创建MySQL用户及赋予用户权限
1、通过help查看grant命令帮助
……
CREATE USER 'jeffrey'@'localhost' IDENTIFIED BY 'mypass';
GRANT ALL ON db1.* TO 'jeffrey'@'localhost';
GRANT SELECT ON db2.invoice TO 'jeffrey'@'localhost';
GRANT USAGE ON *.* TO 'jeffrey'@'localhost' WITH MAX_QUERIES_PER_HOUR 90;
……
2、运维人员比较常用的创建用户的方法是
GRANT ALL ON db1.* TO 'jeffrey'@'localhost' IDENTIFIED BY 'mypass';
3、先创建用户再授权
CREATE USER 'jeffrey'@'localhost' IDENTIFIED BY 'mypass';
GRANT ALL ON db1.* TO 'jeffrey'@'localhost';
4、创建用户并授权
grant命令简单语法如下
grant all privileges on bdname.* to username@localhost identified by ‘passwd’;
表格说明:
grant |
all privileges |
on dbname.* |
to username@localhost |
identified by ‘passwd’ |
授权命令 |
对应权限 |
目标:库和表 |
用户和客户端主机 |
用户密码 |
授权用户solin对solin_utf8库所有权限:
mysql> grant all privileges on solin_utf8.* to 'solin'@'localhost' identified by'ubuntu';
Query OK, 0 rows affected (0.00 sec)
mysql> flush privileges;
Query OK, 0 rows affected (0.00 sec)
5、查看用户权限
mysql> show grants for solin@localhost;
+--------------------------------------------------------------------------------------------------------------+
| Grants for solin@localhost |
+--------------------------------------------------------------------------------------------------------------+
| GRANT USAGE ON *.* TO 'solin'@'localhost' IDENTIFIED BY PASSWORD '*3CD53EE62F8F7439157DF288B55772A2CA36E60C' |
| GRANT ALL PRIVILEGES ON `solin_utf8`.* TO 'solin'@'localhost' |
+--------------------------------------------------------------------------------------------------------------+
2 rows in set (0.00 sec)
6、create和grant配合法
①首先创建用户solin01及密码ubuntu,授权主机localhost
CREATE USER 'solin01'@'localhost' IDENTIFIED BY 'ubuntu';
②授权
mysql> create user solin01@localhost identified by 'ubuntu';
Query OK, 0 rows affected (0.00 sec)
mysql> show databases;
+--------------------+
| Database |
+--------------------+
| information_schema |
| mysql |
| performance_schema |
| solin_utf8 |
+--------------------+
4 rows in set (0.00 sec)
mysql> grant all on solin_utf8.* to 'solin01'@'localhost';
Query OK, 0 rows affected (0.00 sec)
7、授权局域网内主机远程连接
solin@localhost位置为授权访问数据库的主机,localhost可以用域名,IP地址或者IP段来替代。
①IP配置方式
[root@db-server ~]# mysql -uroot -pcentos #登陆MySQL(-u用户,-p,密码)
Welcome to the MySQL monitor. Commands end with ; or \g.
Your MySQL connection id is 3928
Server version: 5.1.73 Source distribution
Copyright (c) 2000, 2013, Oracle and/or its affiliates. All rights reserved.
Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.
Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
mysql> create user test@'192.168.119.%' identified by 'test'; #创建新的数据库授权192.168.119.%段主机登陆
Query OK, 0 rows affected (0.00 sec)
mysql> flush privileges; #刷新
Query OK, 0 rows affected (0.00 sec)
mysql> \q
Bye
root@db-Client:~# mysql -utest -ptest -h 192.168.119.224 #远程连接数据库
Welcome to the MySQL monitor. Commands end with ; or \g.
Your MySQL connection id is 3930
Server version: 5.1.73 Source distribution
Copyright (c) 2000, 2014, Oracle and/or its affiliates. All rights reserved.
Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.
Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
mysql> \q #退出数据库
Bye
②子网掩码配置方式
grant all on test@’192.168.119.224/255.255.255.0’ indentified by ‘test’;
flush privileges;
MySQL客户端连接异地数据库服务
本地:mysql -uroot -pcentos=mysql -uroot -pcentos -h localhost
远程:mysql -utest -ptest -h 192.168.119.224
通过php服务器连接mysql服务器的代码
//$link_id=mysql_connect('主机名','用户','密码');
$link_id=mysql_connect('192.168.119.224','test''centos') or mysql_error();
if($link_id){
echo "mysql successful by oldboy !";
}else{
echo mysql_error();
}
?>
8、MySQL用户的权限有哪些
权限表
权限 |
权限级别 |
权限说明 |
CREATE |
数据库、表或索引 |
创建数据库、表或索引权限 |
DROP |
数据库或表 |
删除数据库或表权限 |
GRANT OPTION |
数据库、表或保存的程序 |
赋予权限选项 |
REFERENCES |
数据库或表 |
|
ALTER |
表 |
更改表,比如添加字段、索引等 |
DELETE |
表 |
删除数据权限 |
INDEX |
表 |
索引权限 |
INSERT |
表 |
插入权限 |
SELECT |
表 |
查询权限 |
UPDATE |
表 |
更新权限 |
CREATE VIEW |
视图 |
创建视图权限 |
SHOW VIEW |
视图 |
查看视图权限 |
ALTER ROUTINE |
存储过程 |
更改存储过程权限 |
CREATE ROUTINE |
存储过程 |
创建存储过程权限 |
EXECUTE |
存储过程 |
执行存储过程权限 |
FILE |
服务器主机上的文件访问 |
文件访问权限 |
CREATE TEMPORARY TABLES |
服务器管理 |
创建临时表权限 |
LOCK TABLES |
服务器管理 |
锁表权限 |
CREATE USER |
服务器管理 |
创建用户权限 |
PROCESS |
服务器管理 |
查看进程权限 |
RELOAD |
服务器管理 |
执行flush-hosts, flush-logs, flush-privileges, flush-status, flush-tables, flush-threads, refresh, reload等命令的权限 |
REPLICATION CLIENT |
服务器管理 |
复制权限 |
REPLICATION SLAVE |
服务器管理 |
复制权限 |
SHOW DATABASES |
服务器管理 |
查看数据库权限 |
SHUTDOWN |
服务器管理 |
关闭数据库权限 |
SUPER |
服务器管理 |
执行kill线程权限 |
MYSQL的权限如何分布,就是针对表可以设置什么权限,针对列可以设置什么权限等等,这个可以从官方文档中的一个表来说明:
权限分布 |
可能的设置的权限 |
表权限 |
'Select', 'Insert', 'Update', 'Delete', 'Create', 'Drop', 'Grant', 'References', 'Index', 'Alter' |
列权限 |
'Select', 'Insert', 'Update', 'References' |
过程权限 |
'Execute', 'Alter Routine', 'Grant' |
企业生产环境环境如何授权用户权限
1、博客,CMS等产品授权的数据库授权
对于web连接用户权限尽量采用最小化原则,很多开源软件都是web界面安装,因此,在安装期间除了select,insert,update,delete4个权限外,还需要create、drop等比较危险的权限
2、常规情况下授权select,insert,update,delete4个权限即可,
生成数据库表后,要收回create、drop权限
mysql> grant select,insert,update,delete,create,drop on test.* to 'solin'@'192.168.119.%' identified by'centos';
Query OK, 0 rows affected (0.00 sec)
mysql> show grants for 'solin'@'192.168.119.%';
+------------------------------------------------------------------------------------------------------------------+
| Grants for [email protected].% |
+------------------------------------------------------------------------------------------------------------------+
| GRANT USAGE ON *.* TO 'solin'@'192.168.119.%' IDENTIFIED BY PASSWORD '*128977E278358FF80A246B5046F51043A2B1FCED' |
| GRANT SELECT, INSERT, UPDATE, DELETE, CREATE, DROP ON `test`.* TO 'solin'@'192.168.119.%' |
+------------------------------------------------------------------------------------------------------------------+
2 rows in set (0.00 sec)
mysql> REVOKE create,drop ON test.* FROM 'solin'@'192.168.119.%';
Query OK, 0 rows affected (0.00 sec)
mysql> show grants for 'solin'@'192.168.119.%';
+------------------------------------------------------------------------------------------------------------------+
| Grants for [email protected].% |
+------------------------------------------------------------------------------------------------------------------+
| GRANT USAGE ON *.* TO 'solin'@'192.168.119.%' IDENTIFIED BY PASSWORD '*128977E278358FF80A246B5046F51043A2B1FCED' |
| GRANT SELECT, INSERT, UPDATE, DELETE ON `test`.* TO 'solin'@'192.168.119.%' |
+------------------------------------------------------------------------------------------------------------------+
2 rows in set (0.00 sec)
mysql> \q
Bye
(1)生产环境针对主库(写为主读为辅)用户的授权
普通环境:
本机:LNMP、LAMP环境数据库授权
GRANT all privileges ON ‘test.*’ TO ‘solin’@’localhost’ identified by ‘centos’;
应用服务器和数据库服务器不在一个主机上的授权
GRANT all privileges ON ‘test.*’ TO ‘solin’@’192.168.119.%’ identified by ’centos’;
严格的授权:重视安全,忽略了方便:
GRANT SELECT,INSERT,UPDATE,DELETE ON ‘test.*’ to ‘solin’@’192.168.119.%’ identified by ‘centos’;
(2)生产环境从库(只读)用户的授权:
CRANT SELECT ON ‘test.*’ TO ‘solin’@’192.168.119.%’ identified by ‘centos’;
(3)主从高级授权策略
第一种使用简单方法
写库 |
|||
solin |
Ysolin456 |
3306 |
192.168.119.224 |
读库 |
|||
solin |
Ysolin456 |
3306 |
192.168.119.225 |
第二种配置方法
写库 |
|||
solin_w |
Ysolin456 |
3306 |
192.168.119.224 |
读库 |
|||
solin_r |
Ysolin789 |
3306 |
192.168.119.225 |
主库授权的命令
GRANT SELECT,INSERT,UPDATE,DELETE ON ‘test.*’@’192.168.119.%’ identified by ‘centos’;
从库授权的命令
GRANT SELECT ON ‘test.*’ TO ‘solin’@’192.168.119.%’ identified by ‘centos’;
当从库除了做select的授权外,还可以加read-only等只读参数,严格web用户写从库
(4)问题:
就是主从库的mysql库和表示同步的,无法针对同一个用户授权不同的权限,因为主从库授权后会自动同步到从库上,导致从库的授权只读失败
解决办法:
a.取消mysql库的同步
b.授权主库权限后,从库执行回收增删改权限
c.不在授权上控制增删改,而是用read-only参数,控制普通用户更新,注意,read-only参数对超级用户无效。