MySQL is a multi-user database: each account can be given its own set of privileges, from the root superuser down to ordinary users.
MySQL decides what an account may do by consulting its grant tables, which live in the mysql system database; the one most often inspected is the user table.
mysql> select user, host from user;
+---------------+--------------+
| user | host |
+---------------+--------------+
| mysql.session | localhost |
| mysql.sys | localhost |
| root | localhost |
| root2 | 192.168.1.% |
| root3 | % |
| root4 | sla01 |
+---------------+--------------+
An account is identified as 'username'@'host', where host is an access-control pattern restricting where the user may connect from. Reading the query output at the top of the page: root@localhost can only log in locally, root2@192.168.1.% from any address in 192.168.1.0/24, root3@% from any host, and root4@sla01 only from the machine whose host name is sla01.
/etc/hostname
Check this file on the candidate machines to see which server sla01 is. Matching a client against a host name (rather than an IP pattern) relies on the server resolving the client's address, so such entries never match when skip_name_resolve is enabled.

Category | Privilege | Description |
---|---|---|
Admin | create user | create new accounts |
Admin | grant option | pass the privileges you hold on to other users |
Admin | super | server administration (KILL any thread, SET GLOBAL, CHANGE MASTER, ...) |
DDL | create | create databases and tables |
DDL | alter | change table structure |
DDL | drop | drop databases and tables |
DDL | index | create and drop indexes |
DML | select | read rows from tables |
DML | insert | insert rows into tables |
DML | update | update rows in tables |
DML | delete | delete rows from tables |
DML | execute | execute stored procedures and functions |
mysql> show privileges;
+-------------------------+---------------------------------------+-------------------------------------------------------+
| Privilege | Context | Comment |
+-------------------------+---------------------------------------+-------------------------------------------------------+
| Alter | Tables | To alter the table |
| Alter routine | Functions,Procedures | To alter or drop stored functions/procedures |
| Create | Databases,Tables,Indexes | To create new databases and tables |
| Create routine | Databases | To use CREATE FUNCTION/PROCEDURE |
| Create temporary tables | Databases | To use CREATE TEMPORARY TABLE |
| Create view | Tables | To create new views |
| Create user | Server Admin | To create new users |
| Delete | Tables | To delete existing rows |
| Drop | Databases,Tables | To drop databases, tables, and views |
| Event | Server Admin | To create, alter, drop and execute events |
| Execute | Functions,Procedures | To execute stored routines |
| File | File access on server | To read and write files on the server |
| Grant option | Databases,Tables,Functions,Procedures | To give to other users those privileges you possess |
| Index | Tables | To create or drop indexes |
| Insert | Tables | To insert data into tables |
| Lock tables | Databases | To use LOCK TABLES (together with SELECT privilege) |
| Process | Server Admin | To view the plain text of currently executing queries |
| Proxy | Server Admin | To make proxy user possible |
| References | Databases,Tables | To have references on tables |
| Reload | Server Admin | To reload or refresh tables, logs and privileges |
| Replication client | Server Admin | To ask where the slave or master servers are |
| Replication slave | Server Admin | To read binary log events from the master |
| Select | Tables | To retrieve rows from table |
| Show databases | Server Admin | To see all databases with SHOW DATABASES |
| Show view | Tables | To see views with SHOW CREATE VIEW |
| Shutdown | Server Admin | To shut down the server |
| Super | Server Admin | To use KILL thread, SET GLOBAL, CHANGE MASTER, etc. |
| Trigger | Tables | To use triggers |
| Create tablespace | Server Admin | To create/alter/drop tablespaces |
| Update | Tables | To update existing rows |
| Usage | Server Admin | No privileges - allow connect only |
+-------------------------+---------------------------------------+-------------------------------------------------------+
Command:
create user 'username'@'host' identified by 'password';
# account that may connect only locally
mysql> create user 'testuser0022'@'localhost' identified by 'password1';
# account that may connect from any host ('%' matches every host; when a more specific row such as 'localhost' also matches a connection, that row is used instead)
mysql> create user 'testuser0022'@'%' identified by 'password2';
# account restricted to one subnet
mysql> create user 'testuser0022'@'192.168.3.%' identified by 'password3';
mysql> select user, host from user;
+---------------+-------------+
| user | host |
+---------------+-------------+
| testuser0022 | % |
| testuser0022 | 192.168.3.% |
| testuser0022 | localhost |
+---------------+-------------+
Command:
grant [insert|delete|update|select ...] on Databasename.Tablename to 'username'@'host';
grant insert,select on test.account to 'testuser0022'@'%';
grant all on *.* to 'testuser0022'@'localhost';
To give an account the corresponding privileges on every database and table:
grant all on *.* to 'pig'@'%';
ALL on *.* hands over every static privilege, including FILE, SUPER and PROCESS, which is effectively a root account; combined with a '%' host it means a leaked password gives full control of the server from any network, so reserve this pattern for administrative accounts.
The accounts granted above cannot pass privileges on to other users. To allow that, append with grant option, for example:
grant [insert,delete,update,select ...] on Databasename.Tablename to 'username'@'host' with grant option;
Command:
revoke [insert,delete,update,select ...] on Databasename.Tablename from 'username'@'ip';
Command:
show grants for 'username'@'host';
mysql> show grants for testuser0022@localhost;
+------------------------------------------------------------------------+
| Grants for testuser0022@localhost |
+------------------------------------------------------------------------+
| GRANT USAGE ON *.* TO 'testuser0022'@'localhost' |
| GRANT SELECT, INSERT ON `test`.`account` TO 'testuser0022'@'localhost' |
+------------------------------------------------------------------------+
drop user 'username'@'ip';
update mysql.user set authentication_string=password('password') where user='root' and host = 'localhost';
flush privileges;
# flush privileges is needed here only because the grant table was edited directly with UPDATE; create user, grant, revoke and alter user refresh the in-memory privilege cache themselves. Prefer alter user 'root'@'localhost' identified by 'password'; (MySQL 5.7.6+): the PASSWORD() function was removed in MySQL 8.0, and a direct UPDATE bypasses password validation, expiry and account-lock handling.
# log in as root with the new password
mysql -u root -p
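The statements above are the building blocks; the following is an added example (not from the original page) that takes one least-privilege application account through its whole lifecycle on MySQL 5.7.6 or later. The database shop, its tables orders and products, the account app_shop, the 10.0.5.% subnet and the passwords are all hypothetical.

```sql
-- Added example: lifecycle of a least-privilege application account.
-- Names (shop, orders, products, app_shop, 10.0.5.%) are hypothetical.

-- 1. Create the account restricted to the application subnet, require TLS,
--    cap its simultaneous connections and force password rotation every 90 days.
CREATE USER 'app_shop'@'10.0.5.%'
  IDENTIFIED BY 'S3cure-Example-Passw0rd!'
  REQUIRE SSL
  WITH MAX_USER_CONNECTIONS 20
  PASSWORD EXPIRE INTERVAL 90 DAY;

-- 2. Grant only the DML it needs, on the tables it needs: no GRANT OPTION,
--    nothing on *.*.
GRANT SELECT, INSERT, UPDATE ON shop.orders   TO 'app_shop'@'10.0.5.%';
GRANT SELECT                 ON shop.products TO 'app_shop'@'10.0.5.%';

-- 3. Verify: expect USAGE ON *.* plus the two object-level grants, nothing else.
SHOW GRANTS FOR 'app_shop'@'10.0.5.%';

-- 4. Take back a grant that turned out to be too broad. REVOKE must name the
--    same scope (db.table) the GRANT used.
REVOKE UPDATE ON shop.orders FROM 'app_shop'@'10.0.5.%';

-- 5. Rotate the password through ALTER USER rather than by editing mysql.user;
--    no FLUSH PRIVILEGES is needed.
ALTER USER 'app_shop'@'10.0.5.%' IDENTIFIED BY 'N3w-Example-Passw0rd!';

-- 6. Incident response: lock the account instead of dropping it, so its grants
--    survive for investigation. Locking only blocks new logins, so list and
--    KILL the sessions that are already open.
ALTER USER 'app_shop'@'10.0.5.%' ACCOUNT LOCK;
SELECT id, user, host, db, command, time
  FROM information_schema.processlist
 WHERE user = 'app_shop';
-- KILL <id>;   -- once per session id returned above

-- 7. Decommission. DROP USER removes the account's rows from all grant tables
--    (mysql.user, mysql.db, mysql.tables_priv, ...), so no manual cleanup.
DROP USER 'app_shop'@'10.0.5.%';
```

Run each step as an account holding CREATE USER and the GRANT OPTION on shop.*; step 3 is the check to repeat after every change, since it shows exactly what the server will enforce rather than what you intended to grant.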
Columns of the mysql.user table:
Column name | Description |
---|---|
Privilege columns | |
Host | host name or pattern the account may connect from; '%' matches every host (a more specific row such as localhost is used instead when it also matches) |
User | user name |
Select_priv | whether the user may read data with SELECT |
Insert_priv | whether the user may insert data with INSERT |
Update_priv | whether the user may update data with UPDATE |
Delete_priv | whether the user may delete data with DELETE |
Create_priv | whether the user may create databases and tables with CREATE |
Drop_priv | whether the user may drop databases and tables with DROP |
Reload_priv | whether the user may run the FLUSH commands that refresh MySQL's internal caches: logs, privileges, hosts, query cache and tables |
Shutdown_priv | whether the user may shut down the MySQL server; think twice before giving this to any account other than root |
Process_priv | whether the user may see other users' threads with SHOW PROCESSLIST, including the plain text of the queries they are running |
File_priv | whether the user may run SELECT ... INTO OUTFILE and LOAD DATA INFILE, i.e. read and write files on the server host with the permissions of the mysqld process; a classic escalation path, so grant it rarely |
Grant_priv | GRANT OPTION: may pass the privileges it holds on to other users |
References_priv | REFERENCES: may create foreign keys that reference tables |
Index_priv | may create and drop indexes |
Alter_priv | may alter table structure |
Show_db_priv | SHOW DATABASES lists every database, not only those the account has privileges on |
Super_priv | SUPER: KILL any thread, SET GLOBAL, CHANGE MASTER, etc. |
Create_tmp_table_priv | may use CREATE TEMPORARY TABLE |
Lock_tables_priv | may use LOCK TABLES (together with SELECT) |
Execute_priv | may execute stored routines |
Repl_slave_priv | REPLICATION SLAVE: may read binary log events from the master, i.e. every change made to every database |
Repl_client_priv | REPLICATION CLIENT: may ask where the master and slave servers are |
Create_view_priv | may create views |
Show_view_priv | may use SHOW CREATE VIEW |
Create_routine_priv | may use CREATE FUNCTION / CREATE PROCEDURE |
Alter_routine_priv | may alter or drop stored routines |
Create_user_priv | may create, drop and rename accounts |
Event_priv | may create, alter, drop and execute events |
Trigger_priv | may use triggers |
Create_tablespace_priv | may create, alter and drop tablespaces |
Security columns | |
ssl_type | TLS requirement for the account: empty (none), ANY, X509 or SPECIFIED |
ssl_cipher | cipher the client must use when ssl_type is SPECIFIED |
x509_issuer | issuer the client certificate must have (X.509) |
x509_subject | subject the client certificate must have (X.509) |
password_expired | whether the password has expired. Y: expired, the user must change it before running anything else; N: not expired |
password_last_changed | timestamp of the last password change |
password_lifetime | days after which the password expires; NULL means the server default (default_password_lifetime) applies |
plugin | authentication plugin used to verify the user's credentials at connect time (introduced in 5.5.7): a built-in password plugin such as mysql_native_password, or an external plugin that also enables proxy users |
authentication_string | plugin-specific credential data: the password hash for the built-in plugins, or for example the PAM service name for the PAM plugin (which can support several service names) |
Resource control columns | |
max_questions | queries allowed per hour; 0 means unlimited |
max_updates | updates allowed per hour; 0 means unlimited |
max_connections | new connections allowed per hour; 0 means unlimited |
max_user_connections | simultaneous connections a single account may hold; 0 means unlimited |
account_locked | Y if the account is locked (ALTER USER ... ACCOUNT LOCK); locked accounts cannot log in |
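The privilege tables and the mysql.user columns above are what a privilege review actually reads. The block below is an added example, not from the original page: audit queries over mysql.user (and the object-level grant tables mysql.db and mysql.tables_priv) that surface the configurations a reviewer looks for. It assumes MySQL 5.7 column names and an account with SELECT on mysql.*; the two mysql.* system accounts shown earlier on the page are excluded from the first query.

```sql
-- Added example: privilege audit queries against the grant tables (MySQL 5.7).

-- Accounts holding privileges that amount to root: FILE (read/write files as
-- the mysqld user), SUPER, PROCESS, GRANT OPTION, SHUTDOWN, RELOAD, CREATE USER.
SELECT user, host,
       File_priv, Super_priv, Process_priv, Grant_priv,
       Shutdown_priv, Reload_priv, Create_user_priv
  FROM mysql.user
 WHERE 'Y' IN (File_priv, Super_priv, Process_priv, Grant_priv,
               Shutdown_priv, Reload_priv, Create_user_priv)
   AND user NOT IN ('mysql.sys', 'mysql.session')
 ORDER BY user, host;

-- Accounts reachable from any host that do not require TLS: a leaked password
-- works from anywhere, and credentials and queries cross the network in clear.
SELECT user, host, ssl_type, plugin
  FROM mysql.user
 WHERE host = '%' AND ssl_type = '';

-- Accounts with no credential (empty authentication_string on a password
-- plugin; auth_socket accounts are legitimately empty), with an expired
-- password, or locked. The first two need attention now.
SELECT user, host, plugin, password_expired, password_last_changed, account_locked
  FROM mysql.user
 WHERE (authentication_string = '' AND plugin <> 'auth_socket')
    OR password_expired = 'Y'
    OR account_locked = 'Y';

-- Accounts with no resource limit at all (every limit column is 0): a
-- compromised or runaway client can exhaust the server from these.
SELECT user, host, max_questions, max_updates, max_connections, max_user_connections
  FROM mysql.user
 WHERE max_questions = 0 AND max_updates = 0
   AND max_connections = 0 AND max_user_connections = 0;

-- Global DML grants (*.*) live in mysql.user; database- and table-level grants
-- live in mysql.db and mysql.tables_priv. Union them to see everything one
-- account can touch, ordered so each account's grants appear together.
SELECT 'global' AS scope, user, host, '*' AS db, '*' AS tbl
  FROM mysql.user
 WHERE Select_priv = 'Y' OR Insert_priv = 'Y' OR Update_priv = 'Y' OR Delete_priv = 'Y'
UNION ALL
SELECT 'database', user, host, db, '*'
  FROM mysql.db
UNION ALL
SELECT 'table', user, host, db, table_name
  FROM mysql.tables_priv
 ORDER BY user, host, scope;
```

Every row returned by the first two queries should map to a named administrator or a documented exception; an application account appearing there is the finding. The last query is the one to run before a REVOKE, since a privilege granted at database level in mysql.db is not visible in mysql.tables_priv and vice versa.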