MySQL privileges, grants and authentication in detail



Author: 尹正傑

Copyright notice: original work, reproduction prohibited; violations will be pursued legally.

I. Introduction to the MySQL privilege system
1>. The privilege system decides whether a given user, connecting from a given host, may perform operations such as SELECT, INSERT, UPDATE or DELETE on the database.
2>. There is no explicit DENY rule: you cannot write a rule that rejects a particular user's connection. Access is refused only because no matching account or grant exists, or because the account is locked.
3>. Privileges are granted and revoked with CREATE USER, GRANT and REVOKE (DROP USER and ALTER USER complete the set).
4>. Granted privileges are stored in MySQL's internal database, named mysql, and copied into memory when the server starts; the in-memory copy is what every privilege check consults.
5>. A MySQL account is identified not by the user name alone but by the user name plus the host the connection comes from. The two yinzhengjie accounts below are different accounts because their host parts differ:

mysql> SHOW GRANTS FOR 'yinzhengjie'@'node101.yinzhengjie.org.cn';
mysql> SHOW GRANTS FOR 'yinzhengjie'@'node102.yinzhengjie.org.cn';


II. MySQL privilege levels

1>. Privilege levels

Global (administrative) privileges apply to the whole MySQL instance (ON *.*);
Database-level privileges apply to one named database or to all databases (ON db.* or ON *.*);
Object-level privileges apply to a specific database object (table, column, view, stored routine) or to all objects of that kind.

2>. Privileges are stored in the user, db, tables_priv, columns_priv and procs_priv system tables of the mysql database and loaded into memory when the instance starts. In MySQL 8.0 the dynamic privileges (the *_ADMIN names in the root output below) live in a further table, mysql.global_grants, and proxy grants in mysql.proxies_priv.

3>. The privileges of the instance's default root account (connecting from localhost)

mysql> SHOW GRANTS FOR root@localhost\G
*************************** 1. row ***************************
Grants for root@localhost: GRANT SELECT, INSERT, UPDATE, DELETE, CREATE, DROP, RELOAD, SHUTDOWN, PROCESS, FILE, REFERENCES, INDEX, ALTER, SHOW DATABASES, SUPER, CREATE TEMPORARY TABLES, LOCK TABLES, EXECUTE, REPLICATION SLAVE, REPLICATION CLIENT, CREATE VIEW, SHOW VIEW, CREATE ROUTINE, ALTER ROUTINE, CREATE USER, EVENT, TRIGGER, CREATE TABLESPACE, CREATE ROLE, DROP ROLE ON *.* TO `root`@`localhost` WITH GRANT OPTION
*************************** 2. row ***************************
Grants for root@localhost: GRANT APPLICATION_PASSWORD_ADMIN,BACKUP_ADMIN,BINLOG_ADMIN,BINLOG_ENCRYPTION_ADMIN,CONNECTION_ADMIN,ENCRYPTION_KEY_ADMIN,GROUP_REPLICATION_ADMIN,PERSIST_RO_VARIABLES_ADMIN,REPLICATION_SLAVE_ADMIN,RESOURCE_GROUP_ADMIN,RESOURCE_GROUP_USER,ROLE_ADMIN,SERVICE_CONNECTION_ADMIN,SESSION_VARIABLES_ADMIN,SET_USER_ID,SYSTEM_VARIABLES_ADMIN,XA_RECOVER_ADMIN ON *.* TO `root`@`localhost` WITH GRANT OPTION
*************************** 3. row ***************************
Grants for root@localhost: GRANT PROXY ON ''@'' TO 'root'@'localhost' WITH GRANT OPTION
3 rows in set (0.01 sec)


4>. The root account's rows in the privilege system tables

mysql> SELECT * FROM user WHERE user='root' AND host='localhost'\G
*************************** 1. row ***************************
                    Host: localhost
                    User: root
             Select_priv: Y
             Insert_priv: Y
             Update_priv: Y
             Delete_priv: Y
             Create_priv: Y
               Drop_priv: Y
             Reload_priv: Y
           Shutdown_priv: Y
            Process_priv: Y
               File_priv: Y
              Grant_priv: Y
         References_priv: Y
              Index_priv: Y
              Alter_priv: Y
            Show_db_priv: Y
              Super_priv: Y
   Create_tmp_table_priv: Y
        Lock_tables_priv: Y
            Execute_priv: Y
         Repl_slave_priv: Y
        Repl_client_priv: Y
        Create_view_priv: Y
          Show_view_priv: Y
     Create_routine_priv: Y
      Alter_routine_priv: Y
        Create_user_priv: Y
              Event_priv: Y
            Trigger_priv: Y
  Create_tablespace_priv: Y
                ssl_type: 
              ssl_cipher: 
             x509_issuer: 
            x509_subject: 
           max_questions: 0
             max_updates: 0
         max_connections: 0
    max_user_connections: 0
                  plugin: caching_sha2_password
   authentication_string: $A$005$_DHTgn}dT9t%1>5eMM4wjrUWB.UY3A60WfUlqsZAVP0HhJ3Xxp1bFRs76g9B
        password_expired: N
   password_last_changed: 2019-01-22 05:42:22
       password_lifetime: NULL
          account_locked: N
        Create_role_priv: Y
          Drop_role_priv: Y
  Password_reuse_history: NULL
     Password_reuse_time: NULL
Password_require_current: NULL
         User_attributes: NULL
1 row in set (0.00 sec)

Every *_priv column for root@localhost in the user table is 'Y': all of root's privileges are global, which is also why the three SHOW GRANTS rows above all say ON *.*.
mysql> SELECT * FROM db WHERE user='root' AND host='localhost'\G
Empty set (0.00 sec)

root@localhost has no row in the db table.
mysql> SELECT * FROM tables_priv WHERE host='localhost' AND user = 'root'\G   
Empty set (0.00 sec)

root@localhost has no row in tables_priv.
mysql> SELECT * FROM columns_priv WHERE host='localhost' AND user = 'root'\G 
Empty set (0.00 sec)

root@localhost has no row in columns_priv.
mysql> SELECT * FROM procs_priv WHERE host='localhost' AND user = 'root'\G            
Empty set (0.00 sec)

root@localhost has no row in procs_priv. A global grant is recorded only in the user table (and, for dynamic privileges, in global_grants); the server consults the lower-level tables only when the global check does not already grant the operation.

5>. The privileges of the default mysql.sys account (connecting from localhost)

mysql> SHOW GRANTS FOR 'mysql.sys'@localhost;
+---------------------------------------------------------------+
| Grants for mysql.sys@localhost                                |
+---------------------------------------------------------------+
| GRANT USAGE ON *.* TO `mysql.sys`@`localhost`                 |
| GRANT TRIGGER ON `sys`.* TO `mysql.sys`@`localhost`           |
| GRANT SELECT ON `sys`.`sys_config` TO `mysql.sys`@`localhost` |
+---------------------------------------------------------------+
3 rows in set (0.00 sec)

mysql> SHOW GRANTS FOR 'mysql.sys'@localhost\G
*************************** 1. row ***************************
Grants for mysql.sys@localhost: GRANT USAGE ON *.* TO `mysql.sys`@`localhost`
*************************** 2. row ***************************
Grants for mysql.sys@localhost: GRANT TRIGGER ON `sys`.* TO `mysql.sys`@`localhost`
*************************** 3. row ***************************
Grants for mysql.sys@localhost: GRANT SELECT ON `sys`.`sys_config` TO `mysql.sys`@`localhost`
3 rows in set (0.00 sec)


6>. The mysql.sys account's rows in the privilege system tables

mysql> SELECT * FROM user WHERE user='mysql.sys' AND host='localhost'\G                
*************************** 1. row ***************************
                    Host: localhost
                    User: mysql.sys
             Select_priv: N
             Insert_priv: N
             Update_priv: N
             Delete_priv: N
             Create_priv: N
               Drop_priv: N
             Reload_priv: N
           Shutdown_priv: N
            Process_priv: N
               File_priv: N
              Grant_priv: N
         References_priv: N
              Index_priv: N
              Alter_priv: N
            Show_db_priv: N
              Super_priv: N
   Create_tmp_table_priv: N
        Lock_tables_priv: N
            Execute_priv: N
         Repl_slave_priv: N
        Repl_client_priv: N
        Create_view_priv: N
          Show_view_priv: N
     Create_routine_priv: N
      Alter_routine_priv: N
        Create_user_priv: N
              Event_priv: N
            Trigger_priv: N
  Create_tablespace_priv: N
                ssl_type: 
              ssl_cipher: 
             x509_issuer: 
            x509_subject: 
           max_questions: 0
             max_updates: 0
         max_connections: 0
    max_user_connections: 0
                  plugin: caching_sha2_password
   authentication_string: $A$005$THISISACOMBINATIONOFINVALIDSALTANDPASSWORDTHATMUSTNEVERBRBEUSED
        password_expired: N
   password_last_changed: 2019-01-22 05:41:42
       password_lifetime: NULL
          account_locked: Y
        Create_role_priv: N
          Drop_role_priv: N
  Password_reuse_history: NULL
     Password_reuse_time: NULL
Password_require_current: NULL
         User_attributes: NULL
1 row in set (0.00 sec)

Every *_priv column for mysql.sys@localhost in the user table is 'N', which matches the GRANT USAGE ON *.* line above (USAGE means "no global privileges"). Note also account_locked: Y and an authentication_string that the server can never match: the account exists only as the DEFINER of the sys schema objects and cannot be logged into.
mysql> SELECT * FROM db WHERE user='mysql.sys' AND host='localhost'\G
*************************** 1. row ***************************
                 Host: localhost
                   Db: sys
                 User: mysql.sys
          Select_priv: N
          Insert_priv: N
          Update_priv: N
          Delete_priv: N
          Create_priv: N
            Drop_priv: N
           Grant_priv: N
      References_priv: N
           Index_priv: N
           Alter_priv: N
Create_tmp_table_priv: N
     Lock_tables_priv: N
     Create_view_priv: N
       Show_view_priv: N
  Create_routine_priv: N
   Alter_routine_priv: N
         Execute_priv: N
           Event_priv: N
         Trigger_priv: Y
1 row in set (0.00 sec)

In the db table mysql.sys@localhost has exactly one row, for the sys database, with Trigger_priv 'Y' and every other privilege 'N'; that row is the GRANT TRIGGER ON sys.* line.
mysql> SELECT * FROM tables_priv WHERE user='mysql.sys' AND host='localhost'\G  
*************************** 1. row ***************************
       Host: localhost
         Db: sys
       User: mysql.sys
 Table_name: sys_config
    Grantor: root@localhost
  Timestamp: 2019-01-22 05:41:42
 Table_priv: Select
Column_priv: 
1 row in set (0.00 sec)

In tables_priv there is one row: SELECT on sys.sys_config, matching the third SHOW GRANTS line. The Grantor column records which account issued the grant.
mysql> SELECT * FROM columns_priv WHERE user='mysql.sys' AND host='localhost'\G
Empty set (0.00 sec)

mysql.sys@localhost has no row in columns_priv.
mysql> SELECT * FROM procs_priv WHERE user='mysql.sys' AND host='localhost'\G       
Empty set (0.00 sec)

mysql.sys@localhost has no row in procs_priv.
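The root and mysql.sys comparisons above show grants landing in different tables depending on the level they were issued at. The following is an added example (MySQL 8.0 SQL, not part of the original post) that creates two least-privilege accounts and then queries each privilege table to show exactly where every grant was recorded. The database appdb, its tables, the procedure order_total and the account and host names are all chosen for this example; it needs a session that holds CREATE USER and GRANT OPTION, such as root@localhost.

```sql
-- Added example, not from the original post. Assumes MySQL 8.0 and a session
-- with CREATE USER + GRANT OPTION. All object and account names are examples.
CREATE DATABASE IF NOT EXISTS appdb;
CREATE TABLE IF NOT EXISTS appdb.orders    (id INT PRIMARY KEY, amount DECIMAL(10,2), customer_id INT);
CREATE TABLE IF NOT EXISTS appdb.customers (id INT PRIMARY KEY, name VARCHAR(64), email VARCHAR(128), ssn CHAR(11));
CREATE PROCEDURE appdb.order_total(IN cid INT, OUT total DECIMAL(12,2))
  SELECT IFNULL(SUM(amount), 0) INTO total FROM appdb.orders WHERE customer_id = cid;

-- Reporting account: database-level read-only  -> one row in mysql.db
-- Pinned to one host; a '%' host would let the same password be used from anywhere.
CREATE USER IF NOT EXISTS 'report'@'node105.yinzhengjie.org.cn' IDENTIFIED BY 'Example-password-2!';
GRANT SELECT ON appdb.* TO 'report'@'node105.yinzhengjie.org.cn';

-- Application account: nothing global, nothing database-wide
CREATE USER IF NOT EXISTS 'app'@'node105.yinzhengjie.org.cn' IDENTIFIED BY 'Example-password-1!';
-- table level   -> mysql.tables_priv (Table_priv set)
GRANT SELECT, INSERT, UPDATE, DELETE ON appdb.orders TO 'app'@'node105.yinzhengjie.org.cn';
-- column level  -> mysql.columns_priv (one row per column); ssn is never readable by app
GRANT SELECT (name, email) ON appdb.customers TO 'app'@'node105.yinzhengjie.org.cn';
-- routine level -> mysql.procs_priv
GRANT EXECUTE ON PROCEDURE appdb.order_total TO 'app'@'node105.yinzhengjie.org.cn';

-- Where each grant was recorded (run as root; app cannot read the mysql schema).
-- Both accounts: every *_priv column is 'N' -> no global privileges, SHOW GRANTS says USAGE ON *.*
SELECT User, Host, Select_priv, Insert_priv, Grant_priv
FROM   mysql.user WHERE User IN ('app', 'report');
-- report only: Db = appdb, Select_priv = 'Y'
SELECT User, Db, Select_priv FROM mysql.db WHERE User IN ('app', 'report');
-- app: orders  -> Table_priv 'Select,Insert,Update,Delete', Column_priv ''
--      customers -> Table_priv '' but Column_priv 'Select' (column grants also create a tables_priv row)
SELECT User, Db, Table_name, Table_priv, Column_priv FROM mysql.tables_priv WHERE User = 'app';
-- app: two rows, name and email, each with Column_priv 'Select'
SELECT User, Table_name, Column_name, Column_priv FROM mysql.columns_priv WHERE User = 'app';
-- app: order_total, Routine_type PROCEDURE, Proc_priv 'Execute'
SELECT User, Routine_name, Routine_type, Proc_priv FROM mysql.procs_priv WHERE User = 'app';
SHOW GRANTS FOR 'app'@'node105.yinzhengjie.org.cn';

-- What the column grant buys you, seen from the app session:
-- (run as app) SELECT name, email FROM appdb.customers;   -- allowed
-- (run as app) SELECT ssn FROM appdb.customers;           -- ERROR 1143: SELECT command denied ... for column 'ssn'

-- GRANT / REVOKE / CREATE USER / DROP USER update the in-memory grant tables at once;
-- FLUSH PRIVILEGES is only needed after editing mysql.* directly with INSERT/UPDATE/DELETE.
REVOKE SELECT (name, email) ON appdb.customers FROM 'app'@'node105.yinzhengjie.org.cn';
DROP USER 'app'@'node105.yinzhengjie.org.cn', 'report'@'node105.yinzhengjie.org.cn';
```

The point of reading the tables rather than SHOW GRANTS is that they show the precedence the server applies: user is checked first, then db, then tables_priv and columns_priv, then procs_priv. An account with a 'Y' in user needs no lower-level rows at all, which is exactly what the empty root rows above show.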

 

III. MySQL privileges in detail

1>. ALL / ALL PRIVILEGES

  All privileges available at the level the grant is issued at (global, database, table, and so on). It does not include GRANT OPTION or PROXY, which must be granted separately.

2>. ALTER

  Allows changing a table's structure with ALTER TABLE; ALTER TABLE additionally requires CREATE and INSERT. Renaming a table requires ALTER and DROP on the old table plus CREATE and INSERT on the new one.

3>. ALTER ROUTINE

  Allows altering or dropping stored procedures and functions.

4>. CREATE

  Allows creating new databases and tables.

5>. CREATE ROUTINE

  Allows creating stored procedures and functions.

6>. CREATE TABLESPACE

  Allows creating, altering and dropping tablespaces and log file groups.

7>. CREATE TEMPORARY TABLES

  Allows creating temporary tables.

8>. CREATE USER

  Allows creating, altering, dropping and renaming accounts (CREATE USER, ALTER USER, DROP USER, RENAME USER) and REVOKE ALL PRIVILEGES. Treat it as an administrative privilege: the holder can create accounts with any host mask, although granting those accounts privileges still requires GRANT OPTION.

9>. CREATE VIEW

  Allows creating views.

10>. DELETE

  Allows deleting rows from tables.

11>. DROP

  Allows dropping databases, tables and views; TRUNCATE TABLE also requires DROP.

12>. EVENT

  Allows viewing, creating, altering and dropping Event Scheduler events.

13>. EXECUTE

  Allows executing stored procedures and functions.

14>. FILE

  Allows reading and writing files on the server host, in directories the server can access, with LOAD DATA INFILE, SELECT ... INTO OUTFILE and the LOAD_FILE() function. The files are read and written as the operating-system user mysqld runs as, so FILE effectively means "read anything the mysqld user can read and write into any directory it can write to". Fence it with the secure_file_priv variable (a single directory, or NULL to disable file access entirely) and grant it to almost nobody.

15>. GRANT OPTION

  Allows the account to grant to, or revoke from, other accounts the privileges it holds itself.

16>. INDEX

  Allows creating and dropping indexes.

17>. INSERT

  Allows inserting rows into tables; it is also required for ANALYZE TABLE, OPTIMIZE TABLE and REPAIR TABLE.

18>. LOCK TABLES

  Allows LOCK TABLES on tables the account has SELECT on, which blocks other connections from reading or writing those tables.

19>. PROCESS

  Allows viewing information about the threads running in the server: SHOW PROCESSLIST, mysqladmin processlist (command line) and SHOW ENGINE ... STATUS (for example SHOW ENGINE INNODB STATUS). Without it an account sees only its own threads in SHOW PROCESSLIST; with it, it sees every session's current statement, which may contain literal data, so do not hand it out by default. (SHOW ENGINES, shown below, merely lists the available storage engines and needs no special privilege.)

mysql> SHOW PROCESSLIST\G
*************************** 1. row ***************************
     Id: 4
   User: event_scheduler
   Host: localhost
     db: NULL
Command: Daemon
   Time: 4061
  State: Waiting on empty queue
   Info: NULL
*************************** 2. row ***************************
     Id: 8
   User: root
   Host: localhost
     db: mysql
Command: Query
   Time: 0
  State: starting
   Info: SHOW PROCESSLIST
2 rows in set (0.00 sec)

mysql> SHOW ENGINES\G
*************************** 1. row ***************************
      Engine: FEDERATED
     Support: NO
     Comment: Federated MySQL storage engine
Transactions: NULL
          XA: NULL
  Savepoints: NULL
*************************** 2. row ***************************
      Engine: InnoDB
     Support: DEFAULT
     Comment: Supports transactions, row-level locking, and foreign keys
Transactions: YES
          XA: YES
  Savepoints: YES
*************************** 3. row ***************************
      Engine: PERFORMANCE_SCHEMA
     Support: YES
     Comment: Performance Schema
Transactions: NO
          XA: NO
  Savepoints: NO
*************************** 4. row ***************************
      Engine: MyISAM
     Support: YES
     Comment: MyISAM storage engine
Transactions: NO
          XA: NO
  Savepoints: NO
*************************** 5. row ***************************
      Engine: MRG_MYISAM
     Support: YES
     Comment: Collection of identical MyISAM tables
Transactions: NO
          XA: NO
  Savepoints: NO
*************************** 6. row ***************************
      Engine: BLACKHOLE
     Support: YES
     Comment: /dev/null storage engine (anything you write to it disappears)
Transactions: NO
          XA: NO
  Savepoints: NO
*************************** 7. row ***************************
      Engine: MEMORY
     Support: YES
     Comment: Hash based, stored in memory, useful for temporary tables
Transactions: NO
          XA: NO
  Savepoints: NO
*************************** 8. row ***************************
      Engine: CSV
     Support: YES
     Comment: CSV storage engine
Transactions: NO
          XA: NO
  Savepoints: NO
*************************** 9. row ***************************
      Engine: ARCHIVE
     Support: YES
     Comment: Archive storage engine
Transactions: NO
          XA: NO
  Savepoints: NO
9 rows in set (0.00 sec)

[root@node105 ~]# mysqladmin processlist -uroot -pyinzhengjie
mysqladmin: [Warning] Using a password on the command line interface can be insecure.
+----+-----------------+-----------+----+---------+------+------------------------+------------------+
| Id | User            | Host      | db | Command | Time | State                  | Info             |
+----+-----------------+-----------+----+---------+------+------------------------+------------------+
| 4  | event_scheduler | localhost |    | Daemon  | 4650 | Waiting on empty queue |                  |
| 10 | root            | localhost |    | Query   | 0    | starting               | show processlist |
+----+-----------------+-----------+----+---------+------+------------------------+------------------+
The warning mysqladmin prints is worth acting on: a password given as -pyinzhengjie is visible in the host's process list and shell history. Use -p with no value to be prompted, or store the credential with mysql_config_editor and pass --login-path instead.

20>. REFERENCES

  Required to create a foreign key constraint (checked on the parent table). It is enforced as of MySQL 5.7.6; before that the privilege existed but was not used.

21>. RELOAD

  Allows the FLUSH statements and their mysqladmin equivalents: "reload" re-reads the grant tables into memory, "refresh" closes and reopens the log files and flushes all tables. Note that GRANT, REVOKE, CREATE USER and ALTER USER update the in-memory grant tables themselves; FLUSH PRIVILEGES is only needed after modifying the mysql.* tables directly with INSERT, UPDATE or DELETE.

22>. REPLICATION CLIENT

  Allows SHOW MASTER STATUS, SHOW SLAVE STATUS and SHOW BINARY LOGS.

mysql> SHOW MASTER STATUS;
+---------------+----------+--------------+------------------+-------------------+
| File          | Position | Binlog_Do_DB | Binlog_Ignore_DB | Executed_Gtid_Set |
+---------------+----------+--------------+------------------+-------------------+
| binlog.000003 |      155 |              |                  |                   |
+---------------+----------+--------------+------------------+-------------------+
1 row in set (0.00 sec)

mysql> SHOW SLAVE STATUS;      
Empty set (0.00 sec)

mysql> SHOW BINARY LOGS;
+---------------+-----------+-----------+
| Log_name      | File_size | Encrypted |
+---------------+-----------+-----------+
| binlog.000001 |       513 | No        |
| binlog.000002 |       178 | No        |
| binlog.000003 |       155 | No        |
+---------------+-----------+-----------+
3 rows in set (0.00 sec)


23>. REPLICATION SLAVE

  Allows a replica to connect to the source with this account and read its binary log. Because the binary log carries every row change made on the source, an account with REPLICATION SLAVE can effectively read all of its data: pin it to the replica's host, give it nothing else, and require TLS on the connection.

24>. SELECT

  Allows reading rows from tables. SELECT statements that read no table, such as SELECT 1+1 or SELECT PI()+5, need no privilege at all. SELECT is also required for UPDATE and DELETE statements that carry a WHERE clause, because the rows have to be read to evaluate the condition.

mysql> SELECT PI()+5;
+----------+
| PI()+5   |
+----------+
| 8.141593 |
+----------+
1 row in set (0.00 sec)


25>. SHOW DATABASES

  Allows SHOW DATABASES to list every database. Without it an account sees only the databases on which it holds some privilege.

26>. SHOW VIEW

  Allows SHOW CREATE VIEW, i.e. viewing the statement a view was created with.

27>. SHUTDOWN

  Allows shutting down the server instance, with mysqladmin shutdown or the SHUTDOWN statement.

[root@node105 ~]# ss -ntl            
State      Recv-Q Send-Q   Local Address:Port                  Peer Address:Port              
LISTEN     0      128                  *:22                               *:*                  
LISTEN     0      128                 :::3306                            :::*                  
LISTEN     0      128                 :::22                              :::*                  
LISTEN     0      70                  :::33060                           :::*                  
[root@node105 ~]# 
[root@node105 ~]# 
[root@node105 ~]# mysqladmin -uroot -pyinzhengjie shutdown
mysqladmin: [Warning] Using a password on the command line interface can be insecure.
[root@node105 ~]# 
[root@node105 ~]# ss -ntl
State      Recv-Q Send-Q   Local Address:Port                  Peer Address:Port              
LISTEN     0      128                  *:22                               *:*                  
LISTEN     0      128                 :::22                              :::*                  
[root@node105 ~]# 

28>. SUPER

  Allows a long list of administrative operations, including KILL to terminate other sessions' connections, CHANGE MASTER TO to set up replication, CREATE/ALTER/DROP SERVER, and SET GLOBAL. In MySQL 8.0 SUPER is deprecated in favour of the dynamic privileges listed in the root output above (CONNECTION_ADMIN, REPLICATION_SLAVE_ADMIN, SYSTEM_VARIABLES_ADMIN and so on), which let each of those capabilities be granted separately instead of all at once.

29>. TRIGGER

  Allows creating, dropping, executing and displaying triggers.

30>. UPDATE

  Allows modifying rows in tables.

31>. USAGE

  The default, empty privilege of a freshly created account. It means "no privileges" and grants nothing beyond the ability to connect.

mysql> CREATE USER yinzhengjie@node105.yinzhengjie.org.cn;
Query OK, 0 rows affected (0.01 sec)

mysql> SHOW GRANTS FOR yinzhengjie@node105.yinzhengjie.org.cn;
+------------------------------------------------------------------+
| Grants for yinzhengjie@node105.yinzhengjie.org.cn                |
+------------------------------------------------------------------+
| GRANT USAGE ON *.* TO `yinzhengjie`@`node105.yinzhengjie.org.cn` |
+------------------------------------------------------------------+
1 row in set (0.00 sec)

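Several of the privileges above (FILE, SUPER, PROCESS, SHUTDOWN, REPLICATION SLAVE, GRANT OPTION and the 8.0 *_ADMIN dynamic privileges) are the ones that turn a database account into a foothold on the host or a channel for bulk data exfiltration. The following is an added example (MySQL 8.0 SQL, not from the original post) of the audit queries a practitioner would run against the privilege tables to find such accounts, followed by how a replication account should look. It assumes a session that can read the mysql schema; the repl account and its host are example names.

```sql
-- Added example, not from the original post. Assumes MySQL 8.0 and a session
-- that can read mysql.*; the repl account below is an example name.

-- 1. Static privileges that amount to host takeover or bulk data access.
--    'Y' IN (...) is true if any of the listed columns is 'Y'.
SELECT User, Host,
       File_priv, Super_priv, Shutdown_priv, Process_priv, Repl_slave_priv, Grant_priv
FROM   mysql.user
WHERE  'Y' IN (File_priv, Super_priv, Shutdown_priv, Process_priv, Repl_slave_priv, Grant_priv)
ORDER  BY User, Host;

-- 2. Dynamic privileges: the *_ADMIN rights that replace SUPER are stored in
--    mysql.global_grants, not in mysql.user, so an audit of user alone misses them.
SELECT USER, HOST, PRIV, WITH_GRANT_OPTION
FROM   mysql.global_grants
WHERE  PRIV IN ('SYSTEM_VARIABLES_ADMIN', 'CONNECTION_ADMIN', 'BACKUP_ADMIN',
                'REPLICATION_SLAVE_ADMIN', 'BINLOG_ADMIN', 'ROLE_ADMIN', 'SET_USER_ID')
ORDER  BY USER, HOST, PRIV;

-- 3. Accounts reachable from any host, or with no credential set at all
--    (authentication_string is nullable, hence the IFNULL).
SELECT User, Host, plugin, account_locked,
       IFNULL(authentication_string, '') = '' AS empty_credential
FROM   mysql.user
WHERE  Host IN ('%', '') OR IFNULL(authentication_string, '') = ''
ORDER  BY User, Host;

-- 4. Is FILE fenced in? '' means any directory the mysqld OS user can reach,
--    a path restricts LOAD DATA INFILE / INTO OUTFILE / LOAD_FILE() to that
--    directory, NULL disables them entirely.
SHOW VARIABLES LIKE 'secure_file_priv';

-- 5. A replication account as the REPLICATION SLAVE section describes it:
--    exactly one privilege, pinned to the replica's host, TLS required.
CREATE USER IF NOT EXISTS 'repl'@'node106.yinzhengjie.org.cn'
  IDENTIFIED BY 'Example-password-3!' REQUIRE SSL;
GRANT REPLICATION SLAVE ON *.* TO 'repl'@'node106.yinzhengjie.org.cn';
SHOW GRANTS FOR 'repl'@'node106.yinzhengjie.org.cn';
-- expected: GRANT REPLICATION SLAVE ON *.* TO `repl`@`node106.yinzhengjie.org.cn`
```

Query 2 is the one most often forgotten: after a migration to 8.0 an account that used to need SUPER may have been given SYSTEM_VARIABLES_ADMIN or CONNECTION_ADMIN instead, and those never show up as a 'Y' in mysql.user.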

 

IV. The system privilege tables

1>. Privileges are stored in the five system tables user, db, tables_priv, columns_priv and procs_priv of the mysql database, and loaded into memory once the instance has started.

• user table:
    Stores account information and global-level privileges (over all databases). It decides which users from which hosts may connect to the instance; a privilege set here applies to every database.

• db table:
    Stores database-level privileges: which users from which hosts may access a given database.

• tables_priv table:
    Stores table-level privileges: which users from which hosts may access a given table of a database.

• columns_priv table:
    Stores column-level privileges: which users from which hosts may access a given column of a table.

• procs_priv table:
    Stores stored-procedure- and function-level privileges.

2>. Structure of the user and db tables

mysql> desc mysql.user\G
*************************** 1. row ***************************
  Field: Host
   Type: char(60)
   Null: NO
    Key: PRI
Default: 
  Extra: 
*************************** 2. row ***************************
  Field: User
   Type: char(32)
   Null: NO
    Key: PRI
Default: 
  Extra: 
*************************** 3. row ***************************
  Field: Select_priv
   Type: enum('N','Y')
   Null: NO
    Key: 
Default: N
  Extra: 
*************************** 4. row ***************************
  Field: Insert_priv
   Type: enum('N','Y')
   Null: NO
    Key: 
Default: N
  Extra: 
*************************** 5. row ***************************
  Field: Update_priv
   Type: enum('N','Y')
   Null: NO
    Key: 
Default: N
  Extra: 
*************************** 6. row ***************************
  Field: Delete_priv
   Type: enum('N','Y')
   Null: NO
    Key: 
Default: N
  Extra: 
*************************** 7. row ***************************
  Field: Create_priv
   Type: enum('N','Y')
   Null: NO
    Key: 
Default: N
  Extra: 
*************************** 8. row ***************************
  Field: Drop_priv
   Type: enum('N','Y')
   Null: NO
    Key: 
Default: N
  Extra: 
*************************** 9. row ***************************
  Field: Reload_priv
   Type: enum('N','Y')
   Null: NO
    Key: 
Default: N
  Extra: 
*************************** 10. row ***************************
  Field: Shutdown_priv
   Type: enum('N','Y')
   Null: NO
    Key: 
Default: N
  Extra: 
*************************** 11. row ***************************
  Field: Process_priv
   Type: enum('N','Y')
   Null: NO
    Key: 
Default: N
  Extra: 
*************************** 12. row ***************************
  Field: File_priv
   Type: enum('N','Y')
   Null: NO
    Key: 
Default: N
  Extra: 
*************************** 13. row ***************************
  Field: Grant_priv
   Type: enum('N','Y')
   Null: NO
    Key: 
Default: N
  Extra: 
*************************** 14. row ***************************
  Field: References_priv
   Type: enum('N','Y')
   Null: NO
    Key: 
Default: N
  Extra: 
*************************** 15. row ***************************
  Field: Index_priv
   Type: enum('N','Y')
   Null: NO
    Key: 
Default: N
  Extra: 
*************************** 16. row ***************************
  Field: Alter_priv
   Type: enum('N','Y')
   Null: NO
    Key: 
Default: N
  Extra: 
*************************** 17. row ***************************
  Field: Show_db_priv
   Type: enum('N','Y')
   Null: NO
    Key: 
Default: N
  Extra: 
*************************** 18. row ***************************
  Field: Super_priv
   Type: enum('N','Y')
   Null: NO
    Key: 
Default: N
  Extra: 
*************************** 19. row ***************************
  Field: Create_tmp_table_priv
   Type: enum('N','Y')
   Null: NO
    Key: 
Default: N
  Extra: 
*************************** 20. row ***************************
  Field: Lock_tables_priv
   Type: enum('N','Y')
   Null: NO
    Key: 
Default: N
  Extra: 
*************************** 21. row ***************************
  Field: Execute_priv
   Type: enum('N','Y')
   Null: NO
    Key: 
Default: N
  Extra: 
*************************** 22. row ***************************
  Field: Repl_slave_priv
   Type: enum('N','Y')
   Null: NO
    Key: 
Default: N
  Extra: 
*************************** 23. row ***************************
  Field: Repl_client_priv
   Type: enum('N','Y')
   Null: NO
    Key: 
Default: N
  Extra: 
*************************** 24. row ***************************
  Field: Create_view_priv
   Type: enum('N','Y')
   Null: NO
    Key: 
Default: N
  Extra: 
*************************** 25. row ***************************
  Field: Show_view_priv
   Type: enum('N','Y')
   Null: NO
    Key: 
Default: N
  Extra: 
*************************** 26. row ***************************
  Field: Create_routine_priv
   Type: enum('N','Y')
   Null: NO
    Key: 
Default: N
  Extra: 
*************************** 27. row ***************************
  Field: Alter_routine_priv
   Type: enum('N','Y')
   Null: NO
    Key: 
Default: N
  Extra: 
*************************** 28. row ***************************
  Field: Create_user_priv
   Type: enum('N','Y')
   Null: NO
    Key: 
Default: N
  Extra: 
*************************** 29. row ***************************
  Field: Event_priv
   Type: enum('N','Y')
   Null: NO
    Key: 
Default: N
  Extra: 
*************************** 30. row ***************************
  Field: Trigger_priv
   Type: enum('N','Y')
   Null: NO
    Key: 
Default: N
  Extra: 
*************************** 31. row ***************************
  Field: Create_tablespace_priv
   Type: enum('N','Y')
   Null: NO
    Key: 
Default: N
  Extra: 
*************************** 32. row ***************************
  Field: ssl_type
   Type: enum('','ANY','X509','SPECIFIED')
   Null: NO
    Key: 
Default: 
  Extra: 
*************************** 33. row ***************************
  Field: ssl_cipher
   Type: blob
   Null: NO
    Key: 
Default: NULL
  Extra: 
*************************** 34. row ***************************
  Field: x509_issuer
   Type: blob
   Null: NO
    Key: 
Default: NULL
  Extra: 
*************************** 35. row ***************************
  Field: x509_subject
   Type: blob
   Null: NO
    Key: 
Default: NULL
  Extra: 
*************************** 36. row ***************************
  Field: max_questions
   Type: int(11) unsigned
   Null: NO
    Key: 
Default: 0
  Extra: 
*************************** 37. row ***************************
  Field: max_updates
   Type: int(11) unsigned
   Null: NO
    Key: 
Default: 0
  Extra: 
*************************** 38. row ***************************
  Field: max_connections
   Type: int(11) unsigned
   Null: NO
    Key: 
Default: 0
  Extra: 
*************************** 39. row ***************************
  Field: max_user_connections
   Type: int(11) unsigned
   Null: NO
    Key: 
Default: 0
  Extra: 
*************************** 40. row ***************************
  Field: plugin
   Type: char(64)
   Null: NO
    Key: 
Default: caching_sha2_password
  Extra: 
*************************** 41. row ***************************
  Field: authentication_string
   Type: text
   Null: YES
    Key: 
Default: NULL
  Extra: 
*************************** 42. row ***************************
  Field: password_expired
   Type: enum('N','Y')
   Null: NO
    Key: 
Default: N
  Extra: 
*************************** 43. row ***************************
  Field: password_last_changed
   Type: timestamp
   Null: YES
    Key: 
Default: NULL
  Extra: 
*************************** 44. row ***************************
  Field: password_lifetime
   Type: smallint(5) unsigned
   Null: YES
    Key: 
Default: NULL
  Extra: 
*************************** 45. row ***************************
  Field: account_locked
   Type: enum('N','Y')
   Null: NO
    Key: 
Default: N
  Extra: 
*************************** 46. row ***************************
  Field: Create_role_priv
   Type: enum('N','Y')
   Null: NO
    Key: 
Default: N
  Extra: 
*************************** 47. row ***************************
  Field: Drop_role_priv
   Type: enum('N','Y')
   Null: NO
    Key: 
Default: N
  Extra: 
*************************** 48. row ***************************
  Field: Password_reuse_history
   Type: smallint(5) unsigned
   Null: YES
    Key: 
Default: NULL
  Extra: 
*************************** 49. row ***************************
  Field: Password_reuse_time
   Type: smallint(5) unsigned
   Null: YES
    Key: 
Default: NULL
  Extra: 
*************************** 50. row ***************************
  Field: Password_require_current
   Type: enum('N','Y')
   Null: YES
    Key: 
Default: NULL
  Extra: 
*************************** 51. row ***************************
  Field: User_attributes
   Type: json
   Null: YES
    Key: 
Default: NULL
  Extra: 
51 rows in set (0.00 sec)

Above: the structure of the user table. Below: the structure of the db table.
mysql> desc mysql.db\G
*************************** 1. row ***************************
  Field: Host
   Type: char(60)
   Null: NO
    Key: PRI
Default: 
  Extra: 
*************************** 2. row ***************************
  Field: Db
   Type: char(64)
   Null: NO
    Key: PRI
Default: 
  Extra: 
*************************** 3. row ***************************
  Field: User
   Type: char(32)
   Null: NO
    Key: PRI
Default: 
  Extra: 
*************************** 4. row ***************************
  Field: Select_priv
   Type: enum('N','Y')
   Null: NO
    Key: 
Default: N
  Extra: 
*************************** 5. row ***************************
  Field: Insert_priv
   Type: enum('N','Y')
   Null: NO
    Key: 
Default: N
  Extra: 
*************************** 6. row ***************************
  Field: Update_priv
   Type: enum('N','Y')
   Null: NO
    Key: 
Default: N
  Extra: 
*************************** 7. row ***************************
  Field: Delete_priv
   Type: enum('N','Y')
   Null: NO
    Key: 
Default: N
  Extra: 
*************************** 8. row ***************************
  Field: Create_priv
   Type: enum('N','Y')
   Null: NO
    Key: 
Default: N
  Extra: 
*************************** 9. row ***************************
  Field: Drop_priv
   Type: enum('N','Y')
   Null: NO
    Key: 
Default: N
  Extra: 
*************************** 10. row ***************************
  Field: Grant_priv
   Type: enum('N','Y')
   Null: NO
    Key: 
Default: N
  Extra: 
*************************** 11. row ***************************
  Field: References_priv
   Type: enum('N','Y')
   Null: NO
    Key: 
Default: N
  Extra: 
*************************** 12. row ***************************
  Field: Index_priv
   Type: enum('N','Y')
   Null: NO
    Key: 
Default: N
  Extra: 
*************************** 13. row ***************************
  Field: Alter_priv
   Type: enum('N','Y')
   Null: NO
    Key: 
Default: N
  Extra: 
*************************** 14. row ***************************
  Field: Create_tmp_table_priv
   Type: enum('N','Y')
   Null: NO
    Key: 
Default: N
  Extra: 
*************************** 15. row ***************************
  Field: Lock_tables_priv
   Type: enum('N','Y')
   Null: NO
    Key: 
Default: N
  Extra: 
*************************** 16. row ***************************
  Field: Create_view_priv
   Type: enum('N','Y')
   Null: NO
    Key: 
Default: N
  Extra: 
*************************** 17. row ***************************
  Field: Show_view_priv
   Type: enum('N','Y')
   Null: NO
    Key: 
Default: N
  Extra: 
*************************** 18. row ***************************
  Field: Create_routine_priv
   Type: enum('N','Y')
   Null: NO
    Key: 
Default: N
  Extra: 
*************************** 19. row ***************************
  Field: Alter_routine_priv
   Type: enum('N','Y')
   Null: NO
    Key: 
Default: N
  Extra: 
*************************** 20. row ***************************
  Field: Execute_priv
   Type: enum('N','Y')
   Null: NO
    Key: 
Default: N
  Extra: 
*************************** 21. row ***************************
  Field: Event_priv
   Type: enum('N','Y')
   Null: NO
    Key: 
Default: N
  Extra: 
*************************** 22. row ***************************
  Field: Trigger_priv
   Type: enum('N','Y')
   Null: NO
    Key: 
Default: N
  Extra: 
22 rows in set (0.00 sec)

Special columns of the user table
    • plugin and authentication_string hold the account's credential: the authentication plugin and the hashed secret. The separate password column of older versions was removed in MySQL 5.7.6 and no longer exists, as the desc output above shows.
    • password_expired set to 'Y' means a DBA has expired the account's password (ALTER USER ... PASSWORD EXPIRE); the user must then reset it with ALTER USER or SET PASSWORD before running anything else.
    • password_last_changed is a timestamp of the last password change; it is updated automatically whenever CREATE USER, ALTER USER or SET PASSWORD sets a credential.
    • password_lifetime is the number of days after password_last_changed at which the password expires; NULL means the server-wide default_password_lifetime applies.
    • account_locked set to 'Y' means the account is locked and cannot be used to log in.
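The columns just described are written by ALTER USER and CREATE USER clauses rather than edited by hand. The following is an added example (MySQL 8.0 SQL, not from the original post) that drives each of them through those clauses and reads the result back from mysql.user. It assumes a session holding CREATE USER; the alice account and its host are example names.

```sql
-- Added example, not from the original post. Assumes MySQL 8.0 and a session
-- with CREATE USER; the account and host names are chosen for this example.

-- Expiry and reuse policy set at creation. These populate password_lifetime,
-- Password_reuse_history, Password_reuse_time and Password_require_current.
CREATE USER IF NOT EXISTS 'alice'@'node105.yinzhengjie.org.cn'
  IDENTIFIED BY 'Example-password-4!'
  PASSWORD EXPIRE INTERVAL 90 DAY       -- password_lifetime = 90
  PASSWORD HISTORY 5                    -- Password_reuse_history = 5
  PASSWORD REUSE INTERVAL 365 DAY       -- Password_reuse_time = 365
  PASSWORD REQUIRE CURRENT;             -- Password_require_current = 'Y'

SELECT User, Host, password_expired, password_last_changed, password_lifetime,
       Password_reuse_history, Password_reuse_time, Password_require_current, account_locked
FROM   mysql.user WHERE User = 'alice';
-- A NULL in any of the four policy columns means "use the server-wide default"
-- (default_password_lifetime, password_history, password_reuse_interval,
--  password_require_current); a value overrides it for this account only.

-- Force a reset: password_expired becomes 'Y'. The account can still connect,
-- but every statement except ALTER USER / SET PASSWORD fails until the password
-- is changed (unless disconnect_on_expired_password rejects the login outright).
ALTER USER 'alice'@'node105.yinzhengjie.org.cn' PASSWORD EXPIRE;
SELECT User, password_expired FROM mysql.user WHERE User = 'alice';   -- Y

-- The user resets it. With PASSWORD REQUIRE CURRENT the old password must be
-- supplied in the REPLACE clause, which stops a hijacked session from silently
-- rotating the credential:
-- (run as alice) ALTER USER USER() IDENTIFIED BY 'Example-password-5!' REPLACE 'Example-password-4!';
-- Reusing one of the last 5 passwords, or one used in the last 365 days, is rejected.

-- Disable rather than drop an account (its grants are kept): account_locked = 'Y'.
-- This is the same mechanism that keeps mysql.sys unusable as a login.
ALTER USER 'alice'@'node105.yinzhengjie.org.cn' ACCOUNT LOCK;
SELECT User, Host, account_locked FROM mysql.user WHERE User = 'alice';   -- Y
ALTER USER 'alice'@'node105.yinzhengjie.org.cn' ACCOUNT UNLOCK;

-- Clean up
DROP USER 'alice'@'node105.yinzhengjie.org.cn';
```

ACCOUNT LOCK is the right tool for an incident-response "disable this user now": it takes effect for new connections immediately and preserves the grants for later review, whereas DROP USER destroys the evidence of what the account could do.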

3>. Structure of the tables_priv and columns_priv tables

mysql> desc mysql.tables_priv\G
*************************** 1. row ***************************
  Field: Host
   Type: char(60)
   Null: NO
    Key: PRI
Default: 
  Extra: 
*************************** 2. row ***************************
  Field: Db
   Type: char(64)
   Null: NO
    Key: PRI
Default: 
  Extra: 
*************************** 3. row ***************************
  Field: User
   Type: char(32)
   Null: NO
    Key: PRI
Default: 
  Extra: 
*************************** 4. row ***************************
  Field: Table_name
   Type: char(64)
   Null: NO
    Key: PRI
Default: 
  Extra: 
*************************** 5. row ***************************
  Field: Grantor
   Type: char(93)
   Null: NO
    Key: MUL
Default: 
  Extra: 
*************************** 6. row ***************************
  Field: Timestamp
   Type: timestamp
   Null: NO
    Key: 
Default: CURRENT_TIMESTAMP
  Extra: DEFAULT_GENERATED on update CURRENT_TIMESTAMP
*************************** 7. row ***************************
  Field: Table_priv
   Type: set('Select','Insert','Update','Delete','Create','Drop','Grant','References','Index','Alter','Create View','Show view','Trigger')
   Null: NO
    Key: 
Default: 
  Extra: 
*************************** 8. row ***************************
  Field: Column_priv
   Type: set('Select','Insert','Update','References')
   Null: NO
    Key: 
Default: 
  Extra: 
8 rows in set (0.00 sec)

Above: the structure of the tables_priv table. The Grantor and Timestamp columns are bookkeeping (which account issued the grant and when, as the mysql.sys row earlier showed); they play no part in the privilege check itself, which is what the original means by calling them "unused".
mysql> desc mysql.columns_priv\G
*************************** 1. row ***************************
  Field: Host
   Type: char(60)
   Null: NO
    Key: PRI
Default: 
  Extra: 
*************************** 2. row ***************************
  Field: Db
   Type: char(64)
   Null: NO
    Key: PRI
Default: 
  Extra: 
*************************** 3. row ***************************
  Field: User
   Type: char(32)
   Null: NO
    Key: PRI
Default: 
  Extra: 
*************************** 4. row ***************************
  Field: Table_name
   Type: char(64)
   Null: NO
    Key: PRI
Default: 
  Extra: 
*************************** 5. row ***************************
  Field: Column_name
   Type: char(64)
   Null: NO
    Key: PRI
Default: 
  Extra: 
*************************** 6. row ***************************
  Field: Timestamp
   Type: timestamp
   Null: NO
    Key: 
Default: CURRENT_TIMESTAMP
  Extra: DEFAULT_GENERATED on update CURRENT_TIMESTAMP
*************************** 7. row ***************************
  Field: Column_priv
   Type: set('Select','Insert','Update','References')
   Null: NO
    Key: 
Default: 
  Extra: 
7 rows in set (0.00 sec)

mysql>
Structure of the columns_priv table (mysql> desc mysql.columns_priv\G)
Structure of the procs_priv privilege table:
    • Routine_type is an enum that records whether the row refers to a stored procedure or a function
    • The Timestamp and Grantor columns are currently unused

4>. Length limits of the columns in the system privilege tables


5>. Case sensitivity in privilege checks

    • The columns user, password, authentication_string, db and table_name are case-sensitive
    • The columns host, column_name and routine_name are case-insensitive
mysql> CREATE USER yinzhengjie@node110.yinzhengjie.org.cn;
Query OK, 0 rows affected (0.00 sec)

mysql> 
mysql> CREATE USER Yinzhengjie@node110.yinzhengjie.org.cn;       
Query OK, 0 rows affected (0.00 sec)

mysql> 
mysql> select User,Host from mysql.user where Host='node110.yinzhengjie.org.cn';
+-------------+----------------------------+
| User        | Host                       |
+-------------+----------------------------+
| Yinzhengjie | node110.yinzhengjie.org.cn |
| yinzhengjie | node110.yinzhengjie.org.cn |
+-------------+----------------------------+
2 rows in set (0.00 sec)

mysql> 
mysql> 
Case sensitivity of the User column: in other words, user names are compared case-sensitively, so Yinzhengjie and yinzhengjie are two different accounts (mysql> CREATE USER Yinzhengjie@node110.yinzhengjie.org.cn;)
mysql> CREATE USER jason@node110.yinzhengjie.org.cn;
Query OK, 0 rows affected (0.00 sec)

mysql> 
mysql> CREATE USER jason@NODE110.yinzhengjie.org.cn;       #This fails: MySQL host names are case-insensitive. An upper-case host name is converted to lower case before it is compared with the user table.
ERROR 1396 (HY000): Operation CREATE USER failed for 'jason'@'node110.yinzhengjie.org.cn'
mysql> 
mysql> 
mysql> select User,Host from mysql.user where Host='node110.yinzhengjie.org.cn';
+-------------+----------------------------+
| User        | Host                       |
+-------------+----------------------------+
| Yinzhengjie | node110.yinzhengjie.org.cn |
| jason       | node110.yinzhengjie.org.cn |
| yinzhengjie | node110.yinzhengjie.org.cn |
+-------------+----------------------------+
3 rows in set (0.00 sec)

mysql> 
mysql> 
The Host column is not case-sensitive: in other words, host names are compared without regard to case, which is why the second CREATE USER above fails (mysql> CREATE USER jason@node110.yinzhengjie.org.cn;)

6>. Viewing a user's privilege information

mysql> SHOW GRANTS FOR 'root'@'localhost'\G
*************************** 1. row ***************************
Grants for root@localhost: GRANT SELECT, INSERT, UPDATE, DELETE, CREATE, DROP, RELOAD, SHUTDOWN, PROCESS, FILE, REFERENCES, INDEX, ALTER, SHOW DATABASES, SUPER, CREATE TEMPORARY TABLES, LOCK TABLES, EXECUTE, REPLICATION SLAVE, REPLICATION CLIENT, CREATE VIEW, SHOW VIEW, CREATE ROUTINE, ALTER ROUTINE, CREATE USER, EVENT, TRIGGER, CREATE TABLESPACE, CREATE ROLE, DROP ROLE ON *.* TO `root`@`localhost` WITH GRANT OPTION
*************************** 2. row ***************************
Grants for root@localhost: GRANT APPLICATION_PASSWORD_ADMIN,BACKUP_ADMIN,BINLOG_ADMIN,BINLOG_ENCRYPTION_ADMIN,CONNECTION_ADMIN,ENCRYPTION_KEY_ADMIN,GROUP_REPLICATION_ADMIN,PERSIST_RO_VARIABLES_ADMIN,REPLICATION_SLAVE_ADMIN,RESOURCE_GROUP_ADMIN,RESOURCE_GROUP_USER,ROLE_ADMIN,SERVICE_CONNECTION_ADMIN,SESSION_VARIABLES_ADMIN,SET_USER_ID,SYSTEM_VARIABLES_ADMIN,XA_RECOVER_ADMIN ON *.* TO `root`@`localhost` WITH GRANT OPTION
*************************** 3. row ***************************
Grants for root@localhost: GRANT PROXY ON ''@'' TO 'root'@'localhost' WITH GRANT OPTION
3 rows in set (0.00 sec)

mysql> 
View the privileges already granted to a user (mysql> SHOW GRANTS FOR 'root'@'localhost'\G)
mysql> SHOW CREATE USER root@localhost\G
*************************** 1. row ***************************
CREATE USER for root@localhost: CREATE USER 'root'@'localhost' IDENTIFIED WITH 'caching_sha2_password' AS '$A$005$_DHTgn}dT9t%1>5eMM4wjrUWB.UY3A60WfUlqsZAVP0HhJ3Xxp1bFRs76g9B' REQUIRE NONE PASSWORD EXPIRE DEFAULT ACCOUNT UNLOCK PASSWORD HISTORY DEFAULT PASSWORD REUSE INTERVAL DEFAULT PASSWORD REQUIRE CURRENT DEFAULT
1 row in set (0.00 sec)

mysql> 
mysql> 
View the user's other, non-privilege attributes such as authentication plugin, password expiry and lock state (mysql> SHOW CREATE USER root@localhost\G)


V. MySQL user accounts

1>. The components of a MySQL account

   A MySQL account consists of two parts: the user name and the host name the login comes from. User names and host names follow these rules:

    • An account is written as 'user_name'@'host_name'
    • The quotes are optional, but they are required when the name contains special characters
    • ''@'localhost' denotes the anonymous user
    • host_name may be a host name or an IPv4/IPv6 address. localhost means the local machine, 127.0.0.1 is the IPv4 loopback address and ::1 is the IPv6 loopback address
    • The host_name part accepts the two wildcard characters % and _. For example '%' matches every host, '%.mysql.com' matches every host in the mysql.com domain, and '192.168.1.%' matches every host in the 192.168.1 network
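The host part decides how widely an account is reachable, so the first thing to review on an instance is which accounts carry a wildcard host, which have no user name at all, and which hold powerful global flags. The following SQL is an added example (written for this edit, not code from the original post); it assumes a MySQL 8.0 server, a session with CREATE USER plus SELECT on the mysql schema, and uses constructed account names and a constructed 192.168.1.% network:

```sql
-- Added example, not from the original post. Assumes MySQL 8.0 and a session
-- with CREATE USER and SELECT on the mysql schema. Account names and the
-- 192.168.1.% network are constructed for illustration.

-- Same user name, three different host parts: MySQL stores and checks these
-- as three separate accounts, exactly as the post describes.
CREATE USER 'app'@'localhost'   IDENTIFIED BY 'Example#Pass1';  -- connections from the local machine only
CREATE USER 'app'@'192.168.1.%' IDENTIFIED BY 'Example#Pass2';  -- one IPv4 network
CREATE USER 'app'@'%'           IDENTIFIED BY 'Example#Pass3';  -- any host: the widest exposure

-- The rows sit side by side in mysql.user; the server picks the most specific
-- matching Host value when a client connects.
SELECT User, Host FROM mysql.user WHERE User = 'app' ORDER BY Host;

-- Audit query: anonymous accounts (empty User), accounts reachable through a
-- host wildcard, and accounts holding WITH GRANT OPTION, SUPER or FILE on *.*.
-- These are the rows to review first when hardening an instance.
SELECT User, Host,
       CASE
         WHEN User = ''                                 THEN 'anonymous account'
         WHEN Host = '%'                                THEN 'reachable from any host'
         WHEN INSTR(Host, '%') > 0 OR INSTR(Host, '_') > 0 THEN 'host pattern'
         ELSE 'specific host'
       END        AS exposure,
       Grant_priv AS global_grant_option,
       Super_priv AS super_priv,
       File_priv  AS file_priv
  FROM mysql.user
 WHERE User = ''
    OR INSTR(Host, '%') > 0 OR INSTR(Host, '_') > 0
    OR Grant_priv = 'Y' OR Super_priv = 'Y' OR File_priv = 'Y'
 ORDER BY User, Host;

-- Remove the three constructed accounts again.
DROP USER 'app'@'localhost', 'app'@'192.168.1.%', 'app'@'%';
```

The audit query reads the same mysql.user table whose structure the post walks through; run it after every batch of CREATE USER / GRANT changes and treat every 'reachable from any host' row that belongs to an application account as something to narrow down.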

2>. When privilege changes take effect

    • After privileges are modified with GRANT, REVOKE, SET PASSWORD or RENAME USER, MySQL automatically reloads the modified privilege information into memory
    • If the system privilege tables above are modified directly with INSERT/UPDATE/DELETE, the privileges must be reloaded explicitly before the change reaches memory. The reload commands are FLUSH PRIVILEGES, mysqladmin flush-privileges and mysqladmin reload
    • Changes to table- and column-level privileges take effect on the client's next operation
    • Changes to database-level privileges take effect after the client next executes a USE database command
    • Changes to global-level privileges take effect only for connections opened after the change
    • --skip-grant-tables bypasses all of the system privilege tables and lets every user log in; use it only temporarily, in exceptional situations
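The difference between the first two bullets is easy to see from one session. The SQL below is an added example (written for this edit, not from the original post); it assumes MySQL 8.0, a session with CREATE USER, GRANT OPTION on *.* and SELECT/UPDATE on the mysql schema, and uses a constructed account and database:

```sql
-- Added example, not from the original post. Assumes MySQL 8.0 and a session
-- with CREATE USER, GRANT OPTION on *.* and SELECT/UPDATE on the mysql schema.
-- The account reporter and the database demo_app are constructed.
CREATE DATABASE IF NOT EXISTS demo_app;
CREATE USER 'reporter'@'localhost' IDENTIFIED BY 'Example#Pass1';

-- Path 1: GRANT writes the mysql.db row AND refreshes the in-memory copy in
-- one step, so SHOW GRANTS reflects the change immediately.
GRANT SELECT ON demo_app.* TO 'reporter'@'localhost';
SHOW GRANTS FOR 'reporter'@'localhost';

-- Path 2: editing the privilege table directly changes only the stored row.
-- The server keeps enforcing the in-memory copy, so the user still has SELECT
-- and not INSERT until the tables are reloaded.
UPDATE mysql.db
   SET Select_priv = 'N', Insert_priv = 'Y'
 WHERE User = 'reporter' AND Host = 'localhost' AND Db = 'demo_app';

-- Compare the two views: the table row now says INSERT, while SHOW GRANTS,
-- which reports from the in-memory copy, still lists SELECT.
SELECT User, Host, Db, Select_priv, Insert_priv
  FROM mysql.db
 WHERE User = 'reporter' AND Host = 'localhost';
SHOW GRANTS FOR 'reporter'@'localhost';

-- Reload the grant tables into memory; SHOW GRANTS now matches the table.
FLUSH PRIVILEGES;
SHOW GRANTS FOR 'reporter'@'localhost';

-- Clean up the constructed objects.
DROP USER 'reporter'@'localhost';
DROP DATABASE demo_app;
```

The gap between the table and the cache is also why a direct edit to mysql.user or mysql.db that someone forgets to flush can leave an instance enforcing privileges that no longer match what a later audit of the tables shows; prefer the GRANT/REVOKE statements the post recommends.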

3>. Ways to connect as a MySQL user

[root@node105 ~]# mysql --user=root --password mysql
Enter password: 
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A

Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 14
Server version: 8.0.14 MySQL Community Server - GPL

Copyright (c) 2000, 2019, Oracle and/or its affiliates. All rights reserved.

Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

mysql> select database();
+------------+
| database() |
+------------+
| mysql      |
+------------+
1 row in set (0.00 sec)

mysql> 
mysql> quit
Bye
[root@node105 ~]# 
[root@node105 ~]# 
Method 1: connect to a specific database with the full-length options, entering the password at the prompt ([root@node105 ~]# mysql --user=root --password mysql)
[root@node105 ~]# mysql --user=root -p mysql        
Enter password: 
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A

Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 15
Server version: 8.0.14 MySQL Community Server - GPL

Copyright (c) 2000, 2019, Oracle and/or its affiliates. All rights reserved.

Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

mysql> select database();
+------------+
| database() |
+------------+
| mysql      |
+------------+
1 row in set (0.00 sec)

mysql> quit
Bye
[root@node105 ~]# 
Method 2: the same as method 1 with the short form of the password option ([root@node105 ~]# mysql --user=root -p mysql)
[root@node105 ~]# mysql --user=root --password=yinzhengjie mysql
mysql: [Warning] Using a password on the command line interface can be insecure.
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A

Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 16
Server version: 8.0.14 MySQL Community Server - GPL

Copyright (c) 2000, 2019, Oracle and/or its affiliates. All rights reserved.

Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

mysql> select database();
+------------+
| database() |
+------------+
| mysql      |
+------------+
1 row in set (0.00 sec)

mysql> quit
Bye
[root@node105 ~]# 
[root@node105 ~]# history  |  tail -5
  282  mysql --user=yinzhengjie@node105.yinzhengjie.org.cn --password mysql
  283  mysql --user=root --password mysql
  284  mysql --user=root -p mysql
  285  mysql --user=root --password=yinzhengjie mysql     #the password has been recorded in the shell history
  286  history  |  tail -5
[root@node105 ~]# 
Method 3: passing the password on the command line with the full-length option. This leaks the password into the shell history, so it is not recommended ([root@node105 ~]# mysql --user=root --password=yinzhengjie mysql)
[root@node105 ~]# mysql -uroot -pyinzhengjie mysql
mysql: [Warning] Using a password on the command line interface can be insecure.
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A

Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 17
Server version: 8.0.14 MySQL Community Server - GPL

Copyright (c) 2000, 2019, Oracle and/or its affiliates. All rights reserved.

Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

mysql> select database();
+------------+
| database() |
+------------+
| mysql      |
+------------+
1 row in set (0.00 sec)

mysql> quit;
Bye
[root@node105 ~]# history  |  tail -2             
  289  mysql -uroot -pyinzhengjie mysql
  290  history  |  tail -2
[root@node105 ~]# 
Method 4: the short form of method 3. Because it leaks the password just as easily, I do not recommend it either; in a test environment it does not matter much ([root@node105 ~]# mysql -uroot -pyinzhengjie mysql)

4>. Creating MySQL users: worked examples

   There are two ways to create a MySQL account:

    Method 1: execute CREATE USER / GRANT (recommended)

    Method 2: INSERT directly into the MySQL system privilege tables (not recommended)

mysql> SELECT User,Host from mysql.user;
+------------------+-----------+
| User             | Host      |
+------------------+-----------+
| mysql.infoschema | localhost |
| mysql.session    | localhost |
| mysql.sys        | localhost |
| root             | localhost |
+------------------+-----------+
4 rows in set (0.00 sec)

mysql> 
mysql> 
mysql> CREATE USER 'jason'@'node110.yinzhengjie.org.cn' IDENTIFIED BY 'yinzhengjie'; 
Query OK, 0 rows affected (0.00 sec)

mysql> 
mysql> SELECT User,Host from mysql.user;
+------------------+----------------------------+
| User             | Host                       |
+------------------+----------------------------+
| mysql.infoschema | localhost                  |
| mysql.session    | localhost                  |
| mysql.sys        | localhost                  |
| root             | localhost                  |
| jason            | node110.yinzhengjie.org.cn |
+------------------+----------------------------+
5 rows in set (0.00 sec)

mysql> 
Create the user (mysql> CREATE USER 'jason'@'node110.yinzhengjie.org.cn' IDENTIFIED BY 'yinzhengjie';)
mysql> SHOW GRANTS FOR 'jason'@'node110.yinzhengjie.org.cn';
+------------------------------------------------------------+
| Grants for jason@node110.yinzhengjie.org.cn                |
+------------------------------------------------------------+
| GRANT USAGE ON *.* TO `jason`@`node110.yinzhengjie.org.cn` |
+------------------------------------------------------------+
1 row in set (0.00 sec)

mysql> 
After creating the user, check its default privileges: a new account has only USAGE, which is no privilege at all (mysql> SHOW GRANTS FOR 'jason'@'node110.yinzhengjie.org.cn';)
mysql> CREATE DATABASE yinzhengjie;
Query OK, 1 row affected (0.00 sec)

mysql> show databases;
+--------------------+
| Database           |
+--------------------+
| information_schema |
| mysql              |
| performance_schema |
| sys                |
| yinzhengjie        |
+--------------------+
5 rows in set (0.00 sec)

mysql> 
mysql> GRANT ALL PRIVILEGES ON yinzhengjie.* TO `jason`@`node110.yinzhengjie.org.cn` WITH GRANT OPTION;
Query OK, 0 rows affected (0.00 sec)

mysql> 
mysql> SHOW GRANTS FOR 'jason'@'node110.yinzhengjie.org.cn';
+--------------------------------------------------------------------------------------------------+
| Grants for jason@node110.yinzhengjie.org.cn                                                      |
+--------------------------------------------------------------------------------------------------+
| GRANT USAGE ON *.* TO `jason`@`node110.yinzhengjie.org.cn`                                       |
| GRANT ALL PRIVILEGES ON `yinzhengjie`.* TO `jason`@`node110.yinzhengjie.org.cn` WITH GRANT OPTION |
+--------------------------------------------------------------------------------------------------+
2 rows in set (0.00 sec)

mysql> 
Grant the custom database yinzhengjie to jason@node110.yinzhengjie.org.cn; because of WITH GRANT OPTION this user can in turn grant the same privileges to other users (mysql> GRANT ALL PRIVILEGES ON yinzhengjie.* TO `jason`@`node110.yinzhengjie.org.cn` WITH GRANT OPTION;)
[root@node110 ~]# hostname
node110.yinzhengjie.org.cn
[root@node110 ~]# 
[root@node110 ~]# hostname -i
172.30.1.110
[root@node110 ~]# 
[root@node110 ~]# cat /etc/hosts | grep yinzhengjie
172.30.1.101 node101.yinzhengjie.org.cn
172.30.1.102 node102.yinzhengjie.org.cn
172.30.1.103 node103.yinzhengjie.org.cn
172.30.1.105 node105.yinzhengjie.org.cn
172.30.1.110 node110.yinzhengjie.org.cn
[root@node110 ~]# 
[root@node110 ~]# 
[root@node110 ~]# mysql -h node105.yinzhengjie.org.cn -ujason -pyinzhengjie
mysql: [Warning] Using a password on the command line interface can be insecure.
Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 21
Server version: 8.0.14 MySQL Community Server - GPL

Copyright (c) 2000, 2019, Oracle and/or its affiliates. All rights reserved.

Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

mysql> show databases;
+--------------------+
| Database           |
+--------------------+
| information_schema |
| yinzhengjie        |
+--------------------+
2 rows in set (0.00 sec)

mysql> use yinzhengjie;
Database changed
mysql> 
mysql> SELECT database();
+-------------+
| database()  |
+-------------+
| yinzhengjie |
+-------------+
1 row in set (0.00 sec)

mysql> show tables;
Empty set (0.00 sec)

mysql> quit
Bye
[root@node110 ~]# 
[root@node110 ~]# 
Access the database server (node105.yinzhengjie.org.cn) from the client (node110.yinzhengjie.org.cn): the user sees only the database it was granted ([root@node110 ~]# mysql -h node105.yinzhengjie.org.cn -ujason -pyinzhengjie)

5>. Revoking a MySQL user's privileges

mysql> SHOW GRANTS FOR 'jason'@'node110.yinzhengjie.org.cn';
+---------------------------------------------------------------------------------------------------+
| Grants for jason@node110.yinzhengjie.org.cn                                                       |
+---------------------------------------------------------------------------------------------------+
| GRANT USAGE ON *.* TO `jason`@`node110.yinzhengjie.org.cn`                                        |
| GRANT ALL PRIVILEGES ON `yinzhengjie`.* TO `jason`@`node110.yinzhengjie.org.cn` WITH GRANT OPTION |
+---------------------------------------------------------------------------------------------------+
2 rows in set (0.00 sec)

mysql> 
mysql> REVOKE SELECT,UPDATE,DELETE ON yinzhengjie.* FROM 'jason'@'node110.yinzhengjie.org.cn';
Query OK, 0 rows affected (0.00 sec)

mysql> SHOW GRANTS FOR 'jason'@'node110.yinzhengjie.org.cn';                                  
+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| Grants for jason@node110.yinzhengjie.org.cn                                                                                                                                                                                                             |
+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| GRANT USAGE ON *.* TO `jason`@`node110.yinzhengjie.org.cn`                                                                                                                                                                                              |
| GRANT INSERT, CREATE, DROP, REFERENCES, INDEX, ALTER, CREATE TEMPORARY TABLES, LOCK TABLES, EXECUTE, CREATE VIEW, SHOW VIEW, CREATE ROUTINE, ALTER ROUTINE, EVENT, TRIGGER ON `yinzhengjie`.* TO `jason`@`node110.yinzhengjie.org.cn` WITH GRANT OPTION |
+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
2 rows in set (0.00 sec)

mysql> 
Revoke privileges with REVOKE; the remaining grant lists everything ALL PRIVILEGES had expanded to, minus the three revoked (mysql> REVOKE SELECT,UPDATE,DELETE ON yinzhengjie.* FROM 'jason'@'node110.yinzhengjie.org.cn';)
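The GRANT ALL PRIVILEGES ... WITH GRANT OPTION used for jason above is the broadest database-level grant MySQL offers; the REVOKE output shows how much it silently expanded to. For an application account the usual practice is the reverse: grant only the statements the application issues, scope them to one database, and leave out GRANT OPTION. The SQL below is an added example (written for this edit, not from the original post); it assumes MySQL 8.0 and a session holding GRANT OPTION on the business database, and uses a constructed database demo_app, constructed account names and a constructed 10.0.0.% network:

```sql
-- Added example, not from the original post. Assumes MySQL 8.0 and a session
-- with CREATE USER and GRANT OPTION on the business database. demo_app, the
-- orders table, the accounts and the 10.0.0.% network are constructed.
CREATE DATABASE IF NOT EXISTS demo_app;
CREATE TABLE IF NOT EXISTS demo_app.orders (
  id     INT PRIMARY KEY,
  amount DECIMAL(10,2) NOT NULL
);

-- A scoped application account: only the DML and EXECUTE it needs, limited to
-- one database, and no WITH GRANT OPTION, so it cannot pass privileges on.
CREATE USER 'orders_app'@'10.0.0.%' IDENTIFIED BY 'Example#Pass1';
GRANT SELECT, INSERT, UPDATE, DELETE, CREATE TEMPORARY TABLES, EXECUTE
   ON demo_app.* TO 'orders_app'@'10.0.0.%';

-- A column-level restriction for a reporting account. This is the case the
-- post's columns_priv table exists for: the account can read amount but not id.
CREATE USER 'report_ro'@'10.0.0.%' IDENTIFIED BY 'Example#Pass2';
GRANT SELECT (amount) ON demo_app.orders TO 'report_ro'@'10.0.0.%';

SHOW GRANTS FOR 'orders_app'@'10.0.0.%';
SHOW GRANTS FOR 'report_ro'@'10.0.0.%';

-- Verify where each privilege was recorded: the database-level grant lands in
-- mysql.db, the column-level grant in mysql.columns_priv.
SELECT User, Host, Db, Select_priv, Insert_priv, Delete_priv, Grant_priv
  FROM mysql.db WHERE Db = 'demo_app';
SELECT User, Host, Db, Table_name, Column_name, Column_priv
  FROM mysql.columns_priv WHERE Db = 'demo_app';

-- Later the application no longer deletes rows: revoke that single privilege
-- and confirm the remaining set, as the post does for jason.
REVOKE DELETE ON demo_app.* FROM 'orders_app'@'10.0.0.%';
SHOW GRANTS FOR 'orders_app'@'10.0.0.%';

-- Clean up the constructed objects.
DROP USER 'orders_app'@'10.0.0.%', 'report_ro'@'10.0.0.%';
DROP TABLE demo_app.orders;
DROP DATABASE demo_app;
```

Because the grants are enumerated rather than ALL PRIVILEGES, the SHOW GRANTS output doubles as documentation of what the application is allowed to do, and a later REVOKE removes exactly one named statement type instead of having to subtract from an expanded list.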

6>. Deleting a MySQL user

mysql> 
mysql> SELECT User,Host from mysql.user;
+------------------+----------------------------+
| User             | Host                       |
+------------------+----------------------------+
| mysql.infoschema | localhost                  |
| mysql.session    | localhost                  |
| mysql.sys        | localhost                  |
| root             | localhost                  |
| jason            | node110.yinzhengjie.org.cn |
+------------------+----------------------------+
5 rows in set (0.00 sec)

mysql> 
mysql> DROP USER jason@node110.yinzhengjie.org.cn;
Query OK, 0 rows affected (0.00 sec)

mysql> 
mysql> SELECT User,Host from mysql.user;
+------------------+-----------+
| User             | Host      |
+------------------+-----------+
| mysql.infoschema | localhost |
| mysql.session    | localhost |
| mysql.sys        | localhost |
| root             | localhost |
+------------------+-----------+
4 rows in set (0.00 sec)

mysql> 
Delete a MySQL user with DROP USER (mysql> DROP USER jason@node110.yinzhengjie.org.cn;)

7>. Setting per-user resource limits

    • The global variable max_user_connections limits the number of simultaneous connections to the MySQL instance, but it cannot treat individual users differently, so MySQL also provides per-user resource limits
    • MAX_QUERIES_PER_HOUR: the number of queries a user may execute per hour (this covers essentially all statements)
    • MAX_UPDATES_PER_HOUR: the number of updates a user may execute per hour (only statements that modify a database or table)
    • MAX_CONNECTIONS_PER_HOUR: the number of times a user may connect to MySQL per hour
    • MAX_USER_CONNECTIONS: the number of simultaneous connections a user may hold. Note that when MAX_USER_CONNECTIONS is non-zero for a user, the global system variable max_user_connections is ignored for that user; otherwise the global setting applies
    • Since version 5.0.3, a resource limit on the account 'user'@'%.example.com' applies to all connections for user from hosts in the example.com domain taken together, not separately to connections from host1.example.com and from host2.example.com
mysql> SELECT User,Host from mysql.user;
+------------------+-----------+
| User             | Host      |
+------------------+-----------+
| mysql.infoschema | localhost |
| mysql.session    | localhost |
| mysql.sys        | localhost |
| root             | localhost |
+------------------+-----------+
4 rows in set (0.00 sec)

mysql> 
mysql> CREATE USER 'jason'@'node110.yinzhengjie.org.cn' IDENTIFIED BY 'yinzhengjie'
    -> WITH MAX_QUERIES_PER_HOUR 20
    -> MAX_UPDATES_PER_HOUR 5
    -> MAX_CONNECTIONS_PER_HOUR 3
    -> MAX_USER_CONNECTIONS 2;
Query OK, 0 rows affected (0.00 sec)

mysql> 
mysql> SELECT User,Host from mysql.user;
+------------------+----------------------------+
| User             | Host                       |
+------------------+----------------------------+
| mysql.infoschema | localhost                  |
| mysql.session    | localhost                  |
| mysql.sys        | localhost                  |
| root             | localhost                  |
| jason            | node110.yinzhengjie.org.cn |
+------------------+----------------------------+
5 rows in set (0.00 sec)

mysql> 
Specify resource limits when creating the user (mysql> CREATE USER 'jason'@'node110.yinzhengjie.org.cn' IDENTIFIED BY 'yinzhengjie' WITH MAX_QUERIES_PER_HOUR 20 MAX_UPDATES_PER_HOUR 5 MAX_CONNECTIONS_PER_HOUR 3 MAX_USER_CONNECTIONS 2;)
mysql> ALTER USER jason@node110.yinzhengjie.org.cn WITH MAX_USER_CONNECTIONS 5;
Query OK, 0 rows affected (0.01 sec)

mysql> 
Apply a resource limit to an existing user (mysql> ALTER USER jason@node110.yinzhengjie.org.cn WITH MAX_USER_CONNECTIONS 5;)
mysql> ALTER USER jason@node110.yinzhengjie.org.cn WITH MAX_USER_CONNECTIONS 0;
Query OK, 0 rows affected (0.01 sec)

mysql> 
To remove a resource limit, set its value back to 0 (mysql> ALTER USER jason@node110.yinzhengjie.org.cn WITH MAX_USER_CONNECTIONS 0;)
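Resource limits are a cheap way to contain a leaked application credential or a runaway client: even a valid password cannot open unlimited connections or flood the server with writes. The SQL below is an added example (written for this edit, not from the original post); it assumes MySQL 8.0 and a session with CREATE USER and SELECT on mysql.user, and uses constructed account names and a constructed 10.0.0.% network:

```sql
-- Added example, not from the original post. Assumes MySQL 8.0 and a session
-- with CREATE USER and SELECT on mysql.user. Accounts and the 10.0.0.% network
-- are constructed; the numeric limits are illustrative.

-- A batch job that should never hold more than 2 connections and is capped on
-- writes per hour; a dashboard account capped on reads and on reconnects.
CREATE USER 'batch'@'10.0.0.%' IDENTIFIED BY 'Example#Pass1'
  WITH MAX_UPDATES_PER_HOUR 500 MAX_USER_CONNECTIONS 2;
CREATE USER 'dash'@'10.0.0.%'  IDENTIFIED BY 'Example#Pass2'
  WITH MAX_QUERIES_PER_HOUR 2000 MAX_CONNECTIONS_PER_HOUR 60;

-- The limits are stored in mysql.user. A value of 0 means "no per-user limit";
-- for the simultaneous-connection cap that means the global
-- max_user_connections applies instead, as the post notes.
SELECT User, Host,
       max_questions        AS queries_per_hour,
       max_updates          AS updates_per_hour,
       max_connections      AS connections_per_hour,
       max_user_connections AS simultaneous_connections
  FROM mysql.user
 WHERE User IN ('batch', 'dash')
 ORDER BY User;

-- Tighten or relax later with ALTER USER; setting a value back to 0 removes it.
ALTER USER 'batch'@'10.0.0.%' WITH MAX_USER_CONNECTIONS 4;
ALTER USER 'dash'@'10.0.0.%'  WITH MAX_CONNECTIONS_PER_HOUR 0;

-- The per-hour counters live in memory. FLUSH USER_RESOURCES resets them to
-- zero without reloading the grant tables (FLUSH PRIVILEGES resets them too).
FLUSH USER_RESOURCES;

-- Clean up the constructed accounts.
DROP USER 'batch'@'10.0.0.%', 'dash'@'10.0.0.%';
```

A client that exceeds one of these limits gets an error on the offending connection or statement rather than a silent slowdown, which makes the limit visible in the application's own logs as well as on the server.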

8>. Setting a MySQL user's password

mysql> SELECT User,Host from mysql.user;
+------------------+----------------------------+
| User             | Host                       |
+------------------+----------------------------+
| mysql.infoschema | localhost                  |
| mysql.session    | localhost                  |
| mysql.sys        | localhost                  |
| root             | localhost                  |
| jason            | node110.yinzhengjie.org.cn |
+------------------+----------------------------+
5 rows in set (0.00 sec)

mysql> 
mysql> CREATE USER 'yinzhengjie'@'node110.yinzhengjie.org.cn' IDENTIFIED BY 'yinzhengjie';
Query OK, 0 rows affected (0.00 sec)

mysql> 
mysql> SELECT User,Host from mysql.user;
+------------------+----------------------------+
| User             | Host                       |
+------------------+----------------------------+
| mysql.infoschema | localhost                  |
| mysql.session    | localhost                  |
| mysql.sys        | localhost                  |
| root             | localhost                  |
| jason            | node110.yinzhengjie.org.cn |
| yinzhengjie      | node110.yinzhengjie.org.cn |
+------------------+----------------------------+
6 rows in set (0.00 sec)

mysql> 
Method 1: create the user together with its password using CREATE USER (mysql> CREATE USER 'yinzhengjie'@'node110.yinzhengjie.org.cn' IDENTIFIED BY 'yinzhengjie';)
mysql> ALTER USER jason@node110.yinzhengjie.org.cn IDENTIFIED BY 'yinzhengjie2019';
Query OK, 0 rows affected (0.01 sec)

mysql> 
Method 2: change the password of an existing MySQL user (mysql> ALTER USER jason@node110.yinzhengjie.org.cn IDENTIFIED BY 'yinzhengjie2019';)
mysql> SELECT USER();
+----------------+
| USER()         |
+----------------+
| root@localhost |
+----------------+
1 row in set (0.00 sec)

mysql> 
mysql> ALTER USER USER() IDENTIFIED BY 'yinzhengjie';
Query OK, 0 rows affected (0.01 sec)

mysql> 
Method 3: change the password of the currently logged-in user (mysql> ALTER USER USER() IDENTIFIED BY 'yinzhengjie';)

  Note: from MySQL 8.0 onward, a statement of the form SET PASSWORD FOR jason@node110.yinzhengjie.org.cn = PASSWORD('yinzhengjie'); is no longer accepted for changing a password, so those coming from MySQL 5.7 should take note. Changing the password with mysqladmin is another option, but I do not recommend it; do not forget that Linux has a history feature!

9>. Setting a password expiry policy for MySQL users

  The system variable default_password_lifetime applies to all user accounts:
    • default_password_lifetime=180 makes passwords expire after 180 days

    • default_password_lifetime=0 makes passwords never expire

  A password expiry policy set on an individual user overrides the system variable above:

ALTER USER 'jason'@'node101.yinzhengjie.org.cn' PASSWORD EXPIRE INTERVAL 90 DAY;
ALTER USER 'jason'@'node102.yinzhengjie.org.cn' PASSWORD EXPIRE NEVER;        -- password never expires
ALTER USER 'jason'@'node103.yinzhengjie.org.cn' PASSWORD EXPIRE DEFAULT;      -- use the default policy

  Manually force a user's password to expire:

    • ALTER USER 'jason'@'node105.yinzhengjie.org.cn' PASSWORD EXPIRE;

10>. Locking MySQL users

mysql> CREATE USER yzj@node110.yinzhengjie.org.cn IDENTIFIED BY 'yinzhengjie' ACCOUNT LOCK;
Query OK, 0 rows affected (0.01 sec)

mysql> 
A user created with CREATE USER is unlocked by default; adding ACCOUNT LOCK creates it locked (mysql> CREATE USER yzj@node110.yinzhengjie.org.cn IDENTIFIED BY 'yinzhengjie' ACCOUNT LOCK;)
mysql> SELECT User,Host from mysql.user;
+------------------+----------------------------+
| User             | Host                       |
+------------------+----------------------------+
| mysql.infoschema | localhost                  |
| mysql.session    | localhost                  |
| mysql.sys        | localhost                  |
| root             | localhost                  |
| jason            | node110.yinzhengjie.org.cn |
| yinzhengjie      | node110.yinzhengjie.org.cn |
| yzj              | node110.yinzhengjie.org.cn |
+------------------+----------------------------+
7 rows in set (0.00 sec)

mysql> 
mysql> ALTER USER yinzhengjie@node110.yinzhengjie.org.cn ACCOUNT LOCK;
Query OK, 0 rows affected (0.01 sec)

mysql> 
Lock an existing MySQL user with ALTER USER (mysql> ALTER USER yinzhengjie@node110.yinzhengjie.org.cn ACCOUNT LOCK;)

  A user that is locked at creation time cannot log in to the MySQL server; the connection attempt reports that the account is locked, as shown below:

[root@node110 ~]#  mysql -h node105.yinzhengjie.org.cn -uyzj -pyinzhengjie  
mysql: [Warning] Using a password on the command line interface can be insecure.
ERROR 3118 (HY000): Access denied for user 'yzj'@'node110.yinzhengjie.org.cn'. Account is locked.
[root@node110 ~]# 
[root@node110 ~]# 

  If a locked MySQL user later needs to be unlocked, that is simple too:

mysql> ALTER USER yinzhengjie@node110.yinzhengjie.org.cn ACCOUNT UNLOCK;
Query OK, 0 rows affected (0.00 sec)

mysql> 
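Password expiry and account locking from the last two sections are the two controls an administrator reaches for during the lifecycle of an account: a leaver is locked rather than dropped so the grants and history survive, a suspected leak is answered with a forced password change, and a pre-provisioned account stays locked until its access request is approved. The SQL below is an added example (written for this edit, not from the original post); it assumes MySQL 8.0 and a session with CREATE USER, SELECT on mysql.user and the right to set global variables, and uses constructed account names and a constructed 10.0.0.% network:

```sql
-- Added example, not from the original post. Assumes MySQL 8.0 and a session
-- with CREATE USER, SELECT on mysql.user and SYSTEM_VARIABLES_ADMIN. Accounts
-- and the 10.0.0.% network are constructed.

-- Instance-wide default: passwords expire after 90 days (0 would mean never).
-- SET GLOBAL lasts until restart; use SET PERSIST or my.cnf to keep it.
SET GLOBAL default_password_lifetime = 90;

-- Three accounts with three different policies.
CREATE USER 'svc_etl'@'10.0.0.%'    IDENTIFIED BY 'Example#Pass1' PASSWORD EXPIRE NEVER;            -- rotated by tooling
CREATE USER 'alice'@'10.0.0.%'      IDENTIFIED BY 'Example#Pass2' PASSWORD EXPIRE INTERVAL 30 DAY;  -- stricter than default
CREATE USER 'contractor'@'10.0.0.%' IDENTIFIED BY 'Example#Pass3' ACCOUNT LOCK;                     -- provisioned now, enabled later

-- Lifecycle events.
ALTER USER 'alice'@'10.0.0.%' ACCOUNT LOCK;          -- alice leaves: lock, do not drop
ALTER USER 'svc_etl'@'10.0.0.%' PASSWORD EXPIRE;     -- suspected leak: new password required at next login
ALTER USER 'contractor'@'10.0.0.%' ACCOUNT UNLOCK;   -- access request approved

-- Account-state audit straight from the post's user table. password_lifetime
-- is NULL for PASSWORD EXPIRE DEFAULT, which means "use default_password_lifetime".
SELECT User, Host,
       account_locked,
       password_expired,
       IFNULL(password_lifetime, @@default_password_lifetime) AS effective_lifetime_days,
       password_last_changed,
       plugin
  FROM mysql.user
 WHERE User IN ('svc_etl', 'alice', 'contractor')
 ORDER BY User;

-- Clean up the constructed accounts.
DROP USER 'svc_etl'@'10.0.0.%', 'alice'@'10.0.0.%', 'contractor'@'10.0.0.%';
```

The same columns appear in the SHOW CREATE USER output the post shows for root@localhost; the query form is handy when you need the state of every account at once rather than one account at a time.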

11>. Typical MySQL users in enterprise use

  MySQL users are normally created by the DBA in a coordinated way and only as needed;

  DBAs usually manage the database directly as the root user;

  Typically an account with select, insert, update and delete, temporary table and stored procedure execution privileges on the specified business database is created for the application to connect with;

  Typically a read-only account on the specified business database is also created for particular applications or senior staff to query data, so that the data cannot be modified;

  MySQL 8.0 introduced the concept of roles; the SQL is as follows:

mysql> CREATE ROLE app_readonly;                                    #create a role (group) named app_readonly
Query OK, 0 rows affected (0.03 sec)

mysql> 
mysql> GRANT SELECT ON *.* TO app_readonly;                              #grant the new role read-only privileges
Query OK, 0 rows affected (0.00 sec)

mysql> 
mysql> CREATE USER apache@node105.yinzhengjie.org.cn IDENTIFIED BY 'yinzhengjie';        #create a user
Query OK, 0 rows affected (0.00 sec)

mysql> 
mysql> CREATE USER nginx@node105.yinzhengjie.org.cn IDENTIFIED BY 'yinzhengjie';
Query OK, 0 rows affected (0.00 sec)

mysql> 
mysql> GRANT app_readonly TO  apache@node105.yinzhengjie.org.cn ;                  #grant the role's privileges to the specified user
Query OK, 0 rows affected (0.00 sec)

mysql> 
mysql> GRANT app_readonly TO   nginx@node105.yinzhengjie.org.cn ;
Query OK, 0 rows affected (0.00 sec)

mysql> 
mysql> 
mysql> CREATE ROLE app_readwrite;
Query OK, 0 rows affected (0.00 sec)

mysql> 
mysql> GRANT SELECT,INSERT,DELETE,UPDATE ON *.* TO app_readwrite;
Query OK, 0 rows affected (0.00 sec)

mysql> 
mysql> 
mysql> CREATE USER django@node105.yinzhengjie.org.cn IDENTIFIED BY 'yinzhengjie';
Query OK, 0 rows affected (0.01 sec)

mysql> 
mysql> CREATE USER vue@node105.yinzhengjie.org.cn IDENTIFIED BY 'yinzhengjie';
Query OK, 0 rows affected (0.01 sec)

mysql> 
mysql> GRANT app_readwrite TO django@node105.yinzhengjie.org.cn;
Query OK, 0 rows affected (0.00 sec)

mysql> 
mysql> GRANT app_readwrite TO vue@node105.yinzhengjie.org.cn;
Query OK, 0 rows affected (0.00 sec)

mysql> 
mysql> SHOW GRANTS FOR django@node105.yinzhengjie.org.cn;
+--------------------------------------------------------------------+
| Grants for django@node105.yinzhengjie.org.cn                       |
+--------------------------------------------------------------------+
| GRANT USAGE ON *.* TO `django`@`node105.yinzhengjie.org.cn`        |
| GRANT `app_readwrite`@`%` TO `django`@`node105.yinzhengjie.org.cn` |
+--------------------------------------------------------------------+
2 rows in set (0.00 sec)

mysql> 
mysql> SHOW GRANTS FOR django@node105.yinzhengjie.org.cn USING app_readwrite;            #with USING followed by the role name the detailed privileges are listed, a sharp contrast with the plain SHOW GRANTS output above
+--------------------------------------------------------------------------------------+
| Grants for django@node105.yinzhengjie.org.cn                                         |
+--------------------------------------------------------------------------------------+
| GRANT SELECT, INSERT, UPDATE, DELETE ON *.* TO `django`@`node105.yinzhengjie.org.cn` |
| GRANT `app_readwrite`@`%` TO `django`@`node105.yinzhengjie.org.cn`                   |
+--------------------------------------------------------------------------------------+
2 rows in set (0.00 sec)

mysql> 
mysql> REVOKE app_readwrite FROM django@node105.yinzhengjie.org.cn;                  #the role can be revoked again
Query OK, 0 rows affected (0.00 sec)

mysql> 
mysql> SHOW GRANTS FOR django@node105.yinzhengjie.org.cn;                        #several roles can of course also be granted to the same user
+-------------------------------------------------------------+
| Grants for django@node105.yinzhengjie.org.cn                |
+-------------------------------------------------------------+
| GRANT USAGE ON *.* TO `django`@`node105.yinzhengjie.org.cn` |
+-------------------------------------------------------------+
1 row in set (0.00 sec)

mysql>
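Two things are worth adding to the role walkthrough above. First, the roles were granted SELECT and DML ON *.*, which also exposes the mysql and performance_schema schemas to every read-only user; scoping the role to the business database keeps the read-only promise. Second, in MySQL 8.0 a role that has been granted is not active when the user logs in until it is made a default role (or activate_all_roles_on_login is ON), so a user set up exactly as above would connect and find only USAGE. The SQL below is an added example (written for this edit, not from the original post); it assumes MySQL 8.0 and a session with CREATE ROLE, CREATE USER and GRANT OPTION on the business database, and uses a constructed database demo_app, constructed account names and a constructed 10.0.0.% network:

```sql
-- Added example, not from the original post. Assumes MySQL 8.0 (roles) and a
-- session with CREATE ROLE, CREATE USER and GRANT OPTION on the business
-- database. demo_app, the accounts and the 10.0.0.% network are constructed.
CREATE DATABASE IF NOT EXISTS demo_app;

-- Scope the roles to the business database rather than *.*.
CREATE ROLE 'app_readonly', 'app_readwrite';
GRANT SELECT ON demo_app.* TO 'app_readonly';
GRANT SELECT, INSERT, UPDATE, DELETE ON demo_app.* TO 'app_readwrite';

CREATE USER 'nginx'@'10.0.0.%'  IDENTIFIED BY 'Example#Pass1';
CREATE USER 'django'@'10.0.0.%' IDENTIFIED BY 'Example#Pass2';
GRANT 'app_readonly'  TO 'nginx'@'10.0.0.%';
GRANT 'app_readwrite' TO 'django'@'10.0.0.%';

-- Without this step the granted role stays inactive at login and the user
-- effectively has only USAGE. Making it the default role activates it.
SET DEFAULT ROLE 'app_readonly'  TO 'nginx'@'10.0.0.%';
SET DEFAULT ROLE 'app_readwrite' TO 'django'@'10.0.0.%';

-- Effective privileges with the role expanded, as the post shows with USING.
SHOW GRANTS FOR 'django'@'10.0.0.%' USING 'app_readwrite';

-- Role membership and default roles are recorded in two mysql tables, which
-- is where an audit of "who can write to demo_app" should look.
SELECT FROM_USER AS role, TO_USER AS user, TO_HOST AS host, WITH_ADMIN_OPTION
  FROM mysql.role_edges;
SELECT USER, HOST, DEFAULT_ROLE_USER
  FROM mysql.default_roles;

-- Offboarding an application: revoking the role removes its access in one
-- statement, without touching the role's own grants.
REVOKE 'app_readwrite' FROM 'django'@'10.0.0.%';

-- Clean up the constructed objects.
DROP USER 'nginx'@'10.0.0.%', 'django'@'10.0.0.%';
DROP ROLE 'app_readonly', 'app_readwrite';
DROP DATABASE demo_app;
```

Because privileges are attached to the role and not to the user, changing what "read-write application" means later is a single GRANT or REVOKE on the role, and every application account that carries it follows automatically.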

12>. Setting MySQL user passwords in enterprise use

    • Production systems have strict rules for MySQL user passwords, usually with complexity and length requirements

    • Online password generators can produce random passwords that satisfy such requirements

    • http://suijimimashengcheng.51240.com/
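Whatever generates the password, the complexity and length rules in the first bullet are best enforced by the server itself, so that a weak value is rejected no matter who types the CREATE USER or ALTER USER statement. MySQL 8.0 ships this as the validate_password component. The SQL below is an added example (written for this edit, not from the original post); it assumes MySQL 8.0 and a session allowed to install components and set global variables, and the thresholds are constructed values to be replaced by the organisation's own policy:

```sql
-- Added example, not from the original post. Assumes MySQL 8.0 and a session
-- with the privileges to install components and set global variables. The
-- thresholds are constructed; adjust them to the organisation's policy.

-- Load the component once per server (it stays installed across restarts).
INSTALL COMPONENT 'file://component_validate_password';

-- Policy: STRONG = length + mixed case + digits + special characters + dictionary check.
SET GLOBAL validate_password.policy             = 'STRONG';   -- LOW / MEDIUM / STRONG
SET GLOBAL validate_password.length             = 14;
SET GLOBAL validate_password.mixed_case_count   = 1;
SET GLOBAL validate_password.number_count       = 1;
SET GLOBAL validate_password.special_char_count = 1;
SET GLOBAL validate_password.check_user_name    = ON;         -- reject a password equal to the user name

SHOW VARIABLES LIKE 'validate_password.%';

-- Score candidates before using them: 0..100, where 100 means every check passed.
SELECT VALIDATE_PASSWORD_STRENGTH('yinzhengjie')      AS weak_score,
       VALIDATE_PASSWORD_STRENGTH('Rq7#veL2!pZm4wXs') AS strong_score;

-- With the policy active this statement is refused with
-- ERROR 1819 (HY000): Your password does not satisfy the current policy requirements
CREATE USER 'demo'@'localhost' IDENTIFIED BY 'yinzhengjie';
```

The check applies to every password-setting statement on the server, including the CREATE USER, ALTER USER and ALTER USER USER() forms the post demonstrates, so the password rules from the enterprise standard no longer depend on each administrator remembering them.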

 

