MySQL Accounts and Privileges

1. Accounts

A MySQL account consists of a user name and the client host name it may connect from. Account information is stored in the user table of the mysql system database, whose primary key is the pair of columns Host and User, so root@localhost and root@'%' are two different accounts with their own passwords and privileges.

mysql> desc mysql.user;
+--------------------------+-----------------------------------+------+-----+-----------------------+-------+
| Field                    | Type                              | Null | Key | Default               | Extra |
+--------------------------+-----------------------------------+------+-----+-----------------------+-------+
| Host                     | char(255)                         | NO   | PRI |                       |       |
| User                     | char(32)                          | NO   | PRI |                       |       |
| Select_priv              | enum('N','Y')                     | NO   |     | N                     |       |
| Insert_priv              | enum('N','Y')                     | NO   |     | N                     |       |
| Update_priv              | enum('N','Y')                     | NO   |     | N                     |       |
| Delete_priv              | enum('N','Y')                     | NO   |     | N                     |       |
| Create_priv              | enum('N','Y')                     | NO   |     | N                     |       |
| Drop_priv                | enum('N','Y')                     | NO   |     | N                     |       |
| Reload_priv              | enum('N','Y')                     | NO   |     | N                     |       |
| Shutdown_priv            | enum('N','Y')                     | NO   |     | N                     |       |
| Process_priv             | enum('N','Y')                     | NO   |     | N                     |       |
| File_priv                | enum('N','Y')                     | NO   |     | N                     |       |
| Grant_priv               | enum('N','Y')                     | NO   |     | N                     |       |
| References_priv          | enum('N','Y')                     | NO   |     | N                     |       |
| Index_priv               | enum('N','Y')                     | NO   |     | N                     |       |
| Alter_priv               | enum('N','Y')                     | NO   |     | N                     |       |
| Show_db_priv             | enum('N','Y')                     | NO   |     | N                     |       |
| Super_priv               | enum('N','Y')                     | NO   |     | N                     |       |
| Create_tmp_table_priv    | enum('N','Y')                     | NO   |     | N                     |       |
| Lock_tables_priv         | enum('N','Y')                     | NO   |     | N                     |       |
| Execute_priv             | enum('N','Y')                     | NO   |     | N                     |       |
| Repl_slave_priv          | enum('N','Y')                     | NO   |     | N                     |       |
| Repl_client_priv         | enum('N','Y')                     | NO   |     | N                     |       |
| Create_view_priv         | enum('N','Y')                     | NO   |     | N                     |       |
| Show_view_priv           | enum('N','Y')                     | NO   |     | N                     |       |
| Create_routine_priv      | enum('N','Y')                     | NO   |     | N                     |       |
| Alter_routine_priv       | enum('N','Y')                     | NO   |     | N                     |       |
| Create_user_priv         | enum('N','Y')                     | NO   |     | N                     |       |
| Event_priv               | enum('N','Y')                     | NO   |     | N                     |       |
| Trigger_priv             | enum('N','Y')                     | NO   |     | N                     |       |
| Create_tablespace_priv   | enum('N','Y')                     | NO   |     | N                     |       |
| ssl_type                 | enum('','ANY','X509','SPECIFIED') | NO   |     |                       |       |
| ssl_cipher               | blob                              | NO   |     | NULL                  |       |
| x509_issuer              | blob                              | NO   |     | NULL                  |       |
| x509_subject             | blob                              | NO   |     | NULL                  |       |
| max_questions            | int unsigned                      | NO   |     | 0                     |       |
| max_updates              | int unsigned                      | NO   |     | 0                     |       |
| max_connections          | int unsigned                      | NO   |     | 0                     |       |
| max_user_connections     | int unsigned                      | NO   |     | 0                     |       |
| plugin                   | char(64)                          | NO   |     | caching_sha2_password |       |
| authentication_string    | text                              | YES  |     | NULL                  |       |
| password_expired         | enum('N','Y')                     | NO   |     | N                     |       |
| password_last_changed    | timestamp                         | YES  |     | NULL                  |       |
| password_lifetime        | smallint unsigned                 | YES  |     | NULL                  |       |
| account_locked           | enum('N','Y')                     | NO   |     | N                     |       |
| Create_role_priv         | enum('N','Y')                     | NO   |     | N                     |       |
| Drop_role_priv           | enum('N','Y')                     | NO   |     | N                     |       |
| Password_reuse_history   | smallint unsigned                 | YES  |     | NULL                  |       |
| Password_reuse_time      | smallint unsigned                 | YES  |     | NULL                  |       |
| Password_require_current | enum('N','Y')                     | YES  |     | NULL                  |       |
| User_attributes          | json                              | YES  |     | NULL                  |       |
+--------------------------+-----------------------------------+------+-----+-----------------------+-------+
51 rows in set (0.00 sec)

A Host value of "%" matches any host. When MySQL is initialized it creates four reserved accounts (mysql.infoschema@localhost, mysql.session@localhost, mysql.sys@localhost, root@localhost); only root@localhost is not locked.

mysql> select user,host from mysql.user;
+------------------+-----------+
| user             | host      |
+------------------+-----------+
| code             | %         |
| code             | localhost |
| mysql.infoschema | localhost |
| mysql.session    | localhost |
| mysql.sys        | localhost |
| root             | localhost |
+------------------+-----------+
6 rows in set (0.00 sec)

root@localhost: the administrative system account; it holds every privilege on the MySQL server and is also called the superuser.
mysql.sys@localhost: used as the DEFINER of the objects in the sys system schema; the account is locked and cannot be used for client logins.
mysql.session@localhost: used internally by plugins to access the server; also locked.
mysql.infoschema@localhost: the DEFINER of the views in the information_schema database; also locked.

Query the current account. user() returns the user name and host the client supplied when connecting; current_user() returns the mysql.user row that actually authenticated the session (which may be a wildcard entry such as code@'%'), and that row is what determines the session's privileges. In a local root session the two coincide:

mysql> select current_user();
+----------------+
| current_user() |
+----------------+
| root@localhost |
+----------------+
1 row in set (0.00 sec)

mysql> select user();
+----------------+
| user()         |
+----------------+
| root@localhost |
+----------------+
1 row in set (0.00 sec)

[Create an account] The first form uses the server's default authentication plugin (caching_sha2_password in 8.0, as the default of the plugin column above shows). The second form explicitly selects mysql_native_password, the older SHA-1 based plugin, which MySQL 8.0.34 and later mark as deprecated; prefer the default unless an old client library forces otherwise.

mysql> create user test@localhost identified by 'a123456';
Query OK, 0 rows affected (0.01 sec)

mysql> create user test1@localhost identified with mysql_native_password by 'a123456';
Query OK, 0 rows affected (0.00 sec)

mysql> select user,host from mysql.user where user like 'test%';
+-------+-----------+
| user  | host      |
+-------+-----------+
| test  | localhost |
| test1 | localhost |
+-------+-----------+
2 rows in set (0.00 sec)

[Change the password]

mysql> alter user test@localhost identified by '123456';
Query OK, 0 rows affected (0.00 sec)

Or:

mysql> set password for test1@localhost = '123456';
Query OK, 0 rows affected (0.01 sec)

[Force password expiration] After the password is expired the user can still log in with it, but the session is placed in sandbox mode: until the password is changed, every other statement fails. Whether a client gets sandbox mode or is simply disconnected depends on the server variable disconnect_on_expired_password (ON by default) and on whether the client signals that it can handle an expired password; the interactive mysql client does so automatically, which is what the login below shows.

mysql> alter user test@localhost password expire;
Query OK, 0 rows affected (0.00 sec)

Log in:

[root@eces-40638 ~]# mysql -utest -p123456 -S /usr/local/mysql/mysql3306.sock
mysql: [Warning] Using a password on the command line interface can be insecure.
Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 45053
Server version: 8.0.27

Copyright (c) 2000, 2021, Oracle and/or its affiliates.

Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

mysql> select 1;
ERROR 1820 (HY000): You must reset your password using ALTER USER statement before executing this statement.
mysql>

When creating or altering a user you can give the password a lifetime, after which it expires automatically:

mysql> alter user test1@localhost identified by 'a123456' password expire interval 30 day;
Query OK, 0 rows affected (0.00 sec)

mysql> select user,host,password_last_changed,authentication_string,password_expired from mysql.user where user = 'test1';
+-------+-----------+-----------------------+-------------------------------------------+------------------+
| user  | host      | password_last_changed | authentication_string                     | password_expired |
+-------+-----------+-----------------------+-------------------------------------------+------------------+
| test1 | localhost | 2023-12-01 13:51:27   | *182EA09A38F1141B2D7916812BD097D51167C3E4 | N                |
+-------+-----------+-----------------------+-------------------------------------------+------------------+
1 row in set (0.00 sec)

The system variable default_password_lifetime defaults to 0, meaning passwords never expire automatically unless an account sets its own interval with PASSWORD EXPIRE INTERVAL (an account can also opt back in to the global value with PASSWORD EXPIRE DEFAULT).

mysql> select @@default_password_lifetime;
+-----------------------------+
| @@default_password_lifetime |
+-----------------------------+
|                           0 |
+-----------------------------+
1 row in set (0.00 sec)

Starting with MySQL 8.0.14 an account can hold two passwords, a primary and a secondary, to ease application transitions. A typical case: a source with several replicas has its account password changed, but the change takes time to replicate. With dual passwords the new primary password works on the source while the old password still works on the replicas; once the change has reached every replica, the old password is discarded. The secondary password is kept by rotating with the RETAIN CURRENT PASSWORD clause of ALTER USER, and discarded with:

alter user test@localhost discard old password;
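
The following sequence is an added example, not a command from the original post: it ties together the account controls described above, creating an application account with an explicit password policy, forcing and then clearing expiration, and performing a dual-password rotation with RETAIN CURRENT PASSWORD before the DISCARD OLD PASSWORD shown above. The account name app_rw, the host pattern 10.0.0.% and the passwords are placeholders; it targets MySQL 8.0.19 or later (FAILED_LOGIN_ATTEMPTS / PASSWORD_LOCK_TIME) and must be run by an account holding CREATE USER.

```sql
-- Added example (not from the original page). Account name, host and passwords are placeholders.
-- Run as an account with CREATE USER; MySQL 8.0.19+ for FAILED_LOGIN_ATTEMPTS.

-- 1. Create the account with the default plugin, restricted to one subnet,
--    TLS required, a 90-day password lifetime, reuse limits, and a one-day
--    lock after five consecutive failed logins.
CREATE USER 'app_rw'@'10.0.0.%'
  IDENTIFIED WITH caching_sha2_password BY 'InitialPass#1'
  REQUIRE SSL
  PASSWORD EXPIRE INTERVAL 90 DAY
  PASSWORD HISTORY 5
  PASSWORD REUSE INTERVAL 365 DAY
  FAILED_LOGIN_ATTEMPTS 5 PASSWORD_LOCK_TIME 1;

-- 2. Check what was recorded in the grant table (ssl_type is 'ANY',
--    password_lifetime 90, the lock policy sits in the JSON column).
SELECT user, host, plugin, ssl_type, password_lifetime,
       password_reuse_history, password_reuse_time, account_locked,
       JSON_EXTRACT(user_attributes, '$.Password_locking') AS password_locking
FROM mysql.user
WHERE user = 'app_rw';

-- 3. Force the next login into sandbox mode: only a password change is
--    accepted until the user sets a new password.
ALTER USER 'app_rw'@'10.0.0.%' PASSWORD EXPIRE;

-- 4. Rotate the password while keeping the old one valid as the secondary
--    password, so clients (and replicas that have not yet applied the change)
--    keep working during the rollout. Changing the password also clears the
--    expiration set in step 3.
ALTER USER 'app_rw'@'10.0.0.%'
  IDENTIFIED BY 'RotatedPass#2' RETAIN CURRENT PASSWORD;

-- Both hashes are now stored: the primary in authentication_string, the
-- secondary under the additional_password key of user_attributes.
SELECT user, host, password_expired,
       JSON_EXTRACT(user_attributes, '$.additional_password') IS NOT NULL
         AS has_secondary_password
FROM mysql.user
WHERE user = 'app_rw';

-- 5. Once every client and replica uses the new password, drop the old one.
ALTER USER 'app_rw'@'10.0.0.%' DISCARD OLD PASSWORD;

-- 6. Emergency lock and unlock, without touching the password.
ALTER USER 'app_rw'@'10.0.0.%' ACCOUNT LOCK;
ALTER USER 'app_rw'@'10.0.0.%' ACCOUNT UNLOCK;

-- Clean-up on a test server.
DROP USER 'app_rw'@'10.0.0.%';
```

Using RETAIN CURRENT PASSWORD on your own account requires the APPLICATION_PASSWORD_ADMIN privilege; using it on other accounts requires CREATE USER. The secondary password is only a bridge: leave step 5 in the rollout runbook, otherwise the old credential stays valid indefinitely.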

2. Privileges

Show the privileges the server supports: show privileges\G

mysql> show privileges\G
*************************** 1. row ***************************
Privilege: Alter
  Context: Tables
  Comment: To alter the table
*************************** 2. row ***************************
Privilege: Alter routine
  Context: Functions,Procedures
  Comment: To alter or drop stored functions/procedures
*************************** 3. row ***************************
Privilege: Create
  Context: Databases,Tables,Indexes
  Comment: To create new databases and tables
  ....................................................

Show the privileges a user holds (USAGE means "may connect, no privileges"):

mysql> show grants for test@localhost;
+------------------------------------------+
| Grants for test@localhost                |
+------------------------------------------+
| GRANT USAGE ON *.* TO `test`@`localhost` |
+------------------------------------------+
1 row in set (0.00 sec)

Grant all privileges to a user. The warning reported below is the 8.0 deprecation notice for SUPER; note that ALL ON *.* also includes FILE, SHUTDOWN and every dynamic *_ADMIN privilege, so the account becomes a second root:

mysql> grant all on *.* to test@localhost;
Query OK, 0 rows affected, 1 warning (0.00 sec)

mysql> show grants for test@localhost;
+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| Grants for test@localhost                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              |
+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| GRANT SELECT, INSERT, UPDATE, DELETE, CREATE, DROP, RELOAD, SHUTDOWN, PROCESS, FILE, REFERENCES, INDEX, ALTER, SHOW DATABASES, SUPER, CREATE TEMPORARY TABLES, LOCK TABLES, EXECUTE, REPLICATION SLAVE, REPLICATION CLIENT, CREATE VIEW, SHOW VIEW, CREATE ROUTINE, ALTER ROUTINE, CREATE USER, EVENT, TRIGGER, CREATE TABLESPACE, CREATE ROLE, DROP ROLE ON *.* TO `test`@`localhost`                                                                                                                                                                                                                                                                                                 |
| GRANT APPLICATION_PASSWORD_ADMIN,AUDIT_ADMIN,AUTHENTICATION_POLICY_ADMIN,BACKUP_ADMIN,BINLOG_ADMIN,BINLOG_ENCRYPTION_ADMIN,CLONE_ADMIN,CONNECTION_ADMIN,ENCRYPTION_KEY_ADMIN,FLUSH_OPTIMIZER_COSTS,FLUSH_STATUS,FLUSH_TABLES,FLUSH_USER_RESOURCES,GROUP_REPLICATION_ADMIN,GROUP_REPLICATION_STREAM,INNODB_REDO_LOG_ARCHIVE,INNODB_REDO_LOG_ENABLE,PASSWORDLESS_USER_ADMIN,PERSIST_RO_VARIABLES_ADMIN,REPLICATION_APPLIER,REPLICATION_SLAVE_ADMIN,RESOURCE_GROUP_ADMIN,RESOURCE_GROUP_USER,ROLE_ADMIN,SERVICE_CONNECTION_ADMIN,SESSION_VARIABLES_ADMIN,SET_USER_ID,SHOW_ROUTINE,SYSTEM_USER,SYSTEM_VARIABLES_ADMIN,TABLE_ENCRYPTION_ADMIN,XA_RECOVER_ADMIN ON *.* TO `test`@`localhost` |
+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
2 rows in set (0.00 sec)

[Summary]

1. all privileges: grants every privilege; individual privileges such as SELECT, CREATE or DROP can be listed instead.
2. on: which databases and tables the privileges apply to, in the form db_name.tbl_name; *.* means every table in every database (global level).
3. to: which account receives the privileges, in the form user_name@host; a host of % means the account may connect from any host.
4. identified by: in MySQL 5.7 and earlier GRANT could create the account and set its password with this clause; MySQL 8.0 removed it, so the account must be created with CREATE USER first and GRANT only assigns privileges.
5. with grant option: lets the user pass its own privileges on to other accounts.
6. Privileges added with grant accumulate; a new grant never overwrites earlier ones, so unwanted privileges must be removed explicitly.
7. Privileges changed with GRANT, REVOKE, CREATE USER or ALTER USER take effect immediately. flush privileges is only needed after modifying the grant tables directly with INSERT, UPDATE or DELETE, and it reloads them from the tables into memory, not the other way round.
8. revoke removes privileges.

3. Access Control

MySQL controls client access in two stages. First it verifies that the connection is legitimate: the supplied user name, the client host and the credentials must match a row in mysql.user. When several rows could match, the server tries the most specific Host value first (literal host names before wildcards such as %), which is why code@localhost and code@% in the listing above are distinct accounts. Second, for every statement, it checks whether that account holds the required privilege on the specific objects involved.

Grant test1@localhost the SELECT privilege on only the id column of table test.test:

grant select (id) on test.test to test1@localhost;

Column-level privileges are the finest-grained level. Privileges are checked from the global level (mysql.user) down through database (mysql.db), table (mysql.tables_priv) and column (mysql.columns_priv) level, and the statement is allowed as soon as any level grants the privilege, so a global grant cannot be narrowed at table or column level.
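
An added example, not from the original post, that walks through the GRANT/REVOKE summary and the column-level grant above on a throwaway schema and shows which grant table each privilege level lands in, so the effect (or lack of effect) of FLUSH PRIVILEGES can be reasoned about. The schema app, its tables and the account report@'192.168.1.%' are placeholders.

```sql
-- Added example (not from the original page). Schema, table and account names are placeholders.
CREATE DATABASE IF NOT EXISTS app;
CREATE TABLE IF NOT EXISTS app.orders (
  id         INT PRIMARY KEY,
  customer   VARCHAR(64),
  card_last4 CHAR(4),
  amount     DECIMAL(10,2)
);
CREATE TABLE IF NOT EXISTS app.products (id INT PRIMARY KEY, name VARCHAR(64));

-- In 8.0 the account must exist before GRANT; GRANT ... IDENTIFIED BY is gone.
CREATE USER 'report'@'192.168.1.%' IDENTIFIED BY 'ReportPass#1';

-- Column level: the reporting account may read only the non-sensitive columns.
GRANT SELECT (id, customer, amount) ON app.orders TO 'report'@'192.168.1.%';

-- Table level: a second table may be read in full.
GRANT SELECT ON app.products TO 'report'@'192.168.1.%';

-- Database level: temporary tables for building reports.
GRANT CREATE TEMPORARY TABLES ON app.* TO 'report'@'192.168.1.%';

-- Each level is recorded in a different grant table, and none of the
-- statements above needs FLUSH PRIVILEGES to take effect.
SELECT 'global'   AS level, user, host, Select_priv, Super_priv, File_priv
  FROM mysql.user        WHERE User = 'report';
SELECT 'database' AS level, Db, Create_tmp_table_priv
  FROM mysql.db          WHERE User = 'report';
SELECT 'table'    AS level, Db, Table_name, Table_priv, Column_priv
  FROM mysql.tables_priv WHERE User = 'report';
SELECT 'column'   AS level, Table_name, Column_name, Column_priv
  FROM mysql.columns_priv WHERE User = 'report';

-- The same picture, as SHOW GRANTS prints it.
SHOW GRANTS FOR 'report'@'192.168.1.%';

-- Grants accumulate: a later GRANT adds to the earlier ones, so remove
-- what is no longer needed explicitly.
REVOKE CREATE TEMPORARY TABLES ON app.* FROM 'report'@'192.168.1.%';

-- In a session authenticated as report@'192.168.1.%':
--   SELECT id, customer, amount FROM app.orders;   -- succeeds
--   SELECT * FROM app.orders;                        -- ERROR 1143: SELECT command denied ... for column 'card_last4'

-- Only direct edits of the grant tables need a reload, e.g.
--   UPDATE mysql.user SET account_locked = 'Y' WHERE User = 'report';
--   FLUSH PRIVILEGES;
-- and the reload copies the tables into memory, not memory into the tables.

-- Clean-up on a test server.
DROP USER 'report'@'192.168.1.%';
DROP DATABASE app;
```

The column grant creates a row in mysql.tables_priv with an empty Table_priv and Column_priv = 'Select' plus one row per column in mysql.columns_priv; a practitioner auditing an instance should query those two tables, not just mysql.user, to see every privilege an account holds.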

4. Roles

[Create roles]: create role test_read,test_write;

mysql> create role test_read,test_write;
Query OK, 0 rows affected (0.00 sec)

[Grant privileges to a role]: grant select on test.* to test_read;

mysql> grant select on test.* to test_read;
Query OK, 0 rows affected (0.01 sec)

[Grant the role to a user]: grant test_read to test1@localhost;

mysql> grant test_read to test1@localhost;
Query OK, 0 rows affected (0.01 sec)

[Query the user-to-role mapping]: select * from mysql.role_edges;

mysql> select * from mysql.role_edges;
+-----------+-----------+-----------+---------+-------------------+
| FROM_HOST | FROM_USER | TO_HOST   | TO_USER | WITH_ADMIN_OPTION |
+-----------+-----------+-----------+---------+-------------------+
| %         | test_read | localhost | test1   | N                 |
+-----------+-----------+-----------+---------+-------------------+
1 row in set (0.00 sec)

[Activate roles] A granted role confers nothing until it is active. set role test_read; activates it for the current session only; to have roles active automatically at every login, set a default role:
set default role all to user_name;

mysql> set default role all to test1@localhost;
Query OK, 0 rows affected (0.01 sec)

Alternatively, set the system variable activate_all_roles_on_login to ON so that every granted role is active at login for every account: set global activate_all_roles_on_login=ON;

Show the roles active in the current session (the session shown here has no active role, hence NONE):

mysql> select current_role();
+----------------+
| current_role() |
+----------------+
| NONE           |
+----------------+
1 row in set (0.00 sec)

[Revoke a role from a user] revoke role_name from user_name;

[Revoke privileges from a role] revoke priv1, priv2, ... privN on db_name.tbl_name from role_name;

[Drop roles] drop role role1, role2, ...; (dropping a role also revokes it from every account it was granted to)

[Show a role's privileges] show grants for role_name;

mysql> show grants for test_read;
+---------------------------------------------+
| Grants for test_read@%                      |
+---------------------------------------------+
| GRANT USAGE ON *.* TO `test_read`@`%`       |
| GRANT SELECT ON `test`.* TO `test_read`@`%` |
+---------------------------------------------+
2 rows in set (0.00 sec)
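
The following is an added example, not part of the original post, that completes the role workflow above: two roles with different privilege sets, one nested in the other, a user granted both, and the checks that distinguish granted roles from active ones. The schema app, the roles app_read and app_write and the user svc@'10.0.0.%' are placeholders.

```sql
-- Added example (not from the original page). Names are placeholders.
CREATE DATABASE IF NOT EXISTS app;
CREATE TABLE IF NOT EXISTS app.orders (id INT PRIMARY KEY, amount DECIMAL(10,2));

CREATE ROLE IF NOT EXISTS app_read, app_write;
GRANT SELECT ON app.* TO app_read;
GRANT INSERT, UPDATE, DELETE ON app.* TO app_write;
-- Roles can be nested: a writer also needs to read.
GRANT app_read TO app_write;

CREATE USER IF NOT EXISTS 'svc'@'10.0.0.%' IDENTIFIED BY 'SvcPass#1';
GRANT app_read, app_write TO 'svc'@'10.0.0.%';

-- Granted is not the same as active. Without a default role, svc logs in
-- with USAGE only (unless activate_all_roles_on_login=ON).
SHOW GRANTS FOR 'svc'@'10.0.0.%';                       -- USAGE plus the two role grants
SHOW GRANTS FOR 'svc'@'10.0.0.%' USING app_read;        -- effective privileges with app_read active
SHOW GRANTS FOR 'svc'@'10.0.0.%' USING app_read, app_write;

-- Least privilege by default: only the read role is active at login; the
-- write role must be switched on with SET ROLE in the session that needs it.
SET DEFAULT ROLE app_read TO 'svc'@'10.0.0.%';
SELECT * FROM mysql.default_roles WHERE USER = 'svc';
SELECT * FROM mysql.role_edges WHERE TO_USER IN ('svc', 'app_write');

-- In svc's own session:
--   SELECT CURRENT_ROLE();           -- `app_read`@`%`
--   SET ROLE app_read, app_write;    -- elevate for this session only
--   SET ROLE NONE;                   -- back to no active roles

-- Take write access away again: the role_edges row disappears, the role itself stays.
REVOKE app_write FROM 'svc'@'10.0.0.%';

-- Dropping a role revokes it from every grantee automatically.
DROP ROLE app_write;
SELECT * FROM mysql.role_edges WHERE FROM_USER = 'app_write';   -- empty

-- Clean-up on a test server.
DROP ROLE app_read;
DROP USER 'svc'@'10.0.0.%';
DROP DATABASE app;
```

SHOW GRANTS ... USING is the query to reach for when auditing: SHOW GRANTS without it lists only the direct grants and the role names, which hides what the account can actually do once a role is activated.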
