13.4 MySQL user management

MySQL user management: overview

  • grant all on *.* to 'user1' identified by 'passwd';
  • grant SELECT,UPDATE,INSERT on db1.* to 'user2'@'192.168.133.1' identified by 'passwd';
  • grant all on db1.* to 'user3'@'%' identified by 'passwd';
  • show grants;
  • show grants for user2@192.168.133.1;

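MySQL user management

  • Scenario: for security, a newly built site gets a newly created user, or an existing account is reused, and that account is then granted privileges
  • grant all on *.* to 'user1' identified by 'passwd';
    • grant means to authorize
    • all means all privileges: view, create, delete and so on
    • on *.* to 'user1' identified by 'passwd';
  • If, after logging in to mysql, you mistype something and press Enter, typing a semicolon ; ends the statement and returns you to the mysql prompt
  • Besides the quit command, you can leave mysql with the exit command or with the Ctrl+D shortcut
  1. Log in to mysql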
[root@hf-01 ~]# mysql -uroot -p'hanfeng'
Warning: Using a password on the command line interface can be insecure.
Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 1
Server version: 5.6.35 MySQL Community Server (GPL)

Copyright (c) 2000, 2016, Oracle and/or its affiliates. All rights reserved.

Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

mysql>
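  2. Create the ordinary user user1 with the command
  • grant all on *.* to 'user1'@'127.0.0.1' identified by '123456a'; (be very careful with the punctuation when typing this command: if a quote character ' ' is dropped, you will not be able to log in to mysql as user1 afterwards)
    • 'user1'@'127.0.0.1' is user@source IP (the source can be written as %, a wildcard meaning all IPs); if a source IP is specified, the user can log in only from that source IP
    • *.* means all databases and all tables
      • The first * is the database name; writing mysql.* means all tables in the mysql database
    • identified by 'passwd' sets the mysql password for user1
  • grant statements are not recorded in the command history, because recording them would be insecure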
mysql>  grant all on *.* to 'user1'@'127.0.0.1' identified by '123456a';
Query OK, 0 rows affected (0.02 sec)

mysql>
  3. Exit the database and test whether user1 can log in
[root@hf-01 ~]# mysql -uuser1 -p'123456a'
Warning: Using a password on the command line interface can be insecure.
ERROR 1045 (28000): Access denied for user 'user1'@'localhost' (using password: YES)
[root@hf-01 ~]#
  4. The login fails because the client connects over the socket by default; specify the IP with -h and the login as user1 succeeds
[root@hf-01 ~]# mysql -uuser1 -p123456a -h127.0.0.1
Warning: Using a password on the command line interface can be insecure.
Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 13
Server version: 5.6.35 MySQL Community Server (GPL)

Copyright (c) 2000, 2016, Oracle and/or its affiliates. All rights reserved.

Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

mysql> quit
Bye
  5. Grant for localhost, that is, for local connections made over the socket
  6. Log in as root again, run the grant with localhost, and exit once it succeeds
  • grant all on *.* to 'user1'@'localhost' identified by '123456a';
[root@hf-01 ~]#  mysql -uroot -p'hanfeng'
Warning: Using a password on the command line interface can be insecure.
Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 14
Server version: 5.6.35 MySQL Community Server (GPL)

Copyright (c) 2000, 2016, Oracle and/or its affiliates. All rights reserved.

Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

mysql> grant all on *.* to 'user1'@'localhost' identified by '123456a';
Query OK, 0 rows affected (0.00 sec)

mysql> quit
Bye
[root@hf-01 ~]#
  7. user1 can now log in without -h, because the grant now covers localhost, and localhost corresponds to the socket
[root@hf-01 ~]# mysql -uuser1 -p123456a
Warning: Using a password on the command line interface can be insecure.
Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 15
Server version: 5.6.35 MySQL Community Server (GPL)

Copyright (c) 2000, 2016, Oracle and/or its affiliates. All rights reserved.

Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

mysql> exit
Bye
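  8. Besides the quit command, you can leave the database with the exit command or the Ctrl+D shortcut

Granting specific privileges

  • grant SELECT,UPDATE,INSERT on db1.* to 'user2'@'192.168.133.1' identified by 'passwd';
    • Grants SELECT, UPDATE and INSERT on all tables of the db1 database to user2 at that source IP, and sets the password
  • grant all on db1.* to 'user3'@'%' identified by 'passwd';
    • Grants to the user from all IPs
  • show grants; views all grants
    • When logged in as a given user, show grants; shows the privileges of the current user
    • Log in to mysql as user1 and view the grants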
[root@hf-01 ~]# mysql -uuser1 -p123456a
Warning: Using a password on the command line interface can be insecure.
Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 16
Server version: 5.6.35 MySQL Community Server (GPL)

Copyright (c) 2000, 2016, Oracle and/or its affiliates. All rights reserved.

Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

mysql> show grants;
+-----------------------------------------------------------------------------------------------------------------------+
| Grants for user1@localhost                                                                                            |
+-----------------------------------------------------------------------------------------------------------------------+
| GRANT ALL PRIVILEGES ON *.* TO 'user1'@'localhost' IDENTIFIED BY PASSWORD '*B012E8731FF1DF44F3D8B26837708985278C3CED' |
+-----------------------------------------------------------------------------------------------------------------------+
1 row in set (0.00 sec)

mysql>
  • show grants for user1@127.0.0.1; views the grants of a specified user
    • Log in to mysql as root, then view the grants of user1
[root@hf-01 ~]#  mysql -uroot -p'hanfeng'
Warning: Using a password on the command line interface can be insecure.
Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 17
Server version: 5.6.35 MySQL Community Server (GPL)

Copyright (c) 2000, 2016, Oracle and/or its affiliates. All rights reserved.

Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

mysql> show grants for user1@'127.0.0.1';
+-----------------------------------------------------------------------------------------------------------------------+
| Grants for user1@127.0.0.1                                                                                            |
+-----------------------------------------------------------------------------------------------------------------------+
| GRANT ALL PRIVILEGES ON *.* TO 'user1'@'127.0.0.1' IDENTIFIED BY PASSWORD '*B012E8731FF1DF44F3D8B26837708985278C3CED' |
+-----------------------------------------------------------------------------------------------------------------------+
1 row in set (0.00 sec)

mysql>
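
The difference between the three grant forms above (all privileges on `*.*`, named privileges on `db1.*`, and the `%` host) can be checked mechanically from `show grants` output. The script below is an added example, not part of the original page; the function names and the finding labels are made up for illustration, and the sample rows are constructed with placeholder password hashes.

```shell
#!/bin/sh
# Added example: flag broad grants in SHOW GRANTS output.

# sample_rows: constructed rows for the three accounts used on this page;
# the password hashes are placeholders.
sample_rows() {
    cat <<'EOF'
| GRANT ALL PRIVILEGES ON *.* TO 'user1'@'localhost' IDENTIFIED BY PASSWORD '*HASH_PLACEHOLDER' |
| GRANT USAGE ON *.* TO 'user2'@'192.168.133.1' IDENTIFIED BY PASSWORD '*HASH_PLACEHOLDER' |
| GRANT SELECT, INSERT, UPDATE ON `db1`.* TO 'user2'@'192.168.133.1' |
| GRANT USAGE ON *.* TO 'user3'@'%' IDENTIFIED BY PASSWORD '*HASH_PLACEHOLDER' |
| GRANT ALL PRIVILEGES ON `db1`.* TO 'user3'@'%' |
EOF
}

# audit_grants: read SHOW GRANTS rows on stdin, print "<finding> <account>".
audit_grants() {
    awk '
    BEGIN { q = "\047"; anyhost = "@" q "%" q }
    { sub(/^\| */, ""); sub(/ *\|$/, "") }   # strip mysql table borders
    /^GRANT / {
        acct = $0
        sub(/^.* TO /, "", acct)             # keep the text after " TO "
        sub(/ .*$/, "", acct)                # drop IDENTIFIED BY ...
        # Every privilege on every database and table.
        if (index($0, "GRANT ALL PRIVILEGES ON *.* ") == 1)
            report("all-privileges-global", acct)
        # Account usable from any source IP.
        if (substr(acct, length(acct) - 3) == anyhost)
            report("any-source-host", acct)
    }
    function report(what, who) {
        if (!seen[what, who]++) print what, who   # one line per finding
    }'
}

sample_rows | audit_grants
```

On the sample rows this reports user1@localhost for holding every privilege globally and user3@% for accepting any source host, while user2, limited to three privileges on db1 from one IP, produces no finding.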

Use case for show grants;

  • show grants; shows the grants of root
  1. Create a user user2 and grant it privileges
  • grant SELECT,UPDATE,INSERT on db1.* to 'user2'@'192.168.133.1' identified by 'passwd';
mysql> grant SELECT,UPDATE,INSERT on db1.* to 'user2'@'192.168.133.1' identified by 'passwd';
Query OK, 0 rows affected (0.01 sec)

mysql>
  2. View the grants of user2
  • show grants for user2@'192.168.133.1';
mysql> show grants for user2@'192.168.133.1';
+------------------------------------------------------------------------------------------------------------------+
| Grants for user2@192.168.133.1                                                                                   |
+------------------------------------------------------------------------------------------------------------------+
| GRANT USAGE ON *.* TO 'user2'@'192.168.133.1' IDENTIFIED BY PASSWORD '*59C70DA2F3E3A5BDF46B68F5C8B8F25762BCCEF0' |
| GRANT SELECT, INSERT, UPDATE ON `db1`.* TO 'user2'@'192.168.133.1'                                               |
+------------------------------------------------------------------------------------------------------------------+
2 rows in set (0.00 sec)

mysql>
  3. One situation where this is useful: a grant was made for 192.168.133.1, but one IP turns out not to be enough and there is also 192.168.133.2. That is, user2 needs to log in not only from 192.168.133.1 but also from 192.168.133.2, so all of the grant commands have to be run again
  4. In that case, copy GRANT USAGE ON *.* TO 'user2'@'192.168.133.1' IDENTIFIED BY PASSWORD '*59C70DA2F3E3A5BDF46B68F5C8B8F25762BCCEF0' directly, change 192.168.133.1 to 192.168.133.2, and add a semicolon ; at the end of the statement
mysql> GRANT USAGE ON *.* TO 'user2'@'192.168.133.2' IDENTIFIED BY PASSWORD '*59C70DA2F3E3A5BDF46B68F5C8B8F25762BCCEF0';
Query OK, 0 rows affected (0.00 sec)

mysql>
  5. Then copy the second line, GRANT SELECT, INSERT, UPDATE ON db1.* TO 'user2'@'192.168.133.1', change the IP to 192.168.133.2, and add a semicolon ;
mysql> GRANT SELECT, INSERT, UPDATE ON `db1`.* TO 'user2'@'192.168.133.2';
Query OK, 0 rows affected (0.01 sec)

mysql>
  6. Now run show grants for 192.168.133.2
mysql> show grants for user2@'192.168.133.2';
+------------------------------------------------------------------------------------------------------------------+
| Grants for user2@192.168.133.2                                                                                   |
+------------------------------------------------------------------------------------------------------------------+
| GRANT USAGE ON *.* TO 'user2'@'192.168.133.2' IDENTIFIED BY PASSWORD '*59C70DA2F3E3A5BDF46B68F5C8B8F25762BCCEF0' |
| GRANT SELECT, INSERT, UPDATE ON `db1`.* TO 'user2'@'192.168.133.2'                                               |
+------------------------------------------------------------------------------------------------------------------+
2 rows in set (0.00 sec)

mysql>
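  7. show grants; shows the same password and the same user; the only thing that changed is the IP
  8. This also makes it possible to grant when you know the mysql username but not the password, since the copied statement carries the password hash instead of the plaintext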
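
The copy-and-edit procedure above can be scripted so that only the account's host is changed and every statement ends with a semicolon. This is an added example, not part of the original page; `clone_grants` and `sample_show_grants` are hypothetical names, and the sample table is constructed with a placeholder password hash.

```shell
#!/bin/sh
# Added example: rewrite SHOW GRANTS output for one account so it can be
# replayed for the same user at a second source host.

# sample_show_grants: constructed copy of the SHOW GRANTS table for
# 'user2'@'192.168.133.1'; the password hash is a placeholder.
sample_show_grants() {
    cat <<'EOF'
+--------------------------------------------------------------------+
| Grants for user2@192.168.133.1                                     |
+--------------------------------------------------------------------+
| GRANT USAGE ON *.* TO 'user2'@'192.168.133.1' IDENTIFIED BY PASSWORD '*HASH_PLACEHOLDER' |
| GRANT SELECT, INSERT, UPDATE ON `db1`.* TO 'user2'@'192.168.133.1'  |
+--------------------------------------------------------------------+
EOF
}

# clone_grants USER OLD_HOST NEW_HOST  (reads SHOW GRANTS rows on stdin)
clone_grants() {
    awk -v user="$1" -v old="$2" -v new="$3" '
    BEGIN {
        # \047 is a single quote; match the full quoted account so that
        # 192.168.133.1 never matches inside 192.168.133.10.
        from = "TO \047" user "\047@\047" old "\047"
        to   = "TO \047" user "\047@\047" new "\047"
    }
    { sub(/^\| */, ""); sub(/ *\|$/, "") }   # strip mysql table borders
    /^GRANT / {
        # index() is a literal search, so the dots in the IP are not
        # treated as regular-expression wildcards.
        i = index($0, from)
        if (i == 0) next                     # row is for another account
        print substr($0, 1, i - 1) to substr($0, i + length(from)) ";"
    }'
}

sample_show_grants | clone_grants user2 192.168.133.1 192.168.133.2
```

Against a live server the input would come from `mysql -N -e "SHOW GRANTS FOR 'user2'@'192.168.133.1'"`, and the generated statements are reviewed before being run in mysql.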