MySQL privilege management (example)

A worked example of MySQL privilege management

This article does not go into authorization on specific objects in detail; it only restricts the broad, high-impact privileges.

1. Current status:
R&D has been working as the root user. Since the application code cannot be changed, we create a new super user for administration and revoke some of root's privileges, so that the R&D account is restricted.

mysql> select user,host from user;
+-----------+-------------+
| user      | host        |
+-----------+-------------+
| mydba     | %           | -- my newly created super user
| root      | %           | -- created by the installation
| server    | %           | -- unused user
| repli     | 192.168.1.3 | -- the master-slave replication user I created
| root      | 192.168.1.9 | -- unused user
| mysql.sys | localhost   |
| root      | localhost   | -- created by the installation
+-----------+-------------+
7 rows in set (0.00 sec)


Before revoking anything, log in as root and create the super user:
grant all privileges on *.* to mydba@'%' identified by 'tina' with grant option;
grant all privileges on mysql.* to mydba@'%' identified by 'tina' with grant option;


2. Delete the unused users (revoke all their privileges during working hours, and delete the accounts after work):
mysql> use mysql
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A

Database changed

mysql> show grants for server;
+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| Grants for server@%                                                                                                                                                                                                                                                                                                     |
+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| GRANT CREATE, DROP, RELOAD, SHUTDOWN, PROCESS, FILE, REFERENCES, INDEX, ALTER, SHOW DATABASES, SUPER, CREATE TEMPORARY TABLES, LOCK TABLES, EXECUTE, REPLICATION SLAVE, REPLICATION CLIENT, CREATE VIEW, SHOW VIEW, CREATE ROUTINE, ALTER ROUTINE, CREATE USER, EVENT, TRIGGER ON *.* TO 'server'@'%' WITH GRANT OPTION |
| GRANT ALL PRIVILEGES ON `mysql`.* TO 'server'@'%' WITH GRANT OPTION                                                                                                                                                                                                                                                     |
+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+

mysql> revoke all privileges on *.* from 'server'@'%';
Query OK, 0 rows affected (0.07 sec)

mysql> show grants for server;
+---------------------------------------------------------------------+
| Grants for server@%                                                 |
+---------------------------------------------------------------------+
| GRANT USAGE ON *.* TO 'server'@'%' WITH GRANT OPTION                |
| GRANT ALL PRIVILEGES ON `mysql`.* TO 'server'@'%' WITH GRANT OPTION |
+---------------------------------------------------------------------+
2 rows in set (0.00 sec)

mysql> revoke all privileges on mysql.* from 'server'@'%';   -- This statement is replicated to the slave as well, so it does not need to be run there separately: the mysql system database is part of master-slave replication
Query OK, 0 rows affected (0.10 sec)

mysql> show grants for server;
+------------------------------------------------------------+
| Grants for server@%                                        |
+------------------------------------------------------------+
| GRANT USAGE ON *.* TO 'server'@'%' WITH GRANT OPTION       |
| GRANT USAGE ON `mysql`.* TO 'server'@'%' WITH GRANT OPTION |
+------------------------------------------------------------+
2 rows in set (0.00 sec)

Delete them:
delete from mysql.user where user='server' and host='%';
delete from mysql.user where user='root' and host='192.168.1.9';

3. Replication user privileges
mysql> show grants for repli@'192.168.1.3';
+-----------------------------------------------------------------------------+
| Grants for repli@192.168.1.3                                                |
+-----------------------------------------------------------------------------+
| GRANT REPLICATION SLAVE, REPLICATION CLIENT ON *.* TO 'repli'@'192.168.1.3' | -- repli is used for master-slave replication, so these two privileges are required
+-----------------------------------------------------------------------------+
1 row in set (0.01 sec)



4. Revoke the root user's FILE, PROCESS, SUPER, DROP and CREATE privileges; root can still create and drop temporary tables

Original privileges:
+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| Grants for root@%                                                                                                                                                                                                                                                                                                                                                 |
+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| GRANT SELECT, INSERT, UPDATE, DELETE, CREATE, DROP, RELOAD, SHUTDOWN, PROCESS, FILE, REFERENCES, INDEX, ALTER, SHOW DATABASES, CREATE TEMPORARY TABLES, LOCK TABLES, EXECUTE, REPLICATION SLAVE, REPLICATION CLIENT, CREATE VIEW, SHOW VIEW, CREATE ROUTINE, ALTER ROUTINE, CREATE USER, EVENT, TRIGGER, CREATE TABLESPACE ON *.* TO 'root'@'%' WITH GRANT OPTION |
| GRANT ALL PRIVILEGES ON `mysql`.* TO 'root'@'%' WITH GRANT OPTION                                                                                                                                                                                                                                                                                                 |
+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
2 rows in set (0.00 sec)

+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| Grants for root@localhost                                                                                                                                                                                                                                                                                                                                                 |
+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| GRANT SELECT, INSERT, UPDATE, DELETE, CREATE, DROP, RELOAD, SHUTDOWN, PROCESS, FILE, REFERENCES, INDEX, ALTER, SHOW DATABASES, CREATE TEMPORARY TABLES, LOCK TABLES, EXECUTE, REPLICATION SLAVE, REPLICATION CLIENT, CREATE VIEW, SHOW VIEW, CREATE ROUTINE, ALTER ROUTINE, CREATE USER, EVENT, TRIGGER, CREATE TABLESPACE ON *.* TO 'root'@'localhost' WITH GRANT OPTION |
| GRANT PROXY ON ''@'' TO 'root'@'localhost' WITH GRANT OPTION                                                                                                                                                                                                                                                                                                              |
+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+

Revoke some of the remote root account's privileges (the PROCESS privilege is kept, because it is used to monitor master-slave replication status):
revoke file, process, super, drop, create, create view, reload, shutdown, index, alter, replication slave, replication client, create view, create routine,
alter routine, create user, create tablespace on *.* from 'root'@'%';

Revoke all of the local root account's privileges on the mysql database:
revoke all privileges on mysql.* from 'root'@'localhost'; 

Test it:
mysql> select * from t1 into outfile '/tmp/a.txt' fields terminated by ',';
ERROR 1045 (28000): Access denied for user 'root'@'%' (using password: YES)    -- the load/outfile (FILE) privilege has been disabled

mysql> create view v_2 as select id from t2 where id<5;
ERROR 1142 (42000): CREATE VIEW command denied to user 'root'@'192.168.1.4' for table 'v_2';  -- views cannot be created

mysql> create index i_2 on t2(id);
ERROR 1142 (42000): INDEX command denied to user 'root'@'192.168.1.4' for table 't2'  -- indexes cannot be created

mysql> show index from t1;   -- indexes can still be viewed
+-------+------------+----------+--------------+-------------+-----------+-------------+----------+--------+------+------------+---------+---------------+
| Table | Non_unique | Key_name | Seq_in_index | Column_name | Collation | Cardinality | Sub_part | Packed | Null | Index_type | Comment | Index_comment |
+-------+------------+----------+--------------+-------------+-----------+-------------+----------+--------+------+------------+---------+---------------+
| t1    |          1 | i_1      |            1 | id          | A         |           0 |     NULL | NULL   | YES  | BTREE      |         |               |
+-------+------------+----------+--------------+-------------+-----------+-------------+----------+--------+------+------------+---------+---------------+
1 row in set (0.03 sec)

6. Flush privileges
flush privileges;


7. After revocation:
mysql> select user,host from user;
+-----------+---------------+
| user      | host          |
+-----------+---------------+
| mydba     | %             |
| root      | %             |
| repli     | 192.168.1.4   |
| mysql.sys | localhost     |
| root      | localhost     |
+-----------+---------------+
5 rows in set (0.00 sec)

mysql> show grants for root;
+--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| Grants for root@%                                                                                                                                                                          |
+--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| GRANT SELECT, INSERT, UPDATE, DELETE, REFERENCES, PROCESS, SHOW DATABASES, CREATE TEMPORARY TABLES, LOCK TABLES, EXECUTE, SHOW VIEW, EVENT, TRIGGER ON *.* TO 'root'@'%' WITH GRANT OPTION |
| GRANT USAGE ON `mysql`.* TO 'root'@'%' WITH GRANT OPTION                                                                                                                                   |
+--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
2 rows in set (0.00 sec)

mysql> show grants for root@'localhost';
+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| Grants for root@localhost                                                                                                                                                                          |
+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| GRANT SELECT, INSERT, UPDATE, DELETE, REFERENCES, PROCESS, SHOW DATABASES, CREATE TEMPORARY TABLES, LOCK TABLES, EXECUTE, SHOW VIEW, EVENT, TRIGGER ON *.* TO 'root'@'localhost' WITH GRANT OPTION |
| GRANT PROXY ON ''@'' TO 'root'@'localhost' WITH GRANT OPTION                                                                                                                                       |
+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
2 rows in set (0.00 sec)

mysql> show grants for mydba;   -- the super user:
+--------------------------------------------------------------------+
| Grants for mydba@%                                                 |
+--------------------------------------------------------------------+
| GRANT ALL PRIVILEGES ON *.* TO 'mydba'@'%' WITH GRANT OPTION       |
| GRANT ALL PRIVILEGES ON `mysql`.* TO 'mydba'@'%' WITH GRANT OPTION |
+--------------------------------------------------------------------+
2 rows in set (0.00 sec)


Additional notes:
1. The USAGE privilege only allows connecting to the database and running SHOW DATABASES / SHOW TABLES; without other privileges, SELECT is not possible.
2. MySQL privileges are cumulative across grant levels: after revoking ALL PRIVILEGES at one level you may find a SELECT privilege is still granted elsewhere, and those leftovers must be revoked one by one.
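As an added check that is not part of the original article: after the revocations above, the queries below list which accounts still hold high-impact global privileges, which still have database-level grants on the mysql schema (these survive REVOKE ALL PRIVILEGES ON *.*, which is the cumulative-privilege point in note 2), and which '%' accounts still carry GRANT OPTION. They assume MySQL 5.7's information_schema views and mysql.user columns, and are run as the mydba super user.

```sql
-- Added audit queries (not from the original article). Run as the mydba super
-- user after the revocations; column names are those of MySQL 5.7.

-- 1. Global (ON *.*) privileges that give file access, server control, or
--    account creation, grouped per account. After step 4, root@'%' should no
--    longer appear here for FILE or SUPER.
SELECT GRANTEE,
       GROUP_CONCAT(PRIVILEGE_TYPE ORDER BY PRIVILEGE_TYPE SEPARATOR ', ') AS risky_global_privs,
       MAX(IS_GRANTABLE) AS can_regrant
FROM information_schema.USER_PRIVILEGES
WHERE PRIVILEGE_TYPE IN ('FILE', 'SUPER', 'SHUTDOWN', 'RELOAD', 'CREATE USER', 'DROP')
GROUP BY GRANTEE
ORDER BY GRANTEE;

-- 2. Database-level grants on the mysql schema. These are stored in mysql.db,
--    not mysql.user, so REVOKE ALL PRIVILEGES ON *.* leaves them in place
--    (the "cumulative privileges" caveat in the additional notes). After
--    step 2 and step 4, server@'%' and root@'localhost' should be gone here.
SELECT GRANTEE,
       GROUP_CONCAT(PRIVILEGE_TYPE ORDER BY PRIVILEGE_TYPE SEPARATOR ', ') AS mysql_db_privs
FROM information_schema.SCHEMA_PRIVILEGES
WHERE TABLE_SCHEMA = 'mysql'
GROUP BY GRANTEE;

-- 3. Accounts allowed from any host that can still re-grant privileges.
--    Grant_priv is an ENUM('N','Y') column of mysql.user; expect only mydba
--    and root here once the unused users have been deleted.
SELECT user, host
FROM mysql.user
WHERE host = '%' AND Grant_priv = 'Y';
```

Re-run the three queries after FLUSH PRIVILEGES (step 6); until then, rows deleted directly from mysql.user are still visible to the running server's grant cache.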
