 
 
1. Introduction

- DCL (Data Control Language)

- Used to define access permissions and security levels for databases, tables, columns and users.
- The main statement keywords are GRANT, REVOKE, COMMIT, ROLLBACK and SAVEPOINT. Strictly speaking COMMIT, ROLLBACK and SAVEPOINT control transactions, and many references list them separately as TCL; the access-control statements are GRANT and REVOKE, together with the account statements CREATE USER, ALTER USER, DROP USER and the role statements covered below.
 
 
2. User Management

2.1 Creating, querying, renaming and dropping users (CRUD)
 
 
 
- The account name given to CREATE USER has two parts, a user name (User) and a host name (Host). If the host is omitted it defaults to '%', which means the account may connect from any host.
- Example:
CREATE USER 'kangshifu'@'localhost' IDENTIFIED BY '123456';
- Common host forms. % and _ are LIKE-style wildcards; when several rows match a connection the server uses the most specific one, so for a local connection 'root'@'localhost' takes precedence over 'root'@'%'.

| Host form | Clients allowed |
|---|---|
| user@'%' | any host |
| user@'localhost' | local only |
| user@'127.0.0.1' | local only (TCP loopback) |
| user@'10.0.0.%' | 10.0.0.0/24 (24-bit mask) |
| user@'10.0.0.5%' | 10.0.0.5 and 10.0.0.50 to 10.0.0.59 |
| user@'10.0.0.0/255.255.254.0' | 10.0.0.0/23 (23-bit mask) |
| user@'10.0.%' | 10.0.0.0/16 (16-bit mask) |
List the existing accounts (the user/host pairs are what GRANT, REVOKE and DROP USER refer to):

mysql> SELECT user, host FROM mysql.user;
+------------------+-----------+
| user             | host      |
+------------------+-----------+
| rayslee          | %         |
| root             | %         |
| mysql.infoschema | localhost |
| mysql.session    | localhost |
| mysql.sys        | localhost |
| root             | localhost |
+------------------+-----------+
6 rows in set (0.00 sec)
mysql> 
 
 
Rename a user. The page does this by editing the grant table directly; the supported statement is `RENAME USER 'wang5'@'%' TO 'li4'@'%';`, which also updates the other grant tables and needs no FLUSH PRIVILEGES. If you do write mysql.user, add a Host condition, otherwise every 'wang5' row (one per host) is renamed:

UPDATE mysql.user SET USER='li4' WHERE USER='wang5';
FLUSH PRIVILEGES;   -- required after any direct change to the grant tables

Drop a user. Without a host part, 'li4' means 'li4'@'%'. DROP USER does not close the account's open sessions, so kill them if the removal has to take effect immediately:

DROP USER li4;
DROP USER 'kangshifu'@'localhost';
 
2.2 Password Management

2.2.1 Changing a password

Change the password of the current account:

ALTER USER USER() IDENTIFIED BY 'new_password';
SET PASSWORD='new_password';
mysqladmin -u user -p password      # prompts for the new password; never pass it as an argument, it would end up in shell history and the process list

Change the password of another account (requires the CREATE USER privilege, or UPDATE on the mysql schema):

ALTER USER 'user'@'host' IDENTIFIED BY 'new_password' [, 'user'@'host' IDENTIFIED BY 'new_password'] ...;
# or
SET PASSWORD FOR 'username'@'hostname'='new_password';
# MySQL 5.7 only: PASSWORD() was removed in 8.0. Writing mysql.user directly also bypasses the password policy and needs FLUSH PRIVILEGES afterwards.
UPDATE mysql.user SET authentication_string=PASSWORD("123456")
WHERE User = "username" AND Host = "hostname";
 
2.2.2 Forgotten password

If the root password is lost, the server is restarted with --skip-grant-tables, which disables authentication for every account, and --skip-networking, which limits connections to the local socket so that the unauthenticated server is not reachable over TCP. The session below clears root's stored credential, restarts the server normally and then sets a real password with mysqladmin. Prompt lines whose command did not survive extraction are marked. Note "Rows matched: 1  Changed: 0": on this server the authentication_string of 'root'@'localhost' was already empty. Keep the window short; while the server runs with --skip-grant-tables any local user can connect as root without a password.

[root@mysql01 ~]# # (command not preserved on the page)
[root@mysql01 ~]# mysqld_safe --skip-grant-tables --skip-networking &
[1] 6736
[root@mysql01 ~]# 2020-09-20T08:39:41.209970Z mysqld_safe Starting mysqld daemon with databases from /data/mysql/data
[root@mysql01 ~]# # (command not preserved on the page: connect with the mysql client)
....
mysql> update mysql.user set authentication_string='' where user='root' and host='localhost';
Query OK, 0 rows affected (0.00 sec)
Rows matched: 1  Changed: 0  Warnings: 0
mysql> quit
Bye
[root@mysql01 ~]# ps -ef | grep mysql
root        6736    6618  0 16:39 pts/2    00:00:00 /bin/sh /usr/local/mysql/bin/mysqld_safe --skip-grant-tables --skip-networking
mysql       6919    6736  0 16:39 pts/2    00:00:03 /usr/local/mysql/bin/mysqld --basedir=/usr/local/mysql --datadir=/data/mysql/data --plugin-dir=/usr/local/mysql/lib/plugin --user=mysql --skip-grant-tables --skip-networking --log-error=mysql01.err --pid-file=mysql01.pid --socket=/tmp/mysql.sock --port=3306
root        7215    6618  0 16:48 pts/2    00:00:00 grep --color=auto mysql
[root@mysql01 ~]# # (command not preserved on the page)
[root@mysql01 ~]# # (command not preserved on the page)
[root@mysql01 ~]# mysqladmin -u root -p password
Enter password: 
New password: 
Confirm new password: 
Warning: Since password will be sent to server in plain text, use ssl connection to ensure password safety.
[root@mysql01 ~]# 
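On MySQL 8.0 the supported way to finish the reset from inside the --skip-grant-tables session is to reload the grant tables and then use ALTER USER, rather than writing mysql.user by hand as the session above does. The following is an added example and not part of the original page; the account 'root'@'localhost' and the password are placeholders.

```sql
-- Added example (not from the original page): finishing the reset inside the
-- --skip-grant-tables session with supported statements instead of
-- UPDATE mysql.user. Account name and password are placeholders.

-- Under --skip-grant-tables the grant tables are not loaded, so ALTER USER and
-- SET PASSWORD are refused until the privileges are reloaded explicitly.
FLUSH PRIVILEGES;

-- Set the new password through the account-management statement: the stored
-- hash is produced by the account's own plugin (caching_sha2_password by
-- default) and validate_password, if installed, still checks the new value.
ALTER USER 'root'@'localhost' IDENTIFIED BY 'N3w-Root#Passw0rd';

-- Before restarting without --skip-grant-tables, make sure no account has been
-- left without a credential (a manual UPDATE to '' would show up here).
SELECT user, host, plugin
FROM mysql.user
WHERE authentication_string = '';
```

After these statements stop the --skip-grant-tables instance and start mysqld normally; the reset is not complete while the unauthenticated server is still running.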
 
2.2.3 Expiration policy (for reference)

- The DBA can expire an account's password manually, or define an automatic expiration policy.
- The policy can be global (default_password_lifetime, in days; 0, the default, disables automatic expiration) or set individually per account. An account whose password has expired can still connect, but may run nothing except a password change until it sets a new one.

# global policy: passwords expire after 180 days
SET PERSIST default_password_lifetime = 180;
# the same setting in my.cnf
[mysqld]
default_password_lifetime=180
# expire one account's password immediately
ALTER USER 'kangshifu'@'localhost' PASSWORD EXPIRE;

# per-account policy: expire every 90 days
CREATE USER 'kangshifu'@'localhost' PASSWORD EXPIRE INTERVAL 90 DAY;
ALTER USER 'kangshifu'@'localhost' PASSWORD EXPIRE INTERVAL 90 DAY;
# never expire (use only for accounts whose rotation is handled elsewhere):
CREATE USER 'kangshifu'@'localhost' PASSWORD EXPIRE NEVER;
ALTER USER 'kangshifu'@'localhost' PASSWORD EXPIRE NEVER;
# follow the global policy:
CREATE USER 'kangshifu'@'localhost' PASSWORD EXPIRE DEFAULT;
ALTER USER 'kangshifu'@'localhost' PASSWORD EXPIRE DEFAULT;
 
2.2.4 Reuse policy (for reference)

Global settings: password_history forbids reusing any of the last N passwords, password_reuse_interval forbids reusing any password used within the last N days. Both default to 0 (no restriction) and can be combined.

SET PERSIST password_history = 6;
SET PERSIST password_reuse_interval = 365;
[mysqld]
password_history=6
password_reuse_interval=365

Per-account settings, which override the global values for that account:

# the last 5 passwords cannot be reused:
CREATE USER 'kangshifu'@'localhost' PASSWORD HISTORY 5;
ALTER USER 'kangshifu'@'localhost' PASSWORD HISTORY 5;
# no password used within the last 365 days can be reused:
CREATE USER 'kangshifu'@'localhost' PASSWORD REUSE INTERVAL 365 DAY;
ALTER USER 'kangshifu'@'localhost' PASSWORD REUSE INTERVAL 365 DAY;
# neither the last 5 passwords nor any password from the last 365 days:
CREATE USER 'kangshifu'@'localhost'
PASSWORD HISTORY 5
PASSWORD REUSE INTERVAL 365 DAY;
ALTER USER 'kangshifu'@'localhost'
PASSWORD HISTORY 5
PASSWORD REUSE INTERVAL 365 DAY;
 
3. Privilege Management

| Privilege | Description |
|---|---|
| CREATE and DROP | Create new databases and tables, or drop existing ones. DROP on the mysql database lets the user drop the grant tables themselves, i.e. the whole access-control store. |
| SELECT, INSERT, UPDATE and DELETE | Operate on the existing tables of a database. |
| SELECT | Only needed when a statement actually retrieves rows from a table (a bare SELECT 1+1 needs none). |
| INDEX | Create or drop indexes on existing tables. With CREATE on a table, index definitions may also be included in the CREATE TABLE statement. |
| ALTER | Use ALTER TABLE to change a table's structure or rename it. |
| CREATE ROUTINE | Create stored routines (functions and procedures); ALTER ROUTINE alters or drops them, EXECUTE runs them. |
| GRANT (GRANT OPTION) | Pass one's own privileges on to other users; applies to databases, tables and stored routines. |
| FILE | Use LOAD DATA INFILE and SELECT ... INTO OUTFILE to read or write files on the server. The check is done with the OS permissions of the mysqld process, so a holder of FILE can read any file the server can read, including the data files of every database, and create files anywhere the server can write. Restrict this with secure_file_priv, which confines these operations to one directory (or disables them when set to NULL). |

The full list, including the dynamic privileges introduced in 8.0 (the upper-case names with an empty Comment column):
mysql> SHOW PRIVILEGES;
+-----------------------------+---------------------------------------+-------------------------------------------------------+
| Privilege                   | Context                               | Comment                                               |
+-----------------------------+---------------------------------------+-------------------------------------------------------+
| Alter                       | Tables                                | To alter the table                                    |
| Alter routine               | Functions,Procedures                  | To alter or drop stored functions/procedures          |
| Create                      | Databases,Tables,Indexes              | To create new databases and tables                    |
| Create routine              | Databases                             | To use CREATE FUNCTION/PROCEDURE                      |
| Create role                 | Server Admin                          | To create new roles                                   |
| Create temporary tables     | Databases                             | To use CREATE TEMPORARY TABLE                         |
| Create view                 | Tables                                | To create new views                                   |
| Create user                 | Server Admin                          | To create new users                                   |
| Delete                      | Tables                                | To delete existing rows                               |
| Drop                        | Databases,Tables                      | To drop databases, tables, and views                  |
| Drop role                   | Server Admin                          | To drop roles                                         |
| Event                       | Server Admin                          | To create, alter, drop and execute events             |
| Execute                     | Functions,Procedures                  | To execute stored routines                            |
| File                        | File access on server                 | To read and write files on the server                 |
| Grant option                | Databases,Tables,Functions,Procedures | To give to other users those privileges you possess   |
| Index                       | Tables                                | To create or drop indexes                             |
| Insert                      | Tables                                | To insert data into tables                            |
| Lock tables                 | Databases                             | To use LOCK TABLES (together with SELECT privilege)   |
| Process                     | Server Admin                          | To view the plain text of currently executing queries |
| Proxy                       | Server Admin                          | To make proxy user possible                           |
| References                  | Databases,Tables                      | To have references on tables                          |
| Reload                      | Server Admin                          | To reload or refresh tables, logs and privileges      |
| Replication client          | Server Admin                          | To ask where the slave or master servers are          |
| Replication slave           | Server Admin                          | To read binary log events from the master             |
| Select                      | Tables                                | To retrieve rows from table                           |
| Show databases              | Server Admin                          | To see all databases with SHOW DATABASES              |
| Show view                   | Tables                                | To see views with SHOW CREATE VIEW                    |
| Shutdown                    | Server Admin                          | To shut down the server                               |
| Super                       | Server Admin                          | To use KILL thread, SET GLOBAL, CHANGE MASTER, etc.   |
| Trigger                     | Tables                                | To use triggers                                       |
| Create tablespace           | Server Admin                          | To create/alter/drop tablespaces                      |
| Update                      | Tables                                | To update existing rows                               |
| Usage                       | Server Admin                          | No privileges - allow connect only                    |
| SHOW_ROUTINE                | Server Admin                          |                                                       |
| RESOURCE_GROUP_USER         | Server Admin                          |                                                       |
| REPLICATION_APPLIER         | Server Admin                          |                                                       |
| PASSWORDLESS_USER_ADMIN     | Server Admin                          |                                                       |
| INNODB_REDO_LOG_ENABLE      | Server Admin                          |                                                       |
| XA_RECOVER_ADMIN            | Server Admin                          |                                                       |
| GROUP_REPLICATION_STREAM    | Server Admin                          |                                                       |
| GROUP_REPLICATION_ADMIN     | Server Admin                          |                                                       |
| FLUSH_USER_RESOURCES        | Server Admin                          |                                                       |
| FLUSH_TABLES                | Server Admin                          |                                                       |
| PERSIST_RO_VARIABLES_ADMIN  | Server Admin                          |                                                       |
| ROLE_ADMIN                  | Server Admin                          |                                                       |
| BACKUP_ADMIN                | Server Admin                          |                                                       |
| CONNECTION_ADMIN            | Server Admin                          |                                                       |
| SET_USER_ID                 | Server Admin                          |                                                       |
| SESSION_VARIABLES_ADMIN     | Server Admin                          |                                                       |
| RESOURCE_GROUP_ADMIN        | Server Admin                          |                                                       |
| INNODB_REDO_LOG_ARCHIVE     | Server Admin                          |                                                       |
| BINLOG_ENCRYPTION_ADMIN     | Server Admin                          |                                                       |
| REPLICATION_SLAVE_ADMIN     | Server Admin                          |                                                       |
| SYSTEM_VARIABLES_ADMIN      | Server Admin                          |                                                       |
| SYSTEM_USER                 | Server Admin                          |                                                       |
| APPLICATION_PASSWORD_ADMIN  | Server Admin                          |                                                       |
| TABLE_ENCRYPTION_ADMIN      | Server Admin                          |                                                       |
| SERVICE_CONNECTION_ADMIN    | Server Admin                          |                                                       |
| AUDIT_ADMIN                 | Server Admin                          |                                                       |
| AUTHENTICATION_POLICY_ADMIN | Server Admin                          |                                                       |
| BINLOG_ADMIN                | Server Admin                          |                                                       |
| ENCRYPTION_KEY_ADMIN        | Server Admin                          |                                                       |
| CLONE_ADMIN                 | Server Admin                          |                                                       |
| FLUSH_OPTIMIZER_COSTS       | Server Admin                          |                                                       |
| FLUSH_STATUS                | Server Admin                          |                                                       |
+-----------------------------+---------------------------------------+-------------------------------------------------------+
65 rows in set (0.00 sec)
mysql> 
 
3.1 Granting privileges

Principles:

- Grant only the minimum privileges that the task needs.
- Restrict the login host when creating the user, normally to a specific IP address or an internal subnet.
- Give every user a password that meets the complexity policy.
- Periodically clean up users that are no longer needed: revoke their privileges or drop the account.

Examples. In MySQL 8.0 the account must already exist; GRANT no longer creates users implicitly.

GRANT SELECT,INSERT,DELETE,UPDATE ON atguigudb.* TO li4@localhost;
# everything, globally, to an account reachable from any host: only ever for a break-glass administrator, never for an application
GRANT ALL PRIVILEGES ON *.* TO joe@'%';
 
3.2 Viewing privileges

Privileges of the current account:

SHOW GRANTS;
SHOW GRANTS FOR CURRENT_USER;
SHOW GRANTS FOR CURRENT_USER();

Privileges of another account (requires SELECT on the mysql schema):

SHOW GRANTS FOR 'user'@'host';

The grant tables behind these statements:

- mysql.user: accounts, authentication data and global privileges
- mysql.db: database-level privileges for a user connecting from a host
- mysql.tables_priv: table-level privileges
- mysql.columns_priv: column-level privileges
- mysql.procs_priv: privileges on stored procedures and functions
 
3.3 Revoking privileges

REVOKE does not terminate the account's open sessions, and global privileges are re-read when a client connects, so a long-lived session keeps its global privileges until it reconnects. Kill the account's sessions if the revocation has to take effect immediately.

REVOKE ALL PRIVILEGES ON *.* FROM joe@'%';
REVOKE SELECT,INSERT,UPDATE,DELETE ON mysql.* FROM joe@localhost;
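Putting 2.1, 2.2 and 3.1 to 3.3 together: the script below provisions one application account the way the four principles above describe, verifies what it holds, audits the server for accounts that break the principles, and finally retires the account. It is an added example, not code from the original page; the schema appdb, the account 'app_rw'@'10.0.0.%', the subnet and the password are placeholders.

```sql
-- Added example (not from the original page). Placeholders: appdb, app_rw,
-- the 10.0.0.% subnet and the password.

-- 1. Restrict the login host to the application subnet, require a strong
--    password, and enforce rotation, history and lockout on this account only.
--    FAILED_LOGIN_ATTEMPTS / PASSWORD_LOCK_TIME need MySQL 8.0.19 or later.
CREATE USER 'app_rw'@'10.0.0.%'
  IDENTIFIED WITH caching_sha2_password BY 'Str0ng!Passw0rd#2024'
  PASSWORD EXPIRE INTERVAL 90 DAY
  PASSWORD HISTORY 5
  FAILED_LOGIN_ATTEMPTS 5 PASSWORD_LOCK_TIME 1;   -- lock for 1 day after 5 failures

-- 2. Only DML on the one schema the application needs: no GRANT OPTION, no
--    global (*.*) privileges, no FILE / SUPER / PROCESS.
GRANT SELECT, INSERT, UPDATE, DELETE ON appdb.* TO 'app_rw'@'10.0.0.%';

-- 3. Verify what the account actually holds.
SHOW GRANTS FOR 'app_rw'@'10.0.0.%';
-- expected:
-- GRANT USAGE ON *.* TO `app_rw`@`10.0.0.%`
-- GRANT SELECT, INSERT, UPDATE, DELETE ON `appdb`.* TO `app_rw`@`10.0.0.%`

-- 4. Periodic review across the server: accounts reachable from anywhere, or
--    holding the global privileges that amount to server takeover.
SELECT user, host, Super_priv, File_priv, Grant_priv, Process_priv
FROM mysql.user
WHERE host = '%'
   OR Super_priv = 'Y' OR File_priv = 'Y' OR Grant_priv = 'Y';

-- 5. Clean-up when the application is retired. DROP USER removes the grants
--    as well; the explicit REVOKE is shown for the case where the account stays.
REVOKE SELECT, INSERT, UPDATE, DELETE ON appdb.* FROM 'app_rw'@'10.0.0.%';
DROP USER 'app_rw'@'10.0.0.%';
```

Step 4 is the query to put on a schedule: any row it returns that is not a named administrator account is a finding.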
 
4. Role Management

A role is a named collection of privileges that is granted to accounts as a unit, so that the privilege set is defined once and reused.

4.1 Using roles

Create a role:

- Syntax: CREATE ROLE 'role_name'[@'host_name'] [,'role_name'[@'host_name']]...
- Role names follow the same rules as user names. If host_name is omitted it defaults to %; role_name is required and may not be empty.

Grant privileges to a role:

- A newly created role holds no privileges.
- Syntax:
GRANT privileges ON db_name.table_name TO 'role_name'[@'host_name'];
- Example:
GRANT SELECT ON demo.settlement TO 'manager';

Grant a role to a user:

- A role only has an effect once it has been granted to a user and is active in that user's session.
- Syntax:
GRANT role [,role2,...] TO user1@host [, user2@host, ...];
- Example:
GRANT 'school_read' TO 'kangshifu'@'localhost';
 
Granting alone is not enough: in the user's session the role is still inactive and CURRENT_ROLE() returns NONE until it is activated.

mysql> SELECT CURRENT_ROLE();
+----------------+
| CURRENT_ROLE() |
+----------------+
| NONE           |
+----------------+
1 row in set (0.00 sec)
mysql> 
 
 
- Option 1: activate the roles with SET DEFAULT ROLE; the listed roles become active at every new login of that account.

SET DEFAULT ROLE ALL TO 'kangshifu'@'localhost';
# several accounts at once:
SET DEFAULT ROLE ALL TO
'dev1'@'localhost',
'read_user1'@'localhost',
'read_user2'@'localhost',
'rw_user1'@'localhost';
 
- Option 2: set activate_all_roles_on_login to ON. This is a global switch: every granted role (and every mandatory role) becomes active at login for every account, so prefer Option 1 when only some accounts need their roles active.

mysql> show variables like 'activate_all_roles_on_login';
+-----------------------------+-------+
| Variable_name               | Value |
+-----------------------------+-------+
| activate_all_roles_on_login | OFF   |
+-----------------------------+-------+
1 row in set (0.08 sec)
mysql> SET GLOBAL activate_all_roles_on_login=ON;
 
4.2 Modifying roles

View a role's privileges with SHOW GRANTS, exactly as for a user:

mysql> SHOW GRANTS FOR 'manager';
+-------------------------------------------------------+
| Grants for manager@%                                  |
+-------------------------------------------------------+
| GRANT USAGE ON *.* TO `manager`@`%`                   |
| GRANT SELECT ON `demo`.`goodsmaster` TO `manager`@`%` |
| GRANT SELECT ON `demo`.`invcount` TO `manager`@`%`    |
| GRANT SELECT ON `demo`.`settlement` TO `manager`@`%`  |
+-------------------------------------------------------+
 
 
Revoke privileges from a role:

- Syntax:
REVOKE privileges ON tablename FROM 'rolename';
- Example:
REVOKE INSERT, UPDATE, DELETE ON school.* FROM 'school_write';

Drop a role:

- Dropping a role revokes it from every account it was granted to, so those users lose all privileges they held through it. A role named in mandatory_roles cannot be dropped.
- Syntax:
DROP ROLE role [,role2] ...

Revoke a role from a user:

- Syntax:
REVOKE role FROM user;
- Example:
REVOKE 'school_read' FROM 'kangshifu'@'localhost';
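The statements of 4.1 and 4.2 as one complete workflow: two roles carry the privileges, accounts get roles rather than direct grants, the roles are activated per account, the effective privileges are checked, and one role is later revoked and dropped. This is an added example, not code from the original page; the role names app_read and app_write, the schema appdb, the accounts 'svc_order'@'10.0.0.%' and 'analyst'@'10.0.0.%' and the passwords are placeholders.

```sql
-- Added example (not from the original page). Placeholders: app_read,
-- app_write, appdb, svc_order, analyst, the subnet and the passwords.

-- 1. Roles carry the privileges; they are defined once and reused.
CREATE ROLE 'app_read', 'app_write';
GRANT SELECT ON appdb.* TO 'app_read';
GRANT INSERT, UPDATE, DELETE ON appdb.* TO 'app_write';

-- 2. Accounts get roles, not direct privileges: the service account gets
--    read and write, the analyst only read.
CREATE USER 'svc_order'@'10.0.0.%' IDENTIFIED BY 'Svc!Order#2024';
CREATE USER 'analyst'@'10.0.0.%'   IDENTIFIED BY 'An@lyst#2024';
GRANT 'app_read', 'app_write' TO 'svc_order'@'10.0.0.%';
GRANT 'app_read'              TO 'analyst'@'10.0.0.%';

-- 3. A granted role is inert until activated. Activate the granted roles at
--    login for these two accounts only, instead of flipping the global
--    activate_all_roles_on_login switch for everyone.
SET DEFAULT ROLE ALL TO 'svc_order'@'10.0.0.%', 'analyst'@'10.0.0.%';

-- 4. Check effective privileges; the USING clause expands the role's grants.
SHOW GRANTS FOR 'analyst'@'10.0.0.%' USING 'app_read';
-- expected:
-- GRANT USAGE ON *.* TO `analyst`@`10.0.0.%`
-- GRANT SELECT ON `appdb`.* TO `analyst`@`10.0.0.%`
-- GRANT `app_read`@`%` TO `analyst`@`10.0.0.%`

-- Inside a session the account can also narrow what is active:
--   SET ROLE NONE;           -- USAGE only
--   SET ROLE 'app_read';     -- only the read role
--   SELECT CURRENT_ROLE();   -- shows what is active right now

-- 5. The user-to-role graph as stored by the server (roles that come from
--    mandatory_roles never appear here).
SELECT FROM_USER, FROM_HOST, TO_USER, TO_HOST FROM mysql.role_edges;

-- 6. Removal: revoking the role from the user, or dropping the role, takes
--    away every privilege the account held through it.
REVOKE 'app_write' FROM 'svc_order'@'10.0.0.%';
DROP ROLE 'app_write';
```

Without step 3 both accounts would connect with CURRENT_ROLE() = NONE and hold nothing but USAGE, which is the situation shown in the CURRENT_ROLE() output in 4.1.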
 
4.3 Mandatory roles

- mandatory_roles names roles that the server treats as mandatory.
- In effect these roles are granted to every user account automatically.
- Setting mandatory_roles does not change any user account: the implicit grants are not stored and do not appear in the mysql.role_edges system table.
- Mandatory roles are still subject to activation (SET DEFAULT ROLE, SET ROLE or activate_all_roles_on_login), and a role listed in mandatory_roles cannot be dropped while it is listed. Changing the variable requires ROLE_ADMIN in addition to the privilege needed to set a global system variable.

In the configuration file:

[mysqld]
mandatory_roles='role1,role2@localhost,r3@%.atguigu.com'

At runtime (SET PERSIST survives a restart, SET GLOBAL does not):

SET PERSIST mandatory_roles = 'role1,role2@localhost,r3@%.example.com';
SET GLOBAL mandatory_roles = 'role1,role2@localhost,r3@%.example.com';