MySQL的账户设置

使用 docker 安装 MySQL 并快速启动,现在我们进入docker容器。

➜  ~ docker exec -it mysql8 /bin/bash
root@dedd71769326:/#

MySQL数据库连接

MySQL命令语法

用户名是你登录的用户,主机名或者IP地址为可选项,如果是本地连接则不需要设置,远程连接服务端则需要填写,密码是对应用户的密码。

mysql –u用户名 [–h主机名或者IP地址,-P端口号] –p密码
  • -u:登录的用户名。
  • -h:远程主机名或IP地址,不填写则默认本地地址。
  • -PMySQL端口号,默认为3306。
  • -p:该登录用户对应的登录密码。
root@dedd71769326:/# mysql -u root -p
Enter password:
Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 9
Server version: 8.0.21 MySQL Community Server - GPL

Copyright (c) 2000, 2020, Oracle and/or its affiliates. All rights reserved.

Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

MySQL账户查看

由于 root 权限很高,所以一般项目上会分配不同的账户和权限供程序员操作。

查看已有账户

mysql> select user from mysql.user;
+------------------+
| user             |
+------------------+
| root             |
| mysql.infoschema |
| mysql.session    |
| mysql.sys        |
| root             |
+------------------+
5 rows in set (0.03 sec)

为什么有两条 root 信息?我们来详细看一下。

mysql> select user, host from mysql.user;
+------------------+-----------+
| user             | host      |
+------------------+-----------+
| root             | %         |
| mysql.infoschema | localhost |
| mysql.session    | localhost |
| mysql.sys        | localhost |
| root             | localhost |
+------------------+-----------+
5 rows in set (0.00 sec)

这里host字段代表允许任意ip地址登录MySQL。目前root账户允许远程和本地登录。

查看当前账户

mysql> select current_user;
+----------------+
| current_user   |
+----------------+
| root@localhost |
+----------------+
1 row in set (0.00 sec)

如果我们使用外部电脑连接

mysql> select current_user;
+----------------+
| current_user   |
+----------------+
| root@% |
+----------------+
1 row in set (0.00 sec)

则表示当前登陆root账户允许远程和本地登录。

MySQL账户创建

MySQL命令语法

CREATE USER [IF NOT EXISTS]
    user [auth_option] [, user [auth_option]] ...
    DEFAULT ROLE role [, role ] ...
    [REQUIRE {NONE | tls_option [[AND] tls_option] ...}]
    [WITH resource_option [resource_option] ...]
    [password_option | lock_option] ...

user:
    (see Section 6.2.4, “Specifying Account Names”)

auth_option: {
    IDENTIFIED BY 'auth_string'
  | IDENTIFIED WITH auth_plugin
  | IDENTIFIED WITH auth_plugin BY 'auth_string'
  | IDENTIFIED WITH auth_plugin AS 'hash_string'
}

tls_option: {
   SSL
 | X509
 | CIPHER 'cipher'
 | ISSUER 'issuer'
 | SUBJECT 'subject'
}

resource_option: {
    MAX_QUERIES_PER_HOUR count
  | MAX_UPDATES_PER_HOUR count
  | MAX_CONNECTIONS_PER_HOUR count
  | MAX_USER_CONNECTIONS count
}

password_option: {
    PASSWORD EXPIRE [DEFAULT | NEVER | INTERVAL N DAY]
  | PASSWORD HISTORY {DEFAULT | N}
  | PASSWORD REUSE INTERVAL {DEFAULT | N DAY}
  | PASSWORD REQUIRE CURRENT [DEFAULT | OPTIONAL]
}

lock_option: {
    ACCOUNT LOCK
  | ACCOUNT UNLOCK
}
  • user :账户名称,语法是 'user_name'@'host_name' ,其中主机地址可以写为 %表示接受任何地址的连接。

  • auth_option :身份验证方式,可以指定密码以及认证插件(mysql_native_password、sha256_password、caching_sha2_password)

  • tls_option: 加密连接选项。

  • resource_option: 用户资源限制,比如每小时最大连接数。

  • password_option: 密码额外的控制,比如设定失效时间。

  • lock_option: 账户锁定选项,由管理员上锁或者解锁 (ACCOUNT LOCK | ACCOUNT UNLOCK)

最简单的就是指定账户名+密码

CREATE USER 'tian'@'localhost' IDENTIFIED BY 'password';

加上认证插件

CREATE USER 'tian'@'localhost' IDENTIFIED WITH sha256_password BY 'password';

指定密码过期,以便用户第一次使用的时候需要修改密码

CREATE USER 'tian'@'localhost' IDENTIFIED BY 'new_password' PASSWORD EXPIRE;

也可以指定每隔一段时间修改一次新密码

CREATE USER 'tian'@'localhost' IDENTIFIED BY 'new_password' PASSWORD EXPIRE INTERVAL 180 DAY;

可以指定加密连接

-- 不使用加密连接
CREATE USER 'tian'@'localhost' REQUIRE NONE;
-- 使用加密连接
CREATE USER 'tian'@'localhost' REQUIRE SSL;
-- 使用加密连接,并要求客户端提供有效证书
CREATE USER 'tian'@'localhost' REQUIRE X509;

CREATE USER 'tian'@'localhost' REQUIRE ISSUER 'CA颁发的有效X.509证书';

CREATE USER 'tian'@'localhost' REQUIRE SUBJECT '包含主题的有效X.509证书';

CREATE USER 'tian'@'localhost' REQUIRE CIPHER '指定的加密方法';

可以指定资源控制

-- 单位小时内,账户被允许查询500次,更新100次,单位小时内最大连接数不限制。最大并发连接数不限制
CREATE USER 'tian'@'localhost' WITH MAX_QUERIES_PER_HOUR 500 MAX_UPDATES_PER_HOUR 100 MAX_CONNECTIONS_PER_HOUR 0 MAX_USER_CONNECTIONS 0;

可以锁定账户

-- 锁定
CREATE USER 'tian'@'localhost' ACCOUNT LOCK
-- 解锁
ALTER USER 'tian'@'localhost' ACCOUNT UNLOCK

最后完整的命令选项大概这个样子

CREATE USER 'user_name'@'host_name' IDENTIFIED [WITH auth_plugin] BY 'auth_string' [REQUIRE NONE(SSL,X509)] [WITH MAX_QUERIES_PER_HOUR count | MAX_UPDATES_PER_HOUR count | MAX_CONNECTIONS_PER_HOUR count | MAX_USER_CONNECTIONS count] [PASSWORD EXPIRE] [ACCOUNT LOCK]

如果你要删除账户

DROP USER 'tian'@'localhost';

如果你要修改名称

RENAME USER 'tian'@'localhost' TO 'tina'@'127.0.0.1';

MySQL角色创建

MySQL8里新加入了对于角色的管理,下面就简单的说一下如何使用:
角色可以理解为一组权限的集合,然后将角色赋给某个帐户,该帐户就拥有了角色对应的权限,每个帐户可以拥有多个角色,就像游戏里,你可以有很多称号一样。

-- 名字规范
'role_name'@'host_name'
-- 通常仅使用用户名部分指定角色名称,并隐式使用主机名部分 '%',主机名部分没有任何意义
'admin'

创建角色

-- 省略主机名,默认为 '%'
CREATE ROLE 'admin', 'dev';
-- 这种也可以,但是没意义
CREATE ROLE 'app'@'localhost';

移除角色

DROP ROLE 'admin', 'dev';

MySQL账户更新

MySQL命令语法

ALTER USER [IF EXISTS]
    user [auth_option] [, user [auth_option]] ...
    [REQUIRE {NONE | tls_option [[AND] tls_option] ...}]
    [WITH resource_option [resource_option] ...]
    [password_option | lock_option] ...

ALTER USER [IF EXISTS] USER() user_func_auth_option

ALTER USER [IF EXISTS]
    user DEFAULT ROLE
    {NONE | ALL | role [, role ] ...}

user:
    (see Section 6.2.4, “Specifying Account Names”)

auth_option: {
    IDENTIFIED BY 'auth_string'
        [REPLACE 'current_auth_string']
        [RETAIN CURRENT PASSWORD]
  | IDENTIFIED WITH auth_plugin
  | IDENTIFIED WITH auth_plugin BY 'auth_string'
        [REPLACE 'current_auth_string']
        [RETAIN CURRENT PASSWORD]
  | IDENTIFIED WITH auth_plugin AS 'auth_string'
  | DISCARD OLD PASSWORD
}

user_func_auth_option: {
    IDENTIFIED BY 'auth_string'
        [REPLACE 'current_auth_string']
        [RETAIN CURRENT PASSWORD]
  | DISCARD OLD PASSWORD
}

tls_option: {
   SSL
 | X509
 | CIPHER 'cipher'
 | ISSUER 'issuer'
 | SUBJECT 'subject'
}

resource_option: {
    MAX_QUERIES_PER_HOUR count
  | MAX_UPDATES_PER_HOUR count
  | MAX_CONNECTIONS_PER_HOUR count
  | MAX_USER_CONNECTIONS count
}

password_option: {
    PASSWORD EXPIRE [DEFAULT | NEVER | INTERVAL N DAY]
  | PASSWORD HISTORY {DEFAULT | N}
  | PASSWORD REUSE INTERVAL {DEFAULT | N DAY}
  | PASSWORD REQUIRE CURRENT [DEFAULT | OPTIONAL]
}

lock_option: {
    ACCOUNT LOCK
  | ACCOUNT UNLOCK
}

参数选项参考创建账户。

修改自己当前的密码

ALTER USER USER() IDENTIFIED BY 'new_password';

修改账户密码

ALTER USER 'tian'@'localhost' IDENTIFIED BY 'new_password';

修改认证插件

ALTER USER 'tian'@'localhost' IDENTIFIED WITH mysql_native_password;

修改密码和插件

ALTER USER 'tian'@'localhost' IDENTIFIED WITH mysql_native_password BY 'new_password';

修改角色

-- 授予自定义角色
ALTER USER 'tian'@'localhost' DEFAULT ROLE your_role_name;
-- 无角色
ALTER USER 'tian'@'localhost' DEFAULT ROLE NONE;
-- 所有角色
ALTER USER 'tian'@'localhost' DEFAULT ROLE ALL;

修改加密方式

-- 只有账户密码正确,无须加密连接
ALTER USER 'tian'@'localhost' REQUIRE NONE;
-- 需要加密连接
ALTER USER 'tian'@'localhost' REQUIRE SSL;
...

修改资源访问

-- 单位小时内,最大查询数量和更新数量
ALTER USER 'tian'@'localhost' WITH MAX_QUERIES_PER_HOUR 500 MAX_UPDATES_PER_HOUR 100;

指定密码过期

ALTER USER 'tian'@'localhost' PASSWORD EXPIRE;

修改锁定解锁

ALTER USER 'tian'@'localhost' ACCOUNT LOCK;
ALTER USER 'tian'@'localhost' ACCOUNT UNLOCK;

MySQL账户授权

MySQL命令语法

GRANT
    priv_type [(column_list)]
      [, priv_type [(column_list)]] ...
    ON [object_type] priv_level
    TO user_or_role [, user_or_role] ...
    [WITH GRANT OPTION]
    [AS user
        [WITH ROLE
            DEFAULT
          | NONE
          | ALL
          | ALL EXCEPT role [, role ] ...
          | role [, role ] ...
        ]
    ]
}

GRANT PROXY ON user_or_role
    TO user_or_role [, user_or_role] ...
    [WITH GRANT OPTION]

GRANT role [, role] ...
    TO user_or_role [, user_or_role] ...
    [WITH ADMIN OPTION]

object_type: {
    TABLE
  | FUNCTION
  | PROCEDURE
}

priv_level: {
    *
  | *.*
  | db_name.*
  | db_name.tbl_name
  | tbl_name
  | db_name.routine_name
}

user_or_role: {
    user
  | role
}

user:
    (see Section 6.2.4, “Specifying Account Names”)

role:
    (see Section 6.2.5, “Specifying Role Names”)

GRANT语法使得管理员能够授予账户权限或者角色,但是GRANT不能再一个语句中同时授予权限和角色。

  • 有ON,是授予权限
  • 无ON,是授予角色
-- 授予数据库db1的所有权限给指定账户
GRANT ALL ON db1.* TO 'tian'@'localhost';
-- 授予角色给指定的账户
GRANT 'role1', 'role2' TO 'user1'@'localhost', 'user2'@'localhost';
-- 授予数据库world的SELECT权限给指定的角色
GRANT SELECT ON world.* TO 'role3';

基本语法

GRANT [权限] ON [数据库名].[表名] TO 'user_name'@'localhost' ...;
-- 授予所有数据库的权限
GRANT [权限] ON *.* TO 'user_name'@'localhost' ...;

注:全局权限是管理或适用于给定服务器上的所有数据库。要分配全局权限,请使用 ON *.*语法

下面是权限列表

mysql> show privileges;
+----------------------------+---------------------------------------+-------------------------------------------------------+
| Privilege                  | Context                               | Comment                                               |
+----------------------------+---------------------------------------+-------------------------------------------------------+
| Alter                      | Tables                                | To alter the table                                    |
| Alter routine              | Functions,Procedures                  | To alter or drop stored functions/procedures          |
| Create                     | Databases,Tables,Indexes              | To create new databases and tables                    |
| Create routine             | Databases                             | To use CREATE FUNCTION/PROCEDURE                      |
| Create role                | Server Admin                          | To create new roles                                   |
| Create temporary tables    | Databases                             | To use CREATE TEMPORARY TABLE                         |
| Create view                | Tables                                | To create new views                                   |
| Create user                | Server Admin                          | To create new users                                   |
| Delete                     | Tables                                | To delete existing rows                               |
| Drop                       | Databases,Tables                      | To drop databases, tables, and views                  |
| Drop role                  | Server Admin                          | To drop roles                                         |
| Event                      | Server Admin                          | To create, alter, drop and execute events             |
| Execute                    | Functions,Procedures                  | To execute stored routines                            |
| File                       | File access on server                 | To read and write files on the server                 |
| Grant option               | Databases,Tables,Functions,Procedures | To give to other users those privileges you possess   |
| Index                      | Tables                                | To create or drop indexes                             |
| Insert                     | Tables                                | To insert data into tables                            |
| Lock tables                | Databases                             | To use LOCK TABLES (together with SELECT privilege)   |
| Process                    | Server Admin                          | To view the plain text of currently executing queries |
| Proxy                      | Server Admin                          | To make proxy user possible                           |
| References                 | Databases,Tables                      | To have references on tables                          |
| Reload                     | Server Admin                          | To reload or refresh tables, logs and privileges      |
| Replication client         | Server Admin                          | To ask where the slave or master servers are          |
| Replication slave          | Server Admin                          | To read binary log events from the master             |
| Select                     | Tables                                | To retrieve rows from table                           |
| Show databases             | Server Admin                          | To see all databases with SHOW DATABASES              |
| Show view                  | Tables                                | To see views with SHOW CREATE VIEW                    |
| Shutdown                   | Server Admin                          | To shut down the server                               |
| Super                      | Server Admin                          | To use KILL thread, SET GLOBAL, CHANGE MASTER, etc.   |
| Trigger                    | Tables                                | To use triggers                                       |
| Create tablespace          | Server Admin                          | To create/alter/drop tablespaces                      |
| Update                     | Tables                                | To update existing rows                               |
| Usage                      | Server Admin                          | No privileges - allow connect only                    |
| XA_RECOVER_ADMIN           | Server Admin                          |                                                       |
| SHOW_ROUTINE               | Server Admin                          |                                                       |
| RESOURCE_GROUP_USER        | Server Admin                          |                                                       |
| SET_USER_ID                | Server Admin                          |                                                       |
| SESSION_VARIABLES_ADMIN    | Server Admin                          |                                                       |
| CLONE_ADMIN                | Server Admin                          |                                                       |
| PERSIST_RO_VARIABLES_ADMIN | Server Admin                          |                                                       |
| ROLE_ADMIN                 | Server Admin                          |                                                       |
| BACKUP_ADMIN               | Server Admin                          |                                                       |
| CONNECTION_ADMIN           | Server Admin                          |                                                       |
| RESOURCE_GROUP_ADMIN       | Server Admin                          |                                                       |
| INNODB_REDO_LOG_ARCHIVE    | Server Admin                          |                                                       |
| BINLOG_ENCRYPTION_ADMIN    | Server Admin                          |                                                       |
| REPLICATION_SLAVE_ADMIN    | Server Admin                          |                                                       |
| SYSTEM_VARIABLES_ADMIN     | Server Admin                          |                                                       |
| GROUP_REPLICATION_ADMIN    | Server Admin                          |                                                       |
| SYSTEM_USER                | Server Admin                          |                                                       |
| APPLICATION_PASSWORD_ADMIN | Server Admin                          |                                                       |
| TABLE_ENCRYPTION_ADMIN     | Server Admin                          |                                                       |
| SERVICE_CONNECTION_ADMIN   | Server Admin                          |                                                       |
| AUDIT_ADMIN                | Server Admin                          |                                                       |
| BINLOG_ADMIN               | Server Admin                          |                                                       |
| ENCRYPTION_KEY_ADMIN       | Server Admin                          |                                                       |
| INNODB_REDO_LOG_ENABLE     | Server Admin                          |                                                       |
| REPLICATION_APPLIER        | Server Admin                          |                                                       |
+----------------------------+---------------------------------------+-------------------------------------------------------+
58 rows in set (0.00 sec)

权限范围示例

-- 数据库权限
GRANT ALL ON mydb.* TO 'user_name'@'host_name';
-- 表权限
GRANT ALL ON mydb.mytable TO 'user_name'@'host_name';
-- 列权限
GRANT SELECT (col1), INSERT (col1, col2) ON mydb.mytable TO 'user_name'@'host_name';

-- 存储过程权限
GRANT CREATE ROUTINE ON mydb.* TO 'user_name'@'host_name';
GRANT EXECUTE ON PROCEDURE mydb.myproc TO 'user_name'@'host_name';

授权之后可以使用flush命令使其立即生效

FLUSH PRIVILEGES

FLUSH语法

FLUSH [NO_WRITE_TO_BINLOG | LOCAL] {
    flush_option [, flush_option] ...
  | tables_option
}

flush_option: {
    BINARY LOGS
  | ENGINE LOGS
  | ERROR LOGS
  | GENERAL LOGS
  | HOSTS
  | LOGS
  | PRIVILEGES
  | OPTIMIZER_COSTS
  | RELAY LOGS [FOR CHANNEL channel]
  | SLOW LOGS
  | STATUS
  | USER_RESOURCES
}

tables_option: {
    TABLES
  | TABLES tbl_name [, tbl_name] ...
  | TABLES WITH READ LOCK
  | TABLES tbl_name [, tbl_name] ... WITH READ LOCK
  | TABLES tbl_name [, tbl_name] ... FOR EXPORT
}

FLUSH PRIVILEGES 包含以下操作

  1. 重新加载mysql系统数据库中的grant表中的权限信息,并清除caching_sha2_password身份验证插件使用的内存缓存。

  2. 服务器读取包含动态特权分配的global_grants表,并注册其中的任何未注册特权。

  3. 服务器通过GRANT、CREATE USER、CREATE SERVER和INSTALL PLUGIN语句将信息缓存到内存中。对应的REVOKE、DROP USER、DROP SERVER和UNINSTALL插件语句不会释放这些内存,因此对于执行许多导致缓存的语句实例的服务器,内存使用量将会增加。可以使用刷新特权释放此缓存内存。

FLUSH TABLES 包含以下操作

关闭所有打开的表,强制关闭所有正在使用的表,并刷新准备好的语句缓存。

REVOKE语法

既然可以授权,那么就可以撤销

REVOKE
    priv_type [(column_list)]
      [, priv_type [(column_list)]] ...
    ON [object_type] priv_level
    FROM user_or_role [, user_or_role] ...

REVOKE ALL [PRIVILEGES], GRANT OPTION
    FROM user_or_role [, user_or_role] ...

REVOKE PROXY ON user_or_role
    FROM user_or_role [, user_or_role] ...

REVOKE role [, role ] ...
    FROM user_or_role [, user_or_role ] ...

user_or_role: {
    user
  | role
}

user:
    (see Section 6.2.4, “Specifying Account Names”)

role:
    (see Section 6.2.5, “Specifying Role Names”.

REVOKE可以实现权限或者角色的撤销(前提:拥有GRANT权限和REVOKE权限)

-- 撤销用户的INSERT权限
REVOKE INSERT ON *.* FROM 'tian'@'localhost';
-- 撤销用户的指定角色
REVOKE 'role1', 'role2' FROM 'user1'@'localhost', 'user2'@'localhost';
-- 撤销角色的INSERT权限
REVOKE SELECT ON world.* FROM 'role3';

撤销所有权限(只能撤销权限,不能撤销角色)

-- 从账户或者角色上撤销所有权限
REVOKE ALL PRIVILEGES, GRANT OPTION FROM user_or_role [, user_or_role] ...
-- 撤销账户
REVOKE ALL PRIVILEGES, GRANT OPTION FROM 'tian'@'localhost'
-- 撤销角色
REVOKE ALL PRIVILEGES, GRANT OPTION FROM 'role3'

在全局上撤销权限(.

-- 全局上撤销所有权限
REVOKE ALL ON *.* FROM 'tian'@'localhost';

你可能感兴趣的:(MySQL的账户设置)