MySQL database - permission control and log management


1. MySQL user and privilege management

1. DCL (Data Control Language)

• The statements that grant and revoke database privileges and control roles

• GRANT assigns privileges to an account

• REVOKE withdraws privileges that were previously granted

2. MySQL grant tables

MySQL privileges are stored in the grant tables of the built-in mysql system database, which are divided into:

2.1、mysql.user

• Account columns: Host, User, Password (replaced by authentication_string from 5.7.6 onward)

• Privilege columns: the columns ending in _priv

• Security columns: ssl_type, ssl_cipher, x509_issuer, x509_subject

• Resource-control columns: the columns starting with max_

2.2、mysql.db

• Account columns: Host, Db, User (there is no password column; the account is authenticated against mysql.user)

• Privilege columns: the remaining columns ending in _priv

2.3、mysql.tables_priv、mysql.columns_priv、mysql.procs_priv

• Grant tables for table-level, column-level and stored-routine privileges

2.4. Privilege levels

• mysql.user # global privileges

• mysql.db # database-level privileges

• the others # table-level, column-level and routine-level privileges

2.5. Database and table format

Format                      Meaning
db_name.*                   every table in the database
db_name.table_name          one table in the database
db_name.routine_name        one stored procedure or function in the database
*.*                         all databases (global level)

2.6. User and host format

Format                      Meaning
username@IP_address         the user may connect only from that IP address
username@192.168.1.%        the user may connect only from that network segment (% is a wildcard matching anything; 192.168.1.% is just an example prefix)
username@%.xxx.com          the user may connect only from hosts whose name ends in .xxx.com (matched through reverse DNS, so only rely on it when DNS is trusted and skip-name-resolve is off)
username@%                  the user may connect from any host (% is the default host part when none is given)

3. MySQL user management

3.1. Create a user

#create with a CREATE USER statement
create user 'username'@'host' identified by 'password';
#example:
create user 'test'@'%' identified by '111';

#create with a GRANT statement (MySQL 5.7 and earlier; 8.0 no longer accepts IDENTIFIED BY in GRANT, so create the account first)
grant select on db_name.table_name to 'username'@'host' identified by "password";
#example:
grant select on *.* to 'test'@'%' identified by "111";

3.2. Delete a user

#delete with a DROP USER statement (preferred: it also removes the account's rows from mysql.db, tables_priv, columns_priv and procs_priv)
drop user 'username'@'host';
#example:
drop user 'user1'@'localhost';

#delete the row from the grant table directly (leaves the account's other grant-table rows behind and only takes effect after flush privileges)
delete from mysql.user where user='username' and host='host';
#example:
delete from mysql.user where user='test' and host='%';
flush privileges;

3.3. Rename a user or change its host

rename user 'old_username'@'host' to 'new_username'@'host';
#example:
rename user 'test'@'localhost' to 'demo'@'localhost';

3.4. Change a password

Note: ALTER USER and SET PASSWORD update the server's in-memory privilege cache themselves; flush privileges is only required after the grant tables are edited directly with UPDATE or DELETE.

① root changes its own password

Method 1: from the shell (putting the password after -p exposes it in the process list and shell history; leave it out to be prompted instead)
	mysqladmin -uroot -p'old_password' password 'new_password'

Method 2: inside the database
	alter user 'root'@'localhost' identified by 'new_password';

Method 3: inside the database (MySQL 5.7 and earlier; the PASSWORD() function was removed in 8.0)
	set password=password('new_password');

② root changes another user's password

All of these are entered inside the database
Method 1:
	alter user 'username'@'host' identified by 'new_password';

Method 2 (MySQL 5.7 and earlier):
	grant select on *.* to 'username'@'host' identified by 'new_password';

③ An ordinary user changes its own password

Inside the database:
	set password=password('new_password');   #MySQL 5.7 and earlier
	set password='new_password';             #MySQL 5.7.6 onward and 8.0

3.5. Recovering the root password

If the root password is lost one day, how do you regain access?

♩ Edit the MySQL configuration file /etc/my.cnf

#add skip-grant-tables under [mysqld]
[root@localhost ~]# vim /etc/my.cnf
[mysqld]
…………
#log in without a password (while this is set every client connection gets full privileges, so also add skip-networking or block port 3306 until the reset is finished)
skip-grant-tables

♪ Restart MySQL

[root@localhost ~]# systemctl restart mysqld

♫ Change the password

#type mysql in the terminal to connect without a password
[root@localhost ~]# mysql
#switch to the mysql system database
mysql> use mysql;

#set the root password (MySQL 5.7; PASSWORD() no longer exists in 8.0, where you run flush privileges and then alter user 'root'@'localhost' identified by 'new_password'; instead)
mysql> update user set authentication_string=password('new_password') where user='root';

♬ Comment out the password-free login added in the first step

[root@localhost ~]# vim /etc/my.cnf
[mysqld]
…………
#skip-grant-tables

Finally, restart the mysqld service.

3.6. Password complexity policy

♪ Install the password plugin

MySQL ships a password-complexity plugin named validate_password; it is not necessarily loaded, so check show plugins before installing it

#install the plugin
mysql> install plugin validate_password soname 'validate_password.so';

♪ Or load it from the configuration file

#edit the configuration file
[root@localhost ~]# vim /etc/my.cnf
[mysqld]
…………
plugin-load=validate_password.so	#load the plugin at startup
validate_password_policy=0	#0, 1 or 2; pick the rule set you want
validate_password=FORCE_PLUS_PERMANENT	#the plugin cannot be unloaded at runtime
#restart mysql for it to take effect
[root@localhost ~]# systemctl restart mysqld

♫ Log in to the database and view the rules

mysql> show variables like 'validate%';

Meaning of each variable:

1. validate_password_policy

The password policy. The possible values are:

——0 or LOW: only the length is checked (set by validate_password_length).

——1 or MEDIUM: the LOW rule, plus at least one digit, one lowercase letter, one uppercase letter and one special character (the counts are configurable, see below).

——2 or STRONG: the MEDIUM rules, plus the password must not contain a word from the dictionary file.

2. validate_password_dictionary_file

The dictionary file to check passwords against. It only has an effect when validate_password_policy is STRONG; passwords containing a word from the file are rejected.

3. validate_password_length

Minimum password length; default 8, minimum 0. The server silently raises it to number_count + special_char_count + 2 * mixed_case_count if it is set lower than that.

4. validate_password_mixed_case_count

With MEDIUM or STRONG, the minimum number of lowercase letters and, separately, of uppercase letters; default 1, minimum 0, so by default at least one lowercase and one uppercase letter.

5. validate_password_number_count

With MEDIUM or STRONG, the minimum number of digits; default 1, minimum 0.

6. validate_password_special_char_count

With MEDIUM or STRONG, the minimum number of non-alphanumeric characters; default 1, minimum 0.
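The rules above can be checked before a password is ever sent to ALTER USER. The following is an added example, not code from the original post or from MySQL: it re-implements the LOW/MEDIUM/STRONG checks as the variables describe them, using the variable names as field names and a small constructed word list in place of validate_password_dictionary_file. The substring-based dictionary match and the helper highest_policy_passed are modelled on the manual's description rather than copied from the server, so treat them as an approximation.

```python
from dataclasses import dataclass, field

LOW, MEDIUM, STRONG = 0, 1, 2  # the three values of validate_password_policy


@dataclass
class PasswordPolicy:
    """Mirrors the validate_password_* server variables described above."""
    validate_password_policy: int = MEDIUM
    validate_password_length: int = 8
    validate_password_mixed_case_count: int = 1
    validate_password_number_count: int = 1
    validate_password_special_char_count: int = 1
    # Constructed stand-in for validate_password_dictionary_file (one word per line).
    dictionary: set = field(default_factory=lambda: {"password", "mysql", "qwerty", "admin"})

    def effective_min_length(self) -> int:
        # The server raises the length floor so that the per-class counts can be met:
        # number_count + special_char_count + 2 * mixed_case_count.
        floor = (self.validate_password_number_count
                 + self.validate_password_special_char_count
                 + 2 * self.validate_password_mixed_case_count)
        return max(self.validate_password_length, floor)


def dictionary_hit(password: str, dictionary: set):
    """Case-insensitive match of every substring of length 4 or more against the
    dictionary, which is how the manual describes the STRONG dictionary check."""
    pw = password.lower()
    for length in range(4, len(pw) + 1):
        for start in range(len(pw) - length + 1):
            if pw[start:start + length] in dictionary:
                return pw[start:start + length]
    return None


def check_password(password: str, policy: PasswordPolicy) -> list:
    """Return the rules the password violates; an empty list means it passes the policy."""
    problems = []
    min_len = policy.effective_min_length()
    if len(password) < min_len:                        # LOW: length only
        problems.append(f"length {len(password)} below {min_len}")
    if policy.validate_password_policy >= MEDIUM:      # MEDIUM: character classes
        lower = sum(c.islower() for c in password)
        upper = sum(c.isupper() for c in password)
        digits = sum(c.isdigit() for c in password)
        special = sum(not c.isalnum() for c in password)
        mixed = policy.validate_password_mixed_case_count
        if lower < mixed or upper < mixed:
            problems.append(f"fewer than {mixed} lowercase or uppercase letters")
        if digits < policy.validate_password_number_count:
            problems.append(f"fewer than {policy.validate_password_number_count} digits")
        if special < policy.validate_password_special_char_count:
            problems.append(f"fewer than {policy.validate_password_special_char_count} special characters")
    if policy.validate_password_policy >= STRONG:      # STRONG: dictionary file
        hit = dictionary_hit(password, policy.dictionary)
        if hit:
            problems.append(f"contains dictionary word '{hit}'")
    return problems


def highest_policy_passed(password: str, dictionary: set) -> int:
    """Strictest policy level (LOW=0 .. STRONG=2) the password satisfies with the default
    counts; -1 if it fails even LOW. Same idea as the server's VALIDATE_PASSWORD_STRENGTH()."""
    level = -1
    for pol in (LOW, MEDIUM, STRONG):
        if check_password(password, PasswordPolicy(validate_password_policy=pol,
                                                   dictionary=dictionary)):
            break
        level = pol
    return level


if __name__ == "__main__":
    policy = PasswordPolicy(validate_password_policy=STRONG)
    for candidate in ("111", "Password1!", "Xk7!mzQ9pLw"):
        print(f"{candidate!r}: {check_password(candidate, policy) or 'OK'}")
```

The password '111' used in the CREATE USER examples above fails even LOW under the default length of 8, which is the point of loading the plugin before accounts are created rather than after.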

4. Privilege management

4.1 Revoking privileges

Privileges that have been granted can be taken back again. The command is:

revoke privilege on db_name.table_name from 'username'@'host';

• The privilege must actually have been granted at that level, otherwise the statement fails with "There is no such grant defined";

• Whole server: grant all on *.* / revoke all on *.*;

• Whole database: on db_name.*;

• A specific table: on db_name.table_name;

4.2 Reloading privileges

mysql> flush privileges;

flush privileges re-reads the account and privilege rows from the grant tables in the mysql system database into the server's in-memory privilege cache.

It is needed after the grant tables are changed directly with INSERT, UPDATE or DELETE, so that the change takes effect without restarting the MySQL service; account-management statements (GRANT, REVOKE, CREATE USER, ALTER USER, SET PASSWORD) update the cache themselves.

4.3 Viewing privileges

show grants for 'username'@'host';
#without a user, the current account's privileges are shown.
show grants;

4.4 Granting privileges and setting a password

#grant privileges (and, in 5.7 and earlier, set a password in the same statement)
grant privilege1[,privilege2,privilege3...] on db_name.table_name to 'username'@'host';
grant privilege1[,privilege2,privilege3...] on db_name.table_name to 'username'@'host' identified by 'password';

Several privileges can be granted at once, separated by commas. GRANT needs three things spelled out: the privileges to grant, the database or table they apply to, and the account.

Privilege               Level                       Description
create                  database, table or index    create a database, table or index
drop                    database or table           drop a database or table
grant option            database, table or routine  pass one's own privileges on to other accounts
references              database or table           create foreign keys that reference the table
alter                   table                       change a table, e.g. add columns or indexes
delete                  table                       delete rows
index                   table                       create or drop indexes
insert                  table                       insert rows
select                  table                       read rows
update                  table                       update rows
create view             view                        create views
show view               view                        view the definition of a view
alter routine           stored routine              alter or drop stored procedures and functions
create routine          stored routine              create stored procedures and functions
execute                 stored routine              execute stored procedures and functions
file                    files on the server host    read and write files on the server host (LOAD DATA INFILE, SELECT ... INTO OUTFILE, LOAD_FILE())
create temporary table  server administration       create temporary tables
lock tables             server administration       lock tables with LOCK TABLES
create user             server administration       create, drop and rename accounts
reload                  server administration       run flush-hosts, flush-logs, flush-privileges, flush-status, flush-tables, flush-threads, refresh and reload
process                 server administration       see every thread in SHOW PROCESSLIST, including other accounts' statements
replication client      server administration       run show master status, show slave status and show binary logs
replication slave       server administration       let a replica connect with this account and read the binary log to set up replication
show databases          server administration       see every database name
shutdown                server administration       shut the server down
super                   server administration       kill other accounts' threads and other administrative operations

Level                   Privileges that can be set
table                   Select, Insert, Update, Delete, Create, Drop, Grant, References, Index, Alter
column                  Select, Insert, Update, References
routine                 Execute, Alter Routine, Grant

FILE, SUPER, PROCESS and GRANT OPTION amount to control of the server rather than of one database, so application accounts should never receive them; grant them only to administrative accounts restricted to localhost or a management network.
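A practical way to use the table above is to audit the output of show grants against it. The following is an added example, not from the original post or from MySQL: it parses SHOW GRANTS lines, flags accounts that break least privilege (any-host accounts, administrative privileges, global *.* scope, WITH GRANT OPTION), and builds the REVOKE statement from section 4.1 that removes the administrative privileges. The five grant lines are constructed for the example; the account names, hosts and database are invented.

```python
import re

# GRANT <privs> ON <scope> TO 'user'@'host' [WITH GRANT OPTION], as printed by SHOW GRANTS
# (MySQL 8.0 prints the account with backticks, which the pattern also accepts).
GRANT_RE = re.compile(
    r"^GRANT\s+(?P<privs>.+?)\s+ON\s+(?P<scope>\S+)\s+TO\s+"
    r"['`](?P<user>[^'`]*)['`]@['`](?P<host>[^'`]*)['`](?P<rest>.*)$",
    re.IGNORECASE)

# Privileges from the "server administration" rows of the table above that let an account
# read server files, kill sessions or otherwise escape a database-scoped role.
ADMIN_PRIVS = {"ALL", "ALL PRIVILEGES", "SUPER", "FILE", "PROCESS", "RELOAD",
               "SHUTDOWN", "CREATE USER"}

# Constructed SHOW GRANTS output for four accounts (not taken from a real server).
SAMPLE_GRANTS = [
    "GRANT ALL PRIVILEGES ON *.* TO 'app'@'%' WITH GRANT OPTION",
    "GRANT USAGE ON *.* TO 'shop_rw'@'10.0.0.%'",
    "GRANT SELECT, INSERT, UPDATE ON `shop`.* TO 'shop_rw'@'10.0.0.%'",
    "GRANT FILE ON *.* TO 'etl'@'localhost'",
    "GRANT SELECT (id, email) ON `shop`.`users` TO 'report'@'localhost'",
]


def parse_grant(line: str):
    """Split one SHOW GRANTS line into user, host, scope, privilege set and grant-option flag."""
    m = GRANT_RE.match(line.strip().rstrip(";"))
    if not m:
        return None
    # Column-level grants look like "SELECT (id, email)"; drop the column list before splitting.
    privs = re.sub(r"\([^)]*\)", "", m["privs"])
    return {
        "user": m["user"], "host": m["host"],
        "scope": m["scope"].replace("`", ""),
        "privs": {p.strip().upper() for p in privs.split(",") if p.strip()},
        "grant_option": "WITH GRANT OPTION" in m["rest"].upper(),
    }


def audit_grants(lines):
    """Return (account, finding) pairs for grants that violate least privilege."""
    findings = []
    for line in lines:
        g = parse_grant(line)
        if g is None or g["privs"] == {"USAGE"}:
            continue                      # USAGE is the "no privileges" placeholder row
        acct = f"{g['user']}@{g['host']}"
        admin = g["privs"] & ADMIN_PRIVS
        if g["host"] == "%":
            findings.append((acct, "host '%' accepts connections from any address; pin it to an IP or subnet"))
        if admin:
            findings.append((acct, f"administrative privilege(s) {sorted(admin)} on {g['scope']}"))
        elif g["scope"] == "*.*":
            findings.append((acct, "global scope *.*; narrow it to db_name.* or db_name.table_name"))
        if g["grant_option"]:
            findings.append((acct, "WITH GRANT OPTION lets the account hand its privileges to others"))
    return findings


def revoke_statement(line: str):
    """Build the REVOKE that strips administrative privileges (and GRANT OPTION) from a grant line."""
    g = parse_grant(line)
    if g is None:
        return None
    privs = sorted(g["privs"] & ADMIN_PRIVS)
    if g["grant_option"]:
        privs.append("GRANT OPTION")
    if not privs:
        return None
    return f"REVOKE {', '.join(privs)} ON {g['scope']} FROM '{g['user']}'@'{g['host']}';"


if __name__ == "__main__":
    for acct, why in audit_grants(SAMPLE_GRANTS):
        print(f"{acct}: {why}")
    for line in SAMPLE_GRANTS:
        stmt = revoke_statement(line)
        if stmt:
            print(stmt)
```

Feed it the real output of show grants for each row of select user,host from mysql.user; the USAGE row every account carries is skipped so that only real grants produce findings.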

2. MySQL log management

1. MySQL error log

Purpose of the error log: records the server's status, errors and warnings during startup and normal operation.

Configuring the error log:

#set the error log path in the configuration file and restart MySQL
[root@localhost ~]# vim /etc/my.cnf
[mysqld]
log_error=/mnt/mysql.log #the path and file name are up to you; the directory must be writable by the mysql user
[root@localhost ~]# systemctl restart mysqld

Checking where the error log is written:

mysql> select @@log_error;
+-----------------+
| @@log_error 	  |
+-----------------+
| /mnt/mysql.log  |
+-----------------+
1 row in set (0.00 sec)

Note: when reading the error log, concentrate on the lines tagged [ERROR] and the context around them

2. MySQL binary log

Purpose of the binary log: required for point-in-time data recovery; the log that master-slave replication depends on

Binary log configuration:

#edit the configuration file
[root@localhost ~]# vim /etc/my.cnf
[mysqld]
server_id=1
log_bin=/mnt/binlog/mysql-bin
#server_id must be set whenever the binary log is enabled, from MySQL 5.7 onward
#log_bin= turns the binary log on
#/mnt/binlog is the directory the files are written to
#mysql-bin is the file-name prefix

#create the directory and give it to the mysql user
[root@localhost ~]# mkdir -p /mnt/binlog/
[root@localhost ~]# chown -R mysql:mysql /mnt/binlog/
[root@localhost ~]# systemctl restart mysqld

Notes on the configuration:

mysql-bin is the prefix set in the configuration file.

000001 is the sequence number; a new file is started each time MySQL restarts, the log is flushed, or the file reaches max_binlog_size.

Contents of the binary log

Everything except read-only queries is recorded, i.e. every statement that changes the database

① Kinds of statement recorded

• DDL (data definition language): create, drop

• DCL (data control language): grant, revoke

• DML (data manipulation language): insert, update, delete

② How the different statements are recorded

• DDL and DCL are always recorded as the statement itself (statement format)

• DML can be recorded in one of three formats: SBR, RBR or MBR

Format descriptions:

• statement ——> SBR: records what was done, i.e. the SQL statement

• row ——> RBR: records the change to each data row

• mixed ——> MBR: the server picks the format per statement

• Differences between SBR and RBR

Aspect              SBR                                          RBR
What is recorded    the SQL statement                            the change to each row
Readability         high                                         low (binary row images; decode with mysqlbinlog -v)
Log volume          small                                        large
Accuracy            can diverge for non-deterministic statements exact
#change the binary log format
[root@localhost ~]# vim /etc/my.cnf
[mysqld]
binlog_format='MIXED'
#check whether the binary log is enabled
mysql> show variables like '%binlog%';

2.1 Differences between the three binary log formats

2.1.1、ROW: row-based replication

Advantages: every statement can be replicated, and no context about the executed SQL needs to be stored; only what each affected row was changed to is recorded.

Disadvantages: the binlog grows much larger, and a complex rollback drags a lot of data through it; when an update runs on the master, every row it changed is written to the binlog. For example, after update product set owner_member_id='d' where owner_member_id='a' the log does not hold one event for that update statement (MySQL records the binlog as events) but the change to each row the statement touched, so one statement turns into many row-update events and the binlog volume grows accordingly.

2.1.2、Statement: statement-based replication

Advantages: no need to record every row change, so the binlog is smaller, I/O is saved and performance improves.

Disadvantages: because it records the statements that were executed, it must also record the context each statement ran in, so that the slave can reproduce the same result the master got. In addition, MySQL keeps gaining features, which makes statement-based replication harder to get right; the more complex the content, the more likely a bug. At statement level a number of cases are already known to break replication, mostly statements that modify data using particular functions or features; sleep() for example does not replicate correctly in some versions, and the same holds for any non-deterministic function such as UUID() or RAND().

2.1.3、mixed: row combined with statement

This is the combination of the two formats above. In mixed mode MySQL decides for each SQL statement which form to log it in, choosing between statement and row. Statement level in newer versions is unchanged and records only the executed statement, while row level has been optimized so that not every change is logged as rows: a table structure change is logged in statement form, but if the SQL statement really is an update or delete that modifies data, every row change is still recorded.

2.2 Binary log events

2.2.1、Introduction to binary log events

• The smallest unit of the binary log is the event (binlog event).

• For DDL and DCL, one statement is one event.

• For DML (standard transactional statements), only the DML of committed transactions is recorded

begin	;		event 1
a				event 2
b				event 3
commit	;		event 4

2.2.2、Anatomy of an event (needed to extract a range of the log)
[root@localhost data]# mysqlbinlog mysql-bin.000001
# at 219					position where the event starts
end_log_pos 319			position where the event ends
#220811 14:28:12		time the event occurred
create database aaaaa	content of the event

2.2.3、Basic inspection of the binary log
#show the binary log configuration
mysql> show variables like '%log_bin%';

Meaning of the variables:

• log_bin: the master switch for the binary log

• log_bin_basename: where the files are written

• sql_log_bin: the per-session switch that turns binary logging off temporarily (changes made with it off reach neither the replicas nor point-in-time recovery, so it should stay restricted to accounts with SUPER)

#list the binary log files and their sizes
mysql> show binary logs;
#show the binary log currently being written and its position
mysql> show master status;(commonly used)

2.3 Viewing and extracting binary log contents

#binary log files cannot be read with vim; use the mysqlbinlog command
[root@localhost data]# mysqlbinlog path/mysql-bin.000001
#inside mysql, show the binary log file currently receiving transactions
mysql> show master status;
#list the events in that file
mysql> show binlog events in 'binlog_file_name';

Extraction syntax:

• --start-position: the position (the "# at" value) at which to start

• --stop-position: the position at which to stop; the event that starts at this position is not included

#extract a range of the log and save it as a file for recovery
[root@localhost data]# mysqlbinlog --start-position=xxx --stop-position=yyy path/mysql-bin.00000x > path/custom_name.sql
#replay it (run set sql_log_bin=0; in the session first if the replay itself must not be written to the binary log again)
mysql> source path/custom_name.sql

mysql> begin;		#start a transaction
mysql> commit;		#commit the transaction
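The usual reason to extract a range is to replay everything up to, but not including, a destructive statement. The following is an added example, not from the original post or from MySQL: it parses the text that mysqlbinlog prints (the "# at", end_log_pos and timestamp lines described in 2.2.2), finds the first event matching a pattern such as a drop database, and derives the --start-position/--stop-position command for recovery. The binlog text is a constructed, abridged sample (timestamps, positions and the CRC values are invented), so the positions it yields are only meaningful for that sample.

```python
import re

AT_RE = re.compile(r"^# at (\d+)$")
HDR_RE = re.compile(r"^#(\d{6} +\d{1,2}:\d{2}:\d{2}) server id (\d+)\s+end_log_pos (\d+)\b.*?\t(\w+)")

# Constructed, abridged mysqlbinlog text output (not a real log): a database is created, a
# table is created and filled in one transaction, then the database is dropped by mistake.
SAMPLE_BINLOG_TEXT = """\
# at 4
#220811 14:28:10 server id 1  end_log_pos 123 CRC32 0x1a2b3c4d \tStart: binlog v 4, server v 5.7.36-log created 220811 14:28:10
# at 123
#220811 14:28:12 server id 1  end_log_pos 219 CRC32 0x2b3c4d5e \tQuery\tthread_id=3\texec_time=0\terror_code=0
SET TIMESTAMP=1660199292/*!*/;
create database aaaaa
/*!*/;
# at 219
#220811 14:28:30 server id 1  end_log_pos 319 CRC32 0x3c4d5e6f \tQuery\tthread_id=3\texec_time=0\terror_code=0
use `aaaaa`/*!*/;
create table t1 (id int primary key)
/*!*/;
# at 319
#220811 14:29:02 server id 1  end_log_pos 384 CRC32 0x4d5e6f70 \tQuery\tthread_id=3\texec_time=0\terror_code=0
BEGIN
/*!*/;
# at 384
#220811 14:29:02 server id 1  end_log_pos 460 CRC32 0x5e6f7081 \tQuery\tthread_id=3\texec_time=0\terror_code=0
insert into t1 values (1),(2),(3)
/*!*/;
# at 460
#220811 14:29:02 server id 1  end_log_pos 491 CRC32 0x6f708192 \tXid = 12
COMMIT/*!*/;
# at 491
#220811 14:30:15 server id 1  end_log_pos 582 CRC32 0x708192a3 \tQuery\tthread_id=7\texec_time=0\terror_code=0
drop database aaaaa
/*!*/;
"""


def parse_binlog_text(text: str) -> list:
    """Turn mysqlbinlog text output into a list of events with start/end positions,
    timestamp, event type and the statement text (session SET lines are dropped)."""
    events, cur = [], None
    for raw in text.splitlines():
        line = raw.rstrip()
        m = AT_RE.match(line)
        if m:
            cur = {"start": int(m.group(1)), "end": None, "time": None, "type": None, "sql": ""}
            events.append(cur)
            continue
        h = HDR_RE.match(line)
        if h and cur is not None:
            cur["time"], cur["end"], cur["type"] = h.group(1), int(h.group(3)), h.group(4)
            continue
        if cur is None or line.startswith(("#", "SET ", "DELIMITER", "BINLOG", "/*!")):
            continue
        stmt = line.replace("/*!*/;", "").strip()
        if stmt:
            cur["sql"] = (cur["sql"] + "\n" + stmt).strip()
    return events


def find_event(events: list, pattern: str):
    """First event whose statement text matches the regex (checked line by line)."""
    for e in events:
        if re.search(pattern, e["sql"], re.IGNORECASE | re.MULTILINE):
            return e
    return None


def recovery_range(events: list, bad_pattern: str) -> tuple:
    """Positions for --start-position/--stop-position that replay everything before the
    first event matching bad_pattern; that event starts at the stop position, so it is excluded."""
    bad = find_event(events, bad_pattern)
    if bad is None:
        raise ValueError("no event matches the pattern")
    first = next(e for e in events if e["type"] != "Start")  # skip the format description event
    return first["start"], bad["start"]


def recovery_command(binlog_file: str, events: list, bad_pattern: str, out: str = "recover.sql") -> str:
    start, stop = recovery_range(events, bad_pattern)
    return f"mysqlbinlog --start-position={start} --stop-position={stop} {binlog_file} > {out}"


if __name__ == "__main__":
    evs = parse_binlog_text(SAMPLE_BINLOG_TEXT)
    for e in evs:
        print(e["start"], e["end"], e["type"], e["sql"].replace("\n", " | "))
    print(recovery_command("mysql-bin.000001", evs, r"^drop database"))
```

Run it on real output with mysqlbinlog mysql-bin.000001 | python3 this_script.py after replacing the sample with sys.stdin.read(); for row-format logs add -v to mysqlbinlog so the row events carry a decoded pseudo-SQL comment the pattern can match.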

2.4 Binary log management based on GTID

Introduction to GTID (Global Transaction ID)

• A globally unique transaction identifier.

• Idempotent: a transaction whose GTID a server has already executed is skipped rather than applied a second time.

• A GTID has two parts, server_uuid and the transaction id (Tx_id), written server_uuid:tx_id.

GTID configuration

#view the gtid variables
mysql> show variables like '%gtid%';
+----------------------------------+-----------+
| Variable_name                    | Value     |
+----------------------------------+-----------+
| binlog_gtid_simple_recovery      | ON        |
| enforce_gtid_consistency         | OFF       |
| gtid_executed_compression_period | 1000      |
| gtid_mode                        | OFF       |
| gtid_next                        | AUTOMATIC |
| gtid_owned                       |           |
| gtid_purged                      |           |
| session_track_gtids              | OFF       |
+----------------------------------+-----------+
8 rows in set (0.01 sec)
#edit the configuration
[root@localhost data]# vim /etc/my.cnf
[mysqld]
gtid_mode=on					#enable GTID
enforce_gtid_consistency=true	#reject statements that cannot be logged in a GTID-consistent way
log_slave_updates=1				#in replication, make the slave write replicated transactions to its own binlog so that GTID information is carried through
#restart the database for it to take effect
[root@localhost data]# systemctl restart mysqld
#gtid is now enabled
mysql> show variables like '%gtid%';
+----------------------------------+-----------+
| Variable_name                    | Value     |
+----------------------------------+-----------+
| binlog_gtid_simple_recovery      | ON        |
| enforce_gtid_consistency         | ON        |
| gtid_executed_compression_period | 1000      |
| gtid_mode                        | ON        |
| gtid_next                        | AUTOMATIC |
| gtid_owned                       |           |
| gtid_purged                      |           |
| session_track_gtids              | OFF       |
+----------------------------------+-----------+
8 rows in set (0.01 sec)

Extracting the log by GTID

• For DDL and DCL, one operation is one GTID

• For DML, one complete transaction is one GTID

--include-gtids=<gtid set>   keep only the transactions in this set
--exclude-gtids=<gtid set>   drop the transactions in this set
--skip-gtids                 do not print the SET @@SESSION.GTID_NEXT lines, so the output can be replayed on a server whose gtid_executed already contains those GTIDs (without it the replay is silently skipped because of idempotence)
#e.g. extract transactions 1-3
[root@localhost data]# mysqlbinlog --include-gtids='827ddb16-4ec8-11ea-b734-000c293df1f0:1-3' /usr/local/mysql/data/mysql-bin.000003 > /usr/local/mysql/data/gtid.sql
#extract transactions 1-10 but skip transaction 6 (the exclude set must name the same server_uuid as the transactions it is meant to skip)
[root@localhost data]# mysqlbinlog --include-gtids='827ddb16-4ec8-11ea-b734-000c293df1f0:1-10' --exclude-gtids='827ddb16-4ec8-11ea-b734-000c293df1f0:6' /usr/local/mysql/data/mysql-bin.000003 > /usr/local/mysql/data/gtid.sql
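The set notation used by --include-gtids and --exclude-gtids (server_uuid:1-3:7, several servers separated by commas) is the same one gtid_executed and gtid_purged use. The following is an added example, not from the original post or from MySQL: it parses and formats GTID sets, applies the include/exclude selection from the commands above to a constructed transaction list, and implements set subtraction in the manner of the server's GTID_SUBTRACT() function, which is how you compute what a replica or a backup is still missing. The two server_uuid values are the ones printed in the commands above; the transactions themselves are invented.

```python
import re
from collections import defaultdict

UUID_RE = re.compile(r"^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$")

# server_uuid values from the mysqlbinlog commands above, reused for constructed data
MASTER = "827ddb16-4ec8-11ea-b734-000c293df1f0"
OTHER = "545fd699-be48-11e9-8f0a-000c2980e248"

# Constructed transaction list: (server_uuid, transaction id, statement).
SAMPLE_TXNS = [(MASTER, n, f"insert into t1 values ({n})") for n in range(1, 11)]
SAMPLE_TXNS.append((OTHER, 1, "insert into t1 values (99)"))


def parse_gtid_set(text: str) -> dict:
    """'uuid:1-3:7,uuid2:5' -> {uuid: {1, 2, 3, 7}, uuid2: {5}}; same grammar as gtid_executed."""
    result = defaultdict(set)
    for member in text.replace("\n", "").split(","):
        member = member.strip()
        if not member:
            continue
        uuid, *intervals = member.split(":")
        uuid = uuid.lower()
        if not UUID_RE.match(uuid):
            raise ValueError(f"bad server_uuid {uuid!r}")
        for interval in intervals:
            lo, _, hi = interval.partition("-")
            lo, hi = int(lo), int(hi or lo)
            if lo < 1 or hi < lo:
                raise ValueError(f"bad interval {interval!r}")
            result[uuid].update(range(lo, hi + 1))
    return dict(result)


def format_gtid_set(gset: dict) -> str:
    """Inverse of parse_gtid_set: collapse consecutive ids back into lo-hi ranges."""
    members = []
    for uuid in sorted(gset):
        ids = sorted(gset[uuid])
        if not ids:
            continue
        runs, lo, prev = [], ids[0], ids[0]
        for n in ids[1:]:
            if n != prev + 1:
                runs.append((lo, prev))
                lo = n
            prev = n
        runs.append((lo, prev))
        members.append(uuid + "".join(f":{a}-{b}" if a != b else f":{a}" for a, b in runs))
    return ",".join(members)


def contains(gset: dict, uuid: str, txid: int) -> bool:
    return txid in gset.get(uuid.lower(), set())


def gtid_subtract(a: str, b: str) -> str:
    """GTIDs in set a that are not in set b, like the server's GTID_SUBTRACT():
    the transactions a replica still has to apply, or a backup is missing."""
    sa, sb = parse_gtid_set(a), parse_gtid_set(b)
    return format_gtid_set({u: ids - sb.get(u, set()) for u, ids in sa.items()})


def select_transactions(txns, include: str = None, exclude: str = None) -> list:
    """Apply the --include-gtids / --exclude-gtids semantics: keep a transaction if it is in
    the include set (or no include set was given) and it is not in the exclude set."""
    inc = parse_gtid_set(include) if include else None
    exc = parse_gtid_set(exclude) if exclude else {}
    kept = []
    for uuid, txid, sql in txns:
        if inc is not None and not contains(inc, uuid, txid):
            continue
        if contains(exc, uuid, txid):
            continue
        kept.append((uuid, txid, sql))
    return kept


if __name__ == "__main__":
    kept = select_transactions(SAMPLE_TXNS, include=f"{MASTER}:1-10", exclude=f"{MASTER}:6")
    print([t for _, t, _ in kept])
    print(gtid_subtract(f"{MASTER}:1-10", f"{MASTER}:1-5:7"))
```

Note that a transaction from the second server_uuid is dropped by the include set even though its id is 1: membership is tested per server_uuid, which is why the exclude set in the command above must use the same server_uuid as the include set.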

3. MySQL slow query log

Introduction to the slow log

• Statements that run longer than a threshold are written to the slow log.

• It is an auxiliary log used for query optimization.

• A sudden slowdown can be watched live with show processlist.

• Slowness over a period of time is recorded in the slow log and analyzed statistically.

• Because it stores the full statement text, including literal values, restrict read access to the file.

Slow log configuration

#check whether the slow log is enabled
mysql> show variables like '%slow_query%';
+---------------------+------------------------------------------+
| Variable_name       | Value                                    |
+---------------------+------------------------------------------+
| slow_query_log      | OFF                                      |
| slow_query_log_file | /usr/local/mysql/data/localhost-slow.log |
+---------------------+------------------------------------------+
2 rows in set (0.01 sec)
#the slow log is currently off
#check the threshold (how long a query must run before it is logged)
mysql> select @@long_query_time;
+-------------------+
| @@long_query_time |
+-------------------+
|         10.000000 |
+-------------------+
1 row in set (0.00 sec)
#set the threshold to 3 seconds
mysql> set global long_query_time=3;
#a global change only applies to sessions opened after it; reconnect or open a new session to see the new value
#edit the configuration file to enable the slow log permanently
[root@localhost data]#vim /etc/my.cnf
[mysqld]
slow_query_log=1
slow_query_log_file=/usr/local/mysql/data/qfedu-slow.log
long_query_time=3  #default 10 seconds
log_queries_not_using_indexes=1
#restart the database for it to take effect

Slow log analysis tool

#the 10 SQL statements that returned the most rows
mysqldumpslow -s r -t 10 /usr/local/mysql/data/test-slow.log
#the 10 most frequently executed SQL statements
mysqldumpslow -s c -t 10 /usr/local/mysql/data/test-slow.log
#the 10 slowest statements (sorted by time) that contain a LEFT JOIN
mysqldumpslow -s t -t 10 -g "LEFT JOIN" /usr/local/mysql/data/test-slow.log
#pipe through more so the output does not flood the screen
mysqldumpslow -s r -t 10 /usr/local/mysql/data/test-slow.log | more
#option meanings
-s: how to sort
   c: execution count
   l: lock time
   r: rows returned
   t: query time
   al: average lock time
   ar: average rows returned
   at: average query time
-t: how many of the top entries to return
-g: followed by a regular expression to match, case-insensitive
--help shows the help text
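What mysqldumpslow does with those options is easier to see on a small log. The following is an added example, not from the original post or from the mysqldumpslow tool itself: it parses slow-log entries in the format mysqld writes, normalizes each statement the way mysqldumpslow does (numbers become N, quoted strings become 'S') so repeated executions group together, and then sorts the groups with the same -s/-t/-g letters as above. The four log entries are constructed for the example; the tables, users and timings are invented.

```python
import re
from collections import defaultdict

# Constructed slow-log excerpt in the format mysqld writes (not a real log).
SAMPLE_SLOW_LOG = """\
# Time: 2022-08-11T06:28:12.123456Z
# User@Host: app[app] @ localhost []  Id:    12
# Query_time: 3.500000  Lock_time: 0.000100 Rows_sent: 1000  Rows_examined: 500000
SET timestamp=1660199292;
SELECT * FROM orders o LEFT JOIN customers c ON c.id = o.customer_id WHERE o.status = 'open';
# Time: 2022-08-11T06:28:20.000000Z
# User@Host: app[app] @ localhost []  Id:    12
# Query_time: 4.200000  Lock_time: 0.000100 Rows_sent: 1200  Rows_examined: 600000
SET timestamp=1660199300;
SELECT * FROM orders o LEFT JOIN customers c ON c.id = o.customer_id WHERE o.status = 'closed';
# Time: 2022-08-11T06:29:01.000000Z
# User@Host: report[report] @ 10.0.0.5 []  Id:    19
# Query_time: 12.000000  Lock_time: 0.500000 Rows_sent: 5  Rows_examined: 9000000
SET timestamp=1660199341;
SELECT COUNT(*) FROM audit_log WHERE created_at > '2022-01-01';
# Time: 2022-08-11T06:30:00.000000Z
# User@Host: app[app] @ localhost []  Id:    12
# Query_time: 3.100000  Lock_time: 0.000100 Rows_sent: 1  Rows_examined: 1
SET timestamp=1660199400;
UPDATE orders SET status = 'closed' WHERE id = 42;
"""


def parse_slow_log(text: str) -> list:
    """Split the slow log into one dict per entry (time, user, host, timings, sql)."""
    entries, cur = [], None
    for line in text.splitlines():
        if line.startswith("# Time:"):
            cur = {"time": line.split(None, 2)[2], "sql": ""}
            entries.append(cur)
        elif line.startswith("# User@Host:") and cur is not None:
            m = re.search(r"User@Host: (\S+) @ (\S*)", line)
            cur["user"], cur["host"] = m.group(1), m.group(2)
        elif line.startswith("# Query_time:") and cur is not None:
            nums = dict(re.findall(r"(\w+): ([\d.]+)", line))
            cur["query_time"] = float(nums["Query_time"])
            cur["lock_time"] = float(nums["Lock_time"])
            cur["rows_sent"] = int(nums["Rows_sent"])
            cur["rows_examined"] = int(nums["Rows_examined"])
        elif line.startswith(("#", "SET timestamp=", "use ")):
            continue                      # header lines and session context
        elif cur is not None:
            cur["sql"] = (cur["sql"] + " " + line.strip()).strip()
    return entries


def normalize(sql: str) -> str:
    """Abstract literals the way mysqldumpslow does: strings -> 'S', numbers -> N."""
    sql = re.sub(r"'[^']*'", "'S'", sql)
    sql = re.sub(r"\b\d+\b", "N", sql)
    return re.sub(r"\s+", " ", sql).strip().rstrip(";")


def summarize(entries: list) -> dict:
    """Group entries by normalized statement and accumulate count, time, lock time, rows."""
    groups = defaultdict(lambda: {"count": 0, "time": 0.0, "lock": 0.0, "rows": 0, "examined": 0})
    for e in entries:
        g = groups[normalize(e["sql"])]
        g["count"] += 1
        g["time"] += e["query_time"]
        g["lock"] += e["lock_time"]
        g["rows"] += e["rows_sent"]
        g["examined"] += e["rows_examined"]
    return dict(groups)


# Same letters as mysqldumpslow -s: totals, or averages per execution for the a* variants.
SORT_KEYS = {
    "c": lambda g: g["count"], "t": lambda g: g["time"],
    "l": lambda g: g["lock"], "r": lambda g: g["rows"],
    "at": lambda g: g["time"] / g["count"], "al": lambda g: g["lock"] / g["count"],
    "ar": lambda g: g["rows"] / g["count"],
}


def top(entries: list, sort: str = "t", limit: int = 10, grep: str = None) -> list:
    """mysqldumpslow -s <sort> -t <limit> [-g <grep>]: grouped statements, best first."""
    groups = summarize(entries)
    if grep:
        groups = {k: v for k, v in groups.items() if re.search(grep, k, re.IGNORECASE)}
    return sorted(groups.items(), key=lambda kv: SORT_KEYS[sort](kv[1]), reverse=True)[:limit]


if __name__ == "__main__":
    entries = parse_slow_log(SAMPLE_SLOW_LOG)
    for stmt, g in top(entries, sort="t", limit=10, grep="LEFT JOIN"):
        print(f"Count: {g['count']}  Time={g['time']:.2f}s  Rows={g['rows']}  {stmt}")
```

The grouping is what makes the counts meaningful: the two LEFT JOIN queries differ only in the literal 'open'/'closed' and are reported as one statement executed twice, exactly as mysqldumpslow -s c would show them.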

END

Origin blog.csdn.net/tu464932199/article/details/126396805