乐趣区

关于mariadb:MariaDB账户和权限管理

1、MariaDB 账户治理

MariaDB 提供了许多语句来治理用户账号,这些语句能够用来治理包含登陆和退出 MariaDB 服务器,创立用户,删除用户,明码治理和权限治理等,MariaDB 数据库的安全性,须要通过账户治理来保障。

1.1、查问在线用户

本地查问:当咱们本地登录到数据库时,能够应用本地查问,查问 SQL 语句如下:

MariaDB [(none)]> SHOW processlist;
+----+-------------+-----------------+-------+---------+------+--------------------------+------------------+----------+
| Id | User        | Host            | db    | Command | Time | State                    | Info             | Progress |
+----+-------------+-----------------+-------+---------+------+--------------------------+------------------+----------+
|  3 | system user |                 | NULL  | Daemon  | NULL | InnoDB purge worker      | NULL             |    0.000 |
|  2 | system user |                 | NULL  | Daemon  | NULL | InnoDB purge coordinator | NULL             |    0.000 |
|  1 | system user |                 | NULL  | Daemon  | NULL | InnoDB purge worker      | NULL             |    0.000 |
|  4 | system user |                 | NULL  | Daemon  | NULL | InnoDB purge worker      | NULL             |    0.000 |
|  5 | system user |                 | NULL  | Daemon  | NULL | InnoDB shutdown handler  | NULL             |    0.000 |
| 41 | admin       | localhost:55902 | mysql | Sleep   |  174 |                          | NULL             |    0.000 |
| 42 | admin       | localhost:55904 | mysql | Sleep   |  174 |                          | NULL             |    0.000 |
| 43 | root        | localhost       | NULL  | Query   |    0 | Init                     | show processlist |    0.000 |
+----+-------------+-----------------+-------+---------+------+--------------------------+------------------+----------+
8 rows in set (0.000 sec)

近程查问:如果在近程终端机上查问近程数据库,前提是数据库开启了近程受权咱们能够应用以下 SQL 语句:

$ mysqladmin -u admin -p processlist
Enter password:
+----+-------------+-----------------+-------+---------+------+--------------------------+------------------+----------+
| Id | User        | Host            | db    | Command | Time | State                    | Info             | Progress |
+----+-------------+-----------------+-------+---------+------+--------------------------+------------------+----------+
| 3  | system user |                 |       | Daemon  |      | InnoDB purge worker      |                  | 0.000    |
| 2  | system user |                 |       | Daemon  |      | InnoDB purge coordinator |                  | 0.000    |
| 1  | system user |                 |       | Daemon  |      | InnoDB purge worker      |                  | 0.000    |
| 4  | system user |                 |       | Daemon  |      | InnoDB purge worker      |                  | 0.000    |
| 5  | system user |                 |       | Daemon  |      | InnoDB shutdown handler  |                  | 0.000    |
| 41 | admin       | localhost:55902 | mysql | Sleep   | 220  |                          |                  | 0.000    |
| 42 | admin       | localhost:55904 | mysql | Sleep   | 220  |                          |                  | 0.000    |
| 44 | admin       | localhost       |       | Query   | 0    | Init                     | show processlist | 0.000    |
+----+-------------+-----------------+-------+---------+------+--------------------------+------------------+----------+

查全副用户:咱们通过构建 SELECT 语句查问指定字段 (host, user, password),查问mysql.user 这个数据表,SQL 语句如下:

$ sudo mysql
Welcome to the MariaDB monitor.  Commands end with ; or \g.
Your MariaDB connection id is 45
Server version: 10.3.31-MariaDB-0ubuntu0.20.04.1 Ubuntu 20.04

Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

MariaDB [(none)]> SELECT host, user, password FROM mysql.user;
+-----------+-------+-------------------------------------------+
| host      | user  | password                                  |
+-----------+-------+-------------------------------------------+
| localhost | root  |                                           |
| localhost | admin | *9D59E8AF06195817B4585B0045A6601BBE64259F |
| %         | admin | *9D59E8AF06195817B4585B0045A6601BBE64259F |
+-----------+-------+-------------------------------------------+
3 rows in set (0.000 sec)

去重查问:通过应用 distinct 命令使查问后果不反复,主动过滤反复的记录。

$ sudo mysql
Welcome to the MariaDB monitor.  Commands end with ; or \g.
Your MariaDB connection id is 45
Server version: 10.3.31-MariaDB-0ubuntu0.20.04.1 Ubuntu 20.04

Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

MariaDB [(none)]> SELECT distinct host, user, password FROM mysql.user;
+-----------+-------+-------------------------------------------+
| host      | user  | password                                  |
+-----------+-------+-------------------------------------------+
| localhost | root  |                                           |
| localhost | admin | *9D59E8AF06195817B4585B0045A6601BBE64259F |
| %         | admin | *9D59E8AF06195817B4585B0045A6601BBE64259F |
+-----------+-------+-------------------------------------------+
3 rows in set (0.000 sec)

1.2、新建普通用户

创立新用户,必须有相应的权限来执行创立操作。在 MariaDB 数据库中,有两种形式创立新用户:一种是应用 CREATE USERGRANT语句,另一种是间接操作 MariaDB 受权表,最好的办法是应用 GRANT 语句,因为这样更准确,如果应用 CREATE USER 语句创立用户后用户无权限,须要手动增加权限,而间接应用 GRANT 语句能够一步到位。

1.2.1、应用 CREATE USER 语句创立新用户:

1、应用 CREATE USER 创立一个用户,名称为 jeffrey,明码是mypass 指定开启 %近程 权限

MariaDB [(none)]> CREATE USER 'jeffrey'@'%' IDENTIFIED BY 'mypass';
Query OK, 0 rows affected (0.000 sec)

2、接着创立一个新用户 jeffreys,明码是mypass,并指定应用localhost 本地权限。

MariaDB [(none)]> SELECT PASSWORD('mypass');
+-------------------------------------------+
| PASSWORD('mypass')                        |
+-------------------------------------------+
| *6C8989366EAF75BB670AD8EA7A7FC1176A95CEF4 |
+-------------------------------------------+
1 row in set (0.000 sec)

MariaDB [(none)]> CREATE USER 'jeffreys'@'localhost' IDENTIFIED BY PASSWORD '*6C8989366EAF75BB670AD8EA7A7FC1176A95CEF4';
Query OK, 0 rows affected (0.000 sec)

1.2.2、应用 GRANT 语句创立用户

应用 GRANT 语句一个新用户 myuser,明码是123123,并授予用户对所有表的SELECTUPDATE权限,SQL 语句如下:

MariaDB [(none)]> GRANT SELECT, UPDATE ON *.* TO 'myuser'@'localhost' IDENTIFIED BY '123123';
Query OK, 0 rows affected (0.000 sec)

MariaDB [(none)]> SELECT host, user, select_priv, update_priv FROM mysql.user WHERE user = 'myuser';
+-----------+--------+-------------+-------------+
| host      | user   | select_priv | update_priv |
+-----------+--------+-------------+-------------+
| localhost | myuser | Y           | Y           |
+-----------+--------+-------------+-------------+
1 row in set (0.001 sec)

1.3、删除普通用户

1.3.1、应用 DROP USER 语句删除用户:

MariaDB [(none)]> SELECT DISTINCT user, host FROM mysql.user;
+----------+-----------+
| user     | host      |
+----------+-----------+
| admin    | %         |
| jeffrey  | %         |
| admin    | localhost |
| jeffreys | localhost |
| lyshark  | localhost |
| myuser   | localhost |
| root     | localhost |
+----------+-----------+
7 rows in set (0.000 sec)

MariaDB [(none)]> DROP USER 'lyshark'@'localhost';
Query OK, 0 rows affected (0.000 sec)

MariaDB [(none)]> SELECT DISTINCT user, host FROM mysql.user;
+----------+-----------+
| user     | host      |
+----------+-----------+
| admin    | %         |
| jeffrey  | %         |
| admin    | localhost |
| jeffreys | localhost |
| myuser   | localhost |
| root     | localhost |
+----------+-----------+
6 rows in set (0.000 sec)

1.3.2、应用 DELETE 语句删除用户:

MariaDB [(none)]> DELETE FROM mysql.user WHERE host = 'localhost' AND user = 'myuser';
Query OK, 1 row affected (0.000 sec)

1.4、批改用户明码

批改本身明码:批改本人用户的用户名和明码。

MariaDB [(none)]> SET PASSWORD=PASSWORD("123123");
Query OK, 0 rows affected (0.00 sec)

批改指定用户的明码:批改 lyshark 用户受权形式为 localhost 的明码为123123

MariaDB [(none)]> SET PASSWORD for "lyshark"@"localhost"=PASSWORD("123123");
Query OK, 0 rows affected (0.00 sec)

1.5、ROOT 密码找回

1.5.1、敞开 MariaDB 数据库

$ sudo service mysql stop
 * Stopping MariaDB database server mysqld                                                                       [OK]
$ sudo service mysql status
 * MariaDB is stopped.

1.5.2、批改 MariaDB 的主配置文件, 在 Mysqld 区域增加 skip-grant-table 语句, 保留退出

$ sudo vim /etc/mysql/mariadb.conf.d/50-server.cnf
[mysqld]

#
# * Basic Settings
#
user                    = mysql
pid-file                = /run/mysqld/mysqld.pid
socket                  = /run/mysqld/mysqld.sock
#port                   = 3306
basedir                 = /usr
datadir                 = /var/lib/mysql
tmpdir                  = /tmp
lc-messages-dir         = /usr/share/mysql
#skip-external-locking
skip-grant-table

1.5.3、重启 MariaDB 数据库

$ sudo service mysql start
 * Starting MariaDB database server mysqld                                                                       [OK]
$ sudo service mysql status
 * /usr/bin/mysqladmin  Ver 9.1 Distrib 10.3.31-MariaDB, for debian-linux-gnu on x86_64
Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.

Server version          10.3.31-MariaDB-0ubuntu0.20.04.1
Protocol version        10
Connection              Localhost via UNIX socket
UNIX socket             /var/run/mysqld/mysqld.sock
Uptime:                 2 sec

Threads: 6  Questions: 61  Slow queries: 0  Opens: 33  Flush tables: 1  Open tables: 26  Queries per second avg: 30.500

1.5.4、免明码登陆数据库,并执行批改数据库的 SQL 语句

$ sudo mysql -u root -p
MariaDB [(none)]> UPDATE mysql.user SET password = password('123') WHERE user = 'root';
MariaDB [(none)]> QUIT;

1.5.5、批改实现后将主配置文件的 skip-grant-table 属性去掉(参考步骤 1.5.2),重启数据库即可,下次应用明码登陆即可

$ sudo vim /etc/mysql/mariadb.conf.d/50-server.cnf
$ sudo service mysql restart
 * Stopping MariaDB database server mysqld                                                                       [OK]
 * Starting MariaDB database server mysqld                                                                       [OK]
$ sudo mysql -u root -p123

2、MariaDB 权限治理

权限治理次要是对登录到 MariaDB 的用户进行权限验证所有用户的权限都存储在 MariaDB 的权限表中,不合理的权限布局会给 MariaDB 服务器带来安全隐患,数据库管理员要对所有用户的权限进行正当布局治理。

2.1、查看权限

查问所有权限:查询数据库中所有用户列表和权限信息.

MariaDB [(none)]> SELECT DISTINCT CONCAT("用户:", user, "权限:", host, ":") AS query FROM mysql.user;
+-------------------------------------+
| query                               |
+-------------------------------------+
| 用户:admin 权限:% :                 |
| 用户:jeffrey 权限:% :               |
| 用户:admin 权限:localhost :         |
| 用户:jeffreys 权限:localhost :      |
| 用户:root 权限:localhost :          |
+-------------------------------------+
5 rows in set (0.000 sec)

查问指定权限:查问对于 lyshark 的所有权限信息

MariaDB [(none)]> SHOW GRANTS FOR lyshark;
+----------------------------------------------+
| Grants for lyshark@%                         |
+----------------------------------------------+
| GRANT ALL PRIVILEGES ON *.* TO 'lyshark'@'%' |
+----------------------------------------------+
1 row in set (0.00 sec)

查问指定权限:查问 lyshark 用户的 近程 % 权限,和本地localhost 权限

MariaDB [(none)]> SHOW GRANTS FOR 'lyshark'@'%';
+----------------------------------------------+
| Grants for lyshark@%                         |
+----------------------------------------------+
| GRANT ALL PRIVILEGES ON *.* TO 'lyshark'@'%' |
+----------------------------------------------+
1 row in set (0.00 sec)

MariaDB [(none)]> SHOW GRANTS FOR 'lyshark'@'localhost';
+----------------------------------------------------------------------------------------------------------------+
| Grants for lyshark@localhost                                                                                   |
+----------------------------------------------------------------------------------------------------------------+
| GRANT USAGE ON *.* TO 'lyshark'@'localhost' IDENTIFIED BY PASSWORD '*23AE809DDACAF96AF0FD78ED04B6A265E05AA257' |
+----------------------------------------------------------------------------------------------------------------+
1 row in set (0.37 sec)

2.2、授予权限

创立用户并受权:创立 wang 用户并给予 % 远程登陆的权限,并对所有数据库全副受权

MariaDB [(none)]> GRANT ALL ON *.* TO 'wang'@'%' IDENTIFIED BY '123';
Query OK, 0 rows affected (0.000 sec)

MariaDB [(none)]> SHOW GRANTS FOR 'wang'@'%';
+--------------------------------------------------------------------------------------------------------------+
| Grants for wang@%                                                                                            |
+--------------------------------------------------------------------------------------------------------------+
| GRANT ALL PRIVILEGES ON *.* TO `wang`@`%` IDENTIFIED BY PASSWORD '*23AE809DDACAF96AF0FD78ED04B6A265E05AA257' |
+--------------------------------------------------------------------------------------------------------------+
1 row in set (0.000 sec)

创立用户并受权:创立用户名 wang1,并容许localhost 本机拜访,对 mysql 库中的所有表具备 SELECT 查问权限,明码为123

MariaDB [(none)]> GRANT SELECT ON mysql.* TO 'wang1'@'localhost' IDENTIFIED BY '123';
Query OK, 0 rows affected (0.000 sec)

MariaDB [(none)]> SHOW GRANTS FOR 'wang1'@'localhost';
+--------------------------------------------------------------------------------------------------------------+
| Grants for wang1@localhost                                                                                   |
+--------------------------------------------------------------------------------------------------------------+
| GRANT USAGE ON *.* TO `wang1`@`localhost` IDENTIFIED BY PASSWORD '*23AE809DDACAF96AF0FD78ED04B6A265E05AA257' |
| GRANT SELECT ON `mysql`.* TO `wang1`@`localhost`                                                             |
+--------------------------------------------------------------------------------------------------------------+
2 rows in set (0.000 sec)

创立用户并受权:创立用户名 wang3,且只能在192.168.1.59 上登陆,并对 mysql 数据库有 SELECT 权限,明码为123

MariaDB [(none)]> GRANT SELECT ON mysql.* TO 'wang3'@'192.168.1.59' IDENTIFIED BY '123';
 FOR 'wang3'Query OK, 0 rows affected (0.000 sec)

MariaDB [(none)]> SHOW GRANTS FOR 'wang3'@'192.168.1.59';
+-----------------------------------------------------------------------------------------------------------------+
| Grants for wang3@192.168.1.59                                                                                   |
+-----------------------------------------------------------------------------------------------------------------+
| GRANT USAGE ON *.* TO `wang3`@`192.168.1.59` IDENTIFIED BY PASSWORD '*23AE809DDACAF96AF0FD78ED04B6A265E05AA257' |
| GRANT SELECT ON `mysql`.* TO `wang3`@`192.168.1.59`                                                             |
+-----------------------------------------------------------------------------------------------------------------+
2 rows in set (0.000 sec)

创立用户并受权:创立一个普通用户 wang4,且仅有 mysql 库的 SELECT 权限,明码为123

MariaDB [(none)]> GRANT USAGE, SELECT ON mysql.* TO 'wang4'@'localhost' IDENTIFIED BY '123';
Query OK, 0 rows affected (0.000 sec)

只受权用户权限:受权用户 wang4,对所有数据库的全副权限,明码123

MariaDB [(none)]> GRANT ALL PRIVILEGES ON *.* TO 'wang4'@'localhost' IDENTIFIED BY '123';
Query OK, 0 rows affected (0.000 sec)

只受权用户权限:受权一个已存在账号容许远程登陆最大权限

MariaDB [(none)]> GRANT ALL ON *.* TO 'root'@'%';
Query OK, 0 rows affected (0.07 sec)

2.3、发出权限

发出用户受权:撤销 lyshark 用户,对所有数据库的近程 % 用户权限

MariaDB [(none)]> SHOW GRANTS FOR lyshark;
+-----------------------------------------------------------------------------------------------------------------+
| Grants for lyshark@%                                                                                            |
+-----------------------------------------------------------------------------------------------------------------+
| GRANT SELECT, UPDATE ON *.* TO `lyshark`@`%` IDENTIFIED BY PASSWORD '*E56A114692FE0DE073F9A1DD68A00EEB9703F3F1' |
+-----------------------------------------------------------------------------------------------------------------+
1 row in set (0.000 sec)

MariaDB [(none)]> REVOKE ALL ON *.* FROM 'lyshark'@'%';
Query OK, 0 rows affected (0.000 sec)

MariaDB [(none)]> SHOW GRANTS FOR lyshark;
+--------------------------------------------------------------------------------------------------------+
| Grants for lyshark@%                                                                                   |
+--------------------------------------------------------------------------------------------------------+
| GRANT USAGE ON *.* TO `lyshark`@`%` IDENTIFIED BY PASSWORD '*E56A114692FE0DE073F9A1DD68A00EEB9703F3F1' |
+--------------------------------------------------------------------------------------------------------+
1 row in set (0.000 sec)

发出用户受权:撤销 lyshark 用户的远程登陆权限

MariaDB [(none)]> REVOKE CREATE ON *.* FROM 'lyshark'@'%';
Query OK, 0 rows affected (0.000 sec)

2.4、刷新权限

刷新权限:批改权限实现当前,记得执行权限的刷新操作,否则权限会不失效。

MariaDB [(none)]> FLUSH PRIVILEGES;
Query OK, 0 rows affected (0.01 sec)
退出移动版