MySQL series: 12 user management 2 authorization

Straight to the point

The previous article covered authentication in MySQL user management. Once a client has authenticated successfully, each subsequent operation is subject to privilege checks: data privileges such as the user's select, insert and update rights, and administrative privileges such as shutdown, process and file.

MySQL authorized groceries

Authorization level

MySQL supports authorization at several levels: global, database, table and column. Privileges on routines (procedures and functions) and other objects can also be controlled. For the specific control items, see the columns of the mysql.user table, as follows:

Management authority

The main administrative privileges in MySQL are FILE, PROCESS, SUPER, ALL, etc.

FILE: allows the user to read and write files on the server;
PROCESS: allows the user to run show PROCESSLIST to see all connected clients;
SUPER: allows the user to kill other clients' connections;
ALL: allows all privileges, except granting privileges to other users;

Note:

To grant privileges to other users, the granting user's own authorization must include the WITH GRANT OPTION clause. In the example below, the author logs in as the debian-sys-maint user (its password is in the /etc/mysql/debian.cnf file; the root user itself does not have grant permission), creates a super user and gives it WITH GRANT OPTION. The super user can then be used to authorize other users.

  • The root user tries to authorize the test1 user and fails, because the root user does not have grant permission;

  • debian-sys-maint authorizes the super user, and it succeeds;

  • Authorizing the test1 user again as the super user succeeds.

GRANT authorization

MySQL uses the grant statement to authorize users, in the following format:

GRANT XXX1 ON database.XXX2 TO 'user'@'hostname' [ with grant option ]

where:

  • XXX1 identifies the specific privileges, such as select, insert, all privileges, etc.; multiple privileges are separated by commas, as follows:

mysql> grant all privileges on  *.* TO 'test1'@'%' WITH GRANT OPTION;
Query OK, 0 rows affected (0.16 sec)

  • with grant option means the grant right is passed on: with this clause, the authorized user can in turn grant the same privileges to other users;
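The post's test1 example grants ALL PRIVILEGES ON *.* WITH GRANT OPTION, which is global, unrestricted and re-grantable. As an added example (not from the original post), the same GRANT syntax is used below at the database, table, column and routine levels mentioned earlier; the database, tables, procedure, account names and the 10.0.1.% host mask are constructed placeholders.

```sql
-- Added example: least-privilege grants at each authorization level.
-- appdb, orders, customers, monthly_totals, app_rw, reporter and the
-- 10.0.1.% host mask are constructed placeholders. MySQL 5.7 / 8.0 syntax.

-- Objects must exist before table-, column- or routine-level grants.
CREATE DATABASE IF NOT EXISTS appdb;
CREATE TABLE IF NOT EXISTS appdb.orders    (id INT PRIMARY KEY, amount DECIMAL(10,2));
CREATE TABLE IF NOT EXISTS appdb.customers (id INT PRIMARY KEY, email VARCHAR(255), created_at DATETIME);
CREATE PROCEDURE appdb.monthly_totals() SELECT COUNT(*) FROM appdb.orders;

-- Accounts first (GRANT no longer creates users in 8.0). The host part limits
-- where the account may connect from; '%' as in the post allows any host.
CREATE USER 'app_rw'@'10.0.1.%'   IDENTIFIED BY 'change-me-app';
CREATE USER 'reporter'@'10.0.1.%' IDENTIFIED BY 'change-me-report';

-- Database level (stored in mysql.db): read/write inside appdb only.
GRANT SELECT, INSERT, UPDATE, DELETE ON appdb.* TO 'app_rw'@'10.0.1.%';

-- Table level (mysql.tables_priv): the reporter may read one table.
GRANT SELECT ON appdb.orders TO 'reporter'@'10.0.1.%';

-- Column level (mysql.columns_priv): expose only the non-sensitive columns
-- of customers; the email column stays out of reach.
GRANT SELECT (id, created_at) ON appdb.customers TO 'reporter'@'10.0.1.%';

-- Routine level (mysql.procs_priv): allow one procedure call instead of
-- direct access to whatever tables the procedure touches.
GRANT EXECUTE ON PROCEDURE appdb.monthly_totals TO 'reporter'@'10.0.1.%';

-- No WITH GRANT OPTION on either account: an application account that can
-- re-grant its privileges lets one compromised credential create more.

-- Verify what the server will actually enforce.
SHOW GRANTS FOR 'app_rw'@'10.0.1.%';
SHOW GRANTS FOR 'reporter'@'10.0.1.%';

-- A privilege is revoked at the level it was granted.
REVOKE DELETE ON appdb.* FROM 'app_rw'@'10.0.1.%';
```

Run it as an account that itself holds these privileges WITH GRANT OPTION (the post's super user, for instance); SHOW GRANTS afterwards lists one line per level, which is how the scoped entries in mysql.db, mysql.tables_priv, mysql.columns_priv and mysql.procs_priv appear to a DBA.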

Show user's grant permissions

  • Display the grant permissions of the current user
mysql> show grants;
+----------------------------------------------------------------------+
| Grants for super@localhost                                           |
+----------------------------------------------------------------------+
| GRANT ALL PRIVILEGES ON *.* TO 'super'@'localhost' WITH GRANT OPTION |
+----------------------------------------------------------------------+
1 row in set (0.00 sec)

mysql> show grants for current_user();
+----------------------------------------------------------------------+
| Grants for super@localhost                                           |
+----------------------------------------------------------------------+
| GRANT ALL PRIVILEGES ON *.* TO 'super'@'localhost' WITH GRANT OPTION |
+----------------------------------------------------------------------+
1 row in set (0.00 sec)
  • Display the specified user permissions
mysql> show grants for 'common'@'%';
+---------------------------------------------------------------+
| Grants for common@%                                           |
+---------------------------------------------------------------+
| GRANT SELECT, INSERT ON *.* TO 'common'@'%' WITH GRANT OPTION |
+---------------------------------------------------------------+
1 row in set (0.00 sec)

Grant Tables permission metadata table

MySQL stores privilege-related information, that is, metadata, in specific tables. Besides the well-known mysql.user table there are db, tables_priv, columns_priv, procs_priv, etc. For example:

  • The mysql.sys user has privileges on the sys database;

  • The tables_priv table records the user's privileges on tables;

FLUSH PRIVILEGES statement

We already know from MySQL series: 9 storage engine that tables are stored in tablespaces (files). mysqld reads the privilege-related tables into memory at startup to avoid the overhead of frequent disk access. When we modify these tables directly with update or insert, the in-memory copy is not updated. Therefore the FLUSH PRIVILEGES statement is required to instruct mysqld to reload the privilege tables.

  • A detailed explanation of the skip-grant-tables option:

As mentioned in the previous post, if you forget the MySQL login password, you can restart the server process with the skip-grant-tables option and then log in without a password to change the specified user's password. But before the change, FLUSH PRIVILEGES is needed to reload the privilege tables. The reason is that when mysqld is started with skip-grant-tables, there is no privilege table data in memory, so the password cannot be changed.

  • Conditions under which the in-memory copy of the privilege tables is refreshed automatically

When user privileges are modified with create user, grant, revoke and similar statements, MySQL refreshes the in-memory copy automatically (the details differ slightly between MySQL versions), whereas when the alter command is used to modify privileges, flush is required for the change to take effect.
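As an added example (not from the original post), the queries below audit the grant tables the post lists for the administrative privileges it describes, and then show the in-memory versus on-disk behaviour it explains: a direct UPDATE of mysql.user is invisible until FLUSH PRIVILEGES, while REVOKE takes effect immediately. The column names are the stock mysql.* schema (5.7 / 8.0); 'common'@'%' is the account from the post's own SHOW GRANTS output.

```sql
-- Added example: auditing the grant tables and demonstrating FLUSH PRIVILEGES.
-- Uses the stock mysql.user / mysql.db / mysql.tables_priv columns and the
-- post's 'common'@'%' account. Run as an account that may read mysql.*.

-- 1. Who holds server-admin level privileges? FILE reads/writes server files,
--    PROCESS sees every session, SUPER kills sessions, GRANT re-grants rights.
SELECT User, Host, File_priv, Process_priv, Super_priv, Grant_priv
FROM   mysql.user
WHERE  File_priv = 'Y' OR Process_priv = 'Y' OR Super_priv = 'Y' OR Grant_priv = 'Y'
ORDER  BY User, Host;

-- 2. Accounts reachable from any host ('%'); each one should be justifiable.
SELECT User, Host FROM mysql.user WHERE Host = '%';

-- 3. Global vs. scoped privileges: a 'Y' in mysql.user applies to every
--    database, whereas mysql.db and mysql.tables_priv rows are scoped.
SELECT 'global' AS level, User, Host, NULL AS Db, NULL AS Table_name
FROM   mysql.user WHERE Select_priv = 'Y' OR Insert_priv = 'Y'
UNION ALL
SELECT 'database', User, Host, Db, NULL FROM mysql.db
UNION ALL
SELECT 'table', User, Host, Db, Table_name FROM mysql.tables_priv;

-- 4. A direct edit changes only the on-disk table. SHOW GRANTS (and every
--    privilege check) is served from the in-memory copy until it is reloaded.
UPDATE mysql.user SET Insert_priv = 'N' WHERE User = 'common' AND Host = '%';
SHOW GRANTS FOR 'common'@'%';   -- still lists INSERT
FLUSH PRIVILEGES;
SHOW GRANTS FOR 'common'@'%';   -- INSERT gone: memory copy reloaded from disk

-- 5. Account-management statements update both copies in one step, so no
--    FLUSH PRIVILEGES is needed after them.
REVOKE SELECT ON *.* FROM 'common'@'%';
SHOW GRANTS FOR 'common'@'%';
```

Queries 1 to 3 are read-only and suit a scheduled check; steps 4 and 5 change the common account and are meant for a test instance.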

Reclaim account permissions

Account privileges can be reclaimed with the revoke XXX from command, as follows:

mysql> show grants for 'common'@'%' ;
+---------------------------------------------------------------+
| Grants for common@%                                           |
+---------------------------------------------------------------+
| GRANT SELECT, INSERT ON *.* TO 'common'@'%' WITH GRANT OPTION |
+---------------------------------------------------------------+
1 row in set (0.00 sec)

mysql> revoke INSERT ON *.* from 'common'@'%';
Query OK, 0 rows affected (0.03 sec)

mysql> show grants for 'common'@'%' ;
+-------------------------------------------------------+
| Grants for common@%                                   |
+-------------------------------------------------------+
| GRANT SELECT ON *.* TO 'common'@'%' WITH GRANT OPTION |
+-------------------------------------------------------+
1 row in set (0.00 sec)

SHOW PROCESSLIST

This command displays the thread IDs of all connected clients (not all threads of the mysqld daemon) and the commands they are executing. MySQL creates a thread for each connection (thread_handling option, one-thread-per-connection). As follows:

mysql> SHOW PROCESSLIST;
+----+-------+-----------+------+---------+------+----------+------------------+
| Id | User  | Host      | db   | Command | Time | State    | Info             |
+----+-------+-----------+------+---------+------+----------+------------------+
| 11 | super | localhost | NULL | Query   |    0 | starting | SHOW PROCESSLIST |
| 12 | root  | localhost | NULL | Sleep   |    6 |          | NULL             |
+----+-------+-----------+------+---------+------+----------+------------------+
2 rows in set (0.00 sec)

Set account resource limits

The last columns of the mysql.user table hold resource-limit information, such as the number of simultaneous connections allowed for the same user. As follows:

Description:

  1. First run alter user 'common'@'%' with MAX_USER_CONNECTIONS 1; to set the maximum number of connections for the user to 1;
  2. Open two windows and connect at the same time; the second connection reports that the connection limit has been exceeded, while the first connection succeeds (see show processlist).
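As an added example (not from the original post), the statements below apply the post's MAX_USER_CONNECTIONS limit to 'common'@'%' together with the per-hour limits stored in the same mysql.user columns, show where to read them back, and reset the counters without a restart. The per-hour values are constructed placeholders.

```sql
-- Added example: account resource limits on the post's 'common'@'%' account.
-- The numeric limits are constructed placeholders; size them from observed load.

-- Step 1 of the post, plus per-hour ceilings: a leaked credential or a
-- runaway client then cannot monopolise the server through this account.
ALTER USER 'common'@'%'
  WITH MAX_USER_CONNECTIONS 1
       MAX_QUERIES_PER_HOUR 1000
       MAX_UPDATES_PER_HOUR 100
       MAX_CONNECTIONS_PER_HOUR 60;

-- The limits live in the last columns of mysql.user; 0 means no limit.
SELECT User, Host, max_questions, max_updates, max_connections, max_user_connections
FROM   mysql.user
WHERE  User = 'common' AND Host = '%';

-- Step 2 of the post: a second concurrent login as common is now refused with
-- an error saying the account has exceeded the 'max_user_connections'
-- resource, while the first session stays visible in SHOW PROCESSLIST.

-- Per-hour counters are kept in memory. Reset them without restarting mysqld,
-- for example after raising a limit that a legitimate batch job tripped.
FLUSH USER_RESOURCES;

-- Setting a limit to 0 removes that ceiling again (the server default).
ALTER USER 'common'@'%' WITH MAX_USER_CONNECTIONS 0;
```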

Summary

The above two posts described MySQL's authentication and authorization mechanisms in detail. The control details differ slightly between MySQL versions. In practice, readers should set application users' privileges appropriately for their specific scenario and version, so that the MySQL database runs safely and stably.

Origin blog.csdn.net/zhaogang1993/article/details/100052052