User privileges and access control

Posted by 爱热闹的杨小厨


Create a user and set its password
create user zorro identified by '123';                  -- can log in from any host except the local machine (the default host is %)
create user zorro@localhost identified by '123';        -- zorro can log in only from the local machine
create user zorro@'%' identified by '123';
create user zorro@'172.16.20.9' identified by '123';    -- restrict the account to one source IP
Query
select user from mysql.user;
Rename a user
rename user zorro to robin;
select user from mysql.user;
Delete
drop user robin;
drop user zorro@'localhost';    -- specify the source host
mysql> select password(123);
+-------------------------------------------+
| password(123) |
+-------------------------------------------+
| *23AE809DDACAF96AF0FD78ED04B6A265E05AA257 |
+-------------------------------------------+
1 row in set (0.00 sec)


Change a user's password (after logging in)
set password for 'zorro'@'%' = password('123');    -- the password() function hashes the value
set password = password('123');                     -- change the current user's password
mysqladmin -uroot -p123 password '123456'           -- change it from the shell, before logging in
Lost root password
Reset the root password
1.
shell> mysqld_safe --skip-grant-tables --skip-networking &
shell> mysql -S /var/lib/mysql/mysql.sock (-u root -p)
2.
mysql> update mysql.user set password=password('123') where host='localhost' and user='root';

Query a user's privileges
show grants for zorro \G
*************************** 1. row ***************************
Grants for zorro@%: GRANT USAGE ON *.* TO 'zorro'@'%' IDENTIFIED BY PASSWORD '*23AE809DDACAF96AF0FD78ED04B6A265E05AA257'

USAGE means the account has no privileges at all
Connection test
mysql -u zorro -p123
ERROR 1045 (28000): Access denied for user 'zorro'@'localhost' (using password: YES)
Failed

Privileges
MySQL access control has two stages:
Stage 1: the server checks whether you are allowed to connect at all.
Stage 2: assuming you can connect, the server checks every request you issue to see whether you hold sufficient privileges to perform it. For example, if you select rows from a table or drop a table from a database, the server verifies that you have the SELECT privilege on that table or the DROP privilege on that database.


Granting privileges: grant
Command format
grant privileges on db.table to user@host [identified by 'password']
grant select on hr.* to zorro@'localhost';
show grants for zorro \G
*************************** 1. row ***************************
Grants for zorro@%: GRANT USAGE ON *.* TO 'zorro'@'%' IDENTIFIED BY PASSWORD '*23AE809DDACAF96AF0FD78ED04B6A265E05AA257'
*************************** 2. row ***************************
Grants for zorro@%: GRANT SELECT ON `hr`.* TO 'zorro'@'%'
grant select,insert,drop,delete on *.* to zorro@'localhost';
Grantable privileges include select, insert, delete, drop, update, alter, ... (there is no separate "desc" privilege)

Removing privileges: revoke
Command format
revoke privileges on db.table from user@host;
revoke select on hr.* from zorro@'localhost';

Granting to a remote host
grant all on hr.* to user@'192.168.1.129' identified by '123';
grant all on hr.* to user@'%' identified by '123';


grant and revoke can control access at several levels
the whole server: grant all and revoke all (on *.*)
a whole database: on database.*
grant select,insert on hr.* to user@'localhost' identified by '123';
a specific table: on database.table
grant select,insert on hr.tt to user@'localhost' identified by '123';
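The wide-open remote grant from the section above, placed next to a least-privilege form of the same access. This is an added example, not code from the original post; the account app_user and the tables hr.emp and hr.salary are assumed for illustration, and the behaviour described is that of MySQL 5.x.

```sql
-- Weak: every privilege on every table in hr, reachable from any host, and
-- the account is created implicitly by the GRANT itself.
GRANT ALL ON hr.* TO app_user@'%' IDENTIFIED BY '123';

-- Hardened: create the account explicitly first. In 5.x a GRANT to an
-- account that does not exist silently creates it (unless sql_mode contains
-- NO_AUTO_CREATE_USER), so a typo in the host or name yields a stray login.
CREATE USER app_user@'192.168.1.129' IDENTIFIED BY 'long-random-passphrase';

-- Pin the account to the one client host and grant only what the
-- application needs, at the narrowest level that works: table, or column.
GRANT SELECT, INSERT ON hr.emp TO app_user@'192.168.1.129';
GRANT SELECT (name) ON hr.salary TO app_user@'192.168.1.129';   -- column level

-- Verify: expect USAGE on *.* plus exactly the two rows above, nothing global.
SHOW GRANTS FOR app_user@'192.168.1.129';

-- Retire the wide-open account. REVOKE ALL alone leaves the mysql.user row
-- in place, so the account can still connect (with USAGE); DROP USER
-- removes it from every grant table.
REVOKE ALL ON hr.* FROM app_user@'%';
DROP USER app_user@'%';
```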

 

Other method (writing the grant table directly):
mysql> INSERT INTO mysql.user (Host,User,Password) VALUES('localhost','dummy',password('123'));
mysql> FLUSH PRIVILEGES;

 

Exercises:
1. Create an account zorro that may log in from the local machine and from anywhere
create user zorro@'%';
create user zorro@'%' identified by '123';
create user zorro@'localhost' identified by '123';
2. Rename zorro to king
rename user zorro@'%' to king@'%';
rename user zorro@'localhost' to king@'localhost';
3. Set king's password to 123
set password for king@'localhost'=password('123');
set password for king@'%'=password('123');
4. Log in to MySQL as king and set the password to abc
set password=password('abc');


Reset the root password
1. Stop MySQL (pkill mysql)
2. /usr/local/mysql/bin/mysqld_safe --user=mysql --skip-grant-tables &
3. update mysql.user set password=password('123') where user='root' and host='localhost';
4. Stop MySQL (pkill mysql)
5. /usr/local/mysql/bin/mysqld_safe --user=mysql &
6. Log in normally

Skipping authorization
vim /etc/my.cnf
[mysqld]
skip-grant-tables
While this option is in effect, every client that can reach the server connects with full privileges and no password check, so use it only for the recovery steps above and remove it (then restart) as soon as the password has been reset.

----------------------------------------------------------------------

create user robin;                          -- add an account
set password for robin=password('123');     -- set its password
create user zorro identified by '123';      -- create an account and set its password in one step
rename user zorro to newzorro;              -- rename an account
drop user newzorro;                         -- delete an account

set password=password('123');               -- set the current account's password

Lost root password
Lab environment
Delete the data directory
Re-initialize
The administrative password is then empty (log in directly)

Reset the root password
shell> /usr/local/mysql/bin/mysqld_safe --user=mysql --skip-grant-tables &
--skip-grant-tables skips the grant tables, so no authentication is performed.
shell> mysql      -- you get straight in
mysql> update mysql.user set password=password('123') where user='root' and host='localhost';    -- update the password

pkill mysql
service mysqld restart

Authorization
1. Whether the client may connect to the database at all: localhost vs %
2. Verify the account and password

1. Can the client connect to the database?
Part 1: local source
Part 2: remote source
create user user@'%' identified by '123';
select user,password,host from mysql.user;

create user user@'localhost' identified by '123';

2. Granting
grant all on db.* to user@'localhost';                                   -- all privileges on every table in db
grant select,insert on db.t5 to user@'localhost' identified by '123';    -- grant and create the account in one step

Revoke privileges: revoke all on db.* from user@'localhost';

Privilege scope    Stored in
*.*                mysql.user
db.*               mysql.db
db.t5              mysql.tables_priv
db.t5(id)          mysql.columns_priv

User information: mysql.user stores every account; privilege information is spread across different tables
grant all on *.* to abc1@localhost identified by '123';
abc1's privileges are stored in mysql.user

grant all on db.* to abc2@localhost identified by '123';
abc2's privileges are stored in mysql.db

grant all on db.test20 to abc3@localhost identified by '123';
abc3's privileges are stored in mysql.tables_priv

grant select(name) on db.test20 to abc4@localhost identified by '123';
abc4's privileges are stored in mysql.columns_priv

select * from mysql.tables_priv;
Can privileges be granted by updating the tables directly?
Update the grant tables to obtain privileges on all tables of all databases
mysql> create user tom@'localhost';
mysql> set password for 'tom'@'localhost' = password('123');
mysql> update mysql.user set Select_priv='Y' where user='tom';
mysql> select * from mysql.user where user='tom';
mysql> flush privileges;
Update the grant tables to obtain privileges on all tables of the kkk database
mysql> insert into mysql.db(Host,Db,User,Insert_priv) values('localhost','kkk','tom','Y');
mysql> flush privileges;
Update the grant tables to obtain privileges on table t1 of the kkk database
mysql> insert into mysql.tables_priv(Host,Db,User,Table_name,Table_priv) values('localhost','kkk','tom','t1','Update');
mysql> flush privileges;

Update the grant tables to obtain the update privilege on column id of table t2 in the kkk database
mysql> insert into mysql.columns_priv(Host,Db,User,Table_name,Column_name,Column_priv) values('localhost','kkk','tom','t2','did','Update');    -- column privilege

mysql> insert into mysql.tables_priv(Host,Db,User,Table_name,Column_priv) values('localhost','kkk','tom','t2','Update');    -- table-level row recording the column privilege

mysql> flush privileges;
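An audit pass over the four grant tables mapped above (*.*, db.*, db.t5, db.t5(id)), showing where each level of privilege lives and how to spot rows that were written directly as in the tom example. This is an added example, not part of the original post; it assumes MySQL 5.1-5.6, where mysql.user still has the Password column used throughout this post (5.7+ uses authentication_string instead).

```sql
-- 1. Stage-1 exposure: accounts reachable from any host, or with no password.
SELECT User, Host
FROM mysql.user
WHERE Host = '%' OR Password = '';

-- 2. Global privileges (the "on *.*" level, mysql.user). Anything beyond
--    USAGE here applies to every database, including mysql itself.
SELECT User, Host, Select_priv, Insert_priv, Update_priv, Delete_priv,
       Drop_priv, Grant_priv, Super_priv, File_priv
FROM mysql.user
WHERE Select_priv = 'Y' OR Insert_priv = 'Y' OR Update_priv = 'Y'
   OR Delete_priv = 'Y' OR Drop_priv = 'Y' OR Grant_priv = 'Y'
   OR Super_priv = 'Y' OR File_priv = 'Y';

-- 3. Database level (the "on db.*" level, mysql.db).
SELECT User, Host, Db, Select_priv, Insert_priv, Update_priv, Delete_priv,
       Drop_priv, Grant_priv
FROM mysql.db
ORDER BY Db, User, Host;

-- 4. Table and column level ("on db.t5" and "on db.t5(id)"). tables_priv
--    also carries the union of an account's column privileges in its
--    Column_priv field, which is why the post inserts a tables_priv row
--    alongside each columns_priv row.
SELECT User, Host, Db, Table_name, Table_priv, Column_priv
FROM mysql.tables_priv
ORDER BY Db, Table_name, User;

SELECT User, Host, Db, Table_name, Column_name, Column_priv
FROM mysql.columns_priv
ORDER BY Db, Table_name, Column_name, User;

-- 5. SHOW GRANTS reads the server's in-memory copy of these tables. Rows
--    written with INSERT/UPDATE instead of GRANT are not in that copy until
--    FLUSH PRIVILEGES, so a mismatch between the queries above and SHOW
--    GRANTS points at rows that were edited directly and not yet loaded.
FLUSH PRIVILEGES;
SHOW GRANTS FOR 'tom'@'localhost';
```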
