一、起源:
今天一上班就聽到說error-log里記錄了大量的
ERROR 1820 (HY000): You must reset your password using ALTER USER statement before executing this statement.
二、mysql 用戶密碼過期的處理:
1、從一條簡單的create user 看mysql密碼過期的內在邏輯
mysql> create user exuser@'%' identified by 'exPass@352'; Query OK, 0 rows affected (0.01 sec) mysql> show create user exuser@'%'; +---------------------------------------------------------------------------------------------------------------------------------------------------------------------+ | CREATE USER for exuser@% | +---------------------------------------------------------------------------------------------------------------------------------------------------------------------+ | CREATE USER 'exuser'@'%' IDENTIFIED WITH 'mysql_native_password' AS '*CD089516E876A47FEBF3BB6A9ADD45F02F4BF73B' REQUIRE NONE PASSWORD EXPIRE DEFAULT ACCOUNT UNLOCK | +---------------------------------------------------------------------------------------------------------------------------------------------------------------------+ 1 row in set (0.00 sec)
2、從上面的show create user 可以看出 mysql會悄悄的在create user 語句的后面加上一個 password expire defautl 子句;這個
password expire default 子句就是用來設置mysql 賬號的密碼過期時間的(單位天)。
3、看寫死mysql 賬號密碼的過期時間時mysql是怎么處理的
mysql> create user tt@'%' identified by '123456' password expire interval 30 day; Query OK, 0 rows affected (0.00 sec) mysql> show create user tt@'%'; +-------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ | CREATE USER for tt@% | +-------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ | CREATE USER 'tt'@'%' IDENTIFIED WITH 'mysql_native_password' AS '*6BB4837EB74329105EE4568DDA7DC67ED2CA2AD9' REQUIRE NONE PASSWORD EXPIRE INTERVAL 30 DAY ACCOUNT UNLOCK | +-------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
4、也就是說在create user 中寫死過期時間的情況下,mysql是不會悄悄的加上password expire default 的。
5、password expire default 這里的default的值是參照default_password_lifetime這個variable的,也就是說可以通過
改變default_password_lifetime的值來靈活的控制賬號的過期時間。
三、default_password_lifetime 地默認值:
目前 default_password_lifetime 這個參數的默認值是0 ,也就是說默認情況下 create user xxx@xxx identified by 'xxx' 這樣
創建出來的賬號密碼是永不過期的。
四、回答一下起源中的問題:
“起源”中提到的密碼過期是因為在mysql-5.7.4 ~ mysql-5.7.10 這些版本中default_password_lifetime的默認值是360,
這樣就尷尬了,這樣的設置使得默認情況下mysql運行個360天就要改一下密碼,這不科學!於是呢在mysql-5.7.11 以后
的mysql就把default_password_lifetime這個參數的默認值設置成了0.
五、給你一個環境怎么才看出來用戶的密碼有沒有過期
對於這里所提到的密碼過期的判定不能簡單的看user.password_expired 這個列來區分賬號的密碼有沒有過期,而是要根據mysql賬號過期的
內在邏輯來看
1、第一步:查看user.assword_last_changed 列來看對應賬號密碼的最近一次的修改時間
mysql> select user,host,password_expired,password_last_changed,password_lifetime from user; +---------------+-----------+------------------+-----------------------+-------------------+ | user | host | password_expired | password_last_changed | password_lifetime | +---------------+-----------+------------------+-----------------------+-------------------+ | root | localhost | N | 2017-10-15 10:07:32 | NULL | | mysql.session | localhost | N | 2017-10-04 12:27:10 | NULL | | mysql.sys | localhost | N | 2017-10-04 12:27:10 | NULL | | jianglexing | localhost | N | 2017-10-07 09:48:14 | NULL | | repl | % | N | 2017-10-07 19:16:44 | NULL | | tstuser | localhost | N | 2017-10-12 10:04:17 | NULL | +---------------+-----------+------------------+-----------------------+-------------------+
2、第二步:查看default_password_lifetime這個變量的值是多少
mysql> show global variables like 'default_password_lifetime'; +---------------------------+-------+ | Variable_name | Value | +---------------------------+-------+ | default_password_lifetime | 1 | +---------------------------+-------+ 1 row in set (0.00 sec)
3、確定用戶是不是用的mysql全局的密碼過期策略
mysql> show create user tstuser@'localhost'; +-------------------------------------------------------------------------------------------------------------------------------+ | CREATE USER for tstuser@localhost | +-------------------------------------------------------------------------------------------------------------------------------+ | CREATE USER 'tstuser'@'localhost' IDENTIFIED WITH 'mysql_native_password' REQUIRE NONE PASSWORD EXPIRE DEFAULT ACCOUNT UNLOCK | +-------------------------------------------------------------------------------------------------------------------------------+ 1 row in set (0.00 sec)
4、確定當前的時間
mysql> select now(); +---------------------+ | now() | +---------------------+ | 2017-10-15 11:02:36 | +---------------------+ 1 row in set (0.00 sec)
5、結論:
對於tstuser來說它用的是全局的密碼過期策略,也就是一天后密碼就過期,然而它最近一次更新密碼的時間是2017-10-12,而當前的時間已經是
2017-10-15 所以可以確定的說tstuser的密碼已經過期了。