
MariaDB User and Privilege Management (12)


MariaDB is a fork of MySQL maintained mainly by the open-source community and released under the GPL. Its goal is full compatibility with MySQL, including the API and the command-line tools, so that it can serve as a drop-in replacement; the fork was started out of concern for MySQL's future under Oracle (MySQL itself remains dual-licensed rather than closed source). Early MariaDB releases shipped XtraDB in place of MySQL's InnoDB storage engine; MariaDB 10.2 and later use InnoDB again. Development is led by MySQL's founder Michael Widenius, who earlier sold his company MySQL AB to Sun for about one billion US dollars; when Sun was later acquired by Oracle, ownership of MySQL passed to Oracle as well. The name MariaDB comes from Widenius's daughter Maria.

MariaDB is a multi-user database with a fine-grained access-control system that lets you assign each user exactly the privileges it needs. Accounts fall into two groups: the root account is the superuser and holds every privilege, including administrative ones such as creating and dropping users and changing passwords; ordinary users hold only the privileges that have been granted to them.


MariaDB privilege overview

The MariaDB server controls access to databases through the grant tables, which live in the `mysql` system database and are initialized by the mysql_install_db script. The main tables holding account and privilege information are user, db, host, tables_priv, columns_priv and procs_priv.

◆ The user table ◆

The user table is the most important grant table. It records every account that is allowed to connect to the server, and the privileges stored in it are global, i.e. they apply to every database. The table has a little over forty columns (the exact number depends on the version), which fall into four groups: user columns, privilege columns, security columns and resource-control columns. The most commonly used columns are described below.

Field name            Data type   Default
Host                  char        '' (NOT NULL)
User                  char        '' (NOT NULL)
Password              char        '' (NOT NULL)
ssl_cipher            blob        none (NOT NULL)
x509_issuer           blob        none (NOT NULL)
x509_subject          blob        none (NOT NULL)
max_questions         int         0
max_updates           int         0
max_connections       int         0
max_user_connections  int         0

User columns:

The user columns are Host, User and Password: the host the account may connect from, the user name, and the password hash. User and Host together form the table's primary key, so an account is identified as 'user'@'host', never by the bare user name; 'lyshark'@'localhost' and 'lyshark'@'%' are two separate accounts with separate privileges. When a client connects, the server picks the row whose Host and User match the connecting host and the supplied user name (when several rows could match, the most specific Host value wins) and checks the supplied password against that row's hash; the connection is accepted only when all three agree. These values are written when the account is created, and changing a password rewrites the Password column of that row. On MariaDB 10.4 and later the data actually lives in mysql.global_priv and mysql.user is a compatibility view; Password there is empty for accounts that authenticate with another plugin such as unix_socket.

Privilege columns:

The privilege columns determine what the user may do at the global level, i.e. across every database on the server. They include ordinary data privileges such as SELECT, INSERT, UPDATE and DELETE, and administrative privileges such as SHUTDOWN, SUPER, RELOAD and FILE. The ordinary privileges are for working with data, the administrative ones for managing the server. Because a Y in this table applies to every database, global grants should be reserved for administrators; application accounts belong in the db table.

Security columns:

There are six security columns: two for SSL (ssl_type and ssl_cipher), two for X.509 (x509_issuer and x509_subject) and two for the authentication plugin (plugin and authentication_string). The SSL columns can require an encrypted connection (REQUIRE SSL, or a specific cipher), the X.509 columns can require a client certificate from a given issuer or with a given subject, and plugin names the authentication plugin used to verify the account; when it is empty the server uses its built-in mysql_native_password authentication.

Resource-control columns:

The resource-control columns limit the resources an account may consume. There are four of them; a value of 0 means no limit:

max_questions: number of queries the user may run per hour.
max_updates: number of updates the user may run per hour.
max_connections: number of new connections the user may open per hour.
max_user_connections: number of simultaneous connections the user may hold.
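To turn the four column groups above into a check that can actually be run, here is an added audit script (example code written for this page, not part of the original post). It reads only the columns described above plus plugin and authentication_string, and assumes a MariaDB 10.x server and an account with SELECT on the mysql database.

```sql
-- Added example, not from the original post: auditing mysql.user by column
-- group. On MariaDB 10.4+ mysql.user is a view over mysql.global_priv,
-- which is fine for these read-only queries.

-- 1. User columns: who may connect from where. Flag anonymous accounts
--    (User = ''), accounts reachable from any host, and accounts with no
--    credential at all. On 10.4+ an empty Password is legitimate for plugins
--    such as unix_socket, so the plugin column is shown alongside.
SELECT User, Host, plugin,
       (User = '')  AS anonymous,
       (Host = '%') AS any_host,
       (Password = '' AND authentication_string = '') AS no_credential
FROM   mysql.user
WHERE  User = '' OR Host = '%'
   OR  (Password = '' AND authentication_string = '')
ORDER  BY User, Host;

-- 2. Privilege columns: global administrative privileges. Each of these is a
--    path to full control of the server (FILE reads and writes files as the
--    server process, SUPER bypasses read_only and changes global variables,
--    GRANT OPTION lets the account hand its privileges to others). Expect
--    to see only root here.
SELECT User, Host,
       Super_priv, File_priv, Grant_priv, Shutdown_priv, Process_priv, Reload_priv
FROM   mysql.user
WHERE  'Y' IN (Super_priv, File_priv, Grant_priv, Shutdown_priv, Process_priv, Reload_priv)
ORDER  BY User, Host;

-- 3. Security columns: remote accounts that were never given REQUIRE SSL or
--    REQUIRE X509 (ssl_type is '' in that case). The challenge-response
--    login does not expose the password itself, but every query and result
--    of such an account crosses the network in clear text.
SELECT User, Host, ssl_type, x509_issuer, x509_subject
FROM   mysql.user
WHERE  Host NOT IN ('localhost', '127.0.0.1', '::1') AND ssl_type = '';

-- 4. Resource-control columns: remote accounts with no connection cap at
--    all. 0 means unlimited, so one leaked credential can consume every
--    slot up to the server's max_connections.
SELECT User, Host, max_questions, max_updates, max_connections, max_user_connections
FROM   mysql.user
WHERE  Host NOT IN ('localhost', '127.0.0.1', '::1')
  AND  max_user_connections = 0 AND max_connections = 0;
```

Every row these queries return is worth a decision: either the account needs the privilege, the host range or the missing limit, and that is recorded somewhere, or the grant is tightened.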

◆ The db grant table ◆

The db and host tables are the next most important grant tables. The db table stores a user's privileges on a specific database, and so decides which database a user may reach from which host. The host table stores the privileges a given host has on a database, refining the db table's control of database-level operations per host; unlike the other grant tables it is not affected by GRANT and REVOKE statements, it is rarely used, and newer MariaDB versions no longer use it. The db table is used constantly. Both tables have a similar structure, with columns in two groups: user columns and privilege columns (Select_priv, Insert_priv, Update_priv, Delete_priv, Create_priv, Drop_priv, Alter_priv, Grant_priv and others).

Field name    Data type      Default
Host          char           ''
Db            char           ''
User          char           ''
Select_priv   enum('N','Y')  N
Insert_priv   enum('N','Y')  N
Update_priv   enum('N','Y')  N
Delete_priv   enum('N','Y')  N
Create_priv   enum('N','Y')  N
Drop_priv     enum('N','Y')  N
Alter_priv    enum('N','Y')  N
Grant_priv    enum('N','Y')  N

The db table has three user columns, Host, User and Db, which identify the privileges a given user connecting from a given host holds on a given database; together they form the table's primary key. The host table has no user-name column: its user columns are only Host and Db, describing the privileges that connections from a given host hold on a database, and its primary key is (Host, Db). In practice the db table covers nearly every need and the host table is hardly ever touched.
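The following added example (not from the original post) shows where a database-level grant is stored and how the (Host, Db, User) key scopes it. The database appdb, the account app and its host pattern are invented for the demonstration and are dropped at the end.

```sql
-- Added example (not from the original post): where a database-level grant
-- is stored. appdb, the account app and its host pattern are invented.
CREATE DATABASE IF NOT EXISTS appdb;

-- Create the account first, then grant the least the application needs,
-- restricted to one subnet. % and _ are wildcards in the Host column.
CREATE USER 'app'@'192.168.1.%' IDENTIFIED BY 'replace-me';
GRANT SELECT, INSERT, UPDATE, DELETE ON appdb.* TO 'app'@'192.168.1.%';

-- The mysql.user row only says "this account exists and may log in":
-- every *_priv column there stays N (that is what "GRANT USAGE" means).
SELECT Host, User, Select_priv, Insert_priv, Update_priv, Delete_priv
FROM   mysql.user WHERE User = 'app';

-- The privileges themselves are one row in mysql.db, keyed by
-- (Host, Db, User); Grant_priv = N means app cannot pass them on.
SELECT Host, Db, User, Select_priv, Insert_priv, Update_priv, Delete_priv, Grant_priv
FROM   mysql.db WHERE User = 'app';

-- Db is matched with wildcards as well: GRANT ... ON `app%`.* would cover
-- appdb, appdb_test and every future database whose name starts with "app".
-- Audit for db-level rows that use a pattern or carry GRANT OPTION, and for
-- anyone with db-level access to the mysql schema itself (the grant tables).
SELECT Host, Db, User, Grant_priv
FROM   mysql.db
WHERE  INSTR(Db, '%') > 0 OR Grant_priv = 'Y' OR Db = 'mysql';

-- Clean up the demonstration objects.
DROP USER 'app'@'192.168.1.%';
DROP DATABASE appdb;
```

The two SELECTs on mysql.user and mysql.db are the quickest way to see why an application account should never receive a global grant: with the db-level grant, a compromise of app is contained to appdb, and the global row stays all N.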

MariaDB account management

MariaDB provides a set of statements for managing user accounts: logging in to and out of the server, creating and dropping users, managing passwords and managing privileges. The security of the database rests on how carefully these accounts are managed.

◆ Listing connected users ◆

Local query: when logged in to the server, the current sessions can be listed with SHOW PROCESSLIST:

MariaDB [(none)]> show processlist;
+----+---------+-----------+------+---------+------+-------+------------------+----------+
| Id | User    | Host      | db   | Command | Time | State | Info             | Progress |
+----+---------+-----------+------+---------+------+-------+------------------+----------+
|  2 | root    | localhost | NULL | Query   |    0 | NULL  | show processlist |    0.000 |
|  5 | lyshark | localhost | NULL | Sleep   |    4 |       | NULL             |    0.000 |
+----+---------+-----------+------+---------+------+-------+------------------+----------+

2 rows in set (0.08 sec)

Query from the shell: the same list is available through mysqladmin, which also works against a remote server (add -h host; the account must be allowed to connect from your address, and needs the PROCESS privilege to see other users' sessions). Note that a password given after -p on the command line, as below, is visible to other local users in the process list and is saved in the shell history; prefer a bare -p so the client prompts for it. The following runs against the local server:

[root@localhost ~]# mysqladmin -uroot -p123 processlist
+----+---------+-----------+----+---------+------+-------+------------------+----------+
| Id | User    | Host      | db | Command | Time | State | Info             | Progress |
+----+---------+-----------+----+---------+------+-------+------------------+----------+
| 5  | lyshark | localhost |    | Sleep   | 154  |       |                  | 0.000    |
| 11 | root    | localhost |    | Query   | 0    |       | show processlist | 0.000    |
+----+---------+-----------+----+---------+------+-------+------------------+----------+

[root@localhost ~]#

All accounts: select the Host, User and Password columns from the mysql.user table:

MariaDB [(none)]> select Host,User,Password from mysql.user;
+-----------+---------+-------------------------------------------+
| Host      | User    | Password                                  |
+-----------+---------+-------------------------------------------+
| localhost | root    | *23AE809DDACAF96AF0FD78ED04B6A265E05AA257 |
| 127.0.0.1 | root    | *23AE809DDACAF96AF0FD78ED04B6A265E05AA257 |
| ::1       | root    | *23AE809DDACAF96AF0FD78ED04B6A265E05AA257 |
| localhost | lyshark | *23AE809DDACAF96AF0FD78ED04B6A265E05AA257 |
+-----------+---------+-------------------------------------------+

4 rows in set (0.01 sec)

Distinct query: DISTINCT removes duplicate rows from the result. Note that identical hashes mean identical passwords: mysql_native_password stores an unsalted double SHA-1 of the password, so a query like this also reveals password reuse across accounts (here root and lyshark share a password).

MariaDB [(none)]> select distinct User,Password from mysql.user;
+---------+-------------------------------------------+
| User    | Password                                  |
+---------+-------------------------------------------+
| root    | *23AE809DDACAF96AF0FD78ED04B6A265E05AA257 |
| lyshark | *23AE809DDACAF96AF0FD78ED04B6A265E05AA257 |
+---------+-------------------------------------------+

2 rows in set (0.00 sec)

◆ Creating an ordinary user ◆

Creating a user requires the corresponding privilege (CREATE USER, or INSERT on the mysql database). There are two ways to do it: the CREATE USER or GRANT statements, or writing to the grant tables directly. The statements are the right choice; editing the tables by hand bypasses the server's checks and needs a FLUSH PRIVILEGES before it takes effect. CREATE USER makes an account with no privileges, which are then granted explicitly; GRANT ... IDENTIFIED BY can create the account and assign its privileges in one step. The one-step form is convenient, but because GRANT creates accounts as a side effect, a mistyped name silently becomes a new, passwordless account unless sql_mode contains NO_AUTO_CREATE_USER (MariaDB 10.2.4 and later set it by default).

Creating a user with CREATE USER:

1. Create a user named jeffrey with the password mypass, allowed to connect from any host (%):

MariaDB [(none)]> create user 'jeffrey'@'%' identified by 'mypass';
Query OK, 0 rows affected (0.05 sec)

2. Create another user, jeffreys, with the same password, restricted to local (localhost) connections. Here the hash is computed first with PASSWORD() and passed with IDENTIFIED BY PASSWORD, which is how an account is created from an existing hash without handling the cleartext:

MariaDB [(none)]> select password('mypass');
+-------------------------------------------+
| password('mypass')                        |
+-------------------------------------------+
| *6C8989366EAF75BB670AD8EA7A7FC1176A95CEF4 |
+-------------------------------------------+
1 row in set (0.00 sec)

MariaDB [(none)]> create user 'jeffreys'@'localhost' identified by password '*6C8989366EAF75BB670AD8EA7A7FC1176A95CEF4';
Query OK, 0 rows affected (0.00 sec)

Creating a user with GRANT:

GRANT creates the user myuser with the password 123123 and gives it SELECT and UPDATE on every database (*.*) in one statement. Because the grant is global, the privileges show up in the mysql.user columns:

MariaDB [(none)]> grant select,update ON *.* TO 'myuser'@'localhost' identified by '123123';
Query OK, 0 rows affected (0.00 sec)

MariaDB [(none)]> select Host,User,Select_priv,Update_priv from mysql.user where user='myuser';
+-----------+--------+-------------+-------------+
| Host      | User   | Select_priv | Update_priv |
+-----------+--------+-------------+-------------+
| localhost | myuser | Y           | Y           |
+-----------+--------+-------------+-------------+
1 row in set (0.00 sec)

◆ Dropping an ordinary user ◆

Using DROP USER (the recommended way; it removes the account from every grant table):

MariaDB [(none)]> select distinct User,Host from mysql.user;
+---------+-----------+
| User    | Host      |
+---------+-----------+
| root    | 127.0.0.1 |
| root    | ::1       |
| lyshark | localhost |
| root    | localhost |
+---------+-----------+
4 rows in set (0.07 sec)

MariaDB [(none)]> drop user lyshark@"localhost";
Query OK, 0 rows affected (0.37 sec)

MariaDB [(none)]> select distinct User,Host from mysql.user;
+------+-----------+
| User | Host      |
+------+-----------+
| root | 127.0.0.1 |
| root | ::1       |
| root | localhost |
+------+-----------+
3 rows in set (0.00 sec)

MariaDB [(none)]>

Using DELETE on mysql.user (not recommended): this removes only the mysql.user row. Matching rows in db, tables_priv and columns_priv stay behind and will apply again if an account with the same name and host is ever recreated, the change is invisible to the server until FLUSH PRIVILEGES, and on MariaDB 10.4 and later mysql.user is a view that rejects the DELETE. Prefer DROP USER.

MariaDB [(none)]> delete from mysql.user where host='localhost' and user='myuser';
Query OK, 1 row affected (0.01 sec)
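The following added example (not part of the original post) shows what that DELETE leaves behind and why it matters. The account tmpuser and its grants are invented for the demonstration.

```sql
-- Added example (not from the original post): what DELETE FROM mysql.user
-- leaves behind. The account tmpuser and its grants are invented.
CREATE USER 'tmpuser'@'localhost' IDENTIFIED BY 'replace-me';
GRANT SELECT ON mysql.*    TO 'tmpuser'@'localhost';   -- row in mysql.db
GRANT SELECT ON mysql.user TO 'tmpuser'@'localhost';   -- row in mysql.tables_priv

-- One account, three grant tables.
SELECT 'user'        AS grant_table, COUNT(*) AS cnt FROM mysql.user        WHERE User = 'tmpuser'
UNION ALL
SELECT 'db',                         COUNT(*)        FROM mysql.db          WHERE User = 'tmpuser'
UNION ALL
SELECT 'tables_priv',                COUNT(*)        FROM mysql.tables_priv WHERE User = 'tmpuser';
-- cnt is 1, 1, 1

-- The post's method removes only the mysql.user row, and even that is not
-- seen by the server until the privilege cache is reloaded. (On MariaDB
-- 10.4 and later mysql.user is a view and this DELETE is refused.)
DELETE FROM mysql.user WHERE Host = 'localhost' AND User = 'tmpuser';
FLUSH PRIVILEGES;

-- The db and tables_priv rows are still there. If anyone later runs
-- CREATE USER 'tmpuser'@'localhost' again, the new account inherits them:
-- read access to the grant tables that nobody consciously granted.
SELECT Host, Db, User             FROM mysql.db          WHERE User = 'tmpuser';
SELECT Host, Db, User, Table_name FROM mysql.tables_priv WHERE User = 'tmpuser';

-- Remove the orphans by hand this time. DROP USER would have removed all
-- three rows in one statement and needs no FLUSH PRIVILEGES.
DELETE FROM mysql.db          WHERE Host = 'localhost' AND User = 'tmpuser';
DELETE FROM mysql.tables_priv WHERE Host = 'localhost' AND User = 'tmpuser';
FLUSH PRIVILEGES;
```

The same orphan check (rows in db, tables_priv, columns_priv and procs_priv whose (Host, User) has no row in mysql.user) is worth running on any server that has been administered by hand.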

◆ Changing passwords ◆

Changing your own password: SET PASSWORD without a FOR clause changes the password of the account you are logged in as (it cannot change the user name):

MariaDB [(none)]> set password=password("123123");
Query OK, 0 rows affected (0.00 sec)

Changing another account's password: set the password of the lyshark account for localhost connections to 123123. The host part matters; 'lyshark'@'%', if it exists, keeps its old password:

MariaDB [(none)]> set password for "lyshark"@"localhost"=password("123123");
Query OK, 0 rows affected (0.00 sec)

◆ Recovering the root password ◆

1. Stop the MariaDB service:

[root@localhost ~]# systemctl stop mariadb
[root@localhost ~]# systemctl status mariadb

2. Edit the main configuration file and add skip-grant-tables (the original post misspells it as skip-grant-table) to the [mysqld] section, then save. While this option is in effect the server accepts any user name with no password and gives every connection full privileges, so add skip-networking next to it so that only local socket connections are possible until the grant tables are back:

[root@localhost etc]# ll /etc/my.cnf
-rw-r--r--. 1 root root 570 6月   8 2017 /etc/my.cnf
[root@localhost etc]#
[root@localhost etc]# vim /etc/my.cnf

[mysqld]

skip-grant-tables       # added for password recovery; remove when finished

datadir=/var/lib/mysql
socket=/var/lib/mysql/mysql.sock
# Disabling symbolic-links is recommended to prevent assorted security risks

3. Start MariaDB again:

[root@localhost ~]# systemctl restart mariadb
[root@localhost ~]# systemctl status mariadb

4. Connect without a password and reset the root password. The UPDATE below rewrites the hash directly in the grant table; its WHERE clause matches every root row, including a remote 'root'@'%' if one exists. On MariaDB 10.4 and later mysql.user is a view and the UPDATE fails; run FLUSH PRIVILEGES first and then SET PASSWORD FOR 'root'@'localhost' = PASSWORD('...') instead. Then exit:

[root@localhost ~]# mysql -uroot
MariaDB [(none)]> update mysql.user set password=password("123") where user="root";
MariaDB [(none)]> exit

5. Remove skip-grant-tables (and skip-networking) from the configuration file and restart; from now on log in with the new password. Let the client prompt for it rather than putting it after -p on the command line, where it is visible to other users in the process list and saved in the shell history:

[root@localhost ~]# vim /etc/my.cnf
[root@localhost ~]# systemctl restart mariadb

[root@localhost ~]# mysql -uroot -p
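As an added example (not from the original post), here is the recovery session done with the grant tables reloaded instead of edited by hand. It assumes the server was started with skip-grant-tables and skip-networking as described in step 2 and that the three local root rows shown earlier on this page exist; the new password is a placeholder.

```sql
-- Added example (not from the original post): the recovery session itself.
-- Assumes the server runs with skip-grant-tables and skip-networking and
-- that you connected with "mysql -uroot" over the local socket.
-- 'ChangeMe-NewRootPassword' is a placeholder.

-- With skip-grant-tables the privilege cache is empty and account statements
-- are refused ("running with the --skip-grant-tables option"). Loading the
-- tables first makes SET PASSWORD work, writes a correct hash for whichever
-- plugin the account uses, and also works on MariaDB 10.4 and later, where
-- mysql.user is a view and UPDATE mysql.user fails.
FLUSH PRIVILEGES;

-- Reset only the local root rows (the three shown earlier in this post).
-- A bare WHERE user='root' would also re-key a remote 'root'@'%' if one
-- exists; such a row should be dropped, not given a fresh password.
SET PASSWORD FOR 'root'@'localhost' = PASSWORD('ChangeMe-NewRootPassword');
SET PASSWORD FOR 'root'@'127.0.0.1' = PASSWORD('ChangeMe-NewRootPassword');
SET PASSWORD FOR 'root'@'::1'       = PASSWORD('ChangeMe-NewRootPassword');

-- Before handing the server back: no remote root, no credential-less rows
-- (unix_socket accounts legitimately have no stored credential).
SELECT User, Host, plugin
FROM   mysql.user
WHERE  (User = 'root' AND Host NOT IN ('localhost', '127.0.0.1', '::1'))
   OR  (Password = '' AND authentication_string = '' AND plugin <> 'unix_socket');
```

Once this returns no rows, remove skip-grant-tables and skip-networking from the configuration and restart as in step 5. The whole window during which the server runs without grant tables should be as short as possible, which is why the statements are prepared before the restart rather than worked out interactively.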


MariaDB privilege management

Privilege management is the verification of what each user logged in to MariaDB is allowed to do. All privileges are stored in the grant tables, and a poorly planned set of privileges is a direct security risk to the server, so the administrator must plan and manage the privileges of every account deliberately.

◆ Viewing privileges ◆

All accounts: list every account (user and host) known to the server. This only lists the accounts; their privileges are shown with SHOW GRANTS:

MariaDB [(none)]> select distinct concat("user:",user," host:",host) as query from mysql.user;
+-----------------------------+
| query                       |
+-----------------------------+
| user:root host:localhost    |
| user:root host:127.0.0.1    |
| user:root host:::1          |
| user:lyshark host:localhost |
| user:lyshark host:%         |
+-----------------------------+
5 rows in set (0.46 sec)

MariaDB [(none)]>

A specific account: show the privileges of lyshark. Without an explicit host, SHOW GRANTS FOR lyshark means 'lyshark'@'%':

MariaDB [(none)]> show grants for lyshark;
+----------------------------------------------+
| Grants for lyshark@%                         |
+----------------------------------------------+
| GRANT ALL PRIVILEGES ON *.* TO 'lyshark'@'%' |
+----------------------------------------------+
1 row in set (0.00 sec)

MariaDB [(none)]>

A specific account and host: show the privileges of lyshark for remote (%) and for local (localhost) connections separately. They are different accounts with different privileges; here the remote one holds everything and the local one only USAGE:

MariaDB [(none)]> show grants for "lyshark"@"%";
+----------------------------------------------+
| Grants for lyshark@%                         |
+----------------------------------------------+
| GRANT ALL PRIVILEGES ON *.* TO 'lyshark'@'%' |
+----------------------------------------------+
1 row in set (0.00 sec)

MariaDB [(none)]> show grants for "lyshark"@"localhost";
+----------------------------------------------------------------------------------------------------------------+
| Grants for lyshark@localhost                                                                                   |
+----------------------------------------------------------------------------------------------------------------+
| GRANT USAGE ON *.* TO 'lyshark'@'localhost' IDENTIFIED BY PASSWORD '*23AE809DDACAF96AF0FD78ED04B6A265E05AA257' |
+----------------------------------------------------------------------------------------------------------------+
1 row in set (0.37 sec)

MariaDB [(none)]>

◆ Granting privileges ◆

Create and grant: create the user wang, allowed from any host (%), with all privileges on all databases, password 123. This is an administrator-level account reachable from the network; do not provision application accounts this way:

MariaDB [(none)]> grant all on *.* to "wang"@"%" identified by "123";
Query OK, 0 rows affected (0.15 sec)

MariaDB [(none)]> show grants for "wang"@"%";
+--------------------------------------------------------------------------------------------------------------+
| Grants for wang@%                                                                                            |
+--------------------------------------------------------------------------------------------------------------+
| GRANT ALL PRIVILEGES ON *.* TO 'wang'@'%' IDENTIFIED BY PASSWORD '*23AE809DDACAF96AF0FD78ED04B6A265E05AA257' |
+--------------------------------------------------------------------------------------------------------------+
1 row in set (0.00 sec)

Create and grant: create wang1, local connections only, with SELECT on every table in the mysql database, password 123. SHOW GRANTS lists the global USAGE row and the database-level grant separately:

MariaDB [(none)]> grant select on mysql.* to "wang1"@"localhost" identified by "123";
Query OK, 0 rows affected (0.36 sec)

MariaDB [(none)]> show grants for "wang1"@"localhost";
+--------------------------------------------------------------------------------------------------------------+
| Grants for wang1@localhost                                                                                   |
+--------------------------------------------------------------------------------------------------------------+
| GRANT USAGE ON *.* TO 'wang1'@'localhost' IDENTIFIED BY PASSWORD '*23AE809DDACAF96AF0FD78ED04B6A265E05AA257' |
| GRANT SELECT ON `mysql`.* TO 'wang1'@'localhost'                                                             |
+--------------------------------------------------------------------------------------------------------------+
2 rows in set (0.00 sec)

MariaDB [(none)]>

Create and grant: create wang2, reachable from any host (%), with SELECT, INSERT, UPDATE and DELETE on all databases, password 123:

MariaDB [(none)]> grant insert,delete,update,select on *.* to "wang2"@"%" identified by "123";
Query OK, 0 rows affected (0.00 sec)

MariaDB [(none)]> show grants for "wang2"@"%";
+-------------------------------------------------------------------------------------------------------------------------------+
| Grants for wang2@%                                                                                                            |
+-------------------------------------------------------------------------------------------------------------------------------+
| GRANT SELECT, INSERT, UPDATE, DELETE ON *.* TO 'wang2'@'%' IDENTIFIED BY PASSWORD '*23AE809DDACAF96AF0FD78ED04B6A265E05AA257' |
+-------------------------------------------------------------------------------------------------------------------------------+
1 row in set (0.00 sec)

MariaDB [(none)]>

Create and grant: create wang3, who may log in only from 192.168.1.59, with SELECT on the mysql database, password 123:

MariaDB [(none)]> grant select on mysql.* to "wang3"@"192.168.1.59" identified by "123";
Query OK, 0 rows affected (0.15 sec)

MariaDB [(none)]> show grants for "wang3"@"192.168.1.59";
+-----------------------------------------------------------------------------------------------------------------+
| Grants for wang3@192.168.1.59                                                                                   |
+-----------------------------------------------------------------------------------------------------------------+
| GRANT USAGE ON *.* TO 'wang3'@'192.168.1.59' IDENTIFIED BY PASSWORD '*23AE809DDACAF96AF0FD78ED04B6A265E05AA257' |
| GRANT SELECT ON `mysql`.* TO 'wang3'@'192.168.1.59'                                                             |
+-----------------------------------------------------------------------------------------------------------------+
2 rows in set (0.50 sec)

MariaDB [(none)]>

Create and grant: create the ordinary user wang4 with only SELECT on the mysql database, password 123. USAGE in the privilege list is a no-op; it means "no privileges" and is what every account holds at minimum:

MariaDB [(none)]> grant usage,select on mysql.* to "wang4"@"localhost" identified by "123";
Query OK, 0 rows affected (0.35 sec)

Grant to an existing account: give wang4 all privileges on all databases. The account already exists, so the IDENTIFIED BY clause here also resets its password to 123:

MariaDB [(none)]> grant all privileges on *.* to "wang4"@"localhost" identified by "123";
Query OK, 0 rows affected (0.36 sec)

Grant to an existing account: give root full privileges from any host. This is shown for completeness only. It exposes the superuser to the whole network, and if 'root'@'%' does not already exist, GRANT creates it, with an empty password because no IDENTIFIED BY is given, unless sql_mode contains NO_AUTO_CREATE_USER. Remote administration should use a dedicated, host-restricted account instead:

MariaDB [(none)]> grant all on *.* to "root"@"%";
Query OK, 0 rows affected (0.07 sec)
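Added example, not from the original post: a demonstration of the account-creation side effect of GRANT described above, followed by provisioning an account deliberately. The names wnag1, reporting and appdb are invented and the password is a placeholder; REQUIRE and WITH clauses on CREATE USER need MariaDB 10.2 or later.

```sql
-- Added example (not from the original post). wnag1, reporting and appdb
-- are invented; the password is a placeholder.

-- 1. GRANT creates accounts as a side effect unless sql_mode contains
--    NO_AUTO_CREATE_USER. MariaDB 10.2.4 and later set it by default;
--    MariaDB 5.5 (the version behind this post's output) does not.
SELECT @@sql_mode;

-- 2. The hazard, reproduced in this session only: a mistyped account name
--    (wnag1 for wang1) quietly becomes a brand-new login with an EMPTY
--    password and read access to the grant tables.
SET SESSION sql_mode = '';
GRANT SELECT ON mysql.* TO 'wnag1'@'localhost';
SELECT User, Host, Password FROM mysql.user WHERE User = 'wnag1';   -- 1 row, Password = ''
DROP USER 'wnag1'@'localhost';
SET SESSION sql_mode = DEFAULT;

-- 3. With NO_AUTO_CREATE_USER the same GRANT fails with
--    ERROR 1133 (42000): Can't find any matching row in the user table
--    That failure is the behaviour you want in production.

-- 4. Provision deliberately: create first, grant the minimum, pin the host,
--    require TLS and cap concurrent sessions (on servers older than 10.2,
--    put REQUIRE and WITH on the GRANT statement instead).
CREATE USER 'reporting'@'192.168.1.59' IDENTIFIED BY 'replace-me'
    REQUIRE SSL
    WITH MAX_USER_CONNECTIONS 5;
GRANT SELECT ON appdb.* TO 'reporting'@'192.168.1.59';
SHOW GRANTS FOR 'reporting'@'192.168.1.59';

-- 5. The post's last statement, GRANT ALL ON *.* TO 'root'@'%', has the same
--    side effect: on a server without NO_AUTO_CREATE_USER and without an
--    existing 'root'@'%', it creates a passwordless superuser reachable from
--    anywhere. Confirm no such row exists.
SELECT User, Host, Password FROM mysql.user WHERE User = 'root' AND Host = '%';

DROP USER 'reporting'@'192.168.1.59';
```

Step 2 is deliberately run with the mode cleared only for the session, so the demonstration never changes the server's global setting.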

◆ Revoking privileges ◆

Revoke a grant: revoke all privileges on all databases from lyshark's remote (%) account. The account itself survives with USAGE and can still log in:

MariaDB [(none)]> show grants for lyshark;
+----------------------------------------------+
| Grants for lyshark@%                         |
+----------------------------------------------+
| GRANT ALL PRIVILEGES ON *.* TO 'lyshark'@'%' |
+----------------------------------------------+
1 row in set (0.00 sec)

MariaDB [(none)]> revoke all on *.* from "lyshark"@"%";
Query OK, 0 rows affected (0.00 sec)

MariaDB [(none)]> show grants for lyshark;
+-------------------------------------+
| Grants for lyshark@%                |
+-------------------------------------+
| GRANT USAGE ON *.* TO 'lyshark'@'%' |
+-------------------------------------+
1 row in set (0.00 sec)

Revoke a single privilege: REVOKE takes the same privilege list as GRANT, so individual privileges can be removed, here CREATE. This does not take away the ability to log in; to block a login, drop the account, lock it with ALTER USER ... ACCOUNT LOCK (MariaDB 10.4.2 and later), or change its password:

MariaDB [(none)]> revoke create on *.* from "lyshark"@"%";
Query OK, 0 rows affected (0.01 sec)

Reloading privileges: GRANT and REVOKE take effect on their own. FLUSH PRIVILEGES is only required after modifying the mysql.* tables directly with INSERT, UPDATE or DELETE; running it after GRANT or REVOKE is harmless but unnecessary:

MariaDB [(none)]> flush privileges;
Query OK, 0 rows affected (0.01 sec)
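Added example (not from the original post): fully disabling the 'lyshark'@'%' account from the statements above, since REVOKE alone neither blocks new logins nor affects sessions that are already open. ALTER USER ... ACCOUNT LOCK needs MariaDB 10.4.2 or later, SHOW CREATE USER needs 10.2 or later, and KILL USER needs 10.0.5 or later.

```sql
-- Added example (not from the original post): disabling 'lyshark'@'%'
-- completely. ACCOUNT LOCK needs MariaDB 10.4.2+, KILL USER needs 10.0.5+.

-- 1. Remove every privilege, including the right to grant. The account is
--    left with USAGE only, which still allows logging in.
REVOKE ALL PRIVILEGES, GRANT OPTION FROM 'lyshark'@'%';
SHOW GRANTS FOR 'lyshark'@'%';       -- GRANT USAGE ON *.* TO 'lyshark'@'%'

-- 2. Block new logins without deleting the account (keeps its name in logs
--    and lets you unlock it later). On older servers, change the password
--    to something unknown, or DROP USER.
ALTER USER 'lyshark'@'%' ACCOUNT LOCK;

-- 3. Neither statement touches sessions that are already open. Global
--    privileges that a connected session already holds stay in force until
--    it disconnects; database-level changes apply at its next USE, table-
--    and column-level changes at its next statement. List the sessions,
--    then terminate them. (Without KILL USER, run KILL CONNECTION <ID> for
--    each row the SELECT returns.)
SELECT ID, HOST, DB, COMMAND, TIME
FROM   information_schema.PROCESSLIST
WHERE  USER = 'lyshark';
KILL USER 'lyshark';

-- 4. Verify all three: no privileges, locked, no open sessions.
SHOW GRANTS FOR 'lyshark'@'%';
SHOW CREATE USER 'lyshark'@'%';      -- ends with ACCOUNT LOCK on 10.4.2+
SELECT COUNT(*) AS open_sessions
FROM   information_schema.PROCESSLIST WHERE USER = 'lyshark';   -- 0

-- GRANT and REVOKE reload the privilege cache themselves; FLUSH PRIVILEGES
-- is only needed after editing the mysql.* tables by hand.
```

The order matters: revoke first so that a client reconnecting during the procedure gets nothing, lock second, kill last so that no session is left holding the old global privileges.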

