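MySQL User and Privilege Management

User Management

Account Names

A MySQL account name consists of a user name and a host name. This makes it possible to create separate accounts for users who share the same user name but connect from different hosts.

Syntax: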

'user_name'@'host_name'
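  • The host value can be a host name or an IP address (IPv4 or IPv6).
  • The % and _ wildcards are allowed in the host name or IP address value.
  • %: matches any characters, of any length
  • _: matches any single character
    Note: if the host part of an account name is omitted, it defaults to '%'.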
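
The wildcard rules above, as an added Python example (not part of the original page): it lists which account names admit a given client host, including the omitted-host default and the case where _ in a host name acts as a wildcard. Only % and _ are modelled; the function names and the accounts other than hechunping's are constructed for illustration.

```python
import re

def parse_account(account):
    """Split 'user'@'host' into (user, host); a missing host part means '%'."""
    m = re.fullmatch(r"'([^']*)'(?:@'([^']*)')?", account.strip())
    if m is None:
        raise ValueError("not a quoted account name: %r" % account)
    user, host = m.group(1), m.group(2)
    return user, "%" if host is None else host

def host_matches(pattern, client_host):
    """Apply the host part: % = any run of characters, _ = exactly one character."""
    parts = []
    for ch in pattern:
        parts.append(".*" if ch == "%" else "." if ch == "_" else re.escape(ch))
    # Host names are compared without regard to case.
    return re.fullmatch("".join(parts), client_host, re.IGNORECASE) is not None

def accounts_reachable_from(accounts, client_host):
    """Return the account names whose host part admits client_host."""
    return [a for a in accounts if host_matches(parse_account(a)[1], client_host)]

# Constructed sample accounts (the first two appear on this page).
ACCOUNTS = [
    "'hechunping'@'192.168.7.72'",
    "'hechunping'@'192.168.7.%'",
    "'report'@'192.168.7._'",     # one character only: .0 to .9
    "'app'@'db_1.example.com'",   # _ is a wildcard here, not a literal underscore
    "'backup'",                   # host omitted, same as 'backup'@'%'
]

if __name__ == "__main__":
    for host in ("192.168.7.72", "192.168.7.5", "10.0.0.9", "dbx1.example.com"):
        print(host, "->", accounts_reachable_from(ACCOUNTS, host))
```
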

User Management

Creating a user: CREATE USER
Create a user hechunping that can connect to the current MySQL server from the host 192.168.7.72

mysql> create user 'hechunping'@'192.168.7.72';
mysql> select user,host from mysql.user;
+---------------+--------------+
| user          | host         |
+---------------+--------------+
| hechunping    | 192.168.7.72 |
| root          | localhost    |
+---------------+--------------+
Note: by default, a newly created user has only the connection privilege (USAGE).

Renaming a user: RENAME USER

Rename the user hechunping to hcp
mysql> rename user 'hechunping'@'192.168.7.72' to 'hcp'@'192.168.7.72';
mysql> select user,host from mysql.user;
+------+--------------+
| user | host         |
+------+--------------+
| hcp  | 192.168.7.72 |
| root | localhost    |
+------+--------------+

Deleting a user: DROP USER
Delete the user hcp
mysql> drop user 'hcp'@'192.168.7.72';
mysql> select user,host from mysql.user;
+------+-----------+
| user | host      |
+------+-----------+
| root | localhost |
+------+-----------+

Deleting anonymous users
drop user ''@'host_name';

Changing the password of user hechunping
Method 1
mysql> set password for 'hechunping'@'192.168.7.72' = password('123456');
Method 2
mysql> update mysql.user set authentication_string=password('123456') where user='hechunping';
# This method only takes effect after running the following statement:
mysql> flush privileges;

What to do if you forget the administrator password:

[root@CentOS7-01 ~]#mysql -p
Enter password: 
ERROR 1045 (28000): Access denied for user 'root'@'localhost' (using password: YES)

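1. Add the following server options to /etc/my.cnf so that they take effect when the mysqld process starts
[mysqld]
skip-networking  # disable remote connections; only local socket connections are allowed
skip-grant-tables # ignore the grant tables and skip privilege checks

2. Restart the MySQL service
[root@CentOS7-01 ~]#systemctl restart mysqld

3. You can now connect to the database without a password; use an UPDATE statement to change the administrator password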
[root@CentOS7-01 ~]#mysql
Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 3
Server version: 5.7.28 MySQL Community Server (GPL)

Copyright (c) 2000, 2019, Oracle and/or its affiliates. All rights reserved.

Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

mysql> update mysql.user set authentication_string=password('123456') where user='root';
Query OK, 1 row affected, 1 warning (0.00 sec)
Rows matched: 1  Changed: 1  Warnings: 1

mysql> flush privileges;
Query OK, 0 rows affected (0.00 sec)

4. Remove the two server options added earlier, restart the MySQL service, and log in with the new password
[root@CentOS7-01 ~]#sed -i -e '/skip-networking/d' -e '/skip-grant-tables/d' /etc/my.cnf
[root@CentOS7-01 ~]#systemctl restart mysqld
[root@CentOS7-01 ~]#mysql -p123456
mysql: [Warning] Using a password on the command line interface can be insecure.
Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 2
Server version: 5.7.28 MySQL Community Server (GPL)

Copyright (c) 2000, 2019, Oracle and/or its affiliates. All rights reserved.

Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

mysql> 
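
A check to run after step 4, as an added Python example (not part of the original page): it reports reset options that are still active under [mysqld], since a server left running with skip-grant-tables performs no privilege checks. MySQL accepts - and _ interchangeably in option names, while the sed patterns above match only the dash spelling, so both spellings are normalised here; the function name and the sample files are constructed.

```python
import re

# The two options the reset procedure adds. '-' and '_' in option names are
# interchangeable to MySQL, so names are normalised before comparing.
RESET_OPTIONS = {"skip_grant_tables", "skip_networking"}

def leftover_reset_options(cnf_text):
    """Return (line_number, option) for reset options still set under [mysqld]."""
    found, section = [], None
    for number, raw in enumerate(cnf_text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()      # drop trailing "# ..." comments
        if not line or line.startswith(";"):
            continue
        header = re.fullmatch(r"\[([^\]]+)\]", line)
        if header:
            section = header.group(1).strip().lower()
            continue
        name = line.split("=", 1)[0].strip().lower().replace("-", "_")
        # Only the [mysqld] group used on this page is checked.
        if section == "mysqld" and name in RESET_OPTIONS:
            found.append((number, name))
    return found

# Constructed sample: the file as it looks during step 1.
DURING_RESET = """\
[mysqld]
datadir=/var/lib/mysql
skip-networking  # local socket only
skip-grant-tables # no privilege checks
"""

# Constructed sample: an underscore spelling that the sed patterns would not delete.
AFTER_PARTIAL_CLEANUP = """\
[mysqld]
datadir=/var/lib/mysql
skip_grant_tables
[client]
socket=/var/lib/mysql/mysql.sock
"""

CLEAN = "[mysqld]\ndatadir=/var/lib/mysql\n"

if __name__ == "__main__":
    for label, text in (("during", DURING_RESET),
                        ("partial", AFTER_PARTIAL_CLEANUP), ("clean", CLEAN)):
        print(label, leftover_reset_options(text))
```
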

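Privilege Management

Granting privileges: GRANT

Reference: https://mariadb.com/kb/en/library/grant/
Example:
GRANT SELECT (col1), INSERT (col1,col2) ON mydb.mytbl TO 'someuser'@'somehost';

[Example 1] Grant user hechunping all privileges on all tables in the mytest database when connecting from the 192.168.7.0 network segment, and set a password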

mysql> GRANT ALL ON mytest.* TO 'hechunping'@'192.168.7.%' IDENTIFIED BY '123456';
Query OK, 0 rows affected, 1 warning (0.00 sec)

mysql> flush privileges;
Query OK, 0 rows affected (0.01 sec)

mysql> SHOW GRANTS FOR 'hechunping'@'192.168.7.%';
+------------------------------------------------------------------+
| Grants for hechunping@192.168.7.%                               |
+------------------------------------------------------------------+
| GRANT USAGE ON *.* TO 'hechunping'@'192.168.7.%'                 |
| GRANT ALL PRIVILEGES ON `mytest`.* TO 'hechunping'@'192.168.7.%' |
+------------------------------------------------------------------+
2 rows in set (0.00 sec)
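Note: if the user hechunping does not exist, GRANT can create it implicitly. ALL means all privileges and is equivalent to ALL PRIVILEGES.

[Example 2] Grant user hechunping on host 192.168.7.72 the SELECT privilege on the student table of the mytest database, and set a password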

mysql> GRANT SELECT ON mytest.student TO 'hechunping'@'192.168.7.72' IDENTIFIED BY '123456' WITH GRANT OPTION;
Query OK, 0 rows affected, 1 warning (0.00 sec)
mysql> flush privileges;
Query OK, 0 rows affected (0.01 sec)
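Note: the WITH GRANT OPTION clause lets the user grant privileges at the specified level to other users.

[Example 3] Grant user hechunping on host 192.168.7.72 the SELECT privilege on the id column of the student table in the mytest database, and set a password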

mysql> grant select(id) on mytest.student to 'hechunping'@'192.168.7.72' identified by '123456';
Query OK, 0 rows affected, 1 warning (0.00 sec)

mysql> flush privileges;
Query OK, 0 rows affected (0.01 sec)

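Revoking privileges: REVOKE

Reference: https://mariadb.com/kb/en/library/revoke/
Example:
REVOKE DELETE ON testdb.* FROM 'testuser'@'172.16.0.%';

[Example 1] Revoke the SELECT privilege of user hechunping on host 192.168.7.72 on the id column of the student table in the mytest database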

mysql> revoke select(id) on mytest.student from 'hechunping'@'192.168.7.72';
Query OK, 0 rows affected (0.00 sec)

[Example 2] Revoke all privileges of user hechunping on host 192.168.7.72 on the student table of the mytest database

mysql> revoke all on mytest.student from 'hechunping'@'192.168.7.72';
Query OK, 0 rows affected (0.00 sec)

Viewing the privileges granted to a given user

Reference: https://dev.mysql.com/doc/refman/5.7/en/show-grants.html
help show grants
SHOW GRANTS;
SHOW GRANTS FOR 'user'@'host';
SHOW GRANTS FOR CURRENT_USER();

[Example 1] View the privileges granted to the current user

mysql> show grants;
+---------------------------------------------------------------------+
| Grants for root@localhost                                           |
+---------------------------------------------------------------------+
| GRANT ALL PRIVILEGES ON *.* TO 'root'@'localhost' WITH GRANT OPTION |
| GRANT PROXY ON ''@'' TO 'root'@'localhost' WITH GRANT OPTION        |
+---------------------------------------------------------------------+

[Example 2] View the privileges granted to user hechunping on host 192.168.7.72

mysql> show grants for 'hechunping'@'192.168.7.72';
+------------------------------------------------------------------------------------+
| Grants for hechunping@192.168.7.72                                                 |
+------------------------------------------------------------------------------------+
| GRANT USAGE ON *.* TO 'hechunping'@'192.168.7.72'                                  |
| GRANT USAGE ON `mytest`.`student` TO 'hechunping'@'192.168.7.72' WITH GRANT OPTION |
+------------------------------------------------------------------------------------+
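
A review pass over SHOW GRANTS output, as an added Python example (not part of the original page): it flags rows that grant ALL PRIVILEGES, apply at global scope, carry WITH GRANT OPTION, or belong to a wildcard-host account. Run on the rows printed on this page, it also reports the last row above, where GRANT OPTION is still present after the revoke all in example 2, because ALL does not include GRANT OPTION. The function name and issue labels are constructed for illustration.

```python
import re

# One row of SHOW GRANTS output in the form printed on this page.
GRANT_RE = re.compile(
    r"GRANT (?P<privs>.+?) ON (?P<scope>\S+) TO '(?P<user>[^']*)'@'(?P<host>[^']*)'"
    r"(?P<grant_opt> WITH GRANT OPTION)?\s*$"
)

def audit_grants(show_grants_output):
    """Return (account, scope, issues) for each grant row worth a second look."""
    findings = []
    for raw in show_grants_output.splitlines():
        m = GRANT_RE.match(raw.strip().strip("|").strip())
        if m is None:
            continue                      # table borders and "Grants for ..." headers
        if m["privs"] == "USAGE" and not m["grant_opt"]:
            continue                      # connect-only row, nothing delegated
        issues = []
        if m["privs"] == "ALL PRIVILEGES":
            issues.append("ALL PRIVILEGES")
        if m["scope"] == "*.*":
            issues.append("global scope")
        if m["grant_opt"]:
            issues.append("WITH GRANT OPTION")
        if "%" in m["host"] or "_" in m["host"]:
            issues.append("wildcard host")
        if issues:
            findings.append(("'%s'@'%s'" % (m["user"], m["host"]), m["scope"], issues))
    return findings

# Rows copied from the SHOW GRANTS outputs shown on this page.
PAGE_OUTPUT = """\
| GRANT USAGE ON *.* TO 'hechunping'@'192.168.7.%'                 |
| GRANT ALL PRIVILEGES ON `mytest`.* TO 'hechunping'@'192.168.7.%' |
| GRANT ALL PRIVILEGES ON *.* TO 'root'@'localhost' WITH GRANT OPTION |
| GRANT PROXY ON ''@'' TO 'root'@'localhost' WITH GRANT OPTION        |
| GRANT USAGE ON *.* TO 'hechunping'@'192.168.7.72'                                  |
| GRANT USAGE ON `mytest`.`student` TO 'hechunping'@'192.168.7.72' WITH GRANT OPTION |
"""

if __name__ == "__main__":
    for account, scope, issues in audit_grants(PAGE_OUTPUT):
        print(account, scope, ", ".join(issues))
```
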

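Note: when the MySQL server process starts, it reads all grant tables in the mysql database into memory.

(1) Privilege operations such as GRANT or REVOKE are saved in the system tables, and the MariaDB server process normally re-reads the grant tables automatically so that the change takes effect
(2) For commands that cannot re-read the grant tables, or cannot do so promptly, you can make the MariaDB server process re-read them manually:
mysql> FLUSH PRIVILEGES;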