MySQL(用户授权及撤销)

1)允许root从192.168.4.0/24网段 访问,对所有库/表有完全权限,密码为tarena
2)添加一个管理账号dba007,完全控制及授权
3)撤销root从本机访问的权限,然后恢复
4)允许webuser从任意客户机登录,只对webdb库有完全权限,密码为 888888
5)撤销webuser的完全权限,改为查询权限
使用2台RHEL 6虚拟机,如图-1所示。其中192.168.4.10是MySQL服务器,授权及撤销操作均在此服务器上执行;而192.168.4.120作为测试客户机,需要安装好MySQL-client软件包,以便提供mysql命令。

MySQL(用户授权及撤销)_第1张图片
同时,MySQL服务器本身(192.168.4.10)也可以作为测试客户机。
实现此案例需要按照如下步骤进行。

步骤一:用户授权及撤销

1)允许root从192.168.4.0/24访问,对所有库表有完全权限,密码为tarena。

授权之前,从192.168.4.0/24网段的客户机访问时,将会被拒绝:

[root@host120 ~]# mysql -u root -p -h 192.168.4.10
Enter password:  								//输入正确的密码
ERROR 1130 (HY000): Host '192.168.4.120' is not allowed to connect to this MySQL server

授权操作,此处可设置与从localhost访问时不同的密码:

mysql> GRANT all ON *.* TO root@'192.168.4.%' IDENTIFIED BY 'tarena';
Query OK, 0 rows affected (0.00 sec)

再次从192.168.4.0/24网段的客户机访问时,输入正确的密码后可登入:

[root@host120 ~]# mysql -u root -p -h 192.168.4.10
Enter password:
Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 8
Server version: 5.6.15 MySQL Community Server (GPL)

Copyright (c) 2000, 2013, Oracle and/or its affiliates. All rights reserved.

Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

mysql>

从网络登入后,测试新建一个库、查看所有库:

mysql> CREATE DATABASE rootdb;  				//创建新库rootdb
Query OK, 1 row affected (0.06 sec)

mysql> SHOW DATABASES;
+--------------------+
| Database           |
+--------------------+
| information_schema |
| home               |
| mydb               |
| mysql              |
| performance_schema |
| rootdb             |  					//新建的rootdb库
| test               |
+--------------------+
7 rows in set (0.08 sec)

2)建立一个管理账号dba007,对所有库完全控制,并赋予其授权的权限

新建账号并授权:
mysql> GRANT all ON *.* TO dba007@localhost
    -> IDENTIFIED BY '1234567'
    -> WITH GRANT OPTION;
Query OK, 0 rows affected (0.00 sec)
查看dba007的权限:
mysql> SHOW GRANTS FOR dba007@localhost;
+------------------------------------------------------------------------------------------------------------------------------------------+
| Grants for dba007@localhost                                                                                                              |
+------------------------------------------------------------------------------------------------------------------------------------------+
| GRANT ALL PRIVILEGES ON *.* TO 'dba007'@'localhost' IDENTIFIED BY PASSWORD '*6A7A490FB9DC8C33C2B025A91737077A7E9CC5E5' WITH GRANT OPTION |
+------------------------------------------------------------------------------------------------------------------------------------------+
1 row in set (0.00 sec)

3)撤销root从本机访问的权限,然后恢复

注意:如果没有事先建立其他管理账号,请不要轻易撤销root用户的本地访问权限,否则恢复起来会比较困难,甚至不得不重装数据库。

撤销root对数据库的操作权限:
mysql> REVOKE all ON *.* FROM root@localhost;
Query OK, 0 rows affected (0.00 sec)
mysql> SHOW GRANTS FOR root@localhost;
+-------------------------------------------------------------------------------------------------------------------------------+
| Grants for root@localhost                                                                                                     |
+-------------------------------------------------------------------------------------------------------------------------------+
| GRANT USAGE ON *.* TO 'root'@'localhost' IDENTIFIED BY PASSWORD '*6A7A490FB9DC8C33C2B025A91737077A7E9CC5E5' WITH GRANT OPTION |
| GRANT PROXY ON ''@'' TO 'root'@'localhost' WITH GRANT OPTION                                                                  |
+-------------------------------------------------------------------------------------------------------------------------------+
2 rows in set (0.00 sec)
验证撤销后的权限效果:
mysql> exit  									//退出当前MySQL连接
Bye
[root@dbsvr1 ~]# mysql -u root -p  				//重新以root从本地登入
Enter password:
Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 6
Server version: 5.6.15 MySQL Community Server (GPL)

Copyright (c) 2000, 2013, Oracle and/or its affiliates. All rights reserved.

Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

mysql> CREATE DATABASE newdb2014;  				//尝试新建库失败
ERROR 1044 (42000): Access denied for user 'root'@'localhost' to database 'newdb2014'
mysql> DROP DATABASE rootdb;  						//尝试删除库失败
ERROR 1044 (42000): Access denied for user 'root'@'localhost' to database 'rootdb'
尝试以当前的root用户恢复权限,也会失败(无权更新授权表):
mysql> GRANT all ON *.* TO root@localhost IDENTIFIED BY '1234567';
ERROR 1045 (28000): Access denied for user 'root'@'localhost' (using password: YES)
怎么办呢?
退出当前MySQL连接,以上一步添加的管理账号dba007登入:
mysql> exit  										//退出当前MySQL连接
Bye
[root@dbsvr1 ~]# mysql -u dba007 -p   				//以另一个管理账号登入
Enter password:
Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 7
Server version: 5.6.15 MySQL Community Server (GPL)

Copyright (c) 2000, 2013, Oracle and/or its affiliates. All rights reserved.

Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
由管理账号dba007重新为root添加本地访问权限:
mysql> GRANT all ON *.* TO root@localhost IDENTIFIED BY '1234567';
Query OK, 0 rows affected (0.00 sec)
mysql> SHOW GRANTS FOR root@localhost;  			//查看恢复结果
+----------------------------------------------------------------------------------------------------------------------------------------+
| Grants for root@localhost                                                                                                              |
+----------------------------------------------------------------------------------------------------------------------------------------+
| GRANT ALL PRIVILEGES ON *.* TO 'root'@'localhost' IDENTIFIED BY PASSWORD '*6A7A490FB9DC8C33C2B025A91737077A7E9CC5E5' WITH GRANT OPTION |
| GRANT PROXY ON ''@'' TO 'root'@'localhost' WITH GRANT OPTION                                                                           |
+----------------------------------------------------------------------------------------------------------------------------------------+
2 rows in set (0.00 sec)
退出,再重新以root登入,测试一下看看,权限又恢复了吧:
mysql> exit  									//退出当前MySQL连接
Bye
[root@dbsvr1 ~]# mysql -u root -p 				//重新以root登入
Enter password:
Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 8
Server version: 5.6.15 MySQL Community Server (GPL)

Copyright (c) 2000, 2013, Oracle and/or its affiliates. All rights reserved.

Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

mysql> CREATE DATABASE newdb2014;  				//成功创建新库
Query OK, 1 row affected (0.00 sec)

4)允许webuser从任意客户机登录,只对webdb库有完全权限,密码为 888888

添加授权:
mysql> GRANT all ON webdb.* TO webuser@'%' IDENTIFIED BY '888888';
Query OK, 0 rows affected (0.00 sec)
查看授权结果:
mysql> SHOW GRANTS FOR webuser@'%';
+--------------------------------------------------------------------------------------------------------+
| Grants for webuser@%                                                                                   |
+--------------------------------------------------------------------------------------------------------+
| GRANT USAGE ON *.* TO 'webuser'@'%' IDENTIFIED BY PASSWORD '*DA28842831B3C40F4BC1D3C76CF9AD8CBFDAE1CB' |
| GRANT ALL PRIVILEGES ON `webdb`.* TO 'webuser'@'%'                                                     |
+--------------------------------------------------------------------------------------------------------+
2 rows in set (0.00 sec)

5)撤销webuser的完全权限,改为查询权限

撤销所有权限:
mysql> REVOKE all ON webdb.* FROM webuser@'%';
Query OK, 0 rows affected (0.03 sec)
只赋予查询权限:
mysql> GRANT select ON webdb.* TO webuser@'%';
Query OK, 0 rows affected (0.00 sec)
确认授权更改结果:
mysql> SHOW GRANTS FOR webuser@'%';
+--------------------------------------------------------------------------------------------------------+
| Grants for webuser@%                                                                                   |
+--------------------------------------------------------------------------------------------------------+
| GRANT USAGE ON *.* TO 'webuser'@'%' IDENTIFIED BY PASSWORD '*DA28842831B3C40F4BC1D3C76CF9AD8CBFDAE1CB' |
| GRANT SELECT ON `webdb`.* TO 'webuser'@'%'                                                             |
+--------------------------------------------------------------------------------------------------------+
2 rows in set (0.00 sec)

你可能感兴趣的:(实验记录)