您好,欢迎访问一九零五行业门户网

MySQLStudy之--MySQL用户及权限管理_MySQL

mysql study之--mysql用户及权限管理
mysql服务器通过mysql权限表来控制用户对数据库的访问,mysql权限表存放在mysql数据库里,由mysql_install_db脚本初始化。这些mysql权限表分别user,db,table_priv,columns_priv和host。下面分别介绍一下这些表的结构和内容:
user权限表:记录允许连接到服务器的用户帐号信息,里面的权限是全局级的。
db权限表:记录各个帐号在各个数据库上的操作权限。
table_priv权限表:记录数据表级的操作权限。
columns_priv权限表:记录数据列级的操作权限。
host权限表:配合db权限表对给定主机上数据库级操作权限作更细致的控制。这个权限表不受grant和revoke语句的影响。
案例分析:
一、创建用户并授权(root用户)
[root@mysrv ~]# mysql -u root -poracle
mysql> select version()\g
+-------------------------------------------+
| version() |
+-------------------------------------------+
| 5.6.25-enterprise-commercial-advanced-log |
+-------------------------------------------+
1 row in set (0.00 sec)
mysql> show databases;
+--------------------+
| database |
+--------------------+
| information_schema |
| mysql |
| performance_schema |
| prod |
| test |
+--------------------+
5 rows in set (0.01 sec)
1、建立tom用户并授权(特权管理用户)
mysql> grant all on prod.* to 'tom'@'%' identified by 'tom' with grant option;
query ok, 0 rows affected (0.00 sec)
查看用户创建是否成功:
mysql> select user,host from user ;
+-------+-----------+| user | host |+-------+-----------+| tom | % || root | 127.0.0.1 || root | ::1 || | localhost || root | localhost || scott | localhost || | mysrv || root | mysrv |+-------+-----------+8 rows in set (0.00 sec)
查看tom用户的授权:
mysql> show grants for tom;
+----------------------------------------------------------------------------------------------------+
| grants for tom@% |
+----------------------------------------------------------------------------------------------------+
| grant usage on *.* to 'tom'@'%' identified by password '*71ff744436c7ea1b954f6276121db5d2bf68fc07' |
| grant all privileges on `prod`.* to 'tom'@'%' with grant option |
+----------------------------------------------------------------------------------------------------+
grant 语法:
grant privileges (columns)
on what
to user identified by password
with grant option
权限列表:
alter: 修改表和索引。
create: 创建数据库和表。
delete: 删除表中已有的记录。
drop: 抛弃(删除)数据库和表。
index: 创建或抛弃索引。
insert: 向表中插入新行。
reference: 未用。
select: 检索表中的记录。
update: 修改现存表记录。
file: 读或写服务器上的文件。
process: 查看服务器中执行的线程信息或杀死线程。
reload: 重载授权表或清空日志、主机缓存或表缓存。
shutdown: 关闭服务器。
all: 所有权限,all privileges同义词。
usage: 特殊的 无权限 权限。
用 户账户包括 username 和 host 两部分,后者表示该用户被允许从何地接入。tom@'%' 表示任何地址,默认可以省略。还可以是 tom@192.168.1.%、tom@%.abc.com 等。数据库格式为 db@table,可以是 test.* 或 *.*,前者表示 test 数据库的所有表,后者表示所有数据库的所有表。
子句 with grant option 表示该用户可以为其他用户分配权限。
2、我们用 root 再创建几个用户,然后由 test 数据库的管理员tom为他们分配权限。
mysql> create user 'tom1' identified by 'tom1' ,'tom2' identified by 'tom2';
query ok, 0 rows affected (0.00 sec)
mysql> select user,host from user ;
+-------+-----------+| user | host |+-------+-----------+| tom | % || tom1 | % || tom2 | % || root | 127.0.0.1 || root | ::1 || | localhost || root | localhost || scott | localhost || | mysrv || root | mysrv |+-------+-----------+10 rows in set (0.00 sec)
root用户退出,tom登陆,并授权用户访问prod库
[root@mysrv ~]# mysql -u tom -ptom
error 1045 (28000): access denied for user 'tom'@'localhost' (using password: yes)
tom用户竟不能登陆!!!
再对tom用户授权:
mysql> grant all on prod.* to 'tom'@'localhost' identified by 'tom' with grant option;;
query ok, 0 rows affected (0.00 sec)
mysql> show grants for tom;
+----------------------------------------------------------------------------------------------------+
| grants for tom@% |
+----------------------------------------------------------------------------------------------------+
| grant usage on *.* to 'tom'@'%' identified by password '*71ff744436c7ea1b954f6276121db5d2bf68fc07' |
| grant all privileges on `prod`.* to 'tom'@'%' with grant option |
+----------------------------------------------------------------------------------------------------+
2 rows in set (0.00 sec)
mysql> use mysql;
database changed
mysql> select user,host from user ;
+-------+-----------+| user | host |+-------+-----------+| tom | % || tom1 | % || tom2 | % || root | 127.0.0.1 || root | ::1 || | localhost || root | localhost || scott | localhost || tom | localhost || | mysrv || root | mysrv |+-------+-----------+11 rows in set (0.00 sec)
tom登陆:
[root@mysrv ~]# mysql -u tom -ptom prod
mysql> select database();
+------------+
| database() |
+------------+
| prod |
+------------+
1 row in set (0.01 sec)
mysql> select current_user();
+----------------+
| current_user() |
+----------------+
| tom@localhost |
+----------------+
1 row in set (0.00 sec)
创建表:
mysql> show tables;
+----------------+
| tables_in_prod |
+----------------+
| t1 |
+----------------+
1 row in set (0.00 sec)
mysql> create table t2 as select * from t1;
query ok, 3 rows affected (0.15 sec)
records: 3 duplicates: 0 warnings: 0
查看表信息:
mysql> desc t2;
+-------+-------------+------+-----+---------+-------+
| field | type | null | key | default | extra |
+-------+-------------+------+-----+---------+-------+
| id | int(11) | yes | | null | |
| name | varchar(10) | yes | | null | |
+-------+-------------+------+-----+---------+-------+
2 rows in set (0.01 sec)
mysql> show create table t2;
+-------+---------------------------------------------------------------------------------------------------------------------------+
| table | create table |
+-------+---------------------------------------------------------------------------------------------------------------------------+
| t2 | create table `t2` (
`id` int(11) default null,
`name` varchar(10) default null
) engine=innodb default charset=latin1 |
+-------+---------------------------------------------------------------------------------------------------------------------------+
1 row in set (0.01 sec)
mysql> show create table t2\g;
*************************** 1. row ***************************
table: t2
create table: create table `t2` (
`id` int(11) default null,
`name` varchar(10) default null
) engine=innodb default charset=latin1
1 row in set (0.00 sec)
mysql> select * from t2;
+------+-------+
| id | name |
+------+-------+
| 10 | tom |
| 20 | jerry |
| 30 | rose |
+------+-------+
3 rows in set (0.00 sec)
3、tom用户为tom1,tom2授权
mysql> grant select on prod.* to tom1;
query ok, 0 rows affected (0.00 sec)
mysql> grant select on prod.* to tom2;
query ok, 0 rows affected (0.02 sec)
mysql> grant insert,update on prod.* to tom2;
query ok, 0 rows affected (0.00 sec)
tom2登陆(从远程登陆):
c:\users\administrator>mysql -h 192.168.8.240 -utom2 -ptom2
mysql> select database();
+------------+
| database() |
+------------+
| null |
+------------+
1 row in set (0.00 sec)
mysql> use prod;
database changed
mysql> select database();
+------------+
| database() |
+------------+
| prod |
+------------+
1 row in set (0.00 sec)
mysql> select current_user();
+----------------+
| current_user() |
+----------------+
| tom2@% |
+----------------+
1 row in set (0.00 sec)
mysql> show grants for tom2;
+------------------------------------------------------------------+
| grants for tom2@% |
+------------------------------------------------------------------+
| grant usage on *.* to 'tom2'@'%' identified by password |
| grant select, insert, update on `prod`.* to 'tom2'@'%' |
+------------------------------------------------------------------+
2 rows in set (0.00 sec)
mysql> show tables;
+----------------+
| tables_in_prod |
+----------------+
| t1 |
| t2 |
+----------------+
2 rows in set (0.00 sec)
mysql> select * from t1;
+------+-------+
| id | name |
+------+-------+
| 10 | tom |
| 20 | jerry |
| 30 | rose |
+------+-------+
3 rows in set (0.00 sec)
mysql> select * from t2;
+------+-------+
| id | name |
+------+-------+
| 10 | tom |
| 20 | jerry |
| 30 | rose |
+------+-------+
3 rows in set (0.00 sec)
mysql> insert into t1 values (40,'john');
query ok, 1 row affected (0.00 sec)
mysql> commit;
query ok, 0 rows affected (0.09 sec)
mysql> select * from t1;
+------+-------+
| id | name |
+------+-------+
| 10 | tom |
| 20 | jerry |
| 30 | rose |
| 40 | john |
+------+-------+
4 rows in set (0.00 sec)
mysql> update t1 set name='ellen' where id=40;
query ok, 1 row affected (0.01 sec)
rows matched: 1 changed: 1 warnings: 0
mysql> select * from t1;
+------+-------+
| id | name |
+------+-------+
| 10 | tom |
| 20 | jerry |
| 30 | rose |
| 40 | ellen |
+------+-------+
4 rows in set (0.00 sec)
mysql> delete from t1;
error 1142 (42000): delete command denied to user 'tom2'@'192.168.8.254' for tab
le 't1'
mysql> commit;
query ok, 0 rows affected (0.05 sec)
mysql> select * from t1;
+------+-------+
| id | name |
+------+-------+
| 10 | tom |
| 20 | jerry |
| 30 | rose |
| 40 | ellen |
+------+-------+
4 rows in set (0.00 sec)
4、回收tom2的update权限:
mysql> revoke update on prod.* from tom2;
query ok, 0 rows affected (0.00 sec)
tom2再重新登陆:
c:\users\administrator>mysql -h 192.168.8.240 -utom2 -ptom2
mysql> use prod;
database changed
mysql> update t1 set name='lily' where id=10;
error 1142 (42000): update command denied to user 'tom2'@'192.168.8.254' for tab
le 't1'
---update失败!
二、修改用户口令:
1、root用户修改普通用户口令
mysql> set password for tom1=password('oracle');
query ok, 0 rows affected (0.01 sec)
mysql> flush privileges;
query ok, 0 rows affected (0.00 sec)
tom1重新登陆:
c:\users\administrator>mysql -h 192.168.8.240 -utom1 -ptom1
warning: using a password on the command line interface can be insecure.
error 1045 (28000): access denied for user 'tom1'@'192.168.8.254' (using passwor
d: yes)
---旧口令登陆失败!
c:\users\administrator>mysql -h 192.168.8.240 -utom1 -poracle
mysql>
2、普通用户修改自己密码:
c:\users\administrator>mysql -h 192.168.8.240 -utom1 -poracle
mysql> set password=password('tom1');
query ok, 0 rows affected (0.00 sec)
重新登陆:
c:\users\administrator>mysql -h 192.168.8.240 -utom1 -ptom1
mysql>
---新密码登陆成功 !
三、删除用户:
1、回收用户所有权限
mysql> revoke all on prod.* from tom2;
query ok, 0 rows affected (0.01 sec)
2、删除用户
mysql> drop user tom2;
query ok, 0 rows affected (0.00 sec)
mysql> flush privileges;
query ok, 0 rows affected (0.00 sec)
mysql> select user,host from user;
+-------+-----------+| user | host |+-------+-----------+| jerry | % || rose | % || tom | % || tom1 | % || root | 127.0.0.1 || root | ::1 || | localhost || jerry | localhost || root | localhost || rose | localhost || scott | localhost || tom | localhost || | mysrv || root | mysrv |+-------+-----------+14 rows in set (0.00 sec)
------- 摘要 --------------------------------------
创建用户:
grant insert, update on testdb.* to user1@'%' identified by 'password' with grant option;
create user user2 identified by 'password';
分配权限:
grant select on testdb.* to user2;
查看权限:
show grants for user1;
修改密码:
set password for user1 = password('newpwd');
set password = password('newpwd');
移除权限:
revoke all on *.* from user1;
删除用户:
drop user user1;
数据库列表:
show databases;
数据表列表:
show tables;
当前数据库:
select database();
当前用户:
select user();
数据表结构:
describe table1;
刷新权限:
flush privileges;
grant和revoke可以在几个层次上控制访问权限
1,整个服务器,使用 grant all 和revoke all
2,整个数据库,使用on database.*
3,特点表,使用on database.table
4,特定的列
5,特定的存储过程
user表中host列的值的意义
% 匹配所有主机
localhost localhost不会被解析成ip地址,直接通过unixsocket连接
127.0.0.1 会通过tcp/ip协议连接,并且只能在本机访问;
::1 ::1就是兼容支持ipv6的,表示同ipv4的127.0.0.1
grant 普通数据用户,查询、插入、更新、删除 数据库中所有表数据的权利。
grant select on testdb.* to common_user@’%’
grant insert on testdb.* to common_user@’%’
grant update on testdb.* to common_user@’%’
grant delete on testdb.* to common_user@’%’
或者,用一条 mysql 命令来替代:
grant select, insert, update, delete on testdb.* to common_user@’%’
grant 数据库开发人员,创建表、索引、视图、存储过程、函数。。。等权限。
grant 创建、修改、删除 mysql 数据表结构权限。
grant create on testdb.* to developer@’192.168.0.%’;
grant alter on testdb.* to developer@’192.168.0.%’;
grant drop on testdb.* to developer@’192.168.0.%’;
grant 操作 mysql 外键权限。
grant references on testdb.* to developer@’192.168.0.%’;
grant 操作 mysql 临时表权限。
grant create temporary tables on testdb.* to developer@’192.168.0.%’;
grant 操作 mysql 索引权限。
grant index on testdb.* to developer@’192.168.0.%’;
grant 操作 mysql 视图、查看视图源代码 权限。
grant create view on testdb.* to developer@’192.168.0.%’;
grant show view on testdb.* to developer@’192.168.0.%’;
grant 操作 mysql 存储过程、函数 权限。
grant create routine on testdb.* to developer@’192.168.0.%’; -- now, can show procedure status
grant alter routine on testdb.* to developer@’192.168.0.%’; -- now, you can drop a procedure
grant execute on testdb.* to developer@’192.168.0.%’;
grant 普通 dba 管理某个 mysql 数据库的权限。
grant all privileges on testdb to dba@’localhost’
其中,关键字 “privileges” 可以省略。
grant 高级 dba 管理 mysql 中所有数据库的权限。
grant all on *.* to dba@’localhost’
mysql grant 权限,分别可以作用在多个层次上。
1. grant 作用在整个 mysql 服务器上:
grant select on *.* to dba@localhost; -- dba 可以查询 mysql 中所有数据库中的表。
grant all on *.* to dba@localhost; -- dba 可以管理 mysql 中的所有数据库
2. grant 作用在单个数据库上:
grant select on testdb.* to dba@localhost; -- dba 可以查询 testdb 中的表。
3. grant 作用在单个数据表上:
grant select, insert, update, delete on testdb.orders to dba@localhost;
4. grant 作用在表中的列上:
grant select(id, se, rank) on testdb.apache_log to dba@localhost;
5. grant 作用在存储过程、函数上:
grant execute on procedure testdb.pr_add to ’dba’@’localhost’
grant execute on function testdb.fn_add to ’dba’@’localhost’
注意:修改完权限以后 一定要刷新服务,或者重启服务,刷新服务用:flush privileges。
其它类似信息

推荐信息