Why does OpenStack grant the same privileges twice when initializing its database?

Question:

When OpenStack creates its databases, why does it grant the user login rights for both '%' and 'localhost', when in MySQL '%' already covers localhost?

To answer this, let's first look at what happens if we don't do it this way.

openstack-db --init --service keystone --pass keystone does three things:

1. mysql> CREATE DATABASE keystone;

2. mysql> GRANT ALL ON keystone.* TO 'keystone'@'%' IDENTIFIED BY 'keystone';

3. mysql> GRANT ALL ON keystone.* TO 'keystone'@'localhost' IDENTIFIED BY 'keystone';

Let's see what happens if step 3 is skipped:

mysql> create database keystone;
Query OK, 1 row affected (0.01 sec)
mysql> GRANT ALL ON keystone.* TO 'keystone'@'%' IDENTIFIED BY 'keystone';
Query OK, 0 rows affected (0.00 sec)
mysql> flush privileges;
Query OK, 0 rows affected (0.00 sec)
mysql> select user,host,password from mysql.user;
+----------+-----------+-------------------------------------------+
| user     | host      | password                                  |
+----------+-----------+-------------------------------------------+
| root     | localhost |                                           |
| root     | db1       |                                           |
| root     | 127.0.0.1 |                                           |
|          | localhost |                                           |
|          | db1       |                                           |
| keystone | %         | *936E8F7AB2E21B47F6C9A7E5D9FE14DBA2255E5A |
+----------+-----------+-------------------------------------------+
6 rows in set (0.00 sec)

Simulated login:

[root@db1 ~]# mysql -u keystone -pkeystone
ERROR 1045 (28000): Access denied for user 'keystone'@'localhost' (using password: YES)

The login is denied.

Trying to log in with an empty password:

[root@db1 ~]# mysql -u keystone
Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 14
Server version: 5.1.52-log Source distribution
Copyright (c) 2000, 2010, Oracle and/or its affiliates. All rights reserved.
This software comes with ABSOLUTELY NO WARRANTY. This is free software,
and you are welcome to modify and redistribute it under the GPL v2 license
Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
mysql> show databases;
+--------------------+
| Database           |
+--------------------+
| information_schema |
| test               |
+--------------------+
2 rows in set (0.00 sec)

Login succeeds, but the keystone database is not shown.

So what happens once step 3 is run?

mysql> GRANT ALL ON keystone.* TO 'keystone'@'localhost' IDENTIFIED BY 'keystone';
Query OK, 0 rows affected (0.01 sec)

Simulated login again:

[root@db1 ~]# mysql -u keystone -pkeystone
Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 11
Server version: 5.1.52-log Source distribution
Copyright (c) 2000, 2010, Oracle and/or its affiliates. All rights reserved.
This software comes with ABSOLUTELY NO WARRANTY. This is free software,
and you are welcome to modify and redistribute it under the GPL v2 license
Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
mysql> show databases;
+--------------------+
| Database           |
+--------------------+
| information_schema |
| keystone           |
| test               |
+--------------------+
3 rows in set (0.01 sec)

Login succeeds.


Analysis:

Before step 3 is run:

mysql> select user,host,password from mysql.user;
+----------+-----------+-------------------------------------------+
| user     | host      | password                                  |
+----------+-----------+-------------------------------------------+
| root     | localhost |                                           |
| root     | db1       |                                           |
| root     | 127.0.0.1 |                                           |
|          | localhost |                                           |
|          | db1       |                                           |
| keystone | %         | *936E8F7AB2E21B47F6C9A7E5D9FE14DBA2255E5A |
+----------+-----------+-------------------------------------------+
6 rows in set (0.00 sec)

mysql -u keystone -pkeystone connects as keystone@localhost. At this point the privilege table has no row that explicitly matches this user, so MySQL first looks for rows with host='localhost' (MySQL sorts the rows of mysql.user with the most specific host first, so a row whose host is 'localhost' is tried before one whose host is '%'). That search matches ''@'localhost', the anonymous user, whose password is empty. The password submitted by mysql -u keystone -pkeystone is 'keystone', so MySQL sees a mismatch and denies the login. mysql -u keystone with an empty password, on the other hand, happens to match that row, which is why the empty password is the one that gets in. However, because ''@'localhost' has no privileges on the keystone database, the keystone database is not visible after login.


For security reasons that anonymous account (''@'localhost') should be removed; once it is gone, OpenStack would not need to grant the privilege twice when initializing the database.
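To make the matching order in the analysis above concrete, here is a small simulation of how MySQL picks a row from mysql.user for an incoming connection. It is an added example, not part of the original post or of openstack-db; the rules it encodes are the ones the MySQL manual gives for stage-1 access control (rows sorted by host with the most specific host first, then by user with named users before the anonymous user ''), and the table data is constructed to mirror the mysql.user output shown on the page. The password hash follows the PASSWORD() format used by MySQL 4.1+/5.x; the Account class, page_table() and authenticate() are names chosen for this example.

```python
"""Simulation of MySQL's account matching for an incoming connection (added example).
Assumption: MySQL sorts mysql.user with the most specific host first, then named
users before the anonymous user '', and uses the first row that matches."""
import hashlib
import re
from dataclasses import dataclass, field


@dataclass
class Account:
    user: str
    host: str
    password_hash: str                       # '' means "no password set"
    grants: set = field(default_factory=set)  # database names this row may use


def mysql_native_hash(password: str) -> str:
    """PASSWORD() as stored by MySQL 4.1+/5.x: '*' + SHA1(SHA1(pw)) in upper hex."""
    if password == "":
        return ""                            # MySQL stores an empty string, not a hash
    stage1 = hashlib.sha1(password.encode()).digest()
    return "*" + hashlib.sha1(stage1).hexdigest().upper()


def like_match(pattern: str, value: str) -> bool:
    """SQL LIKE semantics for the host column: % = any run, _ = one character."""
    regex = "".join(".*" if c == "%" else "." if c == "_" else re.escape(c)
                    for c in pattern)
    return re.fullmatch(regex, value) is not None


def host_specificity(host: str) -> tuple:
    """Sort key: literal hosts first, then patterns with more literal text, '%' last."""
    wildcard = any(c in "%_" for c in host)
    literal_chars = sum(1 for c in host if c not in "%_")
    return (wildcard, -literal_chars)


def resolve(table, user, host):
    """Return the first mysql.user row MySQL would match for user@host, or None."""
    ordered = sorted(table, key=lambda a: (host_specificity(a.host), a.user == ""))
    for acct in ordered:
        if like_match(acct.host, host) and acct.user in (user, ""):
            return acct
    return None


def authenticate(table, user, host, password):
    """Return (accepted, matched row); a hash mismatch is MySQL's ERROR 1045."""
    acct = resolve(table, user, host)
    if acct is None or acct.password_hash != mysql_native_hash(password):
        return False, acct
    return True, acct


def page_table(with_localhost_grant: bool, keep_anonymous: bool = True):
    """mysql.user as shown on the page (constructed), with step 3 optionally applied
    and the anonymous accounts optionally dropped."""
    rows = [
        Account("root", "localhost", ""),
        Account("root", "db1", ""),
        Account("root", "127.0.0.1", ""),
        Account("keystone", "%", mysql_native_hash("keystone"), {"keystone"}),
    ]
    if keep_anonymous:
        rows += [Account("", "localhost", ""), Account("", "db1", "")]
    if with_localhost_grant:
        rows.append(Account("keystone", "localhost",
                            mysql_native_hash("keystone"), {"keystone"}))
    return rows


if __name__ == "__main__":
    for label, table in [("after step 2 only", page_table(False)),
                         ("after step 3", page_table(True)),
                         ("anonymous users dropped", page_table(False, keep_anonymous=False))]:
        ok, acct = authenticate(table, "keystone", "localhost", "keystone")
        who = f"'{acct.user}'@'{acct.host}'" if acct else "no row"
        print(f"{label}: keystone/keystone from localhost -> "
              f"{'accepted' if ok else 'denied'} via {who}, grants={acct.grants if acct else None}")
```

Running it reproduces the page: with only the '%' grant, keystone/keystone from localhost is denied because the anonymous ''@'localhost' row shadows 'keystone'@'%', and an empty password is accepted but with no access to the keystone database; adding the 'localhost' grant or dropping the anonymous rows (DROP USER ''@'localhost'; DROP USER ''@'db1'; on a real server) both make the connection land on a keystone row.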

