https://dev.mysql.com/doc/refman/5.7/en/grant.html
User management and privilege management
MySQL login authentication works along three dimensions: user name, password and IP.
Create david with no IP restriction and password 123
create user 'david'@'%' identified by '123';
Create david restricted to IPs beginning with 192.168.1, password 123 (the wildcard in a MySQL host part is %, not *)
create user 'david'@'192.168.1.%' identified by '123';
View the current user's privileges
show grants;
(root@localhost) [performance_schema]>show grants;
+-------------------------------------------------------------+
| Grants for root@% |
+-------------------------------------------------------------+
| GRANT ALL PRIVILEGES ON *.* TO 'root'@'%' WITH GRANT OPTION |
+-------------------------------------------------------------+
1 row in set (0.01 sec)
(david@localhost) [(none)]>show grants;
+-----------------------------------+
| Grants for david@% |
+-----------------------------------+
| GRANT USAGE ON *.* TO 'david'@'%' |
+-----------------------------------+
1 row in set (0.00 sec)
View a specific user's privileges
(david@localhost) [(none)]>show grunts for 'david'@'%';
ERROR 1064 (42000): You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'grunts for 'david'@'%'' at line 1
(david@localhost) [(none)]>show grants for 'david'@'%';
+-----------------------------------+
| Grants for david@% |
+-----------------------------------+
| GRANT USAGE ON *.* TO 'david'@'%' |
+-----------------------------------+
1 row in set (0.00 sec)
Granting: give the select, update, insert and delete privileges on test.* to the user 'david'@'%'
(root@localhost) [performance_schema]>grant select,update,insert,delete on test.* to 'david'@'%';
Query OK, 0 rows affected (0.00 sec)
test.* means every table in the test database; *.* means global.
Note: there is a form that creates the user and grants privileges in one statement. MySQL does not recommend it, and a future version will remove this syntax.
(root@localhost) [performance_schema]>grant select,update,insert,delete on test.* to 'amy'@'%' identified by '123';
Query OK, 0 rows affected, 1 warning (0.00 sec)
(root@localhost) [performance_schema]>show warnings;
+-------+------+-----------------------------------------------------------------------------------------------------------------------------------------------------------+
| Level | Code | Message |
+-------+------+-----------------------------------------------------------------------------------------------------------------------------------------------------------+
| Error | 1064 | You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'warning' at line 1 |
+-------+------+-----------------------------------------------------------------------------------------------------------------------------------------------------------+
1 row in set (0.00 sec)
(root@localhost) [performance_schema]>
Change a user's password
alter user 'david'@'%' identified by '456';
Add new privileges
grant create,index on test.* to 'david'@'%' ;
Revoke privileges
revoke create,index on test.* from 'david'@'%';
Note: revoke all privileges on *.* from 'david'@'%'; takes away all of david's privileges, but it does not drop the user.
Allowing a user to pass its own privileges on to other users: with grant option.
(root@localhost) [performance_schema]>grant select,update,insert,delete on test.* to 'david'@'%' with grant option ;
Query OK, 0 rows affected (0.00 sec)
(root@localhost) [performance_schema]>show grants for 'david'@'%';
+-----------------------------------------------------------------------------------+
| Grants for david@% |
+-----------------------------------------------------------------------------------+
| GRANT USAGE ON *.* TO 'david'@'%' |
| GRANT SELECT, INSERT, UPDATE, DELETE ON `test`.* TO 'david'@'%' WITH GRANT OPTION |
+-----------------------------------------------------------------------------------+
2 rows in set (0.00 sec)
Now, connected as david, I can grant my own privileges to someone else
(david@localhost) [(none)]>grant select on test.* to 'amy'@'%';
Query OK, 0 rows affected (0.00 sec)
The four tables in the mysql database that store privileges
user          global level
db            database level
tables_priv   table level
columns_priv  column level
(root@localhost) [mysql]>show tables like 'user';
+------------------------+
| Tables_in_mysql (user) |
+------------------------+
| user |
+------------------------+
1 row in set (0.00 sec)
(root@localhost) [mysql]>show tables like 'db';
+----------------------+
| Tables_in_mysql (db) |
+----------------------+
| db |
+----------------------+
1 row in set (0.00 sec)
(root@localhost) [mysql]>show tables like 'tables_priv';
+-------------------------------+
| Tables_in_mysql (tables_priv) |
+-------------------------------+
| tables_priv |
+-------------------------------+
1 row in set (0.00 sec)
(root@localhost) [mysql]>show tables like 'columns_priv';
+--------------------------------+
| Tables_in_mysql (columns_priv) |
+--------------------------------+
| columns_priv |
+--------------------------------+
1 row in set (0.00 sec)
Query david's privileges at the global level
(root@localhost) [mysql]>select * from user where user='david'\G;
*************************** 1. row ***************************
Host: %
User: david
Select_priv: N
Insert_priv: N
Update_priv: N
Delete_priv: N
Create_priv: N
Drop_priv: N
Reload_priv: N
Shutdown_priv: N
Process_priv: N
File_priv: N
Grant_priv: N
References_priv: N
Index_priv: N
Alter_priv: N
Show_db_priv: N
Super_priv: N
Create_tmp_table_priv: N
Lock_tables_priv: N
Execute_priv: N
Repl_slave_priv: N
Repl_client_priv: N
Create_view_priv: N
Show_view_priv: N
Create_routine_priv: N
Alter_routine_priv: N
Create_user_priv: N
Event_priv: N
Trigger_priv: N
Create_tablespace_priv: N
ssl_type:
ssl_cipher:
x509_issuer:
x509_subject:
max_questions: 0
max_updates: 0
max_connections: 0
max_user_connections: 0
plugin: mysql_native_password
authentication_string: *531E182E2F72080AB0740FE2F2D689DBE0146E04
password_expired: N
password_last_changed: 2021-04-18 18:33:09
password_lifetime: NULL
account_locked: N
1 row in set (0.00 sec)
Every column is N, which shows that david has no privileges at the global level.
Now look at david's privileges at the database level
(root@localhost) [mysql]>select * from db where user='david'\G;
*************************** 1. row ***************************
Host: %
Db: test
User: david
Select_priv: Y
Insert_priv: Y
Update_priv: Y
Delete_priv: Y
Create_priv: N
Drop_priv: N
Grant_priv: Y
References_priv: N
Index_priv: N
Alter_priv: N
Create_tmp_table_priv: N
Lock_tables_priv: N
Create_view_priv: N
Show_view_priv: N
Create_routine_priv: N
Alter_routine_priv: N
Execute_priv: N
Event_priv: N
Trigger_priv: N
1 row in set (0.00 sec)
ERROR:
No query specified
At the database level david has Select_priv, Insert_priv, Update_priv, Delete_priv and Grant_priv, which shows that the privileges of an ordinary user created this way live at the db level.
Note: it is strongly advised not to modify these four tables (user, db, tables_priv, columns_priv) directly to grant privileges; use the grant command instead. Editing them directly carries real risk.
root's privileges, on the other hand, are stored in the user table:
(root@localhost) [mysql]>select * from user where user='root'\G;
*************************** 1. row ***************************
Host: %
User: root
Select_priv: Y
Insert_priv: Y
Update_priv: Y
Delete_priv: Y
Create_priv: Y
Drop_priv: Y
Reload_priv: Y
Shutdown_priv: Y
Process_priv: Y
File_priv: Y
Grant_priv: Y
References_priv: Y
Index_priv: Y
Alter_priv: Y
Show_db_priv: Y
Super_priv: Y
Create_tmp_table_priv: Y
Lock_tables_priv: Y
Execute_priv: Y
Repl_slave_priv: Y
Repl_client_priv: Y
Create_view_priv: Y
Show_view_priv: Y
Create_routine_priv: Y
Alter_routine_priv: Y
Create_user_priv: Y
Event_priv: Y
Trigger_priv: Y
Create_tablespace_priv: Y
ssl_type:
ssl_cipher:
x509_issuer:
x509_subject:
max_questions: 0
max_updates: 0
max_connections: 0
max_user_connections: 0
plugin: mysql_native_password
authentication_string: *6BB4837EB74329105EE4568DDA7DC67ED2CA2AD9
password_expired: N
password_last_changed: 2021-04-18 10:45:46
password_lifetime: NULL
account_locked: N
1 row in set (0.00 sec)
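To make the four-level lookup concrete, here is an added example (not code from the original post) that models how MySQL resolves a privilege: first the global row in mysql.user, then mysql.db, then mysql.tables_priv. The rows are constructed: the root and david rows are trimmed copies of the page's SELECT output, and the 'amy'@'192.168.1.%' row in tables_priv is made up to show a table-level grant restricted to one subnet. Host comparison follows MySQL's LIKE semantics (% and _ are wildcards), which is why a host written as 192.168.1.* never matches anything. The model deliberately omits columns_priv, the specificity ordering MySQL applies when several account rows match, and wildcards in the Db column.

```python
import re

# Constructed sample rows, trimmed to the columns this example needs. The root and
# david rows mirror the page's SELECT output; the amy/tables_priv row is made up here
# to show a table-level grant restricted to one subnet.
USER_ROWS = [
    {"Host": "%", "User": "root", "Select_priv": "Y", "Insert_priv": "Y",
     "Create_priv": "Y", "Drop_priv": "Y", "Grant_priv": "Y"},
    {"Host": "%", "User": "david", "Select_priv": "N", "Insert_priv": "N",
     "Create_priv": "N", "Drop_priv": "N", "Grant_priv": "N"},
    {"Host": "%", "User": "amy", "Select_priv": "N", "Insert_priv": "N",
     "Create_priv": "N", "Drop_priv": "N", "Grant_priv": "N"},
]
DB_ROWS = [
    {"Host": "%", "Db": "test", "User": "david", "Select_priv": "Y", "Insert_priv": "Y",
     "Update_priv": "Y", "Delete_priv": "Y", "Create_priv": "N", "Grant_priv": "Y"},
]
# mysql.tables_priv keeps the granted privileges in a SET column such as 'Select,Insert'.
TABLES_PRIV_ROWS = [
    {"Host": "192.168.1.%", "Db": "sales", "User": "amy", "Table_name": "orders",
     "Table_priv": "Select"},
]


def host_matches(pattern, host):
    """Account hosts are compared with SQL LIKE semantics: % matches any run of
    characters and _ matches exactly one. A literal '*' is not a wildcard."""
    regex = "".join(".*" if c == "%" else "." if c == "_" else re.escape(c)
                    for c in pattern)
    return re.fullmatch(regex, host, flags=re.IGNORECASE) is not None


def has_privilege(user, host, db, table, priv):
    """Return the scope at which `priv` applies ('global', 'db' or 'table') or None.

    Lookup order mirrors the page's description of the privilege tables:
    mysql.user (global) first, then mysql.db, then mysql.tables_priv. Simplified
    model: columns_priv, MySQL's specificity ordering of multiple matching account
    rows, and LIKE wildcards in the Db column are not handled.
    """
    col = priv.capitalize() + "_priv"
    for row in USER_ROWS:
        if row["User"] == user and host_matches(row["Host"], host):
            if row.get(col) == "Y":
                return "global"
            break  # account exists; keep looking at narrower scopes
    else:
        return None  # no account row matches this user@host at all
    for row in DB_ROWS:
        if (row["User"] == user and row["Db"] == db
                and host_matches(row["Host"], host) and row.get(col) == "Y"):
            return "db"
    for row in TABLES_PRIV_ROWS:
        if (row["User"] == user and row["Db"] == db and row["Table_name"] == table
                and host_matches(row["Host"], host)
                and priv.capitalize() in row["Table_priv"].split(",")):
            return "table"
    return None


if __name__ == "__main__":
    for args in [("root", "10.0.0.5", "test", "t1", "drop"),
                 ("david", "10.0.0.5", "test", "t1", "select"),
                 ("david", "10.0.0.5", "other", "t1", "select"),
                 ("amy", "192.168.1.77", "sales", "orders", "select"),
                 ("amy", "10.0.0.5", "sales", "orders", "select")]:
        print(args, "->", has_privilege(*args))
```

The return value names the scope, which is what an auditor wants when reviewing why an account can touch a table: a "global" hit for a non-admin account is the finding worth chasing, since it means the privilege was granted on *.* rather than on the database or table it was meant for.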
How MySQL hashes passwords
A quick query of mysql.user
(root@localhost) [mysql]>select user,host,authentication_string from mysql.user;
+---------------+-----------+-------------------------------------------+
| user | host | authentication_string |
+---------------+-----------+-------------------------------------------+
| root | % | *6BB4837EB74329105EE4568DDA7DC67ED2CA2AD9 |
| mysql.session | localhost | *THISISNOTAVALIDPASSWORDTHATCANBEUSEDHERE |
| mysql.sys | localhost | *THISISNOTAVALIDPASSWORDTHATCANBEUSEDHERE |
| david | % | *531E182E2F72080AB0740FE2F2D689DBE0146E04 |
| amy | % | *23AE809DDACAF96AF0FD78ED04B6A265E05AA257 |
+---------------+-----------+-------------------------------------------+
5 rows in set (0.00 sec)
The authentication_string column stores the hashed form of the MySQL password; like md5, it is a one-way digest.
Internally this is the MySQL password() function, as shown below:
(root@localhost) [mysql]>select password('456')
-> ;
+-------------------------------------------+
| password('456') |
+-------------------------------------------+
| *531E182E2F72080AB0740FE2F2D689DBE0146E04 |
+-------------------------------------------+
1 row in set, 1 warning (0.00 sec)
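The hash above is produced by the mysql_native_password scheme, which is not md5 but SHA-1 applied twice: '*' followed by the upper-case hex of SHA1(SHA1(password)), with no per-account salt. The following is an added example (not code from the original post) that reproduces PASSWORD('456') in Python and then uses the unsalted property for a defensive check: because equal passwords give equal hashes, an administrator can spot password reuse across accounts from a dump of mysql.user without knowing any password. The rows are constructed from the page's output plus one made-up 'backup'@'%' account that reuses david's password.

```python
import hashlib

# Constructed rows copied from the page's SELECT user,host,authentication_string
# output, plus one made-up account ('backup'@'%') that reuses david's password.
SAMPLE_ROWS = [
    ("root", "%", "*6BB4837EB74329105EE4568DDA7DC67ED2CA2AD9"),
    ("mysql.sys", "localhost", "*THISISNOTAVALIDPASSWORDTHATCANBEUSEDHERE"),
    ("david", "%", "*531E182E2F72080AB0740FE2F2D689DBE0146E04"),
    ("amy", "%", "*23AE809DDACAF96AF0FD78ED04B6A265E05AA257"),
    ("backup", "%", "*531E182E2F72080AB0740FE2F2D689DBE0146E04"),  # constructed
]


def mysql_native_password(password):
    """Reproduce PASSWORD() for the mysql_native_password plugin:
    '*' + upper-case hex of SHA1(SHA1(password)). No per-user salt is involved,
    so the same password always yields the same authentication_string."""
    stage1 = hashlib.sha1(password.encode("utf-8")).digest()  # raw 20-byte digest
    stage2 = hashlib.sha1(stage1).hexdigest().upper()
    return "*" + stage2


def find_shared_hashes(rows):
    """Group accounts by authentication_string. With an unsalted scheme, identical
    hashes mean identical passwords, which is detectable without cracking anything.
    Placeholder strings used by the built-in mysql.sys/mysql.session accounts
    ('*THISISNOTAVALIDPASSWORD...') are skipped because they are not real hashes."""
    by_hash = {}
    for user, host, auth in rows:
        if auth.startswith("*THISISNOTAVALIDPASSWORD"):
            continue
        by_hash.setdefault(auth, []).append(user + "@" + host)
    return {h: accts for h, accts in by_hash.items() if len(accts) > 1}


if __name__ == "__main__":
    print(mysql_native_password("456"))       # matches the page's PASSWORD('456')
    print(find_shared_hashes(SAMPLE_ROWS))    # accounts sharing a password
```

Running find_shared_hashes over a real dump is a cheap periodic check; the same lack of salt is the reason the newer caching_sha2_password plugin is preferable where clients support it.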
Resource limits
1. Number of queries per hour
2. Number of updates per hour
3. Maximum number of connections per hour
4. Maximum number of simultaneous connections for the user
max_user_connections
max_connections_per_hour   number of connections allowed within one hour
max_queries_per_hour
max_updates_per_hour
david may have at most one connection at a time. Note that users already connected are not counted.
alter user 'david'@'%' with max_user_connections 1;
[root@localhost ~]# mysql -udavid -p456
mysql: [Warning] Using a password on the command line interface can be insecure.
ERROR 1226 (42000): User 'david' has exceeded the 'max_user_connections' resource (current value: 1)
Role-based privilege management
MySQL 8.0 introduced the role feature