MySQL权限和用户管理

Mysql权限系统（由mysql权限表进行控制user和db）通过下面两个方面进行认证：

1）对于连接的用户进行身份验证，合法的通过验证，不合法的拒绝连接。

2）对于通过连接认证的用户，可以在合法的范围内对数据库进行操作。

Mysql的权限表在数据库启动时就被载入内存，当用户通过身份认证后，就可以在内存中进行相应的权限存取，对数据库进行相应的操作。在权限存取的过程中，mysql数据库会用到其内部“mysql”数据库的user、db、host权限表。其中最重要的是user权限表，其内容主要分为：用户列、权限列、安全列和资源控制列。

当用户进行连接时，mysql数据库进行了以下两个过程：

1）先从user表中的host、user、password三个字段中判断连接的ip、用户和密码是否存在于表中，如果存在则通过验证，否则验证失败。

2）对于通过验证的用户，则通过以下权限表获取用户对数据库的操作权限：

user-->db-->tables_priv-->columns_priv。这几个权限表中，权限范围依次递减，全局权限覆盖局部权限。

一、MySQL用户账号管理

1、创建账号：

两种方法，grant语法创建用户账号或直接修改授权表，生产中更倾向于使用第一种方法进行账号创建，这里也只介绍grant语法方式进行账号的创建方法。

例1：

mysql> grant all privileges on *.* to u1@localhost identified by 'mysql' with grant option;

Query OK, 0 rows affected (0.00 sec)

mysql> select * from user where user='u1' and host='localhost'G;

*************************** 1. row ***************************

                  Host: localhost

                  User: u1

              Password: *E74858DB86EBA20BC33D0AECAE8A8108C56B17FA

           Select_priv: Y

           Insert_priv: Y

           Update_priv: Y

           Delete_priv: Y

           Create_priv: Y

             Drop_priv: Y

           Reload_priv: Y

         Shutdown_priv: Y

          Process_priv: Y

             File_priv: Y

            Grant_priv: Y

       References_priv: Y

            Index_priv: Y

            Alter_priv: Y

          Show_db_priv: Y

            Super_priv: Y

Create_tmp_table_priv: Y

      Lock_tables_priv: Y

          Execute_priv: Y

       Repl_slave_priv: Y

      Repl_client_priv: Y

      Create_view_priv: Y

        Show_view_priv: Y

   Create_routine_priv: Y

    Alter_routine_priv: Y

      Create_user_priv: Y

            Event_priv: Y

          Trigger_priv: Y

Create_tablespace_priv: Y

例2：

mysql> grant select,insert,delete,update on test1.* to u2@'%' identified by 'mysql' with grant option;

Query OK, 0 rows affected (0.00 sec)

例3：

mysql> grant usage,super,process,file on *.* to 'u3'@'%';

Query OK, 0 rows affected (0.00 sec)

2、查看账号权限

MySQL查看账号权限使用：show grants for ‘user’@’host’;

mysql> show grants for u2@'%';

+---------------------------------------------------------------------------------------------------+

| Grants for u2@%                                                                                   |

+---------------------------------------------------------------------------------------------------+

| GRANT USAGE ON *.* TO 'u2'@'%' IDENTIFIED BY PASSWORD '*E74858DB86EBA20BC33D0AECAE8A8108C56B17FA' |

| GRANT SELECT, INSERT, UPDATE, DELETE ON `test1`.* TO 'u2'@'%' WITH GRANT OPTION                   |

+---------------------------------------------------------------------------------------------------+

2 rows in set (0.00 sec)

对于MySQL5.0以后的版本，也可以使用information_schema数据库进行查看：

mysql> use information_schema;

Database changed

mysql> select * from schema_privileges where grantee="'u2'@'%'";

+----------+---------------+--------------+----------------+--------------+

| GRANTEE  | TABLE_CATALOG | TABLE_SCHEMA | PRIVILEGE_TYPE | IS_GRANTABLE |

+----------+---------------+--------------+----------------+--------------+

| 'u2'@'%' | def           | test1        | SELECT         | YES          |

| 'u2'@'%' | def           | test1        | INSERT         | YES          |

| 'u2'@'%' | def           | test1        | UPDATE         | YES          |

| 'u2'@'%' | def           | test1        | DELETE         | YES          |

+----------+---------------+--------------+----------------+--------------+

4 rows in set (0.00 sec)

3、更改账号权限

增加和回收账号权限的方法有两种，grant和revoke语句或直接修改权限表。其中grant语句增加权限与创建用户方法一致。这里介绍revoke语法：

增加用户权限：

mysql> grant usage on *.* to 'u5'@'%';

Query OK, 0 rows affected (0.00 sec)

mysql> show grants for 'u5'@'%';

+--------------------------------+

| Grants for u5@%                |

+--------------------------------+

| GRANT USAGE ON *.* TO 'u5'@'%' |

+--------------------------------+

1 row in set (0.00 sec)

mysql> grant select on *.* to 'u5'@'%';

Query OK, 0 rows affected (0.00 sec)

mysql> show grants for 'u5'@'%';

+---------------------------------+

| Grants for u5@%                 |

+---------------------------------+

| GRANT SELECT ON *.* TO 'u5'@'%' |

+---------------------------------+

1 row in set (0.00 sec)

mysql> grant insert,delete on *.* to 'u5'@'%';

Query OK, 0 rows affected (0.01 sec)

mysql> show grants for 'u5'@'%';

+-------------------------------------------------+

| Grants for u5@%                                 |

+-------------------------------------------------+

| GRANT SELECT, INSERT, DELETE ON *.* TO 'u5'@'%' |

+-------------------------------------------------+

1 row in set (0.00 sec)

回收用户权限：

mysql> revoke delete on *.* from 'u5'@'%';

Query OK, 0 rows affected (0.00 sec)

mysql> show grants for 'u5'@'%';

+-----------------------------------------+

| Grants for u5@%                         |

+-----------------------------------------+

| GRANT SELECT, INSERT ON *.* TO 'u5'@'%' |

+-----------------------------------------+

1 row in set (0.00 sec)

mysql> revoke select,insert on *.* from 'u5'@'%';

Query OK, 0 rows affected (0.00 sec)

mysql> show grants for 'u5'@'%';

+--------------------------------+

| Grants for u5@%                |

+--------------------------------+

| GRANT USAGE ON *.* TO 'u5'@'%' |

+--------------------------------+

1 row in set (0.00 sec)

mysql> revoke usage on *.* from 'u5'@'%';

Query OK, 0 rows affected (0.00 sec)

mysql> show grants for 'u5'@'%';

+--------------------------------+

| Grants for u5@%                |

+--------------------------------+

| GRANT USAGE ON *.* TO 'u5'@'%' |

+--------------------------------+

1 row in set (0.00 sec)

注意：revoke无法回收usage登录权限，也就是说revoke不能删除mysql用户。

4、修改账号密码

1）方法一：mysqladmin在命令行执行密码：用户需要有super权限。

[root@faspdev bin]# ./mysqladmin -uroot -hlocalhost -P3306 password 'mysql'

Warning: Using a password on the command line interface can be insecure.

[root@faspdev bin]# ./mysql -uroot

ERROR 1045 (28000): Access denied for user 'root'@'localhost' (using password: NO)

[root@faspdev bin]# ./mysql -uroot -p

Enter password:

Welcome to the MySQL monitor.  Commands end with ; or g.

Your MySQL connection id is 28

Server version: 5.6.31 Source distribution

Copyright (c) 2000, 2016, Oracle and/or its affiliates. All rights reserved.

Oracle is a registered trademark of Oracle Corporation and/or its

affiliates. Other names may be trademarks of their respective

owners.

Type 'help;' or 'h' for help. Type 'c' to clear the current input statement.

mysql>

2）方法二：set password语句更改用户密码：

mysql> set password for 'u1'@'localhost'=password('oracle');

Query OK, 0 rows affected (0.00 sec)

[root@faspdev bin]# ./mysql -uu1 -hlocalhost -p

Enter password:

Welcome to the MySQL monitor.  Commands end with ; or g.

Your MySQL connection id is 42

Server version: 5.6.31 Source distribution

Copyright (c) 2000, 2016, Oracle and/or its affiliates. All rights reserved.

Oracle is a registered trademark of Oracle Corporation and/or its

affiliates. Other names may be trademarks of their respective

owners.

Type 'help;' or 'h' for help. Type 'c' to clear the current input statement.

mysql>

修改自己密码可以省略for：

mysql> set password=password('mysql');

Query OK, 0 rows affected (0.00 sec)

3）方法三：grant的identified by子句直接指定用户密码：

mysql> grant usage on *.* to 'u1'@'localhost' identified by 'oracle';

Query OK, 0 rows affected (0.00 sec)

4）直接更改mysql数据库的user表，在更改密码时也可以直接使用md5加密后的密文：注意password函数的使用时机。

略

5、删除mysql账户方法

删除mysql用户有两种方法，drop user和直接修改user表：

mysql> drop user 't1'@'localhost';

Query OK, 0 rows affected (0.00 sec)

6、账号资源限制

MySQL的资源限制包括以下内容：

1）单个账户每小时执行查询次数；

2）单个账户每小时执行更新次数；

3）单个账户每小时连接数据库次数；

4）单个账户每小时并发连接数据库次数。

设置资源限制的语法如下：

grant ... with option;

其中option可以是以下几个：

1）max_queries_per_hour count;每小时最大查询次数；

2）Max_updates_per_hour count;每小时最多更新次数；

3）Max_connections_per_hour count;每小时最大连接次数；

4）Max_User_connections count;最大用户并发连接数（mysql系统全局Max_User_connections参数）。

例：

mysql> grant select on test.* to chavin@localhost

    -> with max_queries_per_hour 5

    -> max_user_connections 5;

Query OK, 0 rows affected (0.00 sec)

mysql> select user,max_questions,max_updates,max_connections,max_user_connections from mysql.user where user='chavin';

+--------+---------------+-------------+-----------------+----------------------+

| user   | max_questions | max_updates | max_connections | max_user_connections |

+--------+---------------+-------------+-----------------+----------------------+

| chavin |             5 |           0 |               0 |                    5 |

+--------+---------------+-------------+-----------------+----------------------+

1 row in set (0.00 sec)

[root@faspdev bin]# ./mysql -uchavin -hlocalhost

Welcome to the MySQL monitor.  Commands end with ; or g.

Your MySQL connection id is 66

Server version: 5.6.31 Source distribution

Copyright (c) 2000, 2016, Oracle and/or its affiliates. All rights reserved.

Oracle is a registered trademark of Oracle Corporation and/or its

affiliates. Other names may be trademarks of their respective

owners.

Type 'help;' or 'h' for help. Type 'c' to clear the current input statement.

mysql> use test;

Reading table information for completion of table and column names

You can turn off this feature to get a quicker startup with -A

Database changed

mysql> select * from t1;

+------+

| id   |

+------+

|    1 |

|    2 |

+------+

2 rows in set (0.00 sec)

mysql> select * from t1;

ERROR 1226 (42000): User 'chavin' has exceeded the 'max_questions' resource (current value: 5)

mysql>

清除账号资源限制方法：root用户执行flush user_resources/flush privileges/mysqladmin reload这三个命令中的任何一个进行清除。

mysql> flush privileges;

Query OK, 0 rows affected (0.00 sec)

修改或删除用户的资源限制可以将相应的资源限制项设置为0。

mysql> grant usage on *.* to chavin@localhost

    -> with max_queries_per_hour 0;

Query OK, 0 rows affected (0.00 sec)