(1). Viewing users and their privileges
In MySQL, user accounts and their privileges are stored in a database named mysql. The tables that matter most are user, db, tables_priv, columns_priv and procs_priv, with user being the most important.
The user table stores global privileges, which apply to every database on a given server; in commands this scope is written as *.*;
The db table stores database privileges, which apply to every table in a given database; in commands this is written as [database].*;
The tables_priv table stores table privileges, which apply to every column in a given table; in commands this is written as [database].[table];
The columns_priv table stores column privileges, which apply to a single column of a given table; in commands this is written as ;
The CREATE ROUTINE, ALTER ROUTINE, EXECUTE and GRANT privileges apply to stored routines. They can be granted at the global and database levels and, except for CREATE ROUTINE, at the routine level as well, in which case they are stored in the procs_priv table.
To view users and their scope (also called the host), note that user+host is the composite primary key of the user table; much of what follows uses this composite key to identify one unique account.
mysql> select user,host from mysql.user;
+---------------+-----------+
| user          | host      |
+---------------+-----------+
| mysql.session | localhost |   // localhost means local only; it can also be a subnet such as 192.168.1.% or % for every host
| mysql.sys     | localhost |   // subnet and every-host entries are what remote connections to mysql use
| root          | localhost |
| test          | localhost |
+---------------+-----------+
4 rows in set (0.00 sec)
To view a user's privileges, since reading through all of those tables is impractical, use the following command: show grants for '[user]'@'[host]'
mysql> show grants for 'root'@'localhost';   // shows the user's privileges as GRANT statements
+---------------------------------------------------------------------+
| Grants for root@localhost                                           |
+---------------------------------------------------------------------+
| GRANT ALL PRIVILEGES ON *.* TO 'root'@'localhost' WITH GRANT OPTION |
| GRANT PROXY ON ''@'' TO 'root'@'localhost' WITH GRANT OPTION        |
+---------------------------------------------------------------------+
2 rows in set (0.00 sec)

mysql> show grants for 'test'@'localhost';
+---------------------------------------------------+
| Grants for test@localhost                         |
+---------------------------------------------------+
| GRANT USAGE ON *.* TO 'test'@'localhost'          |   // USAGE means no privileges: the account can only connect and query information_schema
| GRANT SELECT ON `test_db`.* TO 'test'@'localhost' |
+---------------------------------------------------+
2 rows in set (0.00 sec)
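As an added example (not from the original post), the queries below audit the grant tables described above from a defender's point of view: accounts reachable from any host, accounts holding global SUPER, GRANT OPTION or FILE, accounts with an empty authentication_string, and a per-account count of where lower-level grants live. The column names are those of the MySQL 5.7 mysql schema shown on this page; run them as an account that has SELECT on mysql.*.

```sql
-- Added example, not code from the original post. Column names follow the
-- MySQL 5.7 grant tables (mysql.user, db, tables_priv, columns_priv, procs_priv).

-- 1. Global accounts that deserve a second look.
SELECT user, host,
       Super_priv, Grant_priv, File_priv,
       (authentication_string = '') AS empty_password,
       plugin, account_locked
FROM mysql.user
WHERE host IN ('%', '')            -- wildcard host: reachable from anywhere
   OR Super_priv = 'Y'             -- can change server settings, kill sessions
   OR Grant_priv = 'Y'             -- can hand its own privileges to others
   OR File_priv = 'Y'              -- can read/write files on the server host
   OR authentication_string = '';  -- password-less account

-- 2. Where each account's privileges live across the five tables, so that
--    unexpected database-, table-, column- or routine-level grants stand out.
SELECT u.user, u.host,
       (SELECT COUNT(*) FROM mysql.db           d
         WHERE d.user = u.user AND d.host = u.host) AS db_grants,
       (SELECT COUNT(*) FROM mysql.tables_priv  t
         WHERE t.user = u.user AND t.host = u.host) AS table_grants,
       (SELECT COUNT(*) FROM mysql.columns_priv c
         WHERE c.user = u.user AND c.host = u.host) AS column_grants,
       (SELECT COUNT(*) FROM mysql.procs_priv   p
         WHERE p.user = u.user AND p.host = u.host) AS routine_grants
FROM mysql.user u
ORDER BY u.user, u.host;

-- 3. Accounts with ALL PRIVILEGES on a whole database (the post's t1@localhost
--    on `test` would appear here), which is often more than an application needs.
SELECT user, host, db
FROM mysql.db
WHERE Select_priv = 'Y' AND Insert_priv = 'Y' AND Update_priv = 'Y'
  AND Delete_priv = 'Y' AND Create_priv = 'Y' AND Drop_priv  = 'Y';
```

Compare the output with `show grants for` for any account the first query flags; the GRANT statements are easier to read, but the tables are what the server actually enforces.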
(2). Creating a user
First check five parameters: validate_password_policy (password complexity), validate_password_length (password length), validate_password_number_count (number of digit characters in the password), validate_password_special_char_count (number of special characters in the password) and validate_password_mixed_case_count (number of upper- and lower-case letters in the password). Note that password length >= [digit count + special character count + (2 * mixed-case count)].
Check validate_password_policy first. If it reports an error or shows LOW, you only need to look at validate_password_length as well; a password whose length meets that parameter is enough. If it shows anything else, check all of the parameters and satisfy every character-count requirement.
For convenience you can of course turn the complexity parameter off, or lower it to LOW, as long as you take care of password strength yourself. Either add or change validate-password=OFF in the [mysqld] section of /etc/my.cnf and restart the mysqld service, or run set global validate_password_policy=0; inside mysql to lower it to LOW and then flush privileges; to reload the grant tables.
Commands related to the five parameters:
select @@[parameter name];              -- view the value of a global parameter
set global [parameter name]=[value];   -- set the value of a global parameter
flush privileges;                      -- reload the grant tables
Command to create a user:
create user '[new user name]'@'[scope]' identified by '[password]';
flush privileges;   -- remember to reload the grant tables after creating the user
As mentioned above, the scope can be localhost for local access, a subnet such as 192.168.2.%, or % for every external address.
Example:
mysql> create user 't1'@'localhost' identified by '12345678';
Query OK, 0 rows affected (0.01 sec)

mysql> flush privileges;   // reload the grant tables
Query OK, 0 rows affected (0.00 sec)

mysql> select user,host from mysql.user where user='t1';
+------+-----------+
| user | host      |
+------+-----------+
| t1   | localhost |
+------+-----------+
1 row in set (0.00 sec)

mysql> show grants for 't1'@'localhost';   // the account has no privileges yet
+----------------------------------------+
| Grants for t1@localhost                |
+----------------------------------------+
| GRANT USAGE ON *.* TO 't1'@'localhost' |
+----------------------------------------+
1 row in set (0.00 sec)
(3). Creating a user with privileges, granting privileges to an existing user, and granting privileges to an existing user while changing its password
All three actually use the same command:
grant [privileges] on [database].[table] to '[user name]'@'[scope]' identified by '[password]';
flush privileges;   -- remember to reload the grant tables
ALL PRIVILEGES or ALL means every privilege; individual privileges such as select, update, insert and delete are separated by commas. See the structure of the mysql.user table for the full list.
A [database].[table] of *.* means all databases.
If identified by '[password]' is omitted, the password is left unchanged.
Example of granting privileges to an existing user:
mysql> grant all privileges on test.* to 't1'@'localhost';   // password unchanged
Query OK, 0 rows affected (0.00 sec)

mysql> flush privileges;   // reload the grant tables
Query OK, 0 rows affected (0.00 sec)

mysql> show grants for 't1'@'localhost';
+------------------------------------------------------+
| Grants for t1@localhost                              |
+------------------------------------------------------+
| GRANT USAGE ON *.* TO 't1'@'localhost'               |
| GRANT ALL PRIVILEGES ON `test`.* TO 't1'@'localhost' |
+------------------------------------------------------+
2 rows in set (0.00 sec)

mysql> exit
Bye
[root@youxi1 ~]# mysql -ut1 -p12345678   // the original password still logs in
mysql: [Warning] Using a password on the command line interface can be insecure.
Welcome to the MySQL monitor. Commands end with ; or \g.
Your MySQL connection id is 5
Server version: 5.7.26 MySQL Community Server (GPL)

Copyright (c) 2000, 2019, Oracle and/or its affiliates. All rights reserved.

Oracle is a registered trademark of Oracle Corporation and/or its affiliates. Other names may be trademarks of their respective owners.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

mysql>
Example of granting privileges to an existing user while changing its password:
mysql> grant select on mysql.* to 't1'@'localhost' identified by 'abcdefgh';
Query OK, 0 rows affected, 1 warning (0.00 sec)

mysql> flush privileges;   // reload the grant tables
Query OK, 0 rows affected (0.00 sec)

mysql> show grants for 't1'@'localhost';
+------------------------------------------------------+
| Grants for t1@localhost                              |
+------------------------------------------------------+
| GRANT USAGE ON *.* TO 't1'@'localhost'               |
| GRANT ALL PRIVILEGES ON `test`.* TO 't1'@'localhost' |
| GRANT SELECT ON `mysql`.* TO 't1'@'localhost'        |
+------------------------------------------------------+
3 rows in set (0.01 sec)

mysql> exit
Bye
[root@youxi1 ~]# mysql -ut1 -p12345678   // the original password is now rejected
mysql: [Warning] Using a password on the command line interface can be insecure.
ERROR 1045 (28000): Access denied for user 't1'@'localhost' (using password: YES)
[root@youxi1 ~]# mysql -ut1 -pabcdefgh;   // the new password logs in
mysql: [Warning] Using a password on the command line interface can be insecure.
Welcome to the MySQL monitor. Commands end with ; or \g.
Your MySQL connection id is 8
Server version: 5.7.26 MySQL Community Server (GPL)

Copyright (c) 2000, 2019, Oracle and/or its affiliates. All rights reserved.

Oracle is a registered trademark of Oracle Corporation and/or its affiliates. Other names may be trademarks of their respective owners.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

mysql>
Example of creating a user and granting privileges in one step:
mysql> grant all on test_db.* to 't2'@'localhost' identified by '12345678';
Query OK, 0 rows affected, 1 warning (0.00 sec)

mysql> flush privileges;   // reload the grant tables
Query OK, 0 rows affected (0.00 sec)

mysql> select user,host from mysql.user where user='t2';   // the user was created
+------+-----------+
| user | host      |
+------+-----------+
| t2   | localhost |
+------+-----------+
1 row in set (0.00 sec)

mysql> show grants for 't2'@'localhost';   // the privileges are correct
+---------------------------------------------------------+
| Grants for t2@localhost                                 |
+---------------------------------------------------------+
| GRANT USAGE ON *.* TO 't2'@'localhost'                  |
| GRANT ALL PRIVILEGES ON `test_db`.* TO 't2'@'localhost' |
+---------------------------------------------------------+
2 rows in set (0.00 sec)

mysql> exit
Bye
[root@youxi1 ~]# mysql -ut2 -p12345678;   // login works
mysql: [Warning] Using a password on the command line interface can be insecure.
Welcome to the MySQL monitor. Commands end with ; or \g.
Your MySQL connection id is 10
Server version: 5.7.26 MySQL Community Server (GPL)

Copyright (c) 2000, 2019, Oracle and/or its affiliates. All rights reserved.

Oracle is a registered trademark of Oracle Corporation and/or its affiliates. Other names may be trademarks of their respective owners.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

mysql>
(4). Changing a user's password from inside mysql
The password parameters still have to be checked first. Once inside mysql, the commands to change a password are:
alter user '[user name]'@'[scope]' identified by '[new password]';   -- either of these two statements changes the password; use one of them
set password for '[user name]'@'[scope]'=password('[new password]');
flush privileges;   -- reload the grant tables
Only the first one is shown as an example:
mysql> alter user 't1'@'localhost' identified by '12345678';
Query OK, 0 rows affected (0.01 sec)

mysql> flush privileges;   // reload the grant tables
Query OK, 0 rows affected (0.00 sec)

mysql> exit
Bye
[root@youxi1 ~]# mysql -ut1 -p12345678;
mysql: [Warning] Using a password on the command line interface can be insecure.
Welcome to the MySQL monitor. Commands end with ; or \g.
Your MySQL connection id is 12
Server version: 5.7.26 MySQL Community Server (GPL)

Copyright (c) 2000, 2019, Oracle and/or its affiliates. All rights reserved.

Oracle is a registered trademark of Oracle Corporation and/or its affiliates. Other names may be trademarks of their respective owners.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

mysql>
(5). Revoking a user's privileges
The revoke command has the same shape as the grant command:
revoke [privileges] on [database].[table] from '[user name]'@'[scope]';
flush privileges;   -- reload the grant tables
Example:
mysql> show grants for 't1'@'localhost';   // view the privileges
+------------------------------------------------------+
| Grants for t1@localhost                              |
+------------------------------------------------------+
| GRANT USAGE ON *.* TO 't1'@'localhost'               |
| GRANT ALL PRIVILEGES ON `test`.* TO 't1'@'localhost' |
| GRANT SELECT ON `mysql`.* TO 't1'@'localhost'        |
+------------------------------------------------------+
3 rows in set (0.00 sec)

mysql> revoke select on mysql.* from 't1'@'localhost';   // remove the privilege
Query OK, 0 rows affected (0.00 sec)

mysql> flush privileges;   // reload the grant tables
Query OK, 0 rows affected (0.00 sec)

mysql> show grants for 't1'@'localhost';   // the privilege is gone
+------------------------------------------------------+
| Grants for t1@localhost                              |
+------------------------------------------------------+
| GRANT USAGE ON *.* TO 't1'@'localhost'               |
| GRANT ALL PRIVILEGES ON `test`.* TO 't1'@'localhost' |
+------------------------------------------------------+
2 rows in set (0.01 sec)
(6). Deleting a user
Deleting a user is really just deleting the matching record from the mysql.user table. The commands are:
drop user '[user name]'@'[scope]';   -- recommended
delete from mysql.user where user='[user name]' and host='[scope]';
flush privileges;   -- reload the grant tables
Use the first command to delete users: the second one leaves data behind.
Example:
mysql> delete from mysql.user where user='t1' and host='localhost';   // delete the user with the second command
Query OK, 1 row affected (0.00 sec)

mysql> flush privileges;   // reload the grant tables
Query OK, 0 rows affected (0.00 sec)

mysql> show grants for 't1'@'localhost';   // this command no longer finds the account
ERROR 1141 (42000): There is no such grant defined for user 't1' on host 'localhost'

mysql> select * from mysql.db where user='t1' and host='localhost'\G   // but the row is still there in the table that actually stores the privileges
*************************** 1. row ***************************
                 Host: localhost
                   Db: test
                 User: t1
          Select_priv: Y
          Insert_priv: Y
          Update_priv: Y
          Delete_priv: Y
          Create_priv: Y
            Drop_priv: Y
           Grant_priv: N
      References_priv: Y
           Index_priv: Y
           Alter_priv: Y
Create_tmp_table_priv: Y
     Lock_tables_priv: Y
     Create_view_priv: Y
       Show_view_priv: Y
  Create_routine_priv: Y
   Alter_routine_priv: Y
         Execute_priv: Y
           Event_priv: Y
         Trigger_priv: Y
1 row in set (0.00 sec)

mysql> drop user 't2'@'localhost';   // delete the user with the first command
Query OK, 0 rows affected (0.01 sec)

mysql> flush privileges;   // reload the grant tables
Query OK, 0 rows affected (0.00 sec)

mysql> select * from mysql.db where user='t2' and host='localhost'\G   // nothing left behind
Empty set (0.00 sec)
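As an added example (not from the original post), the query below finds the residue the section above demonstrates: rows in db, tables_priv, columns_priv and procs_priv whose user/host no longer exists in mysql.user. Such rows are worth hunting down because grants are keyed by user+host, so an account later re-created with the same name and host would pick them up again. The cleanup statements use the post's own t1@localhost as the example account; DROP USER does all of this in a single statement.

```sql
-- Added example, not code from the original post. Lists orphaned privilege
-- rows left in the lower-level grant tables after DELETE FROM mysql.user.
SELECT 'db' AS grant_table, d.user, d.host, d.db AS object
FROM mysql.db d
LEFT JOIN mysql.user u ON u.user = d.user AND u.host = d.host
WHERE u.user IS NULL
UNION ALL
SELECT 'tables_priv', t.user, t.host, CONCAT(t.db, '.', t.table_name)
FROM mysql.tables_priv t
LEFT JOIN mysql.user u ON u.user = t.user AND u.host = t.host
WHERE u.user IS NULL
UNION ALL
SELECT 'columns_priv', c.user, c.host,
       CONCAT(c.db, '.', c.table_name, '.', c.column_name)
FROM mysql.columns_priv c
LEFT JOIN mysql.user u ON u.user = c.user AND u.host = c.host
WHERE u.user IS NULL
UNION ALL
SELECT 'procs_priv', p.user, p.host,
       CONCAT(p.db, '.', p.routine_name, ' (', p.routine_type, ')')
FROM mysql.procs_priv p
LEFT JOIN mysql.user u ON u.user = p.user AND u.host = p.host
WHERE u.user IS NULL;

-- Cleanup for one orphaned account (the post's t1@localhost). In general,
-- prefer DROP USER, which removes the account from every grant table at once.
DELETE FROM mysql.db           WHERE user = 't1' AND host = 'localhost';
DELETE FROM mysql.tables_priv  WHERE user = 't1' AND host = 'localhost';
DELETE FROM mysql.columns_priv WHERE user = 't1' AND host = 'localhost';
DELETE FROM mysql.procs_priv   WHERE user = 't1' AND host = 'localhost';
FLUSH PRIVILEGES;
```

Run the SELECT again after the cleanup; an empty result is the expected state on a server where accounts have only ever been removed with DROP USER.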
(7). Resetting a forgotten password
Edit the configuration file. Note: if validate-password=off is present, comment it out or delete it, otherwise the restart fails.
[root@youxi1 ~]# vim /etc/my.cnf
skip-grant-tables   // add this line
[root@youxi1 ~]# systemctl restart mysqld
Then enter mysql and change the password:
[root@youxi1 ~]# mysql
mysql> update mysql.user set authentication_string=password('654321') where user='root';
mysql> flush privileges;   // reload the grant tables
Finally, restore the parameters in the configuration file and restart mysqld. Then test the login.