查看当前用户
SELECT CURRENT_USER();
CREATE USER 语法
CREATE USER [IF NOT EXISTS] user [auth_option] [, user [auth_option]] ... DEFAULT ROLE role [, role ] ... [REQUIRE {NONE | tls_option [[AND] tls_option] ...}] [WITH resource_option [resource_option] ...] [password_option | lock_option] ... user: (see Section 6.2.4, “Specifying Account Names”) auth_option: { IDENTIFIED BY 'auth_string' | IDENTIFIED WITH auth_plugin | IDENTIFIED WITH auth_plugin BY 'auth_string' | IDENTIFIED WITH auth_plugin AS 'hash_string' } tls_option: { SSL | X509 | CIPHER 'cipher' | ISSUER 'issuer' | SUBJECT 'subject' } resource_option: { MAX_QUERIES_PER_HOUR count | MAX_UPDATES_PER_HOUR count | MAX_CONNECTIONS_PER_HOUR count | MAX_USER_CONNECTIONS count } password_option: { PASSWORD EXPIRE [DEFAULT | NEVER | INTERVAL N DAY] | PASSWORD HISTORY {DEFAULT | N} | PASSWORD REUSE INTERVAL {DEFAULT | N DAY} | PASSWORD REQUIRE CURRENT [DEFAULT | OPTIONAL] } lock_option: { ACCOUNT LOCK | ACCOUNT UNLOCK }
user 即账户名称,语法是 'user_name'@'host_name' ,其中主机地址可以写为 '%'表示接受任何地址的连接。
auth_option 即身份验证方式,可以指定密码以及认证插件(mysql_native_password、sha256_password、caching_sha2_password)。
tls_option 即加密连接选项
resource_option 即用户资源限制,比如每小时最大连接数
password_option 即密码额外的控制,比如设定失效时间
lock_option 账户锁定选项,由管理员上锁或者解锁(ACCOUNT LOCK | ACCOUNT UNLOCK)。
最简单的就是指定账户名+密码
CREATE USER 'jeffrey'@'localhost' IDENTIFIED BY 'password';
加上认证插件
CREATE USER 'jeffrey'@'localhost' IDENTIFIED WITH sha256_password BY 'password';
指定密码过期,以便用户第一次使用的时候需要修改密码
CREATE USER 'jeffrey'@'localhost' IDENTIFIED BY 'new_password' PASSWORD EXPIRE;
也可以指定每隔一段时间修改一次新密码
CREATE USER 'jeffrey'@'localhost' IDENTIFIED BY 'new_password' PASSWORD EXPIRE INTERVAL 180 DAY;
可以指定加密连接
-- 不使用加密连接 CREATE USER 'jeffrey'@'localhost' REQUIRE NONE; -- 使用加密连接 CREATE USER 'jeffrey'@'localhost' REQUIRE SSL; -- 使用加密连接,并要求客户端提供有效证书 CREATE USER 'jeffrey'@'localhost' REQUIRE X509; CREATE USER 'jeffrey'@'localhost' REQUIRE ISSUER 'CA颁发的有效X.509证书'; CREATE USER 'jeffrey'@'localhost' REQUIRE SUBJECT '包含主题的有效X.509证书'; CREATE USER 'jeffrey'@'localhost' REQUIRE CIPHER '指定的加密方法';
可以指定资源控制
-- 单位小时内,账户被允许查询500次,更新100次,单位小时内最大连接数不限制。最大并发连接数不限制 CREATE USER 'jeffrey'@'localhost' WITH MAX_QUERIES_PER_HOUR 500 MAX_UPDATES_PER_HOUR 100 MAX_CONNECTIONS_PER_HOUR 0 MAX_USER_CONNECTIONS 0;
可以锁定账户
-- 锁定 CREATE USER 'jeffrey'@'localhost' ACCOUNT LOCK -- 解锁 ALTER USER 'jeffrey'@'localhost' ACCOUNT UNLOCK
最后完整的命令选项大概这个样子
CREATE USER 'user_name'@'host_name' IDENTIFIED [WITH auth_plugin] BY 'auth_string' [REQUIRE NONE(SSL,X509)] [WITH MAX_QUERIES_PER_HOUR count | MAX_UPDATES_PER_HOUR count | MAX_CONNECTIONS_PER_HOUR count | MAX_USER_CONNECTIONS count] [PASSWORD EXPIRE] [ACCOUNT LOCK]
如果你要删除账户
DROP USER 'jeffrey'@'localhost';
如果你要修改名称
RENAME USER 'jeffrey'@'localhost' TO 'jeff'@'127.0.0.1';
ALTER USER语法
ALTER USER [IF EXISTS] user [auth_option] [, user [auth_option]] ... [REQUIRE {NONE | tls_option [[AND] tls_option] ...}] [WITH resource_option [resource_option] ...] [password_option | lock_option] ... ALTER USER [IF EXISTS] USER() user_func_auth_option ALTER USER [IF EXISTS] user DEFAULT ROLE {NONE | ALL | role [, role ] ...} user: (see Section 6.2.4, “Specifying Account Names”) auth_option: { IDENTIFIED BY 'auth_string' [REPLACE 'current_auth_string'] [RETAIN CURRENT PASSWORD] | IDENTIFIED WITH auth_plugin | IDENTIFIED WITH auth_plugin BY 'auth_string' [REPLACE 'current_auth_string'] [RETAIN CURRENT PASSWORD] | IDENTIFIED WITH auth_plugin AS 'auth_string' | DISCARD OLD PASSWORD } user_func_auth_option: { IDENTIFIED BY 'auth_string' [REPLACE 'current_auth_string'] [RETAIN CURRENT PASSWORD] | DISCARD OLD PASSWORD } tls_option: { SSL | X509 | CIPHER 'cipher' | ISSUER 'issuer' | SUBJECT 'subject' } resource_option: { MAX_QUERIES_PER_HOUR count | MAX_UPDATES_PER_HOUR count | MAX_CONNECTIONS_PER_HOUR count | MAX_USER_CONNECTIONS count } password_option: { PASSWORD EXPIRE [DEFAULT | NEVER | INTERVAL N DAY] | PASSWORD HISTORY {DEFAULT | N} | PASSWORD REUSE INTERVAL {DEFAULT | N DAY} | PASSWORD REQUIRE CURRENT [DEFAULT | OPTIONAL] } lock_option: { ACCOUNT LOCK | ACCOUNT UNLOCK }
选项和创建的差不多,这里不做解释了。
修改自己当前的密码
ALTER USER USER() IDENTIFIED BY 'new_password';
修改账户密码
ALTER USER 'jeffrey'@'localhost' IDENTIFIED BY 'new_password';
修改认证插件
ALTER USER 'jeffrey'@'localhost' IDENTIFIED WITH mysql_native_password;
修改密码和插件
ALTER USER 'jeffrey'@'localhost' IDENTIFIED WITH mysql_native_password BY 'new_password';
修改角色
-- 授予自定义角色 ALTER USER 'jeffrey'@'localhost' DEFAULT ROLE your_role_name; -- 无角色 ALTER USER 'jeffrey'@'localhost' DEFAULT ROLE NONE; -- 所有角色 ALTER USER 'jeffrey'@'localhost' DEFAULT ROLE ALL;
修改加密方式
-- 只有账户密码正确,无须加密连接 ALTER USER 'jeffrey'@'localhost' REQUIRE NONE; -- 需要加密连接 ALTER USER 'jeffrey'@'localhost' REQUIRE SSL; ...
修改资源访问
-- 单位小时内,最大查询数量和更新数量 ALTER USER 'jeffrey'@'localhost' WITH MAX_QUERIES_PER_HOUR 500 MAX_UPDATES_PER_HOUR 100;
指定密码过期
ALTER USER 'jeffrey'@'localhost' PASSWORD EXPIRE;
修改锁定解锁
ALTER USER 'jeffrey'@'localhost' ACCOUNT LOCK; ALTER USER 'jeffrey'@'localhost' ACCOUNT UNLOCK;
角色相关
-- 名字规范 'role_name'@'host_name' -- 通常仅使用用户名部分指定角色名称,并隐式使用主机名部分 '%',主机名部分没有任何意义 'admin'
创建角色
-- 省略主机名,默认为 '%' CREATE ROLE 'admin', 'dev'; -- 这种也可以,但是没意义 CREATE ROLE 'app'@'localhost';
移除角色
DROP ROLE 'admin', 'dev';
GRANT语法
GRANT priv_type [(column_list)] [, priv_type [(column_list)]] ... ON [object_type] priv_level TO user_or_role [, user_or_role] ... [WITH GRANT OPTION] [AS user [WITH ROLE DEFAULT | NONE | ALL | ALL EXCEPT role [, role ] ... | role [, role ] ... ] ] } GRANT PROXY ON user_or_role TO user_or_role [, user_or_role] ... [WITH GRANT OPTION] GRANT role [, role] ... TO user_or_role [, user_or_role] ... [WITH ADMIN OPTION] object_type: { TABLE | FUNCTION | PROCEDURE } priv_level: { * | *.* | db_name.* | db_name.tbl_name | tbl_name | db_name.routine_name } user_or_role: { user | role } user: (see Section 6.2.4, “Specifying Account Names”) role: (see Section 6.2.5, “Specifying Role Names”)
GRANT语法使得管理员能够授予账户权限或者角色,但是GRANT不能再一个语句中同时授予权限和角色。
- 有ON,是授予权限
- 无ON,是授予角色
-- 授予数据库db1的所有权限给指定账户 GRANT ALL ON db1.* TO 'jeffrey'@'localhost'; -- 授予角色给指定的账户 GRANT 'role1', 'role2' TO 'user1'@'localhost', 'user2'@'localhost'; -- 授予数据库world的SELECT权限给指定的角色 GRANT SELECT ON world.* TO 'role3';
基本语法
GRANT [权限] ON [数据库名].[表名] TO 'user_name'@'localhost' ...; -- 授予所有数据库的权限 GRANT [权限] ON *.* TO 'user_name'@'localhost' ...;
注:全局权限是管理或适用于给定服务器上的所有数据库。要分配全局权限,请使用 ON *.*语法
下面是权限列表
权限范围示例
-- 数据库权限 GRANT ALL ON mydb.* TO 'user_name'@'host_name'; -- 表权限 GRANT ALL ON mydb.mytable TO 'user_name'@'host_name'; -- 列权限 GRANT SELECT (col1), INSERT (col1, col2) ON mydb.mytable TO 'user_name'@'host_name'; -- 存储过程权限 GRANT CREATE ROUTINE ON mydb.* TO 'user_name'@'host_name'; GRANT EXECUTE ON PROCEDURE mydb.myproc TO 'user_name'@'host_name';
授权之后可以使用flush命令使其立即生效
FLUSH PRIVILEGES
FLUSH语法(可以FLUSH很多东西)
FLUSH [NO_WRITE_TO_BINLOG | LOCAL] { flush_option [, flush_option] ... | tables_option } flush_option: { BINARY LOGS | ENGINE LOGS | ERROR LOGS | GENERAL LOGS | HOSTS | LOGS | PRIVILEGES | OPTIMIZER_COSTS | RELAY LOGS [FOR CHANNEL channel] | SLOW LOGS | STATUS | USER_RESOURCES } tables_option: { TABLES | TABLES tbl_name [, tbl_name] ... | TABLES WITH READ LOCK | TABLES tbl_name [, tbl_name] ... WITH READ LOCK | TABLES tbl_name [, tbl_name] ... FOR EXPORT }
比如:
FLUSH PRIVILEGES 包含了以下操作
1. 重新加载mysql系统数据库中的grant表中的权限信息,并清除caching_sha2_password身份验证插件使用的内存缓存。
2. 服务器读取包含动态特权分配的global_grants表,并注册其中的任何未注册特权。
3. 服务器通过GRANT、CREATE USER、CREATE SERVER和INSTALL PLUGIN语句将信息缓存到内存中。对应的REVOKE、DROP USER、DROP SERVER和UNINSTALL插件语句不会释放这些内存,因此对于执行许多导致缓存的语句实例的服务器,内存使用量将会增加。可以使用刷新特权释放此缓存内存。
FLUSH TABLES 包含以下操作
关闭所有打开的表,强制关闭所有正在使用的表,并刷新准备好的语句缓存。
REVOKE语法
既然可以授权,那么就可以撤销
REVOKE priv_type [(column_list)] [, priv_type [(column_list)]] ... ON [object_type] priv_level FROM user_or_role [, user_or_role] ... REVOKE ALL [PRIVILEGES], GRANT OPTION FROM user_or_role [, user_or_role] ... REVOKE PROXY ON user_or_role FROM user_or_role [, user_or_role] ... REVOKE role [, role ] ... FROM user_or_role [, user_or_role ] ... user_or_role: { user | role } user: (see Section 6.2.4, “Specifying Account Names”) role: (see Section 6.2.5, “Specifying Role Names”.
REVOKE可以实现权限或者角色的撤销(前提:拥有GRANT权限和REVOKE权限)
-- 撤销用户的INSERT权限 REVOKE INSERT ON *.* FROM 'jeffrey'@'localhost'; -- 撤销用户的指定角色 REVOKE 'role1', 'role2' FROM 'user1'@'localhost', 'user2'@'localhost'; -- 撤销角色的INSERT权限 REVOKE SELECT ON world.* FROM 'role3';
撤销所有权限(只能撤销权限,不能撤销角色)
-- 从账户或者角色上撤销所有权限 REVOKE ALL PRIVILEGES, GRANT OPTION FROM user_or_role [, user_or_role] ... -- 撤销账户 REVOKE ALL PRIVILEGES, GRANT OPTION FROM 'jeffrey'@'localhost' -- 撤销角色 REVOKE ALL PRIVILEGES, GRANT OPTION FROM 'role3'
在全局上撤销权限(*.*)
-- 全局上撤销所有权限 REVOKE ALL ON *.* FROM 'jeffrey'@'localhost';