mysql用户权限
一)用户权限管理
- 先查看用户名密码和IP是否允许连接
- 库级权限 mysql.db
- 表级权限 tables_priv
- 字段权限 columns_priv
- 管理权限 procs_priv
1)用户授权(grant)
mysql> help grant
Name: 'GRANT'
Description:
Syntax:
GRANT
priv_type [(column_list)]
[, priv_type [(column_list)]] ...
ON [object_type] priv_level
TO user [auth_option] [, user [auth_option]] ...
[REQUIRE {NONE | tls_option [[AND] tls_option] ...}]
[WITH {GRANT OPTION | resource_option} ...]
GRANT PROXY ON user
TO user [, user] ...
[WITH GRANT OPTION]
object_type: {
TABLE
| FUNCTION
| PROCEDURE
}
priv_level: {
*
| *.*
| db_name.*
| db_name.tbl_name
| tbl_name
| db_name.routine_name
}
user:
(see http://dev.mysql.com/doc/refman/5.7/en/account-names.html)
auth_option: {
IDENTIFIED BY 'auth_string'
| IDENTIFIED WITH auth_plugin
| IDENTIFIED WITH auth_plugin BY 'auth_string'
| IDENTIFIED WITH auth_plugin AS 'hash_string'
| IDENTIFIED BY PASSWORD 'hash_string'
}
tls_option: {
SSL
| X509
| CIPHER 'cipher'
| ISSUER 'issuer'
| SUBJECT 'subject'
}
resource_option: {
| MAX_QUERIES_PER_HOUR count
| MAX_UPDATES_PER_HOUR count
| MAX_CONNECTIONS_PER_HOUR count
| MAX_USER_CONNECTIONS count
}
案例1:
mysql> create database wp;
Query OK, 1 row affected (0.13 sec)
mysql> grant select,insert,update,delete,create view on wp.* to 'dev1'@'10.2.13.%' identified by 'Aa123';
Query OK, 0 rows affected, 1 warning (0.08 sec)
mysql> flush privileges;
Query OK, 0 rows affected (0.01 sec)
mysql> grant select on wp.report to 'dev2'@'10.2.13.%' identified by 'Aa123 ' with MAX_USER_CONNECTIONS 1; (授权只对某个表有查询权限)
案例2:
创建一个junior组,然后把tom和jim用户加到这各junior组,并对这个junior组进行授权(以下操作只适合5.7版本)
mysql> create user 'junior_dba'@'localhost' identified by '123456';
Query OK, 0 rows affected (5.05 sec)
mysql> create user 'tom'@'localhost' identified by '123456';
Query OK, 0 rows affected (0.01 sec)
mysql> create user 'jim'@'localhost' identified by '123456';
Query OK, 0 rows affected (0.04 sec)
mysql> grant proxy on 'junior_dba'@'localhost' to 'tom'@'localhost';
Query OK, 0 rows affected, 2 warnings (0.02 sec)
mysql> grant proxy on 'junior_dba'@'localhost' to 'jim'@'localhost';
Query OK, 0 rows affected, 2 warnings (0.00 sec)
mysql> grant select on *.* to 'junior_dba'@'localhost';
Query OK, 0 rows affected, 1 warning (0.00 s查看
mysql> show grants for 'tom'@'127.0.0.1';
+--------------------------------------------------------------+
| Grants for tom@127.0.0.1 |
+--------------------------------------------------------------+
| GRANT USAGE ON *.* TO 'tom'@'127.0.0.1' |
| GRANT PROXY ON 'junior'@'127.0.0.1' TO 'tom'@'127.0.0.1'
测试:
[root@mysqlmaster01 ~]# mysql -u tom -p
Enter password:
Welcome to the MySQL monitor. Commands end with ; or \g.
Your MySQL connection id is 6
Server version: 5.7.20-log MySQL Community Server (GPL)
Copyright (c) 2000, 2017, Oracle and/or its affiliates. All rights reserved.
Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.
Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
mysql> show databases;
+--------------------+
| Database |
+--------------------+
| information_schema |
+--------------------+
1 row in set (0.01 sec)
[root@mysqlmaster01 ~]# mysql -u junior_dba -p
Enter password:
Welcome to the MySQL monitor. Commands end with ; or \g.
Your MySQL connection id is 7
Server version: 5.7.20-log MySQL Community Server (GPL)
Copyright (c) 2000, 2017, Oracle and/or its affiliates. All rights reserved.
Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.
Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
mysql> show databases;
+--------------------+
| Database |
+--------------------+
| information_schema |
| mysql |
| performance_schema |
| sys |
+--------------------+
4 rows in set (0.00 sec)
(通过以上操作,发现tom和jim只能看到| information_schema 数据库,其他的都看不到,而junior_dba可以看到所有的)
案例3: 查看授权情况
mysql> show grants for 'dev'@'10.2.13.%';
+----------------------------------------------------------------------------------+
| Grants for dev@10.2.13.% |
+----------------------------------------------------------------------------------+
| GRANT USAGE ON *.* TO 'dev'@'10.2.13.%' |
| GRANT SELECT, INSERT, UPDATE, DELETE, CREATE VIEW ON `wp`.* TO 'dev'@'10.2.13.%' |
+----------------------------------------------------------------------------------+
2 rows in set (0.00 sec)
2)回收用户权限(revoke)
revoke回收用户权限,但是不删除用户
REVOKE
priv_type [(column_list)]
[, priv_type [(column_list)]] ...
ON [object_type] priv_level
FROM user [, user] ...
REVOKE ALL [PRIVILEGES], GRANT OPTION
FROM user [, user] ...
REVOKE PROXY ON user
FROM user [, user] ...
案例1:
mysql> revoke insert on wp.* from 'dev'@'10.2.13.%';
Query OK, 0 rows affected (0.01 sec)
mysql> show grants for 'dev'@'10.2.13.%';
+--------------------------------------------------------------------------+
| Grants for dev@10.2.13.% |
+--------------------------------------------------------------------------+
| GRANT USAGE ON *.* TO 'dev'@'10.2.13.%' |
| GRANT SELECT, UPDATE, DELETE, CREATE VIEW ON `wp`.* TO 'dev'@'10.2.13.%' |
+--------------------------------------------------------------------------+
2 rows in set (0.00 sec)
