MySQL 數據庫用戶和權限管理
阿新 • • 發佈:2018-06-28
允許 目標 AS comm 進行 用戶命令 提示 新用戶 data MySQL 數據庫用戶和權限管理
技能目標
- 掌握MySQL 用戶管理
- 添加管理用戶
- 修改密碼及忘記密碼修改
用戶授權
數據庫是信息系統中非常重要的環節,合理高效的對它進行管理是很重要的工作。通常是由擁有最高權限的管理員創建不同的管理賬戶,然後分配不同的操作權限,把這些賬戶交給相應的管理人員使用
用戶管理
1: 新建用戶
新建用戶的命令格式如下
CREATE USER ‘username‘@‘host‘ [IDENTIFIED BY [PASSWORD]‘password‘] #大寫是固定格式大括弧是一個整體再寫命令的時候沒有
- username 將創建的用戶名
- host 指定用戶允許那些主機終端可以登錄,可以是IP地址、網段、指定本地用戶localhost、如果讓該用戶可以從任意遠程主機登錄可以用通配符%
- password 設置登錄的密碼
下面是MySQL安裝之後創建的用戶密碼,在數據庫中顯示的密碼是以密文的形式保存的大大的增強了安全性
mysql> select User,authentication_string,Host from user; +-----------+-------------------------------------------+-----------+ | User | authentication_string | Host | +-----------+-------------------------------------------+-----------+ | root | *0DB339632B48910F8F0BEF61BD7EAD4441267E6E | localhost | | mysql.sys | *THISISNOTAVALIDPASSWORDTHATCANBEUSEDHERE | localhost | +-----------+-------------------------------------------+-----------+ 2 rows in set (0.01 sec)
創建新用戶
mysql> create user ‘accp‘@‘localhost‘ identified by ‘123123‘; Query OK, 0 rows affected (0.01 sec) mysql> select User,authentication_string,Host from user; +-----------+-------------------------------------------+-----------+ | User | authentication_string | Host | +-----------+-------------------------------------------+-----------+ | root | *0DB339632B48910F8F0BEF61BD7EAD4441267E6E | localhost | | mysql.sys | *THISISNOTAVALIDPASSWORDTHATCANBEUSEDHERE | localhost | | accp | *E56A114692FE0DE073F9A1DD68A00EEB9703F3F1 | localhost | +-----------+-------------------------------------------+-----------+ 3 rows in set (0.00 sec)
刪除用戶命令格式如下
DROP USER ‘username‘@‘host‘
mysql> drop user ‘accp‘@‘localhost‘; #刪除accp
Query OK, 0 rows affected (0.00 sec)
mysql> select User,authentication_string,Host from user;
+-----------+-------------------------------------------+-----------+
| User | authentication_string | Host |
+-----------+-------------------------------------------+-----------+
| root | *0DB339632B48910F8F0BEF61BD7EAD4441267E6E | localhost |
| mysql.sys | *THISISNOTAVALIDPASSWORDTHATCANBEUSEDHERE | localhost |
| bent | *437F1809645E0A92DAB553503D2FE21DB91270FD | localhost |
+-----------+-------------------------------------------+-----------+
3 rows in set (0.00 sec)
用戶重命名,格式如下
RENAME USER ‘old_user‘@‘host‘ TO ‘new_user‘ @ ‘host‘
mysql> select User,authentication_string,Host from user; #這邊我們把bent重命名為accp
+-----------+-------------------------------------------+-----------+
| User | authentication_string | Host |
+-----------+-------------------------------------------+-----------+
| root | *0DB339632B48910F8F0BEF61BD7EAD4441267E6E | localhost |
| mysql.sys | *THISISNOTAVALIDPASSWORDTHATCANBEUSEDHERE | localhost |
| bent | *437F1809645E0A92DAB553503D2FE21DB91270FD | localhost |
+-----------+-------------------------------------------+-----------+
3 rows in set (0.00 sec)
mysql> rename user ‘bent‘@‘localhost‘ to ‘accp‘@‘localhost‘ ;
Query OK, 0 rows affected (0.00 sec)
mysql> select User,authentication_string,Host from user;
+-----------+-------------------------------------------+-----------+
| User | authentication_string | Host |
+-----------+-------------------------------------------+-----------+
| root | *0DB339632B48910F8F0BEF61BD7EAD4441267E6E | localhost |
| mysql.sys | *THISISNOTAVALIDPASSWORDTHATCANBEUSEDHERE | localhost |
| accp | *437F1809645E0A92DAB553503D2FE21DB91270FD | localhost |
+-----------+-------------------------------------------+-----------+
3 rows in set (0.00 sec)
給用戶設置密碼
1:給當前用戶設置密碼
SET PASSWORD=PASSWORD(‘password‘)
mysql> select User,authentication_string,Host from user;
+-----------+-------------------------------------------+-----------+
| User | authentication_string | Host |
+-----------+-------------------------------------------+-----------+
| root | *0DB339632B48910F8F0BEF61BD7EAD4441267E6E | localhost |
| mysql.sys | *THISISNOTAVALIDPASSWORDTHATCANBEUSEDHERE | localhost |
| accp | *437F1809645E0A92DAB553503D2FE21DB91270FD | localhost |
+-----------+-------------------------------------------+-----------+
3 rows in set (0.00 sec)
mysql> set password=password(‘123123‘); #當前用戶是root我把root用戶密碼改為了"123123"與上面的root密碼對比一下秘聞的區別
Query OK, 0 rows affected, 1 warning (0.00 sec)
mysql> select User,authentication_string,Host from user;
+-----------+-------------------------------------------+-----------+
| User | authentication_string | Host |
+-----------+-------------------------------------------+-----------+
| root | *E56A114692FE0DE073F9A1DD68A00EEB9703F3F1 | localhost |
| mysql.sys | *THISISNOTAVALIDPASSWORDTHATCANBEUSEDHERE | localhost |
| accp | *437F1809645E0A92DAB553503D2FE21DB91270FD | localhost |
+-----------+-------------------------------------------+-----------+
3 rows in set (0.00 sec)
2:使用超級管理員root修改其他用戶密碼,格式如下
SET PASSWORD FOR ‘username‘@‘host‘=PASSWORD(‘password‘);
mysql> select User,authentication_string,Host from user;
+-----------+-------------------------------------------+-----------+
| User | authentication_string | Host |
+-----------+-------------------------------------------+-----------+
| root | *E56A114692FE0DE073F9A1DD68A00EEB9703F3F1 | localhost |
| mysql.sys | *THISISNOTAVALIDPASSWORDTHATCANBEUSEDHERE | localhost |
| accp | *437F1809645E0A92DAB553503D2FE21DB91270FD | localhost |
+-----------+-------------------------------------------+-----------+
3 rows in set (0.00 sec)
mysql> set password for ‘accp‘@‘localhost‘=password(‘951116‘); #同樣對比一下密文密碼的區別
Query OK, 0 rows affected, 1 warning (0.00 sec)
mysql> select User,authentication_string,Host from user;
+-----------+-------------------------------------------+-----------+
| User | authentication_string | Host |
+-----------+-------------------------------------------+-----------+
| root | *E56A114692FE0DE073F9A1DD68A00EEB9703F3F1 | localhost |
| mysql.sys | *THISISNOTAVALIDPASSWORDTHATCANBEUSEDHERE | localhost |
| accp | *0DB339632B48910F8F0BEF61BD7EAD4441267E6E | localhost |
+-----------+-------------------------------------------+-----------+
3 rows in set (0.00 sec)
忘記root密碼解決方法
[root@localhost ~] systemctl stop mysqld.service #關閉服務
[root@localhost ~] netstat -ntap | grep 3306 #查看端口有沒有關閉
[root@localhost ~] mysql --skip-grant-tables #會出現以下代碼不要去動它重新開一個終端
2018-06-28T02:16:16.399381Z 0 [Note] - ‘::‘ resolves to ‘::‘;
2018-06-28T02:16:16.399402Z 0 [Note] Server socket created on IP: ‘::‘.
2018-06-28T02:16:16.400217Z 0 [Note] InnoDB: Loading buffer pool(s) from /usr/local/mysql/data/ib_buffer_pool
2018-06-28T02:16:16.401959Z 0 [Note] InnoDB: Buffer pool(s) load completed at 180628 10:16:16
2018-06-28T02:16:16.410638Z 0 [Note] Executing ‘SELECT * FROM INFORMATION_SCHEMA.TABLES;‘ to get a list of tables using the deprecated partition engine. You may use the startup option ‘--disable-partition-engine-check‘ to skip this check.
2018-06-28T02:16:16.410661Z 0 [Note] Beginning of list of non-natively partitioned tables
2018-06-28T02:16:16.423678Z 0 [Note] End of list of non-natively partitioned tables
2018-06-28T02:16:16.423748Z 0 [Note] mysqld: ready for connections.
Version: ‘5.7.17‘ socket: ‘/usr/local/mysql/mysql.sock‘ port: 3306 Source distribution
[root@localhost ~] mysql -u root #直接這樣登錄跳過密碼選項
Welcome to the MySQL monitor. Commands end with ; or \g.
Your MySQL connection id is 3
Server version: 5.7.17 Source distribution
Copyright (c) 2000, 2016, Oracle and/or its affiliates. All rights reserved.
Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.
Type ‘help;‘ or ‘\h‘ for help. Type ‘\c‘ to clear the current input statement.
mysql>
登入進去後改用戶密碼
mysql> update mysql.user set authentication_string=password(‘123123‘)where user=‘root‘; #修改root密碼
Query OK, 1 row affected, 1 warning (0.00 sec)
Rows matched: 1 Changed: 1 Warnings: 1
mysql> flush privileges; #刷新數據庫
Query OK, 0 rows affected (0.01 sec)
[root@localhost ~]# mysql -u root -p123123
mysql: [Warning] Using a password on the command line interface can be insecure.
Welcome to the MySQL monitor. Commands end with ; or \g.
Your MySQL connection id is 5
Server version: 5.7.17 Source distribution
Copyright (c) 2000, 2016, Oracle and/or its affiliates. All rights reserved.
Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.
Type ‘help;‘ or ‘\h‘ for help. Type ‘\c‘ to clear the current input statement.
授權控制
再MySQL中,權限設置非常重要,分配權限可以清晰的劃分責任。管理人員只需要關註完成自己的任務即可,最重要的是保證系統數據的安全
1:授予權限
(1):權限控制主要出於安全因素,需要遵循以下原則
1):只授予能滿足需要的最小權限,防止誤操作和做壞事
2):創建用戶的時候限制用戶的登錄主機,一般限制指定IP或者內網IP網段
3):初始化數據庫時刪除沒有密碼的用戶,MySQL安裝完成是會自動創建沒有密碼的用戶
4):為每個用戶設置滿足要求的密碼
5):定期清理不需要的用戶
(2):授予權限使用GRANT命令,命令格式如下
GRANT 權限列表 ON 庫名.表明 TO 用戶@主機地址[IDENTIFIED BY‘密碼‘]
命令個是很明確,是指定用戶允許它操作某些表,對這些表擁有相應的操作權限
下面演示GRANT的使用方法
mysql> grant select on ×××表.×××信息 to ‘accp‘@‘localhost‘ identified by ‘123123‘;
Query OK, 0 rows affected, 1 warning (0.00 sec)
上面命令的意思是使用戶accp可以在主機localhost登錄,連接密碼是123123,它擁有對數據庫(×××表.×××信息)的select權限
登錄accp用戶驗證以下
[root@localhost ~]# mysql -u accp -p
Enter password:
Welcome to the MySQL monitor. Commands end with ; or \g.
Your MySQL connection id is 9
Server version: 5.7.17 Source distribution
Copyright (c) 2000, 2016, Oracle and/or its affiliates. All rights reserved.
Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.
Type ‘help;‘ or ‘\h‘ for help. Type ‘\c‘ to clear the current input statement.
mysql> insert into imployee_英航客戶表.×××信息 values (2,‘張三‘,‘廣州珠海‘,‘18888888‘);
ERROR 1142 (42000): INSERT command denied to user ‘accp‘@‘localhost‘ for table ‘×××信息‘
上圖顯示select語句可以正常使用,但執行insert語句是沒有足夠權限
當當用戶和主機名在列表中不存在時,用戶和主機名會被自動創建,如果限制用戶密碼與原用密碼不同時會自動覆蓋原密碼
mysql> select User,authentication_string,Host from user;
+-----------+-------------------------------------------+-----------+
| User | authentication_string | Host |
+-----------+-------------------------------------------+-----------+
| root | *0DB339632B48910F8F0BEF61BD7EAD4441267E6E | localhost |
| mysql.sys | *THISISNOTAVALIDPASSWORDTHATCANBEUSEDHERE | localhost |
| accp | *0DB339632B48910F8F0BEF61BD7EAD4441267E6E | localhost |
+-----------+-------------------------------------------+-----------+
3 rows in set (0.00 sec)
#用戶列表中只有三個用戶此時,做一個用戶列表中不存在用戶權限
mysql> grant select on ×××表.×××信息 to ‘benet‘@‘localhost‘ identified by ‘1223123‘;
Query OK, 0 rows affected, 1 warning (0.01 sec)
mysql> select User,authentication_string,Host from user;
+-----------+-------------------------------------------+-----------+
| User | authentication_string | Host |
+-----------+-------------------------------------------+-----------+
| root | *0DB339632B48910F8F0BEF61BD7EAD4441267E6E | localhost |
| mysql.sys | *THISISNOTAVALIDPASSWORDTHATCANBEUSEDHERE | localhost |
| benet | *E56A114692FE0DE073F9A1DD68A00EEB9703F3F1 | localhost |
| accp | *0DB339632B48910F8F0BEF61BD7EAD4441267E6E | localhost |
+-----------+-------------------------------------------+-----------+
4 rows in set (0.00 sec)
#上面自動創建了benet用戶登陸密碼為‘123123’
下面設置benet用戶限制原密碼為123123,我把限制密碼改以新密碼‘321321’然後看一下用原密碼能不能登錄
mysql> grant insert on ×××表.×××信息 to ‘benet‘@‘localhost‘ identified by ‘3221321‘;
Query OK, 0 rows affected, 1 warning (0.00 sec)
[root@localhost ~]# mysql -u benet -p123123
mysql: [Warning] Using a password on the command line interface can be insecure.
ERROR 1045 (28000): Access denied for user ‘benet‘@‘localhost‘ (using password: YES)
#提示你輸入正確的登陸密碼
查看用戶權限
SHOW GRANTS FOR ‘username‘@‘主機地址‘
mysql> show grants for ‘accp‘@‘localhost‘;
+------------------------------------------------------------------------------+
| Grants for accp@localhost |
+------------------------------------------------------------------------------+
| GRANT USAGE ON *.* TO ‘accp‘@‘localhost‘ |
| GRANT SELECT ON "×××表"."×××信息" TO ‘accp‘@‘localhost‘ |
+------------------------------------------------------------------------------+
2 rows in set (0.00 sec)
撤銷用戶權限
REVOKE 權限列表 ON 數據庫名.表名 FROM 用戶@主機地址
mysql> revoke select on ×××表.×××信息 from ‘accp‘@‘localhost‘;
Query OK, 0 rows affected (0.00 sec)
mysql> show grants for ‘accp‘@‘localhost‘;
+------------------------------------------+
| Grants for accp@localhost |
+------------------------------------------+
| GRANT USAGE ON *.* TO ‘accp‘@‘localhost‘ |
+------------------------------------------+
1 row in set (0.00 sec)
撤銷用戶所有權限
REVOKE ALL ON 數據庫名.表名 FROM 用戶@主機地址
MySQL 數據庫用戶和權限管理