This article covers the basics of creating users and granting them privileges.
Creating users
Basic syntax:
create user username@'[%|ip|localhost]' [identified by 'password'];
The part after the @ sign is the address the user is allowed to connect from. MySQL controls this through the host column of the user table; host can take the kinds of values shown in the syntax above (%, an IP address, or localhost).
When creating a user, a login password may be specified or omitted.
mysql> create user nopsd_user;
Query OK, 0 rows affected (0.01 sec)
mysql> SELECT * FROM user WHERE User='nopsd_user'\G;
*************************** 1. row ***************************
Host: %
User: nopsd_user
Select_priv: N
Insert_priv: N
Update_priv: N
Delete_priv: N
Create_priv: N
Select_priv: N
Insert_priv: N
....
authentication_string:
....
-- log in
[root@localhost temp]# mysql -unopsd_user
Welcome to the MySQL monitor. Commands end with ; or \g.
Your MySQL connection id is 10
Server version: 5.7.24-log MySQL Community Server (GPL)
...
mysql>
-- create a user with a password
mysql> create user psd_user identified by '123456';
Query OK, 0 rows affected (0.00 sec)
-- inspect the user table in the mysql database
mysql> SELECT * FROM user WHERE User='psd_user'\G;
*************************** 1. row ***************************
Host: %
User: psd_user
Select_priv: N
Insert_priv: N
Update_priv: N
Delete_priv: N
Create_priv: N
...
plugin: mysql_native_password
authentication_string: *6BB4837EB74329105EE4568DDA7DC67ED2CA2AD9
...
[root@localhost temp]# mysql -upsd_user
ERROR 1045 (28000): Access denied for user 'psd_user'@'localhost' (using password: NO)
[root@localhost temp]# mysql -upsd_user -p
Enter password:
Welcome to the MySQL monitor. Commands end with ; or \g.
Your MySQL connection id is 13
Server version: 5.7.24-log MySQL Community Server (GPL)
...
mysql>
# specify the connecting host
mysql> create user local_user @'localhost';
Query OK, 0 rows affected (0.00 sec)
mysql> SELECT * FROM user WHERE User='local_user'\G;
*************************** 1. row ***************************
Host: localhost
User: local_user
Select_priv: N
Insert_priv: N
Update_priv: N
Delete_priv: N
Create_priv: N
Drop_priv: N
...
As shown above, a user created without specifying a host can by default connect from any IP address, and has no privileges yet on any database or table.
User information is stored in the mysql.user table.
Setting privileges
Basic syntax:
GRANT priv_type[(column_list)][,priv_type[(column_list)]]... ON [object_type]{tbl_name|*|*.*|db_name.*|db_name.tbl_name} TO username[@'ip|%']
Grant psd_user all privileges
-- Note: the host column for psd_user in mysql.user holds '%'
mysql> grant all privileges on *.* to psd_user@'localhost';
ERROR 1133 (42000): Can't find any matching row in the user table
mysql> grant all privileges on *.* to psd_user;
Query OK, 0 rows affected (0.01 sec)
mysql> grant all privileges on *.* to psd_user@'%';
Query OK, 0 rows affected (0.00 sec)
-- inspect mysql.user
mysql> SELECT * FROM user WHERE user='psd_user'\G;
*************************** 1. row ***************************
Host: %
User: psd_user
Select_priv: Y
Insert_priv: Y
...
Reload_priv: Y
Shutdown_priv: Y
Process_priv: Y
File_priv: Y
Grant_priv: N
References_priv: Y
Index_priv: Y
Alter_priv: Y
Show_db_priv: Y
...
Create_routine_priv: Y
...
plugin: mysql_native_password
authentication_string: *6BB4837EB74329105EE4568DDA7DC67ED2CA2AD9
...
1 row in set (0.00 sec)
Except for Grant_priv, every privilege for this account is now 'Y' in the user table. The GRANT privilege itself can be given with the following syntax:
grant all privileges on *.* to psd_user@'%' with grant option;
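The three accounts created so far illustrate the conditions an administrator should look for when reviewing mysql.user: a wildcard host, an empty authentication_string, and an account holding ALL privileges on *.* (with or without GRANT OPTION). The following is an added example, not code from the original article: an offline audit over rows exported from mysql.user. The rows are constructed to mirror the article's nopsd_user, psd_user and local_user; the column names follow mysql.user in MySQL 5.7, and which privileges count as "admin" is this example's own choice.

```python
# Added example (not from the original article): an offline audit of rows
# exported from mysql.user, flagging the conditions the article demonstrates:
# a wildcard host ('%'), an empty authentication_string (no password), and
# powerful global privileges such as ALL on *.*, GRANT OPTION, FILE and SUPER.
# The rows below are constructed to mirror the article's psd_user, nopsd_user
# and local_user; column names follow mysql.user in MySQL 5.7.

# Global privileges that give an account control beyond ordinary data access
# (this selection is the example's own, not a MySQL-defined category).
ADMIN_PRIVS = ("Super_priv", "File_priv", "Grant_priv", "Shutdown_priv",
               "Process_priv", "Create_user_priv", "Reload_priv")

# Privilege columns used to detect "ALL PRIVILEGES ON *.*" style accounts.
DATA_PRIVS = ("Select_priv", "Insert_priv", "Update_priv", "Delete_priv",
              "Create_priv", "Drop_priv", "Alter_priv", "Index_priv")


def audit_user_rows(rows):
    """Return a sorted list of (account, finding) tuples for risky accounts.

    `rows` is an iterable of dicts keyed by mysql.user column names; missing
    privilege columns are treated as 'N'.
    """
    findings = []
    for row in rows:
        account = f"{row['User']}@{row['Host']}"
        if row["Host"] == "%":
            findings.append((account, "connects from any host (Host='%')"))
        if row.get("authentication_string", "") == "":
            findings.append((account, "no password set (empty authentication_string)"))
        admin = [p for p in ADMIN_PRIVS if row.get(p, "N") == "Y"]
        if admin:
            findings.append((account, "global admin privileges: " + ", ".join(admin)))
        if all(row.get(p, "N") == "Y" for p in DATA_PRIVS):
            findings.append((account, "full data privileges on *.*"))
    return sorted(findings)


def with_priv(base, privs, value="Y"):
    """Return a copy of `base` with the given privilege columns set to `value`."""
    row = dict(base)
    for p in privs:
        row[p] = value
    return row


# Constructed sample rows matching the article's three accounts.
NOPSD_USER = {"Host": "%", "User": "nopsd_user", "authentication_string": ""}
PSD_USER = with_priv(
    {"Host": "%", "User": "psd_user",
     "authentication_string": "*6BB4837EB74329105EE4568DDA7DC67ED2CA2AD9",
     "Grant_priv": "N"},
    ("Super_priv", "File_priv", "Shutdown_priv", "Process_priv",
     "Create_user_priv", "Reload_priv") + DATA_PRIVS)
LOCAL_USER = {"Host": "localhost", "User": "local_user", "authentication_string": ""}

SAMPLE_ROWS = [NOPSD_USER, PSD_USER, LOCAL_USER]

if __name__ == "__main__":
    for account, finding in audit_user_rows(SAMPLE_ROWS):
        print(f"{account:<22} {finding}")
```

In practice the rows would come from `SELECT * FROM mysql.user` on the server being reviewed; the audit itself needs no database connection, so it can run against an exported copy.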
Grant nopsd_user specific privileges on the sakila database
mysql> grant select,insert,update,delete on sakila.* to nopsd_user;
Query OK, 0 rows affected (0.01 sec)
Inspect the privilege information in the user and db tables of the mysql database
mysql> SELECT * FROM user WHERE user='nopsd_user'\G;
*************************** 1. row ***************************
Host: %
User: nopsd_user
Select_priv: N
Insert_priv: N
Update_priv: N
Delete_priv: N
Create_priv: N
Drop_priv: N
Reload_priv: N
Shutdown_priv: N
Process_priv: N
File_priv: N
Grant_priv: N
References_priv: N
Index_priv: N
Alter_priv: N
Show_db_priv: N
Super_priv: N
Create_tmp_table_priv: N
Lock_tables_priv: N
Execute_priv: N
Repl_slave_priv: N
Repl_client_priv: N
Create_view_priv: N
Show_view_priv: N
Create_routine_priv: N
Alter_routine_priv: N
Create_user_priv: N
Event_priv: N
Trigger_priv: N
Create_tablespace_priv: N
ssl_type:
ssl_cipher:
x509_issuer:
x509_subject:
max_questions: 0
max_updates: 0
max_connections: 0
max_user_connections: 0
plugin: mysql_native_password
authentication_string:
password_expired: N
password_last_changed: 2021-02-18 07:12:11
password_lifetime: NULL
account_locked: N
1 row in set (0.00 sec)
ERROR:
No query specified
mysql> SELECT * FROM db WHERE user='nopsd_user'\G;
*************************** 1. row ***************************
Host: %
Db: sakila
User: nopsd_user
Select_priv: Y
Insert_priv: Y
Update_priv: Y
Delete_priv: Y
Create_priv: N
Drop_priv: N
Grant_priv: N
References_priv: N
Index_priv: N
Alter_priv: N
Create_tmp_table_priv: N
Lock_tables_priv: N
Create_view_priv: N
Show_view_priv: N
Create_routine_priv: N
Alter_routine_priv: N
Execute_priv: N
Event_priv: N
Trigger_priv: N
1 row in set (0.00 sec)
In the db table you can see that database-level privileges such as drop and alter can also be set.
Basic syntax:
SHOW GRANTS FOR user@host
mysql> SHOW GRANTS FOR nopsd_user;
+------------------------------------------------------------------------+
| Grants for nopsd_user@% |
+------------------------------------------------------------------------+
| GRANT USAGE ON *.* TO 'nopsd_user'@'%' |
| GRANT SELECT, INSERT, UPDATE, DELETE ON `sakila`.* TO 'nopsd_user'@'%' |
+------------------------------------------------------------------------+
If the host is omitted, it defaults to %.
mysql> SHOW GRANTS FOR local_user;
ERROR 1141 (42000): There is no such grant defined for user 'local_user' on host '%'
mysql> SHOW GRANTS FOR local_user@'localhost';
+------------------------------------------------+
| Grants for local_user@localhost |
+------------------------------------------------+
| GRANT USAGE ON *.* TO 'local_user'@'localhost' |
+------------------------------------------------+
mysql> SHOW GRANTS FOR nopsd_user;
+------------------------------------------------------------------------------+
| Grants for nopsd_user@% |
+------------------------------------------------------------------------------+
| GRANT USAGE ON *.* TO 'nopsd_user'@'%' |
| GRANT SELECT, INSERT, UPDATE, DELETE, DROP ON `sakila`.* TO 'nopsd_user'@'%' |
+------------------------------------------------------------------------------+
In MySQL 5.0 and later, privileges can also be inspected through the information_schema database.
mysql> use information_schema;
mysql> SELECT * FROM SCHEMA_PRIVILEGES WHERE GRANTEE="'nopsd_user'@'%'";
+------------------+---------------+--------------+----------------+--------------+
| GRANTEE | TABLE_CATALOG | TABLE_SCHEMA | PRIVILEGE_TYPE | IS_GRANTABLE |
+------------------+---------------+--------------+----------------+--------------+
| 'nopsd_user'@'%' | def | sakila | SELECT | NO |
| 'nopsd_user'@'%' | def | sakila | INSERT | NO |
| 'nopsd_user'@'%' | def | sakila | UPDATE | NO |
| 'nopsd_user'@'%' | def | sakila | DELETE | NO |
| 'nopsd_user'@'%' | def | sakila | DROP | NO |
+------------------+---------------+--------------+----------------+--------------+
Privileges can be added and revoked. There are two statements for changing privileges: GRANT (add) and REVOKE (revoke).
Using GRANT
GRANT was already used above.
mysql> SHOW GRANTS FOR local_user@'localhost';
+------------------------------------------------+
| Grants for local_user@localhost |
+------------------------------------------------+
| GRANT USAGE ON *.* TO 'local_user'@'localhost' |
+------------------------------------------------+
mysql> GRANT SELECT ON *.* to local_user@'localhost';
Query OK, 0 rows affected (0.01 sec)
mysql> SHOW GRANTS FOR local_user@'localhost';
+-------------------------------------------------+
| Grants for local_user@localhost |
+-------------------------------------------------+
| GRANT SELECT ON *.* TO 'local_user'@'localhost' |
+-------------------------------------------------+
Next, grant SELECT,INSERT to local_user@'localhost'; these are merged with the SELECT privilege it already has.
mysql> GRANT SELECT,INSERT ON *.* TO local_user@'localhost';
Query OK, 0 rows affected (0.01 sec)
mysql> SHOW GRANTS FOR local_user@'localhost';
+---------------------------------------------------------+
| Grants for local_user@localhost |
+---------------------------------------------------------+
| GRANT SELECT, INSERT ON *.* TO 'local_user'@'localhost' |
+---------------------------------------------------------+
1 row in set (0.00 sec)
Using REVOKE
Basic syntax:
REVOKE priv_type[(column_list)][,priv_type[(column_list)]]... ON [object_type]{tbl_name|*|*.*|db_name.*} FROM user[,user]...
REVOKE ALL PRIVILEGES,GRANT OPTION FROM user[,user]...
Revoke the INSERT privilege from local_user@'localhost'.
mysql> REVOKE INSERT ON *.* FROM 'local_user'@'localhost';
Query OK, 0 rows affected (0.00 sec)
mysql> SHOW GRANTS FOR local_user@'localhost';
+-------------------------------------------------+
| Grants for local_user@localhost |
+-------------------------------------------------+
| GRANT SELECT ON *.* TO 'local_user'@'localhost' |
+-------------------------------------------------+
1 row in set (0.00 sec)
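The GRANT and REVOKE sequence above shows the property that matters for privilege reviews: GRANT only ever adds to an account's existing privilege set, so issuing a GRANT with a narrower list never takes anything away; only REVOKE reduces it. The following is an added example, not code from the original article: a small in-memory model of that merge behaviour, replayed over the article's own statements for local_user@'localhost'. It parses only the subset of the GRANT/REVOKE grammar used on this page, and the ordering used when rendering the result is this example's own approximation of SHOW GRANTS output.

```python
# Added example (not from the original article): a small in-memory model of how
# MySQL merges GRANT and REVOKE for a single account at one privilege level,
# replayed over the statements shown in the article for local_user@'localhost'.
# Only the subset of the grammar used there is parsed: GRANT/REVOKE with a
# comma-separated privilege list, ON <object>, TO/FROM 'user'@'host'.
import re

_STMT = re.compile(
    r"^(GRANT|REVOKE)\s+(.+?)\s+ON\s+(\S+)\s+(?:TO|FROM)\s+"
    r"'?([^'@\s]+)'?@'?([^'\s]+)'?\s*;?$",
    re.IGNORECASE,
)

# Order used when rendering privileges (a subset sufficient for this page).
PRIV_ORDER = ["SELECT", "INSERT", "UPDATE", "DELETE", "CREATE", "DROP"]


def apply_statement(grants, statement):
    """Apply one GRANT/REVOKE statement to `grants`.

    `grants` maps (user, host, object) -> set of privilege names. GRANT adds
    to the existing set; it never replaces it, so granting a narrower list
    later does not remove anything. REVOKE removes the named privileges.
    """
    m = _STMT.match(statement.strip())
    if not m:
        raise ValueError(f"unsupported statement: {statement!r}")
    verb, priv_list, obj, user, host = m.groups()
    privs = {p.strip().upper() for p in priv_list.split(",")}
    key = (user, host, obj)
    current = grants.setdefault(key, set())
    if verb.upper() == "GRANT":
        current |= privs
    else:
        current -= privs
    return grants


def show_grants(grants, user, host):
    """Render the account's privileges in the style of SHOW GRANTS output."""
    lines = []
    for (u, h, obj), privs in sorted(grants.items()):
        if (u, h) != (user, host):
            continue
        ordered = [p for p in PRIV_ORDER if p in privs]
        label = ", ".join(ordered) if ordered else "USAGE"
        lines.append(f"GRANT {label} ON {obj} TO '{u}'@'{h}'")
    return lines


def replay(statements, user, host):
    """Replay statements in order and return the final SHOW GRANTS lines."""
    grants = {(user, host, "*.*"): set()}   # a fresh account starts with USAGE only
    for stmt in statements:
        apply_statement(grants, stmt)
    return show_grants(grants, user, host)


# The sequence the article runs against local_user@'localhost' (constructed
# from its statements).
ARTICLE_SEQUENCE = [
    "GRANT SELECT ON *.* TO local_user@'localhost';",
    "GRANT SELECT,INSERT ON *.* TO local_user@'localhost';",
    "REVOKE INSERT ON *.* FROM 'local_user'@'localhost';",
]

if __name__ == "__main__":
    for line in replay(ARTICLE_SEQUENCE, "local_user", "localhost"):
        print(line)
```

Replaying the first two statements alone yields SELECT, INSERT, and the full sequence yields SELECT again, matching the SHOW GRANTS output shown above; feeding a change script through the model before running it against a server is a cheap way to confirm that it actually narrows an account rather than widening it.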
Method one: use the mysqladmin command to set the password on the command line
[root@localhost bin]# mysqladmin -u local_user -h localhost password '456789'
Method two: execute a SET PASSWORD statement
mysql> SET PASSWORD FOR 'local_user'@'localhost'=PASSWORD('123456');
Method three: use a GRANT USAGE statement at the global level to set an account's password without affecting its current privileges
mysql> GRANT USAGE ON *.* TO 'psd_user'@'%' IDENTIFIED BY '456789';
Query OK, 0 rows affected, 1 warning (0.00 sec)
Method four: the password is usually not generated on the same client that sets it. Passing a precomputed hash, as shown below, is safer than the methods above because only the hash value appears in the statement.
mysql> SELECT PASSWORD('123466');
+-------------------------------------------+
| PASSWORD('123466') |
+-------------------------------------------+
| *B09DB121B7DAFA9B5336BEDB0672DB999F846FA3 |
+-------------------------------------------+
1 row in set, 1 warning (0.00 sec)
mysql> GRANT USAGE ON *.* TO 'psd_user'@'%' IDENTIFIED BY
-> PASSWORD '*B09DB121B7DAFA9B5336BEDB0672DB999F846FA3';
Query OK, 0 rows affected, 2 warnings (0.00 sec)
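The value that PASSWORD() returns, and that mysql.user stores in authentication_string for the mysql_native_password plugin, is '*' followed by the upper-case hex of SHA1(SHA1(password)). The following is an added example, not code from the original article: it reproduces that derivation (it yields the hash the article shows for '123456'), and, because the scheme is unsalted, uses it to find accounts in an exported mysql.user that share a password. The rows are constructed; report_user is a hypothetical second account introduced only for the illustration.

```python
# Added example (not from the original article): how mysql_native_password
# derives the value stored in authentication_string, and why the article's
# fourth method (passing a precomputed hash) keeps the plaintext out of the
# statement. The scheme is documented for MySQL 5.7 as
# '*' + HEX(SHA1(SHA1(password))) and is unsalted, so two accounts with the
# same password store the same hash; the duplicate check below uses that.
import hashlib


def native_password_hash(password: str) -> str:
    """Return the mysql_native_password hash for `password` (as PASSWORD() would)."""
    inner = hashlib.sha1(password.encode("utf-8")).digest()
    outer = hashlib.sha1(inner).hexdigest().upper()
    return "*" + outer


def find_shared_hashes(rows):
    """Group accounts that store an identical non-empty authentication_string.

    `rows` is an iterable of dicts with User, Host and authentication_string
    (as exported from mysql.user); returns {hash: [user@host, ...]} for hashes
    used by more than one account. Accounts with no password are skipped.
    """
    by_hash = {}
    for row in rows:
        h = row.get("authentication_string", "")
        if h:
            by_hash.setdefault(h, []).append(f"{row['User']}@{row['Host']}")
    return {h: sorted(accounts) for h, accounts in by_hash.items() if len(accounts) > 1}


# Constructed sample: the article's psd_user plus a hypothetical second account
# (report_user) that happens to use the same password.
SAMPLE_ACCOUNTS = [
    {"Host": "%", "User": "psd_user",
     "authentication_string": native_password_hash("123456")},
    {"Host": "10.0.0.%", "User": "report_user",
     "authentication_string": native_password_hash("123456")},
    {"Host": "localhost", "User": "local_user", "authentication_string": ""},
]

if __name__ == "__main__":
    print(native_password_hash("123456"))
    for h, accounts in find_shared_hashes(SAMPLE_ACCOUNTS).items():
        print(h, "shared by", ", ".join(accounts))
```

Because the hash depends only on the password, an exported authentication_string column is enough to spot accounts that were set up with the same password, and it is also the reason the mysql_native_password hash should be treated as sensitive even though it is not the plaintext.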
To remove an account completely there are also two methods: the DROP USER statement and editing the privilege tables directly. The first is described below.
Basic syntax:
DROP USER user[,user]
Delete the user nopsd_user
mysql> SHOW GRANTS FOR nopsd_user;
+------------------------------------------------------------------------------+
| Grants for nopsd_user@% |
+------------------------------------------------------------------------------+
| GRANT USAGE ON *.* TO 'nopsd_user'@'%' |
| GRANT SELECT, INSERT, UPDATE, DELETE, DROP ON `sakila`.* TO 'nopsd_user'@'%' |
+------------------------------------------------------------------------------+
2 rows in set (0.00 sec)
mysql> DROP USER nopsd_user;
Query OK, 0 rows affected (0.00 sec)
mysql> SHOW GRANTS FOR nopsd_user;
ERROR 1141 (42000): There is no such grant defined for user 'nopsd_user' on host '%'
MySQL verifies identity by the combination of user name and connecting host (IP address). For example, the user root@localhost created by default at installation means root can only authenticate when connecting locally; connections by this user from any other host are rejected.
MySQL loads the privilege tables into memory when the server starts. Once a user has passed authentication, the corresponding privileges are read from memory, and the user can perform operations within that privilege scope.
In these two stages, authentication and privilege lookup, the system uses two important tables in the mysql database, user and db; their definitions are as follows
When a user connects, the privilege tables are accessed as follows:
This article has introduced the methods for managing database accounts: creating accounts, managing privileges and changing passwords.