MySQL用户和权限管理

用户管理

帐号名称

MySQL帐户名由用户名和主机名组成，这可以为具有相同用户名且可以从不同主机进行连接的用户创建不同的帐户。

语法：

'user_name'@'host_name'

• 主机值可以是主机名或IP地址（IPv4或IPv6）。
• 主机名或IP地址值中允许 使用%和_通配符。
• %：表示任意长度的任意字符
• _：表示任意单个字符

  注：账户名的主机名部分（如果省略）默认为'%'

用户管理

创建用户：CREATE USER

创建用户hechunping可以在192.168.7.72这台主机连接当前MySQL服务器

mysql> create user 'hechunping'@'192.168.7.72';
mysql> select user,host from user;
+---------------+--------------+
| user          | host         |
+---------------+--------------+
| hechunping    | 192.168.7.72 |
| root          | localhost    |
+---------------+--------------+

注：默认情况下，新建的用户只有连接权限（USAGE）

重命名用户：RENAME USER

重命名用户hechunping为hcp
mysql> rename user 'hechunping'@'192.168.7.72' to 'hcp'@'192.168.7.72';
mysql> select user,host from user;
mysql> select user,host from user;
+------+--------------+
| user | host         |
+------+--------------+
| hcp  | 192.168.7.72 |
| root | localhost    |
+------+--------------+

删除用户：DROP USER

删除用户hcp
mysql> drop user 'hcp'@'192.168.7.72';
mysql> select user,host from user;
+------+-----------+
| user | host      |
+------+-----------+
| root | localhost |
+------+-----------+

删除空用户
drop user ''@'host_name';

修改用户hechunping的密码

方法1
mysql> set password for 'hechunping'@'192.168.7.72' = password('123456');
方法2
mysql> update user set authentication_string=password('123456') where user='hechunping';
# 此方法需要执行下面指令才能生效：
mysql> flush privileges;

忘记管理员密码的解决办法：

[root@CentOS7-01 ~]#mysql -p
Enter password: 
ERROR 1045 (28000): Access denied for user 'root'@'localhost' (using password: YES)

1.启动mysqld进程时，在/etc/my.cnf文件中添加如下服务器选项  
[mysqld]
skip-networking  # 禁止远程连接，只能在本地通过socket连接
skip-grant-tables # 忽略授权表，跳过授权检查

2.重启MySQL服务  
[root@CentOS7-01 ~]#systemctl restart mysqld

3.此时无需密码就能连接数据库，然后使用update命令修改管理员密码  
[root@CentOS7-01 ~]#mysql
Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 3
Server version: 5.7.28 MySQL Community Server (GPL)

Copyright (c) 2000, 2019, Oracle and/or its affiliates. All rights reserved.

Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

mysql> update user set authentication_string=password('123456') where user='root';
Query OK, 1 row affected, 1 warning (0.00 sec)
Rows matched: 1  Changed: 1  Warnings: 1

mysql> flush privileges;
Query OK, 0 rows affected (0.00 sec)

4.将刚才添加的两个服务器选项删掉，然后重启MySQL服务，再使用修改后的密码登录
[root@CentOS7-01 ~]#sed -i -e '/skip-networking/d' -e '/skip-grant-tables/d' /etc/my.cnf
[root@CentOS7-01 ~]#systemctl restart mysqld
[root@CentOS7-01 ~]#mysql -p123456
mysql: [Warning] Using a password on the command line interface can be insecure.
Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 2
Server version: 5.7.28 MySQL Community Server (GPL)

Copyright (c) 2000, 2019, Oracle and/or its affiliates. All rights reserved.

Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

mysql> 

权限管理

授权：GRANT

参考资料：https://mariadb.com/kb/en/library/grant/

范例：

GRANT SELECT (col1), INSERT (col1,col2) ON mydb.mytbl TO 'someuser'@'somehost‘;

【例1】授权用户hechunping在192.168.7.0网段对mytest库的所有表具有所有权限，并指定密码

mysql> GRANT ALL ON mytest.* TO 'hechunping'@'192.168.7.%' IDENTIFIED BY '123456';
Query OK, 0 rows affected, 1 warning (0.00 sec)

mysql> flush privileges;
Query OK, 0 rows affected (0.01 sec)

mysql> SHOW GRANTS FOR 'hechunping'@'192.168.7.%';
+------------------------------------------------------------------+
| Grants for [email protected].%                                |
+------------------------------------------------------------------+
| GRANT USAGE ON *.* TO 'hechunping'@'192.168.7.%'                 |
| GRANT ALL PRIVILEGES ON `mytest`.* TO 'hechunping'@'192.168.7.%' |
+------------------------------------------------------------------+
2 rows in set (0.00 sec)

注：如果用户hechunping不存在，则GRANT可以隐式创建它。ALL表示所有权限，等价于ALL PRIVILEGES。

【例2】授权用户hechunping在192.168.7.72主机对mytest库的student表具有SELECT权限，并指定密码

mysql> GRANT SELECT ON mytest.student TO 'hechunping'@'192.168.7.72' IDENTIFIED BY '123456' WITH GRANT OPTION;
Query OK, 0 rows affected, 1 warning (0.00 sec)
mysql> flush privileges;
Query OK, 0 rows affected (0.01 sec)

注：该WITH GRANT OPTION子句使用户能够将指定级别的特权授予其他用户。

【例3】授权用户hechunping在192.168.7.72主机对mytest库的student表的name字段具有SELECT权限，并指定密码

mysql> grant select(id) on mytest.student to 'hechunping'@'192.168.7.72' identified by '123456';
Query OK, 0 rows affected, 1 warning (0.00 sec)

mysql> flush privileges;
Query OK, 0 rows affected (0.01 sec)

取消授权：REVOKE

参考资料：https://mariadb.com/kb/en/library/revoke/

范例：

REVOKE DELETE ON testdb.* FROM 'testuser'@‘172.16.0.%’;

【例1】取消用户hechunping在192.168.7.72主机对mytest库的student表的id字段的SELECT权限

mysql> revoke select(id) on mytest.student from 'hechunping'@'192.168.7.72';
Query OK, 0 rows affected (0.00 sec)

【例2】取消用户hechunping在192.168.7.72主机对mytest库的student表的所有权限

mysql> revoke all on mytest.student from 'hechunping'@'192.168.7.72';
Query OK, 0 rows affected (0.00 sec)

查看指定用户获得的授权

参考资料：https://dev.mysql.com/doc/refman/5.7/en/show-grants.html

help show grants
SHOW GRANTS;
SHOW GRANTS FOR 'user'@'host';
SHOW GRANTS FOR CURRENT_USER();

【例1】查看当前用户的获得的授权信息

mysql> show grants;
+---------------------------------------------------------------------+
| Grants for root@localhost                                           |
+---------------------------------------------------------------------+
| GRANT ALL PRIVILEGES ON *.* TO 'root'@'localhost' WITH GRANT OPTION |
| GRANT PROXY ON ''@'' TO 'root'@'localhost' WITH GRANT OPTION        |
+---------------------------------------------------------------------+

【例2】查看用户hechunping在192.168.7.72主机获得的授权信息

mysql> show grants for 'hechunping'@'192.168.7.72';
+------------------------------------------------------------------------------------+
| Grants for [email protected]                                                 |
+------------------------------------------------------------------------------------+
| GRANT USAGE ON *.* TO 'hechunping'@'192.168.7.72'                                  |
| GRANT USAGE ON `mytest`.`student` TO 'hechunping'@'192.168.7.72' WITH GRANT OPTION |
+------------------------------------------------------------------------------------+

注：MySQL服务进程启动时会读取mysql库中所有授权表至内存

(1) GRANT或REVOKE等执行权限操作会保存于系统表中，MariaDB的服务进程通常会自动重读授权表，使之生效
(2) 对于不能够或不能及时重读授权表的命令，可手动让MariaDB的服务进程重读授权表：
mysql>FLUSH PRIVILEGES;