2、用户权限管理
(1)创建用户及授权
Mysql用户创建可以通过create user/grant命令创建,也可以通过insert语句直接操作MySQL系统权限表来创建。
创建及给用户授权命令:
创建用户:CREATE USER username@'host' IDENTIFIED BY 'password'
用户授权:GRANT permission ON database.tables TO username@’host’
创建用户并授权:GRANT permission ON database.tables TO username@'hostt' WITH GRANT OPTION;
MYSQL创建用户及给用户授权的用户名主机部分由两部分组成,分别为用户名和登录主机名,格式为’username’@’hostname’;hostname字段可以使用主机名或者ip地址,同时hostname字段允许使用”%”和”_”两种字符进行匹配。
1.# 创建用户dayi123并授予本地登录所有库所有权限
2.mysql> create user 'dayi123'@'localhost' identified by 'dayi123';
3.mysql> grant all privileges on *.* to 'dayi123'@'localhost' with grant option;
4.# 创建用户用户dayi通过192.168.0.0段ip地址登录的增删该查跟新库web的权限
5.mysql> grant select,insert,update,delete,create,drop on web.* to 'dayi'@'192.168.%.%' identified by 'dayi123';
6.# 给root用户授权可以通过192.168.0.0段地址登录
7.mysql> grant all on *.* to root@'192.168.%.%' identified by 'dayi123';
(2)用户权限查看
查看已经授权给用户权限信息命令:show grants for ‘username’@’host’
1.# 查看授权给'dayi'@'192.168.%.%'的权限信息
2.mysql> show grants for 'dayi'@'192.168.%.%';
3.+---------------------------------------+
4.| Grants for dayi@192.168.%.% |
5.+---------------------------------------------------+
6.| GRANT USAGE ON *.* TO 'dayi'@'192.168.%.%' |
7.| GRANT SELECT, INSERT, UPDATE, DELETE, CREATE, DROP ON `web`.* TO 8.'dayi'@'192.168.%.%' |
9.+---------------------------------------------------+
2 rows in set (0.00 sec)
查看创建用户的语句:show create user ‘username’@’host’
1.# 查看给用户’dayi’没有授权的信息
2.mysql> show create user dayi@'192.168.%.%';
3.+------------------------------------------+
4.| CREATE USER for dayi@192.168.%.% |
5.+--------------------------------------------+
6.| CREATE USER 'dayi'@'192.168.%.%' IDENTIFIED WITH 'mysql_native_password' AS '*8FD40AC91E6D5D89D1060096FDEF8A4ECAA05B5C' REQUIRE NONE PASSWORD EXPIRE DEFAULT ACCOUNT UNLOCK |
7.+-----------------------------------------------+
8.1 row in set (0.00 sec)
(3)收回用户权限
收回用户权限是可以通过语句revoke完成,命令格式为:
Revoke permission on ‘database’,’tables’ from ‘username’@’host’
- # 收回用户dayi远程登录的drop权限;
- mysql> revoke drop on web.* from dayi@'192.168.%.%';
- Query OK, 0 rows affected (0.00 sec)
(4)设置用户密码
Mysql数据库一般在创建用户时就给用户设置了密码,如果在用户创建完成后想修改密码,可通过相应的命令来完成。
1)修改其他用户密码(当前用户要有权限),一般在root用户下操作
登录mysql后的修改命令:
Alter user ‘username’@’host’ identified by ‘newpassword’
Set password for ‘username’@’host’=password(‘newpassword’)
Grant user on permission to ‘user’@’host’ identified by ‘newpassword’
在系统命令行下修改:
mysqladmin –u uername –h host password “newpassword”
- # 修改dayi123的密码为dayi1234
- mysql> alter user 'dayi123'@'localhost' identified by 'dayi1234';
- Query OK, 0 rows affected (0.35 sec)
- # 修改dayi远程登录密码为dayi1234
- mysql> set password for 'dayi'@'192.168.%.%'=password('dayi1234');
- Query OK, 0 rows affected, 1 warning (0.00 sec)
2)修改当前用户密码
alter user user() identified by ‘newpassword’
set password=password(‘newpassword’)
- # 修改当前登录的root的密码为dayi1234
- mysql> alter user user() identified by 'dayi1234';
- Query OK, 0 rows affected (0.00 sec)
(5)mysql用户删除
删除命令:drop user ‘username’@’host’
- # 删除用户dayi远程登录
- mysql> drop user 'dayi'@'192.168.%.%';
- Query OK, 0 rows affected (0.00 sec)
- # 查看删除后的用户
- mysql> select user,host from mysql.user;
- +---------------+-------------+
- | user | host |
- +---------------+-------------+
- | root | 192.168.%.% |
- | dayi | localhost |
- | dayi123 | localhost |
- | mysql.session | localhost |
- | mysql.sys | localhost |
- | root | localhost |
- +---------------+-------------+
(6)用户的锁定与解锁
在创建用户时或用户创建后可以将用户锁定,用户被锁定后,此用户无法完成登录,锁定与解锁的命令如下:
在创建用户时锁定用户:
Create user ‘username’@’host’ identified by ‘password’ account lock;
用户创建受锁定用户L
Alter user ‘username’@’host’ account lock
解锁用户:alter user ‘username’@’host’ account unlock;
- # 锁定用户dayi123
- mysql> alter user 'dayi123'@'localhost' account lock;
- Query OK, 0 rows affected (0.00 sec)
- # 用户被锁定后等录时报如下错:
- ~]# mysql -udayi123 -p
- Enter password:
- ERROR 3118 (HY000): Access denied for user 'dayi123'@'localhost'. Account is locked.
- # 解锁用户dayi123
- mysql> alter user 'dayi123'@'localhost' account unlock;
- Query OK, 0 rows affected (0.00 sec)
(7)设置密码过期策略
Mysql数据库用户同系统用户一样,可以设置密码过期策略,密码的过期天数可以在配置文件里面设置,也可以通过命令设置,通过命令为每个用户设置密码的过期天数则会覆盖系统配置文件中的设置。
1)配置文件中设置
选项:default_password_lifetime=”过期天数” :如果设置为0,则密码永不过期。
2)通过命令设置
命令:alter user ‘username’@’localhost’ password expire interval number day; 设置过期天数
alter user ‘username’@’localhost’ password expire never; 设置密码不过期
alter user ‘username’@’localhost’ password expire default; 默认过期策略
alter user ‘username’@’localhost’ password expire; 手动强制密码过期
- #设置用户dayi123的密码180天后过期
- mysql> alter user 'dayi123'@'localhost' password expire interval 180 day;
- Query OK, 0 rows affected (0.00 sec)
- # 设置用户dayi的密码立即过期
- mysql> alter user 'dayi'@'localhost' password expire;
- Query OK, 0 rows affected (0.00 sec)
- # 设置密码过期后执行命令时需要修改密码才能执行命令
- ]# mysql -udayi –p
- ……
- mysql> show databases;
- ERROR 1820 (HY000): You must reset your password using ALTER USER statement before executing this statement.
(8)mysql数据库用户资源限制
通过修改mysql数据库资源限制可以限制用户在某个时间段内连接mysql数据库的时间、执行语句的次数等。
1)设置参数:
max_user_connections:全局选项,限制所有用户在同一时间连接mysql数据库实例的数量
MAX_QUERIES_PER_HOUR:一个用户在一个小时内可以执行查询的次数(基本包含所有语句)
MAX_UPDATES_PER_HOUR:一个用户在一个小时内可以执行修改的次数(仅包含修改数据库或表的语句)
MAX_CONNECTIONS_PER_HOUR:一个用户在一个小时内可以连接MySQL的时间
MAX_USER_CONNECTIONS:一个用户可以在同一时间连接MySQL实例的数量
2)设置mysql数据库用户资源限制
设置mysql数据库用户资源限制时可以在创建用户时设置,也可以在用户创建完成后通过命令设置。
1.# 创建用户day,并对用户day的资源进行控制
2.mysql> create user 'day'@'localhost' identified by 'dayi123' with max_queries_per_hour 20 max_updates_per_hour 10 max_connections_per_hour 5 max_user_connections 2;
3.Query OK, 0 rows affected (0.00 sec)
4.对用户dayi进行资源控制
5.mysql> alter user 'dayi'@'localhost' with max_queries_per_hour 20 max_updates_per_hour 10 max_connections_per_hour 5 max_user_connections 2;
6.Query OK, 0 rows affected (0.00 sec)
当需要取消某个选项的,只需将某个选项的值设置为0即可。
