MySQL权限管理
Posted
tags:
篇首语:本文由小常识网(cha138.com)小编为大家整理,主要介绍了MySQL权限管理相关的知识,希望对你有一定的参考价值。
数据库的权限管理一直是很麻烦的一件事情,因为权限是很分散的,不容易查看,也不容易修改的完善。但是mysql的权限管理让人眼前一亮的感觉。因为什么都是那么一目了然。
1# 查看权限
比如,我们想要看看MySQL的root用户,拥有什么权限:
([email protected])[(none)]> select user();
+----------------+
| user() |
+----------------+
| [email protected] |
+----------------+
1 row in set (0.00 sec)
([email protected])[(none)]> show grants;
+----------------------------------------------------------------------------------------------------------------------------------------+
| Grants for [email protected] |
+----------------------------------------------------------------------------------------------------------------------------------------+
| GRANT ALL PRIVILEGES ON *.* TO ‘root‘@‘localhost‘ IDENTIFIED BY PASSWORD ‘*A0F874BC7F54EE086FCE60A37CE7887D8B31086B‘ WITH GRANT OPTION |
| GRANT PROXY ON ‘‘@‘‘ TO ‘root‘@‘localhost‘ WITH GRANT OPTION |
+----------------------------------------------------------------------------------------------------------------------------------------+
2 rows in set (0.00 sec)
一条show grants解决了问题,并且连grant语句都给我们了。这样就是说,我们稍微修修改改就可用重造出另一个和root一样的超级用户了。
其中第一条:
GRANT ALL PRIVILEGES ON *.* TO ‘root‘@‘localhost‘ IDENTIFIED BY PASSWORD ‘*A0F874BC7F54EE086FCE60A37CE7887D8B31086B‘ WITH GRANT OPTION 不光光grant 了 . 上的ALL PRIVILEGES 给‘root‘@‘localhost‘ ,甚至还有验证密码和 WITH 信息。实际上这条语句是可用拿来创建这个用户的。这也是一个另类的创建用户的方法。
查看他人的权限:
([email protected])[(none)]> show grants for test1
-> ;
+------------------------------------------------------------------------------------------------------+
| Grants for [email protected]% |
+------------------------------------------------------------------------------------------------------+
| GRANT USAGE ON *.* TO ‘test1‘@‘%‘ IDENTIFIED BY PASSWORD ‘*CFA887C680E792C2DCF622D56FB809E3F8BE63CC‘ |
+------------------------------------------------------------------------------------------------------+
1 row in set (0.00 sec)
这里看到用户‘test1‘@‘%‘只有一条权限,这条权限也是默认的创建用户语句。
2# 授予权限:
用户必然是需要使用数据库的。所以如果用户只有usage这个没用的权限的话,这个用户就不需要存在了。
语法:
([email protected])[(none)]> help grant
Name: ‘GRANT‘
Description:
Syntax:
GRANT
priv_type [(column_list)]
[, priv_type [(column_list)]] ...
ON [object_type] priv_level
TO user_specification [, user_specification] ...
[REQUIRE {NONE | tsl_option [[AND] tsl_option] ...}]
[WITH {GRANT OPTION | resource_option} ...]
GRANT PROXY ON user_specification #这个代理也是语句也是单独存在
TO user_specification [, user_specification] ...
[WITH GRANT OPTION]
object_type: { #对象类型
TABLE
| FUNCTION
| PROCEDURE
}
priv_level: { #权限的等级分类
*
| *.*
| db_name.*
| db_name.tbl_name
| tbl_name
| db_name.routine_name
}
user_specification: #用户
user [ auth_option ]
auth_option: { #验证信息
IDENTIFIED BY ‘auth_string‘
| IDENTIFIED BY PASSWORD ‘hash_string‘
| IDENTIFIED WITH auth_plugin
| IDENTIFIED WITH auth_plugin AS ‘hash_string‘
}
tsl_option: { #SSL类型
SSL
| X509
| CIPHER ‘cipher‘
| ISSUER ‘issuer‘
| SUBJECT ‘subject‘
}
resource_option: { #资源使用定义
| MAX_QUERIES_PER_HOUR count
| MAX_UPDATES_PER_HOUR count
| MAX_CONNECTIONS_PER_HOUR count
| MAX_USER_CONNECTIONS count
}
用户权限列表,见官方文档:https://dev.mysql.com/doc/refman/5.6/en/grant.html
用户test1当前是没有任何权限的。假设我们需要让他访问mysql.user表
([email protected])[(none)]> use mysql;
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A
Database changed
([email protected])[mysql]> select count(*) from user;
+----------+
| count(*) |
+----------+
| 4 |
+----------+
1 row in set (0.00 sec)
([email protected])[mysql]>
建立一个新数据库,建立一个新表,对这个表进行访问以及控制:
([email protected])[mysql]> create database sample;
Query OK, 1 row affected (0.00 sec)
([email protected])[mysql]> use sample;
Database changed
([email protected])[sample]> show tables;
Empty set (0.00 sec)
([email protected])[sample]> create table smp (id int,name char(20));
Query OK, 0 rows affected (0.07 sec)
([email protected])[sample]> grant all privileges on sample.smp to test1;
Query OK, 0 rows affected (0.00 sec)
([email protected])[sample]> select User,Table_name,Table_priv from mysql.tables_priv;
+-------+------------+----------------------------------------------------------------------------------------------+
| User | Table_name | Table_priv |
+-------+------------+----------------------------------------------------------------------------------------------+
| test1 | user | Select |
| test1 | smp | Select,Insert,Update,Delete,Create,Drop,References,Index,Alter,Create View,Show view,Trigger |
+-------+------------+----------------------------------------------------------------------------------------------+
2 rows in set (0.00 sec)
([email protected])[sample]>
更多的怎删改和删除表
([email protected])[sample]> insert into smp values (1,‘abc‘);
Query OK, 1 row affected (0.00 sec)
([email protected])[sample]> select * from smp;
+------+------+
| id | name |
+------+------+
| 1 | abc |
+------+------+
1 row in set (0.00 sec)
([email protected])[sample]> delete from smp;
Query OK, 1 row affected (0.00 sec)
([email protected])[sample]> select * from smp;
Empty set (0.00 sec)
([email protected])[sample]> drep table smp;
ERROR 1064 (42000): You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ‘drep table smp‘ at line 1
([email protected])[sample]> drop table smp;
Query OK, 0 rows affected (0.00 sec)
drop table 是DDL, 这个时候table已经删除了,再看看权限:
([email protected])[sample]> select User,Table_name,Table_priv from mysql.tables_priv;
+-------+------------+----------------------------------------------------------------------------------------------+
| User | Table_name | Table_priv |
+-------+------------+----------------------------------------------------------------------------------------------+
| test1 | user | Select |
| test1 | smp | Select,Insert,Update,Delete,Create,Drop,References,Index,Alter,Create View,Show view,Trigger |
+-------+------------+----------------------------------------------------------------------------------------------+
2 rows in set (0.00 sec)
权限依然存在。说明删除表是不会删除用户所拥有的对象权限的。
试试看建回来:
([email protected])[sample]> create table smp (id int,name char(20));
Query OK, 0 rows affected (0.00 sec)
([email protected])[sample]> create table smp1 (id int,name char(20));
ERROR 1142 (42000): CREATE command denied to user ‘test1‘@‘localhost‘ for table ‘smp1‘
([email protected])[sample]>
成功建回来。那么是否可用在这个数据库中建立另外一张表呢?不行。
对 sample. 层面授予权限。
([email protected])[sample]> grant create on sample.* to test1;
Query OK, 0 rows affected (0.00 sec)
([email protected])[sample]> select User,Table_name,Table_priv from mysql.tables_priv;
+-------+------------+----------------------------------------------------------------------------------------------+
| User | Table_name | Table_priv |
+-------+------------+----------------------------------------------------------------------------------------------+
| test1 | user | Select |
| test1 | smp | Select,Insert,Update,Delete,Create,Drop,References,Index,Alter,Create View,Show view,Trigger |
+-------+------------+----------------------------------------------------------------------------------------------+
2 rows in set (0.00 sec)
([email protected])[sample]> show grants for test1;
+------------------------------------------------------------------------------------------------------+
| Grants for [email protected]% |
+------------------------------------------------------------------------------------------------------+
| GRANT USAGE ON *.* TO ‘test1‘@‘%‘ IDENTIFIED BY PASSWORD ‘*CFA887C680E792C2DCF622D56FB809E3F8BE63CC‘ |
| GRANT CREATE ON `sample`.* TO ‘test1‘@‘%‘ |
| GRANT ALL PRIVILEGES ON `sample`.`smp` TO ‘test1‘@‘%‘ |
| GRANT SELECT ON `mysql`.`user` TO ‘test1‘@‘%‘ |
+------------------------------------------------------------------------------------------------------+
4 rows in set (0.00 sec)
([email protected])[sample]> flush privileges;
Query OK, 0 rows affected (0.00 sec)
这个时候,test1用户有了CREATE ON sample. 。尝试在数据库中创建表对象。
(test[email protected])[sample]> create table smp1 (id int,name char(20));
ERROR 1142 (42000): CREATE command denied to user ‘test1‘@‘localhost‘ for table ‘smp1‘
失败!很奇怪,已经有了权限,还是失败。尝试重新登陆
([email protected])[sample]> exit
Bye
[[email protected] ~]$ mysql -utest1 -S /data/mysqldata/3306/mysql.sock -p
Enter password:
Welcome to the MySQL monitor. Commands end with ; or g.
Your MySQL connection id is 25
Server version: 5.6.31-log Source distribution
Copyright (c) 2000, 2016, Oracle and/or its affiliates. All rights reserved.
Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.
Type ‘help;‘ or ‘h‘ for help. Type ‘c‘ to clear the current input statement.
([email protected])[(none)]>
([email protected])[(none)]>
([email protected])[(none)]> create table smp1 (id int,name char(20));
ERROR 1046 (3D000): No database selected
([email protected])[(none)]> use sample;
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A
Database changed
([email protected])[sample]> create table smp1 (id int,name char(20));
Query OK, 0 rows affected (0.01 sec)
重新登陆后建立表对象成功。说明普通用户的权限需要在登陆的时候刷新。
以上是关于MySQL权限管理的主要内容,如果未能解决你的问题,请参考以下文章
Android 逆向Linux 文件权限 ( Linux 权限简介 | 系统权限 | 用户权限 | 匿名用户权限 | 读 | 写 | 执行 | 更改组 | 更改用户 | 粘滞 )(代码片段