MySQL 数据库用户和权限管理

Posted

tags:

篇首语:本文由小常识网(cha138.com)小编为大家整理,主要介绍了MySQL 数据库用户和权限管理相关的知识,希望对你有一定的参考价值。

mysql 数据库用户和权限管理

技能目标

  • 掌握MySQL 用户管理
  • 添加管理用户
  • 修改密码及忘记密码修改

用户授权

数据库是信息系统中非常重要的环节,合理高效的对它进行管理是很重要的工作。通常是由拥有最高权限的管理员创建不同的管理账户,然后分配不同的操作权限,把这些账户交给相应的管理人员使用

用户管理

1: 新建用户

新建用户的命令格式如下
CREATE USER ‘username‘@‘host‘ [IDENTIFIED BY [PASSWORD]‘password‘] #大写是固定格式大括弧是一个整体再写命令的时候没有
  • username 将创建的用户名
  • host 指定用户允许那些主机终端可以登录,可以是IP地址、网段、指定本地用户localhost、如果让该用户可以从任意远程主机登录可以用通配符%
  • password 设置登录的密码
下面是MySQL安装之后创建的用户密码,在数据库中显示的密码是以密文的形式保存的大大的增强了安全性
mysql> select User,authentication_string,Host from user;
+-----------+-------------------------------------------+-----------+
| User      | authentication_string                     | Host      |
+-----------+-------------------------------------------+-----------+
| root      | *0DB339632B48910F8F0BEF61BD7EAD4441267E6E | localhost |
| mysql.sys | *THISISNOTAVALIDPASSWORDTHATCANBEUSEDHERE | localhost |
+-----------+-------------------------------------------+-----------+
2 rows in set (0.01 sec)
创建新用户
mysql> create user ‘accp‘@‘localhost‘ identified by ‘123123‘;
Query OK, 0 rows affected (0.01 sec)
mysql> select User,authentication_string,Host from user;
+-----------+-------------------------------------------+-----------+
| User      | authentication_string                     | Host      |
+-----------+-------------------------------------------+-----------+
| root      | *0DB339632B48910F8F0BEF61BD7EAD4441267E6E | localhost |
| mysql.sys | *THISISNOTAVALIDPASSWORDTHATCANBEUSEDHERE | localhost |
| accp      | *E56A114692FE0DE073F9A1DD68A00EEB9703F3F1 | localhost |
+-----------+-------------------------------------------+-----------+
3 rows in set (0.00 sec)
删除用户命令格式如下
DROP USER ‘username‘@‘host‘
mysql> drop user ‘accp‘@‘localhost‘; #删除accp
Query OK, 0 rows affected (0.00 sec)

mysql> select User,authentication_string,Host from user;
+-----------+-------------------------------------------+-----------+
| User      | authentication_string                     | Host      |
+-----------+-------------------------------------------+-----------+
| root      | *0DB339632B48910F8F0BEF61BD7EAD4441267E6E | localhost |
| mysql.sys | *THISISNOTAVALIDPASSWORDTHATCANBEUSEDHERE | localhost |
| bent      | *437F1809645E0A92DAB553503D2FE21DB91270FD | localhost |
+-----------+-------------------------------------------+-----------+
3 rows in set (0.00 sec)

用户重命名,格式如下

RENAME USER ‘old_user‘@‘host‘ TO ‘new_user‘ @ ‘host‘
mysql> select User,authentication_string,Host from user;  #这边我们把bent重命名为accp
+-----------+-------------------------------------------+-----------+
| User      | authentication_string                     | Host      |
+-----------+-------------------------------------------+-----------+
| root      | *0DB339632B48910F8F0BEF61BD7EAD4441267E6E | localhost |
| mysql.sys | *THISISNOTAVALIDPASSWORDTHATCANBEUSEDHERE | localhost |
| bent      | *437F1809645E0A92DAB553503D2FE21DB91270FD | localhost |
+-----------+-------------------------------------------+-----------+
3 rows in set (0.00 sec)
mysql> rename user ‘bent‘@‘localhost‘ to ‘accp‘@‘localhost‘ ;
Query OK, 0 rows affected (0.00 sec)

mysql> select User,authentication_string,Host from user;
+-----------+-------------------------------------------+-----------+
| User      | authentication_string                     | Host      |
+-----------+-------------------------------------------+-----------+
| root      | *0DB339632B48910F8F0BEF61BD7EAD4441267E6E | localhost |
| mysql.sys | *THISISNOTAVALIDPASSWORDTHATCANBEUSEDHERE | localhost |
| accp      | *437F1809645E0A92DAB553503D2FE21DB91270FD | localhost |
+-----------+-------------------------------------------+-----------+
3 rows in set (0.00 sec)

给用户设置密码

1:给当前用户设置密码
SET PASSWORD=PASSWORD(‘password‘)
mysql> select User,authentication_string,Host from user; 
+-----------+-------------------------------------------+-----------+
| User      | authentication_string                     | Host      |
+-----------+-------------------------------------------+-----------+
| root      | *0DB339632B48910F8F0BEF61BD7EAD4441267E6E | localhost |
| mysql.sys | *THISISNOTAVALIDPASSWORDTHATCANBEUSEDHERE | localhost |
| accp      | *437F1809645E0A92DAB553503D2FE21DB91270FD | localhost |
+-----------+-------------------------------------------+-----------+
3 rows in set (0.00 sec)

mysql> set password=password(‘123123‘); #当前用户是root我把root用户密码改为了"123123"与上面的root密码对比一下秘闻的区别
Query OK, 0 rows affected, 1 warning (0.00 sec)

mysql> select User,authentication_string,Host from user;
+-----------+-------------------------------------------+-----------+
| User      | authentication_string                     | Host      |
+-----------+-------------------------------------------+-----------+
| root      | *E56A114692FE0DE073F9A1DD68A00EEB9703F3F1 | localhost |
| mysql.sys | *THISISNOTAVALIDPASSWORDTHATCANBEUSEDHERE | localhost |
| accp      | *437F1809645E0A92DAB553503D2FE21DB91270FD | localhost |
+-----------+-------------------------------------------+-----------+
3 rows in set (0.00 sec)
2:使用超级管理员root修改其他用户密码,格式如下
SET PASSWORD FOR ‘username‘@‘host‘=PASSWORD(‘password‘);
mysql> select User,authentication_string,Host from user;
+-----------+-------------------------------------------+-----------+
| User      | authentication_string                     | Host      |
+-----------+-------------------------------------------+-----------+
| root      | *E56A114692FE0DE073F9A1DD68A00EEB9703F3F1 | localhost |
| mysql.sys | *THISISNOTAVALIDPASSWORDTHATCANBEUSEDHERE | localhost |
| accp      | *437F1809645E0A92DAB553503D2FE21DB91270FD | localhost |
+-----------+-------------------------------------------+-----------+
3 rows in set (0.00 sec)
mysql> set password for ‘accp‘@‘localhost‘=password(‘951116‘); #同样对比一下密文密码的区别
Query OK, 0 rows affected, 1 warning (0.00 sec)

mysql> select User,authentication_string,Host from user;
+-----------+-------------------------------------------+-----------+
| User      | authentication_string                     | Host      |
+-----------+-------------------------------------------+-----------+
| root      | *E56A114692FE0DE073F9A1DD68A00EEB9703F3F1 | localhost |
| mysql.sys | *THISISNOTAVALIDPASSWORDTHATCANBEUSEDHERE | localhost |
| accp      | *0DB339632B48910F8F0BEF61BD7EAD4441267E6E | localhost |
+-----------+-------------------------------------------+-----------+
3 rows in set (0.00 sec)
忘记root密码解决方法
[[email protected] ~] systemctl stop mysqld.service  #关闭服务
[[email protected] ~] netstat -ntap | grep 3306 #查看端口有没有关闭
[[email protected] ~] mysql --skip-grant-tables #会出现以下代码不要去动它重新开一个终端
2018-06-28T02:16:16.399381Z 0 [Note]   - ‘::‘ resolves to ‘::‘;
2018-06-28T02:16:16.399402Z 0 [Note] Server socket created on IP: ‘::‘.
2018-06-28T02:16:16.400217Z 0 [Note] InnoDB: Loading buffer pool(s) from /usr/local/mysql/data/ib_buffer_pool
2018-06-28T02:16:16.401959Z 0 [Note] InnoDB: Buffer pool(s) load completed at 180628 10:16:16
2018-06-28T02:16:16.410638Z 0 [Note] Executing ‘SELECT * FROM INFORMATION_SCHEMA.TABLES;‘ to get a list of tables using the deprecated partition engine. You may use the startup option ‘--disable-partition-engine-check‘ to skip this check. 
2018-06-28T02:16:16.410661Z 0 [Note] Beginning of list of non-natively partitioned tables
2018-06-28T02:16:16.423678Z 0 [Note] End of list of non-natively partitioned tables
2018-06-28T02:16:16.423748Z 0 [Note] mysqld: ready for connections.
Version: ‘5.7.17‘  socket: ‘/usr/local/mysql/mysql.sock‘  port: 3306  Source distribution
[[email protected] ~] mysql -u root #直接这样登录跳过密码选项
Welcome to the MySQL monitor.  Commands end with ; or g.
Your MySQL connection id is 3
Server version: 5.7.17 Source distribution

Copyright (c) 2000, 2016, Oracle and/or its affiliates. All rights reserved.

Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.

Type ‘help;‘ or ‘h‘ for help. Type ‘c‘ to clear the current input statement.

mysql> 
登入进去后改用户密码
mysql> update mysql.user set authentication_string=password(‘123123‘)where user=‘root‘; #修改root密码
Query OK, 1 row affected, 1 warning (0.00 sec)
Rows matched: 1  Changed: 1  Warnings: 1
mysql> flush privileges; #刷新数据库
Query OK, 0 rows affected (0.01 sec) 
[[email protected] ~]# mysql -u root -p123123
mysql: [Warning] Using a password on the command line interface can be insecure.
Welcome to the MySQL monitor.  Commands end with ; or g.
Your MySQL connection id is 5
Server version: 5.7.17 Source distribution

Copyright (c) 2000, 2016, Oracle and/or its affiliates. All rights reserved.

Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.

Type ‘help;‘ or ‘h‘ for help. Type ‘c‘ to clear the current input statement.

授权控制

再MySQL中,权限设置非常重要,分配权限可以清晰的划分责任。管理人员只需要关注完成自己的任务即可,最重要的是保证系统数据的安全

1:授予权限

(1):权限控制主要出于安全因素,需要遵循以下原则
1):只授予能满足需要的最小权限,防止误操作和做坏事
2):创建用户的时候限制用户的登录主机,一般限制指定IP或者内网IP网段
3):初始化数据库时删除没有密码的用户,MySQL安装完成是会自动创建没有密码的用户
4):为每个用户设置满足要求的密码
5):定期清理不需要的用户
(2):授予权限使用GRANT命令,命令格式如下
GRANT 权限列表 ON 库名.表明 TO 用户@主机地址[IDENTIFIED BY‘密码‘]
命令个是很明确,是指定用户允许它操作某些表,对这些表拥有相应的操作权限
下面演示GRANT的使用方法
mysql> grant select on ×××表.×××信息 to ‘accp‘@‘localhost‘ identified by ‘123123‘; 
Query OK, 0 rows affected, 1 warning (0.00 sec)
上面命令的意思是使用户accp可以在主机localhost登录,连接密码是123123,它拥有对数据库(×××表.×××信息)的select权限
登录accp用户验证以下
[[email protected] ~]# mysql -u accp -p
Enter password: 
Welcome to the MySQL monitor.  Commands end with ; or g.
Your MySQL connection id is 9
Server version: 5.7.17 Source distribution

Copyright (c) 2000, 2016, Oracle and/or its affiliates. All rights reserved.

Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.

Type ‘help;‘ or ‘h‘ for help. Type ‘c‘ to clear the current input statement.

mysql> insert into imployee_英航客户表.×××信息 values (2,‘张三‘,‘广州珠海‘,‘18888888‘);
ERROR 1142 (42000): INSERT command denied to user ‘accp‘@‘localhost‘ for table ‘×××信息‘
上图显示select语句可以正常使用,但执行insert语句是没有足够权限
当当用户和主机名在列表中不存在时,用户和主机名会被自动创建,如果限制用户密码与原用密码不同时会自动覆盖原密码
mysql> select User,authentication_string,Host from user; 
+-----------+-------------------------------------------+-----------+
| User      | authentication_string                     | Host      |
+-----------+-------------------------------------------+-----------+
| root      | *0DB339632B48910F8F0BEF61BD7EAD4441267E6E | localhost |
| mysql.sys | *THISISNOTAVALIDPASSWORDTHATCANBEUSEDHERE | localhost |
| accp      | *0DB339632B48910F8F0BEF61BD7EAD4441267E6E | localhost |
+-----------+-------------------------------------------+-----------+
3 rows in set (0.00 sec)
#用户列表中只有三个用户此时,做一个用户列表中不存在用户权限
mysql> grant select on ×××表.×××信息 to ‘benet‘@‘localhost‘ identified by ‘1223123‘;
Query OK, 0 rows affected, 1 warning (0.01 sec)

mysql> select User,authentication_string,Host from user;
+-----------+-------------------------------------------+-----------+
| User      | authentication_string                     | Host      |
+-----------+-------------------------------------------+-----------+
| root      | *0DB339632B48910F8F0BEF61BD7EAD4441267E6E | localhost |
| mysql.sys | *THISISNOTAVALIDPASSWORDTHATCANBEUSEDHERE | localhost |
| benet     | *E56A114692FE0DE073F9A1DD68A00EEB9703F3F1 | localhost |
| accp      | *0DB339632B48910F8F0BEF61BD7EAD4441267E6E | localhost |
+-----------+-------------------------------------------+-----------+
4 rows in set (0.00 sec)
#上面自动创建了benet用户登陆密码为‘123123’
下面设置benet用户限制原密码为123123,我把限制密码改以新密码‘321321’然后看一下用原密码能不能登录
mysql> grant insert on ×××表.×××信息 to ‘benet‘@‘localhost‘ identified by ‘3221321‘;
Query OK, 0 rows affected, 1 warning (0.00 sec)
[[email protected] ~]# mysql -u benet -p123123
mysql: [Warning] Using a password on the command line interface can be insecure.
ERROR 1045 (28000): Access denied for user ‘benet‘@‘localhost‘ (using password: YES)
#提示你输入正确的登陆密码
查看用户权限
SHOW GRANTS FOR ‘username‘@‘主机地址‘
mysql> show grants for ‘accp‘@‘localhost‘;
+------------------------------------------------------------------------------+
| Grants for [email protected]                                                    |
+------------------------------------------------------------------------------+
| GRANT USAGE ON *.* TO ‘accp‘@‘localhost‘                                     |
| GRANT SELECT ON "×××表"."×××信息" TO ‘accp‘@‘localhost‘            |
+------------------------------------------------------------------------------+
2 rows in set (0.00 sec)
撤销用户权限
REVOKE 权限列表 ON 数据库名.表名 FROM 用户@主机地址
mysql> revoke select on ×××表.×××信息 from ‘accp‘@‘localhost‘;
Query OK, 0 rows affected (0.00 sec)

mysql> show grants for ‘accp‘@‘localhost‘;
+------------------------------------------+
| Grants for [email protected]                |
+------------------------------------------+
| GRANT USAGE ON *.* TO ‘accp‘@‘localhost‘ |
+------------------------------------------+
1 row in set (0.00 sec)
撤销用户所有权限
REVOKE ALL ON 数据库名.表名 FROM 用户@主机地址

以上是关于MySQL 数据库用户和权限管理的主要内容,如果未能解决你的问题,请参考以下文章

MySQL 数据库用户和权限管理

MySQL的用户管理与权限管理

MySQL的用户管理与权限管理

mysql用户和权限管理

mysql中怎样设置用户和管理员的权限?

MySQL之用户和权限管理