hopeless-dream

导航

MySQL 8.0用户及安全管理

用户的功能

1、登录数据库
2、管理数据库对象
注意:mysql的用户和系统登录的用户没有关系

用户的组成

用户名@'白名单'

白名单:

%
10.0.0.10
10.0.0.%
10.0.0.5%
10.0.0.0/255.255.254.0
oldguo.com
db01
127.0.0.1
localhost   ----> socket

用户的管理

创建用户(密码加密插件的区别)

sha2 : 8.0新的特性
create user test@'localhost' identified by '123456';

native: 兼容老版本
create user test@'10.0.0.%' identified with mysql_native_password by '123456';
mysql> select user,host,authentication_string,plugin from mysql.user where user='test';
+------+-----------+------------------------------------------------------------------------+-----------------------+
| user | host      | authentication_string                                                  | plugin                |
+------+-----------+------------------------------------------------------------------------+-----------------------+
| test | 10.0.0.%  | *6BB4837EB74329105EE4568DDA7DC67ED2CA2AD9                              | mysql_native_password |
| test | localhost | $A$005$N]i!&l5mc<\]LLWHVU6M3YoRDkeSbKtTpDAary4WGFMtmapVJxyNwnd0 | caching_sha2_password |
+------+-----------+------------------------------------------------------------------------+-----------------------+
2 rows in set (0.01 sec)

删除用户

mysql> drop user test@'10.0.0.%';
Query OK, 0 rows affected (0.00 sec)

修改用户

mysql> alter user test@'localhost' identified with mysql_native_password by '123';
Query OK, 0 rows affected (0.00 sec)

由于加密插件导致无法登录

  1. 主从复制
  2. 高可用
  3. 老版本开发工具
mysql>  create user test1@'%' identified  by '123456';
Query OK, 0 rows affected (0.00 sec)

用户资源管理

密码过期时间

mysql> select @@default_password_lifetime;
+-----------------------------+
| @@default_password_lifetime |
+-----------------------------+
|                           0 |             默认:密码永不过期
+-----------------------------+
1 row in set (0.00 sec)

设置密码时效

# 设置密码有效期为180天
mysql> SET PERSIST default_password_lifetime = 180; Query OK, 0 rows affected (0.00 sec) mysql> select @@default_password_lifetime; +-----------------------------+ | @@default_password_lifetime | +-----------------------------+ | 180 | +-----------------------------+ 1 row in set (0.00 sec)
CREATE USER 'test'@'localhost' PASSWORD EXPIRE INTERVAL 90 DAY;
ALTER USER test@'localhost' PASSWORD EXPIRE INTERVAL 90 DAY;
CREATE USER 'test'@'localhost' PASSWORD EXPIRE NEVER;
ALTER USER 'test'@'localhost' PASSWORD EXPIRE NEVER;

密码重用

 默认随意重复使用

password_history=6             # 6次之内不能重复使用此密码
password_reuse_interval=365     # 365天之内不能重复使用此密码

用户的锁定与解锁

ALTER USER 'app_dev'@'localhost' ACCOUNT LOCK;
ALTER USER 'app_dev'@'localhost' ACCOUNT UNLOCK;

权限管理

权限列表

mysql> show privileges;
常用权限:
Alter                   
Alter routine           
Create                  
Create routine          
Create role             
Create temporary tables 
Create view             
Create user             
Delete                  
Drop                    
Drop role               
Event                   
Execute                 
File                    
Grant option            
Index                   
Insert                  
Lock tables             
Process                 
Proxy                   
References              
Reload                  
Replication client      
Replication slave       
Select                  
Show databases          
Show view               
Shutdown                
Super                   
Trigger                 
Create tablespace       
Update                  

授权

8.0版本不能授权和设置密码一起写,多次授权同一用户是叠加权限而不是覆盖

mysql> grant all on *.* to zh@'localhost';

查看权限

mysql> show grants for zh@'localhost' ;
+----------------------------------------+
| Grants for zh@localhost                |
+----------------------------------------+
| GRANT USAGE ON *.* TO `zh`@`localhost` |         ##Usage表示只有连接库权限
+----------------------------------------+
1 row in set (0.00 sec)

对某一列授权

 回收权限

mysql> revoke delete on *.* from zh@'localhost';
Query OK, 0 rows affected (0.01 sec)

mysql> revoke select(id) on test.account from user1@'10.0.0.%';
Query OK, 0 rows affected (0.00 sec)

基于role的创建和授权

 查看所有role

生产中的用户类型权限规范

管理员 : ALL
开发   : Create ,Create routine,Create temporary tables,Create view,Delete ,Event ,Execute,Insert ,References,Select,Show databases ,Show view ,Trigger,Update 
监控  : select , replication slave , client  supper
备份  : ALL
主从  : replication slave 
业务  : insert , update , delete ,select 

posted on 2020-05-24 22:05  hopeless-dream  阅读(603)  评论(0编辑  收藏  举报