
22 rows in set (0.00 sec)

mysql> 
View the db table structure (mysql> desc mysql.db\G)
Special fields in the user table structure
    • Plugin, password and authentication_string are the three fields holding the user's authentication information
    • Password_expired set to 'Y' means the DBA has expired this user's password; after expiry the user must reset it (ALTER USER / SET PASSWORD)
    • Password_last_changed is a timestamp recording when the password was last changed; it is updated automatically whenever CREATE USER / ALTER USER / SET PASSWORD / GRANT creates the user or changes its password
    • Password_lifetime is the number of days after password_last_changed at which the password expires
    • Account_locked means the account is locked and cannot be used
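
The fields just listed are driven by ALTER USER, and reading them back is how a DBA verifies a password policy. Here is an added example (the editor's, not from the original post) that sets a lifetime, forces expiry, locks an account, and then reports every unlocked account whose password has outlived its lifetime. It assumes MySQL 8.0 and a session with CREATE USER; the account 'report', its host and password are placeholders, and the 180-day fallback threshold is the editor's choice.

```sql
-- Added example, not from the original post. Assumes MySQL 8.0 and a session with
-- CREATE USER; the account name, host and password are placeholders.
CREATE USER IF NOT EXISTS 'report'@'node101.yinzhengjie.org.cn'
  IDENTIFIED BY 'CHANGE_ME_placeholder';

-- Per-account lifetime: stores password_lifetime = 90. NULL means the server
-- default (default_password_lifetime) applies; 0 means the password never expires.
ALTER USER 'report'@'node101.yinzhengjie.org.cn' PASSWORD EXPIRE INTERVAL 90 DAY;

-- Expire now: sets password_expired = 'Y'. The account can still connect, but in
-- sandbox mode only a password reset (ALTER USER ... IDENTIFIED BY / SET PASSWORD)
-- is accepted until the owner has changed it.
ALTER USER 'report'@'node101.yinzhengjie.org.cn' PASSWORD EXPIRE;

-- Lock it: sets account_locked = 'Y'; new logins are refused outright.
ALTER USER 'report'@'node101.yinzhengjie.org.cn' ACCOUNT LOCK;

-- The fields described above, as they now stand for this account.
SELECT User, Host, password_expired, password_lifetime,
       password_last_changed, account_locked
  FROM mysql.user
 WHERE User = 'report' AND Host = 'node101.yinzhengjie.org.cn';

-- Stale-password report over all unlocked, not-yet-expired accounts: a password
-- older than its effective lifetime, or, when the effective lifetime is 0 (never
-- expires), older than an editor-chosen 180 days.
SELECT User, Host, password_last_changed,
       DATEDIFF(NOW(), password_last_changed) AS age_days,
       COALESCE(password_lifetime, @@global.default_password_lifetime) AS effective_lifetime_days
  FROM mysql.user
 WHERE account_locked = 'N'
   AND password_expired = 'N'
   AND (
         (COALESCE(password_lifetime, @@global.default_password_lifetime) > 0
          AND DATEDIFF(NOW(), password_last_changed)
              > COALESCE(password_lifetime, @@global.default_password_lifetime))
      OR (COALESCE(password_lifetime, @@global.default_password_lifetime) = 0
          AND DATEDIFF(NOW(), password_last_changed) > 180)
       )
 ORDER BY age_days DESC;

-- Unlock once the owner has reset the password.
ALTER USER 'report'@'node101.yinzhengjie.org.cn' ACCOUNT UNLOCK;
```

Accounts whose password_last_changed is NULL drop out of the report because DATEDIFF returns NULL for them; if such rows exist they deserve a separate look rather than silent exclusion.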

3>. Structure of the tables_priv and columns_priv privilege tables

mysql> desc mysql.tables_priv\G
*************************** 1. row ***************************
  Field: Host
   Type: char(60)
   Null: NO
    Key: PRI
Default: 
  Extra: 
*************************** 2. row ***************************
  Field: Db
   Type: char(64)
   Null: NO
    Key: PRI
Default: 
  Extra: 
*************************** 3. row ***************************
  Field: User
   Type: char(32)
   Null: NO
    Key: PRI
Default: 
  Extra: 
*************************** 4. row ***************************
  Field: Table_name
   Type: char(64)
   Null: NO
    Key: PRI
Default: 
  Extra: 
*************************** 5. row ***************************
  Field: Grantor
   Type: char(93)
   Null: NO
    Key: MUL
Default: 
  Extra: 
*************************** 6. row ***************************
  Field: Timestamp
   Type: timestamp
   Null: NO
    Key: 
Default: CURRENT_TIMESTAMP
  Extra: DEFAULT_GENERATED on update CURRENT_TIMESTAMP
*************************** 7. row ***************************
  Field: Table_priv
   Type: set('Select','Insert','Update','Delete','Create','Drop','Grant','References','Index','Alter','Create View','Show view','Trigger')
   Null: NO
    Key: 
Default: 
  Extra: 
*************************** 8. row ***************************
  Field: Column_priv
   Type: set('Select','Insert','Update','References')
   Null: NO
    Key: 
Default: 
  Extra: 
8 rows in set (0.00 sec)

mysql> 
View the tables_priv table structure; the Grantor and Timestamp fields are currently unused (mysql> desc mysql.tables_priv\G)
mysql> desc mysql.columns_priv\G
*************************** 1. row ***************************
  Field: Host
   Type: char(60)
   Null: NO
    Key: PRI
Default: 
  Extra: 
*************************** 2. row ***************************
  Field: Db
   Type: char(64)
   Null: NO
    Key: PRI
Default: 
  Extra: 
*************************** 3. row ***************************
  Field: User
   Type: char(32)
   Null: NO
    Key: PRI
Default: 
  Extra: 
*************************** 4. row ***************************
  Field: Table_name
   Type: char(64)
   Null: NO
    Key: PRI
Default: 
  Extra: 
*************************** 5. row ***************************
  Field: Column_name
   Type: char(64)
   Null: NO
    Key: PRI
Default: 
  Extra: 
*************************** 6. row ***************************
  Field: Timestamp
   Type: timestamp
   Null: NO
    Key: 
Default: CURRENT_TIMESTAMP
  Extra: DEFAULT_GENERATED on update CURRENT_TIMESTAMP
*************************** 7. row ***************************
  Field: Column_priv
   Type: set('Select','Insert','Update','References')
   Null: NO
    Key: 
Default: 
  Extra: 
7 rows in set (0.00 sec)

mysql>
Structure of the columns_priv table (mysql> desc mysql.columns_priv\G)
Structure of the procs_priv privilege table
    • Routine_type is an enum that records whether the entry is a stored procedure or a function
    • The Timestamp and Grantor columns are not used for now

4>.Field length limits of the system privilege tables

 

5>.Case sensitivity in privilege authentication

• The user, password, authentication_string, db and table_name columns are case-sensitive
• The host, column_name and routine_name columns are case-insensitive
mysql> CREATE USER yinzhengjie@node110.yinzhengjie.org.cn;
Query OK, 0 rows affected (0.00 sec)

mysql> 
mysql> CREATE USER Yinzhengjie@node110.yinzhengjie.org.cn;       
Query OK, 0 rows affected (0.00 sec)

mysql> 
mysql> select User,Host from mysql.user where Host='node110.yinzhengjie.org.cn';
+-------------+----------------------------+
| User        | Host                       |
+-------------+----------------------------+
| Yinzhengjie | node110.yinzhengjie.org.cn |
| yinzhengjie | node110.yinzhengjie.org.cn |
+-------------+----------------------------+
2 rows in set (0.00 sec)

mysql> 
mysql> 
User names are case-sensitive; in other words, upper and lower case are distinguished. (mysql> CREATE USER Yinzhengjie@node105.yinzhengjie.org.cn; )
mysql> CREATE USER jason@node110.yinzhengjie.org.cn;
Query OK, 0 rows affected (0.00 sec)

mysql> 
mysql> CREATE USER jason@NODE110.yinzhengjie.org.cn;       # This fails, which shows that MySQL host names are case-insensitive: an upper-case host name is converted to lower case before it is compared against the user table!
ERROR 1396 (HY000): Operation CREATE USER failed for 'jason'@'node110.yinzhengjie.org.cn'
mysql> 
mysql> 
mysql> select User,Host from mysql.user where Host='node110.yinzhengjie.org.cn';
+-------------+----------------------------+
| User        | Host                       |
+-------------+----------------------------+
| Yinzhengjie | node110.yinzhengjie.org.cn |
| jason       | node110.yinzhengjie.org.cn |
| yinzhengjie | node110.yinzhengjie.org.cn |
+-------------+----------------------------+
3 rows in set (0.00 sec)

mysql> 
mysql> 
Host names are case-insensitive; in other words, upper and lower case are not distinguished (mysql> CREATE USER jason@node110.yinzhengjie.org.cn;)

6>.Viewing a user's privilege information

mysql> SHOW GRANTS FOR 'root'@'localhost'\G
*************************** 1. row ***************************
Grants for root@localhost: GRANT SELECT, INSERT, UPDATE, DELETE, CREATE, DROP, RELOAD, SHUTDOWN, PROCESS, FILE, REFERENCES, INDEX, ALTER, SHOW DATABASES, SUPER, CREATE TEMPORARY TABLES, LOCK TABLES, EXECUTE, REPLICATION SLAVE, REPLICATION CLIENT, CREATE VIEW, SHOW VIEW, CREATE ROUTINE, ALTER ROUTINE, CREATE USER, EVENT, TRIGGER, CREATE TABLESPACE, CREATE ROLE, DROP ROLE ON *.* TO `root`@`localhost` WITH GRANT OPTION
*************************** 2. row ***************************
Grants for root@localhost: GRANT APPLICATION_PASSWORD_ADMIN,BACKUP_ADMIN,BINLOG_ADMIN,BINLOG_ENCRYPTION_ADMIN,CONNECTION_ADMIN,ENCRYPTION_KEY_ADMIN,GROUP_REPLICATION_ADMIN,PERSIST_RO_VARIABLES_ADMIN,REPLICATION_SLAVE_ADMIN,RESOURCE_GROUP_ADMIN,RESOURCE_GROUP_USER,ROLE_ADMIN,SERVICE_CONNECTION_ADMIN,SESSION_VARIABLES_ADMIN,SET_USER_ID,SYSTEM_VARIABLES_ADMIN,XA_RECOVER_ADMIN ON *.* TO `root`@`localhost` WITH GRANT OPTION
*************************** 3. row ***************************
Grants for root@localhost: GRANT PROXY ON ''@'' TO 'root'@'localhost' WITH GRANT OPTION
3 rows in set (0.00 sec)

mysql> 
View the privileges already granted to a user (mysql> SHOW GRANTS FOR 'root'@'localhost'\G)
mysql> SHOW CREATE USER root@localhost\G
*************************** 1. row ***************************
CREATE USER for root@localhost: CREATE USER 'root'@'localhost' IDENTIFIED WITH 'caching_sha2_password' AS '$A$005$_DHTgn}dT9t%1>5eMM4wjrUWB.UY3A60WfUlqsZAVP0HhJ3Xxp1bFRs76g9B' REQUIRE NONE PASSWORD EXPIRE DEFAULT ACCOUNT UNLOCK PASSWORD HISTORY DEFAULT PASSWORD REUSE INTERVAL DEFAULT PASSWORD REQUIRE CURRENT DEFAULT
1 row in set (0.00 sec)

mysql> 
mysql> 
View a user's other, non-privilege attributes (mysql> SHOW CREATE USER root@localhost\G)

 

5.MySQL authorized users

1>.Components of a MySQL authorized user

   A MySQL account consists of two parts: the user name and the host the login comes from. The following rules apply to user names and host names:

    • An account is written as 'user_name'@'host_name'
    • The single quotes are not required, but they are mandatory if the name contains special characters
    • ''@'localhost' denotes the anonymous user
    • host_name may be a host name or an IPv4/IPv6 address. localhost denotes the local machine, 127.0.0.1 is the IPv4 loopback address and ::1 the IPv6 loopback address
    • The host_name part allows the two pattern characters % and _. For example, '%' means all hosts, '%.mysql.com' means all hosts in the mysql.com domain, and '192.168.1.%' means all hosts in the 192.168.1 subnet
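The account-matching rules above, together with the case-sensitivity rules from section 5 (user names case-sensitive, host names not), as an added example that is not code from the original post. The account list and the function names (host_pattern, account_matches, first_match) are my own constructions; the host names are the ones used on this page.

```python
import re
from typing import List, Optional, Tuple

# Added example, not code from the original post: a small model of how MySQL
# matches a connecting client against its 'user'@'host' accounts, following
# the rules stated in the text. The account list is constructed for this demo.
Account = Tuple[str, str]  # (user, host) as stored in mysql.user

SAMPLE_ACCOUNTS: List[Account] = [
    ("jason", "node110.yinzhengjie.org.cn"),       # literal host, most specific
    ("Yinzhengjie", "node110.yinzhengjie.org.cn"),
    ("yinzhengjie", "node110.yinzhengjie.org.cn"),
    ("jason", "%.yinzhengjie.org.cn"),             # any host in the domain
    ("jason", "172.30.1.%"),                       # any host in the 172.30.1 subnet
    ("", "localhost"),                             # anonymous user, local logins only
]


def host_pattern(host: str) -> "re.Pattern[str]":
    """Compile a host spec into an anchored, case-insensitive regex.

    % matches any run of characters and _ exactly one character, as with LIKE;
    everything else is literal. Host names are compared case-insensitively.
    """
    parts = []
    for ch in host:
        if ch == "%":
            parts.append(".*")
        elif ch == "_":
            parts.append(".")
        else:
            parts.append(re.escape(ch))
    return re.compile("^" + "".join(parts) + "$", re.IGNORECASE)


def account_matches(account: Account, user: str, host: str) -> bool:
    """True if the client (user, host) is accepted by this account row."""
    acct_user, acct_host = account
    # The user part is an exact, case-sensitive comparison; a blank user is
    # the anonymous account and accepts any user name.
    if acct_user != "" and acct_user != user:
        return False
    return host_pattern(acct_host).match(host) is not None


def specificity(account: Account) -> Tuple[Tuple[int, int], int]:
    """Sort key approximating MySQL's ordering of the user table: rows with a
    literal host come first, then wildcard hosts (a later first wildcard is
    treated as more specific), and a named user beats the anonymous user."""
    acct_user, acct_host = account
    wild = [i for i, c in enumerate(acct_host) if c in "%_"]
    host_rank = (0, 0) if not wild else (1, -wild[0])
    return (host_rank, 1 if acct_user == "" else 0)


def first_match(accounts: List[Account], user: str, host: str) -> Optional[Account]:
    """Return the account row MySQL would use for this client, or None."""
    for account in sorted(accounts, key=specificity):
        if account_matches(account, user, host):
            return account
    return None


if __name__ == "__main__":
    for user, host in [("jason", "NODE110.yinzhengjie.org.cn"),
                       ("Jason", "node110.yinzhengjie.org.cn"),
                       ("jason", "node103.yinzhengjie.org.cn"),
                       ("anyone", "localhost")]:
        print(f"{user}@{host} -> {first_match(SAMPLE_ACCOUNTS, user, host)}")
```

The model deliberately leaves out what the page does not cover, such as the IP/netmask host form and the server's reverse DNS lookup of the client address; the specificity ordering is a simplification of the server's own sort.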

2>.When privilege changes take effect

    • After privileges are modified with GRANT, REVOKE, SET PASSWORD or RENAME USER, MySQL automatically reloads the modified privilege information into memory
    • If the system privilege tables above are modified directly with INSERT/UPDATE/DELETE, a privilege-reload command must be run before the change reaches memory; the reload commands are flush privileges, mysqladmin flush-privileges and mysqladmin reload
    • For table- and column-level privilege changes, the new privileges apply from the client's next operation
    • For database-level changes, the new privileges apply after the client runs USE database
    • For global-level changes, the client must reconnect before the new privileges apply
    • --skip-grant-tables bypasses all system privilege tables and lets every user log in; use it only temporarily in exceptional situations

3>.Ways to connect as a MySQL user

[root@node105 ~]# mysql --user=root --password mysql
Enter password: 
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A

Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 14
Server version: 8.0.14 MySQL Community Server - GPL

Copyright (c) 2000, 2019, Oracle and/or its affiliates. All rights reserved.

Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

mysql> select database();
+------------+
| database() |
+------------+
| mysql      |
+------------+
1 row in set (0.00 sec)

mysql> 
mysql> quit
Bye
[root@node105 ~]# 
[root@node105 ~]# 
Method one: connect to the named database with the full command-line options ([root@node105 ~]# mysql --user=root --password mysql)
[root@node105 ~]# mysql --user=root -p mysql        
Enter password: 
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A

Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 15
Server version: 8.0.14 MySQL Community Server - GPL

Copyright (c) 2000, 2019, Oracle and/or its affiliates. All rights reserved.

Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

mysql> select database();
+------------+
| database() |
+------------+
| mysql      |
+------------+
1 row in set (0.00 sec)

mysql> quit
Bye
[root@node105 ~]# 
Method two: the short form of the password option from method one ([root@node105 ~]# mysql --user=root -p mysql )
[root@node105 ~]# mysql --user=root --password=yinzhengjie mysql
mysql: [Warning] Using a password on the command line interface can be insecure.
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A

Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 16
Server version: 8.0.14 MySQL Community Server - GPL

Copyright (c) 2000, 2019, Oracle and/or its affiliates. All rights reserved.

Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

mysql> select database();
+------------+
| database() |
+------------+
| mysql      |
+------------+
1 row in set (0.00 sec)

mysql> quit
Bye
[root@node105 ~]# 
[root@node105 ~]# history  |  tail -5
  282  mysql --user=yinzhengjie@node105.yinzhengjie.org.cn --password mysql
  283  mysql --user=root --password mysql
  284  mysql --user=root -p mysql
  285  mysql --user=root --password=yinzhengjie mysql     # the password has been recorded by history
  286  history  |  tail -5
[root@node105 ~]# 
Method three: full options with the password given inline to connect to the named database; this easily leaks the password into history and is not recommended ([root@node105 ~]# mysql --user=root --password=yinzhengjie mysql)
[root@node105 ~]# mysql -uroot -pyinzhengjie mysql
mysql: [Warning] Using a password on the command line interface can be insecure.
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A

Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 17
Server version: 8.0.14 MySQL Community Server - GPL

Copyright (c) 2000, 2019, Oracle and/or its affiliates. All rights reserved.

Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

mysql> select database();
+------------+
| database() |
+------------+
| mysql      |
+------------+
1 row in set (0.00 sec)

mysql> quit;
Bye
[root@node105 ~]# history  |  tail -2             
  289  mysql -uroot -pyinzhengjie mysql
  290  history  |  tail -2
[root@node105 ~]# 
Method four: the short form of method three. Because it leaks the password just as easily, I do not recommend it either, although it hardly matters in a test environment ([root@node105 ~]# mysql -uroot -pyinzhengjie mysql)

4>.Creating MySQL users: worked examples

   There are two ways to create a MySQL authorized user:

    Method one: run CREATE USER/GRANT (recommended by the author)

    Method two: INSERT directly into the MySQL system privilege tables (not recommended)

mysql> SELECT User,Host from mysql.user;
+------------------+-----------+
| User             | Host      |
+------------------+-----------+
| mysql.infoschema | localhost |
| mysql.session    | localhost |
| mysql.sys        | localhost |
| root             | localhost |
+------------------+-----------+
4 rows in set (0.00 sec)

mysql> 
mysql> 
mysql> CREATE USER 'jason'@'node110.yinzhengjie.org.cn' IDENTIFIED BY 'yinzhengjie'; 
Query OK, 0 rows affected (0.00 sec)

mysql> 
mysql> SELECT User,Host from mysql.user;
+------------------+----------------------------+
| User             | Host                       |
+------------------+----------------------------+
| mysql.infoschema | localhost                  |
| mysql.session    | localhost                  |
| mysql.sys        | localhost                  |
| root             | localhost                  |
| jason            | node110.yinzhengjie.org.cn |
+------------------+----------------------------+
5 rows in set (0.00 sec)

mysql> 
Create the user (mysql> CREATE USER 'jason'@'node110.yinzhengjie.org.cn' IDENTIFIED BY 'yinzhengjie';)
mysql> SHOW GRANTS FOR 'jason'@'node110.yinzhengjie.org.cn';
+------------------------------------------------------------+
| Grants for jason@node110.yinzhengjie.org.cn                |
+------------------------------------------------------------+
| GRANT USAGE ON *.* TO `jason`@`node110.yinzhengjie.org.cn` |
+------------------------------------------------------------+
1 row in set (0.00 sec)

mysql> 
After creating the user, view its default privileges (mysql> SHOW GRANTS FOR 'jason'@'node110.yinzhengjie.org.cn';)
mysql> SHOW GRANTS FOR 'jason'@'node110.yinzhengjie.org.cn';
+------------------------------------------------------------+
| Grants for jason@node110.yinzhengjie.org.cn                |
+------------------------------------------------------------+
| GRANT USAGE ON *.* TO `jason`@`node110.yinzhengjie.org.cn` |
+------------------------------------------------------------+
1 row in set (0.00 sec)

mysql> 
mysql> CREATE DATABASE yinzhengjie;
Query OK, 1 row affected (0.00 sec)

mysql> show databases;
+--------------------+
| Database           |
+--------------------+
| information_schema |
| mysql              |
| performance_schema |
| sys                |
| yinzhengjie        |
+--------------------+
5 rows in set (0.00 sec)

mysql> 
mysql> GRANT ALL PRIVILEGES ON yinzhengjie.* TO `jason`@`node110.yinzhengjie.org.cn` WITH GRANT OPTION;
Query OK, 0 rows affected (0.00 sec)

mysql> 
mysql> SHOW GRANTS FOR 'jason'@'node110.yinzhengjie.org.cn';
+--------------------------------------------------------------------------------------------------+
| Grants for jason@node110.yinzhengjie.org.cn                                                      |
+--------------------------------------------------------------------------------------------------+
| GRANT USAGE ON *.* TO `jason`@`node110.yinzhengjie.org.cn`                                       |
| GRANT ALL PRIVILEGES ON `yinzhengjie`.* TO `jason`@`node110.yinzhengjie.org.cn` WITH GRANT OPTION |
+--------------------------------------------------------------------------------------------------+
2 rows in set (0.00 sec)

mysql> 
Grant the custom yinzhengjie database to jason@node110.yinzhengjie.org.cn; because of WITH GRANT OPTION this user can also pass these privileges on to other users! (mysql> GRANT ALL PRIVILEGES ON yinzhengjie.* TO `jason`@`node110.yinzhengjie.org.cn` WITH GRANT OPTION;)
[root@node110 ~]# hostname
node110.yinzhengjie.org.cn
[root@node110 ~]# 
[root@node110 ~]# hostname -i
172.30.1.110
[root@node110 ~]# 
[root@node110 ~]# cat /etc/hosts | grep yinzhengjie
172.30.1.101 node101.yinzhengjie.org.cn
172.30.1.102 node102.yinzhengjie.org.cn
172.30.1.103 node103.yinzhengjie.org.cn
172.30.1.105 node105.yinzhengjie.org.cn
172.30.1.110 node110.yinzhengjie.org.cn
[root@node110 ~]# 
[root@node110 ~]# 
[root@node110 ~]# mysql -h node105.yinzhengjie.org.cn -ujason -pyinzhengjie
mysql: [Warning] Using a password on the command line interface can be insecure.
Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 21
Server version: 8.0.14 MySQL Community Server - GPL

Copyright (c) 2000, 2019, Oracle and/or its affiliates. All rights reserved.

Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

mysql> show databases;
+--------------------+
| Database           |
+--------------------+
| information_schema |
| yinzhengjie        |
+--------------------+
2 rows in set (0.00 sec)

mysql> use yinzhengjie;
Database changed
mysql> 
mysql> SELECT database();
+-------------+
| database()  |
+-------------+
| yinzhengjie |
+-------------+
1 row in set (0.00 sec)

mysql> show tables;
Empty set (0.00 sec)

mysql> quit
Bye
[root@node110 ~]# 
[root@node110 ~]# 
Access the database server (node105.yinzhengjie.org.cn) from the client (node110.yinzhengjie.org.cn): [root@node110 ~]# mysql -h node105.yinzhengjie.org.cn -ujason -pyinzhengjie

5>.Revoking MySQL user privileges

mysql> SHOW GRANTS FOR 'jason'@'node110.yinzhengjie.org.cn';
+---------------------------------------------------------------------------------------------------+
| Grants for jason@node110.yinzhengjie.org.cn                                                       |
+---------------------------------------------------------------------------------------------------+
| GRANT USAGE ON *.* TO `jason`@`node110.yinzhengjie.org.cn`                                        |
| GRANT ALL PRIVILEGES ON `yinzhengjie`.* TO `jason`@`node110.yinzhengjie.org.cn` WITH GRANT OPTION |
+---------------------------------------------------------------------------------------------------+
2 rows in set (0.00 sec)

mysql> 
mysql> REVOKE SELECT,UPDATE,DELETE ON yinzhengjie.* FROM 'jason'@'node110.yinzhengjie.org.cn';
Query OK, 0 rows affected (0.00 sec)

mysql> SHOW GRANTS FOR 'jason'@'node110.yinzhengjie.org.cn';                                  
+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| Grants for jason@node110.yinzhengjie.org.cn                                                                                                                                                                                                             |
+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| GRANT USAGE ON *.* TO `jason`@`node110.yinzhengjie.org.cn`                                                                                                                                                                                              |
| GRANT INSERT, CREATE, DROP, REFERENCES, INDEX, ALTER, CREATE TEMPORARY TABLES, LOCK TABLES, EXECUTE, CREATE VIEW, SHOW VIEW, CREATE ROUTINE, ALTER ROUTINE, EVENT, TRIGGER ON `yinzhengjie`.* TO `jason`@`node110.yinzhengjie.org.cn` WITH GRANT OPTION |
+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
2 rows in set (0.00 sec)

mysql> 
Revoke privileges with the REVOKE command (mysql> REVOKE SELECT,UPDATE,DELETE ON yinzhengjie.* FROM 'jason'@'node110.yinzhengjie.org.cn';)

6>.Deleting a MySQL user

mysql> 
mysql> SELECT User,Host from mysql.user;
+------------------+----------------------------+
| User             | Host                       |
+------------------+----------------------------+
| mysql.infoschema | localhost                  |
| mysql.session    | localhost                  |
| mysql.sys        | localhost                  |
| root             | localhost                  |
| jason            | node110.yinzhengjie.org.cn |
+------------------+----------------------------+
5 rows in set (0.00 sec)

mysql> 
mysql> DROP USER jason@node110.yinzhengjie.org.cn;
Query OK, 0 rows affected (0.00 sec)

mysql> 
mysql> SELECT User,Host from mysql.user;
+------------------+-----------+
| User             | Host      |
+------------------+-----------+
| mysql.infoschema | localhost |
| mysql.session    | localhost |
| mysql.sys        | localhost |
| root             | localhost |
+------------------+-----------+
4 rows in set (0.00 sec)

mysql> 
Delete a MySQL user with DROP USER (mysql> DROP USER jason@node110.yinzhengjie.org.cn;)

7>.Setting MySQL user resource limits

    • The global variable max_user_connections limits the number of simultaneous connections to the MySQL instance for all users, but it cannot treat individual users differently, so MySQL also provides per-user resource limits
    • MAX_QUERIES_PER_HOUR: the number of queries a user may run in one hour (covers essentially all statements)
    • MAX_UPDATES_PER_HOUR: the number of modifications a user may run in one hour (only statements that modify a database or table)
    • MAX_CONNECTIONS_PER_HOUR: the number of times a user may connect to MySQL in one hour
    • MAX_USER_CONNECTIONS: the number of simultaneous connections a user may hold to the MySQL instance. Note that when a user's MAX_USER_CONNECTIONS is non-zero, the global system variable max_user_connections is ignored for that user; otherwise the global variable applies!
    • Since version 5.0.3, the resource limit for 'user'@'%.example.com' applies to all connections as user from hosts in the example.com domain taken together, not separately to connections from host1.example.com and host2.example.com
mysql> SELECT User,Host from mysql.user;
+------------------+-----------+
| User             | Host      |
+------------------+-----------+
| mysql.infoschema | localhost |
| mysql.session    | localhost |
| mysql.sys        | localhost |
| root             | localhost |
+------------------+-----------+
4 rows in set (0.00 sec)

mysql> 
mysql> CREATE USER 'jason'@'node110.yinzhengjie.org.cn' IDENTIFIED BY 'yinzhengjie'
    -> WITH MAX_QUERIES_PER_HOUR 20
    -> MAX_UPDATES_PER_HOUR 5
    -> MAX_CONNECTIONS_PER_HOUR 3
    -> MAX_USER_CONNECTIONS 2;
Query OK, 0 rows affected (0.00 sec)

mysql> 
mysql> SELECT User,Host from mysql.user;
+------------------+----------------------------+
| User             | Host                       |
+------------------+----------------------------+
| mysql.infoschema | localhost                  |
| mysql.session    | localhost                  |
| mysql.sys        | localhost                  |
| root             | localhost                  |
| jason            | node110.yinzhengjie.org.cn |
+------------------+----------------------------+
5 rows in set (0.00 sec)

mysql> 
Specify resource limits when creating the MySQL user (mysql> CREATE USER 'jason'@'node110.yinzhengjie.org.cn' IDENTIFIED BY 'yinzhengjie' WITH MAX_QUERIES_PER_HOUR 20 MAX_UPDATES_PER_HOUR 5 MAX_CONNECTIONS_PER_HOUR 3 MAX_USER_CONNECTIONS 2;)
mysql> ALTER USER jason@node110.yinzhengjie.org.cn WITH MAX_USER_CONNECTIONS 5;
Query OK, 0 rows affected (0.01 sec)

mysql> 
Apply a resource limit to an existing user (mysql> ALTER USER jason@node110.yinzhengjie.org.cn WITH MAX_USER_CONNECTIONS 5;)
mysql> ALTER USER jason@node110.yinzhengjie.org.cn WITH MAX_USER_CONNECTIONS 0;
Query OK, 0 rows affected (0.01 sec)

mysql> 
To remove a resource limit, set its value back to 0 (mysql> ALTER USER jason@node110.yinzhengjie.org.cn WITH MAX_USER_CONNECTIONS 0;)

8>.Setting a MySQL user's password

mysql> SELECT User,Host from mysql.user;
+------------------+----------------------------+
| User             | Host                       |
+------------------+----------------------------+
| mysql.infoschema | localhost                  |
| mysql.session    | localhost                  |
| mysql.sys        | localhost                  |
| root             | localhost                  |
| jason            | node110.yinzhengjie.org.cn |
+------------------+----------------------------+
5 rows in set (0.00 sec)

mysql> 
mysql> CREATE USER 'yinzhengjie'@'node110.yinzhengjie.org.cn' IDENTIFIED BY 'yinzhengjie';
Query OK, 0 rows affected (0.00 sec)

mysql> 
mysql> SELECT User,Host from mysql.user;
+------------------+----------------------------+
| User             | Host                       |
+------------------+----------------------------+
| mysql.infoschema | localhost                  |
| mysql.session    | localhost                  |
| mysql.sys        | localhost                  |
| root             | localhost                  |
| jason            | node110.yinzhengjie.org.cn |
| yinzhengjie      | node110.yinzhengjie.org.cn |
+------------------+----------------------------+
6 rows in set (0.00 sec)

mysql> 
Method one: create the user together with its password using CREATE USER (mysql> CREATE USER 'yinzhengjie'@'node110.yinzhengjie.org.cn' IDENTIFIED BY 'yinzhengjie';)
mysql> ALTER USER jason@node110.yinzhengjie.org.cn IDENTIFIED BY 'yinzhengjie2019';
Query OK, 0 rows affected (0.01 sec)

mysql> 
Method two: change the password of an existing MySQL user (mysql> ALTER USER jason@node110.yinzhengjie.org.cn IDENTIFIED BY 'yinzhengjie2019';)
mysql> SELECT USER();
+----------------+
| USER()         |
+----------------+
| root@localhost |
+----------------+
1 row in set (0.00 sec)

mysql> 
mysql> ALTER USER USER() IDENTIFIED BY 'yinzhengjie';
Query OK, 0 rows affected (0.01 sec)

mysql> 
Method three: change the password of the currently logged-in user (mysql> ALTER USER USER() IDENTIFIED BY 'yinzhengjie';)

  Note: MySQL 8.0 and later no longer support changing a password with a statement of the form SET PASSWORD FOR jason@node110.yinzhengjie.org.cn = PASSWORD('yinzhengjie'); readers coming from MySQL 5.7 should take note. Changing the password through mysqladmin is of course another option, but I do not recommend it: remember that Linux keeps a history of your commands!

9>.Setting a MySQL user password expiry policy

  The system variable default_password_lifetime applies to all user accounts
    • default_password_lifetime=180 makes passwords expire after 180 days

    • default_password_lifetime=0 makes passwords never expire

  A password expiry policy set for an individual user overrides the system variable above

ALTER USER 'jason'@'node101.yinzhengjie.org.cn' PASSWORD EXPIRE INTERVAL 90 DAY;
ALTER USER 'jason'@'node102.yinzhengjie.org.cn' PASSWORD EXPIRE NEVER;        -- password never expires
ALTER USER 'jason'@'node103.yinzhengjie.org.cn' PASSWORD EXPIRE DEFAULT;      -- default expiry policy

  Manually force a user's password to expire

    • ALTER USER 'jason'@'node105.yinzhengjie.org.cn' PASSWORD EXPIRE;

10>.Locking MySQL users

mysql> CREATE USER yzj@node110.yinzhengjie.org.cn IDENTIFIED BY 'yinzhengjie' ACCOUNT LOCK;
Query OK, 0 rows affected (0.01 sec)

mysql> 
A user created with CREATE USER is unlocked by default; adding ACCOUNT LOCK creates it locked (mysql> CREATE USER yzj@node110.yinzhengjie.org.cn IDENTIFIED BY 'yinzhengjie' ACCOUNT LOCK;)
mysql> SELECT User,Host from mysql.user;
+------------------+----------------------------+
| User             | Host                       |
+------------------+----------------------------+
| mysql.infoschema | localhost                  |
| mysql.session    | localhost                  |
| mysql.sys        | localhost                  |
| root             | localhost                  |
| jason            | node110.yinzhengjie.org.cn |
| yinzhengjie      | node110.yinzhengjie.org.cn |
| yzj              | node110.yinzhengjie.org.cn |
+------------------+----------------------------+
7 rows in set (0.00 sec)

mysql> 
mysql> ALTER USER yinzhengjie@node110.yinzhengjie.org.cn ACCOUNT LOCK;
Query OK, 0 rows affected (0.01 sec)

mysql> 
Lock an existing MySQL user with ALTER USER (mysql> ALTER USER yinzhengjie@node110.yinzhengjie.org.cn ACCOUNT LOCK;)

  If we lock the user at creation time, it cannot log in to the MySQL server at all! The connection attempt reports that the account is locked, as shown below:

[root@node110 ~]#  mysql -h node105.yinzhengjie.org.cn -uyzj -pyinzhengjie  
mysql: [Warning] Using a password on the command line interface can be insecure.
ERROR 3118 (HY000): Access denied for user 'yzj'@'node110.yinzhengjie.org.cn'. Account is locked.
[root@node110 ~]# 
[root@node110 ~]# 

  If a locked MySQL user later needs to be unlocked, that is just as simple:

mysql> ALTER USER yinzhengjie@node110.yinzhengjie.org.cn ACCOUNT UNLOCK;
Query OK, 0 rows affected (0.00 sec)

mysql> 

11>.Typical MySQL users in enterprise applications

  MySQL users are normally created by the DBA in a coordinated way, and only as needed;

  DBAs usually manage the database directly as the root user;

  Typically an account with insert/delete/update/select, temporary-table and stored-procedure-execution privileges on the specific business database is created for the application to connect with;

  Typically a read-only account on the specific business database is also created for particular applications or senior staff to query data, so the data cannot be modified;

  MySQL 8.0 introduced the concept of roles; the SQL looks like this:

mysql> CREATE ROLE app_readonly;                                    # create a role (group) named app_readonly
Query OK, 0 rows affected (0.03 sec)

mysql> 
mysql> GRANT SELECT ON *.* TO app_readonly;                              # grant the new role read-only privileges
Query OK, 0 rows affected (0.00 sec)

mysql> 
mysql> CREATE USER apache@node105.yinzhengjie.org.cn IDENTIFIED BY 'yinzhengjie';        # create a user
Query OK, 0 rows affected (0.00 sec)

mysql> 
mysql> CREATE USER nginx@node105.yinzhengjie.org.cn IDENTIFIED BY 'yinzhengjie';
Query OK, 0 rows affected (0.00 sec)

mysql> 
mysql> GRANT app_readonly TO  apache@node105.yinzhengjie.org.cn ;                  # grant the role's privileges to the chosen user
Query OK, 0 rows affected (0.00 sec)

mysql> 
mysql> GRANT app_readonly TO   nginx@node105.yinzhengjie.org.cn ;
Query OK, 0 rows affected (0.00 sec)

mysql> 
mysql> 
mysql> CREATE ROLE app_readwrite;
Query OK, 0 rows affected (0.00 sec)

mysql> 
mysql> GRANT SELECT,INSERT,DELETE,UPDATE ON *.* TO app_readwrite;
Query OK, 0 rows affected (0.00 sec)

mysql> 
mysql> 
mysql> CREATE USER django@node105.yinzhengjie.org.cn IDENTIFIED BY 'yinzhengjie';
Query OK, 0 rows affected (0.01 sec)

mysql> 
mysql> CREATE USER vue@node105.yinzhengjie.org.cn IDENTIFIED BY 'yinzhengjie';
Query OK, 0 rows affected (0.01 sec)

mysql> 
mysql> GRANT app_readwrite TO django@node105.yinzhengjie.org.cn;
Query OK, 0 rows affected (0.00 sec)

mysql> 
mysql> GRANT app_readwrite TO vue@node105.yinzhengjie.org.cn;
Query OK, 0 rows affected (0.00 sec)

mysql> 
mysql> SHOW GRANTS FOR django@node105.yinzhengjie.org.cn;
+--------------------------------------------------------------------+
| Grants for django@node105.yinzhengjie.org.cn                       |
+--------------------------------------------------------------------+
| GRANT USAGE ON *.* TO `django`@`node105.yinzhengjie.org.cn`        |
| GRANT `app_readwrite`@`%` TO `django`@`node105.yinzhengjie.org.cn` |
+--------------------------------------------------------------------+
2 rows in set (0.00 sec)

mysql> 
mysql> SHOW GRANTS FOR django@node105.yinzhengjie.org.cn USING app_readwrite;            # with USING + role name the detailed privileges become visible, in sharp contrast to the plain SHOW GRANTS output above
+--------------------------------------------------------------------------------------+
| Grants for django@node105.yinzhengjie.org.cn                                         |
+--------------------------------------------------------------------------------------+
| GRANT SELECT, INSERT, UPDATE, DELETE ON *.* TO `django`@`node105.yinzhengjie.org.cn` |
| GRANT `app_readwrite`@`%` TO `django`@`node105.yinzhengjie.org.cn`                   |
+--------------------------------------------------------------------------------------+
2 rows in set (0.00 sec)

mysql> 
mysql> REVOKE app_readwrite FROM django@node105.yinzhengjie.org.cn;                  # the role can be revoked again
Query OK, 0 rows affected (0.00 sec)

mysql> 
mysql> SHOW GRANTS FOR django@node105.yinzhengjie.org.cn;                        # several roles can of course also be granted to the same user
+-------------------------------------------------------------+
| Grants for django@node105.yinzhengjie.org.cn                |
+-------------------------------------------------------------+
| GRANT USAGE ON *.* TO `django`@`node105.yinzhengjie.org.cn` |
+-------------------------------------------------------------+
1 row in set (0.00 sec)

mysql>
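A parser for the one-line GRANT statements that SHOW GRANTS prints (the format shown in section 6 and in the role session above), with a small least-privilege audit of the points this page makes: WITH GRANT OPTION lets an account re-grant, a '%' host accepts any client, and application accounts should be scoped to their business database. This is an added example, not code from the original post; the Grant class, parse_grant and audit_grants are my own names, and SAMPLE_GRANTS is constructed from the output shown on this page.

```python
import re
from dataclasses import dataclass, field
from typing import List

# Added example, not code from the original post. The regexes cover the two
# GRANT forms SHOW GRANTS prints in MySQL 8.0: privilege grants and role grants.
PRIV_RE = re.compile(
    r"^GRANT (?P<privs>.+?) ON (?P<obj>\S+) TO (?P<grantee>\S+)(?P<wgo> WITH GRANT OPTION)?$"
)
ROLE_RE = re.compile(r"^GRANT (?P<roles>.+?) TO (?P<grantee>\S+)$")


@dataclass
class Grant:
    grantee: str                                      # user@host, quoting removed
    privs: List[str] = field(default_factory=list)    # empty for a role grant
    obj: str = ""                                     # db.table scope, empty for a role grant
    roles: List[str] = field(default_factory=list)    # roles granted, if any
    grant_option: bool = False


def unquote(name: str) -> str:
    """Strip the backticks or single quotes SHOW GRANTS puts around names."""
    return name.replace("`", "").replace("'", "")


def parse_grant(line: str) -> Grant:
    """Parse one SHOW GRANTS line; raises ValueError for an unknown shape."""
    line = line.strip().rstrip(";")
    m = PRIV_RE.match(line)
    if m:  # GRANT <privileges> ON <db>.<table> TO <account> [WITH GRANT OPTION]
        return Grant(
            grantee=unquote(m.group("grantee")),
            privs=[p.strip() for p in m.group("privs").split(",")],
            obj=unquote(m.group("obj")),
            grant_option=m.group("wgo") is not None,
        )
    m = ROLE_RE.match(line)
    if m:  # GRANT <role>[, <role>] TO <account>  (MySQL 8.0 roles)
        return Grant(
            grantee=unquote(m.group("grantee")),
            roles=[unquote(r.strip()) for r in m.group("roles").split(",")],
        )
    raise ValueError(f"unrecognised SHOW GRANTS line: {line!r}")


def audit_grants(lines: List[str]) -> List[str]:
    """Return human-readable findings for grants that deserve a second look."""
    findings: List[str] = []
    for line in lines:
        g = parse_grant(line)
        if g.grantee.endswith("@%"):
            note = f"{g.grantee}: host '%' accepts logins from any host"
            if note not in findings:          # one note per account, not per line
                findings.append(note)
        if "ALL PRIVILEGES" in g.privs:
            findings.append(f"{g.grantee}: ALL PRIVILEGES on {g.obj}")
        if g.obj == "*.*" and g.privs != ["USAGE"]:   # USAGE on *.* is just "can log in"
            findings.append(f"{g.grantee}: global (*.*) scope for {', '.join(g.privs)}")
        if g.grant_option:
            findings.append(f"{g.grantee}: WITH GRANT OPTION, can re-grant these privileges to other accounts")
    return findings


# Constructed from the SHOW GRANTS output shown on this page.
SAMPLE_GRANTS = [
    "GRANT USAGE ON *.* TO `jason`@`node110.yinzhengjie.org.cn`",
    "GRANT ALL PRIVILEGES ON `yinzhengjie`.* TO `jason`@`node110.yinzhengjie.org.cn` WITH GRANT OPTION",
    "GRANT SELECT, INSERT, UPDATE, DELETE ON *.* TO `django`@`node105.yinzhengjie.org.cn`",
    "GRANT `app_readwrite`@`%` TO `django`@`node105.yinzhengjie.org.cn`",
    "GRANT PROXY ON ''@'' TO 'root'@'localhost' WITH GRANT OPTION",
]

if __name__ == "__main__":
    for finding in audit_grants(SAMPLE_GRANTS):
        print(finding)
```

Feeding it the output of SHOW GRANTS FOR ... USING <role> rather than plain SHOW GRANTS makes the privileges an account inherits through a role visible to the same checks.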

12>.Password rules for MySQL users in enterprise applications

    • Enterprise production systems have strict rules for MySQL user passwords, usually including complexity and length requirements

• A password generator found online can produce random passwords that meet such requirements

   • http://suijimimashengcheng.51240.com/