009-LAMP_MySQL_privilege


User and account management

Creating users

Syntax:
CREATE USER user_specification
    [, user_specification] ...

user_specification:
    user
    [
        IDENTIFIED BY [PASSWORD] 'password'
      | IDENTIFIED WITH auth_plugin [AS 'auth_string']
    ]

The CREATE USER statement creates new MySQL accounts. To use it, you
must have the global CREATE USER privilege or the INSERT privilege for
the mysql database. For each account, CREATE USER creates a new row in
the mysql.user table and assigns the account no privileges. An error
occurs if the account already exists.

Each account name uses the format described in
http://dev.mysql.com/doc/refman/5.5/en/account-names.html. For example:

CREATE USER 'jeffrey'@'localhost' IDENTIFIED BY 'mypass';

If you specify only the user name part of the account name, a host name
part of '%' is used.

The user specification may indicate how the user should authenticate
when connecting to the server:

o To enable the user to connect with no password (which is insecure),
  include no IDENTIFIED BY clause:

CREATE USER 'jeffrey'@'localhost';

  In this case, the account uses built-in authentication and clients
  must provide no password.

o To assign a password, use IDENTIFIED BY with the literal plaintext
  password value:

CREATE USER 'jeffrey'@'localhost' IDENTIFIED BY 'mypass';

  The account uses built-in authentication and clients must match the
  given password.

o To avoid specifying the plaintext password if you know its hash value
  (the value that PASSWORD() would return for the password), specify
  the hash value preceded by the keyword PASSWORD:

CREATE USER 'jeffrey'@'localhost'
IDENTIFIED BY PASSWORD '*90E462C37378CED12064BB3388827D2BA3A9B689';

  The account uses built-in authentication and clients must match the
  given password.

o To authenticate the account using a specific authentication plugin,
  use IDENTIFIED WITH, where auth_plugin is the plugin name. It can be
  an unquoted name or a quoted string literal. 'auth_string' is an
  optional quoted string literal to pass to the plugin. The plugin
  interprets the meaning of the string, so its format is plugin
  specific. Consult the documentation for a given plugin for
  information about the authentication string values it accepts.

CREATE USER 'jeffrey'@'localhost'
IDENTIFIED WITH my_auth_plugin;

  For connections that use this account, the server invokes the named
  plugin and clients must provide credentials as required for the
  authentication method that the plugin implements. If the server
  cannot find the plugin, either at account-creation time or connect
  time, an error occurs. IDENTIFIED WITH can be used as of MySQL 5.5.7.

The IDENTIFIED BY and IDENTIFIED WITH clauses are mutually exclusive,
so at most one of them can be specified for a given user.

Create a user shirley who logs in to the mysql-server from host 172.16.249.207, with password 2012


MariaDB [(none)]> CREATE USER 'shirley'@'172.16.249.207' IDENTIFIED BY '2012';
Query OK, 0 rows affected (0.00 sec)

On the host 172.16.249.207, log in to the mariadb-server as user shirley; the server's address is 172.16.249.206

# On the other host, 172.16.249.207, install the mysql server, which includes the client
[root@localhost ~]# yum install mysql-server

# Connect with the mysql client
[root@localhost ~]# mysql -ushirley -h172.16.249.206 -p2012
Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 8
Server version: 5.5.41-MariaDB MariaDB Server

Copyright (c) 2000, 2013, Oracle and/or its affiliates. All rights reserved.

Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

mysql> show databases;  # shirley's privileges are clearly limited
+--------------------+
| Database           |
+--------------------+
| information_schema |
| test               |
+--------------------+
2 rows in set (0.00 sec)

Below is the user information in the mysql.user table; it shows that shirley can log in remotely from 172.16.249.207

MariaDB [mysql]> select Host,User,Password from mysql.user where User='shirley';
+----------------+---------+-------------------------------------------+
| Host           | User    | Password                                  |
+----------------+---------+-------------------------------------------+
| 172.16.249.207 | shirley | *9F6F2DC1B40B6DF5D2A5F762E1CF33782CA1AB29 |
+----------------+---------+-------------------------------------------+
1 row in set (0.00 sec)

Important things get said three times

Note: there are two IP addresses above, and I got really, really confused at this point. The IP after @ when creating the user is the host that is allowed to log in remotely; the x.x.x.x in mysql -ushirley -hx.x.x.x is the address of the remote mariadb server!

Deleting users

Here, user is written in the full 'username'@'host' form.
Syntax:
DROP USER user [, user] ...

The DROP USER statement removes one or more MySQL accounts and their
privileges. It removes privilege rows for the account from all grant
tables. To use this statement, you must have the global CREATE USER
privilege or the DELETE privilege for the mysql database. Each account
name uses the format described in
http://dev.mysql.com/doc/refman/5.5/en/account-names.html. For example:

DROP USER 'jeffrey'@'localhost';

If you specify only the user name part of the account name, a host name
part of '%' is used.

Delete the shirley user

MariaDB [mysql]> DROP USER 'shirley'@'172.16.249.207';

[root@localhost ~]# mysql -ushirley -h172.16.249.206 -p2012
Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 9
Server version: 5.5.41-MariaDB MariaDB Server

Copyright (c) 2000, 2013, Oracle and/or its affiliates. All rights reserved.

Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

mysql> show databases;  # after being granted privileges, shirley can see every database
+--------------------+
| Database           |
+--------------------+
| information_schema |
| db01               |
| mysql              |
| performance_schema |
| sdb                |
| test               |
| wordpress          |
+--------------------+
7 rows in set (0.00 sec)

Granting privileges to users

Syntax:
GRANT
    priv_type [(column_list)]
      [, priv_type [(column_list)]] ...
    ON [object_type] priv_level
    TO user_specification [, user_specification] ...
    [REQUIRE {NONE | ssl_option [[AND] ssl_option] ...}]
    [WITH with_option ...]

priv_type:  # the privileges being granted
    ALL
    SELECT
    DELETE

GRANT PROXY ON user_specification
    TO user_specification [, user_specification] ...
    [WITH GRANT OPTION]

object_type:  # distinguishes a table from a stored function or procedure
    TABLE
  | FUNCTION
  | PROCEDURE

priv_level:  # which table or routine of which database the grant applies to
    *
  | *.*
  | db_name.*
  | db_name.tbl_name
  | tbl_name
  | db_name.routine_name

user_specification:
    user
    [
        IDENTIFIED BY [PASSWORD] 'password'
      | IDENTIFIED WITH auth_plugin [AS 'auth_string']
    ]

ssl_option:
    SSL
  | X509
  | CIPHER 'cipher'
  | ISSUER 'issuer'
  | SUBJECT 'subject'

with_option:
    GRANT OPTION
  | MAX_QUERIES_PER_HOUR count
  | MAX_UPDATES_PER_HOUR count
  | MAX_CONNECTIONS_PER_HOUR count
  | MAX_USER_CONNECTIONS count

The GRANT statement grants privileges to MySQL user accounts. GRANT
also serves to specify other account characteristics such as use of
secure connections and limits on access to server resources. To use
GRANT, you must have the GRANT OPTION privilege, and you must have the
privileges that you are granting.

Normally, a database administrator first uses CREATE USER to create an
account, then GRANT to define its privileges and characteristics. For
example:

CREATE USER 'jeffrey'@'localhost' IDENTIFIED BY 'mypass';
GRANT ALL ON db1.* TO 'jeffrey'@'localhost';
GRANT SELECT ON db2.invoice TO 'jeffrey'@'localhost';
GRANT USAGE ON *.* TO 'jeffrey'@'localhost' WITH MAX_QUERIES_PER_HOUR 90;

However, if an account named in a GRANT statement does not already
exist, GRANT may create it under the conditions described later in the
discussion of the NO_AUTO_CREATE_USER SQL mode.

The REVOKE statement is related to GRANT and enables administrators to
remove account privileges. See [HELP REVOKE].

When successfully executed from the mysql program, GRANT responds with
Query OK, 0 rows affected. To determine what privileges result from the
operation, use SHOW GRANTS. See [HELP SHOW GRANTS].

URL: http://dev.mysql.com/doc/refman/5.5/en/grant.html

Grant the shirley user access to all databases, then reload the grant tables

MariaDB [mysql]> GRANT ALL PRIVILEGES ON *.* TO 'shirley'@'172.16.249.207';
Query OK, 0 rows affected (0.00 sec)

MariaDB [mysql]> FLUSH PRIVILEGES;
Query OK, 0 rows affected (0.00 sec)

Grant the husa user access to the mysql.user table, with only limited privileges on that table (note that the PRIVILEGES keyword is only valid after ALL; with a list of specific privileges it is a syntax error)

MariaDB [mysql]> GRANT SELECT,INSERT,DELETE ON mysql.user TO 'husa'@'172.16.249.207';
Query OK, 0 rows affected (0.00 sec)
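The post's GRANT ALL PRIVILEGES ON *.* hands a remote account every global privilege (including SUPER and FILE). The following is an added example, not from the original post, showing the least-privilege way to set up the same kind of remote account described in the CREATE USER and GRANT sections above: a host-restricted account, DML only on one database, a connection cap, and how to verify the result in SHOW GRANTS and the grant tables. It assumes the page's hosts (server 172.16.249.206, client 172.16.249.207), the `wordpress` database listed in SHOW DATABASES, a hypothetical account name `wp_app`, and a placeholder password.

```sql
-- Constructed example (not from the original post): a least-privilege
-- alternative to GRANT ALL ON *.* for a remote application account.
-- Assumes the page's hosts and the 'wordpress' database; 'wp_app' and the
-- password are placeholders. Syntax is MySQL/MariaDB 5.5 era, as on the page.

-- 1. Create the account bound to the client host only. The host after '@'
--    is where connections may come FROM; it is not the server's address.
CREATE USER 'wp_app'@'172.16.249.207' IDENTIFIED BY 'CHANGE_ME_placeholder';

-- 2. Grant only the DML the application needs, scoped to its own database.
--    Nothing here touches mysql.*, so the account cannot read other users'
--    password hashes or alter grants.
GRANT SELECT, INSERT, UPDATE, DELETE ON wordpress.*
    TO 'wp_app'@'172.16.249.207';

-- 3. Cap connection rate and concurrency so a leaked credential cannot be
--    used to hammer the server. USAGE on *.* grants no privilege at all.
GRANT USAGE ON *.* TO 'wp_app'@'172.16.249.207'
    WITH MAX_CONNECTIONS_PER_HOUR 200 MAX_USER_CONNECTIONS 10;

-- 4. Verify: expect one USAGE line for *.* carrying the limits and one
--    line for `wordpress`.* carrying the four DML privileges.
SHOW GRANTS FOR 'wp_app'@'172.16.249.207';

-- 5. Cross-check in the grant tables: every *_priv column in the global
--    row (mysql.user) should be 'N'; the DML lives in mysql.db instead.
SELECT Host, User, Select_priv, Insert_priv, Super_priv, File_priv
  FROM mysql.user WHERE User = 'wp_app';
SELECT Host, Db, User, Select_priv, Insert_priv, Update_priv, Delete_priv
  FROM mysql.db WHERE User = 'wp_app';

-- 6. Periodic audit of the whole server: accounts reachable from any host
--    ('%'), accounts with an empty password, and non-admin accounts holding
--    SUPER or FILE are the ones to review first.
SELECT Host, User FROM mysql.user WHERE Host = '%' OR Password = '';
SELECT Host, User FROM mysql.user WHERE Super_priv = 'Y' OR File_priv = 'Y';
```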

Viewing grants

Syntax:
SHOW GRANTS [FOR user]

This statement lists the GRANT statement or statements that must be
issued to duplicate the privileges that are granted to a MySQL user
account. The account is named using the same format as for the GRANT
statement; for example, 'jeffrey'@'localhost'. If you specify only the
user name part of the account name, a host name part of '%' is used.
For additional information about specifying account names, see [HELP
GRANT].

mysql> SHOW GRANTS FOR 'root'@'localhost';
+---------------------------------------------------------------------+
| Grants for root@localhost                                           |
+---------------------------------------------------------------------+
| GRANT ALL PRIVILEGES ON *.* TO 'root'@'localhost' WITH GRANT OPTION |
+---------------------------------------------------------------------+

To list the privileges granted to the account that you are using to
connect to the server, you can use any of the following statements:

SHOW GRANTS;
SHOW GRANTS FOR CURRENT_USER;
SHOW GRANTS FOR CURRENT_USER();

If SHOW GRANTS FOR CURRENT_USER (or any of the equivalent syntaxes) is
used in DEFINER context (such as within a stored procedure that is
defined with SQL SECURITY DEFINER), the grants displayed are those of
the definer and not the invoker.

URL: http://dev.mysql.com/doc/refman/5.5/en/show-grants.html

View the root user's privileges

MariaDB [db01]> SHOW GRANTS for CURRENT_USER;
+---------------------------------------------------------------------+
| Grants for root@localhost                                           |
+---------------------------------------------------------------------+
| GRANT ALL PRIVILEGES ON *.* TO 'root'@'localhost' WITH GRANT OPTION |
| GRANT PROXY ON ''@'' TO 'root'@'localhost' WITH GRANT OPTION        |
+---------------------------------------------------------------------+
2 rows in set (0.00 sec)

View the shirley user's privileges

mysql> SHOW GRANTS for CURRENT_USER\g\c
+-------------------------------------------------------------------------------------------------------------------------------+
| Grants for shirley@172.16.249.207                                                                                             |
+-------------------------------------------------------------------------------------------------------------------------------+
| GRANT ALL PRIVILEGES ON *.* TO 'shirley'@'172.16.249.207' IDENTIFIED BY PASSWORD '*9F6F2DC1B40B6DF5D2A5F762E1CF33782CA1AB29' |
+-------------------------------------------------------------------------------------------------------------------------------+
1 row in set (0.00 sec)

Revoking privileges

Syntax:
REVOKE
    priv_type [(column_list)]
      [, priv_type [(column_list)]] ...
    ON [object_type] priv_level
    FROM user [, user] ...

REVOKE ALL PRIVILEGES, GRANT OPTION
    FROM user [, user] ...

REVOKE PROXY ON user
    FROM user [, user] ...

The REVOKE statement enables system administrators to revoke privileges
from MySQL accounts. Each account name uses the format described in
http://dev.mysql.com/doc/refman/5.5/en/account-names.html. For example:

REVOKE INSERT ON *.* FROM 'jeffrey'@'localhost';

If you specify only the user name part of the account name, a host name
part of '%' is used.

For details on the levels at which privileges exist, the permissible
priv_type and priv_level values, and the syntax for specifying users
and passwords, see [HELP GRANT].

To use the first REVOKE syntax, you must have the GRANT OPTION
privilege, and you must have the privileges that you are revoking.

To revoke all privileges, use the second syntax, which drops all
global, database, table, column, and routine privileges for the named
user or users:

REVOKE ALL PRIVILEGES, GRANT OPTION FROM user [, user] ...

To use this REVOKE syntax, you must have the global CREATE USER
privilege or the UPDATE privilege for the mysql database.

URL: http://dev.mysql.com/doc/refman/5.5/en/revoke.html

Revoke the shirley user's ability to read the mysql.user table (her SELECT privilege came from the global ALL ON *.* grant, so it has to be revoked at the *.* level rather than on the single table)

MariaDB [mysql]> REVOKE SELECT ON *.* FROM 'shirley'@'172.16.249.207';
Query OK, 0 rows affected (0.00 sec)

[root@localhost ~]# mysql -ushirley -h172.16.249.206 -p2012
Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 10
Server version: 5.5.41-MariaDB MariaDB Server

Copyright (c) 2000, 2013, Oracle and/or its affiliates. All rights reserved.

Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

mysql> SELECT Host,User,Password FROM mysql.user;
ERROR 1142 (42000): SELECT command denied to user 'shirley'@'172.16.249.207' for table 'user'

Revoking a privilege does not take effect immediately for a shirley session that is already connected; the change only takes effect after shirley logs out and reconnects.

Note: when the mariadb server process starts, it reads all the grant tables of the mysql database into memory.
1. Privilege changes made with GRANT or REVOKE are written to the grant tables, and mariadb normally rereads the grant tables automatically, so the change takes effect immediately.
2. Privilege changes made any other way (editing the grant tables directly) take effect only after FLUSH PRIVILEGES is run by hand.
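To tie the revoke, the "already connected session" caveat and the two FLUSH PRIVILEGES cases together, here is an added example (not from the original post) that narrows shirley's over-broad global grant, forces her stale sessions to re-authenticate, and contrasts a GRANT-based change with a direct edit of mysql.user. It assumes the page's account 'shirley'@'172.16.249.207', the `sdb` database listed in SHOW DATABASES, and a placeholder password.

```sql
-- Constructed example (not from the original post): replacing shirley's
-- GRANT ALL ON *.* with a database-scoped grant, and showing when
-- FLUSH PRIVILEGES is and is not needed. 5.5-era syntax, as on the page.

-- Privileges granted with ALL ON *.* live in the global row (mysql.user),
-- so they cannot be taken away per table; revoke at the level granted.
REVOKE ALL PRIVILEGES, GRANT OPTION FROM 'shirley'@'172.16.249.207';

-- Re-grant only what is needed, at database scope (row goes to mysql.db).
GRANT SELECT ON sdb.* TO 'shirley'@'172.16.249.207';

-- GRANT/REVOKE update the in-memory copy themselves: no FLUSH needed,
-- and SHOW GRANTS already reflects the new state.
SHOW GRANTS FOR 'shirley'@'172.16.249.207';

-- A global-level change only applies to sessions opened afterwards. An
-- already connected shirley keeps the old global privileges until she
-- reconnects, so list her sessions and end them to make the revoke bite.
SELECT id, user, host, db FROM information_schema.processlist
 WHERE user = 'shirley';
-- KILL <id>;    -- once per id returned above

-- Editing the grant tables directly bypasses the in-memory cache. The
-- new password hash is on disk but not in use until FLUSH PRIVILEGES
-- reloads the tables (the same applies to any manual UPDATE/DELETE here).
UPDATE mysql.user SET Password = PASSWORD('CHANGE_ME_placeholder')
 WHERE User = 'shirley' AND Host = '172.16.249.207';
FLUSH PRIVILEGES;

-- Confirm the global row carries no privileges and the db row carries SELECT.
SELECT Host, User, Select_priv, Super_priv FROM mysql.user
 WHERE User = 'shirley';
SELECT Host, Db, User, Select_priv FROM mysql.db WHERE User = 'shirley';
```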

mysql_secure_installation

After installing mysql there is a script that sets up the security of the mysql accounts; run it to make the server secure.

[root@husa ~]# mysql_secure_installation   # walks through the security settings, after which you can set the root password
/usr/bin/mysql_secure_installation:行379: find_mysql_client: 未找到命令

NOTE: RUNNING ALL PARTS OF THIS SCRIPT IS RECOMMENDED FOR ALL MariaDB
      SERVERS IN PRODUCTION USE!  PLEASE READ EACH STEP CAREFULLY!

In order to log into MariaDB to secure it, we'll need the current
password for the root user.  If you've just installed MariaDB, and
you haven't set the root password yet, the password will be blank,
so you should just press enter here.

Enter current password for root (enter for none): 