mysql.user细节三问

时间：2017-12-16 23:12:34 阅读：277 评论：0 收藏：0 [点我收藏+]

标签：必须 span ext closed output current nat warnings interface

一、如何拒绝用户从某个精确ip访问数据库
假如在mysql.user表中存在用户‘mydba‘@‘192.168.85.%‘，现在想拒绝此用户从某个精确ip访问数据库

# 创建精确ip用户，分配不同的密码
mysql> create user ‘mydba‘@‘192.168.85.1‘ identified by ‘otherpwd‘;
# 精确匹配，这个ip进来的密码为otherpwd，由于密码不匹配拒绝登录

mydba@192.168.85.132,3306 [(none)]> select user,host,authentication_string from mysql.user where user=‘mydba‘;
+-------+--------------+-------------------------------------------+
| user  | host         | authentication_string                     |
+-------+--------------+-------------------------------------------+
| mydba | 192.168.85.% | *A7E26519238B6EA2F943D5FAC3CD7812AD8F87E5 |
| mydba | 192.168.85.1 | *33D5FAF1A32909300D21AB5A38FA4F215D9FCB26 |
+-------+--------------+-------------------------------------------+
2 rows in set (0.00 sec)

mydba@192.168.85.132,3306 [(none)]> select password(‘mysql5719‘),password(‘otherpwd‘);
+-------------------------------------------+-------------------------------------------+
| password(‘mysql5719‘)                     | password(‘otherpwd‘)                      |
+-------------------------------------------+-------------------------------------------+
| *A7E26519238B6EA2F943D5FAC3CD7812AD8F87E5 | *33D5FAF1A32909300D21AB5A38FA4F215D9FCB26 |
+-------------------------------------------+-------------------------------------------+
1 row in set, 2 warnings (0.00 sec)

View Code

此时用户‘mydba‘@‘192.168.85.1‘，即用户名mydba从192.168.85.1机器上访问，必须使用otherpwd才能登录
二、使用mysqladmin修改用户密码，当存在同名user(不同host)时，修改的是哪个用户的密码

mydba@192.168.85.132,3306 [(none)]> show master status;
+------------------+----------+--------------+------------------+----------------------------------------------+
| File             | Position | Binlog_Do_DB | Binlog_Ignore_DB | Executed_Gtid_Set                            |
+------------------+----------+--------------+------------------+----------------------------------------------+
| mysql-bin.000116 |     3175 |              |                  | 8ab82362-9c37-11e7-a858-000c29c1025c:1-69371 |
+------------------+----------+--------------+------------------+----------------------------------------------+
1 row in set (0.00 sec)

mydba@192.168.85.132,3306 [(none)]> exit
Bye
[root@ZST1 ~]# mysqladmin -h192.168.85.132 -P3306 -umydba -p password newpwd
Enter password: 
mysqladmin: [Warning] Using a password on the command line interface can be insecure.
Warning: Since password will be sent to server in plain text, use ssl connection to ensure password safety.
[root@ZST1 ~]#

View Code

此时修改的是哪个用户密码？‘mydba‘@‘192.168.85.1‘还是‘mydba‘@‘192.168.85.%‘？还是两者都修改了？
先说结论：看你从哪个客户端发起命令，仅修改与其匹配的current_user()对应的密码。mysqladmin中需要提供user+password以登录到MySQL中，在登录验证过程中MySQL已经对其进行精确匹配
2.1、current_user()为mydba@192.168.85.%，对应修改‘mydba‘@‘192.168.85.%‘的密码

# 前面的mysqladmin在ZST1(192.168.85.132)上执行，对应的current_user()为mydba@192.168.85.%
mydba@192.168.85.132,3306 [(none)]> select user,host,authentication_string from mysql.user where user=‘mydba‘;
+-------+--------------+-------------------------------------------+
| user  | host         | authentication_string                     |
+-------+--------------+-------------------------------------------+
| mydba | 192.168.85.% | *1FA85AA204CC12B39B20E8F1E839D11B3F9E6AA4 |
| mydba | 192.168.85.1 | *33D5FAF1A32909300D21AB5A38FA4F215D9FCB26 |
+-------+--------------+-------------------------------------------+
2 rows in set (0.01 sec)

View Code

2.2、current_user()为mydba@192.168.85.1，对应修改‘mydba‘@‘192.168.85.1‘的密码

# 从192.168.85.1上执行mysqladmin，要使用otherpwd密码才能执行
C:\Users\Administrator>mysqladmin -h192.168.85.132 -P3306 -umydba -p password newpwd1
Enter password: newpwd
mysqladmin: connect to server at ‘192.168.85.132‘ failed
error: ‘Access denied for user ‘mydba‘@‘192.168.85.1‘ (using password: YES)‘

C:\Users\Administrator>mysqladmin -h192.168.85.132 -P3306 -umydba -p password newpwd1
Enter password: otherpwd
Warning: Using a password on the command line interface can be insecure.
Warning: Server version is 5.7 or greater. The password will be sent to server in plain text. Upgrade the mysqladmin to a version that matches the server‘‘s version.

C:\Users\Administrator>

View Code

我们查看修改后的密码，以及binlog

# 查看修改后的密码，分别对应是不从客户端修改
mydba@192.168.85.132,3306 [(none)]> select user,host,authentication_string from mysql.user where user=‘mydba‘;
+-------+--------------+-------------------------------------------+
| user  | host         | authentication_string                     |
+-------+--------------+-------------------------------------------+
| mydba | 192.168.85.% | *1FA85AA204CC12B39B20E8F1E839D11B3F9E6AA4 |
| mydba | 192.168.85.1 | *12AB8416B918C0EC1528FD04A686AE12D97A4A5D |
+-------+--------------+-------------------------------------------+
2 rows in set (0.01 sec)

mydba@192.168.85.132,3306 [(none)]> select password(‘newpwd‘),password(‘newpwd1‘);
+-------------------------------------------+-------------------------------------------+
| password(‘newpwd‘)                        | password(‘newpwd1‘)                       |
+-------------------------------------------+-------------------------------------------+
| *1FA85AA204CC12B39B20E8F1E839D11B3F9E6AA4 | *12AB8416B918C0EC1528FD04A686AE12D97A4A5D |
+-------------------------------------------+-------------------------------------------+
1 row in set, 2 warnings (0.00 sec)

# 查看binlog
[root@ZST1 logs]# mysqlbinlog -vv --base64-output=decode-rows mysql-bin.000116 --start-position=3175
/*!50530 SET @@SESSION.PSEUDO_SLAVE_MODE=1*/;
/*!50003 SET @OLD_COMPLETION_TYPE=@@COMPLETION_TYPE,COMPLETION_TYPE=0*/;
DELIMITER /*!*/;
# at 3175
#171129 17:37:27 server id 1323306  end_log_pos 3240 CRC32 0xf0c57f78   GTID    last_committed=13       sequence_number=14      rbr_only=no
SET @@SESSION.GTID_NEXT= ‘8ab82362-9c37-11e7-a858-000c29c1025c:69372‘/*!*/;
# at 3240
#171129 17:37:27 server id 1323306  end_log_pos 3443 CRC32 0x8a596597   Query   thread_id=33    exec_time=0     error_code=0
SET TIMESTAMP=1511948247/*!*/;
SET @@session.pseudo_thread_id=33/*!*/;
SET @@session.foreign_key_checks=1, @@session.sql_auto_is_null=0, @@session.unique_checks=1, @@session.autocommit=1/*!*/;
SET @@session.sql_mode=1436549152/*!*/;
SET @@session.auto_increment_increment=1, @@session.auto_increment_offset=1/*!*/;
/*!\C utf8 *//*!*/;
SET @@session.character_set_client=33,@@session.collation_connection=33,@@session.collation_server=33/*!*/;
SET @@session.lc_time_names=0/*!*/;
SET @@session.collation_database=DEFAULT/*!*/;
======================== 在ZST1上执行mysqladmin修改用户密码 ========================
ALTER USER ‘mydba‘@‘192.168.85.%‘ IDENTIFIED WITH ‘mysql_native_password‘ AS ‘*1FA85AA204CC12B39B20E8F1E839D11B3F9E6AA4‘
/*!*/;
# at 3443
#171129 17:43:44 server id 1323306  end_log_pos 3508 CRC32 0xfdf414d2   GTID    last_committed=14       sequence_number=15      rbr_only=no
SET @@SESSION.GTID_NEXT= ‘8ab82362-9c37-11e7-a858-000c29c1025c:69373‘/*!*/;
# at 3508
#171129 17:43:44 server id 1323306  end_log_pos 3711 CRC32 0xe72ec7fb   Query   thread_id=36    exec_time=0     error_code=0
SET TIMESTAMP=1511948624/*!*/;
======================== 在宿主机上执行mysqladmin修改用户密码 ========================
ALTER USER ‘mydba‘@‘192.168.85.1‘ IDENTIFIED WITH ‘mysql_native_password‘ AS ‘*12AB8416B918C0EC1528FD04A686AE12D97A4A5D‘
/*!*/;
SET @@SESSION.GTID_NEXT= ‘AUTOMATIC‘ /* added by mysqlbinlog */ /*!*/;
DELIMITER ;
# End of log file
/*!50003 SET COMPLETION_TYPE=@OLD_COMPLETION_TYPE*/;
/*!50530 SET @@SESSION.PSEUDO_SLAVE_MODE=0*/;
[root@ZST1 logs]#

View Code

两个ALTER USER对应两次mysqladmin修改用户密码
三、drop user ‘mydba‘，没有指明host，它删除是哪个用户

mydba@192.168.85.132,3306 [(none)]> drop user ‘mydba‘;
ERROR 1396 (HY000): Operation DROP USER failed for ‘mydba‘@‘%‘
mydba@192.168.85.132,3306 [(none)]>

View Code

根据错误信息，它删除的是用户‘mydba‘@‘%‘

mysql.user细节三问

标签：必须 span ext closed output current nat warnings interface

原文地址：http://www.cnblogs.com/Uest/p/7922054.html

踩

(0)

评论一句话评论（0）

分享档案

更多>

2021年07月29日 (22)
2021年07月28日 (40)
2021年07月27日 (32)
2021年07月26日 (79)
2021年07月23日 (29)
2021年07月22日 (30)
2021年07月21日 (42)
2021年07月20日 (16)
2021年07月19日 (90)
2021年07月16日 (35)

周排行