
MySQL DBA Advanced Operations Study Notes: Creating MySQL Users and Granting Privileges, Several Methods in Practice


9.8 Creating MySQL users and granting them privileges

9.8.1 Reading the GRANT help text

1. Typing "help grant" in the mysql client prints the help text below (abridged).

mysql> help grant;
...(omitted)...
CREATE USER 'jeffrey'@'localhost' IDENTIFIED BY 'mypass';
GRANT ALL ON db1.* TO 'jeffrey'@'localhost';
GRANT SELECT ON db2.invoice TO 'jeffrey'@'localhost';
GRANT USAGE ON *.* TO 'jeffrey'@'localhost' WITH MAX_QUERIES_PER_HOUR 90;
...(omitted)...

2. The method operations staff use most often is to create the account and grant its privileges in a single GRANT statement, for example:

GRANT ALL ON db1.* TO 'jeffrey'@'localhost' IDENTIFIED BY 'mypass';

3. The help text also shows a two-step method: CREATE USER first, then GRANT, so that creating the account and authorizing it are separate steps, for example:

CREATE USER 'jeffrey'@'localhost' IDENTIFIED BY 'mypass';
GRANT ALL ON db1.* TO 'jeffrey'@'localhost';

On MySQL 5.x these two statements are equivalent to the single statement below. Prefer the two-step form for anything new: GRANT ... IDENTIFIED BY was deprecated in MySQL 5.7.6 and removed in 8.0, where GRANT can no longer create an account or set its password.

GRANT ALL ON db1.* TO 'jeffrey'@'localhost' IDENTIFIED BY 'mypass';

9.8.2 Creating a user and granting privileges with GRANT

1. Basic GRANT syntax

GRANT ALL PRIVILEGES ON dbname.* TO username@localhost IDENTIFIED BY 'passwd';

2. Meaning of each part of the statement

ALL PRIVILEGES      the privilege list; may be a comma-separated subset such as SELECT, INSERT
dbname.*            the scope: every table in dbname (*.* is global, dbname.tablename is one table)
username@localhost  the account: the user name plus the host it may connect from
IDENTIFIED BY       the password (MySQL 5.x only; on 8.0 the password is set with CREATE USER)

3. Example: create the user zhangsan with all privileges on the test database, allowed to log in from localhost to manage it, with the password zhangsan123.

The commands are:

mysql> grant all privileges on test.* to 'zhangsan'@'localhost' identified by 'zhangsan123';
Query OK, 0 rows affected (0.00 sec)
mysql> flush privileges;
Query OK, 0 rows affected (0.00 sec)

(FLUSH PRIVILEGES is harmless here but not required: GRANT, CREATE USER and REVOKE update the in-memory grant tables themselves. It is only needed after editing the mysql.* tables directly with INSERT or UPDATE.)

Check the privileges granted to zhangsan:

mysql> show grants for 'zhangsan'@'localhost';
+-----------------------------------------------------------------------------------------------------------------+
| Grants for zhangsan@localhost                                                                                   |
+-----------------------------------------------------------------------------------------------------------------+
| GRANT USAGE ON *.* TO 'zhangsan'@'localhost' IDENTIFIED BY PASSWORD '*7E72D61D7B957897AA8ECED9A9397B649BE3B546' |
| GRANT ALL PRIVILEGES ON `test`.* TO 'zhangsan'@'localhost'                                                      |
+-----------------------------------------------------------------------------------------------------------------+
2 rows in set (0.00 sec)

Note that on MySQL 5.x the first row prints the account's password hash, so treat SHOW GRANTS output as sensitive.

9.8.3 Combining CREATE USER and GRANT

1. First create the account username with the password passwd, allowed to connect from localhost.

CREATE USER 'username'@'localhost' IDENTIFIED BY 'passwd';
mysql> create user 'lisi'@'localhost' identified by 'kisi123';
Query OK, 0 rows affected (0.01 sec)
mysql> show grants for 'lisi'@'localhost';
+-------------------------------------------------------------------------------------------------------------+
| Grants for lisi@localhost                                                                                   |
+-------------------------------------------------------------------------------------------------------------+
| GRANT USAGE ON *.* TO 'lisi'@'localhost' IDENTIFIED BY PASSWORD '*686008E0BFD16925072B84AA099EB5BC8375C35B' |
+-------------------------------------------------------------------------------------------------------------+
1 row in set (0.00 sec)

The only privilege is USAGE, which just means "may connect": nothing has been granted yet.

2. Then grant the account all privileges on the test database from localhost. No IDENTIFIED BY clause is needed: the password was already set by CREATE USER, and repeating it here on 5.x would reset it.

mysql> grant all on test.* to 'lisi'@'localhost';
Query OK, 0 rows affected (0.00 sec)
mysql> show grants for 'lisi'@'localhost';
+-------------------------------------------------------------------------------------------------------------+
| Grants for lisi@localhost                                                                                   |
+-------------------------------------------------------------------------------------------------------------+
| GRANT USAGE ON *.* TO 'lisi'@'localhost' IDENTIFIED BY PASSWORD '*686008E0BFD16925072B84AA099EB5BC8375C35B' |
| GRANT ALL PRIVILEGES ON `test`.* TO 'lisi'@'localhost'                                                      |
+-------------------------------------------------------------------------------------------------------------+
2 rows in set (0.00 sec)

Tip: the default USAGE row (the right to connect) is still there; the ALL PRIVILEGES row on test.* has been added to it.
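The two forms behave differently once the account already exists, which is the trap to know about before adopting the one-step habit. The following is an added example, not from the original notes: it assumes a MySQL 5.5 or 5.6 server, a hypothetical app database and hypothetical app_rw / app_ro accounts.

```sql
-- Added example, not part of the original notes. Assumes MySQL 5.5/5.6,
-- a database named app and accounts app_rw / app_ro; all are hypothetical.

-- Two-step form: the password is set once, by CREATE USER.
CREATE USER 'app_rw'@'localhost' IDENTIFIED BY 'Initial-Pass-1';
GRANT SELECT, INSERT, UPDATE, DELETE ON app.* TO 'app_rw'@'localhost';

-- Months later someone extends the account with the one-step form out of
-- habit. The privilege is added, but on 5.x IDENTIFIED BY on an EXISTING
-- account also silently replaces its password, and every application
-- still holding the old one stops authenticating.
GRANT CREATE TEMPORARY TABLES ON app.* TO 'app_rw'@'localhost' IDENTIFIED BY 'Oops-Pass-2';

-- Adding privileges to an existing account: omit IDENTIFIED BY.
GRANT LOCK TABLES ON app.* TO 'app_rw'@'localhost';

-- The opposite trap: GRANT without IDENTIFIED BY to an account that does
-- NOT exist. With the 5.5/5.6 default sql_mode this creates 'app_ro' with
-- an EMPTY password; with NO_AUTO_CREATE_USER in sql_mode (the 5.7
-- default) it fails instead with
-- ERROR 1133 (42000): Can't find any matching row in the user table.
GRANT SELECT ON app.* TO 'app_ro'@'localhost';

-- Make the failure the default. Keep your existing modes in the list, e.g.:
SET GLOBAL sql_mode = 'STRICT_TRANS_TABLES,NO_AUTO_CREATE_USER';

-- Find accounts that were created that way. On 5.x SHOW GRANTS prints
-- the password hash, so query the grant table instead (Password column
-- exists through 5.6) and treat the output as sensitive.
SELECT user, host FROM mysql.user WHERE password = '';
```

The one-step form is convenient for a brand-new account and dangerous for an existing one; if a grant script may run twice, write it as CREATE USER plus GRANT without IDENTIFIED BY, and it will be safe to re-run on 5.x and valid on 8.0.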

9.8.4 Allowing hosts on the LAN to connect remotely

From the GRANT syntax, the part after @ in an account such as test@localhost is the host the account may connect from. localhost can be replaced by a host name, an IP address or an IP range, so hosts on the LAN can be authorized in either of the following ways.

a. Percent-sign wildcard

system@ceshi 01:5945->grant all privileges on test.* to 'zbf'@'192.168.1.%' identified by 'zbf123';
Query OK, 0 rows affected (0.01 sec)
system@ceshi 01:5950->show grants for 'zbf'@'192.168.1.%';
+--------------------------------------------------------------------------------------------------------------+
| Grants for zbf@192.168.1.%                                                                                   |
+--------------------------------------------------------------------------------------------------------------+
| GRANT USAGE ON *.* TO 'zbf'@'192.168.1.%' IDENTIFIED BY PASSWORD '*E2190B1F46FD9E171DD25B61138EA7F4F4D82B8C' |
| GRANT ALL PRIVILEGES ON `test`.* TO 'zbf'@'192.168.1.%'                                                      |
+--------------------------------------------------------------------------------------------------------------+
2 rows in set (0.00 sec)
system@ceshi 02:0023->flush privileges;
Query OK, 0 rows affected (0.00 sec)

b. Netmask form

system@ceshi 02:3013->grant all privileges on test.* to 'wwn'@'192.168.1.0/255.255.255.0' identified by 'wwn520';
Query OK, 0 rows affected (0.01 sec)
system@ceshi 02:3127->flush privileges;
Query OK, 0 rows affected (0.00 sec)

The netmask must be written in dotted form and may only have 8, 16, 24 or 32 one-bits (255.0.0.0, 255.255.0.0, 255.255.255.0 or 255.255.255.255); CIDR notation such as 192.168.1.0/24 is not accepted until MySQL 8.0.23.
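How the host part is matched when several accounts share a user name, shown as an added example that is not part of the original notes. It assumes a MySQL 5.x server, the 192.168.1.0/24 LAN of the notes and a hypothetical user name app; the privileges are illustrative.

```sql
-- Added example, not part of the original notes. Assumes MySQL 5.x, the
-- 192.168.1.0/24 LAN used in the notes and a hypothetical user name app.

-- One user name, three host scopes: three separate accounts, each with
-- its own password and its own privilege rows.
CREATE USER 'app'@'localhost'                 IDENTIFIED BY 'local-pass';
CREATE USER 'app'@'192.168.1.%'               IDENTIFIED BY 'lan-pass';
CREATE USER 'app'@'192.168.1.0/255.255.255.0' IDENTIFIED BY 'lan-pass';

GRANT SELECT, INSERT, UPDATE, DELETE ON test.* TO 'app'@'192.168.1.%';
GRANT SELECT                         ON test.* TO 'app'@'192.168.1.0/255.255.255.0';

-- A client connecting from 192.168.1.50 matches BOTH LAN rows. The server
-- sorts candidate rows most-specific host first: a literal IP or an
-- IP/netmask pair ranks above a pattern containing % or _, and a bare
-- '%' ranks last. This client is therefore authenticated as
-- 'app'@'192.168.1.0/255.255.255.0' and gets SELECT only; the DML grant
-- on the wildcard row is never consulted for it.

-- Netmask rules on 5.x: dotted form only, with 8, 16, 24 or 32 one-bits
-- (255.0.0.0, 255.255.0.0, 255.255.255.0, 255.255.255.255). CIDR such as
-- '192.168.1.0/24' is rejected before MySQL 8.0.23.

-- Before granting, list every host scope that already exists for the
-- user name, so a forgotten 'app'@'%' does not widen access to anywhere.
SELECT user, host FROM mysql.user WHERE user = 'app' ORDER BY host;

-- From a client session, CURRENT_USER() shows which account row the
-- server actually matched (USER() shows the name the client sent).
SELECT USER(), CURRENT_USER();
```

The practical rule: keep one host scope per user name unless the overlap is intentional, and when debugging "wrong privileges" compare CURRENT_USER() with the row you granted to, because the two diverge exactly when host scopes overlap.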

Connecting to a remote database server with the mysql client:

1. Locally, mysql -uroot -pzbf666 is equivalent to mysql -uroot -pzbf666 -h localhost. (On Unix, -h localhost connects over the socket file and matches the 'user'@'localhost' account; -h 127.0.0.1 uses TCP and matches 'user'@'127.0.0.1' or a wildcard host instead, so grant the host form the client actually uses.)

2. To connect to the database on 192.168.1.108 remotely: mysql -uwwn -pwwn520 -h 192.168.1.108

Passing the password on the command line, as in these examples, exposes it in the shell history and in the process list (ps) visible to every user on the client host. Use -p with no value to be prompted, or keep the credentials in a login path (mysql_config_editor) or a --defaults-extra-file readable only by the account that runs the client.

3. Connecting from a PHP web server to the MySQL server:

<?php
        // $link_id = mysqli_connect('host', 'user', 'password');
        // The original used mysql_connect(); the mysql extension was removed in
        // PHP 7 and mysqli_connect() takes the same three arguments.
        // The password must be the one granted above (wwn520, not wwn123), and in
        // production it belongs in a config file outside the web root, not in code.
        $link_id = mysqli_connect('192.168.1.108', 'wwn', 'wwn520');
        if ($link_id) {
                echo "mysql successful by wwn";
        } else {
                echo mysqli_connect_error();
        }
?>

9.8.5 Which privileges can be granted to a MySQL user?

Finding out by experiment which privileges ALL PRIVILEGES consists of.

1. First list the existing accounts

system@ceshi 03:3751->select user,host from mysql.user;
+--------+---------------------------+
| user   | host                      |
+--------+---------------------------+
| zbf    | 192.168.1.%               |
| wwn    | 192.168.1.0/255.255.255.0 |
| system | localhost                 |
+--------+---------------------------+

2. Look at the privileges already granted to wwn

system@ceshi 03:3920->show grants for 'wwn'@'192.168.1.0/255.255.255.0';
+----------------------------------------------------------------------------------------------------------------------------+
| Grants for wwn@192.168.1.0/255.255.255.0                                                                                   |
+----------------------------------------------------------------------------------------------------------------------------+
| GRANT USAGE ON *.* TO 'wwn'@'192.168.1.0/255.255.255.0' IDENTIFIED BY PASSWORD '*C9CE90EB588AA17159BB7C612DC7B34259AC0816' |
| GRANT ALL PRIVILEGES ON `test`.* TO 'wwn'@'192.168.1.0/255.255.255.0'                                                      |
+----------------------------------------------------------------------------------------------------------------------------+

Note that the object is displayed as `test`.*; when we revoke a privilege below we write it the same way, as test.* (the backticks are optional).

At this point the output still says ALL PRIVILEGES; the individual privileges are not listed.

3. Revoke wwn's INSERT privilege.

(1) Look at the help first. It gives the syntax; REVOKE was already covered in the SQL introduction and means to withdraw a privilege.

system@ceshi 03:4001->help revoke

...(omitted)...
The REVOKE statement enables system administrators to revoke privileges
from MySQL accounts. Each account name uses the format described in
http://dev.mysql.com/doc/refman/5.1/en/account-names.html. For example:
REVOKE INSERT ON *.* FROM 'jeffrey'@'localhost';
If you specify only the user name part of the account name, a host name
part of '%' is used.
...(omitted)...

(2) Revoke one privilege; this splits ALL PRIVILEGES into its individual privileges.

system@ceshi 03:4909->REVOKE INSERT ON test.* FROM 'wwn'@'192.168.1.0/255.255.255.0';
Query OK, 0 rows affected (0.00 sec)
system@ceshi 03:5216->flush privileges;
Query OK, 0 rows affected (0.00 sec)

(3) Looking at wwn's privileges again, they are now listed individually.

system@ceshi 03:5224->show grants for 'wwn'@'192.168.1.0/255.255.255.0';
GRANT USAGE ON *.* TO 'wwn'@'192.168.1.0/255.255.255.0' IDENTIFIED BY PASSWORD '*C9CE90EB588AA17159BB7C612DC7B34259AC0816'
GRANT SELECT, UPDATE, DELETE, CREATE, DROP, REFERENCES, INDEX, ALTER, CREATE TEMPORARY TABLES, LOCK TABLES, EXECUTE, CREATE VIEW, SHOW VIEW, CREATE ROUTINE, ALTER ROUTINE, EVENT, TRIGGER ON `test`.* TO 'wwn'@'192.168.1.0/255.255.255.0'

Tip: wwn's ALL PRIVILEGES has now been expanded into its parts. The steps below make it clearer exactly what ALL PRIVILEGES includes.

(1) Use -e to run the query without opening an interactive session and show wwn's privileges

[root@localhost ~]# mysql -usystem -pzbf666 -e "show grants for 'wwn'@'192.168.1.0/255.255.255.0';"|grep -i grant|tail -1
GRANT SELECT, UPDATE, DELETE, CREATE, DROP, REFERENCES, INDEX, ALTER, CREATE TEMPORARY TABLES, LOCK TABLES, EXECUTE, CREATE VIEW, SHOW VIEW, CREATE ROUTINE, ALTER ROUTINE, EVENT, TRIGGER ON `test`.* TO 'wwn'@'192.168.1.0/255.255.255.0'

(2) Now pick out the useful part: tr turns each comma into a newline so there is one privilege per line. grep's -i option makes the match case-insensitive.

[root@localhost ~]# mysql -usystem -pzbf666 -e "show grants for 'wwn'@'192.168.1.0/255.255.255.0';"|grep -i grant|tail -1|tr ',' '\n'>all1.txt

(3) The filtered file lists the privileges one per line. These 18 names are the complete set of database-level privileges that ALL PRIVILEGES stands for on MySQL 5.x (the listing includes INSERT, which the REVOKE above had removed from wwn). The trailing "ON" on the last line is the start of the ON `test`.* clause, not part of the TRIGGER privilege name.

[root@localhost ~]# cat all1.txt -n
 1   SELECT
 2   UPDATE
 3   INSERT
 4   DELETE
 5   CREATE
 6   DROP
 7   REFERENCES
 8   INDEX
 9   ALTER
10   CREATE TEMPORARY TABLES
11   LOCK TABLES
12   EXECUTE
13   CREATE VIEW
14   SHOW VIEW
15   CREATE ROUTINE
16   ALTER ROUTINE
17   EVENT
18   TRIGGER ON

Note: grant the smallest set of privileges that satisfies the application's needs rather than reflexively granting ALL PRIVILEGES.
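The grep/tr pipeline above works, but the server already stores the expanded privilege list one row per privilege in information_schema, which is also the right place to audit who holds dangerous global privileges. The following is an added example, not from the original notes: it assumes a MySQL 5.1 to 5.6 server (mysql.user still has a Password column there) holding the wwn account granted above, and the list of "dangerous" privileges is the editor's choice.

```sql
-- Added example, not part of the original notes. Assumes MySQL 5.1-5.6
-- (mysql.user still has a Password column) holding the wwn account
-- granted above. The "dangerous" privilege list is the editor's choice.

-- One privilege per row, straight from the server: no grep/tr needed.
-- GRANTEE is stored with its quotes, exactly as SHOW GRANTS prints it;
-- the outer double quotes are an ordinary MySQL string literal.
SELECT privilege_type
FROM   information_schema.schema_privileges
WHERE  grantee = "'wwn'@'192.168.1.0/255.255.255.0'"
  AND  table_schema = 'test'
ORDER  BY privilege_type;

-- Table- and column-level grants live in their own views.
SELECT table_name, privilege_type
FROM   information_schema.table_privileges
WHERE  grantee = "'wwn'@'192.168.1.0/255.255.255.0'";

-- Audit: global privileges that let an account act outside its database.
-- FILE reads and writes files on the server host (LOAD DATA / INTO OUTFILE),
-- SUPER bypasses read_only and connection limits, PROCESS shows other
-- sessions' running queries, CREATE USER manages accounts, and
-- IS_GRANTABLE = YES means the account can hand its privileges to others.
-- Expect only the DBA account in this result.
SELECT grantee, privilege_type, is_grantable
FROM   information_schema.user_privileges
WHERE  privilege_type IN ('SUPER', 'FILE', 'PROCESS', 'SHUTDOWN', 'CREATE USER')
   OR  is_grantable = 'YES'
ORDER  BY grantee, privilege_type;

-- Audit: accounts reachable from anywhere, or with no password at all.
SELECT user, host
FROM   mysql.user
WHERE  host IN ('%', '') OR password = '';
```

Run the two audit queries from a scheduled job and diff the output against the previous run; a new row is either a change ticket you can point at or an incident.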

9.8.6 Granting user privileges in a production environment

1. Database privileges for blogs, CMSs and similar products

Apply least privilege to the accounts web applications connect with. Many open-source packages are installed through a web installer, so during installation they need CREATE and DROP, which are dangerous privileges, in addition to the four DML privileges SELECT, INSERT, UPDATE and DELETE.

system@ceshi 04:5606->grant select,insert,update,delete,create,drop on blog.* to 'blog'@'192.168.1.%' identified by '1b23456';
Query OK, 0 rows affected (0.00 sec)
system@ceshi 04:5907->flush privileges;
Query OK, 0 rows affected (0.00 sec)

In normal operation SELECT, INSERT, UPDATE and DELETE are enough; some packages, such as Discuz BBS, additionally need CREATE and DROP while they set up their tables.

2. Once the tables have been created, take back CREATE and DROP

system@ceshi 04:5925->help revoke
REVOKE ALL PRIVILEGES, GRANT OPTION
FROM user [, user] ...
REVOKE INSERT ON *.* FROM 'jeffrey'@'localhost';
2 rows in set (0.01 sec)
system@ceshi 05:1327->REVOKE CREATE,DROP ON blog.* FROM 'blog'@'192.168.1.%';
Query OK, 0 rows affected (0.00 sec)

system@ceshi 05:1452->flush privileges;
Query OK, 0 rows affected (0.00 sec)
system@ceshi 05:1543->show grants for 'blog'@'192.168.1.%'\G
*************************** 1. row ***************************
Grants for blog@192.168.1.%: GRANT USAGE ON *.* TO 'blog'@'192.168.1.%' IDENTIFIED BY PASSWORD '*6BB4837EB74329105EE4568DDA7DC67ED2CA2AD9'
*************************** 2. row ***************************
Grants for blog@192.168.1.%: GRANT SELECT, INSERT, UPDATE, DELETE ON `blog`.* TO 'blog'@'192.168.1.%'
2 rows in set (0.00 sec)

(\G already terminates the statement; a semicolon after it makes the client complain "No query specified" about the empty statement that follows.)
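The complete install-then-lock-down lifecycle for a web application account, as an added example that is not part of the original notes. It assumes a MySQL 5.x server, the blog database and LAN of the notes, and placeholder passwords; the password rotation step is the editor's addition.

```sql
-- Added example, not part of the original notes. Assumes MySQL 5.x, the
-- blog database and 192.168.1.0/24 LAN from the notes; passwords are
-- placeholders and the rotation step is the editor's addition.

-- Phase 1: installer account. CREATE and DROP are granted only for as
-- long as the web installer needs them to build the schema.
CREATE USER 'blog'@'192.168.1.%' IDENTIFIED BY 'install-time-pass';
GRANT SELECT, INSERT, UPDATE, DELETE, CREATE, DROP ON blog.* TO 'blog'@'192.168.1.%';

-- Phase 2: installer finished. Take the schema privileges back at the
-- SAME level the GRANT used. Revoking them on *.* instead would fail with
-- ERROR 1141 (42000): There is no such grant defined for user 'blog' on host '192.168.1.%'
-- because nothing was ever granted globally.
REVOKE CREATE, DROP ON blog.* FROM 'blog'@'192.168.1.%';

-- The installer's password went through a web form and may sit in the
-- installer's logs; rotate it and update only the application's config.
SET PASSWORD FOR 'blog'@'192.168.1.%' = PASSWORD('runtime-pass');

-- Verify: exactly SELECT, INSERT, UPDATE, DELETE on blog.*, and nothing
-- but USAGE at the global level.
SELECT table_schema, privilege_type
FROM   information_schema.schema_privileges
WHERE  grantee = "'blog'@'192.168.1.%'"
ORDER  BY privilege_type;

SELECT privilege_type
FROM   information_schema.user_privileges
WHERE  grantee = "'blog'@'192.168.1.%'";

-- No FLUSH PRIVILEGES is needed: GRANT, REVOKE and SET PASSWORD update the
-- in-memory grant tables themselves.
```

Treat phase 2 as part of the installation checklist rather than a follow-up: an application account that keeps CREATE and DROP turns every SQL injection bug in the application into the ability to drop the schema.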

2018/1/27 0:54:16
