目录
MySQL用户授权
一,密码策略
1,查看临时密码
2,查看数据库当前密码策略:
二, 用户授权和撤销授权
1、创建用户
2,删除用户
3,授权和回收权限
MySQL用户授权
一,密码策略
mysql刚安装时,临时密码会存储在 /var/log/mysqld.log
1,查看临时密码
方法一:直接给出密码
[root@localhost ~]# awk '/temporary password/ {print $NF}' /var/log/mysqld.log*2D):irrJ_!_
方法二:查到的语句的最后为密码
[root@localhost ~]# grep 'password' /var/log/mysqld.log2023-02-07T13:07:17.842453Z 6 [Note] [MY-010454] [Server] A temporary password is generated for root@localhost: *2D):irrJ_!_
2,查看数据库当前密码策略:
mysql8.0.30 [(none)]>show VARIABLES like"%password%";
二, 用户授权和撤销授权
MySql8有新的安全要求,不能像之前的版本那样一次性创建用户并授权。需要先创建用户,再进行授权操作。
mysql8.0.30 [(none)]>grant all privileges on *.* to 'xiaoming'@'%';
ERROR 1410 (42000): You are not allowed to create a user with GRANT
1、创建用户
创建新用户,语法:create user 'username'@'host' identified by 'password';
说明:username为自定义的用户名,host为客户端的域名或者IP,如果host为'%'时表示为任意IP,password为密码。
(1)创建一个用户名为xiaoming,客户端的ip为任意,密码为Guest123!的新用户
mysql8.0.30 [(none)]>create user xiaoming@'%' identified by 'Guest123!';Query OK, 0 rows affected (0.01 sec)
(2)查看刚创建的的用户信息
mysql8.0.30 [(none)]>select user,host from mysql.user;+------------------+-----------+| user | host |+------------------+-----------+| root | % || xiaoming | % || mysql.infoschema | localhost || mysql.session | localhost || mysql.sys | localhost |+------------------+-----------+5 rows in set (0.00 sec)
(3)使用xiaoming用户登录一下数据库:
[root@localhost ~]# mysql -uxiaoming -p'Guest123!';mysql: [Warning] Using a password on the command line interface can be insecure.Welcome to the MySQL monitor. Commands end with ; or \g.Your MySQL connection id is 12Server version: 8.0.32 MySQL Community Server - GPLCopyright (c) 2000, 2023, Oracle and/or its affiliates.Oracle is a registered trademark of Oracle Corporation and/or itsaffiliates. Other names may be trademarks of their respectiveowners.Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
(4)使用xiaoming用户查看所有的数据库:
mysql8.0.30 [(none)]>show databases;+--------------------+| Database |+--------------------+| information_schema || performance_schema |+--------------------+2 rows in set (0.01 sec)
(5)也可以在windows端登录xiaoming用户:
2,删除用户
(1)删除用户名为xiaoming,客户端的ip为任意,密码为Guest123!的用户
mysql8.0.30 [(none)]>drop user xiaoming@'%';Query OK, 0 rows affected (0.01 sec)
(2)删除后的user表中已经没了xiaoming的信息
mysql8.0.30 [(none)]>select user,host from mysql.user;+------------------+-----------+| user | host |+------------------+-----------+| root | % || mysql.infoschema | localhost || mysql.session | localhost || mysql.sys | localhost |+------------------+-----------+4 rows in set (0.00 sec)
注意,如果删除用户时显示如下提示:
mysql8.0[mysql]>drop user xiaoming;
ERROR 1227(42000): Access denied; you need (atleast oneof) the SYSTEM_USER privilege(s) forthis operation
需要执行该语句:
【mysql8.0 [(none)]>grant system_user on *.* to root@'%';】
3,授权和回收权限
授予权限的原则:
(1)只授予能满足需要的最小权限 ,防止用户干坏事。比如用户只是需要查
询,那就只给 select 权限就可以了,不要给用户赋予update 、 insert 或
者 delete 权限
(2)创建用户的时候限制用户的登录主机 ,一般是限制成指定 IP 或者内网
IP 段。
(3)为每个用户设置满足密码复杂度的密码 。
(4)定期清理不需要的用户 ,回收权限或者删除用户。
授权语法:grant 权限列表 on 库名.表名 to 用户名@'主机' [with GRANT option];
没有with GRANT option,被授权者无法授权于下一个人用户
mysql用户常用权限列表 | 说明 |
all 或者all privileges | 授予用户所有权限 |
create | 授予用户创建新数据库和表的权限 |
drop | 授予用户删除数据库和表的权限 |
delete | 授予用户删除表中的行的权限 |
alter | 授予用户修改表结构的权限 |
insert | 授予用户在表中插入行(add)的权限 |
select | 授予用户运行select命令以从表中读取数据的权限 |
update | 授予用户更新表中的数据的权限 |
查看授予用户的权限的四种方法:
(1) 查看root用户的权限(方法一)
mysql8.0.30 [(none)]>show grants;+--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+| Grants for root@% |+--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+| GRANT SELECT, INSERT, UPDATE, DELETE, CREATE, DROP, RELOAD, SHUTDOWN, PROCESS, FILE, REFERENCES, INDEX, ALTER, SHOW DATABASES, SUPER, CREATE TEMPORARY TABLES, LOCK TABLES, EXECUTE, REPLICATION SLAVE, REPLICATION CLIENT, CREATE VIEW, SHOW VIEW, CREATE ROUTINE, ALTER ROUTINE, CREATE USER, EVENT, TRIGGER, CREATE TABLESPACE, CREATE ROLE, DROP ROLE ON *.* TO `root`@`%` WITH GRANT OPTION |+--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+1 row in set (0.00 sec)
(2)查看xiaoming用户的权限(方法二)
mysql8.0.30 [(none)]>show grants for xiaoming@'%';+--------------------------------------+| Grants for xiaoming@% |+--------------------------------------+| GRANT USAGE ON *.* TO `xiaoming`@`%` |+--------------------------------------+1 row in set (0.00 sec)
(3)mysql8.0[mysql]>select* from mysql.user;(方法三)
(4)方法四:
授权操作
不具有授予下一个人权限的权利的授权
(1)此时,xiaoming用户可以访问以下两个数据库,须授予其他数据库的访问权限,才能对其
它数据库进行操作
mysql8.0.30 [(none)]>show databases;+--------------------+| Database |+--------------------+| information_schema || performance_schema |+--------------------+2 rows in set (0.01 sec)
(2)给xiaoming用户授予所有权限
*.*中第一个*表示所有数据库,第二个*表示所有数据表
mysql8.0.30 [(none)]>grant all privileges on *.* to xiaoming@'%';Query OK, 0 rows affected (0.01 sec)
(3)此时xiaoming用户拥有和root用户一样的权限,可以访问其它数据库的权限
mysql8.0.30 [(none)]>show databases;+--------------------+| Database |+--------------------+| chap03 || information_schema || mysql || performance_schema || sys |+--------------------+5 rows in set (0.00 sec)
(4)此时的xiaoming用户没有赋予下一个人权限的权利
mysql8.0.30 [(none)]>grant all privileges on *.* to xiaohei@'%';ERROR 1045 (28000): Access denied for user 'xiaoming'@'%' (using password: YES)mysql8.0.30 [(none)]>
具有授予下一个人权限的权利的授权
(1)重新授予xiaoming用户授予其他用户权限的权利
mysql8.0.30 [(none)]>grant all privileges on *.* to xiaoming@'%' with GRANT option;Query OK, 0 rows affected (0.00 sec)
(2)使用xiaoming用户为xiaohei 用户授权
mysql8.0.30 [(none)]>grant all privileges on *.* to xiaohei@'%';Query OK, 0 rows affected (0.01 sec)
(3)此时xiaohei用户拥有访问所有数据库的权利
mysql8.0.30 [(none)]>select user(); (查看当前的用户)+-------------------+| user() |+-------------------+| xiaohei@localhost |+-------------------+1 row in set (0.00 sec)mysql8.0.30 [(none)]>show databases; (此用户可以访问以下数据库的权利)+--------------------+| Database |+--------------------+| chap03 || information_schema || mysql || performance_schema || sys |+--------------------+5 rows in set (0.00 sec)
收回权限
收回权限(不包含赋权权限)
REVOKE ALL PRIVILEGES ON *.* FROM username;
收回赋权权限
REVOKE GRANT OPTION ON *.* FROM username;
收回赋权权限
(1)收回xiaoming用户授予其他用户权限的权利
mysql8.0.30 [(none)]>revoke grant option on *.* from xiaoming;Query OK, 0 rows affected (0.00 sec)
(2)此时,xiaoming用户不在拥有授予其他用户的权限
mysql8.0.30 [(none)]>grant all privileges on *.* to xiaohei@'%';ERROR 1045 (28000): Access denied for user 'xiaoming'@'%' (using password: YES)mysql8.0.30 [(none)]>
收回权限(不包含赋权权限)
(1)收回xiaoming用户的所有权限
mysql8.0.30 [(none)]>revoke all privileges on *.* from xiaoming@'%';Query OK, 0 rows affected (0.00 sec)
(2)此时xiaoming用户不在拥有访问其它数据库的权限
mysql8.0.30 [(none)]>show databases;+--------------------+| Database |+--------------------+| information_schema || performance_schema |+--------------------+2 rows in set (0.00 sec)