mysql权限管理(实例)

本文涉及的产品
RDS MySQL Serverless 基础系列,0.5-2RCU 50GB
云数据库 RDS MySQL,集群系列 2核4GB
推荐场景:
搭建个人博客
云数据库 RDS PostgreSQL,集群系列 2核4GB
简介:
mysql权限管理实例 

本文并没有很详细的介绍对具体的对象授权,只是简单的限制了大的权限。 

1.目前现状: 
研发一直使用root用户进行操作。不变修改代码,因此我们采用新建一个超级用户,回收root的部分权限来实现对研发用户的限制 

mysql> select user,host from user; 
+-----------+---------------+ 
| user      | host          | 
+-----------+---------------+ 
| mydba     | %             |  ---我新建的超级用户 
| root      | %             |  ---安装就自带 
| server    | %             |  ---无用用户 
| repli     | 192.168.1.3   |  ---我创建的主从复制的用户 
| root      | 192.168.1.9   |  ---无用用户 
| mysql.sys | localhost     |  
| root      | localhost     |  ---安装就自带 
+-----------+---------------+ 
7 rows in set (0.00 sec) 


回收前,先用root进入,创建一个超级用户: 
grant all privileges on *.* to mydba@'%' identified by 'tina' with grant option; 
grant all privileges on mysql.* to mydba@'%' identified by 'tina' with grant option; 


2.删除无用的用户:(上班时先回收所有权限,下班后再删除) 
mysql> use mysql 
Reading table information for completion of table and column names 
You can turn off this feature to get a quicker startup with -A 

Database changed 

mysql> show grants for server; 
+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ 
| Grants for server@%                                                                                                                                                                                                                                                                                                     | 
+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ 
| GRANT CREATE, DROP, RELOAD, SHUTDOWN, PROCESS, FILE, REFERENCES, INDEX, ALTER, SHOW DATABASES, SUPER, CREATE TEMPORARY TABLES, LOCK TABLES, EXECUTE, REPLICATION SLAVE, REPLICATION CLIENT, CREATE VIEW, SHOW VIEW, CREATE ROUTINE, ALTER ROUTINE, CREATE USER, EVENT, TRIGGER ON *.* TO 'server'@'%' WITH GRANT OPTION | 
| GRANT ALL PRIVILEGES ON `mysql`.* TO 'server'@'%' WITH GRANT OPTION   

mysql> revoke all privileges on *.* from 'server'@'%'; 
Query OK, 0 rows affected (0.07 sec) 

mysql> show grants for server; 
+---------------------------------------------------------------------+ 
| Grants for server@%                                                 | 
+---------------------------------------------------------------------+ 
| GRANT USAGE ON *.* TO 'server'@'%' WITH GRANT OPTION                | 
| GRANT ALL PRIVILEGES ON `mysql`.* TO 'server'@'%' WITH GRANT OPTION | 
+---------------------------------------------------------------------+ 
2 rows in set (0.00 sec) 

mysql> revoke all privileges on mysql.* from 'server'@'%';    ---操作会同步到从库,因此不需要到从库执行,因为主从同步的库包括mysql库 
Query OK, 0 rows affected (0.10 sec) 

mysql> show grants for server; 
+------------------------------------------------------------+ 
| Grants for server@%                                        | 
+------------------------------------------------------------+ 
| GRANT USAGE ON *.* TO 'server'@'%' WITH GRANT OPTION       | 
| GRANT USAGE ON `mysql`.* TO 'server'@'%' WITH GRANT OPTION | 
+------------------------------------------------------------+ 
2 rows in set (0.00 sec) 

删除:delete from mysql.user where user='server' and host='%'; 
      delete from mysql.user where user='root' and host='192.168.1.9'; 

3.主从复制用户权限 
mysql> show grants for repli@'192.168.1.3'; 
+--------------------------------------------------------------------------------+ 
| Grants for repli@192.168.1.3                                                   | 
+--------------------------------------------------------------------------------+ 
| GRANT REPLICATION SLAVE, REPLICATION CLIENT ON *.* TO 'repli'@'192.168.1.3'    |             --repli因为是用于主从复制的,因此需要这两个权限。 
+--------------------------------------------------------------------------------+ 
1 row in set (0.01 sec) 



4.回收root用户的file,process,super,drop,create 权限,依然可以创建、删除临时表 

原始权限: 
--------------------------------------------------------------------------------------------------------------------------------------------------------+ 
| Grants for root@%                                                                                                                                                                                                                                                                                                                                                 | 
+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ 
| GRANT SELECT, INSERT, UPDATE, DELETE, CREATE, DROP, RELOAD, SHUTDOWN, PROCESS, FILE, REFERENCES, INDEX, ALTER, SHOW DATABASES, CREATE TEMPORARY TABLES, LOCK TABLES, EXECUTE, REPLICATION SLAVE, REPLICATION CLIENT, CREATE VIEW, SHOW VIEW, CREATE ROUTINE, ALTER ROUTINE, CREATE USER, EVENT, TRIGGER, CREATE TABLESPACE ON *.* TO 'root'@'%' WITH GRANT OPTION | 
| GRANT ALL PRIVILEGES ON `mysql`.* TO 'root'@'%' WITH GRANT OPTION                                                                                                                                                                                                                                                                                                 | 
+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ 
2 rows in set (0.00 sec) 

| Grants for root@localhost                                                                                                                                                                                                                                                                                                                                                 | 
+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ 
| GRANT SELECT, INSERT, UPDATE, DELETE, CREATE, DROP, RELOAD, SHUTDOWN, PROCESS, FILE, REFERENCES, INDEX, ALTER, SHOW DATABASES, CREATE TEMPORARY TABLES, LOCK TABLES, EXECUTE, REPLICATION SLAVE, REPLICATION CLIENT, CREATE VIEW, SHOW VIEW, CREATE ROUTINE, ALTER ROUTINE, CREATE USER, EVENT, TRIGGER, CREATE TABLESPACE ON *.* TO 'root'@'localhost' WITH GRANT OPTION | 
| GRANT PROXY ON ''@'' TO 'root'@'localhost' WITH GRANT OPTION              

回收了root远程主机的部分权限:(process权限保留了,因为要用来监控主从同步状态) 
revoke file,process,super,drop,create,create view,reload, shutdown,index, alter, replication slave, replication client, create view,create routine, 
alter routine, create user,create tablespace on *.* from 'root'@'%'; 

回收本地root对mysql库的所有权限: 
revoke all privileges on mysql.* from 'root'@'localhost';  

测试一下: 
mysql> select * from t1 into outfile '/tmp/a.txt' fields terminated by ','; 
ERROR 1045 (28000): Access denied for user 'root'@'%' (using password: YES)    --load的权限被禁用了 

mysql> create view v_2 as select id from t2 where id<5; 
ERROR 1142 (42000): CREATE VIEW command denied to user 'root'@'192.168.1.4' for table 'v_2';  ---不能创建视图 

mysql> create index i_2 on t2(id); 
ERROR 1142 (42000): INDEX command denied to user 'root'@'192.168.1.4' for table 't2'  --不能创建索引 

mysql> show index from t1;          --可以查看索引 
+-------+------------+----------+--------------+-------------+-----------+-------------+----------+--------+------+------------+---------+---------------+ 
| Table | Non_unique | Key_name | Seq_in_index | Column_name | Collation | Cardinality | Sub_part | Packed | Null | Index_type | Comment | Index_comment | 
+-------+------------+----------+--------------+-------------+-----------+-------------+----------+--------+------+------------+---------+---------------+ 
| t1    |          1 | i_1      |            1 | id          | A         |           0 |     NULL | NULL   | YES  | BTREE      |         |               | 
+-------+------------+----------+--------------+-------------+-----------+-------------+----------+--------+------+------------+---------+---------------+ 
1 row in set (0.03 sec) 

6.刷新权限 
flush privileges; 


7.回收后: 
mysql> select user,host from user; 
+-----------+---------------+ 
| user      | host          | 
+-----------+---------------+ 
| mydba     | %             | 
| root      | %             | 
| repli     | 192.168.1.4 | 
| mysql.sys | localhost     | 
| root      | localhost     | 
+-----------+---------------+ 
5 rows in set (0.00 sec) 

mysql> show grants for root; 
+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ 
| Grants for root@%                                                                                                                                                                 | 
+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ 
| GRANT SELECT, INSERT, UPDATE, DELETE, REFERENCES,process ,SHOW DATABASES, CREATE TEMPORARY TABLES, LOCK TABLES, EXECUTE, SHOW VIEW, EVENT, TRIGGER ON *.* TO 'root'@'%' WITH GRANT OPTION | 
| GRANT USAGE ON `mysql`.* TO 'root'@'%' WITH GRANT OPTION                                                                                                                          | 
+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ 
2 rows in set (0.00 sec) 

mysql> show grants for root@'localhost'; 
+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ 
| Grants for root@localhost                                                                                                                                                                 | 
+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ 
| GRANT SELECT, INSERT, UPDATE, DELETE, REFERENCES,process, SHOW DATABASES, CREATE TEMPORARY TABLES, LOCK TABLES, EXECUTE, SHOW VIEW, EVENT, TRIGGER ON *.* TO 'root'@'localhost' WITH GRANT OPTION | 
| GRANT PROXY ON ''@'' TO 'root'@'localhost' WITH GRANT OPTION                                                                                                                              | 
+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ 
2 rows in set (0.00 sec) 

mysql> show grants for mydba; --超级用户: 
+--------------------------------------------------------------------+ 
| Grants for mydba@%                                                 | 
+--------------------------------------------------------------------+ 
| GRANT ALL PRIVILEGES ON *.* TO 'mydba'@'%' WITH GRANT OPTION       | 
| GRANT ALL PRIVILEGES ON `mysql`.* TO 'mydba'@'%' WITH GRANT OPTION | 
+--------------------------------------------------------------------+ 
2 rows in set (0.00 sec) 


补充说明: 
1.usage权限:可以连接db,可以show databases和tables,但是没有其他权限,select都不行 
2.mysql的权限是会叠加的,如果第一次授予了这个用户select权限,第二次授予了全部权限,当你回收所有权限后,会发现还有select权限,必须逐条回收
相关实践学习
如何在云端创建MySQL数据库
开始实验后,系统会自动创建一台自建MySQL的 源数据库 ECS 实例和一台 目标数据库 RDS。
全面了解阿里云能为你做什么
阿里云在全球各地部署高效节能的绿色数据中心,利用清洁计算为万物互联的新世界提供源源不断的能源动力,目前开服的区域包括中国(华北、华东、华南、香港)、新加坡、美国(美东、美西)、欧洲、中东、澳大利亚、日本。目前阿里云的产品涵盖弹性计算、数据库、存储与CDN、分析与搜索、云通信、网络、管理与监控、应用服务、互联网中间件、移动服务、视频服务等。通过本课程,来了解阿里云能够为你的业务带来哪些帮助 &nbsp; &nbsp; 相关的阿里云产品:云服务器ECS 云服务器 ECS(Elastic Compute Service)是一种弹性可伸缩的计算服务,助您降低 IT 成本,提升运维效率,使您更专注于核心业务创新。产品详情: https://www.aliyun.com/product/ecs
相关文章
|
2月前
|
存储 关系型数据库 MySQL
环比、环比增长率、同比、同比增长率 ,占比,Mysql 8.0 实例(最简单的方法之一)(sample database classicmodels _No.2 )
环比、环比增长率、同比、同比增长率 ,占比,Mysql 8.0 实例(最简单的方法之一)(sample database classicmodels _No.2 )
122 1
|
2月前
|
SQL 前端开发 关系型数据库
全表数据核对 ,行数据核对,列数据核对,Mysql 8.0 实例(sample database classicmodels _No.3 )
全表数据核对 ,行数据核对,列数据核对,Mysql 8.0 实例(sample database classicmodels _No.3 )
53 0
全表数据核对 ,行数据核对,列数据核对,Mysql 8.0 实例(sample database classicmodels _No.3 )
|
27天前
|
关系型数据库 MySQL 数据库
【赵渝强老师】启动与关闭MySQL数据库实例
MySQL数据库安装完成后,可以通过命令脚本启动、查看状态、配置开机自启、查看自启列表及关闭数据库。本文提供了详细的操作步骤和示例代码,并附有视频讲解。
|
2月前
|
关系型数据库 MySQL Java
Django学习二:配置mysql,创建model实例,自动创建数据库表,对mysql数据库表已经创建好的进行直接操作和实验。
这篇文章是关于如何使用Django框架配置MySQL数据库,创建模型实例,并自动或手动创建数据库表,以及对这些表进行操作的详细教程。
79 0
Django学习二:配置mysql,创建model实例,自动创建数据库表,对mysql数据库表已经创建好的进行直接操作和实验。
|
2月前
|
存储 关系型数据库 MySQL
mysql 8.0 的 建表 和八种 建表引擎实例
mysql 8.0 的 建表 和八种 建表引擎实例
26 0
|
2月前
|
存储 关系型数据库 MySQL
Key_Value 形式 存储_5级省市城乡划分代码 (mysql 8.0 实例)
本文介绍了如何使用MySQL8.0数据库中的Key_Value形式存储全国统计用区划代码和城乡划分代码(5级),包括导入数据、通过数学函数提取省市区信息,以及查询5级行政区划的详细数据。
35 0
|
2月前
|
算法 关系型数据库 MySQL
复购率 mysql 实例(sample database classicmodels _No.1 )
复购率 mysql 实例(sample database classicmodels _No.1 )
31 0
|
3月前
|
关系型数据库 MySQL 数据库
docker启动mysql多实例连接报错Can’t connect to local MySQL server through socket ‘/var/run/mysqld/mysqld.sock’
docker启动mysql多实例连接报错Can’t connect to local MySQL server through socket ‘/var/run/mysqld/mysqld.sock’
214 0
|
4月前
|
固态存储 关系型数据库 MySQL
mysql多实例一键部署
mysql多实例一键部署
35 0
|
4月前
|
前端开发 Java 关系型数据库
通过HTML网页对mysql数据库进行增删改查(CRUD实例)
通过HTML网页对mysql数据库进行增删改查(CRUD实例)
250 0