MySQL的账户设置
应用 docker 装置 MySQL 并疾速启动,当初咱们进入docker容器。
➜ ~ docker exec -it mysql8 /bin/bashroot@dedd71769326:/#MySQL数据库连贯
MySQL命令语法
用户名是你登录的用户,主机名或者IP地址为可选项,如果是本地连接则不须要设置,近程连贯服务端则须要填写,明码是对应用户的明码。
mysql –u用户名 [–h主机名或者IP地址,-P端口号] –p明码-u:登录的用户名。-h:近程主机名或IP地址,不填写则默认本地地址。-P:MySQL端口号,默认为3306。-p:该登录用户对应的登录明码。
root@dedd71769326:/# mysql -u root -pEnter password:Welcome to the MySQL monitor. Commands end with ; or \g.Your MySQL connection id is 9Server version: 8.0.21 MySQL Community Server - GPLCopyright (c) 2000, 2020, Oracle and/or its affiliates. All rights reserved.Oracle is a registered trademark of Oracle Corporation and/or itsaffiliates. Other names may be trademarks of their respectiveowners.Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.MySQL账户查看
因为 root 权限很高,所以个别我的项目上会调配不同的账户和权限供程序员操作。
查看已有账户
mysql> select user from mysql.user;+------------------+| user |+------------------+| root || mysql.infoschema || mysql.session || mysql.sys || root |+------------------+5 rows in set (0.03 sec)为什么有两条 root 信息?咱们来具体看一下。
mysql> select user, host from mysql.user;+------------------+-----------+| user | host |+------------------+-----------+| root | % || mysql.infoschema | localhost || mysql.session | localhost || mysql.sys | localhost || root | localhost |+------------------+-----------+5 rows in set (0.00 sec)这里host字段代表容许任意ip地址登录MySQL。目前root账户容许近程和本地登录。
查看以后账户
mysql> select current_user;+----------------+| current_user |+----------------+| root@localhost |+----------------+1 row in set (0.00 sec)如果咱们应用内部电脑连贯
mysql> select current_user;+----------------+| current_user |+----------------+| root@% |+----------------+1 row in set (0.00 sec)则示意以后登陆root账户容许近程和本地登录。
MySQL账户创立
MySQL命令语法
CREATE USER [IF NOT EXISTS] user [auth_option] [, user [auth_option]] ... DEFAULT ROLE role [, role ] ... [REQUIRE {NONE | tls_option [[AND] tls_option] ...}] [WITH resource_option [resource_option] ...] [password_option | lock_option] ...user: (see Section 6.2.4, “Specifying Account Names”)auth_option: { IDENTIFIED BY 'auth_string' | IDENTIFIED WITH auth_plugin | IDENTIFIED WITH auth_plugin BY 'auth_string' | IDENTIFIED WITH auth_plugin AS 'hash_string'}tls_option: { SSL | X509 | CIPHER 'cipher' | ISSUER 'issuer' | SUBJECT 'subject'}resource_option: { MAX_QUERIES_PER_HOUR count | MAX_UPDATES_PER_HOUR count | MAX_CONNECTIONS_PER_HOUR count | MAX_USER_CONNECTIONS count}password_option: { PASSWORD EXPIRE [DEFAULT | NEVER | INTERVAL N DAY] | PASSWORD HISTORY {DEFAULT | N} | PASSWORD REUSE INTERVAL {DEFAULT | N DAY} | PASSWORD REQUIRE CURRENT [DEFAULT | OPTIONAL]}lock_option: { ACCOUNT LOCK | ACCOUNT UNLOCK}user:账户名称,语法是'user_name'@'host_name',其中主机地址能够写为%示意承受任何地址的连贯。auth_option:身份验证形式,能够指定明码以及认证插件(mysql_native_password、sha256_password、caching_sha2_password)。tls_option: 加密连贯选项。resource_option: 用户资源限度,比方每小时最大连接数。password_option: 明码额定的管制,比方设定生效工夫。lock_option: 账户锁定选项,由管理员上锁或者解锁(ACCOUNT LOCK | ACCOUNT UNLOCK)。
最简略的就是指定账户名+明码
CREATE USER 'tian'@'localhost' IDENTIFIED BY 'password';加上认证插件
CREATE USER 'tian'@'localhost' IDENTIFIED WITH sha256_password BY 'password';指定明码过期,以便用户第一次应用的时候须要批改明码
CREATE USER 'tian'@'localhost' IDENTIFIED BY 'new_password' PASSWORD EXPIRE;也能够指定每隔一段时间批改一次新密码
CREATE USER 'tian'@'localhost' IDENTIFIED BY 'new_password' PASSWORD EXPIRE INTERVAL 180 DAY;能够指定加密连贯
-- 不应用加密连贯CREATE USER 'tian'@'localhost' REQUIRE NONE;-- 应用加密连贯CREATE USER 'tian'@'localhost' REQUIRE SSL;-- 应用加密连贯,并要求客户端提供无效证书CREATE USER 'tian'@'localhost' REQUIRE X509;CREATE USER 'tian'@'localhost' REQUIRE ISSUER 'CA颁发的无效X.509证书';CREATE USER 'tian'@'localhost' REQUIRE SUBJECT '蕴含主题的无效X.509证书';CREATE USER 'tian'@'localhost' REQUIRE CIPHER '指定的加密办法';能够指定资源管制
-- 单位小时内,账户被容许查问500次,更新100次,单位小时内最大连接数不限度。最大并发连接数不限度CREATE USER 'tian'@'localhost' WITH MAX_QUERIES_PER_HOUR 500 MAX_UPDATES_PER_HOUR 100 MAX_CONNECTIONS_PER_HOUR 0 MAX_USER_CONNECTIONS 0;能够锁定账户
-- 锁定CREATE USER 'tian'@'localhost' ACCOUNT LOCK-- 解锁ALTER USER 'tian'@'localhost' ACCOUNT UNLOCK最初残缺的命令选项大略这个样子
CREATE USER 'user_name'@'host_name' IDENTIFIED [WITH auth_plugin] BY 'auth_string' [REQUIRE NONE(SSL,X509)] [WITH MAX_QUERIES_PER_HOUR count | MAX_UPDATES_PER_HOUR count | MAX_CONNECTIONS_PER_HOUR count | MAX_USER_CONNECTIONS count] [PASSWORD EXPIRE] [ACCOUNT LOCK]如果你要删除账户
DROP USER 'tian'@'localhost';如果你要批改名称
RENAME USER 'tian'@'localhost' TO 'tina'@'127.0.0.1';MySQL角色创立
MySQL8里新退出了对于角色的治理,上面就简略的说一下如何应用:
角色能够了解为一组权限的汇合,而后将角色赋给某个帐户,该帐户就领有了角色对应的权限,每个帐户能够领有多个角色,就像游戏里,你能够有很多名称一样。
-- 名字标准'role_name'@'host_name'-- 通常仅应用用户名局部指定角色名称,并隐式应用主机名局部 '%',主机名局部没有任何意义'admin'创立角色
-- 省略主机名,默认为 '%'CREATE ROLE 'admin', 'dev';-- 这种也能够,然而没意义CREATE ROLE 'app'@'localhost';移除角色
DROP ROLE 'admin', 'dev';MySQL账户更新
MySQL命令语法
ALTER USER [IF EXISTS] user [auth_option] [, user [auth_option]] ... [REQUIRE {NONE | tls_option [[AND] tls_option] ...}] [WITH resource_option [resource_option] ...] [password_option | lock_option] ...ALTER USER [IF EXISTS] USER() user_func_auth_optionALTER USER [IF EXISTS] user DEFAULT ROLE {NONE | ALL | role [, role ] ...}user: (see Section 6.2.4, “Specifying Account Names”)auth_option: { IDENTIFIED BY 'auth_string' [REPLACE 'current_auth_string'] [RETAIN CURRENT PASSWORD] | IDENTIFIED WITH auth_plugin | IDENTIFIED WITH auth_plugin BY 'auth_string' [REPLACE 'current_auth_string'] [RETAIN CURRENT PASSWORD] | IDENTIFIED WITH auth_plugin AS 'auth_string' | DISCARD OLD PASSWORD}user_func_auth_option: { IDENTIFIED BY 'auth_string' [REPLACE 'current_auth_string'] [RETAIN CURRENT PASSWORD] | DISCARD OLD PASSWORD}tls_option: { SSL | X509 | CIPHER 'cipher' | ISSUER 'issuer' | SUBJECT 'subject'}resource_option: { MAX_QUERIES_PER_HOUR count | MAX_UPDATES_PER_HOUR count | MAX_CONNECTIONS_PER_HOUR count | MAX_USER_CONNECTIONS count}password_option: { PASSWORD EXPIRE [DEFAULT | NEVER | INTERVAL N DAY] | PASSWORD HISTORY {DEFAULT | N} | PASSWORD REUSE INTERVAL {DEFAULT | N DAY} | PASSWORD REQUIRE CURRENT [DEFAULT | OPTIONAL]}lock_option: { ACCOUNT LOCK | ACCOUNT UNLOCK}参数选项参考创立账户。
批改本人以后的明码
ALTER USER USER() IDENTIFIED BY 'new_password';批改账户明码
ALTER USER 'tian'@'localhost' IDENTIFIED BY 'new_password';批改认证插件
ALTER USER 'tian'@'localhost' IDENTIFIED WITH mysql_native_password;批改明码和插件
ALTER USER 'tian'@'localhost' IDENTIFIED WITH mysql_native_password BY 'new_password';批改角色
-- 授予自定义角色ALTER USER 'tian'@'localhost' DEFAULT ROLE your_role_name;-- 无角色ALTER USER 'tian'@'localhost' DEFAULT ROLE NONE;-- 所有角色ALTER USER 'tian'@'localhost' DEFAULT ROLE ALL;批改加密形式
-- 只有账户明码正确,毋庸加密连贯ALTER USER 'tian'@'localhost' REQUIRE NONE;-- 须要加密连贯ALTER USER 'tian'@'localhost' REQUIRE SSL;...批改资源拜访
-- 单位小时内,最大查问数量和更新数量ALTER USER 'tian'@'localhost' WITH MAX_QUERIES_PER_HOUR 500 MAX_UPDATES_PER_HOUR 100;指定明码过期
ALTER USER 'tian'@'localhost' PASSWORD EXPIRE;批改锁定解锁
ALTER USER 'tian'@'localhost' ACCOUNT LOCK;ALTER USER 'tian'@'localhost' ACCOUNT UNLOCK;MySQL账户受权
MySQL命令语法
GRANT priv_type [(column_list)] [, priv_type [(column_list)]] ... ON [object_type] priv_level TO user_or_role [, user_or_role] ... [WITH GRANT OPTION] [AS user [WITH ROLE DEFAULT | NONE | ALL | ALL EXCEPT role [, role ] ... | role [, role ] ... ] ]}GRANT PROXY ON user_or_role TO user_or_role [, user_or_role] ... [WITH GRANT OPTION]GRANT role [, role] ... TO user_or_role [, user_or_role] ... [WITH ADMIN OPTION]object_type: { TABLE | FUNCTION | PROCEDURE}priv_level: { * | *.* | db_name.* | db_name.tbl_name | tbl_name | db_name.routine_name}user_or_role: { user | role}user: (see Section 6.2.4, “Specifying Account Names”)role: (see Section 6.2.5, “Specifying Role Names”)GRANT语法使得管理员可能授予账户权限或者角色,然而GRANT不能再一个语句中同时授予权限和角色。
- 有ON,是授予权限
- 无ON,是授予角色
-- 授予数据库db1的所有权限给指定账户GRANT ALL ON db1.* TO 'tian'@'localhost';-- 授予角色给指定的账户GRANT 'role1', 'role2' TO 'user1'@'localhost', 'user2'@'localhost';-- 授予数据库world的SELECT权限给指定的角色GRANT SELECT ON world.* TO 'role3';根本语法
GRANT [权限] ON [数据库名].[表名] TO 'user_name'@'localhost' ...;-- 授予所有数据库的权限GRANT [权限] ON *.* TO 'user_name'@'localhost' ...;注:全局权限是治理或实用于给定服务器上的所有数据库。要调配全局权限,请应用 ON *.*语法
上面是权限列表
mysql> show privileges;+----------------------------+---------------------------------------+-------------------------------------------------------+| Privilege | Context | Comment |+----------------------------+---------------------------------------+-------------------------------------------------------+| Alter | Tables | To alter the table || Alter routine | Functions,Procedures | To alter or drop stored functions/procedures || Create | Databases,Tables,Indexes | To create new databases and tables || Create routine | Databases | To use CREATE FUNCTION/PROCEDURE || Create role | Server Admin | To create new roles || Create temporary tables | Databases | To use CREATE TEMPORARY TABLE || Create view | Tables | To create new views || Create user | Server Admin | To create new users || Delete | Tables | To delete existing rows || Drop | Databases,Tables | To drop databases, tables, and views || Drop role | Server Admin | To drop roles || Event | Server Admin | To create, alter, drop and execute events || Execute | Functions,Procedures | To execute stored routines || File | File access on server | To read and write files on the server || Grant option | Databases,Tables,Functions,Procedures | To give to other users those privileges you possess || Index | Tables | To create or drop indexes || Insert | Tables | To insert data into tables || Lock tables | Databases | To use LOCK TABLES (together with SELECT privilege) || Process | Server Admin | To view the plain text of currently executing queries || Proxy | Server Admin | To make proxy user possible || References | Databases,Tables | To have references on tables || Reload | Server Admin | To reload or refresh tables, logs and privileges || Replication client | Server Admin | To ask where the slave or master servers are || Replication slave | Server Admin | To read binary log events from the master || Select | Tables | To retrieve rows from table || Show databases | Server Admin | To see all databases with SHOW DATABASES || Show view | Tables | To see views with SHOW CREATE VIEW || Shutdown | Server Admin | To shut down the server || Super | Server Admin | To use KILL thread, SET GLOBAL, CHANGE MASTER, etc. || Trigger | Tables | To use triggers || Create tablespace | Server Admin | To create/alter/drop tablespaces || Update | Tables | To update existing rows || Usage | Server Admin | No privileges - allow connect only || XA_RECOVER_ADMIN | Server Admin | || SHOW_ROUTINE | Server Admin | || RESOURCE_GROUP_USER | Server Admin | || SET_USER_ID | Server Admin | || SESSION_VARIABLES_ADMIN | Server Admin | || CLONE_ADMIN | Server Admin | || PERSIST_RO_VARIABLES_ADMIN | Server Admin | || ROLE_ADMIN | Server Admin | || BACKUP_ADMIN | Server Admin | || CONNECTION_ADMIN | Server Admin | || RESOURCE_GROUP_ADMIN | Server Admin | || INNODB_REDO_LOG_ARCHIVE | Server Admin | || BINLOG_ENCRYPTION_ADMIN | Server Admin | || REPLICATION_SLAVE_ADMIN | Server Admin | || SYSTEM_VARIABLES_ADMIN | Server Admin | || GROUP_REPLICATION_ADMIN | Server Admin | || SYSTEM_USER | Server Admin | || APPLICATION_PASSWORD_ADMIN | Server Admin | || TABLE_ENCRYPTION_ADMIN | Server Admin | || SERVICE_CONNECTION_ADMIN | Server Admin | || AUDIT_ADMIN | Server Admin | || BINLOG_ADMIN | Server Admin | || ENCRYPTION_KEY_ADMIN | Server Admin | || INNODB_REDO_LOG_ENABLE | Server Admin | || REPLICATION_APPLIER | Server Admin | |+----------------------------+---------------------------------------+-------------------------------------------------------+58 rows in set (0.00 sec)权限范畴示例
-- 数据库权限GRANT ALL ON mydb.* TO 'user_name'@'host_name';-- 表权限GRANT ALL ON mydb.mytable TO 'user_name'@'host_name';-- 列权限GRANT SELECT (col1), INSERT (col1, col2) ON mydb.mytable TO 'user_name'@'host_name';-- 存储过程权限GRANT CREATE ROUTINE ON mydb.* TO 'user_name'@'host_name';GRANT EXECUTE ON PROCEDURE mydb.myproc TO 'user_name'@'host_name';受权之后能够应用flush命令使其立刻失效
FLUSH PRIVILEGESFLUSH语法
FLUSH [NO_WRITE_TO_BINLOG | LOCAL] { flush_option [, flush_option] ... | tables_option}flush_option: { BINARY LOGS | ENGINE LOGS | ERROR LOGS | GENERAL LOGS | HOSTS | LOGS | PRIVILEGES | OPTIMIZER_COSTS | RELAY LOGS [FOR CHANNEL channel] | SLOW LOGS | STATUS | USER_RESOURCES}tables_option: { TABLES | TABLES tbl_name [, tbl_name] ... | TABLES WITH READ LOCK | TABLES tbl_name [, tbl_name] ... WITH READ LOCK | TABLES tbl_name [, tbl_name] ... FOR EXPORT}FLUSH PRIVILEGES 蕴含以下操作
- 从新加载
mysql零碎数据库中的grant表中的权限信息,并革除caching_sha2_password身份验证插件应用的内存缓存。 - 服务器读取蕴含动静特权调配的
global_grants表,并注册其中的任何未注册特权。 - 服务器通过
GRANT、CREATE USER、CREATE SERVER和INSTALL PLUGIN语句将信息缓存到内存中。对应的REVOKE、DROP USER、DROP SERVER和UNINSTALL插件语句不会开释这些内存,因而对于执行许多导致缓存的语句实例的服务器,内存使用量将会减少。能够应用刷新特权开释此缓存内存。
FLUSH TABLES 蕴含以下操作
敞开所有关上的表,强制敞开所有正在应用的表,并刷新筹备好的语句缓存。
REVOKE语法
既然能够受权,那么就能够撤销
REVOKE priv_type [(column_list)] [, priv_type [(column_list)]] ... ON [object_type] priv_level FROM user_or_role [, user_or_role] ...REVOKE ALL [PRIVILEGES], GRANT OPTION FROM user_or_role [, user_or_role] ...REVOKE PROXY ON user_or_role FROM user_or_role [, user_or_role] ...REVOKE role [, role ] ... FROM user_or_role [, user_or_role ] ...user_or_role: { user | role}user: (see Section 6.2.4, “Specifying Account Names”)role: (see Section 6.2.5, “Specifying Role Names”.REVOKE能够实现权限或者角色的撤销(前提:领有GRANT权限和REVOKE权限)
-- 撤销用户的INSERT权限REVOKE INSERT ON *.* FROM 'tian'@'localhost';-- 撤销用户的指定角色REVOKE 'role1', 'role2' FROM 'user1'@'localhost', 'user2'@'localhost';-- 撤销角色的INSERT权限REVOKE SELECT ON world.* FROM 'role3';撤销所有权限(只能撤销权限,不能撤销角色)
-- 从账户或者角色上撤销所有权限REVOKE ALL PRIVILEGES, GRANT OPTION FROM user_or_role [, user_or_role] ...-- 撤销账户REVOKE ALL PRIVILEGES, GRANT OPTION FROM 'tian'@'localhost'-- 撤销角色REVOKE ALL PRIVILEGES, GRANT OPTION FROM 'role3'在全局上撤销权限(.)
-- 全局上撤销所有权限REVOKE ALL ON *.* FROM 'tian'@'localhost';