• MySQL-5.7密码策略及用户资源限制


    1.密码策略

    在mysql 5.6对密码的强度进行了加强,推出了validate_password 插件。支持密码的强度要求。

    (1)安装插件

    [root@localhost ~]# ll /usr/local/mysql/lib/plugin/validate_password.so 
    -rwxr-xr-x 1 mysql mysql 204359 Sep 14 01:27 /usr/local/mysql/lib/plugin/validate_password.so
    
    mysql> install plugin validate_password soname 'validate_password.so';
    Query OK, 0 rows affected (0.11 sec)
    
    mysql> show plugins;
    +----------------------------+----------+--------------------+----------------------+---------+
    | Name                       | Status   | Type               | Library              | License |
    +----------------------------+----------+--------------------+----------------------+---------+
    | binlog                     | ACTIVE   | STORAGE ENGINE     | NULL                 | GPL     |
    | mysql_native_password      | ACTIVE   | AUTHENTICATION     | NULL                 | GPL     |
    | sha256_password            | ACTIVE   | AUTHENTICATION     | NULL                 | GPL     |
    .....................省略
    | validate_password          | ACTIVE   | VALIDATE PASSWORD  | validate_password.so | GPL     |
    +----------------------------+----------+--------------------+----------------------+---------+
    45 rows in set (0.00 sec)
    

    (2)添加配置

    [root@localhost ~]# cat /etc/my.cnf
    [mysqld]
    datadir=/data1/mysql/data
    
    plugin-load=validate_password.so
    validate_password_policy=2
    validate-password=FORCE_PLUS_PERMANENT
    

    (3)检测配置

    mysql> SHOW VARIABLES LIKE 'validate_password%';
    +--------------------------------------+--------+
    | Variable_name                        | Value  |
    +--------------------------------------+--------+
    | validate_password_check_user_name    | OFF    |
    | validate_password_dictionary_file    |        |
    | validate_password_length             | 8      |
    | validate_password_mixed_case_count   | 1      |
    | validate_password_number_count       | 1      |
    | validate_password_policy             | STRONG |
    | validate_password_special_char_count | 1      |
    +--------------------------------------+--------+
    7 rows in set (0.02 sec)
    
    mysql> set password=password('abc');
    ERROR 1819 (HY000): Your password does not satisfy the current policy requirements
    mysql> set password=password('mysql2017');
    ERROR 1819 (HY000): Your password does not satisfy the current policy requirements
    mysql> set password=password('mysql@)!&');
    ERROR 1819 (HY000): Your password does not satisfy the current policy requirements
    mysql> set password=password('MY@)!&sql2017');
    Query OK, 0 rows affected, 1 warning (0.00 sec)
    

    2.策略详解

    mysql> SHOW VARIABLES LIKE 'validate_password%';
    +--------------------------------------+--------+
    | Variable_name                        | Value  |
    +--------------------------------------+--------+
    | validate_password_check_user_name    | OFF    |
    | validate_password_dictionary_file    |        |
    | validate_password_length             | 8      |
    | validate_password_mixed_case_count   | 1      |
    | validate_password_number_count       | 1      |
    | validate_password_policy             | STRONG |
    | validate_password_special_char_count | 1      |
    +--------------------------------------+--------+
    

    说明:
    validate-password=ON/OFF/FORCE/FORCE_PLUS_PERMANENT: 决定是否使用该插件(及强制/永久强制使用)。

    validate_password_dictionary_file:插件用于验证密码强度的字典文件路径。

    validate_password_length:密码最小长度。

    validate_password_mixed_case_count:密码至少要包含的小写字母个数和大写字母个数。

    validate_password_number_count:密码至少要包含的数字个数。

    validate_password_policy:密码强度检查等级,0/LOW、1/MEDIUM、2/STRONG。

    validate_password_special_char_count:密码至少要包含的特殊字符数。

    关于validate_password_policy-密码强度检查等级:

    Policy	        Tests Performed
    0 or LOW   	Length
    1 or MEDIUM	Length; numeric, lowercase/uppercase, and special characters
    2 or STRONG	Length; numeric, lowercase/uppercase, and special characters; dictionary file
    

    3.用户资源限制

    (1)max_user_connections
    该参数作用是设置所有用户在同一时间连接MySQL实例的最大连接数限制。但这个参数无法对每个用户区别对待。

    mysql> show global variables like '%max_user_connect%';
    +----------------------+-------+
    | Variable_name        | Value |
    +----------------------+-------+
    | max_user_connections | 0     |
    +----------------------+-------+
    1 row in set (0.00 sec)
    
    mysql> set global max_user_connections=2;
    Query OK, 0 rows affected (0.00 sec)
    
    mysql> show global variables like '%max_user_connect%';
    +----------------------+-------+
    | Variable_name        | Value |
    +----------------------+-------+
    | max_user_connections | 2     |
    +----------------------+-------+
    1 row in set (0.00 sec)
    

    (2)max_queries_per_hour
    该参数设置一个用户在一小时内可以执行查询的次数(基本包含所有语句)。

    (3)max_updates_per_hour
    该参数设置一个用户在一小时内可以执行修改的次数(仅包含修改数据库或表的语句)。

    (4)max_connections_per_hour
    该参数设置一个用户在一小时内可以连接MySQL的时间。

    从5.0.3版本开始,对用户‘test’@'%.test.com'的资源限制是指所有通过test.com域名主机连接test用户的连接,而不是分别指host1.test.com和host2.test.com主机过来的连接。

    (5)设置用户资源限制

    mysql> create user 'test1'@'localhost' identified by 'MYsql20!&'
        -> with max_queries_per_hour 20
        -> max_updates_per_hour 10
        -> max_user_connections 2;
    Query OK, 0 rows affected (0.00 sec)
    
    mysql> alter user 'test1'@'localhost' with max_queries_per_hour 100;
    Query OK, 0 rows affected (0.00 sec)
    
    取消某项资源限制既把原先的值改成0.
    
    当某个用户的max_user_connections非0时,则忽略全局系统参数对应的配置,反之则使用全局参数。
    

    4.密码过期策略

    mysql> show global variables like '%password%';
    +---------------------------------------+--------+
    | Variable_name                         | Value  |
    +---------------------------------------+--------+
    | default_password_lifetime             | 0      |
    | disconnect_on_expired_password        | ON     |
    | log_builtin_as_identified_by_password | OFF    |
    | mysql_native_password_proxy_users     | OFF    |
    | old_passwords                         | 0      |
    | report_password                       |        |
    | sha256_password_proxy_users           | OFF    |
    | validate_password_check_user_name     | OFF    |
    | validate_password_dictionary_file     |        |
    | validate_password_length              | 8      |
    | validate_password_mixed_case_count    | 1      |
    | validate_password_number_count        | 1      |
    | validate_password_policy              | STRONG |
    | validate_password_special_char_count  | 1      |
    +---------------------------------------+--------+
    14 rows in set (0.01 sec)
    

    说明:
    1)default_password_lifetime
    设置所有用户密码过期时间,0为永不过期;
    若为单独用户设置了密码过期策略,则会覆盖该参数;

    alter user 'test3'@'localhost' password expire interval 90 day;
    alter user 'test3'@'localhost' password expire never; (永不过期)
    alter user 'test3'@'localhost' password expire default; (默认过期策略)
    

    2)手动强制过期

    alter user 'test3'@'localhost' password expire;
    

    5.用户lock机制

    通过执行create user/alter user命令中带account lock/unlock子句设置用户的lock状态;
    默认创建用户是unlock状态;

    mysql> create user abc2@localhost identified by 'MY20sql!&' account lock;
    Query OK, 0 rows affected (0.00 sec)
    
    mysql> quit
    Bye
    [root@localhost ~]# mysql -uabc2 -p
    Enter password: 
    ERROR 3118 (HY000): Access denied for user 'abc2'@'localhost'. Account is locked.
    
    mysql> alter user 'abc2'@'localhost' account unlock;
    Query OK, 0 rows affected (0.00 sec)
    
    mysql> quit
    Bye
    [root@localhost ~]# mysql -uabc2 -p
    Enter password: 
    Welcome to the MySQL monitor.  Commands end with ; or g.
    Your MySQL connection id is 7
    

    6.密码生成技巧

    https://suijimimashengcheng.51240.com/

  • 相关阅读:
    2017 ICPC 广西邀请赛1004 Covering
    2017 ICPC 广西邀请赛1005 CS Course
    2017-8-23 训练日记
    2017-8-22 训练日记
    2017-8-21 训练日记
    1034: [ZJOI2008]泡泡堂BNB
    1041: [HAOI2008]圆上的整点
    2017-8-19训练日记
    2017-8-18训练日记
    code force 424 A
  • 原文地址:https://www.cnblogs.com/tongxiaoda/p/7873478.html
Copyright © 2020-2023  润新知