MySQL series (11): user management, part 1: authentication

Straight to the point

Like other server software, MySQL's user management controls what each user is allowed to do, so that different users get different levels of data access and the data itself stays protected.

MySQL answers connection and query requests with a two-layer scheme: authentication and authorization. The process is as follows:

Authentication: verifying the user's identity. The MySQL client is authenticated every time it connects to the server, unless the server has been started in a mode that skips authentication.

Authorization: verifying the user's privileges. MySQL checks privileges for every request a user issues, and the operation is allowed only when the relevant privilege check succeeds.

This article will describe in detail the authentication of MySQL.

MySQL authentication odds and ends

  • User information view

The user table in the built-in mysql database stores account information: the user name (User), the user's host (Host, which is the client host), global privileges, resource limits, and so on. The table definition can be viewed as follows:

mysql> show create table mysql.user \G;
*************************** 1. row ***************************
       Table: user
Create Table: CREATE TABLE `user` (
  `Host` char(60) COLLATE utf8_bin NOT NULL DEFAULT '',
  `User` char(32) COLLATE utf8_bin NOT NULL DEFAULT '',
  `Select_priv` enum('N','Y') CHARACTER SET utf8 NOT NULL DEFAULT 'N',
  `Insert_priv` enum('N','Y') CHARACTER SET utf8 NOT NULL DEFAULT 'N',
  `Update_priv` enum('N','Y') CHARACTER SET utf8 NOT NULL DEFAULT 'N',
  `Delete_priv` enum('N','Y') CHARACTER SET utf8 NOT NULL DEFAULT 'N',
  `Create_priv` enum('N','Y') CHARACTER SET utf8 NOT NULL DEFAULT 'N',
  `Drop_priv` enum('N','Y') CHARACTER SET utf8 NOT NULL DEFAULT 'N',
  `Reload_priv` enum('N','Y') CHARACTER SET utf8 NOT NULL DEFAULT 'N',
  `Shutdown_priv` enum('N','Y') CHARACTER SET utf8 NOT NULL DEFAULT 'N',
  `Process_priv` enum('N','Y') CHARACTER SET utf8 NOT NULL DEFAULT 'N',
  `File_priv` enum('N','Y') CHARACTER SET utf8 NOT NULL DEFAULT 'N',
  `Grant_priv` enum('N','Y') CHARACTER SET utf8 NOT NULL DEFAULT 'N',
  `References_priv` enum('N','Y') CHARACTER SET utf8 NOT NULL DEFAULT 'N',
  `Index_priv` enum('N','Y') CHARACTER SET utf8 NOT NULL DEFAULT 'N',
  `Alter_priv` enum('N','Y') CHARACTER SET utf8 NOT NULL DEFAULT 'N',
  `Show_db_priv` enum('N','Y') CHARACTER SET utf8 NOT NULL DEFAULT 'N',
  `Super_priv` enum('N','Y') CHARACTER SET utf8 NOT NULL DEFAULT 'N',
  `Create_tmp_table_priv` enum('N','Y') CHARACTER SET utf8 NOT NULL DEFAULT 'N',
  `Lock_tables_priv` enum('N','Y') CHARACTER SET utf8 NOT NULL DEFAULT 'N',
  `Execute_priv` enum('N','Y') CHARACTER SET utf8 NOT NULL DEFAULT 'N',
  `Repl_slave_priv` enum('N','Y') CHARACTER SET utf8 NOT NULL DEFAULT 'N',
  `Repl_client_priv` enum('N','Y') CHARACTER SET utf8 NOT NULL DEFAULT 'N',
  `Create_view_priv` enum('N','Y') CHARACTER SET utf8 NOT NULL DEFAULT 'N',
  `Show_view_priv` enum('N','Y') CHARACTER SET utf8 NOT NULL DEFAULT 'N',
  `Create_routine_priv` enum('N','Y') CHARACTER SET utf8 NOT NULL DEFAULT 'N',
  `Alter_routine_priv` enum('N','Y') CHARACTER SET utf8 NOT NULL DEFAULT 'N',
  `Create_user_priv` enum('N','Y') CHARACTER SET utf8 NOT NULL DEFAULT 'N',
  `Event_priv` enum('N','Y') CHARACTER SET utf8 NOT NULL DEFAULT 'N',
  `Trigger_priv` enum('N','Y') CHARACTER SET utf8 NOT NULL DEFAULT 'N',
  `Create_tablespace_priv` enum('N','Y') CHARACTER SET utf8 NOT NULL DEFAULT 'N',
  `ssl_type` enum('','ANY','X509','SPECIFIED') CHARACTER SET utf8 NOT NULL DEFAULT '',
  `ssl_cipher` blob NOT NULL,
  `x509_issuer` blob NOT NULL,
  `x509_subject` blob NOT NULL,
  `max_questions` int(11) unsigned NOT NULL DEFAULT '0',
  `max_updates` int(11) unsigned NOT NULL DEFAULT '0',
  `max_connections` int(11) unsigned NOT NULL DEFAULT '0',
  `max_user_connections` int(11) unsigned NOT NULL DEFAULT '0',
  `plugin` char(64) COLLATE utf8_bin NOT NULL DEFAULT 'mysql_native_password',
  `authentication_string` text COLLATE utf8_bin,
  `password_expired` enum('N','Y') CHARACTER SET utf8 NOT NULL DEFAULT 'N',
  `password_last_changed` timestamp NULL DEFAULT NULL,
  `password_lifetime` smallint(5) unsigned DEFAULT NULL,
  `account_locked` enum('N','Y') CHARACTER SET utf8 NOT NULL DEFAULT 'N',
  PRIMARY KEY (`Host`,`User`)
) ENGINE=MyISAM DEFAULT CHARSET=utf8 COLLATE=utf8_bin COMMENT='Users and global privileges'
1 row in set (0.00 sec)

  • View all user information

mysql> select user,host from mysql.user;
+------------------+-----------+
| user             | host      |
+------------------+-----------+
| common           | %         |
| root             | %         |
| debian-sys-maint | localhost |
| mysql.session    | localhost |
| mysql.sys        | localhost |
+------------------+-----------+
5 rows in set (0.00 sec)

Note:

1. The Host column in the user table holds the client host name (not the server's host name). It can be localhost (the local machine), a wildcard pattern such as %, or an IP address;

2. If the client and the server run on the same host, you can connect with mysql without specifying the server host; otherwise you must pass the server host name or IP address when connecting, as follows:

mysql -u<username> -p<password> -h<server_host>


  • Creating a User Account

MySQL creates an account with the CREATE USER ... IDENTIFIED BY statement, as follows:

MySQL [192.168.124.12] SQL> create user 'common'@'%' identified by 'common';
Query OK, 0 rows affected (0.0523 sec)

Note:

  1. An account name has two parts, the user name and the user's host, each enclosed in single quotes;
  2. Starting with MySQL 8.0.4, the default authentication plugin for newly created users changed from mysql_native_password to caching_sha2_password, so to keep using the original password method shown above you need to change the creation statement as follows:
create USER 'root'@'localhost' IDENTIFIED WITH mysql_native_password BY '新密码';

  • Host Name Patterns

MySQL supports many host-name formats: a host name (such as localhost), a fully qualified host name (such as localhost.example.com), an IP address with an optional netmask, and the wildcard characters '%' and '_'. The wildcard '%' matches a string of any length and '_' matches a single character;

MySQL also allows anonymous users, created as follows:

mysql> CREATE USER ''@'localhost';

Note: after an anonymous user was created on version 5.7.24-0ubuntu0.16.04.1-log, named users could no longer be used. The specific reason is unknown.
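The usual cause of the symptom in the note above is MySQL's account-matching order: the server sorts mysql.user rows with the most specific Host first (literal hosts before wildcards), then the most specific User (a named user before the anonymous user ''), and uses the first row that matches the connection, so ''@'localhost' is tried before 'common'@'%' for any connection from localhost. The Python below is an added example, not code from the post, that models that rule on a constructed account list resembling the post's user table.

```python
import re


def host_matches(pattern, host):
    """Host column semantics: '%' matches any run of characters, '_' one
    character, anything else is literal (host names compare case-insensitively)."""
    regex = "".join(".*" if c == "%" else "." if c == "_" else re.escape(c)
                    for c in pattern)
    return re.fullmatch(regex, host, re.IGNORECASE) is not None


def sort_key(row):
    """Most specific first: literal hosts before wildcard hosts, wildcard
    hosts with more literal characters before shorter ones, and for equal
    hosts a named user before the anonymous user '' (a simplified model of
    the server's sort)."""
    host, user = row
    has_wildcard = any(c in host for c in "%_")
    literal_chars = sum(c not in "%_" for c in host)
    return (has_wildcard, -literal_chars, user == "")


def match_account(accounts, user, client_host):
    """Return the (Host, User) row the server would use for this connection,
    or None, which the server reports as 'Access denied'."""
    for host_pat, user_col in sorted(accounts, key=sort_key):
        if user_col in ("", user) and host_matches(host_pat, client_host):
            return (host_pat, user_col)
    return None


# Constructed sample resembling the post's `select user,host from mysql.user`
# after the anonymous ''@'localhost' account has been added.
SAMPLE_ACCOUNTS = [("%", "common"), ("%", "root"),
                   ("localhost", "debian-sys-maint"), ("localhost", "")]

if __name__ == "__main__":
    for user, host in [("common", "localhost"), ("common", "192.168.124.12"),
                       ("debian-sys-maint", "localhost")]:
        # 'common' from localhost lands on the anonymous row, not its own.
        print(f"{user}@{host} -> {match_account(SAMPLE_ACCOUNTS, user, host)}")
```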

  • Set/modify user password

The officially recommended way to change a user's password is the ALTER USER statement, as follows:

alter user 'root'@'localhost'  IDENTIFIED BY 'root';

If you started the mysqld daemon with the skip-grant-tables option because the password was forgotten, running this statement directly may fail with an error.

You need to run FLUSH PRIVILEGES first to reload the grant tables.

  • Force password to expire

When necessary, the DBA can force an application user's password to expire, as follows:

ALTER USER 'common'@'%' PASSWORD EXPIRE;

After expiry the user can still log in to mysql, but every statement other than resetting the password is rejected until a new password is set.

  • Other

MySQL also supports other plugins for authentication, such as the Linux PAM (Pluggable Authentication Modules) mechanism. In this mode MySQL itself stores no password; it delegates password checking to the operating system. The client must then use the mysql_clear_password plugin, which sends the password to the server in plain text, for example:

jwlLinux jwllinux # cat /etc/mysql/conf.d/mysql.cnf
[client]
enable-cleartext-plugin

# add by zavier 20190720
user=root
password=root
show-warnings
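The [client] section above turns on the cleartext plugin and keeps the password in the file. As an added example (not code from the post), the Python below audits such a file: it flags mysql_clear_password whenever ssl-mode does not force TLS (the client default is PREFERRED, which silently falls back to an unencrypted connection), and flags an inline password. ssl-mode and its values are real MySQL client options; the two sample files are constructed.

```python
import configparser

# Constructed sample modelled on the post's /etc/mysql/conf.d/mysql.cnf.
SAMPLE_CNF = """\
[client]
enable-cleartext-plugin

# add by zavier 20190720
user=root
password=root
show-warnings
"""

# Constructed hardened variant: TLS enforced, password prompted for instead.
FIXED_CNF = """\
[client]
enable-cleartext-plugin
ssl-mode=VERIFY_CA
user=root
password
"""

# ssl-mode values that guarantee the session is encrypted (DISABLED and
# PREFERRED do not).
SAFE_SSL_MODES = {"REQUIRED", "VERIFY_CA", "VERIFY_IDENTITY"}


def parse_cnf(text):
    """my.cnf is INI-like, but boolean options such as enable-cleartext-plugin
    have no '=value'; allow_no_value keeps them as keys mapped to None."""
    cp = configparser.ConfigParser(allow_no_value=True, interpolation=None)
    cp.optionxform = str  # keep option names exactly as written
    cp.read_string(text)
    return cp


def audit_client_section(text):
    """Return a list of findings (strings) for the [client] section."""
    cp = parse_cnf(text)
    if not cp.has_section("client"):
        return []
    # MySQL accepts dash and underscore spellings of the same option.
    opts = {k.replace("_", "-"): v for k, v in cp["client"].items()}
    findings = []
    ssl_mode = (opts.get("ssl-mode") or "PREFERRED").upper()
    if "enable-cleartext-plugin" in opts and ssl_mode not in SAFE_SSL_MODES:
        findings.append("mysql_clear_password enabled but ssl-mode=%s does not "
                        "force TLS; the password can cross the network in clear"
                        % ssl_mode)
    # A bare 'password' line means prompt; only an inline value is a finding.
    if opts.get("password") is not None:
        findings.append("password stored in plain text in the config file")
    return findings
```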

Summary

All MySQL user authentication and authorization information is recorded in the mysql.user table. Configuring authentication methods and privileges sensibly is one of the DBA's main responsibilities: it prevents both accidental damage by application users and deliberate damage by malicious ones.

Origin blog.csdn.net/zhaogang1993/article/details/100049964