MySQL user management

 

1. Privilege tables

When MySQL is installed it creates a system database named mysql. That database holds the grant tables, which store every account and every privilege the server knows about; everything GRANT, REVOKE, CREATE USER and DROP USER do is ultimately a change to these tables.

1. The user table

The user table is the most important grant table. It lists every account that is allowed to connect to the server, and the privileges recorded in it are global, that is, they apply to every database on the server. The table has 39 columns in the version this article describes (the exact count changes between releases), which fall into four groups:

1. Scope columns: Host, User and Password (renamed authentication_string in MySQL 5.7). Host and User together form the primary key, so 'alice'@'localhost' and 'alice'@'%' are two different accounts with independent privileges. When a client connects, the server looks for the row whose Host pattern matches the client's address and whose User matches the supplied user name, then verifies the credential against that row; the connection is accepted only if both the host matches and the password verifies.

2. Privilege columns: every column whose name ends in _priv, such as Select_priv and Insert_priv. Each holds Y or N. Y means the account holds that privilege globally, on every database; N means it does not hold it globally (a lower-level table may still grant it on specific objects). GRANT and REVOKE are the supported way to change these columns. An UPDATE against mysql.user also works, but it bypasses the server's checks and does not take effect until FLUSH PRIVILEGES is run.

3. Security columns: ssl_type, ssl_cipher, x509_issuer and x509_subject. ssl_type records whether the account must connect over TLS (empty means no requirement), and the x509 columns can pin the client certificate's issuer and subject so that a password alone is not enough. Older builds were shipped without TLS support; check with SHOW VARIABLES LIKE 'have_openssl' (or 'have_ssl'): a value of DISABLED means the server has no TLS support, and requiring it for an account would lock that account out. Current releases ship with TLS compiled in and enabled by default.

4. Resource control columns: four columns cap what a single account may do:

  • max_questions: queries the account may run per hour;
  • max_updates: data-modifying statements the account may run per hour;
  • max_connections: new connections the account may open per hour;
  • max_user_connections: connections the account may hold open at the same time.

The default for all four is 0, meaning no per-account limit (for max_user_connections, 0 means the global max_user_connections system variable applies instead). These limits are a cheap defence against a compromised application account being used to hammer the server.

2. The db table

The privilege columns of the user table grant privileges globally; the db table grants privileges to an account on one named database.

The db table is divided into user columns and permission columns:

2.1. User column

The user column of the db table has 3 fields:

  • Host: host name;
  • Db: database name;
  • User: username;

2.2. Permission column

The remaining *_priv are all permission columns.

Note:

The privileges in the user table apply to all databases. If Select_priv in the user table is Y, the account can read tables in every database, including the mysql system database itself.

The db table grants privileges to an account on one database only.

An account's effective privileges are the union of the two: the server first checks the user table and, if the privilege is not granted there, then checks the db table for the database in question. The db table therefore adds privileges on top of the global ones. It cannot take a global privilege away: a Y in the user table always wins, which is why global grants should be handed out sparingly.

3. The tables_priv and columns_priv tables

tables_priv grants privileges on a single table. It has 8 columns:

  • Host: host name;
  • Db: database name;
  • User: user name;
  • Table_name: table name;
  • Table_priv: privileges on the table as a whole (a SET including Select, Insert, Update, Delete, Create, Drop, Grant, References, Index, Alter, among others);
  • Column_priv: privileges the account holds on at least one column of the table (Select, Insert, Update, References);
  • Timestamp: when the row was last changed;
  • Grantor: the account that granted the privilege.

columns_priv grants privileges on a single column. It has 7 columns, with the same meanings as above:

  • Host, Db, User, Table_name, Column_name, Column_priv, Timestamp

MySQL checks privileges in the order user table -> db table -> tables_priv table -> columns_priv table. If the user table already grants the privilege globally (the column is Y), the lower tables are not consulted at all. If it does not (N), the db table is checked next, then tables_priv, then columns_priv, and the request is allowed as soon as one of them grants the privilege; if none does, it is denied.

4. The procs_priv table

The procs_priv table grants privileges on stored procedures and stored functions. It has 8 columns:

  • Host: host name;
  • Db: database name;
  • User: user name;
  • Routine_name: name of the stored procedure or function;
  • Routine_type: FUNCTION or PROCEDURE;
  • Proc_priv: the privileges held (Execute: run the routine; Alter Routine: modify or drop it; Grant: pass these privileges on to others);
  • Timestamp: when the row was last changed;
  • Grantor: the account that granted the privilege.
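The grant tables described above are also the place to audit accounts. The queries below are an added example, not part of the original article; they assume MySQL 5.7 or 8.0 column names (authentication_string, plugin, account_locked; on 5.6 and earlier use Password and drop the account_locked condition). Each query pulls out one class of risky account: wildcard hosts, global privileges that amount to server control, empty credentials, accounts not forced onto TLS, and write access to the mysql schema at lower levels.

```sql
-- Added audit queries over the MySQL grant tables (assumes 5.7/8.0 column names).
-- Run as an account with SELECT on the mysql schema.

-- 1. Accounts usable from any host ('' is equivalent to '%'), and anonymous accounts.
SELECT User, Host
FROM mysql.user
WHERE Host IN ('%', '') OR User = '';

-- 2. Global flags that give effective control of the server: SUPER, FILE (read and
--    write files as the mysqld OS user), GRANT OPTION, and global INSERT/UPDATE,
--    which includes the mysql.user table itself.
SELECT User, Host, Super_priv, File_priv, Grant_priv, Insert_priv, Update_priv
FROM mysql.user
WHERE Super_priv = 'Y' OR File_priv = 'Y' OR Grant_priv = 'Y'
   OR Insert_priv = 'Y' OR Update_priv = 'Y';

-- 3. Accounts with no stored credential that are not locked. Check the plugin
--    column before acting: auth_socket-style accounts legitimately have none.
SELECT User, Host, plugin
FROM mysql.user
WHERE authentication_string = '' AND account_locked = 'N';

-- 4. Accounts that may connect in clear text (no REQUIRE SSL / X509).
SELECT User, Host, ssl_type
FROM mysql.user
WHERE ssl_type = '';

-- 5. Database-level write access to the mysql schema: as good as global privileges,
--    since the account can edit the grant tables directly.
SELECT User, Host, Db, Insert_priv, Update_priv
FROM mysql.db
WHERE Db = 'mysql' AND (Insert_priv = 'Y' OR Update_priv = 'Y');

-- 6. Table-level grants that carry GRANT OPTION (Table_priv is a SET column).
SELECT User, Host, Db, Table_name, Table_priv
FROM mysql.tables_priv
WHERE FIND_IN_SET('Grant', Table_priv) > 0;

-- 7. Per-account resource limits; 0 means unlimited.
SELECT User, Host, max_questions, max_updates, max_connections, max_user_connections
FROM mysql.user
WHERE max_questions = 0 AND max_connections = 0;
```

Anything these queries return for an application account deserves a REVOKE or a tighter host pattern; SHOW GRANTS FOR 'user'@'host' shows the same rows rendered back as GRANT statements, which is handy when writing the matching REVOKE.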

2. Account management

Account management is the most basic part of MySQL user management. It covers the following:

  • logging in to the MySQL server
  • leaving the MySQL server
  • creating users
  • deleting users
  • password management
  • privilege management

1. Log in to the MySQL server

To log in, use the mysql command-line client:

mysql -h localhost -u root -p [database]

-h: the host name or address of the server

-u: the user name

-p: prompt for the password. You can also type the password directly after -p, with no space between -p and the password, but then it is passed on the command line, where it is visible in the shell history and in the process list to any other local user. Leave -p alone to be prompted, or store the credential with mysql_config_editor (a login path) or in an option file with restricted permissions.

database: the database to open on connect; optional

If the shell reports that mysql is not a recognised command, do one of the following:

1. Add MySQL's bin directory to the PATH environment variable.

2. Use the MySQL Command Line Client shortcut that the installer creates.

3. cd into the bin directory of the MySQL installation and run the client from there.

2. Leave the MySQL server

Type exit, quit or \q. Ctrl+D also works on Unix. Ctrl+C behaviour depends on the client version: recent clients use it to abort the running statement rather than to quit.

3. Create an ordinary user

There are three ways to create a user in MySQL.

3.1. Create a new user with the CREATE USER statement

To create a user with CREATE USER you need the global CREATE USER privilege (or the INSERT privilege on the mysql system database). The syntax is:

CREATE USER user [IDENTIFIED BY [PASSWORD] 'password']
    [, user [IDENTIFIED BY [PASSWORD] 'password']] ...

user is the account name, made up of a user name and a host name and written 'user_name'@'host_name'; if the host part is omitted it defaults to '%', that is, any host. IDENTIFIED BY sets the account's password. Without the PASSWORD keyword, 'password' is the plaintext password and the server hashes it; with IDENTIFIED BY PASSWORD, 'password' must already be a hash as produced by the PASSWORD() function. The PASSWORD keyword and the PASSWORD() function were removed in MySQL 8.0, so only the plaintext form works there.

Example:

create user 'guolin'@'%' IDENTIFIED BY 'admin';

After this runs, a new row appears in the user table with every *_priv column set to N: the account can log in but can do nothing until privileges are granted to it. Do not copy this example literally: the host '%' lets the account be used from any address and 'admin' is a dictionary password. In practice restrict the host to where the client actually runs and use a long random password.

3.2. Create a new ordinary user with the INSERT statement

A user's row can be inserted directly into the mysql.user table with INSERT; this requires the INSERT privilege on mysql.user. The ssl_cipher, x509_issuer and x509_subject columns have no default value, so they must be given explicit (empty) values or the statement fails. Editing the grant tables by hand bypasses the server's validation and is discouraged; the statement below is for MySQL 5.6 and earlier, since the Password column became authentication_string in 5.7 and PASSWORD() no longer exists in 8.0.

Example:

INSERT INTO mysql.user(Host,User,Password,ssl_cipher,x509_issuer,x509_subject) VALUES('%','newuser1',PASSWORD('123456'),'','','');

The server does not notice a direct change to the grant tables until it reloads them, so after the INSERT run the following (it requires the RELOAD privilege):

FLUSH PRIVILEGES;

3.3. Create a new user with the GRANT statement

GRANT can create an account and give it privileges in one statement. Using GRANT to create a user requires the GRANT OPTION for the privileges being granted, plus the CREATE USER privilege (or INSERT on the mysql database) for the account creation. GRANT is the traditional way to add and authorise users in one step, but note that in MySQL 5.7 this implicit creation is deprecated and disabled when the NO_AUTO_CREATE_USER SQL mode is set, and in 8.0 GRANT no longer creates accounts at all: create the account with CREATE USER first, then GRANT to it. The basic syntax is:

GRANT priv_type ON database.table
    TO user [IDENTIFIED BY [PASSWORD] 'password']
    [, user [IDENTIFIED BY [PASSWORD] 'password']] ...

  • priv_type: the privileges to give the new user;
  • database.table: the scope of those privileges (*.* for the whole server, db_name.* for one database, db_name.tbl_name for one table);
  • user: the new account, made up of a user name and a host name;
  • IDENTIFIED BY: sets the password;
  • password: the new user's password.
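Putting sections 3.1 to 3.3 together, here is how a security engineer would actually create an application account, contrasted with the 'guolin'@'%' pattern above. This is an added example, not part of the original article; it assumes MySQL 5.7 or 8.0, and the account names (app_rw, app_ro), the subnet 10.20.0.0/255.255.0.0, the schema shopdb and the password strings are all placeholders.

```sql
-- Added example: least-privilege application accounts (MySQL 5.7/8.0 syntax).
-- Names, subnet, schema and passwords below are placeholders.

-- Weak pattern (do not use): any host, dictionary password, and typically followed
-- by GRANT ALL ON *.* which hands over the whole server.
-- CREATE USER 'guolin'@'%' IDENTIFIED BY 'admin';

-- Hardened: host restricted to the application subnet (address/netmask form),
-- long random password, TLS required, per-account resource caps, and a password
-- expiry policy so rotation is enforced by the server rather than by memory.
CREATE USER IF NOT EXISTS 'app_rw'@'10.20.0.0/255.255.0.0'
  IDENTIFIED BY 'R7k!vQ2p#xL9mZ4wTbN8eH3s'
  REQUIRE SSL
  WITH MAX_QUERIES_PER_HOUR 200000
       MAX_USER_CONNECTIONS 50
  PASSWORD EXPIRE INTERVAL 90 DAY;

-- Grant only what the application needs, scoped to its own schema, without GRANT OPTION.
-- The account therefore has no row in mysql.user with a Y, and a row in mysql.db for shopdb.
GRANT SELECT, INSERT, UPDATE, DELETE ON shopdb.* TO 'app_rw'@'10.20.0.0/255.255.0.0';

-- A separate read-only account for reporting: one privilege, one schema.
CREATE USER IF NOT EXISTS 'app_ro'@'10.20.0.0/255.255.0.0'
  IDENTIFIED BY 'Yq4$nD8vKp2!sWx7LmR3cZt6'
  REQUIRE SSL;
GRANT SELECT ON shopdb.* TO 'app_ro'@'10.20.0.0/255.255.0.0';

-- Verify what was actually recorded instead of trusting that the statements ran.
SHOW GRANTS FOR 'app_rw'@'10.20.0.0/255.255.0.0';
SHOW GRANTS FOR 'app_ro'@'10.20.0.0/255.255.0.0';

SELECT User, Host, ssl_type, max_questions, max_user_connections
FROM mysql.user
WHERE User IN ('app_rw', 'app_ro');

SELECT User, Host, Db, Select_priv, Insert_priv, Update_priv, Delete_priv
FROM mysql.db
WHERE User IN ('app_rw', 'app_ro');
```

Because CREATE USER and GRANT update the in-memory grant tables themselves, no FLUSH PRIVILEGES is needed; that step is only required after editing mysql.user directly. If the server reports that SSL is disabled (see the have_openssl check in section 1), drop the REQUIRE SSL clause or the account will never be able to connect.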

4. Delete ordinary users

4.1. Delete ordinary users with the DROP USER statement

DROP USER requires the global CREATE USER privilege (or the DELETE privilege on the mysql system database). It removes the account's rows from every grant table, not just from mysql.user, and needs no FLUSH PRIVILEGES.

DROP USER user1 [, user2] ...

user is the account to remove, made up of the user name and the host name.
Example: DROP USER 'username'@'localhost';

4.2. Delete ordinary users with the DELETE statement

You can also remove the account's row from mysql.user directly with DELETE; this requires the DELETE privilege on mysql.user.

DELETE FROM mysql.user WHERE Host = '%' AND User = 'admin';

After the deletion, FLUSH PRIVILEGES is required for it to take effect. Note that unlike DROP USER, this only removes the user table row: any rows the account had in db, tables_priv, columns_priv or procs_priv are left behind and will silently apply again if an account with the same name and host is later recreated. DROP USER is the safer choice.

5. Password management

The root user changes its own password

5.1. Change the root password with the mysqladmin command

The basic syntax of the mysqladmin command is:

mysqladmin -u root -h localhost -p password "new_password"

The -p here prompts for the current password. Passing "new_password" on the command line exposes it in the shell history and process list; omit it and mysqladmin will prompt for the new password instead.

5.2. Change the password by updating the user table

Updating the Password column of the user table also changes the password; it requires the UPDATE privilege on mysql.user. This method works only on MySQL 5.6 and earlier: in 5.7 the column is authentication_string, and in 8.0 the PASSWORD() function no longer exists. Include the Host in the WHERE clause so that only the intended account is changed, not every account with that user name.

UPDATE mysql.user SET Password = PASSWORD('123') WHERE User = 'myuser';

The change takes effect after FLUSH PRIVILEGES.

5.3. Change the password with the SET PASSWORD statement

After logging in as root, you can change the password with SET PASSWORD:

root changes its own password, so no account name is needed

SET PASSWORD = PASSWORD("123");

SET PASSWORD updates the grant tables through the server, so the change takes effect immediately; no restart and no FLUSH PRIVILEGES are needed. In MySQL 5.7 the PASSWORD() wrapper is deprecated and in 8.0 it is gone: write SET PASSWORD = 'new_password' instead.

Changing an ordinary user's password as root

1. Change an ordinary user's password with the SET PASSWORD statement

The format is: SET PASSWORD FOR 'user'@'host' = PASSWORD('newpwd');

Changing another account's password requires the UPDATE privilege on the mysql system database (in newer versions the CREATE USER privilege also suffices), which is why it is normally done as root. Any non-anonymous account may change its own password by omitting the FOR clause:

SET PASSWORD = PASSWORD('newpwd');

2. Change an ordinary user's password with the UPDATE statement

After logging in as root, run:

UPDATE mysql.user SET Password = PASSWORD("newpwd")
    WHERE User = "username" AND Host = "hostname";

Then run FLUSH PRIVILEGES to reload the grant tables. As in 5.2, this only works on MySQL 5.6 and earlier.

Ordinary users change their own passwords

An ordinary user sets their own password with SET PASSWORD, no FOR clause needed:

SET PASSWORD = PASSWORD('newpwd');
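Most of the password methods in this section depend on the Password column and the PASSWORD() function, both of which are gone in current releases. The statements below are an added example, not from the original article, showing the same tasks (root changing its own password, root changing another account's password, an ordinary user changing their own, plus locking an account during an incident) using ALTER USER, which exists from MySQL 5.7.6 on and is the only supported form in 8.0. The account name 'app_rw'@'10.20.0.0/255.255.0.0' and the password strings are placeholders.

```sql
-- Added example: password management on MySQL 5.7/8.0 with ALTER USER.
-- Account names and password strings are placeholders.

-- root changes its own password. USER() resolves to the current account,
-- so this works for whichever account is logged in.
ALTER USER USER() IDENTIFIED BY 'N3w!R00t-P4ssw0rd_8821';

-- root sets a temporary password for another account and marks it expired,
-- so the user is forced to choose a new one at first login.
ALTER USER 'app_rw'@'10.20.0.0/255.255.0.0'
  IDENTIFIED BY 'Tmp-Kq8#zL2vW6pR'
  PASSWORD EXPIRE;

-- An ordinary user changes their own password; no special privilege is needed.
-- (In 5.7 and 8.0 SET PASSWORD takes the plaintext directly.)
SET PASSWORD = 'Xy7$mQ2k!Lp9vN4w';

-- During an incident, lock the account instead of dropping it: connections are
-- refused, but the grants stay in place for review and the account can be unlocked.
ALTER USER 'app_rw'@'10.20.0.0/255.255.0.0' ACCOUNT LOCK;
-- ALTER USER 'app_rw'@'10.20.0.0/255.255.0.0' ACCOUNT UNLOCK;

-- Verify. ALTER USER and SET PASSWORD go through the server, so no FLUSH PRIVILEGES.
SELECT User, Host, plugin, password_expired, account_locked, password_last_changed
FROM mysql.user
WHERE User = 'app_rw';
```

The password_last_changed column, together with PASSWORD EXPIRE INTERVAL on the account, lets the server enforce rotation; with the 5.6-era UPDATE method the server had no record of when a password was last set.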

3. Privilege management

Account privilege information is stored in the user, db, host (removed in MySQL 5.6), tables_priv, columns_priv and procs_priv tables of the mysql system database. When the server starts it reads these tables into memory and answers privilege checks from that in-memory copy, which is why direct edits to the tables need FLUSH PRIVILEGES while GRANT and REVOKE do not.

GRANT and REVOKE use the same privilege names as the *_priv columns above (SELECT for Select_priv, INSERT for Insert_priv, and so on).

1. Granting privileges

Privileges can be granted at several levels:

  • Global level: global privileges apply to every database on the server and are stored in the mysql.user table. GRANT ALL ON *.* and REVOKE ALL ON *.* grant and revoke global privileges only.
  • Database level: database privileges apply to every object in one database and are stored in the mysql.db table. GRANT ALL ON db_name.* and REVOKE ALL ON db_name.* grant and revoke database privileges only.
  • Table level: table privileges apply to every column of one table and are stored in the mysql.tables_priv table. GRANT ALL ON db_name.tbl_name and REVOKE ALL ON db_name.tbl_name grant and revoke table privileges only.
  • Column level: column privileges apply to single columns of one table and are stored in the mysql.columns_priv table.

A privilege granted at one level can only be revoked at that same level; for example, a database-level SELECT cannot be revoked for a single table.

The GRANT syntax is:

GRANT priv_type [(column_list)] [, priv_type [(column_list)]] ...
    ON database.table
    TO user [IDENTIFIED BY [PASSWORD] 'password']
    [, user [IDENTIFIED BY [PASSWORD] 'password']] ...
    [WITH with_option [with_option] ...]

  • priv_type: the type of privilege;
  • column_list: the columns the privilege applies to; if omitted, the privilege applies to the whole table;
  • user: the account, made up of a user name and a host name in the form 'username'@'hostname';
  • IDENTIFIED BY: sets the account's password (not supported in MySQL 8.0, where the account must be created first with CREATE USER);
  • password: the account's new password.

The WITH keyword is followed by one or more with_option values. There are 5 options:

  • GRANT OPTION: the account may grant the privileges it holds to other accounts;
  • MAX_QUERIES_PER_HOUR count: the account may run at most count queries per hour;
  • MAX_UPDATES_PER_HOUR count: the account may run at most count data-modifying statements per hour;
  • MAX_CONNECTIONS_PER_HOUR count: the account may open at most count new connections per hour;
  • MAX_USER_CONNECTIONS count: the account may hold at most count connections open at the same time.

Example:

GRANT SELECT,UPDATE ON *.*
    TO 'myuser'@'%'
WITH GRANT OPTION;

Read this example carefully before copying it. Global UPDATE covers the mysql system database, so myuser can edit mysql.user directly and rewrite any account's privilege flags; GRANT OPTION lets it hand SELECT and UPDATE to any other account; and the '%' host lets it do so from anywhere. For an application account, grant the privileges on its own database only and leave GRANT OPTION out.

2. Revoking privileges

Revoking takes privileges away from an account; MySQL uses the REVOKE statement for this.

REVOKE has two forms. The first removes every privilege the account holds, together with its GRANT OPTION:

REVOKE ALL PRIVILEGES, GRANT OPTION
    FROM 'user'@'host' [, 'user'@'host'] ...

The second removes specific privileges from specific accounts:

REVOKE priv_type [(column_list)]
    ON database.table
    FROM user [, user] ...

column_list: the columns the revocation applies to; if omitted, it applies to the whole table. The ON clause must name the same level at which the privilege was granted.

Example: take the SELECT privilege away from myuser

REVOKE SELECT ON *.* FROM 'myuser'@'%';

Take all privileges away from myuser:

REVOKE ALL PRIVILEGES, GRANT OPTION FROM 'myuser'@'%';

Note that REVOKE ALL PRIVILEGES does not delete the account: myuser can still log in. Use DROP USER to remove it entirely.

3. Viewing privileges

SHOW GRANTS shows an account's privileges rendered as GRANT statements. The user table in the mysql database holds the account's global privileges and can be queried directly as well.

SELECT * FROM mysql.user;

SHOW GRANTS;                          -- the current account
SHOW GRANTS FOR 'myuser'@'%';         -- another account; needs SELECT on the mysql database
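To see how the four privilege levels of section 3.1 land in the grant tables, and how the matching REVOKE has to target the same level, here is an added example that is not part of the original article. It assumes MySQL 5.7 or 8.0 and creates its own account and objects; 'myuser'@'%', shopdb and shopdb.orders are placeholders. It also reproduces the WITH GRANT OPTION example above and immediately undoes it.

```sql
-- Added example: where each privilege level is recorded, and revoking at the same level.
-- Assumes MySQL 5.7/8.0; account, schema and table names are placeholders.

CREATE DATABASE IF NOT EXISTS shopdb;
CREATE TABLE IF NOT EXISTS shopdb.orders (
  id      INT PRIMARY KEY,
  status  VARCHAR(16),
  amount  DECIMAL(10,2)
);
CREATE USER IF NOT EXISTS 'myuser'@'%' IDENTIFIED BY 'Pl4ceh0lder!pw-0911';

-- Global level (mysql.user). The article's own example: global UPDATE reaches
-- mysql.user, and GRANT OPTION lets the account pass privileges on. Shown, then undone.
GRANT SELECT, UPDATE ON *.* TO 'myuser'@'%' WITH GRANT OPTION;
SELECT User, Host, Select_priv, Update_priv, Grant_priv
FROM mysql.user WHERE User = 'myuser' AND Host = '%';
REVOKE ALL PRIVILEGES, GRANT OPTION FROM 'myuser'@'%';

-- Database level (mysql.db).
GRANT SELECT, INSERT ON shopdb.* TO 'myuser'@'%';

-- Table level (mysql.tables_priv).
GRANT UPDATE ON shopdb.orders TO 'myuser'@'%';

-- Column level (mysql.columns_priv); the column list follows the privilege name.
GRANT SELECT (id, status), UPDATE (status) ON shopdb.orders TO 'myuser'@'%';

-- Inspect each table: the global row is back to all N, and each lower table
-- holds exactly the level that was granted to it.
SELECT Select_priv, Update_priv, Grant_priv
FROM mysql.user WHERE User = 'myuser' AND Host = '%';
SELECT Db, Select_priv, Insert_priv
FROM mysql.db WHERE User = 'myuser' AND Host = '%';
SELECT Db, Table_name, Table_priv, Column_priv
FROM mysql.tables_priv WHERE User = 'myuser' AND Host = '%';
SELECT Db, Table_name, Column_name, Column_priv
FROM mysql.columns_priv WHERE User = 'myuser' AND Host = '%';

-- The same information rendered as GRANT statements.
SHOW GRANTS FOR 'myuser'@'%';

-- REVOKE must name the level at which the privilege was granted. Trying to revoke
-- the database-level SELECT per table fails with "There is no such grant defined":
-- REVOKE SELECT ON shopdb.orders FROM 'myuser'@'%';
-- These match the grants above and succeed:
REVOKE SELECT ON shopdb.* FROM 'myuser'@'%';
REVOKE UPDATE (status) ON shopdb.orders FROM 'myuser'@'%';
SHOW GRANTS FOR 'myuser'@'%';

-- Clean up (the account, not just its privileges, goes away).
DROP USER 'myuser'@'%';
```

When auditing, compare SHOW GRANTS output against what the application actually needs; a global grant that exists only because a table-level one seemed tedious to write is the usual way a compromised web account turns into a compromised database server.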