MySQL用户和权限管理
- 元数据数据库:mysql
- 系统授权表:
db, host, user
columns_priv, tables_priv, procs_priv, proxies_priv - 用户账号:
'USERNAME'@'HOST'
@'HOST': - 主机名
IP地址或Network
通配符: % _
示例:172.16.%.% - 查看系统账户
MariaDB [(none)]> SELECT user,host,password from mysql.user;
+------+-----------------------+----------+
| user | host | password |
+------+-----------------------+----------+
| root | localhost | |
| root | localhost.localdomain | |
| root | 127.0.0.1 | |
| root | ::1 | |
| | localhost | |
| | localhost.localdomain | |
+------+-----------------------+----------+
用户管理
- 创建用户:CREATE USER
默认权限:USAGE
#CREATE USER 'USERNAME'@'HOST' [IDENTIFIED BY 'password'];
CREATE USER 'chen'@'%' IDENTIFIED BY 'centos';
- 用户重命名:RENAME USER
#RENAME USER old_user_name TO new_user_name;
RENAME USER chen to wang ;
- 删除用户:
DROP USER 'USERNAME'@'HOST'
#删除默认的空用户
DROP USER ''@'localhost';
#示例:
DROP USER wang;
- 修改密码:
#方法1
SET PASSWORD FOR 'user'@'host' = PASSWORD('password');
#方法2
UPDATE mysql.user SET password=PASSWORD('password') WHERE *;
FLUSH PRIVILEGES;
#方法3
mysqladmin -u root -poldpass password 'newpass'
#示例:
SET PASSWORD FOR chen = PASSWORD('chen');
- 忘记管理员密码的解决办法:
- 启动mysqld进程前,添加这2条配置
vim /etc/my.cnf skip-grant-tables #忽略授权表 skip-networking #禁止网络连接 #启动服务 service mysqld restart - 使用UPDATE命令修改管理员密码
mysql> UPDATE mysql.user SET password=password('你的密码') where user='root'; - 关闭mysqld进程,移除上述两个选项,重启mysqld
- 启动mysqld进程前,添加这2条配置
- 关闭名字解析
vim /etc/my.cnf
skip_name_resolve=on
授权
MySQL权限管理
权限类别:管理类、程序类、数据库级别、表级别、字段级别
| 管理类 | 程序类 | 库和表级别 | 数据操作 | 字段级别 | 所有权限 |
|---|---|---|---|---|---|
| CREATE TEMPORARY TABLES | FUNCTION | DATABASE | SELECT | SELECT(col1,col2,...) | ALL |
| CREATE USER | PROCEDURE | TABLE | INSERT | UPDATE(col1,col2,...) | |
| FILE | TRIGGER | ALTER | DELETE | INSERT(col1,col2,...) | |
| SUPER | CREATE | CREATE | UPDATE | ||
| SHOW DATABASES | ALTER | CREATE VIEW | |||
| RELOAD | DROP | DROP | |||
| SHUTDOWN | EXCUTE | INDEX | |||
| REPLICATION SLAVE | SHOW VIEW | ||||
| REPLICATION CLIENT | GRANT OPTION |
能将自己获得的权限转赠给其他用户
LOCK TABLES
PROCESS
GRANT
参考:https://dev.mysql.com/doc/refman/5.7/en/grant.html
- 查看权限
MariaDB [test2]> show grants for chen\G
*************************** 1. row ***************************
Grants for chen@%: GRANT USAGE ON *.* TO 'chen'@'%' IDENTIFIED BY PASSWORD '*128977E278358FF80A246B5046F51043A2B1FCED'
1 row in set (0.000 sec)
我们可以看到,刚创建的用户有USAGE权限,而这个其实是没有什么权限的,因此表示该用户在所有表上没有权限。
- 格式
GRANT priv_type [(column_list)],... ON [object_type] priv_level TO 'user'@'host' [IDENTIFIED BY 'password'] [WITH GRANT OPTION];
priv_type: ALL [PRIVILEGES]
object_type:TABLE | FUNCTION | PROCEDURE
priv_level: *(所有库) | *.* | db_name.* | db_name.tbl_name | tbl_name(当前库的表) | db_name.routine_name(指定库的函数,存储过程,触发器)
with_option: GRANT OPTION
| MAX_QUERIES_PER_HOUR count
| MAX_UPDATES_PER_HOUR count
| MAX_CONNECTIONS_PER_HOUR count
| MAX_USER_CONNECTIONS count
- 授权示例:
#GRANT SELECT (col1), INSERT (col1,col2) ON mydb.mytbl TO 'someuser'@'somehost';
GRANT ALL ON hellodb.* TO test@'192.168.99.%' identified by 'centos'
- 回收授权
REVOKE priv_type [(column_list)] [, priv_type [(column_list)]] ... ON [object_type] priv_level FROM user [, user] ...
示例:
REVOKE DELETE ON testdb.* FROM 'testuser'@'172.16.0.%';
- 查看指定用户获得的授权
#查看帮助
Help SHOW GRANTS
#查看指定权限
SHOW GRANTS FOR 'user'@'host';
#查看当前用户权限
SHOW GRANTS FOR CURRENT_USER;
注意:MariaDB服务进程启动时会读取mysql库中所有授权表至内存
(1) GRANT或REVOKE等执行权限操作会保存于系统表中,MariaDB的服务进程通常会自动重读授权表,使之生效
(2) 对于不能够或不能及时重读授权表的命令,可手动让MariaDB的服务进程重读授权表:mysql> FLUSH PRIVILEGES;