MySQL权限控制及日志管理

MySQL权限控制及日志管理

用户权限管理

创建用户

CREATE USER '用户名'@'IP地址' [ IDENTIFIED BY '密码' ]
GRANT SELECT ON *.* TO '用户名'@'IP地址' IDENTIFIED BY '密码'
--创建一个用户名为Usr1 密码为 Usr1.mysql的用户 并授权
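-- Create the account first; single-quoted strings also parse when the
-- ANSI_QUOTES SQL mode is enabled, unlike double-quoted ones.
CREATE USER 'Usr1'@'192.168.1.128' IDENTIFIED BY 'Usr1.mysql';
-- The account already exists, so GRANT does not repeat the password
-- (GRANT ... IDENTIFIED BY is deprecated in 5.7 and removed in 8.0).
-- ALL ON *.* is the widest possible scope; outside a lab, grant only the
-- privileges and schemas the account actually needs.
GRANT ALL ON *.* TO 'Usr1'@'192.168.1.128';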

--查看mysql.user表
mysql> SELECT Host,User FROM user WHERE User = 'Usr1';
+---------------+------+
| Host          | User |
+---------------+------+
| 192.168.1.128 | Usr1 |
+---------------+------+

--格式注意
用户名@IP地址 用户只能在该IP下才能访问
用户名@192.168.1.% 用户只能在该IP段下才能访问(通配符%表示任意)
用户名@%.baidu.com 用户只能从该域名下的主机访问
用户名@% 用户可以在任意IP下访问(默认IP地址为%);范围最宽,高权限账号应尽量限定到具体IP或网段

删除用户

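-- Preferred: DROP USER removes the account together with its privilege rows
-- in every grant table.
DROP USER '用户名'@'IP地址';

-- Alternative: delete the row from mysql.user directly. This leaves any
-- database-, table- or column-level privilege rows for the account behind in
-- the other grant tables, and the server keeps using its in-memory copy of
-- the grants until they are reloaded, hence the FLUSH PRIVILEGES.
DELETE FROM mysql.user WHERE user='用户名' AND host='IP地址';
FLUSH PRIVILEGES;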

--删除Usr1
DROP USER 'Usr1'@'192.168.1.128';
--查看表
mysql> SELECT Host,User FROM user ;
+-----------+---------------+
| Host      | User          |
+-----------+---------------+
| %         | root          |
| localhost | mysql.session |
| localhost | mysql.sys     |
| localhost | rkun18        |
| localhost | root          |
+-----------+---------------+


修改用户

RENAME USER '旧用户名'@'IP地址' TO '新用户名'@'IP地址' ;

--修改rkun18用户让其在192.168.1.网段都可以登录mysql
mysql> RENAME USER 'rkun18'@'localhost' TO 'rkun18'@'192.168.1.%';

mysql> SELECT Host,User FROM user ;
+-------------+---------------+
| Host        | User          |
+-------------+---------------+
| %           | root          |
| 192.168.1.% | rkun18        |
| localhost   | mysql.session |
| localhost   | mysql.sys     |
| localhost   | root          |
+-------------+---------------+


修改密码

--修改完密码后刷新权限(用 UPDATE 等语句直接改授权表时必须执行;ALTER USER、SET PASSWORD、GRANT 修改后会立即生效)
FLUSH PRIVILEGES;

--多种方法(mysqladmin 的 -p 后直接跟密码会留在 shell 历史中,也可能被本机其他用户看到;只写 -p 则改为交互输入)
mysqladmin -uroot -p旧密码 password 'new_password' 

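-- Change the password of a named account (ALTER USER is the preferred
-- statement on MySQL 5.7.6 and later).
ALTER USER 'root'@'localhost' IDENTIFIED BY 'new_password';

-- Change the password of the account used by the current session.
-- The PASSWORD() wrapper is deprecated in 5.7 and removed in 8.0, so the
-- plain string form is used; the quotes must be straight ASCII quotes or the
-- statement does not parse.
SET PASSWORD = 'new_password';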


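-- As root: change another account's password.
ALTER USER '其他用户名'@'localhost' IDENTIFIED BY '密码';

-- Legacy form: setting a password through GRANT. It works on 5.7 but is
-- deprecated there and removed in 8.0; it also adds the SELECT privilege on
-- every schema as a side effect, so prefer ALTER USER above.
GRANT SELECT ON *.* TO '用户名'@'ip地址' IDENTIFIED BY '密码';

-- As an ordinary user: change your own password. The PASSWORD() wrapper is
-- deprecated in 5.7 and removed in 8.0, so the plain string form is used.
SET PASSWORD = 'new_password';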

找回root密码

  • 修改mysql配置文件[mysqld]加上skip-grant-tables(此期间任何能连上服务器的人都可以免密并以全部权限登录,建议同时加上 skip-networking 禁止远程连接)
#设置免密登录
[root@mysql ~]# vim /etc/my.cnf
[root@mysql ~]# cat /etc/my.cnf | grep skip
skip-grant-tables


  • 重启mysql
#终端输入mysql直接登录mysql数据库
[root@mysql ~]# systemctl restart mysqld
[root@mysql ~]# mysql

--切换系统库mysql
mysql> use mysql;

--设置密码
update user set authentication_string=password('密码') where user='root';

--之后注释掉免密登录 重启mysql 然后使用你设置的密码登录

密码复杂度

  • mysql默认启用密码复杂度设置,插件名:validate_password
mysql> INSTALL PLUGIN validate_password SONAME 'validate_password.so';



#修改配置文件
vim /etc/my.cnf

[mysqld]
plugin-load=validate_password.so
validate_password_policy=0
validate-password=FORCE_PLUS_PERMANENT


systemctl restart mysqld

#查看
mysql> show variables like 'validate%';
+--------------------------------------+-------+
| Variable_name                        | Value |
+--------------------------------------+-------+
| validate_password_check_user_name    | OFF   |
| validate_password_dictionary_file    |       |
| validate_password_length             | 8     |
| validate_password_mixed_case_count   | 1     |
| validate_password_number_count       | 1     |
| validate_password_policy             | LOW   |
| validate_password_special_char_count | 1     |
+--------------------------------------+-------+

--创建一个用户 使用较短的密码 显示没有满足策略要求
mysql> grant all on *.* to admin@'%' identified by '1234';
ERROR 1819 (HY000): Your password does not satisfy the current policy requirements

--查看密码策略
mysql> select @@validate_password_policy;
+----------------------------+
| @@validate_password_policy |
+----------------------------+
| LOW                        |
+----------------------------+

--查看密码复杂性最低要求
mysql> select @@validate_password_length;
+----------------------------+
| @@validate_password_length |
+----------------------------+
|                          8 |
+----------------------------+

--更换密码复杂性策略:把密码最小长度设置为1(服务器会自动调整为不低于 数字个数+特殊字符个数+2×大小写个数,按上表取值即 4)
mysql> set global validate_password_length=1;

--把策略设为0(即 LOW,只检查密码长度;并不是关闭校验)

mysql>  set global validate_password_policy=0;

--再次设置用户和密码 成功(仅作演示:这里的 admin@'%' 拥有 *.* 全部权限且密码为 1234,生产环境应保留密码策略并限定主机)
mysql> grant all on *.* to admin@'%' identified by '1234';
Query OK, 0 rows affected, 1 warning (0.00 sec)

--测试登录
[root@mysql ~]# mysql -uadmin -p1234
mysql: [Warning] Using a password on the command line interface can be insecure.
Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 3
Server version: 5.7.42 MySQL Community Server (GPL)

Copyright (c) 2000, 2023, Oracle and/or its affiliates.

Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

mysql> 
--成功!
--永久修改就修改my.cnf文件

远程登录

# Writing the password directly after -p leaves it in shell history and can
# expose it to other local users; the client itself prints a warning about
# this. Give -p alone to be prompted for the password instead.
mysql -u用户名 -p密码 [ -h主机 ] [ -P端口 ];
# -e runs the given SQL statement non-interactively and then exits.
mysql -u用户名 -p密码 [ -h主机 ] [ -P端口 ] [ -e"SQL语句" ]

日志管理

错误日志

  • 记录mysql启动过程中状态,报错,警告等信息。

  • 设置错误日志

    #配置错误日志
    [root@mysql ~]# mkdir /logs
    [root@mysql ~]# vim /etc/my.cnf
    #修改权限 
    [root@mysql ~]# chown -R mysql:mysql /logs/
    
    [root@mysql ~]# cat /etc/my.cnf | grep log-error
    log-error=/logs/mysql-error.log
    
    #重启服务
    [root@mysql ~]# systemctl restart mysqld
    
    
    
    --进入mysql查看
    mysql> select @@log_error;
    +-----------------------+
    | @@log_error           |
    +-----------------------+
    | /logs/mysql-error.log |
    +-----------------------+
    
    
    
    
    #进入虚拟机查看日志内容是否存在
    [root@mysql ~]# tail /logs/mysql-error.log 
    2023-06-12T19:50:05.941676Z 0 [Warning] A deprecated TLS version TLSv1.1 is enabled. Please use TLSv1.2 or higher.
    2023-06-12T19:50:05.945078Z 0 [Warning] CA certificate ca.pem is self signed.
    2023-06-12T19:50:05.945468Z 0 [Note] Skipping generation of RSA key pair as key files are present in data directory.
    2023-06-12T19:50:05.947524Z 0 [Note] Server hostname (bind-address): '*'; port: 3306
    2023-06-12T19:50:05.947655Z 0 [Note] IPv6 is available.
    2023-06-12T19:50:05.947754Z 0 [Note]   - '::' resolves to '::';
    2023-06-12T19:50:05.947814Z 0 [Note] Server socket created on IP: '::'.
    2023-06-12T19:50:06.038988Z 0 [Note] Event Scheduler: Loaded 0 events
    2023-06-12T19:50:06.039879Z 0 [Note] /usr/sbin/mysqld: ready for connections.
    Version: '5.7.42'  socket: '/var/lib/mysql/mysql.sock'  port: 3306  MySQL Community Server (GPL)
    #内容存在 说明配置成功
    
    

二进制日志

  • 数据恢复必备日志
  • 主从复制依赖
#修改配置文件
[root@mysql ~]# cat /etc/my.cnf | grep server_id 
server_id=6
[root@mysql ~]# cat /etc/my.cnf | grep log_bin
# log_bin
log_bin=/logs/binlogs/mysql-bin

#server_id 5.7版本后开启二进制日志必加参数
#创建文件夹 授权(binlog 记录了全部数据变更,目录只应对 mysql 用户开放)
[root@mysql ~]# mkdir -p /logs/binlogs/
[root@mysql ~]# chown -R mysql:mysql /logs/*

[root@mysql ~]# ll /logs/binlogs/
总用量 8
-rw-r-----. 1 mysql mysql 154 6月  12 16:13 mysql-bin.000001
-rw-r-----. 1 mysql mysql  31 6月  12 16:13 mysql-bin.index
#mysql-bin 配置文件配置的前缀 000001 mysql每次重启重新生成新的

  • 二进制文件内容除了查询类的语句,都会记录,即所有数据库变更类语句。
mysql> select @@binlog_format;
+-----------------+
| @@binlog_format |
+-----------------+
| ROW |
+-----------------+

--DDL、DCL直接以语句(statement)方式记录 .
--DML 语句有三种模式:SBR、RBR、MBR

--statement---->SBR:做什么记录什么,即SQL语句
--row---------->RBR:记录数据行的变化(默认模式,推荐)
--mixed-------->MBR:自动判断记录模式
#修改配置文件
[root@mysql ~]# vi /etc/my.cnf
[root@mysql ~]# cat /etc/my.cnf | grep binlog_format
binlog_format='ROW'
[root@mysql ~]# systemctl restart mysqld

--查看工作模式
mysql> show variables like "binlog%";
+--------------------------------------------+--------------+
| Variable_name                              | Value        |
+--------------------------------------------+--------------+
| binlog_cache_size                          | 32768        |
| binlog_checksum                            | CRC32        |
| binlog_direct_non_transactional_updates    | OFF          |
| binlog_error_action                        | ABORT_SERVER |
| binlog_format                              | ROW          |
| binlog_group_commit_sync_delay             | 0            |
| binlog_group_commit_sync_no_delay_count    | 0            |
| binlog_gtid_simple_recovery                | ON           |
| binlog_max_flush_queue_time                | 0            |
| binlog_order_commits                       | ON           |
| binlog_row_image                           | FULL         |
| binlog_rows_query_log_events               | OFF          |
| binlog_stmt_cache_size                     | 32768        |
| binlog_transaction_dependency_history_size | 25000        |
| binlog_transaction_dependency_tracking     | COMMIT_ORDER |
+--------------------------------------------+--------------+

二进制日志事件

  • 事件为最小记录单位
  • 对于DDL和DCL,语句即事件
  • 对于DML,只记录提交的事务的DML语句
begin ; 事件1
a 事件2
b 事件3
commit; 事件4

查看二进制日志事件

[root@mysql ~]# cd /logs/binlogs/
[root@mysql binlogs]# mysqlbinlog mysql-bin.000001
...
AUIDoJM=
'/*!*/;
# at 123 #事件开始
#230612 16:18:14#事件发生时间 server id 6  end_log_pos #事件结束 154 CRC32 0x9c400eca  Previous-GTIDs
# [empty]
# at 154
#230612 16:33:25 server id 6  end_log_pos 177 CRC32 0x3ccc2292  Stop
SET @@SESSION.GTID_NEXT= 'AUTOMATIC' /* added by mysqlbinlog */ /*!*/;
DELIMITER ;#事件内容
...


--二进制日志配置
mysql>  show variables like '%log_bin%';
+---------------------------------+-------------------------------+
| Variable_name                   | Value                         |
+---------------------------------+-------------------------------+
| log_bin                         | ON                            |
| log_bin_basename                | /logs/binlogs/mysql-bin       |
| log_bin_index                   | /logs/binlogs/mysql-bin.index |
| log_bin_trust_function_creators | OFF                           |
| log_bin_use_v1_row_events       | OFF                           |
| sql_log_bin                     | ON                            |
+---------------------------------+-------------------------------+

--log_bin 开启二进制日志的开关
--log_bin_basename 位置
--sql_log_bin 临时开启或关闭二进制日志的小开关


--显示当前所有二进制日志文件
mysql> show binary logs;
+------------------+-----------+
| Log_name         | File_size |
+------------------+-----------+
| mysql-bin.000001 |       177 |
| mysql-bin.000002 |       154 |
+------------------+-----------+

--显示二进制文件事件信息
mysql> show binlog events in 'mysql-bin.000001';
+------------------+-----+----------------+-----------+-------------+---------------------------------------+
| Log_name         | Pos | Event_type     | Server_id | End_log_pos | Info                                  |
+------------------+-----+----------------+-----------+-------------+---------------------------------------+
| mysql-bin.000001 |   4 | Format_desc    |         6 |         123 | Server ver: 5.7.42-log, Binlog ver: 4 |
| mysql-bin.000001 | 123 | Previous_gtids |         6 |         154 |                                       |
| mysql-bin.000001 | 154 | Stop           |         6 |         177 |                                       |
+------------------+-----+----------------+-----------+-------------+---------------------------------------+


二进制日志文件数据恢复实例

  • 操作
create database binlog charset utf8mb4;

use binlog;

create table t1(id int) engine=innodb charset=utf8mb4;

insert into t1 values (1),(2),(3);

insert into t1 values (11),(12),(13);

commit ;
--此时t1数据
mysql> select * from t1;
+------+
| id   |
+------+
|    1 |
|    2 |
|    3 |
|   11 |
|   12 |
|   13 |
+------+


update t1 set id=10 where id >10;

commit ;

--更改后
mysql> select * from t1;
+------+
| id   |
+------+
|    1 |
|    2 |
|    3 |
|   10 |
|   10 |
|   10 |
+------+


  • 删除数据
drop database binlog;
  • 数据恢复
--确认起点和终点
mysql> show master status;
+------------------+----------+--------------+------------------+-------------------+
| File             | Position | Binlog_Do_DB | Binlog_Ignore_DB | Executed_Gtid_Set |
+------------------+----------+--------------+------------------+-------------------+
| mysql-bin.000002 |     1631 |              |                  |                   |
+------------------+----------+--------------+------------------+-------------------+

mysql> show binlog events in 'mysql-bin.000002';
| mysql-bin.000002 |  154 | Anonymous_Gtid |         6 |         219 | SET @@SESSION.GTID_NEXT= 'ANONYMOUS'  
...                                                                 |
| mysql-bin.000002 |  219 | Query          |         6 |         375 | /* ApplicationName=DataGrip 2023.1.2 */ create database binlog charset utf8mb4   --起点                           |
| mysql-bin.000002 | 1428 | Anonymous_Gtid |         6 |        1493 | SET @@SESSION.GTID_NEXT= 'ANONYMOUS' 

| mysql-bin.000002 | 1493 | Query          |         6 |        1631 | /* ApplicationName=DataGrip 2023.1.2 */ drop database binlog        --终点                         
  • 截取日志
[root@mysql ~]# mysqlbinlog --start-position=219 --stop-position=1493 /logs/binlogs/mysql-bin.000002 > /data/bin.sql

  • 恢复日志
mysql> set sql_log_bin=0; # 临时关闭当前会话的binlog记录
mysql> source /data/bin.sql;
mysql> set sql_log_bin=1; # 打开当前会话的binlog记录
  • 查看是否恢复信息
mysql> show databases;
+--------------------+
| Database           |
+--------------------+
| information_schema |
| binlog             |
| db1                |
| mysql              |
| performance_schema |
| sys                |
+--------------------+
6 rows in set (0.01 sec)

mysql> use binlog;
Database changed
--成功恢复
mysql> select * from t1;
+------+
| id   |
+------+
|    1 |
|    2 |
|    3 |
|   10 |
|   10 |
|   10 |
+------+

基于gtid二进制日志管理

  • 全局唯一事务编号
  • 幂等性
  • gtid包括:
    • server_uuid
    • tx_id

gtid配置

--查看gtid
mysql> show variables like '%gtid%';
+----------------------------------+-----------+
| Variable_name                    | Value     |
+----------------------------------+-----------+
| binlog_gtid_simple_recovery      | ON        |
| enforce_gtid_consistency         | OFF       |
| gtid_executed_compression_period | 1000      |
| gtid_mode                        | OFF       |
| gtid_next                        | AUTOMATIC |
| gtid_owned                       |           |
| gtid_purged                      |           |
| session_track_gtids              | OFF       |
+----------------------------------+-----------+

#修改配置
[root@mysql ~]# vi /etc/my.cnf

gtid_mode=on # 开启 gtid
enforce_gtid_consistency=true # 强制GTID一致性
log_slave_updates=1 # 主从复制中从库记录 binlog,并统一GTID信息

[root@mysql ~]# systemctl restart mysqld

基于gtid截取日志

  • 对于DDL,DCL一个操作就是一个gtid
  • 对于DML,一个完整事务就是一个gtid
mysql>  show variables like '%gtid%';
+----------------------------------+-----------+
| Variable_name                    | Value     |
+----------------------------------+-----------+
| binlog_gtid_simple_recovery      | ON        |
| enforce_gtid_consistency         | ON        |
| gtid_executed_compression_period | 1000      |
| gtid_mode                        | ON        |
| gtid_next                        | AUTOMATIC |
| gtid_owned                       |           |
| gtid_purged                      |           |
| session_track_gtids              | OFF       |
+----------------------------------+-----------+


mysql> show master status;
+------------------+----------+--------------+------------------+-------------------+
| File             | Position | Binlog_Do_DB | Binlog_Ignore_DB | Executed_Gtid_Set |
+------------------+----------+--------------+------------------+-------------------+
| mysql-bin.000001 |      154 |              |                  |                   |
+------------------+----------+--------------+------------------+-------------------+


  • --include-gtids=包含
  • --exclude-gtids=排除
  • --skip-gtids=跳过

基于gtid截取日志实例

  • 环境准备
--准备环境

create database gtid charset utf8mb4;

use gtid;

create table t1(id int) engine=innodb charset=utf8mb4;

insert into t1 values(1),(2),(3);

commit;

insert into t1 values(11),(12),(13);

 commit;
 
 mysql> select * from t1;
+------+
| id   |
+------+
|    1 |
|    2 |
|    3 |
|   11 |
|   12 |
|   13 |
+------+

--删除数据
drop database gtid;
--查看当前数据库
mysql> show databases;
+--------------------+
| Database           |
+--------------------+
| information_schema |
| db1                |
| mysql              |
| performance_schema |
| sys                |
+--------------------+

  • 找寻起点终点(gtid)
mysql> show master status;
+------------------+----------+--------------+------------------+------------------------------------------+
| File             | Position | Binlog_Do_DB | Binlog_Ignore_DB | Executed_Gtid_Set                        |
+------------------+----------+--------------+------------------+------------------------------------------+
| mysql-bin.000001 |     1324 |              |                  | 5bae2709-0933-11ee-ad07-000c2977e40f:1-5 |
+------------------+----------+--------------+------------------+------------------------------------------+

show binlog events in 'mysql-bin.000001'

...  --省略
mysql-bin.000001,154,Gtid,6,219,SET @@SESSION.GTID_NEXT= '5bae2709-0933-11ee-ad07-000c2977e40f:1' --这里是起点 创建库
mysql-bin.000001,219,Query,6,369,/* ApplicationName=DataGrip 2023.1.2 */ create database gtid charset utf8mb4
... --省略
mysql-bin.000001,1127,Gtid,6,1192,SET @@SESSION.GTID_NEXT= '5bae2709-0933-11ee-ad07-000c2977e40f:5'
mysql-bin.000001,1192,Query,6,1324,/* ApplicationName=DataGrip 2023.1.2 */ drop database gtid --终点删除库  推荐一个数据库操作工具dataGrip很好用


  • 截取日志
#5是删除数据库,所以只截取到1-4;--skip-gtids 让导出的SQL不带原来的GTID,否则这些GTID已经执行过,恢复时会被跳过
[root@mysql ~]# mysqlbinlog --skip-gtids --include-gtids='5bae2709-0933-11ee-ad07-000c2977e40f:1-4' /logs/binlogs/mysql-bin.000001 > /data/gtid.sql

  • 恢复数据
mysql> set sql_log_bin=0;

mysql> source /data/gtid.sql
mysql> set sql_log_bin=1;

mysql> show databases;
+--------------------+
| Database           |
+--------------------+
| information_schema |
| db1                |
| gtid               |
| mysql              |
| performance_schema |
| sys                |
+--------------------+

mysql> use gtid;
Database changed
mysql> select * from t1;
+------+
| id   |
+------+
|    1 |
|    2 |
|    3 |
|   11 |
|   12 |
|   13 |
+------+
--数据恢复成功

二进制日志其他操作

自动清理日志

--查看自动清理周期(expire_logs_days 单位为天,0 表示不自动清理)
show variables like '%expire%';

disconnect_on_expired_password,ON
expire_logs_days,0

--设置自动清理周期
set global expire_logs_days = 7;
show variables like '%expire%';

disconnect_on_expired_password,ON
expire_logs_days,7

#永久生效

[root@mysql ~]# vi /etc/my.cnf
[root@mysql ~]# cat /etc/my.cnf | grep expire
expire_logs_days=15

[root@mysql ~]# systemctl restart mysqld

show variables like '%expire%';

disconnect_on_expired_password,ON
expire_logs_days,15
