MySQL DBA Advanced Operations Study Notes: User Authorization Scheme for Master/Slave Replication with Read/Write Splitting in Production, with Practice
1. User authorization scheme for a production MySQL replication environment
So how do we achieve the effect described above?
(1) User authorization on the production master
mysql> GRANT SELECT,INSERT,UPDATE,DELETE ON `blog`.* TO 'blog'@'192.168.10.%' IDENTIFIED BY '123456';
Note: some special business cases may need slightly more privileges; if the business has low security requirements, ALL PRIVILEGES can also be used.
(2) User authorization on the production slave
mysql> GRANT SELECT,INSERT,UPDATE,DELETE ON `blog`.* TO 'blog'@'192.168.10.%' IDENTIFIED BY '123456';
REVOKE INSERT,UPDATE,DELETE ON `blog`.* FROM 'blog'@'192.168.10.%';
(3) Explanation of the production authorization example: this gives the user blog connecting from 192.168.10.% read-only permission (SELECT) on all tables (* means all tables) of the blog database, with password 123456.
GRANT SELECT,INSERT,UPDATE,DELETE ON `blog`.* TO 'blog'@'192.168.10.%' IDENTIFIED BY '123456';
User authorization on the production master and slave
Master:
GRANT SELECT,INSERT,UPDATE,DELETE ON `blog`.* TO 'blog'@'192.168.10.%' IDENTIFIED BY '123456';
Slave:
GRANT SELECT ON `blog`.* TO 'blog'@'192.168.10.%' IDENTIFIED BY '123456';
How to implement the above authorization scheme
The simplest way is to configure binlog-ignore-db=mysql on the master.
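To verify that a slave really ends up with the SELECT-only grants described above, the following added audit script (not part of these notes) parses SHOW GRANTS output and lists every grant that still carries write privileges, together with the REVOKE ... FROM statements that would remove them. The SHOW GRANTS lines, the user names app_rw and blog, and the password hash placeholder are constructed sample data; accounts holding ALL PRIVILEGES are flagged too, because read-only does not restrict users with SUPER.

```python
import re

# Privileges that let a user modify data or schema. On a read replica's
# application user these defeat read/write splitting at the privilege layer.
WRITE_PRIVS = {"INSERT", "UPDATE", "DELETE", "CREATE", "DROP", "ALTER",
               "ALL", "ALL PRIVILEGES"}

# Matches one line of SHOW GRANTS output: GRANT <privs> ON <object> TO <user> ...
GRANT_RE = re.compile(r"^GRANT\s+(?P<privs>.+?)\s+ON\s+(?P<obj>\S+)\s+TO\s+(?P<user>\S+)",
                      re.IGNORECASE)

# Constructed sample of SHOW GRANTS output from a replica (not real output).
SAMPLE_SHOW_GRANTS = [
    "GRANT USAGE ON *.* TO 'blog'@'192.168.10.%' IDENTIFIED BY PASSWORD '<hash>'",
    "GRANT SELECT ON `blog`.* TO 'blog'@'192.168.10.%'",
    "GRANT SELECT, INSERT, UPDATE, DELETE ON `blog`.* TO 'app_rw'@'192.168.10.%'",
    "GRANT ALL PRIVILEGES ON *.* TO 'root'@'localhost' WITH GRANT OPTION",
]


def parse_grant(line):
    """Split a GRANT line into its privilege set, object and grantee, or None."""
    m = GRANT_RE.match(line.strip())
    if not m:
        return None
    privs = {p.strip().upper() for p in m.group("privs").split(",")}
    return {"privs": privs, "object": m.group("obj"), "user": m.group("user")}


def audit_replica_grants(lines):
    """Return (user, object, offending privileges) for every grant that allows writes."""
    findings = []
    for line in lines:
        g = parse_grant(line)
        if g is None:
            continue
        bad = sorted(g["privs"] & WRITE_PRIVS)
        if bad:
            findings.append((g["user"], g["object"], bad))
    return findings


def revoke_statements(findings):
    """Build the REVOKE ... FROM statements that remove the offending privileges."""
    return ["REVOKE %s ON %s FROM %s;" % (", ".join(bad), obj, user)
            for user, obj, bad in findings]


if __name__ == "__main__":
    # Review the generated statements before running them on the slave.
    for stmt in revoke_statements(audit_replica_grants(SAMPLE_SHOW_GRANTS)):
        print(stmt)
```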
2. Preventing writes to the slave by not replicating the privilege tables: method and practice
In production, replication is generally configured to skip the privilege tables (the mysql database), and the users on the slave are then granted only SELECT. Because the mysql database is not replicated, the same user can hold different privileges on the master and on the slave. Specify that the mysql database is not replicated:
replicate-ignore-db=mysql
binlog-ignore-db = mysql
binlog-ignore-db = performance_schema
binlog-ignore-db = information_schema
Note: how to skip replication of the mysql database on the master side:
(1) Only by setting replicate-ignore-db=mysql on the [master/slave] servers respectively can the slave be made to skip the mysql database.
(2) Setting binlog-ignore-db=mysql on the master stops updates to the mysql database from being written to the binlog, so the slave never replicates the mysql database.
3. Preventing writes to the slave with the read-only parameter
Besides granting the slave user SELECT only, as above, you can also add the read-only parameter to the slave's startup options or to its my.cnf configuration file to make sure the slave is read-only. Using the restricted grants and the read-only parameter together works best.
Note that the read-only parameter makes the slave accept updates only from the slave's own replication threads or from users with the SUPER privilege, which ensures the slave does not accept updates from ordinary users.
(1) Add read-only under [mysqld] in the slave's my.cnf and restart the slave
[root@mysql ~]# egrep "\[mysqld]|read-only" /data/3307/my.cnf
[mysqld]
read-only
[root@mysql ~]# /data/3307/mysql stop
Stoping MySQL....
[root@mysql ~]# /data/3307/mysql start
Starting MySQL......
(2) The read-only parameter has no effect on users with the SUPER privilege; log in as a SUPER user and create an ordinary user
mysql> grant select,insert,update,delete on *.* to 'nana'@'localhost' identified by '123456';
Query OK, 0 rows affected (0.00 sec)
mysql> flush privileges;
Query OK, 0 rows affected (0.00 sec)
(3) Create a table in the school database, exit, log in as the ordinary user and insert a row into that table to demonstrate the effect of read-only.
[root@mysql ~]# mysql -unana -p123456 -S /data/3307/mysql.sock
Welcome to the MySQL monitor. Commands end with ; or \g.
Your MySQL connection id is 4
Server version: 5.5.32 Source distribution
Copyright (c) 2000, 2013, Oracle and/or its affiliates. All rights reserved.
Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.
Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
mysql> select user();
+----------------+
| user() |
+----------------+
| nana@localhost |
+----------------+
1 row in set (0.00 sec)
mysql> use school;
Database changed
mysql> show tables;
+------------------+
| Tables_in_school |
+------------------+
| t                |
+------------------+
1 row in set (0.00 sec)
mysql> insert into t values(2);
ERROR 1290 (HY000): The MySQL server is running with the --read-only option so it cannot execute this statement
(4) Finally, check whether the slave still replicates from the master
Insert data on the master
[root@mysql ~]# mysql -uroot -p123456 -S /data/3306/mysql.sock <<EOF
> use linzhongniao
> insert into test1 values(4,'不認識'),(5,'你是誰');
> exit
> EOF
Replication status on the slave
[root@mysql ~]# mysql -unana -p123456 -S /data/3307/mysql.sock
Welcome to the MySQL monitor. Commands end with ; or \g.
Your MySQL connection id is 4
Server version: 5.5.32 Source distribution
Copyright (c) 2000, 2013, Oracle and/or its affiliates. All rights reserved.
Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.
Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
mysql> select * from linzhongniao.test1;
+----+-----------+
| id | name      |
+----+-----------+
|  1 | 張三      |
|  2 | 張三      |
|  3 | 我是誰    |
|  4 | 不認識    |
|  5 | 你是誰    |
+----+-----------+
5 rows in set (0.00 sec)