Mysql-账户管理

阅读量：4110 次

发布时间：2019-05-25

本文共 23020 字，大约阅读时间需要 76 分钟。

MySQL账户体系

mysql> use mysql;mysql> show tables;+---------------------------+| Tables_in_mysql           |+---------------------------+| columns_priv              || db                        || procs_priv                || proxies_priv              || tables_priv               || user                      |+---------------------------+31 rows in set (0.00 sec)

根据账户所具有的权限的不同，MySQL的账户可以分为以下几种：

服务实例级账号

如果某用户如root,拥有服务实例级分配的权限，那么该账号就可以删除所有的数据库、连同这些库中的表。

数据库级别账号-db

该账号可以在具有权限的数据库中执行增删改查的所有操作（如果分配了这些权限）。

db表列出数据库，而用户有权限访问它们。在这里指定的权限适用于一个数据库中的所有表。

mysql> desc db;+-----------------------+---------------+------+-----+---------+-------+| Field                 | Type          | Null | Key | Default | Extra |+-----------------------+---------------+------+-----+---------+-------+| Host                  | char(60)      | NO   | PRI |         |       || Db                    | char(64)      | NO   | PRI |         |       || User                  | char(32)      | NO   | PRI |         |       || Select_priv           | enum('N','Y') | NO   |     | N       |       || Insert_priv           | enum('N','Y') | NO   |     | N       |       || Update_priv           | enum('N','Y') | NO   |     | N       |       || Delete_priv           | enum('N','Y') | NO   |     | N       |       || Create_priv           | enum('N','Y') | NO   |     | N       |       || Drop_priv             | enum('N','Y') | NO   |     | N       |       || Grant_priv            | enum('N','Y') | NO   |     | N       |       || References_priv       | enum('N','Y') | NO   |     | N       |       || Index_priv            | enum('N','Y') | NO   |     | N       |       || Alter_priv            | enum('N','Y') | NO   |     | N       |       || Create_tmp_table_priv | enum('N','Y') | NO   |     | N       |       || Lock_tables_priv      | enum('N','Y') | NO   |     | N       |       || Create_view_priv      | enum('N','Y') | NO   |     | N       |       || Show_view_priv        | enum('N','Y') | NO   |     | N       |       || Create_routine_priv   | enum('N','Y') | NO   |     | N       |       || Alter_routine_priv    | enum('N','Y') | NO   |     | N       |       || Execute_priv          | enum('N','Y') | NO   |     | N       |       || Event_priv            | enum('N','Y') | NO   |     | N       |       || Trigger_priv          | enum('N','Y') | NO   |     | N       |       |+-----------------------+---------------+------+-----+---------+-------+22 rows in set (0.00 sec)*************************** 7. row ***************************                 Host: %                   Db: sunld_db                 User: account_sunld_db          Select_priv: Y          Insert_priv: Y          Update_priv: Y          Delete_priv: Y          Create_priv: Y            Drop_priv: Y           Grant_priv: Y      References_priv: Y           Index_priv: Y           Alter_priv: YCreate_tmp_table_priv: Y     Lock_tables_priv: Y     Create_view_priv: Y       Show_view_priv: Y  Create_routine_priv: Y   Alter_routine_priv: Y         Execute_priv: Y           Event_priv: Y         Trigger_priv: Y7 rows in set (0.00 sec)

数据表级别账号-tables_priv

该账号可以在具有权限的表上执行增删改查等所有操作（如果分配了这些权限）。

tables_priv表指定表级权限，在这里指定的一个权限适用于一个表的所有列。

mysql> desc tables_priv;+-------------+-----------------------------------------------------------------------------------------------------------------------------------+------+-----+-------------------+-----------------------------+| Field       | Type                                                                                                                              | Null | Key | Default           | Extra                       |+-------------+-----------------------------------------------------------------------------------------------------------------------------------+------+-----+-------------------+-----------------------------+| Host        | char(60)                                                                                                                          | NO   | PRI |                   |                             || Db          | char(64)                                                                                                                          | NO   | PRI |                   |                             || User        | char(32)                                                                                                                          | NO   | PRI |                   |                             || Table_name  | char(64)                                                                                                                          | NO   | PRI |                   |                             || Grantor     | char(93)                                                                                                                          | NO   | MUL |                   |                             || Timestamp   | timestamp                                                                                                                         | NO   |     | CURRENT_TIMESTAMP | on update CURRENT_TIMESTAMP || Table_priv  | set('Select','Insert','Update','Delete','Create','Drop','Grant','References','Index','Alter','Create View','Show view','Trigger') | NO   |     |                   |                             || Column_priv | set('Select','Insert','Update','References')                                                                                      | NO   |     |                   |                             |+-------------+-----------------------------------------------------------------------------------------------------------------------------------+------+-----+-------------------+-----------------------------+8 rows in set (0.00 sec)*************************** 4. row ***************************       Host: %         Db: sunld_db       User: account_sunld_table Table_name: tb_a    Grantor: root@localhost  Timestamp: 0000-00-00 00:00:00 Table_priv: Select,Insert,Update,Delete,Create,Drop,References,Index,Alter,Create View,Show view,TriggerColumn_priv:

字段级别的权限-columns_priv

该账号可以对某些表中具有权限的字段进行操作（取决于所分配的权限）。

columns_priv表指定列级权限。这里指定的权限适用于一个表的特定列。

mysql> desc columns_priv;+-------------+----------------------------------------------+------+-----+-------------------+-----------------------------+| Field       | Type                                         | Null | Key | Default           | Extra                       |+-------------+----------------------------------------------+------+-----+-------------------+-----------------------------+| Host        | char(60)                                     | NO   | PRI |                   |                             || Db          | char(64)                                     | NO   | PRI |                   |                             || User        | char(32)                                     | NO   | PRI |                   |                             || Table_name  | char(64)                                     | NO   | PRI |                   |                             || Column_name | char(64)                                     | NO   | PRI |                   |                             || Timestamp   | timestamp                                    | NO   |     | CURRENT_TIMESTAMP | on update CURRENT_TIMESTAMP || Column_priv | set('Select','Insert','Update','References') | NO   |     |                   |                             |+-------------+----------------------------------------------+------+-----+-------------------+-----------------------------+7 rows in set (0.00 sec)

存储程序级别的账号

该账号可以对存储程序进行增删改查的操作（取决于所分配的权限）

user表

user表列出可以连接服务器的用户及其口令，并且它指定他们有哪种全局（超级用户）权限。在user表启用的任何权限均是全局权限，并适用于所有数据库。例如，如果你启用了DELETE权限，在这里列出的用户可以从任何表中删除记录，所以在你这样做之前要认真考虑。

mysql> desc user;+------------------------+-----------------------------------+------+-----+-----------------------+-------+| Field                  | Type                              | Null | Key | Default               | Extra |+------------------------+-----------------------------------+------+-----+-----------------------+-------+| Host                   | char(60)                          | NO   | PRI |                       |       || User                   | char(32)                          | NO   | PRI |                       |       || Select_priv            | enum('N','Y')                     | NO   |     | N                     |       || Insert_priv            | enum('N','Y')                     | NO   |     | N                     |       || Update_priv            | enum('N','Y')                     | NO   |     | N                     |       || Delete_priv            | enum('N','Y')                     | NO   |     | N                     |       || Create_priv            | enum('N','Y')                     | NO   |     | N                     |       || Drop_priv              | enum('N','Y')                     | NO   |     | N                     |       || Reload_priv            | enum('N','Y')                     | NO   |     | N                     |       || Shutdown_priv          | enum('N','Y')                     | NO   |     | N                     |       || Process_priv           | enum('N','Y')                     | NO   |     | N                     |       || File_priv              | enum('N','Y')                     | NO   |     | N                     |       || Grant_priv             | enum('N','Y')                     | NO   |     | N                     |       || References_priv        | enum('N','Y')                     | NO   |     | N                     |       || Index_priv             | enum('N','Y')                     | NO   |     | N                     |       || Alter_priv             | enum('N','Y')                     | NO   |     | N                     |       || Show_db_priv           | enum('N','Y')                     | NO   |     | N                     |       || Super_priv             | enum('N','Y')                     | NO   |     | N                     |       || Create_tmp_table_priv  | enum('N','Y')                     | NO   |     | N                     |       || Lock_tables_priv       | enum('N','Y')                     | NO   |     | N                     |       || Execute_priv           | enum('N','Y')                     | NO   |     | N                     |       || Repl_slave_priv        | enum('N','Y')                     | NO   |     | N                     |       || Repl_client_priv       | enum('N','Y')                     | NO   |     | N                     |       || Create_view_priv       | enum('N','Y')                     | NO   |     | N                     |       || Show_view_priv         | enum('N','Y')                     | NO   |     | N                     |       || Create_routine_priv    | enum('N','Y')                     | NO   |     | N                     |       || Alter_routine_priv     | enum('N','Y')                     | NO   |     | N                     |       || Create_user_priv       | enum('N','Y')                     | NO   |     | N                     |       || Event_priv             | enum('N','Y')                     | NO   |     | N                     |       || Trigger_priv           | enum('N','Y')                     | NO   |     | N                     |       || Create_tablespace_priv | enum('N','Y')                     | NO   |     | N                     |       || ssl_type               | enum('','ANY','X509','SPECIFIED') | NO   |     |                       |       || ssl_cipher             | blob                              | NO   |     | NULL                  |       || x509_issuer            | blob                              | NO   |     | NULL                  |       || x509_subject           | blob                              | NO   |     | NULL                  |       || max_questions          | int(11) unsigned                  | NO   |     | 0                     |       || max_updates            | int(11) unsigned                  | NO   |     | 0                     |       || max_connections        | int(11) unsigned                  | NO   |     | 0                     |       || max_user_connections   | int(11) unsigned                  | NO   |     | 0                     |       || plugin                 | char(64)                          | NO   |     | mysql_native_password |       || authentication_string  | text                              | YES  |     | NULL                  |       || password_expired       | enum('N','Y')                     | NO   |     | N                     |       || password_last_changed  | timestamp                         | YES  |     | NULL                  |       || password_lifetime      | smallint(5) unsigned              | YES  |     | NULL                  |       || account_locked         | enum('N','Y')                     | NO   |     | N                     |       |+------------------------+-----------------------------------+------+-----+-----------------------+-------+45 rows in set (0.00 sec)*************************** 12. row ***************************                  Host: %                  User: account_sunld_db_2           Select_priv: N           Insert_priv: N           Update_priv: N           Delete_priv: N           Create_priv: N             Drop_priv: N           Reload_priv: N         Shutdown_priv: N          Process_priv: N             File_priv: N            Grant_priv: N       References_priv: N            Index_priv: N            Alter_priv: N          Show_db_priv: N            Super_priv: N Create_tmp_table_priv: N      Lock_tables_priv: N          Execute_priv: N       Repl_slave_priv: N      Repl_client_priv: N      Create_view_priv: N        Show_view_priv: N   Create_routine_priv: N    Alter_routine_priv: N      Create_user_priv: N            Event_priv: N          Trigger_priv: NCreate_tablespace_priv: N              ssl_type:             ssl_cipher:            x509_issuer:           x509_subject:          max_questions: 0           max_updates: 0       max_connections: 0  max_user_connections: 0                plugin: mysql_native_password authentication_string: *6BB4837EB74329105EE4568DDA7DC67ED2CA2AD9      password_expired: N password_last_changed: 2017-12-30 12:33:32     password_lifetime: NULL        account_locked: N

配置权限

grant 命令语法格式

grant 权限名称[字段列表] on [数据库资源类型]数据库资源 to MySQL账户1,[MySQL账户2] [with grant option]#增删改数据库数据权限grant select, insert, update, delete on ****#创建、修改、删除 MySQL 数据表结构权限grant create ,alter  ,drop   on ****#操作 MySQL 外键权限。grant references on ****#操作 MySQL 临时表权限grant create temporary tables on ****#操作 MySQL 索引权限grant index on ****#操作 MySQL 视图、查看视图源代码 权限grant create view on ****grant show   view on ****#操作 MySQL 存储过程、函数 权限grant create routine on ****; -- now, can show procedure statusgrant alter  routine on ****; -- now, you can drop a proceduregrant execute        on ****;#普通 DBA 管理某个 MySQL 数据库的权限grant all privileges on db*** to其中，关键字 “privileges” 可以省略。#高级 DBA 管理 MySQL 中所有数据库的权限grant all on *.* to

创建服务实例级账号

#创建账号sunld_all，拥有所有数据库权限，并且具有grant权限，可以创建其他拥有服务实例权限的其他用户。#查询mysql> show grants for account_sunld_all;ERROR 1141 (42000): There is no such grant defined for user 'account_sunld_all' on host '%'#创建grant all privileges on *.* to 'account_sunld_all'@'%' identified by '123456' with grant option;flush privileges;#查询mysql> show grants for account_sunld_all;+--------------------------------------------------------------------------+| Grants for account_sunld_all@%                                           |+--------------------------------------------------------------------------+| GRANT ALL PRIVILEGES ON *.* TO 'account_sunld_all'@'%' WITH GRANT OPTION |+--------------------------------------------------------------------------+1 row in set (0.00 sec)

创建数据库实例账号

#创建账号sunld_db,拥有sunlddb数据库的所有权限，可以对该库中的表进行所有操作。#查询mysql> show grants for account_sunld_db;ERROR 1141 (42000): There is no such grant defined for user 'account_sunld_db' on host '%'#创建grant all privileges on sunld_db.* to 'account_sunld_db'@'%' identified by '123456' with grant option;#查询mysql> show grants for account_sunld_db;+----------------------------------------------------------------------------------+| Grants for account_sunld_db@%                                                    |+----------------------------------------------------------------------------------+| GRANT USAGE ON *.* TO 'account_sunld_db'@'%'                                     || GRANT ALL PRIVILEGES ON `sunld_db`.* TO 'account_sunld_db'@'%' WITH GRANT OPTION |+----------------------------------------------------------------------------------+2 rows in set (0.00 sec)

创建数据表级别的账号

#创建账号sunld_table，对sunlddb数据中的tb_a表拥有所有权限#查询mysql> show grants for account_sunld_table;ERROR 1141 (42000): There is no such grant defined for user 'account_sunld_table' on host '%'#创建grant all privileges on table sunld_db.tb_a to 'account_sunld_table'@'%' identified by '123456';#查询mysql> show grants for account_sunld_table;+------------------------------------------------------------------------+| Grants for account_sunld_table@%                                       |+------------------------------------------------------------------------+| GRANT USAGE ON *.* TO 'account_sunld_table'@'%'                        || GRANT ALL PRIVILEGES ON `sunld_db`.`tb_a` TO 'account_sunld_table'@'%' |+------------------------------------------------------------------------+2 rows in set (0.00 sec)#这里在给一个用户授权多张表时，可以多次执行以上语句。例如：grant select(user_id,username) on smp.users to mo_user@'%' identified by '123345';grant select on smp.mo_sms to mo_user@'%' identified by '123345';

作用在表中的列上

grant select(id, se, rank) on testdb.apache_log to dba@localhost;

作用在存储过程、函数上

grant execute on procedure testdb.pr_add to 'dba'@'localhost'grant execute on function testdb.fn_add to 'dba'@'localhost'

字段设置冗余复杂，则每次MySQL在进行SQL执行的时候回进行同样复杂的权限判断，造成效率降低性能下降，同时也会存在安全隐患。因此简单、易管理的、高可用的权限才是可取的。

权限的增删改查

#查询mysql> show grants for account_sunld_db_1;ERROR 1141 (42000): There is no such grant defined for user 'account_sunld_db_1' on host '%'#比如原本的权限为：grant select,insert on sunld_db.* to 'account_sunld_db_1'@'%' identified by '123456' with grant option;#查询mysql> show grants for account_sunld_db_1;+------------------------------------------------------------------------------------+| Grants for account_sunld_db_1@%                                                    |+------------------------------------------------------------------------------------+| GRANT USAGE ON *.* TO 'account_sunld_db_1'@'%'                                     || GRANT SELECT, INSERT ON `sunld_db`.* TO 'account_sunld_db_1'@'%' WITH GRANT OPTION |+------------------------------------------------------------------------------------+2 rows in set (0.00 sec)#想要增加update, delete,alter 权限可以如下操作：grant update,delete,alter on sunld_db.* to 'account_sunld_db_1'@'%' identified by '123456' with grant option;#然后使用show grants for account_sunld_db_1;mysql> show grants for account_sunld_db_1;+-----------------------------------------------------------------------------------------------------------+| Grants for account_sunld_db_1@%                                                                           |+-----------------------------------------------------------------------------------------------------------+| GRANT USAGE ON *.* TO 'account_sunld_db_1'@'%'                                                            || GRANT SELECT, INSERT, UPDATE, DELETE, ALTER ON `sunld_db`.* TO 'account_sunld_db_1'@'%' WITH GRANT OPTION |+-----------------------------------------------------------------------------------------------------------+2 rows in set (0.00 sec)#删除权限insertrevoke insert on sunld_db.* from  'account_sunld_db_1'@'%';查看mysql> show grants for account_sunld_db_1;+---------------------------------------------------------------------------------------------------+| Grants for account_sunld_db_1@%                                                                   |+---------------------------------------------------------------------------------------------------+| GRANT USAGE ON *.* TO 'account_sunld_db_1'@'%'                                                    || GRANT SELECT, UPDATE, DELETE, ALTER ON `sunld_db`.* TO 'account_sunld_db_1'@'%' WITH GRANT OPTION |+---------------------------------------------------------------------------------------------------+2 rows in set (0.00 sec)

用户管理

用户管理也无非是增加用户、删除用户、密码修改和授权之类的。

查询用户

查询数据库mysql下的表user;

mysql> select user,host from user;+----------------------------+-----------+| user                       | host      |+----------------------------+-----------+| account_sunld_all          | %         || account_sunld_db           | %         || account_sunld_db_1         | %         || account_sunld_table        | %         || inspurCloudDB              | %         || inspurCloudCheckDBDiskSize | 127.0.0.1 || inspurCloudDB              | 127.0.0.1 || root                       | 127.0.0.1 || inspurCloudDB              | localhost || mysql.sys                  | localhost || root                       | localhost |+----------------------------+-----------+11 rows in set (0.00 sec)

增加用户

create user 'USER_NAME'@'HOST' identified by 'PASSOWRD';#例子create user 'account_sunld_db_2'@'%' identified by '123456';

设置用户密码

set password=password('123456');其实这个命令不仅能够设置当前用户的密码，也可以设置其他用户的密码，这个命令的完整格式是：set password [for USER] = passowrd('新密码');#例子set password for account_sunld_db_2=password('123456');

在安装validate_password插件之后会出现如下信息

ERROR 1819 (HY000): Your password does not satisfy the current policy requirements

mysql> SHOW VARIABLES LIKE 'validate_password%';+--------------------------------------+--------+| Variable_name                        | Value  |+--------------------------------------+--------+| validate_password_check_user_name    | OFF    || validate_password_dictionary_file    |        || validate_password_length             | 8      || validate_password_mixed_case_count   | 1      || validate_password_number_count       | 1      || validate_password_policy             | MEDIUM || validate_password_special_char_count | 1      |+--------------------------------------+--------+7 rows in set (0.00 sec)

validate_password_policy有以下取值：

Policy	Tests Performed
0 or LOW	Length
1 or MEDIUM	Length; numeric, lowercase/uppercase, and special characters
2 or STRONG	Length; numeric, lowercase/uppercase, and special characters; dictionary file

mysql> set global validate_password_policy=0;mysql> set global validate_password_length=1;mysql> set password=password('123456a?');

删除用户

drop user USER_NAME；#例子drop user account_sunld_db_2;

其他

注意事项

MySQL grant、revoke 用户权限注意事项

1. grant, revoke 用户权限后，该用户只有重新连接 MySQL 数据库，权限才能生效。

2. 如果想让授权的用户，也可以将这些权限 grant 给其他用户，需要选项 “grant option“

grant select on testdb.* to 'dba'@'localhost' with grant option;

这个特性一般用不到。实际中，数据库权限最好由 DBA 来统一管理。

@符号

当不加@选项时，效果与加@'%'是一样的，'%'从名义上包括任何主机，（%必须加上引号，不然与@放在一起可能不会被辨认出。）不过有些时候（有些版本）'%'不包括localhost，要单独对@'localhost'进行赋值。

参考

转载地址：http://ofasi.baihongyu.com/

你可能感兴趣的文章

Spring框架的ImportSelector到底可以干嘛

查看>>

Linux学习日记（十四）——Ubuntu下 make工程管理器的使用

查看>>

Mysql中下划线问题

查看>>

Linux命令之 cat less more tail head

Spring之rest full 服务搭建

Mysql之默认存储引擎设置及root用户密码添加

查看>>

Nginx之linux安装

查看>>

CSS之id和class区别以及字体加粗样式

查看>>

Hadoop的MR中获取JobTracker配置

apache common base64编码

查看>>

apache common md5编码

查看>>