用户和权限创建普通用户
30.2 创建普通用户
MySQL支持使用CREATE USER语句创建用户,使用GRANT语句创建用户,也可以通过操作mysql数据库下的user数据表来创建用户。
30.2.1 使用CREATE USER语句创建用户
执行CREATE USER语句时,MySQL会在user数据表中插入一条新创建的用户数据记录,语法格式如下:
CREATE USER [IF NOT EXISTS]
user [auth_option] [, user [auth_option]] ...
DEFAULT ROLE role [, role ] ...
[REQUIRE {NONE | tls_option [[AND] tls_option] ...}]
[WITH resource_option [resource_option] ...]
[password_option | lock_option] ...
user:
(see Section 6.2.4, “Specifying Account Names”)
auth_option: {
IDENTIFIED BY 'auth_string'
| IDENTIFIED BY RANDOM PASSWORD
| IDENTIFIED WITH auth_plugin
| IDENTIFIED WITH auth_plugin BY 'auth_string'
| IDENTIFIED WITH auth_plugin BY RANDOM PASSWORD
| IDENTIFIED WITH auth_plugin AS 'auth_string'
}
tls_option: {
SSL
| X509
| CIPHER 'cipher'
| ISSUER 'issuer'
| SUBJECT 'subject'
}
resource_option: {
MAX_QUERIES_PER_HOUR count
| MAX_UPDATES_PER_HOUR count
| MAX_CONNECTIONS_PER_HOUR count
| MAX_USER_CONNECTIONS count
}
password_option: {
PASSWORD EXPIRE [DEFAULT | NEVER | INTERVAL N DAY]
| PASSWORD HISTORY {DEFAULT | N}
| PASSWORD REUSE INTERVAL {DEFAULT | N DAY}
| PASSWORD REQUIRE CURRENT [DEFAULT | OPTIONAL]
| FAILED_LOGIN_ATTEMPTS N
| PASSWORD_LOCK_TIME {N | UNBOUNDED}
}
lock_option: {
ACCOUNT LOCK
| ACCOUNT UNLOCK
}
其中,部分参数说明如下:
·user:新建的用户名称。
·IDENTIFIED BY:设置用户的密码。
·IDENTIFIED WITH:为用户指定一个验证插件。
·auth_plugin:验证插件的名称。
注意:在MySQL命令行中使用CREATE USER语句创建用户时,当前登录MySQL的用户必须拥有CREATE USER权限或者mysql数据库的INSERT(插入)权限。
(1)创建用户名为binghe的MySQL用户,其主机名为localhost。
mysql> CREATE USER 'binghe'@'localhost';
Query OK, 0 rows affected (0.00 sec)
SQL语句执行成功,查看用户名为binghe的用户记录。
mysql> SELECT
-> host, user, authentication_string
-> FROM mysql.user
-> WHERE user = 'binghe';
+-----------+--------+-----------------------+
| host | user | authentication_string |
+-----------+--------+-----------------------+
| localhost | binghe | |
+-----------+--------+-----------------------+
1 row in set (0.00 sec)
结果显示,成功创建了用户名为binghe、主机为localhost的用户,此用户只能在MySQL服务所在的本地服务器连接MySQL服务。
使用新创建的binghe用户连接MySQL服务时可以不用输入密码即可连接。
[root@binghe150 ~]# mysql -ubinghe -hlocalhost
Welcome to the MySQL monitor. Commands end with ; or \g.
Your MySQL connection id is 15
Server version: 8.0.18 binghe edition
Copyright (c) 2000, 2019, Oracle and/or its affiliates. All rights reserved.
Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.
Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
mysql>
查看当前用户具有的数据库权限。
mysql> SHOW DATABASES;
+--------------------+
| Database |
+--------------------+
| information_schema |
+--------------------+
1 row in set (0.01 sec)
结果显示,当前用户只能访问information_schema数据库。
(2)MySQL在创建用户时,支持此用户在某个IP段内连接MySQL服务。例如,创建用户名为binghe的用户,在192.168.175的IP段内可连接MySQL服务。
mysql> CREATE USER 'binghe'@'192.168.175.%';
Query OK, 0 rows affected (0.00 sec)
SQL语句执行成功,查看用户名为binghe的数据记录。
mysql> SELECT
-> host, user, authentication_string
-> FROM mysql.user
-> WHERE user = 'binghe';
+---------------+--------+-----------------------+
| host | user | authentication_string |
+---------------+--------+-----------------------+
| 192.168.175.% | binghe | |
| localhost | binghe | |
+---------------+--------+-----------------------+
2 rows in set (0.00 sec)
结果显示,此时mysql数据库下的user数据表中存在两条用户名为binghe的数据记录,其中,主机名分别为192.168.175.%和localhost。主机名为192.168.175.%表明可以在192.168.175的IP段内连接MySQL服务。
注意:连接MySQL的方式和具有的数据库权限与在MySQL服务所在的本地服务器上连接MySQL的方式和具有的数据库权限相同,此处不再赘述。
(3)如果在创建MySQL用户时只指定了用户名部分,则主机名部分默认为%,表示所有的主机都可以使用当前用户名连接MySQL服务。
mysql> CREATE USER 'binghe';
Query OK, 0 rows affected (0.00 sec)
SQL语句执行成功,查看创建的用户信息。
mysql> SELECT
-> host, user, authentication_string
-> FROM mysql.user
-> WHERE user = 'binghe';
+---------------+--------+-----------------------+
| host | user | authentication_string |
+---------------+--------+-----------------------+
| % | binghe | |
| 192.168.175.% | binghe | |
| localhost | binghe | |
+---------------+--------+-----------------------+
3 rows in set (0.00 sec)
结果显示,创建的用户名为binghe的数据记录中多了一条主机名为%的数据记录。
(4)创建MySQL用户时,可以指定用户的连接密码。
mysql> CREATE USER 'binghe'@'localhost' IDENTIFIED BY '@Binghe123456';
Query OK, 0 rows affected (0.10 sec)
SQL语句执行成功,查看创建的用户信息。
mysql> SELECT
-> host, user, authentication_string
-> FROM mysql.user
-> WHERE user = 'binghe';
+---------------+--------+-------------------------------------------+
| host | user | authentication_string |
+---------------+--------+-------------------------------------------+
| % | binghe | |
| 192.168.175.% | binghe | |
| localhost | binghe | *0DEB06AA6E096EB2F26EACEE157143ADB9481B5B |
+---------------+--------+-------------------------------------------+
3 rows in set (0.00 sec)
结果显示,主机名为localhost的用户存在密码。在连接MySQL服务时,MySQL内部使用内建的身份验证机制,需要输入密码@Binghe123456才能正确连接。
[root@binghe150 ~]# mysql -ubinghe -hlocalhost -p
Enter password:
Welcome to the MySQL monitor. Commands end with ; or \g.
Your MySQL connection id is 19
Server version: 8.0.18 binghe edition
Copyright (c) 2000, 2019, Oracle and/or its affiliates. All rights reserved.
Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.
Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
mysql>
(5)如果知道密码的密文,MySQL支持使用密文为用户设置密码。首先,在MySQL命令行中获取密码的密文。
mysql> SELECT password('@Binghe8888');
+-------------------------------------------+
| password('@Binghe8888') |
+-------------------------------------------+
| *8DE3948C60D9A055801212280F3E515FBC972002 |
+-------------------------------------------+
1 row in set, 1 warning (0.00 sec)
接下来,创建MySQL用户。其中,主机名为192.168.175.150,用户名为binghe。
mysql> CREATE USER 'binghe'@'192.168.175.150' IDENTIFIED BY PASSWORD '*8DE3948C60D9A055801212280F3E5
15FBC972002';
Query OK, 0 rows affected (0.10 sec)
SQL语句执行成功,需要输入密码@Binghe123456才能正确连接MySQL服务。
[root@binghe150 ~]# mysql -ubinghe –h192.168.175.150 -p
Enter password:
Welcome to the MySQL monitor. Commands end with ; or \g.
Your MySQL connection id is 19
Server version: 8.0.18 binghe edition
Copyright (c) 2000, 2019, Oracle and/or its affiliates. All rights reserved.
Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.
Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
mysql>
(6)MySQL支持在创建用户时为用户设置插件认证方式,此时需要使用IDENTIFIED WITH语句。
mysql> CREATE USER 'binghe'@'localhost'
-> IDENTIFIED WITH mysql_native_password BY '@Binghe123456';
Query OK, 0 rows affected (0.00 sec)
SQL语句执行成功,此时连接MySQL服务,需要输入密码@Binghe123456才能正确连接。
30.2.2 使用GRANT语句创建用户
使用CREATE USER语句创建用户时,只是在mysql数据库下的user数据表中添加了一条记录,并没有为用户授权。使用GRANT语句创建用户,不仅可以添加用户,而且还能为用户赋予相应的权限。语法格式如下:
GRANT
priv_type [(column_list)]
[, priv_type [(column_list)]] ...
ON [object_type] priv_level
TO user [auth_option] [, user [auth_option]] ...
[REQUIRE {NONE | tls_option [[AND] tls_option] ...}]
[WITH {GRANT OPTION | resource_option} ...]
GRANT PROXY ON user
TO user [, user] ...
[WITH GRANT OPTION]
object_type: {
TABLE
| FUNCTION
| PROCEDURE
}
priv_level: {
*
| *.*
| db_name.*
| db_name.tbl_name
| tbl_name
| db_name.routine_name
}
user:
(see Section 6.2.4, “Specifying Account Names”)
auth_option: {
IDENTIFIED BY 'auth_string'
| IDENTIFIED WITH auth_plugin
| IDENTIFIED WITH auth_plugin BY 'auth_string'
| IDENTIFIED WITH auth_plugin AS 'auth_string'
| IDENTIFIED BY PASSWORD 'auth_string'
}
tls_option: {
SSL
| X509
| CIPHER 'cipher'
| ISSUER 'issuer'
| SUBJECT 'subject'
}
resource_option: {
| MAX_QUERIES_PER_HOUR count
| MAX_UPDATES_PER_HOUR count
| MAX_CONNECTIONS_PER_HOUR count
| MAX_USER_CONNECTIONS count
}
其中,部分参数说明如下:
·priv_type:表示为用户赋予的权限类型。
·db_name:表示为用户赋予权限所在的数据库。
·tbl_name:表示为用户赋予权限所在的数据表。
·IDENTIFIED BY:表示为用户设置密码。
·WITH {GRANT OPTION | resource_option}:为用户设置GRANT权限或者资源选项。
·MAX_QUERIES_PER_HOUR count:每小时执行count次查询。
·MAX_UPDATES_PER_HOUR count:每小时执行count次更新。
·MAX_CONNECTIONS_PER_HOUR count:每小时执行count次连接。
·MAX_USER_CONNECTIONS count:每个用户可同时建立count个连接。
(1)创建用户名为binghe的用户,密码为@binghe123456,并为用户赋予所有数据表的查询权限。
mysql> GRANT SELECT ON *.* TO 'binghe'@'localhost'
-> IDENTIFIED BY '@Binghe123456';
Query OK, 0 rows affected, 1 warning (0.12 sec)
SQL语句执行成功,此时,用户名为binghe的用户具有对所有数据表的查询权限。
(2)创建用户名为binghe_database的用户,密码为@binghe123456,并为用户赋予goods数据库的查询和修改权限。
mysql> GRANT SELECT, UPDATE ON goods.* TO 'binghe_database'@'localhost'
-> IDENTIFIED BY '@Binghe123456';
Query OK, 0 rows affected, 1 warning (0.10 sec)
结果显示,SQL语句执行成功,此时用户名为binghe_database的用户具有对goods数据库的查询和修改权限。
(3)创建用户名为binghe_table的用户,密码为@Binghe123456,并为用户赋予对goods数据库下t_goods数据表的插入、删除、修改和查询权限。
mysql> GRANT INSERT, DELETE, UPDATE, SELECT
-> ON goods.t_goods TO 'binghe_table'@'localhost'
-> IDENTIFIED BY '@Binghe123456';
Query OK, 0 rows affected, 1 warning (0.02 sec)
结果显示,SQL语句执行成功。此时,用户名为binghe_table的用户具有对goods数据库下的t_goods数据表增、删、改、查的权限。
(4)创建用户名为binghe的用户,并指定IP段为192.168.175的主机能够连接MySQL服务。
mysql> GRANT SELECT ON *.* TO 'binghe'@'192.168.175.%'
-> IDENTIFIED BY '@Binghe123456';
Query OK, 0 rows affected, 1 warning (0.00 sec)
(5)创建用户名为binghe的用户,并指定所有主机能够连接MySQL服务。
mysql> GRANT SELECT ON *.* TO 'binghe'@'%'
-> IDENTIFIED BY '@Binghe123456';
Query OK, 0 rows affected, 1 warning (0.00 sec)
30.2.3 操作user数据表创建用户
MySQL将用户信息保存在mysql数据库下的user数据表中,因此可以直接操作user数据表来为MySQL创建新用户。
例如,向mysql数据库下的user数据表中插入一条用户信息,主机名为localhost,用户名为binghe_insert,密码为@Binghe123456。
mysql> INSERT INTO mysql.user
-> (Host, User, authentication_string, ssl_cipher, x509_issuer, x509_subject)
-> VALUES
-> ('localhost', 'binghe_insert', password('@Binghe123456'), '', '', '');
Query OK, 1 row affected, 1 warning (0.00 sec)
结果显示,SQL语句执行成功。接下来,查看用户名为binghe_insert的用户。
mysql> SELECT host, user, authentication_string FROM mysql.user WHERE user = 'binghe_insert';
+-----------+---------------+-------------------------------------------+
| host | user | authentication_string |
+-----------+---------------+-------------------------------------------+
| localhost | binghe_insert | *0DEB06AA6E096EB2F26EACEE157143ADB9481B5B |
+-----------+---------------+-------------------------------------------+
1 row in set (0.00 sec)
结果显示,成功向user数据表中插入了数据。使用binghe_insert用户登录MySQL。
[root@binghe151 ~]# mysql -ubinghe_insert -hlocalhost
Enter password:
Welcome to the MySQL monitor. Commands end with ; or \g.
Your MySQL connection id is 34
Server version: 5.7.24 MySQL Community Server (GPL)
Copyright (c) 2000, 2018, Oracle and/or its affiliates. All rights reserved.
Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.
Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
mysql>
结果显示,使用binghe_insert用户成功登录了MySQL。
- 点赞
- 收藏
- 关注作者
评论(0)