View the current user
SELECT CURRENT_USER();
CREATE USER syntax
CREATE USER [IF NOT EXISTS]
    user [auth_option] [, user [auth_option]] ...
    [DEFAULT ROLE role [, role ] ...]
    [REQUIRE {NONE | tls_option [[AND] tls_option] ...}]
    [WITH resource_option [resource_option] ...]
    [password_option | lock_option] ...

user:
    (see Section 6.2.4, "Specifying Account Names")

auth_option: {
    IDENTIFIED BY 'auth_string'
  | IDENTIFIED WITH auth_plugin
  | IDENTIFIED WITH auth_plugin BY 'auth_string'
  | IDENTIFIED WITH auth_plugin AS 'hash_string'
}

tls_option: {
    SSL
  | X509
  | CIPHER 'cipher'
  | ISSUER 'issuer'
  | SUBJECT 'subject'
}

resource_option: {
    MAX_QUERIES_PER_HOUR count
  | MAX_UPDATES_PER_HOUR count
  | MAX_CONNECTIONS_PER_HOUR count
  | MAX_USER_CONNECTIONS count
}

password_option: {
    PASSWORD EXPIRE [DEFAULT | NEVER | INTERVAL N DAY]
  | PASSWORD HISTORY {DEFAULT | N}
  | PASSWORD REUSE INTERVAL {DEFAULT | N DAY}
  | PASSWORD REQUIRE CURRENT [DEFAULT | OPTIONAL]
}

lock_option: {
    ACCOUNT LOCK
  | ACCOUNT UNLOCK
}
user is the account name, written as 'user_name'@'host_name'. The host part may be '%' to accept connections from any address; such an account is reachable from wherever the server port is, so for service accounts prefer a specific host or subnet.
auth_option is the authentication method: a password and, optionally, the authentication plugin (mysql_native_password, sha256_password, caching_sha2_password). caching_sha2_password is the default in MySQL 8.0; mysql_native_password is deprecated as of 8.0.34 and should be kept only for legacy clients that cannot do better.
tls_option sets the encrypted-connection requirements for the account.
resource_option sets per-account resource limits, such as the maximum number of connections per hour.
password_option adds password controls, such as an expiry interval.
lock_option locks or unlocks the account; it is set by an administrator (ACCOUNT LOCK | ACCOUNT UNLOCK).
The simplest form is an account name plus a password:
CREATE USER 'jeffrey'@'localhost' IDENTIFIED BY 'password';
With an authentication plugin:
CREATE USER 'jeffrey'@'localhost' IDENTIFIED WITH sha256_password BY 'password';
Mark the password as expired so the user must change it on first login:
CREATE USER 'jeffrey'@'localhost' IDENTIFIED BY 'new_password' PASSWORD EXPIRE;
Or require a new password at a fixed interval:
CREATE USER 'jeffrey'@'localhost' IDENTIFIED BY 'new_password' PASSWORD EXPIRE INTERVAL 180 DAY;
Encrypted-connection requirements can be specified. REQUIRE SSL only forces encryption and says nothing about who the client is; X509, ISSUER and SUBJECT additionally require the client to present a valid certificate, and several tls_options can be combined with AND:
-- No encryption requirement (TLS is still used if client and server negotiate it)
CREATE USER 'jeffrey'@'localhost' REQUIRE NONE;
-- Require an encrypted connection
CREATE USER 'jeffrey'@'localhost' REQUIRE SSL;
-- Require an encrypted connection and a valid client certificate
CREATE USER 'jeffrey'@'localhost' REQUIRE X509;
-- Require a valid X.509 client certificate issued by the given CA (issuer DN)
CREATE USER 'jeffrey'@'localhost' REQUIRE ISSUER 'issuer DN of the CA';
-- Require a valid X.509 client certificate with the given subject DN
CREATE USER 'jeffrey'@'localhost' REQUIRE SUBJECT 'subject DN of the certificate';
-- Require a specific cipher suite
CREATE USER 'jeffrey'@'localhost' REQUIRE CIPHER 'cipher name';
Resource limits can be specified:
-- Per hour: up to 500 queries and 100 updates; hourly connection count and concurrent connections unlimited (0 means no limit)
CREATE USER 'jeffrey'@'localhost'
    WITH MAX_QUERIES_PER_HOUR 500
         MAX_UPDATES_PER_HOUR 100
         MAX_CONNECTIONS_PER_HOUR 0
         MAX_USER_CONNECTIONS 0;
The account can be locked:
-- Lock
CREATE USER 'jeffrey'@'localhost' ACCOUNT LOCK;
-- Unlock
ALTER USER 'jeffrey'@'localhost' ACCOUNT UNLOCK;
Putting the options together, a full command looks roughly like this (the resource options can be combined after a single WITH):
CREATE USER 'user_name'@'host_name'
    IDENTIFIED [WITH auth_plugin] BY 'auth_string'
    [REQUIRE {NONE | SSL | X509 | ...}]
    [WITH MAX_QUERIES_PER_HOUR count MAX_UPDATES_PER_HOUR count MAX_CONNECTIONS_PER_HOUR count MAX_USER_CONNECTIONS count]
    [PASSWORD EXPIRE]
    [ACCOUNT LOCK]
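The following is an added example, not code from the original page: it combines the options above into one hardened service account (pinned client certificate, connection caps, rotation policy) and then checks what the server stored. The account name, subnet, distinguished names and password are placeholders; FAILED_LOGIN_ATTEMPTS / PASSWORD_LOCK_TIME are not in the grammar shown above and need MySQL 8.0.19 or later.

```sql
-- Added example, not from the original page. Account name, subnet, DNs and the
-- password are placeholders; substitute your own values.
CREATE USER IF NOT EXISTS 'app_svc'@'10.20.0.%'
    IDENTIFIED WITH caching_sha2_password BY 'replace-with-a-generated-secret'
    -- encryption AND a client certificate with this subject, signed by this CA
    REQUIRE SUBJECT '/C=US/O=Example Corp/CN=app-svc-client'
        AND ISSUER  '/C=US/O=Example Corp/CN=Example Internal CA'
    -- cap the blast radius of a leaked credential (0 would mean unlimited)
    WITH MAX_USER_CONNECTIONS 20
         MAX_CONNECTIONS_PER_HOUR 600
    -- rotation policy: new password every 90 days, last 5 cannot be reused
    PASSWORD EXPIRE INTERVAL 90 DAY
    PASSWORD HISTORY 5
    -- MySQL 8.0.19+: temporary lock for 1 day after 5 consecutive failed logins
    FAILED_LOGIN_ATTEMPTS 5 PASSWORD_LOCK_TIME 1;

-- Read back what the server actually stored for the account.
SHOW CREATE USER 'app_svc'@'10.20.0.%';

-- Audit the rest of the server for weaker accounts: any-host accounts,
-- accounts with no TLS requirement, and accounts on the deprecated plugin.
SELECT user, host, plugin, ssl_type, x509_issuer, x509_subject,
       account_locked, password_expired
  FROM mysql.user
 WHERE host = '%'
    OR ssl_type = ''
    OR plugin = 'mysql_native_password'
 ORDER BY user, host;

-- From a client session: confirm the connection really is encrypted
-- (an empty Ssl_cipher value means plaintext).
SHOW SESSION STATUS LIKE 'Ssl_cipher';
```

The per-account REQUIRE clause is a floor for that account only; the server-wide variable require_secure_transport=ON refuses unencrypted connections for every account, and the two are best used together. The audit query deliberately lists built-in accounts such as the mysql.* system accounts as well; they are host-restricted and locked by default, so they are expected in the output.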
To delete an account (note that DROP USER does not close the account's existing sessions: a dropped account that is still connected keeps working until that session ends, so when removing a compromised account also find and kill its connections with SHOW PROCESSLIST and KILL):
DROP USER 'jeffrey'@'localhost';
To rename an account:
RENAME USER 'jeffrey'@'localhost' TO 'jeff'@'127.0.0.1';
ALTER USER syntax
ALTER USER [IF EXISTS]
    user [auth_option] [, user [auth_option]] ...
    [REQUIRE {NONE | tls_option [[AND] tls_option] ...}]
    [WITH resource_option [resource_option] ...]
    [password_option | lock_option] ...

ALTER USER [IF EXISTS]
    USER() user_func_auth_option

ALTER USER [IF EXISTS]
    user DEFAULT ROLE
    {NONE | ALL | role [, role ] ...}

user:
    (see Section 6.2.4, "Specifying Account Names")

auth_option: {
    IDENTIFIED BY 'auth_string'
        [REPLACE 'current_auth_string']
        [RETAIN CURRENT PASSWORD]
  | IDENTIFIED WITH auth_plugin
  | IDENTIFIED WITH auth_plugin BY 'auth_string'
        [REPLACE 'current_auth_string']
        [RETAIN CURRENT PASSWORD]
  | IDENTIFIED WITH auth_plugin AS 'auth_string'
  | DISCARD OLD PASSWORD
}

user_func_auth_option: {
    IDENTIFIED BY 'auth_string'
        [REPLACE 'current_auth_string']
        [RETAIN CURRENT PASSWORD]
  | DISCARD OLD PASSWORD
}

tls_option: {
    SSL
  | X509
  | CIPHER 'cipher'
  | ISSUER 'issuer'
  | SUBJECT 'subject'
}

resource_option: {
    MAX_QUERIES_PER_HOUR count
  | MAX_UPDATES_PER_HOUR count
  | MAX_CONNECTIONS_PER_HOUR count
  | MAX_USER_CONNECTIONS count
}

password_option: {
    PASSWORD EXPIRE [DEFAULT | NEVER | INTERVAL N DAY]
  | PASSWORD HISTORY {DEFAULT | N}
  | PASSWORD REUSE INTERVAL {DEFAULT | N DAY}
  | PASSWORD REQUIRE CURRENT [DEFAULT | OPTIONAL]
}

lock_option: {
    ACCOUNT LOCK
  | ACCOUNT UNLOCK
}
The options are the same as for CREATE USER and are not explained again here.
Change your own password:
ALTER USER USER() IDENTIFIED BY 'new_password';
Change another account's password:
ALTER USER 'jeffrey'@'localhost' IDENTIFIED BY 'new_password';
Change the authentication plugin. Naming only the plugin clears the stored credential (the old hash belongs to the old plugin), so the account cannot authenticate with its previous password afterwards; in practice use the next form, which sets the plugin and a new password together:
ALTER USER 'jeffrey'@'localhost' IDENTIFIED WITH mysql_native_password;
Change the password and the plugin together:
ALTER USER 'jeffrey'@'localhost' IDENTIFIED WITH mysql_native_password BY 'new_password';
Change the default roles (the role must already have been granted to the account; DEFAULT ROLE only chooses which granted roles are active at login):
-- Set a custom role as default
ALTER USER 'jeffrey'@'localhost' DEFAULT ROLE your_role_name;
-- No default role
ALTER USER 'jeffrey'@'localhost' DEFAULT ROLE NONE;
-- All granted roles
ALTER USER 'jeffrey'@'localhost' DEFAULT ROLE ALL;
Change the encryption requirement:
-- Password only, no encrypted connection required
ALTER USER 'jeffrey'@'localhost' REQUIRE NONE;
-- Require an encrypted connection
ALTER USER 'jeffrey'@'localhost' REQUIRE SSL;
...
Change resource limits:
-- Per-hour maximum number of queries and updates
ALTER USER 'jeffrey'@'localhost'
    WITH MAX_QUERIES_PER_HOUR 500
         MAX_UPDATES_PER_HOUR 100;
Expire the password:
ALTER USER 'jeffrey'@'localhost' PASSWORD EXPIRE;
Lock or unlock:
ALTER USER 'jeffrey'@'localhost' ACCOUNT LOCK;
ALTER USER 'jeffrey'@'localhost' ACCOUNT UNLOCK;
Roles
-- Naming convention: 'role_name'@'host_name'
-- Usually only the name part is given; the host part is implicitly '%' and has no meaning for a role, since a role never connects
'admin'
Create roles:
-- Host omitted, defaults to '%'
CREATE ROLE 'admin', 'dev';
-- Also valid, but the host part has no effect
CREATE ROLE 'app'@'localhost';
Remove roles:
DROP ROLE 'admin', 'dev';
GRANT syntax
GRANT
    priv_type [(column_list)]
      [, priv_type [(column_list)]] ...
    ON [object_type] priv_level
    TO user_or_role [, user_or_role] ...
    [WITH GRANT OPTION]
    [AS user
        [WITH ROLE
            DEFAULT
          | NONE
          | ALL
          | ALL EXCEPT role [, role ] ...
          | role [, role ] ...
        ]
    ]

GRANT PROXY ON user_or_role
    TO user_or_role [, user_or_role] ...
    [WITH GRANT OPTION]

GRANT role [, role] ...
    TO user_or_role [, user_or_role] ...
    [WITH ADMIN OPTION]

object_type: {
    TABLE
  | FUNCTION
  | PROCEDURE
}

priv_level: {
    *
  | *.*
  | db_name.*
  | db_name.tbl_name
  | tbl_name
  | db_name.routine_name
}

user_or_role: {
    user
  | role
}

user:
    (see Section 6.2.4, "Specifying Account Names")

role:
    (see Section 6.2.5, "Specifying Role Names")
GRANT lets an administrator grant privileges or roles to an account, but a single GRANT statement cannot grant privileges and roles at the same time:
- With ON: grants privileges
- Without ON: grants roles
-- Grant all privileges on database db1 to an account
GRANT ALL ON db1.* TO 'jeffrey'@'localhost';
-- Grant roles to accounts
GRANT 'role1', 'role2' TO 'user1'@'localhost', 'user2'@'localhost';
-- Grant SELECT on database world to a role
GRANT SELECT ON world.* TO 'role3';
Basic syntax
GRANT [privileges] ON [db_name].[tbl_name] TO 'user_name'@'localhost' ...;
-- Grant on all databases
GRANT [privileges] ON *.* TO 'user_name'@'localhost' ...;
Note: global privileges are administrative or apply to every database on the server. To assign a global privilege, use ON *.*. Grant at the global level only the administrative privileges that have no narrower scope; data privileges such as SELECT or INSERT belong at database, table or column level.
Syntax
The list of privileges is as follows:
Examples by privilege scope
-- Database-level privileges
GRANT ALL ON mydb.* TO 'user_name'@'host_name';
-- Table-level privileges
GRANT ALL ON mydb.mytable TO 'user_name'@'host_name';
-- Column-level privileges
GRANT SELECT (col1), INSERT (col1, col2) ON mydb.mytable TO 'user_name'@'host_name';
-- Stored-routine privileges
GRANT CREATE ROUTINE ON mydb.* TO 'user_name'@'host_name';
GRANT EXECUTE ON PROCEDURE mydb.myproc TO 'user_name'@'host_name';
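The following is an added example, not code from the original page; it ties the role section and the GRANT examples together into one least-privilege setup and shows the pitfall that a granted role does nothing until it is activated. Role, schema and account names are placeholders. It also uses SHOW PRIVILEGES to print the server's own list of privilege names, which is the authoritative version of the privilege list referred to above.

```sql
-- Added example, not from the original page. Role, schema and account names
-- are placeholders.

-- The server's own list of privilege names and what each applies to.
SHOW PRIVILEGES;

-- Roles hold the privileges; accounts only receive roles.
CREATE ROLE IF NOT EXISTS 'app_ro', 'app_rw';
GRANT SELECT ON shop.* TO 'app_ro';
GRANT INSERT, UPDATE, DELETE ON shop.* TO 'app_rw';
GRANT 'app_ro' TO 'app_rw';   -- roles can be granted to roles: rw includes ro

-- Application account: read/write role, active at login.
CREATE USER IF NOT EXISTS 'svc'@'10.20.0.%' IDENTIFIED BY 'placeholder-secret';
GRANT 'app_rw' TO 'svc'@'10.20.0.%';
SET DEFAULT ROLE 'app_rw' TO 'svc'@'10.20.0.%';

-- Reporting account: granted the read-only role but WITHOUT a default role.
CREATE USER IF NOT EXISTS 'report'@'10.20.0.%' IDENTIFIED BY 'placeholder-secret';
GRANT 'app_ro' TO 'report'@'10.20.0.%';

-- What each account can do. Without USING, SHOW GRANTS lists only the direct
-- grants (USAGE plus the role name); with USING it expands the role's privileges.
SHOW GRANTS FOR 'svc'@'10.20.0.%';
SHOW GRANTS FOR 'svc'@'10.20.0.%' USING 'app_rw';

-- Pitfall: a granted role that is not active grants nothing. In a session
-- opened as 'report', CURRENT_ROLE() returns NONE and any SELECT on shop.*
-- is rejected with "command denied". Either activate it for the session ...
SET ROLE 'app_ro';
SELECT CURRENT_ROLE();
-- ... or fix it permanently for the account (run as the administrator):
SET DEFAULT ROLE 'app_ro' TO 'report'@'10.20.0.%';
```

If every role on the server is meant to be active at login, the server variable activate_all_roles_on_login=ON removes the need for per-account DEFAULT ROLE settings. Note that none of the grants above use WITH GRANT OPTION: an account that can hand out its own privileges can escalate a colleague or a compromised application to the same level, so reserve GRANT OPTION for administrators.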
Privileges changed with GRANT, REVOKE, CREATE USER and the other account-management statements take effect immediately; the server reloads the grant tables itself. FLUSH PRIVILEGES is only required when the grant tables in the mysql schema were modified directly with INSERT, UPDATE or DELETE (which is discouraged), and in that case it is what makes the change visible:
FLUSH PRIVILEGES;
FLUSH syntax (FLUSH can flush many things)
FLUSH [NO_WRITE_TO_BINLOG | LOCAL] {
    flush_option [, flush_option] ...
  | tables_option
}

flush_option: {
    BINARY LOGS
  | ENGINE LOGS
  | ERROR LOGS
  | GENERAL LOGS
  | HOSTS
  | LOGS
  | PRIVILEGES
  | OPTIMIZER_COSTS
  | RELAY LOGS [FOR CHANNEL channel]
  | SLOW LOGS
  | STATUS
  | USER_RESOURCES
}

tables_option: {
    TABLES
  | TABLES tbl_name [, tbl_name] ...
  | TABLES WITH READ LOCK
  | TABLES tbl_name [, tbl_name] ... WITH READ LOCK
  | TABLES tbl_name [, tbl_name] ... FOR EXPORT
}
For example, FLUSH PRIVILEGES performs the following operations:
1. Reloads the privileges from the grant tables in the mysql system schema and clears the in-memory cache used by the caching_sha2_password authentication plugin.
2. Reads the global_grants table, which holds dynamic privilege assignments, and registers any privileges found there that are not yet registered.
3. The server caches information in memory as a result of GRANT, CREATE USER, CREATE SERVER and INSTALL PLUGIN statements. The corresponding REVOKE, DROP USER, DROP SERVER and UNINSTALL PLUGIN statements do not release that memory, so on a server that executes many such statements memory use grows over time; FLUSH PRIVILEGES frees this cached memory.
FLUSH TABLES performs the following:
Closes all open tables, forces all tables in use to be closed, and flushes the prepared-statement cache.
REVOKE syntax
Since privileges can be granted, they can also be revoked.
REVOKE
    priv_type [(column_list)]
      [, priv_type [(column_list)]] ...
    ON [object_type] priv_level
    FROM user_or_role [, user_or_role] ...

REVOKE ALL [PRIVILEGES], GRANT OPTION
    FROM user_or_role [, user_or_role] ...

REVOKE PROXY ON user_or_role
    FROM user_or_role [, user_or_role] ...

REVOKE role [, role ] ...
    FROM user_or_role [, user_or_role ] ...

user_or_role: {
    user
  | role
}

user:
    (see Section 6.2.4, "Specifying Account Names")

role:
    (see Section 6.2.5, "Specifying Role Names")
REVOKE withdraws privileges or roles. To use it you must have the GRANT OPTION privilege and must yourself hold the privileges you are revoking (there is no separate "REVOKE privilege"):
-- Revoke the INSERT privilege from an account
REVOKE INSERT ON *.* FROM 'jeffrey'@'localhost';
-- Revoke roles from accounts
REVOKE 'role1', 'role2' FROM 'user1'@'localhost', 'user2'@'localhost';
-- Revoke the SELECT privilege from a role
REVOKE SELECT ON world.* FROM 'role3';
Revoke all privileges. This form removes privileges at every level together with the GRANT OPTION, but not granted roles, and it neither drops nor locks the account: the user can still connect with bare USAGE.
-- Revoke all privileges from an account or role
REVOKE ALL PRIVILEGES, GRANT OPTION FROM user_or_role [, user_or_role] ...
-- From an account
REVOKE ALL PRIVILEGES, GRANT OPTION FROM 'jeffrey'@'localhost';
-- From a role
REVOKE ALL PRIVILEGES, GRANT OPTION FROM 'role3';
Revoke at the global level (*.*). This removes only global privileges; grants made at database, table or column level are untouched and must be revoked at the level at which they were granted.
-- Revoke all global privileges
REVOKE ALL ON *.* FROM 'jeffrey'@'localhost';
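The following is an added example, not code from the original page: it demonstrates that a global REVOKE leaves lower-level grants in place, shows how to enumerate what an account still holds at each level before declaring it clean, and then removes everything. The account, schema and subnet are placeholders.

```sql
-- Added example, not from the original page. Account, schema and subnet are placeholders.
-- Starting state: one global privilege and one database-level privilege on the same account.
CREATE USER IF NOT EXISTS 'analyst'@'10.20.0.%' IDENTIFIED BY 'placeholder-secret';
GRANT PROCESS ON *.* TO 'analyst'@'10.20.0.%';
GRANT SELECT  ON shop.* TO 'analyst'@'10.20.0.%';

-- Revoking "everything" at the global level removes only the global grant.
REVOKE ALL ON *.* FROM 'analyst'@'10.20.0.%';
SHOW GRANTS FOR 'analyst'@'10.20.0.%';
-- still lists: GRANT SELECT ON `shop`.* TO `analyst`@`10.20.0.%`

-- Enumerate what is left at every level. GRANTEE values in information_schema
-- carry their own single quotes, so the literal is written in double quotes
-- (this assumes the ANSI_QUOTES SQL mode is not enabled).
SELECT grantee, privilege_type, 'global' AS level, '*' AS object
  FROM information_schema.USER_PRIVILEGES
 WHERE grantee = "'analyst'@'10.20.0.%'"
UNION ALL
SELECT grantee, privilege_type, 'schema', table_schema
  FROM information_schema.SCHEMA_PRIVILEGES
 WHERE grantee = "'analyst'@'10.20.0.%'"
UNION ALL
SELECT grantee, privilege_type, 'table', CONCAT(table_schema, '.', table_name)
  FROM information_schema.TABLE_PRIVILEGES
 WHERE grantee = "'analyst'@'10.20.0.%'"
UNION ALL
SELECT grantee, privilege_type, 'column',
       CONCAT(table_schema, '.', table_name, '.', column_name)
  FROM information_schema.COLUMN_PRIVILEGES
 WHERE grantee = "'analyst'@'10.20.0.%'";

-- Revoke at the level where the grant was made ...
REVOKE SELECT ON shop.* FROM 'analyst'@'10.20.0.%';
-- ... or strip every level at once. Either way the account still exists and
-- can connect; only its privileges are gone.
REVOKE ALL PRIVILEGES, GRANT OPTION FROM 'analyst'@'10.20.0.%';
SHOW GRANTS FOR 'analyst'@'10.20.0.%';
-- GRANT USAGE ON *.* TO `analyst`@`10.20.0.%`   (USAGE = may connect, no privileges)
```

Two timing details matter during an incident. Global privilege changes apply to a client's next connection, database-level changes at its next USE, and table/column changes at its next statement, so an attacker already connected with a global privilege keeps it until the session is killed. And if an account holds a global privilege from which one schema must be carved out, MySQL 8.0.16 and later support partial_revokes=ON so that REVOKE SELECT ON db.* can subtract from a global SELECT; on older servers the global grant has to be replaced with narrower ones.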