I. MySQL user management
1>. What a user account consists of
MySQL is unusual in how it identifies users: an account is made of two parts, a user name and a host (username@hostname). The user name is whatever you choose; the host part can be a host name, an IP address or a network range, and it supports the wildcards % (any sequence of characters) and _ (exactly one character), so 'app'@'10.0.%' covers every address in 10.0.0.0/16 and 'app'@'%' covers any host at all. The same user name with two different host parts is two separate accounts, each with its own password and its own privileges; when a connecting client matches more than one of them, the server uses the most specific host match (literal host names and addresses before patterns, '%' last). Keep the host part as narrow as the deployment allows: '%' is convenient in a lab, but in production it means a leaked password works from anywhere the port is reachable.
2>. Common account-management statements
create user     #create an account
drop user       #delete an account
rename user     #rename an account (the user part, the host part, or both)
set password    #set an account's password
3>. Privilege-management statements
grant
#grant privileges
revoke
#take privileges away
4>. Viewing the privileges an account holds:
mysql> show grants for 'username'@'hostname';
The following is a MySQL example:
mysql> create user chensiting@'%' identified by '123';    #note: the host part '%' means this account may connect from any address; '123' is a lab-only password
Query OK, 0 rows affected (0.00 sec)

mysql> flush privileges;    #tells the server to re-read the grant tables; not actually needed here, because CREATE USER, GRANT and REVOKE update the in-memory grant tables themselves (FLUSH PRIVILEGES is for changes made by editing the mysql.* tables directly)
Query OK, 0 rows affected (0.00 sec)

#After the statements above, open a new terminal and verify:
[root@10e0e0e12 ~]# mysql -u chensiting -h 10.0.0.15 -p123    #a password given on the command line shows up in ps output and shell history; outside a lab, pass -p alone and type it at the prompt
Welcome to the MariaDB monitor.  Commands end with ; or \g.
Your MySQL connection id is 5
Server version: 5.6.50 MySQL Community Server (GPL)

Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

MySQL [(none)]> show databases;
+--------------------+
| Database           |
+--------------------+
| information_schema |
+--------------------+
1 row in set (0.00 sec)

MySQL [(none)]> create database testdb;    #clearly the account has no privilege to create a database: a freshly created account holds only USAGE, i.e. it can connect and look at information_schema and nothing more
ERROR 1044 (42000): Access denied for user 'chensiting'@'%' to database 'testdb'

mysql> rename user chensiting@'%' to 'yhh'@'%';    #because an account is user@host, RENAME USER can change the user part, the host part, or both; the renamed account keeps its password and its privileges
Query OK, 0 rows affected (0.01 sec)

[root@10e0e0e12 ~]# mysql -u yhh -h 10.0.0.15 -p123    #logging in with the old name now fails, while the new name with the unchanged password succeeds
Welcome to the MariaDB monitor.  Commands end with ; or \g.
Your MySQL connection id is 6
Server version: 5.6.50 MySQL Community Server (GPL)

Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

MySQL [(none)]>

mysql> set password for 'yhh'@'%' = password('666');    #set a new password for the renamed account (MySQL 5.6 syntax; on 5.7.6+ and 8.0 the PASSWORD() function is deprecated/removed and the form is ALTER USER 'yhh'@'%' IDENTIFIED BY '666')
Query OK, 0 rows affected (0.00 sec)

[root@10e0e0e12 ~]# mysql -u yhh -h 10.0.0.15 -p123    #the old password no longer works
ERROR 1045 (28000): Access denied for user 'yhh'@'cobbler' (using password: YES)
[root@10e0e0e12 ~]# mysql -u yhh -h 10.0.0.15 -p666    #the new password does
Welcome to the MariaDB monitor.  Commands end with ; or \g.
Your MySQL connection id is 8
Server version: 5.6.50 MySQL Community Server (GPL)

Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

MySQL [(none)]>
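The account lifecycle above, worked through with host-scoped accounts instead of '%'. This is an added example and not part of the original page; the account names (app_user, app_ro, batch_user), the 10.0.0.0/16 network and the passwords are assumptions made for the illustration, and the syntax is the MySQL 5.6 form used on this page.

```sql
-- Added example, not from the original page. Names, network and passwords are assumed.

-- Two accounts that share a user name but differ in the host part are two separate
-- accounts, each with its own password and privilege set.
CREATE USER 'app_user'@'10.0.%'   IDENTIFIED BY 'Lab-Only-Pass-1';   -- any host in 10.0.0.0/16
CREATE USER 'app_user'@'10.0.1.5' IDENTIFIED BY 'Lab-Only-Pass-2';   -- one specific host

-- The netmask form says the same thing as the wildcard form for whole octets and
-- also handles masks that do not fall on an octet boundary.
CREATE USER 'batch_user'@'10.0.0.0/255.255.0.0' IDENTIFIED BY 'Lab-Only-Pass-3';

-- The server matches the most specific host first (literal hosts before patterns),
-- so a client connecting from 10.0.1.5 must present 'Lab-Only-Pass-2', and the
-- 'app_user'@'10.0.%' password is refused from that address.
SELECT user, host FROM mysql.user WHERE user IN ('app_user', 'batch_user');

-- Renaming changes the identity only; the password and grants travel with the account.
RENAME USER 'app_user'@'10.0.%' TO 'app_ro'@'10.0.%';

-- Password change, MySQL 5.6 form (as on this page) ...
SET PASSWORD FOR 'app_ro'@'10.0.%' = PASSWORD('Lab-Only-Pass-4');
-- ... and the form for 5.7.6+/8.0, where PASSWORD() is deprecated and later removed:
-- ALTER USER 'app_ro'@'10.0.%' IDENTIFIED BY 'Lab-Only-Pass-4';

-- A new account holds USAGE only; everything else has to be granted explicitly.
SHOW GRANTS FOR 'app_ro'@'10.0.%';

-- Clean up. DROP USER needs the exact user@host pair: dropping 'app_user'@'%' here
-- would fail, because that account was never created.
DROP USER 'app_ro'@'10.0.%', 'app_user'@'10.0.1.5', 'batch_user'@'10.0.0.0/255.255.0.0';
```

Run it as an administrative account on a test server; the SELECT against mysql.user is there so you can see both app_user rows side by side before the rename.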
II. MySQL privilege types
1>. Administrative privileges
create temporary tables    #create temporary tables
create user                #create, drop and rename accounts and set their passwords
file                       #read and write files on the server host (LOAD DATA INFILE, SELECT ... INTO OUTFILE); dangerous, grant it only when genuinely needed
lock tables                #take explicit locks with LOCK TABLES
process                    #see the threads of all users with SHOW PROCESSLIST, including the statements they are running
reload                     #run FLUSH and RESET
replication client         #query replication state (SHOW MASTER STATUS, SHOW SLAVE STATUS)
replication slave          #read the binary log as a replica; the privilege a replication account needs
show databases             #see every database name with SHOW DATABASES
shutdown                   #stop the MySQL server
super                      #miscellaneous administrative operations (SET GLOBAL, KILL any thread, and more); in practice full control of the server
2>. Database access privileges (database level)
alter             #alter tables
alter routine     #alter or drop stored routines
create            #create tables and databases
create routine    #create stored procedures and stored functions
create view       #create views
delete            #delete rows from tables
drop              #drop databases or tables
execute           #execute stored procedures and stored functions
grant option      #pass one's own privileges on to other accounts
index             #create or drop indexes
show view         #see how a view was defined (SHOW CREATE VIEW)
3>. Data-manipulation privileges (table level)
select    #query rows in a table
insert    #insert rows into a table
update    #modify rows in a table
delete    #delete rows from a table
4>. Column level
select(col1,...)    #query only the listed columns
update(col1,...)    #modify only the listed columns
insert(col1,...)    #insert into only the listed columns
5>. All privileges
ALL [PRIVILEGES]    #every privilege available at the chosen level, except GRANT OPTION
III. Privilege operations in MySQL
1. Viewing the help for GRANT
mysql> help grant
Name: 'GRANT'
Description:
Syntax:
GRANT
    priv_type [(column_list)]
      [, priv_type [(column_list)]] ...
    ON [object_type] priv_level                           #if object_type is omitted, the default is TABLE
    TO user [auth_option] [, user [auth_option]] ...      #one or more accounts to grant to, separated by commas
    [REQUIRE {NONE | tls_option [[AND] tls_option] ...}]  #require a TLS connection with the given properties; without REQUIRE nothing is enforced
    [WITH {GRANT OPTION | resource_option} ...]           #GRANT OPTION lets the account pass its own privileges on to others; hand this out sparingly, it is an easy way to lose track of who can do what

GRANT PROXY ON user
    TO user [, user] ...
    [WITH GRANT OPTION]

object_type: {                (the kind of object; TABLE if not specified)
    TABLE                     #a table
  | FUNCTION                  #a stored function
  | PROCEDURE                 #a stored procedure
}

priv_level: {                 (what the privileges apply to)
    *                         #all tables in the default (current) database
  | *.*                       #global: all tables in all databases
  | db_name.*                 #all tables in db_name
  | db_name.tbl_name          #one table in db_name
  | tbl_name                  #one table in the default database
  | db_name.routine_name      #one stored routine in db_name
}

user:                         #an account name; no password is needed here provided the account was already created with CREATE USER
    (see https://dev.mysql.com/doc/refman/5.6/en/account-names.html)

auth_option: {                #if given for an account that already exists, this changes its password
    IDENTIFIED BY [PASSWORD] 'auth_string'
  | IDENTIFIED WITH auth_plugin
  | IDENTIFIED WITH auth_plugin AS 'auth_string'
}

tls_option: {
    SSL                       #any TLS connection; the option used most often
  | X509                      #TLS plus a valid client certificate
  | CIPHER 'cipher'           #a specific cipher must be used
  | ISSUER 'issuer'           #the client certificate must be issued by this CA
  | SUBJECT 'subject'         #the client certificate must carry this subject
}

resource_option: {
    MAX_QUERIES_PER_HOUR count         #maximum number of queries per hour
  | MAX_UPDATES_PER_HOUR count         #maximum number of updates per hour
  | MAX_CONNECTIONS_PER_HOUR count     #maximum number of new connections per hour
  | MAX_USER_CONNECTIONS count         #maximum number of simultaneous connections for the account
}

The GRANT statement grants privileges to MySQL user accounts. GRANT also serves to specify other account characteristics such as use of secure connections and limits on access to server resources.

To grant a privilege with GRANT, you must have the GRANT OPTION privilege, and you must have the privileges that you are granting. (Alternatively, if you have the UPDATE privilege for the grant tables in the mysql system database, you can grant any account any privilege.) When the read_only system variable is enabled, GRANT additionally requires the SUPER privilege.

The REVOKE statement is related to GRANT and enables administrators to remove account privileges. See [HELP REVOKE].

Each account name uses the format described in https://dev.mysql.com/doc/refman/5.6/en/account-names.html. For example:

GRANT ALL ON db1.* TO 'jeffrey'@'localhost';

The host name part of the account, if omitted, defaults to '%'.

Normally, a database administrator first uses CREATE USER to create an account, then GRANT to define its privileges and characteristics. For example:

CREATE USER 'jeffrey'@'localhost' IDENTIFIED BY 'password';
GRANT ALL ON db1.* TO 'jeffrey'@'localhost';
GRANT SELECT ON db2.invoice TO 'jeffrey'@'localhost';
GRANT USAGE ON *.* TO 'jeffrey'@'localhost' WITH MAX_QUERIES_PER_HOUR 90;

*Note*: Examples shown here include no IDENTIFIED clause. It is assumed that you establish passwords with CREATE USER at account-creation time to avoid creating insecure accounts.

If an account named in a GRANT statement does not already exist, GRANT may create it under the conditions described later in the discussion of the NO_AUTO_CREATE_USER SQL mode.

From the mysql program, GRANT responds with Query OK, 0 rows affected when executed successfully. To determine what privileges result from the operation, use SHOW GRANTS. See [HELP SHOW GRANTS].

URL: https://dev.mysql.com/doc/refman/5.6/en/grant.html
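The REQUIRE and WITH clauses in the syntax above are the two parts of GRANT that none of this page's transcripts exercise, so here they are applied to a read-only reporting account. This is an added example, not from the original page: the account name report, the sales database, the limits and the CA distinguished name are all assumed, and the syntax is the MySQL 5.6 form documented above.

```sql
-- Added example, not from the original page. Account, database, limits and CA DN are assumed.

CREATE USER 'report'@'10.0.%' IDENTIFIED BY 'Lab-Only-Pass';

-- Read-only on one database, encrypted connection required, and throttled so that a
-- leaked credential cannot be used to hammer the server or hold many sessions open.
GRANT SELECT ON sales.* TO 'report'@'10.0.%'
    REQUIRE SSL
    WITH MAX_QUERIES_PER_HOUR 1000
         MAX_CONNECTIONS_PER_HOUR 60
         MAX_USER_CONNECTIONS 5;

-- Stricter variant: the client must present a certificate issued by a specific CA.
-- The issuer string has to match the DN on the client certificate exactly, and
-- ISSUER implies a TLS connection, so REQUIRE SSL is no longer needed alongside it.
-- The server stores one TLS requirement per account, so this REQUIRE replaces the
-- earlier one rather than adding to it.
GRANT USAGE ON *.* TO 'report'@'10.0.%'
    REQUIRE ISSUER '/C=US/O=Example Corp/CN=Example Internal CA';   -- assumed CA DN

-- SHOW GRANTS prints the REQUIRE and WITH clauses back, which is how you audit them.
-- Resource limits are stored per account and survive later GRANTs that omit WITH.
SHOW GRANTS FOR 'report'@'10.0.%';

-- Resetting: a limit of 0 means "no limit", and REQUIRE NONE drops the TLS requirement.
GRANT USAGE ON *.* TO 'report'@'10.0.%'
    REQUIRE NONE
    WITH MAX_QUERIES_PER_HOUR 0 MAX_CONNECTIONS_PER_HOUR 0 MAX_USER_CONNECTIONS 0;

DROP USER 'report'@'10.0.%';
```

GRANT USAGE ON *.* is the idiom for changing an account's connection properties without touching its privileges; USAGE grants nothing, it only names the account.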
Below are authorization examples, for reference:
mysql> grant create on chensiting.students to yhh@'%';    #only allows the account 'yhh'@'%' to create a table named students in the chensiting database
Query OK, 0 rows affected (0.00 sec)

#After the statement above, open a new terminal as yhh and verify:
MySQL [(none)]> use chensiting
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A

Database changed
MySQL [chensiting]> show grants for 'yhh'@'%';    #view the grants
+-----------------------------------------------------------------+
| Grants for yhh@%                                                |
+-----------------------------------------------------------------+
| GRANT USAGE ON *.* TO 'yhh'@'%' IDENTIFIED BY PASSWORD <secret> |
| GRANT CREATE ON `chensiting`.`students` TO 'yhh'@'%'            |
+-----------------------------------------------------------------+
2 rows in set (0.00 sec)

#this grant covers a single table name
MySQL [chensiting]> create table students (Name varchar(30) not null) engine=innodb default charset=utf8;    #the privilege check passes for students: the error is 1050 (table already exists), not an access-denied error, because a students table is already there
ERROR 1050 (42S01): Table 'students' already exists
MySQL [chensiting]> create table tb1 (Name varchar(30) not null) engine=innodb default charset=utf8;    #any other table name is denied; note the server reports the client's resolved host name (cobbler) here even though the account that matched is 'yhh'@'%'
ERROR 1142 (42000): CREATE command denied to user 'yhh'@'cobbler' for table 'tb1'
MySQL [chensiting]>

mysql> grant drop on chensiting.* to 'yhh'@'%';
Query OK, 0 rows affected (0.01 sec)

#After the statement above, open a new terminal and verify:
[root@10e0e0e12 ~]# mysql -u yhh -h 10.0.0.15 -p666
Welcome to the MariaDB monitor.  Commands end with ; or \g.
Your MySQL connection id is 9
Server version: 5.6.50 MySQL Community Server (GPL)

Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

MySQL [chensiting]> show grants for 'yhh'@'%';
+-----------------------------------------------------------------+
| Grants for yhh@%                                                |
+-----------------------------------------------------------------+
| GRANT USAGE ON *.* TO 'yhh'@'%' IDENTIFIED BY PASSWORD <secret> |
| GRANT DROP ON `chensiting`.* TO 'yhh'@'%'                       |
| GRANT CREATE ON `chensiting`.`students` TO 'yhh'@'%'            |
+-----------------------------------------------------------------+
3 rows in set (0.00 sec)

MySQL [chensiting]> show tables;
+----------------------+
| Tables_in_chensiting |
+----------------------+
| Classes              |
| score                |
| students             |
| tb1                  |
| tearchers            |
+----------------------+
5 rows in set (0.00 sec)

MySQL [chensiting]> drop table tb2;
ERROR 1051 (42S02): Unknown table 'chensiting.tb2'
MySQL [chensiting]> drop table students;
Query OK, 0 rows affected (0.01 sec)
MySQL [chensiting]> drop table score;    #the account can drop every table in the database at will; DROP at the chensiting.* level also permits DROP DATABASE chensiting itself
Query OK, 0 rows affected (0.02 sec)
MySQL [chensiting]> desc Classes;    #but it still has no SELECT, so it cannot even look at a table's structure: an account that can destroy data it is not allowed to read. Grant SELECT if that is wanted
ERROR 1142 (42000): SELECT command denied to user 'yhh'@'cobbler' for table 'Classes'
MySQL [chensiting]>

mysql> grant select,insert,update,delete on chensiting.* to 'yhh'@'%';
Query OK, 0 rows affected (0.00 sec)

[root@10e0e0e12 ~]# mysql -u yhh -h 10.0.0.15 -p123
Welcome to the MariaDB monitor.  Commands end with ; or \g.
Your MySQL connection id is 43
Server version: 5.6.50 MySQL Community Server (GPL)

Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

MySQL [(none)]> use chensiting
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A

Database changed
MySQL [chensiting]> show tables;
+----------------------+
| Tables_in_chensiting |
+----------------------+
| Classes              |
| score                |
| students             |
| tearchers            |
+----------------------+
4 rows in set (0.00 sec)

MySQL [chensiting]> desc students;    #with SELECT on the database, the table structure is visible
+-----------+--------------------+------+-----+---------+----------------+
| Field     | Type               | Null | Key | Default | Extra          |
+-----------+--------------------+------+-----+---------+----------------+
| StudentID | mediumint(9)       | NO   | PRI | NULL    | auto_increment |
| Name      | varchar(50)        | NO   | PRI | NULL    |                |
| Age       | tinyint(4)         | NO   | MUL | NULL    |                |
| Gender    | enum('boy','girl') | YES  |     | NULL    |                |
| ClassID   | tinyint(4)         | YES  |     | NULL    |                |
| TeacherID | tinyint(4)         | YES  |     | NULL    |                |
+-----------+--------------------+------+-----+---------+----------------+
6 rows in set (0.00 sec)
2. Viewing the help for REVOKE
mysql> help revoke
Name: 'REVOKE'
Description:
Syntax:
REVOKE
    priv_type [(column_list)]
      [, priv_type [(column_list)]] ...
    ON [object_type] priv_level
    FROM user [, user] ...        #take individual privileges away from one or more accounts; the level named here must be the level at which they were granted

REVOKE ALL PRIVILEGES, GRANT OPTION    #or take every privilege, at every level, away in one statement; the account itself remains and keeps USAGE
    FROM user [, user] ...

REVOKE PROXY ON user
    FROM user [, user] ...
Below is one example of revoking privileges, for reference; the other variants follow the same pattern:
mysql> revoke create,select,insert,update,delete on chensiting.* from 'yhh'@'%';
Query OK, 0 rows affected (0.00 sec)

mysql> FLUSH PRIVILEGES;    #not required after GRANT or REVOKE: those statements update the in-memory grant tables themselves. What does matter for clients that are already connected is when a change takes effect: table and column privilege changes apply at the client's next request, database privilege changes at its next USE, and global privilege or password changes only to new connections
Query OK, 0 rows affected (0.00 sec)

mysql> show grants for 'yhh'@'%';    #run as root, SHOW GRANTS prints the password hash; treat this output as sensitive, whoever reads it can take the hash away for offline cracking
+----------------------------------------------------------------------------------------------------+
| Grants for yhh@%                                                                                   |
+----------------------------------------------------------------------------------------------------+
| GRANT USAGE ON *.* TO 'yhh'@'%' IDENTIFIED BY PASSWORD '*23AE809DDACAF96AF0FD78ED04B6A265E05AA257' |
+----------------------------------------------------------------------------------------------------+
1 row in set (0.00 sec)

mysql> grant select,insert,update,delete on chensiting.* to 'yhh'@'%';
Query OK, 0 rows affected (0.00 sec)

mysql> show grants for 'yhh'@'%';
+----------------------------------------------------------------------------------------------------+
| Grants for yhh@%                                                                                   |
+----------------------------------------------------------------------------------------------------+
| GRANT USAGE ON *.* TO 'yhh'@'%' IDENTIFIED BY PASSWORD '*23AE809DDACAF96AF0FD78ED04B6A265E05AA257' |
| GRANT SELECT, INSERT, UPDATE, DELETE ON `chensiting`.* TO 'yhh'@'%'                                |
+----------------------------------------------------------------------------------------------------+
2 rows in set (0.00 sec)

mysql> revoke create,select,insert,update,delete on chensiting.* from 'yhh'@'%';
Query OK, 0 rows affected (0.01 sec)

mysql> FLUSH PRIVILEGES;
Query OK, 0 rows affected (0.01 sec)
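The transcripts above grant at the table level (chensiting.students) and the database level (chensiting.*) and then revoke at the database level only, which is the usual way a stale table-level grant survives a clean-up. The following added example, not from the original page, walks through the levels explicitly; the account lvl, the database demo and the table demo.t are assumed, and the syntax is MySQL 5.6 as on this page.

```sql
-- Added example, not from the original page. Account, database and table are assumed.

CREATE USER 'lvl'@'localhost' IDENTIFIED BY 'Lab-Only-Pass';
CREATE DATABASE IF NOT EXISTS demo;
CREATE TABLE IF NOT EXISTS demo.t (id INT PRIMARY KEY, name VARCHAR(30), secret VARCHAR(30));

GRANT CREATE            ON demo.t TO 'lvl'@'localhost';   -- table level   (stored in mysql.tables_priv)
GRANT SELECT (id, name) ON demo.t TO 'lvl'@'localhost';   -- column level  (stored in mysql.columns_priv)
GRANT DROP              ON demo.* TO 'lvl'@'localhost';   -- database level (stored in mysql.db)

SHOW GRANTS FOR 'lvl'@'localhost';
-- GRANT USAGE ON *.* TO 'lvl'@'localhost' ...
-- GRANT DROP ON `demo`.* TO 'lvl'@'localhost'
-- GRANT SELECT (id, name), CREATE ON `demo`.`t` TO 'lvl'@'localhost'

-- Revoking at the database level does NOT remove the table-level CREATE. Because the
-- account already has a row at the database level (for DROP), this statement succeeds
-- even though CREATE was never granted there, and SHOW GRANTS afterwards is unchanged.
REVOKE CREATE ON demo.* FROM 'lvl'@'localhost';
SHOW GRANTS FOR 'lvl'@'localhost';

-- Revoking at a level where the account holds nothing at all is an error
-- (ER_NONEXISTING_TABLE_GRANT: "There is no such grant defined for user 'lvl'
-- on host 'localhost' on table 'other'"), which is the only hint you get that
-- you are aiming at the wrong level:
-- REVOKE CREATE ON demo.other FROM 'lvl'@'localhost';

-- The table-level grant has to be revoked at the table level.
REVOKE CREATE ON demo.t FROM 'lvl'@'localhost';

-- Column grants can be narrowed one column at a time; this leaves SELECT (id).
REVOKE SELECT (name) ON demo.t FROM 'lvl'@'localhost';
SHOW GRANTS FOR 'lvl'@'localhost';

-- When in doubt, take everything away in one statement and re-grant from scratch.
-- This clears every level but does not delete the account; USAGE remains.
REVOKE ALL PRIVILEGES, GRANT OPTION FROM 'lvl'@'localhost';
SHOW GRANTS FOR 'lvl'@'localhost';

DROP USER 'lvl'@'localhost';
DROP TABLE demo.t;
DROP DATABASE demo;
```

The practical rule: always read SHOW GRANTS first, and revoke each line at exactly the level SHOW GRANTS prints it at.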
3. The tables involved in user authorization:
mysql> show databases;
+--------------------+
| Database           |
+--------------------+
| information_schema |
| chensiting         |
| mysql              |
| performance_schema |
| yanhuihuang        |
+--------------------+
5 rows in set (0.01 sec)

mysql> use mysql
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A

Database changed
mysql> show tables;
+---------------------------+
| Tables_in_mysql           |
+---------------------------+
| columns_priv              |    #column-level privileges
| db                        |    #database-level privileges
| event                     |
| func                      |
| general_log               |
| help_category             |
| help_keyword              |
| help_relation             |
| help_topic                |
| innodb_index_stats        |
| innodb_table_stats        |
| ndb_binlog_index          |
| plugin                    |
| proc                      |    #definitions of stored procedures and stored functions (not privileges)
| procs_priv                |    #privileges on stored procedures and stored functions
| proxies_priv              |
| servers                   |
| slave_master_info         |
| slave_relay_log_info      |
| slave_worker_info         |
| slow_log                  |
| tables_priv               |    #table-level privileges
| time_zone                 |
| time_zone_leap_second     |
| time_zone_name            |
| time_zone_transition      |
| time_zone_transition_type |
| user                      |    #accounts, password hashes, TLS requirements, resource limits and global privileges
+---------------------------+
28 rows in set (0.00 sec)
Supplement: the proxies_priv table stores proxy-user privileges. The grant tables are themselves the most sensitive data on the server: as the GRANT help text above notes, UPDATE on the mysql database lets an account grant itself anything, and SELECT on mysql.user exposes every password hash, so access to mysql.* is an administrative privilege in all but name.
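Because the tables above hold the whole privilege state, they are also where an audit starts. The queries below are an added example, not from the original page; they assume an account with SELECT on the mysql database and the column layout of MySQL 5.6 as used on this page (the Password column in query 2 was removed in 5.7.6, where authentication_string is used alone). The account 'yhh'@'%' in the last query is the one created earlier on this page and is used only as a sample target.

```sql
-- Added example, not from the original page. Assumes SELECT on mysql.* and MySQL 5.6 columns.

-- 1. Accounts reachable from any host, and anonymous accounts (empty user name).
SELECT user, host FROM mysql.user WHERE host = '%' OR user = '';

-- 2. Accounts with no password at all (both credential columns empty). 5.6 layout;
--    on 5.7+ drop the Password condition and test authentication_string alone.
SELECT user, host FROM mysql.user
 WHERE (Password = '' OR Password IS NULL)
   AND (authentication_string = '' OR authentication_string IS NULL);

-- 3. Global privileges that amount to taking over the server: FILE (read/write files
--    on the host), SUPER, PROCESS (see other sessions' SQL) and GRANT OPTION.
SELECT user, host, File_priv, Super_priv, Process_priv, Grant_priv
  FROM mysql.user
 WHERE File_priv = 'Y' OR Super_priv = 'Y' OR Process_priv = 'Y' OR Grant_priv = 'Y';

-- 4. Accounts that can pass privileges on at the database or table level.
SELECT 'db' AS level, user, host, db, NULL AS table_name
  FROM mysql.db WHERE Grant_priv = 'Y'
UNION ALL
SELECT 'table', user, host, db, table_name
  FROM mysql.tables_priv WHERE FIND_IN_SET('Grant', Table_priv) > 0;

-- 5. Remote accounts with no TLS requirement (ssl_type empty means REQUIRE NONE).
SELECT user, host FROM mysql.user
 WHERE ssl_type = '' AND host NOT IN ('localhost', '127.0.0.1', '::1');

-- 6. The full privilege picture for one account, across every level, which is what
--    SHOW GRANTS summarises and what REVOKE has to be aimed at line by line.
SELECT 'global' AS level, NULL AS db, NULL AS table_name, NULL AS column_name
  FROM mysql.user WHERE user = 'yhh' AND host = '%'
UNION ALL
SELECT 'db', db, NULL, NULL
  FROM mysql.db WHERE user = 'yhh' AND host = '%'
UNION ALL
SELECT 'table', db, table_name, NULL
  FROM mysql.tables_priv WHERE user = 'yhh' AND host = '%'
UNION ALL
SELECT 'column', db, table_name, column_name
  FROM mysql.columns_priv WHERE user = 'yhh' AND host = '%';
```

Every row these queries return should have a written justification; queries 1 to 3 in particular are the ones that turn an application-level SQL injection or a leaked connection string into control of the host.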
4. Exercises
1>. Allow testuser to reach the current MySQL server from any host in the 10.0.0.0/16 network
    create user 'testuser'@'10.0.%' identified by 'password';    #'10.0.%' covers 10.0.0.0/16 (the netmask form '10.0.0.0/255.255.0.0' is equivalent; '10.0.%.%' also works but the extra wildcard adds nothing). The original answer granted ALTER on *.*, a global privilege the exercise does not ask for; a new account needs only USAGE in order to connect
2>. Let this user create and drop the testdb database and the tables in it
    grant create,drop on testdb.* to 'testuser'@'10.0.%';
3>. Let this user query, delete, update and insert in table t1 of testdb
    grant select,update,insert,delete on testdb.t1 to 'testuser'@'10.0.%';
4>. Let this user create and drop indexes in testdb
    grant index on testdb.* to 'testuser'@'10.0.%';    #INDEX covers both CREATE INDEX and DROP INDEX; there is no separate "drop index" privilege, and the level must be written testdb.*, not testdb
5>. Let this user query the id and name columns of testdb.t2 and pass that privilege on to other users
    grant select(id,name) on testdb.t2 to 'testuser'@'10.0.%' with grant option;    #WITH GRANT OPTION applies to the whole table level: the user can afterwards grant any privilege it holds on testdb.t2, not only these two columns, so check SHOW GRANTS before handing it out