MySQL Study之--MySQL用戶及權(quán)限管理
MySQL服務(wù)器通過(guò)MySQL權(quán)限表來(lái)控制用戶對(duì)數(shù)據(jù)庫(kù)的訪問(wèn),MySQL權(quán)限表存放在mysql數(shù)據(jù)庫(kù)里,由mysql_install_db腳本初始化。這些MySQL權(quán)限表分別user,db,table_priv,columns_priv和host。下面分別介紹一下這些表的結(jié)構(gòu)和內(nèi)容:
user權(quán)限表:記錄允許連接到服務(wù)器的用戶帳號(hào)信息,里面的權(quán)限是全局級(jí)的。
db權(quán)限表:記錄各個(gè)帳號(hào)在各個(gè)數(shù)據(jù)庫(kù)上的操作權(quán)限。
table_priv權(quán)限表:記錄數(shù)據(jù)表級(jí)的操作權(quán)限。
columns_priv權(quán)限表:記錄數(shù)據(jù)列級(jí)的操作權(quán)限。
host權(quán)限表:配合db權(quán)限表對(duì)給定主機(jī)上數(shù)據(jù)庫(kù)級(jí)操作權(quán)限作更細(xì)致的控制。這個(gè)權(quán)限表不受GRANT和REVOKE語(yǔ)句的影響。
案例分析:
一、創(chuàng)建用戶并授權(quán)(root用戶)
[root@mysrv ~]# mysql -u root -poracle
mysql> select version()\g
+-------------------------------------------+
| version() |
+-------------------------------------------+
| 5.6.25-enterprise-commercial-advanced-log |
+-------------------------------------------+
1 row in set (0.00 sec)
mysql> show databases;
+--------------------+
| Database |
+--------------------+
| information_schema |
| mysql |
| performance_schema |
| prod |
| test |
+--------------------+
5 rows in set (0.01 sec)
1、建立tom用戶并授權(quán)(特權(quán)管理用戶)
mysql> grant all on prod.* to 'tom'@'%' identified by 'tom' with grant option;
Query OK, 0 rows affected (0.00 sec)
查看用戶創(chuàng)建是否成功:
mysql> select user,host from user ;
+-------+-----------+
| user | host |
+-------+-----------+
| tom | % |
| root | 127.0.0.1 |
| root | ::1 |
| | localhost |
| root | localhost |
| scott | localhost |
| | mysrv |
| root | mysrv |
+-------+-----------+
8 rows in set (0.00 sec)
查看tom用戶的授權(quán):
mysql> show grants for tom;
+----------------------------------------------------------------------------------------------------+
| Grants for tom@% |
+----------------------------------------------------------------------------------------------------+
| GRANT USAGE ON *.* TO 'tom'@'%' IDENTIFIED BY PASSWORD '*71FF744436C7EA1B954F6276121DB5D2BF68FC07' |
| GRANT ALL PRIVILEGES ON `prod`.* TO 'tom'@'%' WITH GRANT OPTION |
+----------------------------------------------------------------------------------------------------+
GRANT 語(yǔ)法:
GRANT privileges (columns)
ON what
TO user IDENTIFIED BY "password"
WITH GRANT OPTION
權(quán)限列表:
ALTER: 修改表和索引。
CREATE: 創(chuàng)建數(shù)據(jù)庫(kù)和表。
DELETE: 刪除表中已有的記錄。
DROP: 拋棄(刪除)數(shù)據(jù)庫(kù)和表。
INDEX: 創(chuàng)建或拋棄索引。
INSERT: 向表中插入新行。
REFERENCE: 未用。
SELECT: 檢索表中的記錄。
UPDATE: 修改現(xiàn)存表記錄。
FILE: 讀或?qū)懛?wù)器上的文件。
PROCESS: 查看服務(wù)器中執(zhí)行的線程信息或殺死線程。
RELOAD: 重載授權(quán)表或清空日志、主機(jī)緩存或表緩存。
SHUTDOWN: 關(guān)閉服務(wù)器。
ALL: 所有權(quán)限,ALL PRIVILEGES同義詞。
USAGE: 特殊的 "無(wú)權(quán)限" 權(quán)限。
用 戶賬戶包括 "username" 和 "host" 兩部分,后者表示該用戶被允許從何地接入。tom@'%' 表示任何地址,默認(rèn)可以省略。還可以是 "tom@192.168.1.%"、"tom@%.abc.com" 等。數(shù)據(jù)庫(kù)格式為 db@table,可以是 "test.*" 或 "*.*",前者表示 test 數(shù)據(jù)庫(kù)的所有表,后者表示所有數(shù)據(jù)庫(kù)的所有表。
子句 "WITH GRANT OPTION" 表示該用戶可以為其他用戶分配權(quán)限。
2、我們用 root 再創(chuàng)建幾個(gè)用戶,然后由 test 數(shù)據(jù)庫(kù)的管理員tom為他們分配權(quán)限。
mysql> create user 'tom1' identified by 'tom1' ,'tom2' identified by 'tom2';
Query OK, 0 rows affected (0.00 sec)
mysql> select user,host from user ;
+-------+-----------+
| user | host |
+-------+-----------+
| tom | % |
| tom1 | % |
| tom2 | % |
| root | 127.0.0.1 |
| root | ::1 |
| | localhost |
| root | localhost |
| scott | localhost |
| | mysrv |
| root | mysrv |
+-------+-----------+
10 rows in set (0.00 sec)
root用戶退出,tom登陸,并授權(quán)用戶訪問(wèn)prod庫(kù)
[root@mysrv ~]# mysql -u tom -ptom
ERROR 1045 (28000): Access denied for user 'tom'@'localhost' (using password: YES)
tom用戶竟不能登陸!!!
再對(duì)tom用戶授權(quán):
mysql> grant all on prod.* to 'tom'@'localhost' identified by 'tom' with grant option;;
Query OK, 0 rows affected (0.00 sec)
mysql> show grants for tom;
+----------------------------------------------------------------------------------------------------+
| Grants for tom@% |
+----------------------------------------------------------------------------------------------------+
| GRANT USAGE ON *.* TO 'tom'@'%' IDENTIFIED BY PASSWORD '*71FF744436C7EA1B954F6276121DB5D2BF68FC07' |
| GRANT ALL PRIVILEGES ON `prod`.* TO 'tom'@'%' WITH GRANT OPTION |
+----------------------------------------------------------------------------------------------------+
2 rows in set (0.00 sec)
mysql> use mysql;
Database changed
mysql> select user,host from user ;
+-------+-----------+
| user | host |
+-------+-----------+
| tom | % |
| tom1 | % |
| tom2 | % |
| root | 127.0.0.1 |
| root | ::1 |
| | localhost |
| root | localhost |
| scott | localhost |
| tom | localhost |
| | mysrv |
| root | mysrv |
+-------+-----------+
11 rows in set (0.00 sec)
tom登陸:
[root@mysrv ~]# mysql -u tom -ptom prod
mysql> select database();
+------------+
| database() |
+------------+
| prod |
+------------+
1 row in set (0.01 sec)
mysql> select current_user();
+----------------+
| current_user() |
+----------------+
| tom@localhost |
+----------------+
1 row in set (0.00 sec)
創(chuàng)建表:
mysql> show tables;
+----------------+
| Tables_in_prod |
+----------------+
| t1 |
+----------------+
1 row in set (0.00 sec)
mysql> create table t2 as select * from t1;
Query OK, 3 rows affected (0.15 sec)
Records: 3 Duplicates: 0 Warnings: 0
查看表信息:
mysql> desc t2;
+-------+-------------+------+-----+---------+-------+
| Field | Type | Null | Key | Default | Extra |
+-------+-------------+------+-----+---------+-------+
| id | int(11) | YES | | NULL | |
| name | varchar(10) | YES | | NULL | |
+-------+-------------+------+-----+---------+-------+
2 rows in set (0.01 sec)
mysql> show create table t2;
+-------+---------------------------------------------------------------------------------------------------------------------------+
| Table | Create Table |
+-------+---------------------------------------------------------------------------------------------------------------------------+
| t2 | CREATE TABLE `t2` (
`id` int(11) DEFAULT NULL,
`name` varchar(10) DEFAULT NULL
) ENGINE=InnoDB DEFAULT CHARSET=latin1 |
+-------+---------------------------------------------------------------------------------------------------------------------------+
1 row in set (0.01 sec)
mysql> show create table t2\G;
*************************** 1. row ***************************
Table: t2
Create Table: CREATE TABLE `t2` (
`id` int(11) DEFAULT NULL,
`name` varchar(10) DEFAULT NULL
) ENGINE=InnoDB DEFAULT CHARSET=latin1
1 row in set (0.00 sec)
mysql> select * from t2;
+------+-------+
| id | name |
+------+-------+
| 10 | tom |
| 20 | jerry |
| 30 | rose |
+------+-------+
3 rows in set (0.00 sec)
3、tom用戶為tom1,tom2授權(quán)
mysql> grant select on prod.* to tom1;
Query OK, 0 rows affected (0.00 sec)
mysql> grant select on prod.* to tom2;
Query OK, 0 rows affected (0.02 sec)
mysql> grant insert,update on prod.* to tom2;
Query OK, 0 rows affected (0.00 sec)
tom2登陸(從遠(yuǎn)程登陸):
C:\Users\Administrator>mysql -h 192.168.8.240 -utom2 -ptom2
mysql> select database();
+------------+
| database() |
+------------+
| NULL |
+------------+
1 row in set (0.00 sec)
mysql> use prod;
Database changed
mysql> select database();
+------------+
| database() |
+------------+
| prod |
+------------+
1 row in set (0.00 sec)
mysql> select current_user();
+----------------+
| current_user() |
+----------------+
| tom2@% |
+----------------+
1 row in set (0.00 sec)
mysql> show grants for tom2;
+------------------------------------------------------------------+
| Grants for tom2@% |
+------------------------------------------------------------------+
| GRANT USAGE ON *.* TO 'tom2'@'%' IDENTIFIED BY PASSWORD
|
| GRANT SELECT, INSERT, UPDATE ON `prod`.* TO 'tom2'@'%' |
+------------------------------------------------------------------+
2 rows in set (0.00 sec)
mysql> show tables;
+----------------+
| Tables_in_prod |
+----------------+
| t1 |
| t2 |
+----------------+
2 rows in set (0.00 sec)
mysql> select * from t1;
+------+-------+
| id | name |
+------+-------+
| 10 | tom |
| 20 | jerry |
| 30 | rose |
+------+-------+
3 rows in set (0.00 sec)
mysql> select * from t2;
+------+-------+
| id | name |
+------+-------+
| 10 | tom |
| 20 | jerry |
| 30 | rose |
+------+-------+
3 rows in set (0.00 sec)
mysql> insert into t1 values (40,'john');
Query OK, 1 row affected (0.00 sec)
mysql> commit;
Query OK, 0 rows affected (0.09 sec)
mysql> select * from t1;
+------+-------+
| id | name |
+------+-------+
| 10 | tom |
| 20 | jerry |
| 30 | rose |
| 40 | john |
+------+-------+
4 rows in set (0.00 sec)
mysql> update t1 set name='ellen' where id=40;
Query OK, 1 row affected (0.01 sec)
Rows matched: 1 Changed: 1 Warnings: 0
mysql> select * from t1;
+------+-------+
| id | name |
+------+-------+
| 10 | tom |
| 20 | jerry |
| 30 | rose |
| 40 | ellen |
+------+-------+
4 rows in set (0.00 sec)
mysql> delete from t1;
ERROR 1142 (42000): DELETE command denied to user 'tom2'@'192.168.8.254' for tab
le 't1'
mysql> commit;
Query OK, 0 rows affected (0.05 sec)
mysql> select * from t1;
+------+-------+
| id | name |
+------+-------+
| 10 | tom |
| 20 | jerry |
| 30 | rose |
| 40 | ellen |
+------+-------+
4 rows in set (0.00 sec)
4、回收tom2的update權(quán)限:
mysql> revoke update on prod.* from tom2;
Query OK, 0 rows affected (0.00 sec)
tom2再重新登陸:
C:\Users\Administrator>mysql -h 192.168.8.240 -utom2 -ptom2
mysql> use prod;
Database changed
mysql> update t1 set name='lily' where id=10;
ERROR 1142 (42000): UPDATE command denied to user 'tom2'@'192.168.8.254' for tab
le 't1'
---update失敗!
二、修改用戶口令:
1、root用戶修改普通用戶口令
mysql> set password for tom1=password('oracle');
Query OK, 0 rows affected (0.01 sec)
mysql> flush privileges;
Query OK, 0 rows affected (0.00 sec)
tom1重新登陸:
C:\Users\Administrator>mysql -h 192.168.8.240 -utom1 -ptom1
Warning: Using a password on the command line interface can be insecure.
ERROR 1045 (28000): Access denied for user 'tom1'@'192.168.8.254' (using passwor
d: YES)
---舊口令登陸失敗!
C:\Users\Administrator>mysql -h 192.168.8.240 -utom1 -poracle
mysql>
2、普通用戶修改自己密碼:
C:\Users\Administrator>mysql -h 192.168.8.240 -utom1 -poracle
mysql> set password=password('tom1');
Query OK, 0 rows affected (0.00 sec)
重新登陸:
C:\Users\Administrator>mysql -h 192.168.8.240 -utom1 -ptom1
mysql>
---新密碼登陸成功 !
三、刪除用戶:
1、回收用戶所有權(quán)限
mysql> revoke all on prod.* from tom2;
Query OK, 0 rows affected (0.01 sec)
2、刪除用戶
mysql> drop user tom2;
Query OK, 0 rows affected (0.00 sec)
mysql> flush privileges;
Query OK, 0 rows affected (0.00 sec)
mysql> select user,host from user;
+-------+-----------+
| user | host |
+-------+-----------+
| jerry | % |
| rose | % |
| tom | % |
| tom1 | % |
| root | 127.0.0.1 |
| root | ::1 |
| | localhost |
| jerry | localhost |
| root | localhost |
| rose | localhost |
| scott | localhost |
| tom | localhost |
| | mysrv |
| root | mysrv |
+-------+-----------+
14 rows in set (0.00 sec)
創(chuàng)建用戶:
GRANT insert, update ON testdb.* TO user1@'%' IDENTIFIED BY 'password' WITH GRANT OPTION;
CREATE USER user2 IDENTIFIED BY 'password';
分配權(quán)限:
GRANT select ON testdb.* TO user2;
查看權(quán)限:
SHOW GRANTS FOR user1;
修改密碼:
SET PASSWORD FOR user1 = PASSWORD('newpwd');
SET PASSWORD = PASSWORD('newpwd');
移除權(quán)限:
REVOKE all ON *.* FROM user1;
刪除用戶:
DROP USER user1;
數(shù)據(jù)庫(kù)列表:
SHOW DATABASES;
數(shù)據(jù)表列表:
SHOW TABLES;
當(dāng)前數(shù)據(jù)庫(kù):
SELECT DATABASE();
當(dāng)前用戶:
SELECT USER();
數(shù)據(jù)表結(jié)構(gòu):
DESCRIBE table1;
刷新權(quán)限:
FLUSH PRIVILEGES;
grant和revoke可以在幾個(gè)層次上控制訪問(wèn)權(quán)限
1,整個(gè)服務(wù)器,使用 grant ALL 和revoke ALL
2,整個(gè)數(shù)據(jù)庫(kù),使用on database.*
3,特點(diǎn)表,使用on database.table
4,特定的列
5,特定的存儲(chǔ)過(guò)程
user表中host列的值的意義
% 匹配所有主機(jī)
localhost localhost不會(huì)被解析成IP地址,直接通過(guò)UNIXsocket連接
127.0.0.1 會(huì)通過(guò)TCP/IP協(xié)議連接,并且只能在本機(jī)訪問(wèn);
::1 ::1就是兼容支持ipv6的,表示同ipv4的127.0.0.1
grant 普通數(shù)據(jù)用戶,查詢、插入、更新、刪除 數(shù)據(jù)庫(kù)中所有表數(shù)據(jù)的權(quán)利。
grant select on testdb.* to common_user@’%’
grant insert on testdb.* to common_user@’%’
grant update on testdb.* to common_user@’%’
grant delete on testdb.* to common_user@’%’
或者,用一條 MySQL 命令來(lái)替代:
grant select, insert, update, delete on testdb.* to common_user@’%’
grant 數(shù)據(jù)庫(kù)開(kāi)發(fā)人員,創(chuàng)建表、索引、視圖、存儲(chǔ)過(guò)程、函數(shù)。。等權(quán)限。
grant 創(chuàng)建、修改、刪除 MySQL 數(shù)據(jù)表結(jié)構(gòu)權(quán)限。
grant create on testdb.* to developer@’192.168.0.%’;
grant alter on testdb.* to developer@’192.168.0.%’;
grant drop on testdb.* to developer@’192.168.0.%’;
grant 操作 MySQL 外鍵權(quán)限。
grant references on testdb.* to developer@’192.168.0.%’;
grant 操作 MySQL 臨時(shí)表權(quán)限。
grant create temporary tables on testdb.* to developer@’192.168.0.%’;
grant 操作 MySQL 索引權(quán)限。
grant index on testdb.* to developer@’192.168.0.%’;
grant 操作 MySQL 視圖、查看視圖源代碼 權(quán)限。
grant create view on testdb.* to developer@’192.168.0.%’;
grant show view on testdb.* to developer@’192.168.0.%’;
grant 操作 MySQL 存儲(chǔ)過(guò)程、函數(shù) 權(quán)限。
grant create routine on testdb.* to developer@’192.168.0.%’; -- now, can show procedure status
grant alter routine on testdb.* to developer@’192.168.0.%’; -- now, you can drop a procedure
grant execute on testdb.* to developer@’192.168.0.%’;
grant 普通 DBA 管理某個(gè) MySQL 數(shù)據(jù)庫(kù)的權(quán)限。
grant all privileges on testdb to dba@’localhost’
其中,關(guān)鍵字 “privileges” 可以省略。
grant 高級(jí) DBA 管理 MySQL 中所有數(shù)據(jù)庫(kù)的權(quán)限。
grant all on *.* to dba@’localhost’
MySQL grant 權(quán)限,分別可以作用在多個(gè)層次上。
1. grant 作用在整個(gè) MySQL 服務(wù)器上:
grant select on *.* to dba@localhost; -- dba 可以查詢 MySQL 中所有數(shù)據(jù)庫(kù)中的表。
grant all on *.* to dba@localhost; -- dba 可以管理 MySQL 中的所有數(shù)據(jù)庫(kù)
2. grant 作用在單個(gè)數(shù)據(jù)庫(kù)上:
grant select on testdb.* to dba@localhost; -- dba 可以查詢 testdb 中的表。
3. grant 作用在單個(gè)數(shù)據(jù)表上:
grant select, insert, update, delete on testdb.orders to dba@localhost;
4. grant 作用在表中的列上:
grant select(id, se, rank) on testdb.apache_log to dba@localhost;
5. grant 作用在存儲(chǔ)過(guò)程、函數(shù)上:
grant execute on procedure testdb.pr_add to ’dba’@’localhost’
grant execute on function testdb.fn_add to ’dba’@’localhost’
注意:修改完權(quán)限以后 一定要刷新服務(wù),或者重啟服務(wù),刷新服務(wù)用:FLUSH PRIVILEGES。
聲明:本網(wǎng)頁(yè)內(nèi)容旨在傳播知識(shí),若有侵權(quán)等問(wèn)題請(qǐng)及時(shí)與本網(wǎng)聯(lián)系,我們將在第一時(shí)間刪除處理。TEL:177 7030 7066 E-MAIL:11247931@qq.com
