MySQL user and privilege operations

https://dev.mysql.com/doc/refman/5.7/en/grant.html

User management and privilege management

MySQL authenticates a login on three dimensions: username, password and IP (the host part of the account name).

Create david with no IP restriction and password 123

create user 'david'@'%' identified by '123';

Create david restricted to IP addresses beginning with 192.168.1, password 123

create user 'david'@'192.168.1.%' identified by '123';
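The host part of an account name is easy to get wrong, so here is an added example (my own Python, not code from the original post) that reproduces the matching rules from the MySQL 5.7 manual: '%' and '_' are the only wildcards, the 'address/netmask' form restricts by IPv4 network, and anything else, including a literal '*', must match exactly. The account list and client addresses are constructed for the demonstration; MySQL's "most specific host first" ordering of matching rows is not modelled.

```python
import ipaddress
import re

# Added example, not from the original post. Reproduces how MySQL matches the
# host part of an account name ('user'@'host') against a connecting client.
# Rules from the MySQL 5.7 manual: '%' and '_' are LIKE-style wildcards,
# 'addr/netmask' restricts by IPv4 network, anything else is compared literally
# and case-insensitively. '*' has no special meaning.

def host_matches(pattern: str, client: str) -> bool:
    """Return True if the client address/host name satisfies the account's host pattern."""
    if "/" in pattern:
        # Netmask form, e.g. '192.168.1.0/255.255.255.0'.
        net_addr, mask = pattern.split("/", 1)
        try:
            network = ipaddress.IPv4Network(f"{net_addr}/{mask}", strict=False)
            return ipaddress.IPv4Address(client) in network
        except ValueError:
            return False
    # LIKE-style form: translate % and _ to regex, escape everything else.
    parts = []
    for ch in pattern:
        if ch == "%":
            parts.append(".*")
        elif ch == "_":
            parts.append(".")
        else:
            parts.append(re.escape(ch))
    return re.fullmatch("".join(parts), client, flags=re.IGNORECASE) is not None


# Constructed account list, shaped like (User, Host) pairs from mysql.user.
ACCOUNTS = [
    ("david", "%"),
    ("david", "192.168.1.%"),
    ("david", "192.168.1.*"),              # the mistaken form: '*' is literal
    ("david", "192.168.1.0/255.255.255.0"),
    ("amy", "localhost"),
]

def matching_accounts(user: str, client: str) -> list:
    """Host patterns under which `user` connecting from `client` could authenticate."""
    return [host for u, host in ACCOUNTS if u == user and host_matches(host, client)]


if __name__ == "__main__":
    for client in ("192.168.1.50", "192.168.10.50", "10.0.0.7"):
        print(client, "->", matching_accounts("david", client))
```

For david connecting from 192.168.1.50 the patterns '%', '192.168.1.%' and the netmask form match; the literal '192.168.1.*' matches nothing, so an account created with it can never log in from any real address.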

View the current user's privileges
show grants;

(root@localhost) [performance_schema]>show grants;
+-------------------------------------------------------------+
| Grants for root@%                                           |
+-------------------------------------------------------------+
| GRANT ALL PRIVILEGES ON *.* TO 'root'@'%' WITH GRANT OPTION |
+-------------------------------------------------------------+
1 row in set (0.01 sec)

(david@localhost) [(none)]>show grants;
+-----------------------------------+
| Grants for david@%                |
+-----------------------------------+
| GRANT USAGE ON *.* TO 'david'@'%' |
+-----------------------------------+
1 row in set (0.00 sec)

View a specific user's privileges

(david@localhost) [(none)]>show grunts for 'david'@'%';
ERROR 1064 (42000): You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'grunts for 'david'@'%'' at line 1
(david@localhost) [(none)]>show grants for 'david'@'%';
+-----------------------------------+
| Grants for david@%                |
+-----------------------------------+
| GRANT USAGE ON *.* TO 'david'@'%' |
+-----------------------------------+
1 row in set (0.00 sec)

Granting: give the select, update, insert and delete privileges on test.* to the user 'david'@'%'

(root@localhost) [performance_schema]>grant select,update,insert,delete on test.* to 'david'@'%';
Query OK, 0 rows affected (0.00 sec)

test.* means every table in the test database; *.* is the global level.

Note: there is a form of GRANT that creates the user and grants privileges in one statement. MySQL does not recommend it, and a future version will remove this syntax.

(root@localhost) [performance_schema]>grant select,update,insert,delete on test.* to 'amy'@'%' identified by '123';
Query OK, 0 rows affected, 1 warning (0.00 sec)

(root@localhost) [performance_schema]>show warnings;
+-------+------+-----------------------------------------------------------------------------------------------------------------------------------------------------------+
| Level | Code | Message                                                                                                                                                   |
+-------+------+-----------------------------------------------------------------------------------------------------------------------------------------------------------+
| Error | 1064 | You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'warning' at line 1 |
+-------+------+-----------------------------------------------------------------------------------------------------------------------------------------------------------+
1 row in set (0.00 sec)

(root@localhost) [performance_schema]>

Change a user's password

alter user  'david'@'%' identified by '456';

Add further privileges

grant create,index on test.* to 'david'@'%' ;

Revoke privileges

revoke create,index on test.* from 'david'@'%';

Note: revoke all on *.* from 'david'@'%'; takes away all of david's privileges, but it does not delete the user.

Letting a user pass its own privileges on to other users: with grant option.

(root@localhost) [performance_schema]>grant select,update,insert,delete on test.* to 'david'@'%' with grant option ;
Query OK, 0 rows affected (0.00 sec)

(root@localhost) [performance_schema]>show grants for 'david'@'%';
+-----------------------------------------------------------------------------------+
| Grants for david@%                                                                |
+-----------------------------------------------------------------------------------+
| GRANT USAGE ON *.* TO 'david'@'%'                                                 |
| GRANT SELECT, INSERT, UPDATE, DELETE ON `test`.* TO 'david'@'%' WITH GRANT OPTION |
+-----------------------------------------------------------------------------------+
2 rows in set (0.00 sec)

With that in place, logged in as david I can grant my own privileges to someone else

(david@localhost) [(none)]>grant select on test.* to 'amy'@'%';
Query OK, 0 rows affected (0.00 sec)
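The SHOW GRANTS output above is what an account review usually starts from, so here is an added example (my own Python, not code from the original post) that parses those lines and flags the combinations worth a second look: a '%' host, global *.* scope, ALL PRIVILEGES, and WITH GRANT OPTION. The input lines are transcribed from this page's output; the risk rules are my own, not a MySQL feature.

```python
import re
from dataclasses import dataclass

# Added example, not from the original post: parse SHOW GRANTS lines and flag
# what a reviewer of MySQL accounts would want to see. The risk rules below are
# this example's own, not anything MySQL reports itself.

GRANT_RE = re.compile(
    r"^GRANT (?P<privs>.+?) ON (?P<obj>\S+) TO '(?P<user>[^']*)'@'(?P<host>[^']*)'"
    r"(?P<grant_option> WITH GRANT OPTION)?$"
)

@dataclass(frozen=True)
class Grant:
    user: str
    host: str
    obj: str            # '*.*' (global), '`db`.*' (database) or '`db`.`table`'
    privs: tuple        # upper-cased privilege names, e.g. ('SELECT', 'INSERT')
    grant_option: bool

def parse_grant(line: str) -> Grant:
    """Turn one SHOW GRANTS line into a Grant; raises ValueError on anything else."""
    m = GRANT_RE.match(line.strip())
    if m is None:
        raise ValueError(f"not a GRANT line: {line!r}")
    privs = tuple(p.strip().upper() for p in m.group("privs").split(","))
    return Grant(
        user=m.group("user"),
        host=m.group("host"),
        obj=m.group("obj"),
        privs=privs,
        grant_option=m.group("grant_option") is not None,
    )

def audit(grant: Grant) -> list:
    """Findings for one grant; an empty list means nothing noteworthy."""
    findings = []
    if grant.host == "%":
        findings.append("host is %: account accepted from any client address")
    if grant.obj == "*.*" and grant.privs != ("USAGE",):
        findings.append("global scope (*.*): privileges apply to every database")
    if "ALL PRIVILEGES" in grant.privs:
        findings.append("ALL PRIVILEGES granted")
    if grant.grant_option:
        findings.append("WITH GRANT OPTION: account can hand its privileges to others")
    return findings

def audit_report(lines: list) -> dict:
    """Map 'user'@'host' -> list of findings, skipping blank or non-GRANT lines."""
    report = {}
    for line in lines:
        if not line.strip().upper().startswith("GRANT "):
            continue
        g = parse_grant(line)
        key = f"'{g.user}'@'{g.host}'"
        report.setdefault(key, []).extend(audit(g))
    return report

# Constructed input, transcribed from the SHOW GRANTS output on this page.
SAMPLE_GRANTS = [
    "GRANT ALL PRIVILEGES ON *.* TO 'root'@'%' WITH GRANT OPTION",
    "GRANT USAGE ON *.* TO 'david'@'%'",
    "GRANT SELECT, INSERT, UPDATE, DELETE ON `test`.* TO 'david'@'%' WITH GRANT OPTION",
]

if __name__ == "__main__":
    for account, findings in audit_report(SAMPLE_GRANTS).items():
        print(account)
        for f in findings:
            print("  -", f)
```

GRANT USAGE is MySQL's way of saying "no privileges", so the global-scope rule deliberately ignores it; the line still produces the host finding because 'david'@'%' is reachable from anywhere.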

The four tables in the mysql database that store privileges

user          global level
db            database level
tables_priv   table level
columns_priv  column level


(root@localhost) [mysql]>show tables like 'user';
+------------------------+
| Tables_in_mysql (user) |
+------------------------+
| user                   |
+------------------------+
1 row in set (0.00 sec)

(root@localhost) [mysql]>show tables like 'db';
+----------------------+
| Tables_in_mysql (db) |
+----------------------+
| db                   |
+----------------------+
1 row in set (0.00 sec)

(root@localhost) [mysql]>show tables like 'tables_priv';
+-------------------------------+
| Tables_in_mysql (tables_priv) |
+-------------------------------+
| tables_priv                   |
+-------------------------------+
1 row in set (0.00 sec)

(root@localhost) [mysql]>show tables like 'columns_priv';
+--------------------------------+
| Tables_in_mysql (columns_priv) |
+--------------------------------+
| columns_priv                   |
+--------------------------------+
1 row in set (0.00 sec)

Query david's privileges at the global level

(root@localhost) [mysql]>select * from user where user='david'\G;
*************************** 1. row ***************************
                  Host: %
                  User: david
           Select_priv: N
           Insert_priv: N
           Update_priv: N
           Delete_priv: N
           Create_priv: N
             Drop_priv: N
           Reload_priv: N
         Shutdown_priv: N
          Process_priv: N
             File_priv: N
            Grant_priv: N
       References_priv: N
            Index_priv: N
            Alter_priv: N
          Show_db_priv: N
            Super_priv: N
 Create_tmp_table_priv: N
      Lock_tables_priv: N
          Execute_priv: N
       Repl_slave_priv: N
      Repl_client_priv: N
      Create_view_priv: N
        Show_view_priv: N
   Create_routine_priv: N
    Alter_routine_priv: N
      Create_user_priv: N
            Event_priv: N
          Trigger_priv: N
Create_tablespace_priv: N
              ssl_type: 
            ssl_cipher: 
           x509_issuer: 
          x509_subject: 
         max_questions: 0
           max_updates: 0
       max_connections: 0
  max_user_connections: 0
                plugin: mysql_native_password
 authentication_string: *531E182E2F72080AB0740FE2F2D689DBE0146E04
      password_expired: N
 password_last_changed: 2021-04-18 18:33:09
     password_lifetime: NULL
        account_locked: N
1 row in set (0.00 sec)

Every column is N, which shows that david has no privileges at the global level.

Now look at david's privileges at the database level

(root@localhost) [mysql]>select * from db where user='david'\G;
*************************** 1. row ***************************
                 Host: %
                   Db: test
                 User: david
          Select_priv: Y
          Insert_priv: Y
          Update_priv: Y
          Delete_priv: Y
          Create_priv: N
            Drop_priv: N
           Grant_priv: Y
      References_priv: N
           Index_priv: N
           Alter_priv: N
Create_tmp_table_priv: N
     Lock_tables_priv: N
     Create_view_priv: N
       Show_view_priv: N
  Create_routine_priv: N
   Alter_routine_priv: N
         Execute_priv: N
           Event_priv: N
         Trigger_priv: N
1 row in set (0.00 sec)

ERROR: 
No query specified

At the database level david holds Select_priv, Insert_priv, Update_priv, Delete_priv and Grant_priv, which shows that the privileges granted to this ordinary user live at the db level.
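To make the relationship between the two tables concrete, here is an added example (my own Python, not code from the original post) that models how MySQL combines them when it checks a statement: a privilege is sufficient if it is held at any applicable level, so the effective set for a database is the union of the mysql.user row (global) and the matching mysql.db row. The rows are transcribed from the \G output above; tables_priv and columns_priv are left out, and Host and Db are compared exactly rather than with MySQL's wildcard rules. The drift check at the end is my own addition and shows how Grant_priv slipped in beyond the four privileges the author meant to grant.

```python
# Added example, not from the original post: a small model of how MySQL
# combines mysql.user (global) and mysql.db (database level) privileges.
# Rows transcribed from the \G output on this page; table/column-level rows are
# omitted and Host/Db are compared exactly (MySQL also allows wildcards there).

PRIV_COLUMNS = [
    "Select_priv", "Insert_priv", "Update_priv", "Delete_priv",
    "Create_priv", "Drop_priv", "Grant_priv", "Index_priv", "Alter_priv",
]

def _row(host: str, user: str, yes: set, db: str = None) -> dict:
    """Build a privilege-table row with the given columns set to Y and the rest to N."""
    row = {"Host": host, "User": user}
    if db is not None:
        row["Db"] = db
    for col in PRIV_COLUMNS:
        row[col] = "Y" if col in yes else "N"
    return row

USER_ROWS = [                                   # mysql.user, global level
    _row("%", "root", set(PRIV_COLUMNS)),
    _row("%", "david", set()),
]
DB_ROWS = [                                     # mysql.db, database level
    _row("%", "david", {"Select_priv", "Insert_priv", "Update_priv",
                        "Delete_priv", "Grant_priv"}, db="test"),
]

def privs_in(row: dict) -> set:
    """Privilege names (SELECT, INSERT, ...) whose column is 'Y' in a row."""
    return {col[:-len("_priv")].upper() for col in PRIV_COLUMNS if row.get(col) == "Y"}

def effective_privileges(user: str, host: str, db: str) -> set:
    """Union of global and database-level privileges for user@host on db."""
    privs = set()
    for row in USER_ROWS:
        if row["User"] == user and row["Host"] == host:
            privs |= privs_in(row)
    for row in DB_ROWS:
        if row["User"] == user and row["Host"] == host and row["Db"] == db:
            privs |= privs_in(row)
    return privs

def excess_privileges(user: str, host: str, db: str, intended: set) -> set:
    """Privileges held beyond what the account was meant to have (drift check)."""
    return effective_privileges(user, host, db) - {p.upper() for p in intended}

if __name__ == "__main__":
    print("david on test:", sorted(effective_privileges("david", "%", "test")))
    print("david on other:", sorted(effective_privileges("david", "%", "other")))
    print("excess:", excess_privileges("david", "%", "test",
                                       {"select", "insert", "update", "delete"}))
```

Because root's Y values sit in mysql.user, they apply to every database name passed in; david's sit in mysql.db and vanish as soon as the database is anything other than test.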

Note: it is strongly recommended not to grant privileges by editing these four tables (user, db, tables_priv, columns_priv) directly; use the grant command instead! Editing them by hand carries real risk.

root's privileges, by contrast, are stored in the user table:

(root@localhost) [mysql]>select * from user where user='root'\G;
*************************** 1. row ***************************
                  Host: %
                  User: root
           Select_priv: Y
           Insert_priv: Y
           Update_priv: Y
           Delete_priv: Y
           Create_priv: Y
             Drop_priv: Y
           Reload_priv: Y
         Shutdown_priv: Y
          Process_priv: Y
             File_priv: Y
            Grant_priv: Y
       References_priv: Y
            Index_priv: Y
            Alter_priv: Y
          Show_db_priv: Y
            Super_priv: Y
 Create_tmp_table_priv: Y
      Lock_tables_priv: Y
          Execute_priv: Y
       Repl_slave_priv: Y
      Repl_client_priv: Y
      Create_view_priv: Y
        Show_view_priv: Y
   Create_routine_priv: Y
    Alter_routine_priv: Y
      Create_user_priv: Y
            Event_priv: Y
          Trigger_priv: Y
Create_tablespace_priv: Y
              ssl_type: 
            ssl_cipher: 
           x509_issuer: 
          x509_subject: 
         max_questions: 0
           max_updates: 0
       max_connections: 0
  max_user_connections: 0
                plugin: mysql_native_password
 authentication_string: *6BB4837EB74329105EE4568DDA7DC67ED2CA2AD9
      password_expired: N
 password_last_changed: 2021-04-18 10:45:46
     password_lifetime: NULL
        account_locked: N
1 row in set (0.00 sec)

How MySQL hashes passwords

A quick query of mysql.user

(root@localhost) [mysql]>select user,host,authentication_string  from mysql.user;
+---------------+-----------+-------------------------------------------+
| user          | host      | authentication_string                     |
+---------------+-----------+-------------------------------------------+
| root          | %         | *6BB4837EB74329105EE4568DDA7DC67ED2CA2AD9 |
| mysql.session | localhost | *THISISNOTAVALIDPASSWORDTHATCANBEUSEDHERE |
| mysql.sys     | localhost | *THISISNOTAVALIDPASSWORDTHATCANBEUSEDHERE |
| david         | %         | *531E182E2F72080AB0740FE2F2D689DBE0146E04 |
| amy           | %         | *23AE809DDACAF96AF0FD78ED04B6A265E05AA257 |
+---------------+-----------+-------------------------------------------+
5 rows in set (0.00 sec)

The authentication_string column holds the hashed form of the MySQL password; like md5 it is a one-way digest.
Internally it is produced by the MySQL function password(), as shown here:

(root@localhost) [mysql]>select password('456')
    -> ;
+-------------------------------------------+
| password('456')                           |
+-------------------------------------------+
| *531E182E2F72080AB0740FE2F2D689DBE0146E04 |
+-------------------------------------------+
1 row in set, 1 warning (0.00 sec)
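The algorithm behind PASSWORD() and the mysql_native_password plugin is documented and short, so here is an added example (my own Python, not code from the original post) that reproduces it: the stored string is '*' followed by the upper-case hex of SHA1(SHA1(password)), with the inner digest fed in as raw bytes. Running it on '456' gives exactly the string this page shows for david. The check is unsalted, which is why identical passwords produce identical authentication_string values and why MySQL 8.0 moved to caching_sha2_password as the default.

```python
import hashlib
import hmac

# Added example, not from the original post: the algorithm behind PASSWORD()
# and the mysql_native_password plugin. Stored value = '*' + upper-hex of
# SHA1(SHA1(password)), where the inner SHA-1 is used as raw bytes. No salt.

def mysql_native_password(password: str) -> str:
    """Return the authentication_string MySQL stores for mysql_native_password."""
    stage1 = hashlib.sha1(password.encode("utf-8")).digest()
    stage2 = hashlib.sha1(stage1).hexdigest().upper()
    return "*" + stage2

def verify_native_password(stored: str, candidate: str) -> bool:
    """Check a candidate password against a stored hash with a constant-time comparison."""
    return hmac.compare_digest(stored, mysql_native_password(candidate))

def is_native_hash(value: str) -> bool:
    """True if value has the shape of a mysql_native_password hash: '*' plus 40 upper-case hex digits."""
    if len(value) != 41 or value[0] != "*":
        return False
    return all(c in "0123456789ABCDEF" for c in value[1:])

if __name__ == "__main__":
    # '456' is the password the page sets for david with ALTER USER.
    print(mysql_native_password("456"))
    # Placeholder stored for mysql.session / mysql.sys on this page: not a real hash.
    print(is_native_hash("*THISISNOTAVALIDPASSWORDTHATCANBEUSEDHERE"))
```

The placeholder `*THISISNOTAVALIDPASSWORDTHATCANBEUSEDHERE` seen for mysql.session and mysql.sys is the same length as a real hash but contains non-hex letters, so is_native_hash rejects it; that is deliberate on MySQL's side, since those internal accounts must never authenticate with a password.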

Resource limits

1. Queries executed per hour: max_queries_per_hour
2. Updates per hour: max_updates_per_hour
3. Maximum connections per hour: max_connections_per_hour
4. Maximum simultaneous connections for the user: max_user_connections

david may have at most one connection. Note that users who are already connected are not counted.

alter user 'david'@'%' with max_user_connections 1;
[root@localhost ~]# mysql -udavid -p456
mysql: [Warning] Using a password on the command line interface can be insecure.
ERROR 1226 (42000): User 'david' has exceeded the 'max_user_connections' resource (current value: 1)

Role-based privilege management

MySQL 8.0 introduced the role feature.
