MySQL 数据库用户和权限管理

标签：mysq   要求   password   权限   AC   控制   inf   数据库   tca   

技能目标

• 掌握MySQL 用户管理
• 添加管理用户
• 修改密码及忘记密码修改

用户授权

数据库是信息系统中非常重要的环节，合理高效的对它进行管理是很重要的工作。通常是由拥有最高权限的管理员创建不同的管理账户，然后分配不同的操作权限，把这些账户交给相应的管理人员使用

用户管理

1: 新建用户

新建用户的命令格式如下

CREATE USER ‘username‘@‘host‘ [IDENTIFIED BY [PASSWORD]‘password‘] #大写是固定格式大括弧是一个整体再写命令的时候没有

• username 将创建的用户名
• host 指定用户允许那些主机终端可以登录，可以是IP地址、网段、指定本地用户localhost、如果让该用户可以从任意远程主机登录可以用通配符%
• password 设置登录的密码

下面是MySQL安装之后创建的用户密码,在数据库中显示的密码是以密文的形式保存的大大的增强了安全性

mysql> select User,authentication_string,Host from user;
+-----------+-------------------------------------------+-----------+
| User      | authentication_string                     | Host      |
+-----------+-------------------------------------------+-----------+
| root      | *0DB339632B48910F8F0BEF61BD7EAD4441267E6E | localhost |
| mysql.sys | *THISISNOTAVALIDPASSWORDTHATCANBEUSEDHERE | localhost |
+-----------+-------------------------------------------+-----------+
2 rows in set (0.01 sec)

创建新用户

mysql> create user ‘accp‘@‘localhost‘ identified by ‘123123‘;
Query OK, 0 rows affected (0.01 sec)
mysql> select User,authentication_string,Host from user;
+-----------+-------------------------------------------+-----------+
| User      | authentication_string                     | Host      |
+-----------+-------------------------------------------+-----------+
| root      | *0DB339632B48910F8F0BEF61BD7EAD4441267E6E | localhost |
| mysql.sys | *THISISNOTAVALIDPASSWORDTHATCANBEUSEDHERE | localhost |
| accp      | *E56A114692FE0DE073F9A1DD68A00EEB9703F3F1 | localhost |
+-----------+-------------------------------------------+-----------+
3 rows in set (0.00 sec)

删除用户命令格式如下

DROP USER ‘username‘@‘host‘

mysql> drop user ‘accp‘@‘localhost‘; #删除accp
Query OK, 0 rows affected (0.00 sec)

mysql> select User,authentication_string,Host from user;
+-----------+-------------------------------------------+-----------+
| User      | authentication_string                     | Host      |
+-----------+-------------------------------------------+-----------+
| root      | *0DB339632B48910F8F0BEF61BD7EAD4441267E6E | localhost |
| mysql.sys | *THISISNOTAVALIDPASSWORDTHATCANBEUSEDHERE | localhost |
| bent      | *437F1809645E0A92DAB553503D2FE21DB91270FD | localhost |
+-----------+-------------------------------------------+-----------+
3 rows in set (0.00 sec)

用户重命名，格式如下

RENAME USER ‘old_user‘@‘host‘ TO ‘new_user‘ @ ‘host‘

mysql> select User,authentication_string,Host from user;  #这边我们把bent重命名为accp
+-----------+-------------------------------------------+-----------+
| User      | authentication_string                     | Host      |
+-----------+-------------------------------------------+-----------+
| root      | *0DB339632B48910F8F0BEF61BD7EAD4441267E6E | localhost |
| mysql.sys | *THISISNOTAVALIDPASSWORDTHATCANBEUSEDHERE | localhost |
| bent      | *437F1809645E0A92DAB553503D2FE21DB91270FD | localhost |
+-----------+-------------------------------------------+-----------+
3 rows in set (0.00 sec)
mysql> rename user ‘bent‘@‘localhost‘ to ‘accp‘@‘localhost‘ ;
Query OK, 0 rows affected (0.00 sec)

mysql> select User,authentication_string,Host from user;
+-----------+-------------------------------------------+-----------+
| User      | authentication_string                     | Host      |
+-----------+-------------------------------------------+-----------+
| root      | *0DB339632B48910F8F0BEF61BD7EAD4441267E6E | localhost |
| mysql.sys | *THISISNOTAVALIDPASSWORDTHATCANBEUSEDHERE | localhost |
| accp      | *437F1809645E0A92DAB553503D2FE21DB91270FD | localhost |
+-----------+-------------------------------------------+-----------+
3 rows in set (0.00 sec)

给用户设置密码

1：给当前用户设置密码

SET PASSWORD=PASSWORD(‘password‘)

mysql> select User,authentication_string,Host from user; 
+-----------+-------------------------------------------+-----------+
| User      | authentication_string                     | Host      |
+-----------+-------------------------------------------+-----------+
| root      | *0DB339632B48910F8F0BEF61BD7EAD4441267E6E | localhost |
| mysql.sys | *THISISNOTAVALIDPASSWORDTHATCANBEUSEDHERE | localhost |
| accp      | *437F1809645E0A92DAB553503D2FE21DB91270FD | localhost |
+-----------+-------------------------------------------+-----------+
3 rows in set (0.00 sec)

mysql> set password=password(‘123123‘); #当前用户是root我把root用户密码改为了"123123"与上面的root密码对比一下秘闻的区别
Query OK, 0 rows affected, 1 warning (0.00 sec)

mysql> select User,authentication_string,Host from user;
+-----------+-------------------------------------------+-----------+
| User      | authentication_string                     | Host      |
+-----------+-------------------------------------------+-----------+
| root      | *E56A114692FE0DE073F9A1DD68A00EEB9703F3F1 | localhost |
| mysql.sys | *THISISNOTAVALIDPASSWORDTHATCANBEUSEDHERE | localhost |
| accp      | *437F1809645E0A92DAB553503D2FE21DB91270FD | localhost |
+-----------+-------------------------------------------+-----------+
3 rows in set (0.00 sec)

2：使用超级管理员root修改其他用户密码，格式如下

SET PASSWORD FOR ‘username‘@‘host‘=PASSWORD(‘password‘);

mysql> select User,authentication_string,Host from user;
+-----------+-------------------------------------------+-----------+
| User      | authentication_string                     | Host      |
+-----------+-------------------------------------------+-----------+
| root      | *E56A114692FE0DE073F9A1DD68A00EEB9703F3F1 | localhost |
| mysql.sys | *THISISNOTAVALIDPASSWORDTHATCANBEUSEDHERE | localhost |
| accp      | *437F1809645E0A92DAB553503D2FE21DB91270FD | localhost |
+-----------+-------------------------------------------+-----------+
3 rows in set (0.00 sec)
mysql> set password for ‘accp‘@‘localhost‘=password(‘951116‘); #同样对比一下密文密码的区别
Query OK, 0 rows affected, 1 warning (0.00 sec)

mysql> select User,authentication_string,Host from user;
+-----------+-------------------------------------------+-----------+
| User      | authentication_string                     | Host      |
+-----------+-------------------------------------------+-----------+
| root      | *E56A114692FE0DE073F9A1DD68A00EEB9703F3F1 | localhost |
| mysql.sys | *THISISNOTAVALIDPASSWORDTHATCANBEUSEDHERE | localhost |
| accp      | *0DB339632B48910F8F0BEF61BD7EAD4441267E6E | localhost |
+-----------+-------------------------------------------+-----------+
3 rows in set (0.00 sec)

忘记root密码解决方法

[root@localhost ~] systemctl stop mysqld.service  #关闭服务
[root@localhost ~] netstat -ntap | grep 3306 #查看端口有没有关闭
[root@localhost ~] mysql --skip-grant-tables #会出现以下代码不要去动它重新开一个终端
2018-06-28T02:16:16.399381Z 0 [Note]   - ‘::‘ resolves to ‘::‘;
2018-06-28T02:16:16.399402Z 0 [Note] Server socket created on IP: ‘::‘.
2018-06-28T02:16:16.400217Z 0 [Note] InnoDB: Loading buffer pool(s) from /usr/local/mysql/data/ib_buffer_pool
2018-06-28T02:16:16.401959Z 0 [Note] InnoDB: Buffer pool(s) load completed at 180628 10:16:16
2018-06-28T02:16:16.410638Z 0 [Note] Executing ‘SELECT * FROM INFORMATION_SCHEMA.TABLES;‘ to get a list of tables using the deprecated partition engine. You may use the startup option ‘--disable-partition-engine-check‘ to skip this check. 
2018-06-28T02:16:16.410661Z 0 [Note] Beginning of list of non-natively partitioned tables
2018-06-28T02:16:16.423678Z 0 [Note] End of list of non-natively partitioned tables
2018-06-28T02:16:16.423748Z 0 [Note] mysqld: ready for connections.
Version: ‘5.7.17‘  socket: ‘/usr/local/mysql/mysql.sock‘  port: 3306  Source distribution

[root@localhost ~] mysql -u root #直接这样登录跳过密码选项
Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 3
Server version: 5.7.17 Source distribution

Copyright (c) 2000, 2016, Oracle and/or its affiliates. All rights reserved.

Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.

Type ‘help;‘ or ‘\h‘ for help. Type ‘\c‘ to clear the current input statement.

mysql> 

登入进去后改用户密码

mysql> update mysql.user set authentication_string=password(‘123123‘)where user=‘root‘; #修改root密码
Query OK, 1 row affected, 1 warning (0.00 sec)
Rows matched: 1  Changed: 1  Warnings: 1
mysql> flush privileges; #刷新数据库
Query OK, 0 rows affected (0.01 sec) 
[root@localhost ~]# mysql -u root -p123123
mysql: [Warning] Using a password on the command line interface can be insecure.
Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 5
Server version: 5.7.17 Source distribution

Copyright (c) 2000, 2016, Oracle and/or its affiliates. All rights reserved.

Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.

Type ‘help;‘ or ‘\h‘ for help. Type ‘\c‘ to clear the current input statement.

授权控制

再MySQL中，权限设置非常重要，分配权限可以清晰的划分责任。管理人员只需要关注完成自己的任务即可，最重要的是保证系统数据的安全

1：授予权限

（1）:权限控制主要出于安全因素，需要遵循以下原则

1）：只授予能满足需要的最小权限，防止误操作和做坏事

2）：创建用户的时候限制用户的登录主机，一般限制指定IP或者内网IP网段

3）：初始化数据库时删除没有密码的用户，MySQL安装完成是会自动创建没有密码的用户

4）：为每个用户设置满足要求的密码

5）：定期清理不需要的用户

（2）：授予权限使用GRANT命令，命令格式如下

GRANT 权限列表 ON 库名.表明 TO 用户@主机地址[IDENTIFIED BY‘密码‘]

命令个是很明确，是指定用户允许它操作某些表，对这些表拥有相应的操作权限

下面演示GRANT的使用方法

mysql> grant select on ×××表.×××信息 to ‘accp‘@‘localhost‘ identified by ‘123123‘; 
Query OK, 0 rows affected, 1 warning (0.00 sec)

上面命令的意思是使用户accp可以在主机localhost登录，连接密码是123123，它拥有对数据库（×××表.×××信息）的select权限

登录accp用户验证以下

[root@localhost ~]# mysql -u accp -p
Enter password: 
Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 9
Server version: 5.7.17 Source distribution

Copyright (c) 2000, 2016, Oracle and/or its affiliates. All rights reserved.

Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.

Type ‘help;‘ or ‘\h‘ for help. Type ‘\c‘ to clear the current input statement.

mysql> insert into imployee_英航客户表.×××信息 values (2,‘张三‘,‘广州珠海‘,‘18888888‘);
ERROR 1142 (42000): INSERT command denied to user ‘accp‘@‘localhost‘ for table ‘×××信息‘

上图显示select语句可以正常使用，但执行insert语句是没有足够权限

当当用户和主机名在列表中不存在时，用户和主机名会被自动创建，如果限制用户密码与原用密码不同时会自动覆盖原密码

mysql> select User,authentication_string,Host from user; 
+-----------+-------------------------------------------+-----------+
| User      | authentication_string                     | Host      |
+-----------+-------------------------------------------+-----------+
| root      | *0DB339632B48910F8F0BEF61BD7EAD4441267E6E | localhost |
| mysql.sys | *THISISNOTAVALIDPASSWORDTHATCANBEUSEDHERE | localhost |
| accp      | *0DB339632B48910F8F0BEF61BD7EAD4441267E6E | localhost |
+-----------+-------------------------------------------+-----------+
3 rows in set (0.00 sec)
#用户列表中只有三个用户此时，做一个用户列表中不存在用户权限
mysql> grant select on ×××表.×××信息 to ‘benet‘@‘localhost‘ identified by ‘1223123‘;
Query OK, 0 rows affected, 1 warning (0.01 sec)

mysql> select User,authentication_string,Host from user;
+-----------+-------------------------------------------+-----------+
| User      | authentication_string                     | Host      |
+-----------+-------------------------------------------+-----------+
| root      | *0DB339632B48910F8F0BEF61BD7EAD4441267E6E | localhost |
| mysql.sys | *THISISNOTAVALIDPASSWORDTHATCANBEUSEDHERE | localhost |
| benet     | *E56A114692FE0DE073F9A1DD68A00EEB9703F3F1 | localhost |
| accp      | *0DB339632B48910F8F0BEF61BD7EAD4441267E6E | localhost |
+-----------+-------------------------------------------+-----------+
4 rows in set (0.00 sec)
#上面自动创建了benet用户登陆密码为‘123123’

下面设置benet用户限制原密码为123123，我把限制密码改以新密码‘321321’然后看一下用原密码能不能登录

mysql> grant insert on ×××表.×××信息 to ‘benet‘@‘localhost‘ identified by ‘3221321‘;
Query OK, 0 rows affected, 1 warning (0.00 sec)
[root@localhost ~]# mysql -u benet -p123123
mysql: [Warning] Using a password on the command line interface can be insecure.
ERROR 1045 (28000): Access denied for user ‘benet‘@‘localhost‘ (using password: YES)
#提示你输入正确的登陆密码

查看用户权限

SHOW GRANTS FOR ‘username‘@‘主机地址‘

mysql> show grants for ‘accp‘@‘localhost‘;
+------------------------------------------------------------------------------+
| Grants for accp@localhost                                                    |
+------------------------------------------------------------------------------+
| GRANT USAGE ON *.* TO ‘accp‘@‘localhost‘                                     |
| GRANT SELECT ON "×××表"."×××信息" TO ‘accp‘@‘localhost‘            |
+------------------------------------------------------------------------------+
2 rows in set (0.00 sec)

撤销用户权限

REVOKE 权限列表 ON 数据库名.表名 FROM 用户@主机地址

mysql> revoke select on ×××表.×××信息 from ‘accp‘@‘localhost‘;
Query OK, 0 rows affected (0.00 sec)

mysql> show grants for ‘accp‘@‘localhost‘;
+------------------------------------------+
| Grants for accp@localhost                |
+------------------------------------------+
| GRANT USAGE ON *.* TO ‘accp‘@‘localhost‘ |
+------------------------------------------+
1 row in set (0.00 sec)

撤销用户所有权限

REVOKE ALL ON 数据库名.表名 FROM 用户@主机地址

MySQL 数据库用户和权限管理

标签：mysq   要求   password   权限   AC   控制   inf   数据库   tca   

原文地址：http://blog.51cto.com/13645280/2133603