本文共 14011 字,大约阅读时间需要 46 分钟。
MySQL服务器通过MySQL权限表来控制用户对数据库的访问,MySQL权限表存放在mysql数据库里,由mysql_install_db脚本初始化。这些MySQL权限表分别user,db,table_priv,columns_priv和host。下面分别介绍一下这些表的结构和内容:
user权限表:记录允许连接到服务器的用户帐号信息,里面的权限是全局级的。
db权限表:记录各个帐号在各个数据库上的操作权限。
table_priv权限表:记录数据表级的操作权限。
columns_priv权限表:记录数据列级的操作权限。
host权限表:配合db权限表对给定主机上数据库级操作权限作更细致的控制。这个权限表不受GRANT和REVOKE语句的影响。
一、创建用户并授权(root用户)[root@mysrv ~]# mysql -u root -poracle
mysql> select version()\g| 1 2 3 4 5 6 7 8 9 10 11 | +-------------------------------------------+ | version() | +-------------------------------------------+ | 5.6 . 25 -enterprise-commercial-advanced-log | +-------------------------------------------+ 1 row in set ( 0.00 sec) |
mysql> show databases;
| 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 | +--------------------+ | Database | +--------------------+ | information_schema | | mysql | | performance_schema | | prod | | test | +--------------------+ 5 rows in set ( 0.01 sec) |
1、建立tom用户并授权(特权管理用户)mysql> grant all on prod.* to 'tom'@'%' identified by 'tom' with grant option;Query OK, 0 rows affected (0.00 sec)查看用户创建是否成功:mysql> select user,host from user ;
| 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 | +-------+-----------+ | user | host | +-------+-----------+ | tom | % | | root | 127.0. 0.1 | | root | :: 1 | | | localhost | | root | localhost | | scott | localhost | | | mysrv | | root | mysrv | +-------+-----------+ 8 rows in set ( 0.00 sec) |
查看tom用户的授权:
mysql> show grants for tom;| 1 2 3 4 5 6 7 8 9 10 11 | +----------------------------------------------------------------------------------------------------+ | Grants for tom@% | +----------------------------------------------------------------------------------------------------+ | GRANT USAGE ON *.* TO 'tom' @ '%' IDENTIFIED BY PASSWORD '*71FF744436C7EA1B954F6276121DB5D2BF68FC07' | | GRANT ALL PRIVILEGES ON `prod`.* TO 'tom' @ '%' WITH GRANT OPTION | +----------------------------------------------------------------------------------------------------+ |
GRANT 语法:
GRANT privileges (columns) ON what TO user IDENTIFIED BY "password" WITH GRANT OPTION权限列表:| 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 | ALTER: 修改表和索引。 CREATE: 创建数据库和表。 DELETE: 删除表中已有的记录。 DROP: 抛弃(删除)数据库和表。 INDEX: 创建或抛弃索引。 INSERT: 向表中插入新行。 REFERENCE: 未用。 SELECT: 检索表中的记录。 UPDATE: 修改现存表记录。 FILE: 读或写服务器上的文件。 PROCESS: 查看服务器中执行的线程信息或杀死线程。 RELOAD: 重载授权表或清空日志、主机缓存或表缓存。 SHUTDOWN: 关闭服务器。 ALL: 所有权限,ALL PRIVILEGES同义词。 USAGE: 特殊的 "无权限" 权限。 用 户账户包括 "username" 和 "host" 两部分,后者表示该用户被允许从何地接入。tom@ '%' 表示任何地址,默认可以省略。还可以是 "tom@192.168.1.%" 、 "tom@%.abc.com" 等。数据库格式为 db@table,可以是 "test.*" 或 "*.*" ,前者表示 test 数据库的所有表,后者表示所有数据库的所有表。 子句 "WITH GRANT OPTION" 表示该用户可以为其他用户分配权限。 |
2、我们用 root 再创建几个用户,然后由 test 数据库的管理员tom为他们分配权限。
mysql> create user 'tom1' identified by 'tom1' ,'tom2' identified by 'tom2';Query OK, 0 rows affected (0.00 sec)mysql> select user,host from user ;| 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 | +-------+-----------+ | user | host | +-------+-----------+ | tom | % | | tom1 | % | | tom2 | % | | root | 127.0. 0.1 | | root | :: 1 | | | localhost | | root | localhost | | scott | localhost | | | mysrv | | root | mysrv | +-------+-----------+ 10 rows in set ( 0.00 sec) |
root用户退出,tom登陆,并授权用户访问prod库
[root@mysrv ~]# mysql -u tom -ptom ERROR 1045 (28000): Access denied for user 'tom'@'localhost' (using password: YES)tom用户竟不能登陆!!!再对tom用户授权:mysql> grant all on prod.* to 'tom'@'localhost' identified by 'tom' with grant option;;Query OK, 0 rows affected (0.00 sec)mysql> show grants for tom;| 1 2 3 4 5 6 7 8 9 10 11 12 13 | +----------------------------------------------------------------------------------------------------+ | Grants for tom@% | +----------------------------------------------------------------------------------------------------+ | GRANT USAGE ON *.* TO 'tom' @ '%' IDENTIFIED BY PASSWORD '*71FF744436C7EA1B954F6276121DB5D2BF68FC07' | | GRANT ALL PRIVILEGES ON `prod`.* TO 'tom' @ '%' WITH GRANT OPTION | +----------------------------------------------------------------------------------------------------+ 2 rows in set ( 0.00 sec) |
mysql> use mysql;
Database changedmysql> select user,host from user ;| 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 | +-------+-----------+ | user | host | +-------+-----------+ | tom | % | | tom1 | % | | tom2 | % | | root | 127.0. 0.1 | | root | :: 1 | | | localhost | | root | localhost | | scott | localhost | | tom | localhost | | | mysrv | | root | mysrv | +-------+-----------+ 11 rows in set ( 0.00 sec) |
tom登陆:
[root@mysrv ~]# mysql -u tom -ptom prodmysql> select database();
+------------+| database() |+------------+| prod |+------------+1 row in set (0.01 sec)mysql> select current_user();+----------------+| current_user() |+----------------+| tom@localhost |+----------------+1 row in set (0.00 sec)创建表:mysql> show tables;+----------------+| Tables_in_prod |+----------------+| t1 |+----------------+1 row in set (0.00 sec)mysql> create table t2 as select * from t1;Query OK, 3 rows affected (0.15 sec)Records: 3 Duplicates: 0 Warnings: 0查看表信息:mysql> desc t2;| 1 2 3 4 5 6 7 8 9 10 11 12 13 | +-------+-------------+------+-----+---------+-------+ | Field | Type | Null | Key | Default | Extra | +-------+-------------+------+-----+---------+-------+ | id | int ( 11 ) | YES | | NULL | | | name | varchar( 10 ) | YES | | NULL | | +-------+-------------+------+-----+---------+-------+ 2 rows in set ( 0.01 sec) |
mysql> show create table t2;
+-------+---------------------------------------------------------------------------------------------------------------------------+| Table | Create Table |+-------+---------------------------------------------------------------------------------------------------------------------------+| t2 | CREATE TABLE `t2` ( `id` int(11) DEFAULT NULL, `name` varchar(10) DEFAULT NULL) ENGINE=InnoDB DEFAULT CHARSET=latin1 |+-------+---------------------------------------------------------------------------------------------------------------------------+1 row in set (0.01 sec)mysql> show create table t2\G;*************************** 1. row *************************** Table: t2Create Table: CREATE TABLE `t2` ( `id` int(11) DEFAULT NULL, `name` varchar(10) DEFAULT NULL) ENGINE=InnoDB DEFAULT CHARSET=latin11 row in set (0.00 sec)mysql> select * from t2;+------+-------+| id | name |+------+-------+| 10 | tom || 20 | jerry || 30 | rose |+------+-------+3 rows in set (0.00 sec)3、tom用户为tom1,tom2授权mysql> grant select on prod.* to tom1;Query OK, 0 rows affected (0.00 sec)mysql> grant select on prod.* to tom2;Query OK, 0 rows affected (0.02 sec)mysql> grant insert,update on prod.* to tom2;Query OK, 0 rows affected (0.00 sec)tom2登陆(从远程登陆):C:\Users\Administrator>mysql -h 192.168.8.240 -utom2 -ptom2mysql> select database();+------------+| database() |+------------+| NULL |+------------+1 row in set (0.00 sec)mysql> use prod;Database changedmysql> select database();+------------+| database() |+------------+| prod |+------------+1 row in set (0.00 sec)mysql> select current_user();+----------------+| current_user() |+----------------+| tom2@% |+----------------+1 row in set (0.00 sec)mysql> show grants for tom2;| 1 2 3 4 5 6 7 8 9 10 11 12 13 | +------------------------------------------------------------------+ | Grants for tom2@% | +------------------------------------------------------------------+ | GRANT USAGE ON *.* TO 'tom2' @ '%' IDENTIFIED BY PASSWORD <secret> | | GRANT SELECT, INSERT, UPDATE ON `prod`.* TO 'tom2' @ '%' | +------------------------------------------------------------------+ 2 rows in set ( 0.00 sec) |
mysql> show tables;
| 1 2 3 4 5 6 7 8 9 10 11 12 13 | +----------------+ | Tables_in_prod | +----------------+ | t1 | | t2 | +----------------+ 2 rows in set ( 0.00 sec) |
mysql> select * from t1;
| 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 | +------+-------+ | id | name | +------+-------+ | 10 | tom | | 20 | jerry | | 30 | rose | +------+-------+ 3 rows in set ( 0.00 sec) |
mysql> select * from t2;
| 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 | +------+-------+ | id | name | +------+-------+ | 10 | tom | | 20 | jerry | | 30 | rose | +------+-------+ 3 rows in set ( 0.00 sec) |
mysql> insert into t1 values (40,'john');Query OK, 1 row affected (0.00 sec)mysql> commit;Query OK, 0 rows affected (0.09 sec)mysql> select * from t1;
| 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 | +------+-------+ | id | name | +------+-------+ | 10 | tom | | 20 | jerry | | 30 | rose | | 40 | john | +------+-------+ 4 rows in set ( 0.00 sec) |
mysql> update t1 set name='ellen' where id=40;
Query OK, 1 row affected (0.01 sec)Rows matched: 1 Changed: 1 Warnings: 0mysql> select * from t1;| 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 | +------+-------+ | id | name | +------+-------+ | 10 | tom | | 20 | jerry | | 30 | rose | | 40 | ellen | +------+-------+ |
4 rows in set (0.00 sec)
mysql> delete from t1;ERROR 1142 (42000): DELETE command denied to user 'tom2'@'192.168.8.254' for table 't1'mysql> commit;Query OK, 0 rows affected (0.05 sec)mysql> select * from t1;| 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 | +------+-------+ | id | name | +------+-------+ | 10 | tom | | 20 | jerry | | 30 | rose | | 40 | ellen | +------+-------+ 4 rows in set ( 0.00 sec) |
4、回收tom2的update权限:
mysql> revoke update on prod.* from tom2;Query OK, 0 rows affected (0.00 sec)tom2再重新登陆:C:\Users\Administrator>mysql -h 192.168.8.240 -utom2 -ptom2mysql> use prod;Database changedmysql> update t1 set name='lily' where id=10;ERROR 1142 (42000): UPDATE command denied to user 'tom2'@'192.168.8.254' for table 't1'---update失败!二、修改用户口令:1、root用户修改普通用户口令mysql> set password for tom1=password('oracle');Query OK, 0 rows affected (0.01 sec)mysql> flush privileges;Query OK, 0 rows affected (0.00 sec)tom1重新登陆:C:\Users\Administrator>mysql -h 192.168.8.240 -utom1 -ptom1Warning: Using a password on the command line interface can be insecure.ERROR 1045 (28000): Access denied for user 'tom1'@'192.168.8.254' (using password: YES)---旧口令登陆失败!C:\Users\Administrator>mysql -h 192.168.8.240 -utom1 -poraclemysql>2、普通用户修改自己密码:C:\Users\Administrator>mysql -h 192.168.8.240 -utom1 -poraclemysql> set password=password('tom1');Query OK, 0 rows affected (0.00 sec)重新登陆:C:\Users\Administrator>mysql -h 192.168.8.240 -utom1 -ptom1mysql>---新密码登陆成功 !三、删除用户:
1、回收用户所有权限mysql> revoke all on prod.* from tom2;
Query OK, 0 rows affected (0.01 sec)2、删除用户mysql> drop user tom2;Query OK, 0 rows affected (0.00 sec)mysql> flush privileges;Query OK, 0 rows affected (0.00 sec)mysql> select user,host from user;| 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 | +-------+-----------+ | user | host | +-------+-----------+ | jerry | % | | rose | % | | tom | % | | tom1 | % | | root | 127.0 . 0.1 | | root | :: 1 | | | localhost | | jerry | localhost | | root | localhost | | rose | localhost | | scott | localhost | | tom | localhost | | | mysrv | | root | mysrv | +-------+-----------+ 14 rows in set ( 0.00 sec) |
------- 摘要 -------------------------------------- 创建用户:GRANT insert, update ON testdb.* TO user1@'%' IDENTIFIED BY 'password' WITH GRANT OPTION;CREATE USER user2 IDENTIFIED BY 'password';分配权限:GRANT select ON testdb.* TO user2;查看权限:SHOW GRANTS FOR user1;修改密码:SET PASSWORD FOR user1 = PASSWORD('newpwd');SET PASSWORD = PASSWORD('newpwd');移除权限:REVOKE all ON *.* FROM user1; 删除用户:DROP USER user1;数据库列表:SHOW DATABASES;数据表列表:SHOW TABLES;当前数据库:SELECT DATABASE();当前用户:SELECT USER();数据表结构:DESCRIBE table1;刷新权限:FLUSH PRIVILEGES;grant和revoke可以在几个层次上控制访问权限1,整个服务器,使用 grant ALL 和revoke ALL2,整个数据库,使用on database.*3,特点表,使用on database.table4,特定的列5,特定的存储过程 user表中host列的值的意义% 匹配所有主机localhost localhost不会被解析成IP地址,直接通过UNIXsocket连接127.0.0.1 会通过TCP/IP协议连接,并且只能在本机访问;::1 ::1就是兼容支持ipv6的,表示同ipv4的127.0.0.1 grant 普通数据用户,查询、插入、更新、删除 数据库中所有表数据的权利。grant select on testdb.* to common_user@’%’grant insert on testdb.* to common_user@’%’grant update on testdb.* to common_user@’%’grant delete on testdb.* to common_user@’%’或者,用一条 MySQL 命令来替代:grant select, insert, update, delete on testdb.* to common_user@’%’grant 数据库开发人员,创建表、索引、视图、存储过程、函数。。。等权限。grant 创建、修改、删除 MySQL 数据表结构权限。grant create on testdb.* to developer@’192.168.0.%’;grant alter on testdb.* to developer@’192.168.0.%’;grant drop on testdb.* to developer@’192.168.0.%’;grant 操作 MySQL 外键权限。grant references on testdb.* to developer@’192.168.0.%’;grant 操作 MySQL 临时表权限。grant create temporary tables on testdb.* to developer@’192.168.0.%’;grant 操作 MySQL 索引权限。grant index on testdb.* to developer@’192.168.0.%’;grant 操作 MySQL 视图、查看视图源代码 权限。grant create view on testdb.* to developer@’192.168.0.%’;grant show view on testdb.* to developer@’192.168.0.%’;grant 操作 MySQL 存储过程、函数 权限。grant create routine on testdb.* to developer@’192.168.0.%’; -- now, can show procedure statusgrant alter routine on testdb.* to developer@’192.168.0.%’; -- now, you can drop a proceduregrant execute on testdb.* to developer@’192.168.0.%’;grant 普通 DBA 管理某个 MySQL 数据库的权限。grant all privileges on testdb to dba@’localhost’其中,关键字 “privileges” 可以省略。grant 高级 DBA 管理 MySQL 中所有数据库的权限。grant all on *.* to dba@’localhost’
MySQL grant 权限,分别可以作用在多个层次上。
1. grant 作用在整个 MySQL 服务器上:grant select on *.* to dba@localhost; -- dba 可以查询 MySQL 中所有数据库中的表。grant all on *.* to dba@localhost; -- dba 可以管理 MySQL 中的所有数据库2. grant 作用在单个数据库上:grant select on testdb.* to dba@localhost; -- dba 可以查询 testdb 中的表。3. grant 作用在单个数据表上:grant select, insert, update, delete on testdb.orders to dba@localhost;4. grant 作用在表中的列上:grant select(id, se, rank) on testdb.apache_log to dba@localhost;5. grant 作用在存储过程、函数上:grant execute on procedure testdb.pr_add to ’dba’@’localhost’grant execute on function testdb.fn_add to ’dba’@’localhost’注意:修改完权限以后 一定要刷新服务,或者重启服务,刷新服务用:FLUSH PRIVILEGES。