MySQL--10.创建 MySQL 用户及赋予用户权限
0.1 使用语法:
通过在 mysql 中输入 help grant 得到如下帮助信息
CREATE USER 'jeffrey'@'localhost' IDENTIFIED BY 'mypass';GRANT ALL ON db1.* TO 'jeffrey'@'localhost';GRANT SELECT ON db2.invoice TO 'jeffrey'@'localhost';GRANT USAGE ON *.* TO 'jeffrey'@'localhost' WITH MAX_QUERIES_PER_HOUR 90;
10.2 第一种创建用户及授权方法:
创建用户
mysql> create user oldboy@'localhost' identified by 'oldboy';Query OK, 0 rows affected (0.00 sec)
查看用户其权限
mysql> show grants for oldboy@'localhost';+---------------------------------------------------------------------------------------------------------------+| Grants for oldboy@localhost|+---------------------------------------------------------------------------------------------------------------+| GRANT USAGE ON *.* TO 'oldboy'@'localhost' IDENTIFIED BY PASSWORD'*7495041D24E489A0096DCFA036B166446FDDD992' |+---------------------------------------------------------------------------------------------------------------+1 row in set (0.00 sec)
授权用户权限
mysql> grant all on oldboy_gbk.* to oldboy@'localhost';Query OK, 0 rows affected (0.04 sec)mysql> show grants for oldboy@'localhost';+---------------------------------------------------------------------------------------------------------------+| Grants for oldboy@localhost|+---------------------------------------------------------------------------------------------------------------+| GRANT USAGE ON *.* TO 'oldboy'@'localhost' IDENTIFIED BY PASSWORD'*7495041D24E489A0096DCFA036B166446FDDD992' || GRANT ALL PRIVILEGES ON `oldboy_gbk`.* TO 'oldboy'@'localhost'|+---------------------------------------------------------------------------------------------------------------+2 rows in set (0.00 sec)
10.3 第二种创建用户及授权方法:
mysql> grant all on oldboy_gbk.* to oldgirl@'localhost' identified by 'oldgirl';Query OK, 0 rows affected (0.00 sec)列表说明:grant all on dbname.* to username@’lcoalhost’ identified by ‘password’授 权命令对应权限目标:库和表 用户名和客户端主机 用户密码mysql> show grants for oldgirl@'localhost';+----------------------------------------------------------------------------------------------------------------+| Grants for oldgirl@localhost|+----------------------------------------------------------------------------------------------------------------+| GRANT USAGE ON *.* TO 'oldgirl'@'localhost' IDENTIFIED BY PASSWORD'*4FD27385BB43242FE02158144D4C211F75A03F76' || GRANT ALL PRIVILEGES ON `oldboy_gbk`.* TO 'oldgirl'@'localhost'|+----------------------------------------------------------------------------------------------------------------+2 rows in set (0.00 sec)
10.4 创建用户及授权哪个网段的主机可以连接 oldboy_gbk 库
提示:如果是 web 连接数据库的用户,尽量不要授权 all,而是 select,insert,update,delete
10.4.1 第一种方法:
mysql> grant all on oldboy_gbk.* to oldgirl@'172.16.1.%' identified by 'oldgirl';Query OK, 0 rows affected (0.00 sec)%表示 172.16.1.1-255 网段
10.4.2 第二种方法:
mysql> grant all on oldboy_gbk.* to oldgirl@'172.16.1.0/255.255.255.0' identified by 'oldgirl';Query OK, 0 rows affected (0.00 sec)提示:不能这样写 oldgirl@’172.16.1.0/24’
10.5 关于 mysql 回收某个用户权限
语法格式:
REVOKE priv_type [(column_list)] [, priv_type [(column_list)]] ... ON [object_type] priv_level FROM user [, user] ...REVOKE ALL PRIVILEGES, GRANT OPTIONFROM user [, user] ...
实例:查看 oldboy 用户回收权限前的权限
mysql> show grants for oldboy@'localhost';+---------------------------------------------------------------------------------------------------------------+| Grants for oldboy@localhost|+---------------------------------------------------------------------------------------------------------------+| GRANT USAGE ON *.* TO 'oldboy'@'localhost' IDENTIFIED BY PASSWORD'*7495041D24E489A0096DCFA036B166446FDDD992' || GRANT ALL PRIVILEGES ON `oldboy_gbk`.* TO 'oldboy'@'localhost'|+---------------------------------------------------------------------------------------------------------------+3 rows in set (0.00 sec)
查看回收 oldboy 用户的 insert 权限之后的权限
mysql> REVOKE INSERT ON oldboy_gbk.* FROM 'oldboy'@'localhost';Query OK, 0 rows affected (0.00 sec)mysql> flush privileges;Query OK, 0 rows affected (0.00 sec)mysql> show grants for 'oldboy'@'localhost';+--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+| Grants for oldboy@localhost|+--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+| GRANT USAGE ON *.* TO 'oldboy'@'localhost' IDENTIFIED BY PASSWORD'*7495041D24E489A0096DCFA036B166446FDDD992'|| GRANT SELECT, UPDATE, DELETE, CREATE, DROP, REFERENCES, INDEX, ALTER,CREATE TEMPORARY TABLES, LOCK TABLES, EXECUTE, CREATE VIEW, SHOW VIEW,CREATE ROUTINE, ALTER ROUTINE, EVENT, TRIGGER ON `oldboy_gbk`.* TO'oldboy'@'localhost' |+--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+2 rows in set (0.00 sec)
10.6 企业生产环境如何授权用户权限(mysql 主库)
博客,CMS 等产品的数据库授权:
对于 web 连接用户授权尽量采用最小化原则,很多开源软件都是 web 界面安装,因此,在安装期间除了 select,insert,update,delete4 个权限外,还需要 create,drop 等比较危险的权限
mysql> grant insert,delete,update,select on blog.* to blog@'172.16.1.%' identified by 'blog';Query OK, 0 rows affected (0.00 sec)mysql> show grants for blog@'172.16.1.%';+--------------------------------------------------------------------------------------------------------------+| Grants for blog@172.16.1.%|+--------------------------------------------------------------------------------------------------------------+| GRANT USAGE ON *.* TO 'blog'@'172.16.1.%' IDENTIFIED BY PASSWORD'*A5BA49C964C6DB89302E2EA293048E9224B33F34' || GRANT SELECT, INSERT, UPDATE, DELETE ON `blog`.* TO 'blog'@'172.16.1.%'|+--------------------------------------------------------------------------------------------------------------+2 rows in set (0.00 sec)
常规情况下授权 select,insert,update,delete4 个权限即可,有的开源软件,例如 discuz bbs,
还需要 create,drop 等比较危险的权限,生成数据库表后,要收回 create、drop 权限
mysql> revoke drop,create on blog.* from blog@'172.16.1.%';Query OK, 0 rows affected (0.00 sec)to your MySQL server version for the right syntax to use near 'from blog@'172.16.1.%'' at line 1mysql> show grants for blog@'172.16.1.%';+--------------------------------------------------------------------------------------------------------------+| Grants for blog@172.16.1.%|+--------------------------------------------------------------------------------------------------------------+| GRANT USAGE ON *.* TO 'blog'@'172.16.1.%' IDENTIFIED BY PASSWORD'*A5BA49C964C6DB89302E2EA293048E9224B33F34' || GRANT SELECT, INSERT, UPDATE, DELETE ON `blog`.* TO 'blog'@'172.16.1.%'|+--------------------------------------------------------------------------------------------------------------+2 rows in set (0.00 sec)
赞 (0)