10.创建 MySQL 用户及赋予用户权限

10.1 使用语法:

通过在 mysql 中输入 help grant 得到如下帮助信息

CREATE USER 'jeffrey'@'localhost' IDENTIFIED BY 'mypass';
GRANT ALL ON db1.* TO 'jeffrey'@'localhost';
GRANT SELECT ON db2.invoice TO 'jeffrey'@'localhost';
GRANT USAGE ON *.* TO 'jeffrey'@'localhost' WITH MAX_QUERIES_PER_HOUR 90;​

10.2 第一种创建用户及授权方法：

创建用户

mysql> create user oldboy@'localhost' identified by 'oldboy';
Query OK, 0 rows affected (0.00 sec)​

查看用户其权限

mysql> show grants for oldboy@'localhost';
+---------------------------------------------------------------------------------------------------------------+
| Grants for oldboy@localhost
|
+---------------------------------------------------------------------------------------------------------------+
| GRANT USAGE ON *.* TO 'oldboy'@'localhost' IDENTIFIED BY PASSWORD
'*7495041D24E489A0096DCFA036B166446FDDD992' |
+---------------------------------------------------------------------------------------------------------------+
1 row in set (0.00 sec)​
授权用户权限

mysql> grant all on oldboy_gbk.* to oldboy@'localhost';
Query OK, 0 rows affected (0.04 sec)
mysql> show grants for oldboy@'localhost';
+---------------------------------------------------------------------------------------------------------------+
| Grants for oldboy@localhost
|
+---------------------------------------------------------------------------------------------------------------+
| GRANT USAGE ON *.* TO 'oldboy'@'localhost' IDENTIFIED BY PASSWORD
'*7495041D24E489A0096DCFA036B166446FDDD992' |
| GRANT ALL PRIVILEGES ON `oldboy_gbk`.* TO 'oldboy'@'localhost'
|
+---------------------------------------------------------------------------------------------------------------+
2 rows in set (0.00 sec)​

10.3 第二种创建用户及授权方法：

mysql> grant all on oldboy_gbk.* to oldgirl@'localhost' identified by 'oldgirl';
Query OK, 0 rows affected (0.00 sec)
列表说明:
grant all on dbname.* to username@’lcoalhost’ identified by ‘password’
授 权命令对应权限
目标：库和表 用户名和客户端主机 用户密码
mysql> show grants for oldgirl@'localhost';
+----------------------------------------------------------------------------------------------------------------+
| Grants for oldgirl@localhost
|
+----------------------------------------------------------------------------------------------------------------+
| GRANT USAGE ON *.* TO 'oldgirl'@'localhost' IDENTIFIED BY PASSWORD
'*4FD27385BB43242FE02158144D4C211F75A03F76' |
| GRANT ALL PRIVILEGES ON `oldboy_gbk`.* TO 'oldgirl'@'localhost'
|
+----------------------------------------------------------------------------------------------------------------+
2 rows in set (0.00 sec)​

10.4 创建用户及授权哪个网段的主机可以连接 oldboy_gbk 库

提示：如果是 web 连接数据库的用户，尽量不要授权 all，而是 select，insert，update，delete

10.4.1 第一种方法：

mysql> grant all on oldboy_gbk.* to oldgirl@'172.16.1.%' identified by 'oldgirl';
Query OK, 0 rows affected (0.00 sec)
%表示 172.16.1.1-255 网段​

10.4.2 第二种方法：

mysql> grant all on oldboy_gbk.* to oldgirl@'172.16.1.0/255.255.255.0' identified by 'oldgirl';
Query OK, 0 rows affected (0.00 sec)
提示:不能这样写 oldgirl@’172.16.1.0/24’​

10.5 关于 mysql 回收某个用户权限

语法格式：

REVOKE
 priv_type [(column_list)]
 [, priv_type [(column_list)]] ...
 ON [object_type] priv_level
 FROM user [, user] ...
REVOKE ALL PRIVILEGES, GRANT OPTION
FROM user [, user] ...​

实例:查看 oldboy 用户回收权限前的权限

mysql> show grants for oldboy@'localhost';
+---------------------------------------------------------------------------------------------------------------+
| Grants for oldboy@localhost
|
+---------------------------------------------------------------------------------------------------------------+
| GRANT USAGE ON *.* TO 'oldboy'@'localhost' IDENTIFIED BY PASSWORD
'*7495041D24E489A0096DCFA036B166446FDDD992' |
| GRANT ALL PRIVILEGES ON `oldboy_gbk`.* TO 'oldboy'@'localhost'
|
+---------------------------------------------------------------------------------------------------------------+
3 rows in set (0.00 sec)​

查看回收 oldboy 用户的 insert 权限之后的权限

mysql> REVOKE INSERT ON oldboy_gbk.* FROM 'oldboy'@'localhost';
Query OK, 0 rows affected (0.00 sec)
mysql> flush privileges;
Query OK, 0 rows affected (0.00 sec)
mysql> show grants for 'oldboy'@'localhost';
+---------------------------------------------------------------------------------------------------------------------
-----------------------------------------------------------------------------------------------------------------+
| Grants for oldboy@localhost
|
+---------------------------------------------------------------------------------------------------------------------
-----------------------------------------------------------------------------------------------------------------+
| GRANT USAGE ON *.* TO 'oldboy'@'localhost' IDENTIFIED BY PASSWORD
'*7495041D24E489A0096DCFA036B166446FDDD992'
|
| GRANT SELECT, UPDATE, DELETE, CREATE, DROP, REFERENCES, INDEX, ALTER,
CREATE TEMPORARY TABLES, LOCK TABLES, EXECUTE, CREATE VIEW, SHOW VIEW,
CREATE ROUTINE, ALTER ROUTINE, EVENT, TRIGGER ON `oldboy_gbk`.* TO
'oldboy'@'localhost' |
+---------------------------------------------------------------------------------------------------------------------
-----------------------------------------------------------------------------------------------------------------+
2 rows in set (0.00 sec)​

10.6 企业生产环境如何授权用户权限（mysql 主库）

博客，CMS 等产品的数据库授权：
对于 web 连接用户授权尽量采用最小化原则，很多开源软件都是 web 界面安装，因此，在安装期间除了 select，insert，update，delete4 个权限外，还需要 create，drop 等比较危险的权限

mysql> grant insert,delete,update,select on blog.* to blog@'172.16.1.%' identified by 'blog';
Query OK, 0 rows affected (0.00 sec)
mysql> show grants for blog@'172.16.1.%';
+--------------------------------------------------------------------------------------------------------------+
| Grants for blog@172.16.1.%
|
+--------------------------------------------------------------------------------------------------------------+
| GRANT USAGE ON *.* TO 'blog'@'172.16.1.%' IDENTIFIED BY PASSWORD
'*A5BA49C964C6DB89302E2EA293048E9224B33F34' |
| GRANT SELECT, INSERT, UPDATE, DELETE ON `blog`.* TO 'blog'@'172.16.1.%'
|
+--------------------------------------------------------------------------------------------------------------+
2 rows in set (0.00 sec)​

常规情况下授权 select，insert，update，delete4 个权限即可，有的开源软件，例如 discuz bbs，
还需要 create，drop 等比较危险的权限，生成数据库表后，要收回 create、drop 权限

mysql> revoke drop,create on blog.* from blog@'172.16.1.%';
Query OK, 0 rows affected (0.00 sec)
to your MySQL server version for the right syntax to use near 'from blog@'172.16.1.%'' at line 1
mysql> show grants for blog@'172.16.1.%';
+--------------------------------------------------------------------------------------------------------------+
| Grants for blog@172.16.1.%
|
+--------------------------------------------------------------------------------------------------------------+
| GRANT USAGE ON *.* TO 'blog'@'172.16.1.%' IDENTIFIED BY PASSWORD
'*A5BA49C964C6DB89302E2EA293048E9224B33F34' |
| GRANT SELECT, INSERT, UPDATE, DELETE ON `blog`.* TO 'blog'@'172.16.1.%'
|
+--------------------------------------------------------------------------------------------------------------+
2 rows in set (0.00 sec)​