(1) What privileges does MySQL have
The list of MySQL privileges can be viewed with show privileges. The main privilege information is as follows:
Here we group the privileges into 3 classes by scope:
1. MySQL service management privileges: used to manage operations on the MySQL server. These privileges are global; their grant scope cannot be a specific database or object. They can only be granted with *.*, not with db.* or db.tb;
2. Database-level privileges: the grant scope can be all databases, or all objects under a single database. Use *.* to grant on all databases, or db.* to grant on a single database;
3. Object-level privileges: the grant scope can be all databases, all objects under a single database, or a specific object. Use *.* to grant on all databases, db.* to grant on a single database, or db.tb to grant on a single object.
(2) MySQL privilege management tables
The mysql database contains 6 privilege-related tables, each recording MySQL user privilege information from a different dimension:
user: user accounts, global privileges and other non-privilege columns
db: database-level privileges
tables_priv: table-level privileges
column_priv: column-level privileges
procs_priv: stored procedure and function privileges
proxies_priv: proxy user privileges
With this many privilege tables, where is each piece of privilege information stored? Testing shows:
--when the grant target is *.*, it is stored in the user table;
--when the grant target is db.*, it is stored in the db table;
--when the grant target is db.tb, it is stored in the tables_priv table;
--when the grant target is a specific column of a table, it is stored in the column_priv table
Let us verify the conclusions above:
Test 1. When user1 is granted a privilege on *.*, the privilege information is stored in the user table and the other privilege tables store nothing for it.
create user user1 identified by '123456';
grant update on *.* to user1;

mysql> select * from mysql.user a where a.user = 'user1' \G
*************************** 1. row ***************************
       Host: %
       User: user1
Select_priv: N
Insert_priv: N
Update_priv: Y
Delete_priv: N
Create_priv: N

mysql> select * from mysql.db a where a.user = 'user1';
Empty set (0.00 sec)

mysql> select * from mysql.tables_priv a where a.user = 'user1';
Empty set (0.00 sec)

mysql> select * from mysql.columns_priv a where a.user = 'user1';
Empty set (0.00 sec)
Test 2. When user1 is granted a privilege on a single database, the privilege information is stored in the db table and the other privilege tables store nothing for it.
grant insert on lijiamandb.* to user1;

mysql> select * from mysql.user a where a.user = 'user1' \G
*************************** 1. row ***************************
       Host: %
       User: user1
Select_priv: N
Insert_priv: N
Update_priv: Y   // this privilege was granted in the previous step; ignore it
Delete_priv: N

mysql> select * from mysql.db a where a.user = 'user1' \G
*************************** 1. row ***************************
        Host: %
          Db: lijiamandb
        User: user1
 Select_priv: N
 Insert_priv: Y
 ...
Trigger_priv: N
1 row in set (0.00 sec)

mysql> select * from mysql.tables_priv a where a.user = 'user1';
Empty set (0.00 sec)

mysql> select * from mysql.columns_priv a where a.user = 'user1';
Empty set (0.00 sec)
Test 3. When user1 is granted a privilege on a single table, the privilege information is stored in the tables_priv table and the other privilege tables store nothing for it.
grant delete on lijiamandb.t1 to user1;

mysql> select * from mysql.user a where a.user = 'user1' \G
*************************** 1. row ***************************
       Host: %
       User: user1
Select_priv: N
Insert_priv: N
Update_priv: Y
Delete_priv: N
Create_priv: N

mysql> select * from mysql.db a where a.user = 'user1' \G
*************************** 1. row ***************************
       Host: %
         Db: lijiamandb
       User: user1
Select_priv: N
Insert_priv: Y
Update_priv: N
Delete_priv: N
Create_priv: N

mysql> select * from mysql.tables_priv a where a.user = 'user1';
+------+------------+-------+------------+----------------+---------------------+------------+-------------+
| Host | Db         | User  | Table_name | Grantor        | Timestamp           | Table_priv | Column_priv |
+------+------------+-------+------------+----------------+---------------------+------------+-------------+
| %    | lijiamandb | user1 | t1         | root@localhost | 0000-00-00 00:00:00 | Delete     |             |
+------+------------+-------+------------+----------------+---------------------+------------+-------------+
1 row in set (0.00 sec)

mysql> select * from mysql.columns_priv a where a.user = 'user1';
Empty set (0.00 sec)
Test 4. When user1 is granted a privilege on a single column, the privilege information is stored in the columns_priv table and the other privilege tables store nothing new for it.
grant select(name) on lijiamandb.t1 to user1;

mysql> select * from mysql.user a where a.user = 'user1' \G
*************************** 1. row ***************************
       Host: %
       User: user1
Select_priv: N
Insert_priv: N
Update_priv: Y
Delete_priv: N
Create_priv: N

mysql> select * from mysql.db a where a.user = 'user1' \G
*************************** 1. row ***************************
       Host: %
         Db: lijiamandb
       User: user1
Select_priv: N
Insert_priv: Y
Update_priv: N
Delete_priv: N
Create_priv: N

mysql> select * from mysql.tables_priv a where a.user = 'user1';
+------+------------+-------+------------+----------------+---------------------+------------+-------------+
| Host | Db         | User  | Table_name | Grantor        | Timestamp           | Table_priv | Column_priv |
+------+------------+-------+------------+----------------+---------------------+------------+-------------+
| %    | lijiamandb | user1 | t1         | root@localhost | 0000-00-00 00:00:00 | Delete     | Select      |
+------+------------+-------+------------+----------------+---------------------+------------+-------------+
1 row in set (0.00 sec)

mysql> select * from mysql.columns_priv a where a.user = 'user1';
+------+------------+-------+------------+-------------+---------------------+-------------+
| Host | Db         | User  | Table_name | Column_name | Timestamp           | Column_priv |
+------+------------+-------+------------+-------------+---------------------+-------------+
| %    | lijiamandb | user1 | t1         | name        | 0000-00-00 00:00:00 | Select      |
+------+------------+-------+------------+-------------+---------------------+-------------+
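Because each scope lands in a different table, reviewing what an account can really do means reading all four tables, not just mysql.user. The query below is an added example (not from the original post) that reports one account's privileges at every scope in a single result; it assumes the `user1`@`%` account from the four tests and an executing account that can read the mysql schema.

```sql
-- Added example: one row per privilege scope for a single account.
-- Assumes `user1`@`%` from the tests above exists.
SET @u = 'user1', @h = '%';

SELECT 'global' AS scope, '*.*' AS target,
       -- mysql.user stores static privileges as Y/N flag columns;
       -- report only the flags set to Y (the five shown in the tests)
       CONCAT_WS(',',
         IF(Select_priv = 'Y', 'SELECT', NULL),
         IF(Insert_priv = 'Y', 'INSERT', NULL),
         IF(Update_priv = 'Y', 'UPDATE', NULL),
         IF(Delete_priv = 'Y', 'DELETE', NULL),
         IF(Create_priv = 'Y', 'CREATE', NULL)) AS privs
FROM mysql.user
WHERE User = @u AND Host = @h
UNION ALL
SELECT 'database', Db,
       -- mysql.db uses the same Y/N layout, one row per database
       CONCAT_WS(',',
         IF(Select_priv = 'Y', 'SELECT', NULL),
         IF(Insert_priv = 'Y', 'INSERT', NULL),
         IF(Update_priv = 'Y', 'UPDATE', NULL),
         IF(Delete_priv = 'Y', 'DELETE', NULL),
         IF(Create_priv = 'Y', 'CREATE', NULL))
FROM mysql.db
WHERE User = @u AND Host = @h
UNION ALL
SELECT 'table', CONCAT(Db, '.', Table_name),
       -- Table_priv is a SET column and renders as a comma-separated list
       CAST(Table_priv AS CHAR)
FROM mysql.tables_priv
WHERE User = @u AND Host = @h
UNION ALL
SELECT 'column', CONCAT(Db, '.', Table_name, '.', Column_name),
       CAST(Column_priv AS CHAR)
FROM mysql.columns_priv
WHERE User = @u AND Host = @h;
```

Run it after the four tests and each grant appears on its own row under the scope table that recorded it, which is also the scope a later REVOKE must name.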
(3) Creating, granting, viewing and dropping accounts
(3.1) Creating an account
Use the create user statement to create an account. The SQL syntax is:
CREATE USER `<user_name>`@`<host>` IDENTIFIED BY '';
Examples of creating accounts:
--create a user user1 that can only access MySQL locally, with password 123456
CREATE USER `user1`@`localhost` IDENTIFIED BY '123456';
--create a user user2 that accesses MySQL from the 192.168.10.* network segment
CREATE USER `user2`@`192.168.10.*` IDENTIFIED BY '123456';
--create a user user3 that can access MySQL from anywhere
CREATE USER `user3`@`%` IDENTIFIED BY '123456';
Note: mind the difference between an account and a user here. An account is the combination of a user and a login host, written as `<user_name>`@`<host>`; the user alone is `<user_name>`.
(3.2) Dropping an account
Use the drop user statement to drop an account. The SQL syntax is:
DROP USER `<user_name>`@`<host>`;
An example of dropping an account:
DROP USER `user1`@`localhost`;
(3.3) Viewing accounts and their privilege information
To see which accounts exist in MySQL, query the mysql.user table directly:
mysql> select user,host from mysql.user;
+------------------+--------------+
| user             | host         |
+------------------+--------------+
| lijiaman         | %            |
| root             | %            |
| user2            | %            |
| user2            | 192.168.10.* |
| mysql.infoschema | localhost    |
| mysql.session    | localhost    |
| mysql.sys        | localhost    |
+------------------+--------------+
To view the privileges of a given account, use the SHOW GRANTS command. The syntax is:
SHOW GRANTS FOR `user`@`host`;
For example, to view the privileges of user lijiaman:
mysql> SHOW GRANTS FOR `lijiaman`@`%` \G
*************************** 1. row ***************************
Grants for lijiaman@%: GRANT SELECT, INSERT, UPDATE, DELETE, CREATE, DROP, RELOAD, SHUTDOWN, PROCESS, FILE, REFERENCES, INDEX, ALTER, SHOW DATABASES, SUPER, CREATE TEMPORARY TABLES, LOCK TABLES, EXECUTE, REPLICATION SLAVE, REPLICATION CLIENT, CREATE VIEW, SHOW VIEW, CREATE ROUTINE, ALTER ROUTINE, CREATE USER, EVENT, TRIGGER, CREATE TABLESPACE, CREATE ROLE, DROP ROLE ON *.* TO `lijiaman`@`%`
*************************** 2. row ***************************
Grants for lijiaman@%: GRANT APPLICATION_PASSWORD_ADMIN,AUDIT_ADMIN,BACKUP_ADMIN,BINLOG_ADMIN,BINLOG_ENCRYPTION_ADMIN,CLONE_ADMIN,CONNECTION_ADMIN,ENCRYPTION_KEY_ADMIN,GROUP_REPLICATION_ADMIN,INNODB_REDO_LOG_ARCHIVE,INNODB_REDO_LOG_ENABLE,PERSIST_RO_VARIABLES_ADMIN,REPLICATION_APPLIER,REPLICATION_SLAVE_ADMIN,RESOURCE_GROUP_ADMIN,RESOURCE_GROUP_USER,ROLE_ADMIN,SERVICE_CONNECTION_ADMIN,SESSION_VARIABLES_ADMIN,SET_USER_ID,SHOW_ROUTINE,SYSTEM_USER,SYSTEM_VARIABLES_ADMIN,TABLE_ENCRYPTION_ADMIN,XA_RECOVER_ADMIN ON *.* TO `lijiaman`@`%`
2 rows in set (0.00 sec)
(3.4) Granting and revoking account privileges
To grant a privilege to an account, use the GRANT statement. The syntax is:
GRANT <privilege> ON <db>.<table> TO <user>@<host>;
For example, to grant user2 the select privilege on all databases:
mysql> GRANT select ON *.* TO `user2`@`%`;
To revoke a privilege from an account, use the REVOKE statement. The syntax is:
REVOKE <privilege> ON <db>.<table> FROM <user>@<host>;
For example, to revoke user2's select privilege on the lijiamandb database:
REVOKE select ON lijiamandb.* FROM `user2`@`%`;
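A REVOKE only removes a privilege at the scope where section (2) showed it being stored, so it pays to check that scope first. The following is an added example (not from the original post) that assumes `user2`@`%` holds SELECT ON *.* as granted just above, MySQL 8.0, and the default partial_revokes = OFF.

```sql
-- Added example: locate the scope of a grant before revoking it.
-- Assumes `user2`@`%` was granted SELECT ON *.* as in section (3.4).

-- 1. A *.* grant is a Y flag in mysql.user and leaves no row in mysql.db.
SELECT Select_priv FROM mysql.user WHERE User = 'user2' AND Host = '%';
SELECT Db, Select_priv FROM mysql.db WHERE User = 'user2' AND Host = '%';

-- 2. A database-scoped revoke does not match a global grant. With
--    partial_revokes = OFF, "REVOKE SELECT ON lijiamandb.* FROM `user2`@`%`"
--    is answered with "there is no such grant defined" and the global SELECT
--    stays in place (with partial_revokes = ON it would instead record a
--    restriction for lijiamandb). Revoke at the global scope, then re-grant
--    only the database that is actually needed.
REVOKE SELECT ON *.* FROM `user2`@`%`;
GRANT SELECT ON lijiamandb.* TO `user2`@`%`;

-- 3. Confirm the outcome from the account's point of view: the grant should
--    now read ON `lijiamandb`.* rather than ON *.*.
SHOW GRANTS FOR `user2`@`%`;

-- 4. Review check: accounts reachable from any host that still hold one of
--    these global flags in mysql.user (the *.* scope from section (2)).
SELECT User, Host
FROM mysql.user
WHERE Host = '%'
  AND 'Y' IN (Select_priv, Insert_priv, Update_priv, Delete_priv,
              Create_priv, Drop_priv, Grant_priv, Super_priv, File_priv);
```

GRANT and REVOKE update the grant tables and the in-memory privilege cache together; FLUSH PRIVILEGES is only required after editing the mysql.* tables directly.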
[End]