MySQL 8.0 Series: Generating Random Passwords


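Background

Once upon a time, a customer required that the password of a high-privilege database account be changed automatically every day to a random password, in order to strengthen database security.

We implemented this with a program module we developed; of course, you could also implement it with a script + cron.

Now this requirement is even simpler to meet.

Version 8.0.18 added a small feature: the CREATE USER, ALTER USER and SET PASSWORD statements can generate random passwords.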

Generating random passwords

mysql> create user 'fanderchan'@'%' IDENTIFIED BY RANDOM PASSWORD;
+------------+------+----------------------+
| user       | host | generated password   |
+------------+------+----------------------+
| fanderchan | %    | YMeIblT.jRciKLWkB0RL |
+------------+------+----------------------+
1 row in set (0.01 sec)

mysql> ALTER USER 'fanderchan'@'%' IDENTIFIED BY RANDOM PASSWORD;
+------------+------+----------------------+
| user       | host | generated password   |
+------------+------+----------------------+
| fanderchan | %    | !bnMk/Lu4C87VMOdXQh. |
+------------+------+----------------------+
1 row in set (0.01 sec)

mysql> SET PASSWORD FOR 'fanderchan'@'%' TO RANDOM;
+------------+------+----------------------+
| user       | host | generated password   |
+------------+------+----------------------+
| fanderchan | %    | dCdJT5h9[Gm/dsC.aVHm |
+------------+------+----------------------+
1 row in set (0.01 sec)

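As you can see, by default the random password is 20 characters long and has good complexity (uppercase letters, lowercase letters, special symbols, digits).

Related parameters

Controlling the length of the random password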

mysql> show variables like 'generated_random_password_length';
+----------------------------------+-------+
| Variable_name                    | Value |
+----------------------------------+-------+
| generated_random_password_length | 20    |
+----------------------------------+-------+
1 row in set (0.00 sec)
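
The daily rotation from the Background, written as a cron-driven shell script around ALTER USER ... IDENTIFIED BY RANDOM PASSWORD and generated_random_password_length. This is an added example, not code from the original post; the function names, the MYSQL_ADMIN_CNF variable (path to a client option file holding the admin credentials) and the output file are assumptions.

```shell
#!/bin/sh
# Added example: rotate one account to a server-generated random password
# and capture the cleartext, which is returned only in the result set.
set -eu

# Build the SQL. Account parts are interpolated into the statement text,
# so they are restricted to a safe character set first.
build_rotation_sql() (
  user=${1:-} host=${2:-} length=${3:-20}
  case $user in ''|*[!A-Za-z0-9_]*) echo "invalid user" >&2; exit 1;; esac
  case $host in ''|*[!A-Za-z0-9_.%-]*) echo "invalid host" >&2; exit 1;; esac
  case $length in ''|*[!0-9]*|0*) echo "invalid length" >&2; exit 1;; esac
  # generated_random_password_length accepts 5..255 (default 20).
  [ "$length" -ge 5 ] && [ "$length" -le 255 ] || { echo "length must be 5..255" >&2; exit 1; }
  printf "SET SESSION generated_random_password_length = %s; ALTER USER '%s'@'%s' IDENTIFIED BY RANDOM PASSWORD;\n" \
    "$length" "$user" "$host"
)

# Read tab-separated batch output (user, host, generated password, ...) on
# stdin and print the password for the requested account. Fails if absent.
parse_generated_password() {
  awk -F'\t' -v u="$1" -v h="$2" '
    ($1 "") == (u "") && ($2 "") == (h "") && $3 != "" { print $3; found = 1; exit }
    END { exit !found }'
}

# Rotate and store the new password in a file readable only by the owner.
rotate_password() (
  user=$1 host=$2 length=$3 out=$4
  sql=$(build_rotation_sql "$user" "$host" "$length")
  # --raw disables escaping in batch mode so the password arrives unmodified.
  pw=$(mysql --defaults-file="$MYSQL_ADMIN_CNF" --batch --raw --skip-column-names \
         -e "$sql" | parse_generated_password "$user" "$host")
  umask 077
  printf '%s\n' "$pw" > "$out.tmp"
  mv "$out.tmp" "$out"
)

# Usage: rotate.sh USER HOST LENGTH OUTPUT_FILE
if [ "$#" -ge 4 ]; then rotate_password "$@"; fi
```

In a crontab entry the host `%` must be written as `\%`, because cron treats an unescaped `%` as a line break. The rotation statement itself carries no secret, so nothing sensitive appears in the process list or the shell history.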

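Additional notes

  • validate_password is an optionally installed MySQL password-strengthening plugin, but random passwords are not affected or controlled by the validate_password plugin
  • The default password authentication plugin in MySQL 8.0 is caching_sha2_password; the default password authentication plugin in MySQL 5.7 is mysql_native_password
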
mysql> show global variables like 'default_authentication_plugin';
+-------------------------------+-----------------------+
| Variable_name                 | Value                 |
+-------------------------------+-----------------------+
| default_authentication_plugin | caching_sha2_password |
+-------------------------------+-----------------------+
1 row in set (0.00 sec)

So here I add two MySQL 8.0 authorization statements and what they produce:

mysql> create user 'fander1'@'%' IDENTIFIED WITH 'caching_sha2_password' BY RANDOM PASSWORD;
+---------+------+----------------------+
| user    | host | generated password   |
+---------+------+----------------------+
| fander1 | %    | Mk3UO%gi8HB6Qe>KFKxE |
+---------+------+----------------------+
1 row in set (0.01 sec)

mysql> create user 'fander2'@'%' IDENTIFIED WITH 'mysql_native_password' BY RANDOM PASSWORD;
+---------+------+----------------------+
| user    | host | generated password   |
+---------+------+----------------------+
| fander2 | %    | Kp+t0g-3ALKeisQ>yBU/ |
+---------+------+----------------------+
1 row in set (0.00 sec)

mysql> select user,host,plugin,authentication_string from mysql.user where user like 'fander%';
+------------+------+-----------------------+------------------------------------------------------------------------+
| user       | host | plugin                | authentication_string                                                  |
+------------+------+-----------------------+------------------------------------------------------------------------+
| fander1    | %    | caching_sha2_password | $A$005$WG[R/	c]0Z8wdaalCKRoKJFNkh1owsuzQ0lsP9JSGLDHlmdGhM8DvSM1 |
| fander2    | %    | mysql_native_password | *8DADAA12E42653774E3CB670F92E0A58171FE2E8                              |
+------------+------+-----------------------+------------------------------------------------------------------------+
5 rows in set (0.00 sec)

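What I want to point out is that in the binlog, the password in an authorization statement appears as the encrypted ciphertext password (the value in the authentication_string column).

Reference: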
https://dev.mysql.com/doc/refman/8.0/en/password-management.html#random-password-generation

