MySQL study notes (eleven) - users and permissions

1. User Management

1.1 Log in to the MySQL server

The complete login statement is as follows:

mysql -h hostname|hostIP -P port -u username -p DatabaseName -e "SQL statement"

The parameters in the command are described in detail below:

  • The -h parameter is followed by the host name or host IP, where hostname is the host name and hostIP is the host IP address.
  • The -P parameter is followed by the port of the MySQL service and is used to connect to a specific port. The default MySQL port is 3306; if this parameter is omitted, the client connects to port 3306. port is the port number to connect to.
  • The -u parameter is followed by the user name, where username is the user name.
  • The -p parameter makes the client prompt for the password.
  • The DatabaseName parameter indicates which database to use after logging in. If it is omitted, you log in to the MySQL server without selecting a database and can pick one later with the USE command.
  • An SQL statement can be given directly after the -e parameter. After logging in to the MySQL server, the client executes this statement and then exits.

Example:

mysql -uroot -p -hlocalhost -P3306 mysql -e "select host,user from user"

1.2 User creation

The basic syntax of the CREATE USER statement is as follows:

CREATE USER username [IDENTIFIED BY 'password'][,username [IDENTIFIED BY 'password']];
  • The username parameter is the account of the new user, which is composed of a user part (User) and a host part (Host);
  • "[ ]" marks optional parts: you can require password authentication for the user, or omit it so the user can log in directly. Omitting the password is insecure and not recommended. To set one, supply the plaintext password value with IDENTIFIED BY.
  • A single CREATE USER statement can create multiple users at once.

Example:

CREATE USER zhang3 IDENTIFIED BY '123123'; # default host is %
CREATE USER 'kangshifu'@'localhost' IDENTIFIED BY '123456';

1.3 Modify user

Modify username (deprecated):

UPDATE mysql.user SET USER='li4' WHERE USER='wang5';
FLUSH PRIVILEGES;

1.4 Delete user

There are generally two ways:

  • Delete with DROP USER (recommended)
  • Delete with DELETE on the mysql.user table

To delete a user with the DROP USER statement you must hold the DROP USER privilege. The basic syntax of DROP USER is as follows:

DROP USER user[,user];

Example:

DROP USER li4; # deletes the user whose host is % by default
DROP USER 'kangshifu'@'localhost';

Note: Deleting with DELETE FROM USER u WHERE USER='li4' is not recommended, because the system keeps residual information. The DROP USER statement removes the user together with its privileges; after it runs, the corresponding records in the mysql.user and mysql.db tables are gone.

1.5 Set current user password

# Change the current user's password (tested on MySQL 5.7): not recommended
SET PASSWORD = PASSWORD('123456');

Recommended way of writing:

  • Use the ALTER USER statement to change the current user's password. A user can change their own password with ALTER USER; the following statement changes the password of the currently logged-in user. The basic syntax is:
ALTER USER USER() IDENTIFIED BY 'new_password';
  • Use the SET statement to change the current user's password. After logging in to MySQL as the root user, you can change the password with SET PASSWORD. The statement is:
SET PASSWORD='new_password';

This statement automatically hashes the password and assigns it to the current user.

1.6 Modify other user passwords

  • Use the ALTER USER statement to change an ordinary user's password. The basic syntax is:
ALTER USER user [IDENTIFIED BY 'new_password'] [,user [IDENTIFIED BY 'new_password']];
  • Use the SET statement to change an ordinary user's password. After logging in to the MySQL server as the root user, you can change another user's password with SET PASSWORD:
SET PASSWORD FOR 'username'@'hostname'='new_password';

2. Rights Management

2.1 Permission List

View the MySQL privilege list:

show privileges;

Privilege                          Description
CREATE and DROP                    Create new databases and tables, or drop (remove) existing databases and tables
SELECT, INSERT, UPDATE, DELETE     Operate on existing tables in a database
INDEX                              Create or drop indexes; INDEX applies to existing tables. With the CREATE privilege on a table you can also include index definitions in the CREATE TABLE statement
ALTER                              Use ALTER TABLE to change a table's structure or rename it
CREATE ROUTINE                     Create stored routines (functions and procedures); ALTER ROUTINE is needed to change or drop stored routines
EXECUTE                            Execute stored routines
GRANT                              Grant privileges to other users; applies to databases, tables and stored routines
FILE                               Use LOAD DATA INFILE and SELECT ... INTO OUTFILE to read or write files on the server; any user holding the FILE privilege can read or write any file on the MySQL server

2.2 Principles of Granting Permissions (Important)

  • Grant only the minimum privileges that meet the need, so that a user cannot do more than intended. For example, if a user only needs to query, the SELECT privilege is enough; do not give that user UPDATE, INSERT or DELETE.
  • When creating a user, restrict the host the user may log in from, generally to a specific IP address or an intranet IP range.
  • Set a password that meets the complexity requirements for every user.
  • Regularly clean up unnecessary users: revoke their privileges or delete them.

2.3 Granting Permissions

There are two ways to authorize users:

  • Roles are assigned to users to authorize users.
  • Authorize users directly.

Authorization statement (granting a user directly):

GRANT priv1,priv2,...privN ON db_name.table_name TO 'username'@'host' [IDENTIFIED BY 'password'];
  • If the named user does not yet exist, it is created directly.

Example:

  • Give the li4 user, connecting from the local command line, the privileges to insert, delete, update and query all tables in the atguigudb database:
GRANT SELECT,INSERT,DELETE,UPDATE ON atguigudb.* TO li4@localhost;
  • Give the user joe, who logs in over the network from any host, all privileges on all tables in all databases, and set the password to 123. Note that the GRANT privilege is not included here:
GRANT ALL PRIVILEGES ON *.* TO joe@'%' IDENTIFIED BY '123';

2.4 View permissions

  • View the current user's privileges
SHOW GRANTS;
# or
SHOW GRANTS FOR CURRENT_USER;
# or
SHOW GRANTS FOR CURRENT_USER();
  • View a specific user's global privileges
SHOW GRANTS FOR 'user'@'host';
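As an added example (not code from the original notes), the following Python script parses lines in the format that SHOW GRANTS prints and flags accounts that break the principles in 2.2: a '%' login host, ALL PRIVILEGES, global privileges such as FILE or SUPER, or WITH GRANT OPTION. The input lines are constructed, and the finding codes are this example's own naming.

```python
"""Audit SHOW GRANTS output against the granting principles in section 2.2.

Added example, not code from the original notes. The sample lines are
constructed to mimic the `GRANT ... ON ... TO ...` rows SHOW GRANTS prints
(backticks as in MySQL 8.0, single quotes as in 5.7); finding codes are
this example's own naming.
"""
import re

# Constructed sample: the kind of rows `SHOW GRANTS FOR ...` prints for several accounts.
SAMPLE_GRANTS = [
    "GRANT USAGE ON *.* TO `li4`@`localhost`",
    "GRANT SELECT, INSERT, DELETE, UPDATE ON `atguigudb`.* TO `li4`@`localhost`",
    "GRANT ALL PRIVILEGES ON *.* TO `joe`@`%`",
    "GRANT SELECT, FILE ON *.* TO 'report'@'10.0.%' WITH GRANT OPTION",
    "GRANT SELECT ON `school`.* TO `reader`@`192.168.1.%`",
]

GRANT_RE = re.compile(
    r"^GRANT\s+(?P<privs>.+?)\s+ON\s+(?P<obj>\S+)\s+TO\s+"
    r"[`']?(?P<user>[^`'@]+)[`']?@[`']?(?P<host>[^`'\s]+)[`']?(?P<tail>.*)$",
    re.IGNORECASE,
)

# Global privileges the notes single out as dangerous when handed out casually
# (FILE reads/writes server files; SUPER, SHUTDOWN and PROCESS are admin-level).
DANGEROUS_GLOBAL = {"FILE", "SUPER", "SHUTDOWN", "PROCESS"}


def parse_grant(line):
    """Split one SHOW GRANTS row into its parts, or return None if it is not a GRANT row."""
    m = GRANT_RE.match(line.strip())
    if not m:
        return None
    privs = {p.strip().upper() for p in m.group("privs").split(",")}
    return {
        "privs": privs,
        "obj": m.group("obj"),            # e.g. *.* or `atguigudb`.*
        "user": m.group("user"),
        "host": m.group("host"),
        "grant_option": "WITH GRANT OPTION" in m.group("tail").upper(),
    }


def audit_grants(lines):
    """Return {account: sorted finding codes}; accounts with no finding map to []."""
    findings = {}
    for line in lines:
        g = parse_grant(line)
        if g is None:
            continue
        account = f"{g['user']}@{g['host']}"
        acc = findings.setdefault(account, set())
        if g["host"] == "%":                       # principle 2: restrict the login host
            acc.add("unrestricted-host")
        if "ALL PRIVILEGES" in g["privs"] or "ALL" in g["privs"]:   # principle 1: least privilege
            acc.add("all-privileges")
        if g["obj"] == "*.*" and g["privs"] & DANGEROUS_GLOBAL:
            acc.add("dangerous-global-priv")
        if g["grant_option"]:                      # can hand privileges to other users
            acc.add("grant-option")
    return {a: sorted(f) for a, f in findings.items()}


if __name__ == "__main__":
    for account, codes in audit_grants(SAMPLE_GRANTS).items():
        print(f"{account:24} {', '.join(codes) or 'ok'}")
```

Feed it the real output of SHOW GRANTS FOR each account (one row per line) to get the same report for a live server.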

2.5 Revoke privileges

  • Revoking privileges means cancelling certain privileges that were previously granted to a user. Taking unnecessary privileges away from users helps secure the system.

  • Use the REVOKE statement in MySQL to cancel some of a user's privileges.

  • After REVOKE, the user's records are deleted from the db, host, tables_priv and columns_priv tables, but the account record remains in the user table (remove it from the user table with the DROP USER statement).

  • Note: Before deleting a user account from the user table, all privileges of that user should be revoked.

  • Revoke statement:

REVOKE priv1,priv2,...privN ON db_name.table_name FROM 'username'@'host';
  • Example:
# revoke all privileges on all tables of all databases
REVOKE ALL PRIVILEGES ON *.* FROM joe@'%';

# revoke the select/insert/update/delete privileges on all tables in the mysql database
REVOKE SELECT,INSERT,UPDATE,DELETE ON mysql.* FROM joe@localhost;
  • Note: the user must log in again for the change to take effect

Summary
Some programmers like to access the database as the root superuser and implement all permission control at the application level. That is possible, but I suggest you use the database's own role and user mechanism to control access rights and do not use the root account lightly. Putting the root password in code is unsafe: once it leaks, the database is completely unprotected. Moreover, MySQL's privilege control is very complete and should be used as much as possible; it improves efficiency and is safe and reliable.

3. Permission table

3.1 user table

The user table is the most important privilege table in MySQL. It records user accounts and their privileges and lives in the mysql database, as shown below:

mysql> desc user;
+--------------------------+-----------------------------------+------+-----+-----------------------+-------+
| Field                    | Type                              | Null | Key | Default               | Extra |
+--------------------------+-----------------------------------+------+-----+-----------------------+-------+
| Host                     | char(255)                         | NO   | PRI |                       |       |
| User                     | char(32)                          | NO   | PRI |                       |       |
| Select_priv              | enum('N','Y')                     | NO   |     | N                     |       |
| Insert_priv              | enum('N','Y')                     | NO   |     | N                     |       |
| Update_priv              | enum('N','Y')                     | NO   |     | N                     |       |
| Delete_priv              | enum('N','Y')                     | NO   |     | N                     |       |
| Create_priv              | enum('N','Y')                     | NO   |     | N                     |       |
| Drop_priv                | enum('N','Y')                     | NO   |     | N                     |       |
| Reload_priv              | enum('N','Y')                     | NO   |     | N                     |       |
| Shutdown_priv            | enum('N','Y')                     | NO   |     | N                     |       |
| Process_priv             | enum('N','Y')                     | NO   |     | N                     |       |
| File_priv                | enum('N','Y')                     | NO   |     | N                     |       |
| Grant_priv               | enum('N','Y')                     | NO   |     | N                     |       |
| References_priv          | enum('N','Y')                     | NO   |     | N                     |       |
| Index_priv               | enum('N','Y')                     | NO   |     | N                     |       |
| Alter_priv               | enum('N','Y')                     | NO   |     | N                     |       |
| Show_db_priv             | enum('N','Y')                     | NO   |     | N                     |       |
| Super_priv               | enum('N','Y')                     | NO   |     | N                     |       |
| Create_tmp_table_priv    | enum('N','Y')                     | NO   |     | N                     |       |
| Lock_tables_priv         | enum('N','Y')                     | NO   |     | N                     |       |
| Execute_priv             | enum('N','Y')                     | NO   |     | N                     |       |
| Repl_slave_priv          | enum('N','Y')                     | NO   |     | N                     |       |
| Repl_client_priv         | enum('N','Y')                     | NO   |     | N                     |       |
| Create_view_priv         | enum('N','Y')                     | NO   |     | N                     |       |
| Show_view_priv           | enum('N','Y')                     | NO   |     | N                     |       |
| Create_routine_priv      | enum('N','Y')                     | NO   |     | N                     |       |
| Alter_routine_priv       | enum('N','Y')                     | NO   |     | N                     |       |
| Create_user_priv         | enum('N','Y')                     | NO   |     | N                     |       |
| Event_priv               | enum('N','Y')                     | NO   |     | N                     |       |
| Trigger_priv             | enum('N','Y')                     | NO   |     | N                     |       |
| Create_tablespace_priv   | enum('N','Y')                     | NO   |     | N                     |       |
| ssl_type                 | enum('','ANY','X509','SPECIFIED') | NO   |     |                       |       |
| ssl_cipher               | blob                              | NO   |     | NULL                  |       |
| x509_issuer              | blob                              | NO   |     | NULL                  |       |
| x509_subject             | blob                              | NO   |     | NULL                  |       |
| max_questions            | int unsigned                      | NO   |     | 0                     |       |
| max_updates              | int unsigned                      | NO   |     | 0                     |       |
| max_connections          | int unsigned                      | NO   |     | 0                     |       |
| max_user_connections     | int unsigned                      | NO   |     | 0                     |       |
| plugin                   | char(64)                          | NO   |     | caching_sha2_password |       |
| authentication_string    | text                              | YES  |     | NULL                  |       |
| password_expired         | enum('N','Y')                     | NO   |     | N                     |       |
| password_last_changed    | timestamp                         | YES  |     | NULL                  |       |
| password_lifetime        | smallint unsigned                 | YES  |     | NULL                  |       |
| account_locked           | enum('N','Y')                     | NO   |     | N                     |       |
| Create_role_priv         | enum('N','Y')                     | NO   |     | N                     |       |
| Drop_role_priv           | enum('N','Y')                     | NO   |     | N                     |       |
| Password_reuse_history   | smallint unsigned                 | YES  |     | NULL                  |       |
| Password_reuse_time      | smallint unsigned                 | YES  |     | NULL                  |       |
| Password_require_current | enum('N','Y')                     | YES  |     | NULL                  |       |
| User_attributes          | json                              | YES  |     | NULL                  |       |
+--------------------------+-----------------------------------+------+-----+-----------------------+-------+
51 rows in set (0.00 sec)

These fields can be divided into 4 categories: the scope column (or user column), the permission column, the security column and the resource control column.

1. Scope column (or user column)

  • host: indicates the connection type

    • % means any remote connection via TCP
    • an IP address such as 192.168.1.2 or 127.0.0.1 means a TCP connection from that specific IP address
    • a machine name means a TCP connection from that named host on the network
    • ::1 is the IPv6 loopback address, equivalent to 127.0.0.1 in IPv4
    • localhost means a local connection through the command line, such as mysql -u xxx -p xxx
  • user: the user name. The same user name connecting in different ways (from different hosts) is a different account with its own privileges.

  • password: the password

    • Every stored password string is a hash generated by PASSWORD(plaintext string). MySQL 8.0 added role management to user management, and the default password hashing method changed from the previous SHA1 to SHA2, which is irreversible. Together with the ability to disable and expire users added in MySQL 5.7, MySQL's user management features and security have been greatly enhanced compared with earlier versions.
    • Since MySQL 5.7 the password is stored in the authentication_string field, and the password field is no longer used.

2. Permission column

  • Grant_priv field
    • Indicates whether the user has the GRANT privilege
  • Shutdown_priv field
    • Indicates whether the user may stop the MySQL service
  • Super_priv field
    • Indicates whether the user has the SUPER privilege
  • Execute_priv field
    • Indicates whether the user has the EXECUTE privilege, which allows executing stored procedures and functions.
  • Select_priv, Insert_priv, etc.
    • The privileges held by this user.

3. Security column

The security column has only 6 fields: two are SSL-related (ssl_type, ssl_cipher) and are used for encryption; two are X509-related (x509_issuer, x509_subject) and are used to identify the user; the other two (plugin and authentication_string) belong to the plugin that authenticates the user, and the plugin field cannot be empty. If that field is empty, the server uses its built-in authentication mechanism to authenticate the user.

4. Resource Control column

The resource control column has 4 fields that limit the resources a user may consume:

  • max_questions, the number of queries the user may issue per hour;
  • max_updates, the number of update operations the user may perform per hour;
  • max_connections, the number of connections the user may open per hour;
  • max_user_connections, the number of simultaneous connections the user may hold.

3.2 db table

mysql> desc mysql.db;
+-----------------------+---------------+------+-----+---------+-------+
| Field                 | Type          | Null | Key | Default | Extra |
+-----------------------+---------------+------+-----+---------+-------+
| Host                  | char(255)     | NO   | PRI |         |       |
| Db                    | char(64)      | NO   | PRI |         |       |
| User                  | char(32)      | NO   | PRI |         |       |
| Select_priv           | enum('N','Y') | NO   |     | N       |       |
| Insert_priv           | enum('N','Y') | NO   |     | N       |       |
| Update_priv           | enum('N','Y') | NO   |     | N       |       |
| Delete_priv           | enum('N','Y') | NO   |     | N       |       |
| Create_priv           | enum('N','Y') | NO   |     | N       |       |
| Drop_priv             | enum('N','Y') | NO   |     | N       |       |
| Grant_priv            | enum('N','Y') | NO   |     | N       |       |
| References_priv       | enum('N','Y') | NO   |     | N       |       |
| Index_priv            | enum('N','Y') | NO   |     | N       |       |
| Alter_priv            | enum('N','Y') | NO   |     | N       |       |
| Create_tmp_table_priv | enum('N','Y') | NO   |     | N       |       |
| Lock_tables_priv      | enum('N','Y') | NO   |     | N       |       |
| Create_view_priv      | enum('N','Y') | NO   |     | N       |       |
| Show_view_priv        | enum('N','Y') | NO   |     | N       |       |
| Create_routine_priv   | enum('N','Y') | NO   |     | N       |       |
| Alter_routine_priv    | enum('N','Y') | NO   |     | N       |       |
| Execute_priv          | enum('N','Y') | NO   |     | N       |       |
| Event_priv            | enum('N','Y') | NO   |     | N       |       |
| Trigger_priv          | enum('N','Y') | NO   |     | N       |       |
+-----------------------+---------------+------+-----+---------+-------+
22 rows in set (0.01 sec)

1. User column

The user column of the db table has 3 fields, Host, User and Db, representing the host name, user name and database name respectively. Together they describe the privileges of a user connecting from a certain host to a certain database, and the combination of these three fields is the primary key of the db table.

2. Permission column

The two fields Create_routine_priv and Alter_routine_priv determine whether the user has the authority to create and modify stored procedures .

3.3 tables_priv table and columns_priv table

  • The tables_priv table is used to set operation permissions on the table
  • The columns_priv table is used to set permissions on a

The tables_priv table structure is as follows:

mysql> desc mysql.tables_priv;
+-------------+-----------------------------------------------------------------------------------------------------------------------------------+------+-----+-------------------+-----------------------------------------------+
| Field       | Type                                                                                                                              | Null | Key | Default           | Extra                                         |
+-------------+-----------------------------------------------------------------------------------------------------------------------------------+------+-----+-------------------+-----------------------------------------------+
| Host        | char(255)                                                                                                                         | NO   | PRI |                   |                                               |
| Db          | char(64)                                                                                                                          | NO   | PRI |                   |                                               |
| User        | char(32)                                                                                                                          | NO   | PRI |                   |                                               |
| Table_name  | char(64)                                                                                                                          | NO   | PRI |                   |                                               |
| Grantor     | varchar(288)                                                                                                                      | NO   | MUL |                   |                                               |
| Timestamp   | timestamp                                                                                                                         | NO   |     | CURRENT_TIMESTAMP | DEFAULT_GENERATED on update CURRENT_TIMESTAMP |
| Table_priv  | set('Select','Insert','Update','Delete','Create','Drop','Grant','References','Index','Alter','Create View','Show view','Trigger') | NO   |     |                   |                                               |
| Column_priv | set('Select','Insert','Update','References')                                                                                      | NO   |     |                   |                                               |
+-------------+-----------------------------------------------------------------------------------------------------------------------------------+------+-----+-------------------+-----------------------------------------------+
8 rows in set (0.01 sec)                                                                           

The tables_priv table has 8 fields, namely Host, Db, User, Table_name, Grantor, Timestamp, Table_priv, and Column_priv. Each field is described as follows:

  • The four fields Host, Db, User and Table_name represent the host name, database name, user name and table name respectively.
  • Grantor represents the user who modified the record.
  • Timestamp indicates when the record was modified.
  • Table_priv represents the operation authority of the object. Including Select, Insert, Update, Delete, Create, Drop, Grant, References, Index and Alter.
  • The Column_priv field represents the operation permission on the columns in the table, including Select, Insert, Update and References.
    • The columns_priv table structure is shown below:
mysql> desc mysql.columns_priv;
+-------------+----------------------------------------------+------+-----+-------------------+-----------------------------------------------+
| Field       | Type                                         | Null | Key | Default           | Extra                                         |
+-------------+----------------------------------------------+------+-----+-------------------+-----------------------------------------------+
| Host        | char(255)                                    | NO   | PRI |                   |                                               |
| Db          | char(64)                                     | NO   | PRI |                   |                                               |
| User        | char(32)                                     | NO   | PRI |                   |                                               |
| Table_name  | char(64)                                     | NO   | PRI |                   |                                               |
| Column_name | char(64)                                     | NO   | PRI |                   |                                               |
| Timestamp   | timestamp                                    | NO   |     | CURRENT_TIMESTAMP | DEFAULT_GENERATED on update CURRENT_TIMESTAMP |
| Column_priv | set('Select','Insert','Update','References') | NO   |     |                   |                                               |
+-------------+----------------------------------------------+------+-----+-------------------+-----------------------------------------------+
7 rows in set (0.00 sec)

3.4 procs_priv

The procs_priv table sets privileges on stored procedures and stored functions. Its structure is shown below:

mysql> desc mysql.procs_priv;
+--------------+----------------------------------------+------+-----+-------------------+-----------------------------------------------+
| Field        | Type                                   | Null | Key | Default           | Extra                                         |
+--------------+----------------------------------------+------+-----+-------------------+-----------------------------------------------+
| Host         | char(255)                              | NO   | PRI |                   |                                               |
| Db           | char(64)                               | NO   | PRI |                   |                                               |
| User         | char(32)                               | NO   | PRI |                   |                                               |
| Routine_name | char(64)                               | NO   | PRI |                   |                                               |
| Routine_type | enum('FUNCTION','PROCEDURE')           | NO   | PRI | NULL              |                                               |
| Grantor      | varchar(288)                           | NO   | MUL |                   |                                               |
| Proc_priv    | set('Execute','Alter Routine','Grant') | NO   |     |                   |                                               |
| Timestamp    | timestamp                              | NO   |     | CURRENT_TIMESTAMP | DEFAULT_GENERATED on update CURRENT_TIMESTAMP |
+--------------+----------------------------------------+------+-----+-------------------+-----------------------------------------------+
8 rows in set (0.00 sec)

4. Access Control

4.1 Connection Verification Phase

When a user tries to connect to the MySQL server, the server accepts or rejects the connection based on the user's identity and whether the user can supply the correct password. That is, the client sends the user name, host address and password in the connection request, and the MySQL server matches them against the Host, User and authentication_string fields of the user table.

The server accepts the connection only if the Host and User fields of a user table record match the client's host name and user name, and the correct password is provided. If connection verification fails, the server denies access completely; otherwise it accepts the connection and enters phase 2, where it waits for the user's requests.

4.2 Request Verification Phase

Once the connection is established, the server enters phase 2 of access control, the request verification phase. For every request that arrives on this connection, the server checks what the request wants to do and whether the account has sufficient privileges, which is where the privilege columns of the grant tables come into play. These privileges can come from the user, db, tables_priv and columns_priv tables.

When checking a privilege, MySQL first looks at the user table. If the required privilege is not granted there, MySQL continues to the db table. The db table is the next level; its privileges are limited to one database, where, for example, the SELECT privilege lets the user read every table of the specified database. If the privilege is not found at this level either, MySQL goes on to check the tables_priv and columns_priv tables. If all privilege tables have been checked and no privilege permitting the operation is found, MySQL returns an error: the requested operation cannot be performed and fails.

Hint: MySQL checks the privilege tables in descending order (from the user table down to the columns_priv table), but not every privilege needs the whole process. For example, if a user only performs administrative operations after logging in to the MySQL server, only administrative privileges are involved, so MySQL checks only the user table. In addition, if the requested operation is not allowed, MySQL will not continue to check the next level of tables.
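To make the user → db → tables_priv → columns_priv order concrete, here is an added Python model of the request-verification cascade (not code from the original notes). The grant-table rows are constructed inline using the column names of the tables shown in section 3; Host matching is simplified to an exact comparison, and wildcard or netmask hosts are not modelled.

```python
"""Model of MySQL's request-verification cascade (section 4.2).

Added example, not code from the original notes. The rows below are
constructed with the column names of mysql.user, mysql.db,
mysql.tables_priv and mysql.columns_priv from section 3; Host matching
is simplified to an exact comparison (no wildcards or netmasks).
"""
from dataclasses import dataclass


@dataclass
class GrantTables:
    user: list          # global privileges, one row per Host/User
    db: list            # database-level privileges
    tables_priv: list   # table-level privileges (Table_priv is a set)
    columns_priv: list  # column-level privileges (Column_priv is a set)


# Constructed sample rows, not a dump of any real server.
TABLES = GrantTables(
    user=[
        {"Host": "localhost", "User": "root", "Select_priv": "Y", "Insert_priv": "Y", "Super_priv": "Y"},
        {"Host": "localhost", "User": "li4", "Select_priv": "N", "Insert_priv": "N", "Super_priv": "N"},
        {"Host": "%", "User": "joe", "Select_priv": "N", "Insert_priv": "N", "Super_priv": "N"},
    ],
    db=[
        # result of: GRANT SELECT,INSERT ON atguigudb.* TO li4@localhost
        {"Host": "localhost", "Db": "atguigudb", "User": "li4", "Select_priv": "Y", "Insert_priv": "Y"},
    ],
    tables_priv=[
        # result of: GRANT SELECT ON school.grades TO joe@'%' (Column_priv summarises column grants)
        {"Host": "%", "Db": "school", "User": "joe", "Table_name": "grades",
         "Table_priv": {"Select"}, "Column_priv": {"Update"}},
    ],
    columns_priv=[
        # result of: GRANT UPDATE (score) ON school.grades TO joe@'%'
        {"Host": "%", "Db": "school", "User": "joe", "Table_name": "grades",
         "Column_name": "score", "Column_priv": {"Update"}},
    ],
)


def check_request(tables, host, user, priv, db=None, table=None, column=None):
    """Decide whether user@host may perform `priv` (e.g. 'Select') on the object.

    Returns (allowed, level): `level` names the grant table that supplied the
    privilege, or 'denied' / 'no such account' when none did. The lookup stops
    at the first level that grants the privilege.
    """
    col = f"{priv}_priv"
    # 1. user table: global privileges. Administrative privileges such as
    #    SUPER exist only here, so for them this is the only level checked.
    for row in tables.user:
        if row["Host"] == host and row["User"] == user:
            if row.get(col) == "Y":
                return True, "user"
            break
    else:
        return False, "no such account"  # would already have failed connection verification
    if db is None:
        return False, "denied"
    # 2. db table: privileges limited to one database (e.g. SELECT on every table in it)
    for row in tables.db:
        if (row["Host"], row["User"], row["Db"]) == (host, user, db) and row.get(col) == "Y":
            return True, "db"
    if table is None:
        return False, "denied"
    # 3. tables_priv: privileges on a single table
    for row in tables.tables_priv:
        if (row["Host"], row["User"], row["Db"], row["Table_name"]) == (host, user, db, table):
            if priv in row["Table_priv"]:
                return True, "tables_priv"
    if column is None:
        return False, "denied"
    # 4. columns_priv: privileges on a single column of that table
    for row in tables.columns_priv:
        key = (row["Host"], row["User"], row["Db"], row["Table_name"], row["Column_name"])
        if key == (host, user, db, table, column) and priv in row["Column_priv"]:
            return True, "columns_priv"
    return False, "denied"


if __name__ == "__main__":
    for args in [
        ("localhost", "root", "Select"),
        ("localhost", "li4", "Select", "atguigudb"),
        ("localhost", "li4", "Select", "mysql"),
        ("%", "joe", "Select", "school", "grades"),
        ("%", "joe", "Update", "school", "grades", "score"),
        ("%", "joe", "Update", "school", "grades"),
    ]:
        print(args, "->", check_request(TABLES, *args))
```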

5. Role Management

5.1 Understanding of roles

The purpose of introducing roles is to facilitate the management of users with the same permissions. Proper permission setting can ensure the security of data, which is very important .


5.2 Create roles

To create a role use the CREATE ROLE statement, the syntax is as follows:

CREATE ROLE 'role_name'[@'host_name'] [,'role_name'[@'host_name']]...

The naming rules for role names are similar to user names. If host_name is omitted, it defaults to %, and role_name cannot be omitted or empty.

Exercise: We now need to create a manager role, we can use the following code:

CREATE ROLE 'manager'@'localhost';

5.3 Grant permissions to roles

After the role is created, the role does not have any permissions by default, and we need to authorize the role. The grammatical structure for granting authorization to a role is

GRANT privileges ON table_name TO 'role_name'[@'host_name'];

5.4 View role permissions

SHOW GRANTS FOR 'role_name'[@'host_name'];

5.5 Reclaim role permissions

After the role is authorized, the permissions of the role can be maintained, and the permissions can be added or revoked. Adding permissions uses the GRANT statement, which is the same as role authorization. To revoke a role or role permissions use the REVOKE statement.

The SQL syntax for revoking role permissions is as follows:

REVOKE privileges ON tablename FROM 'rolename';

Example:

REVOKE INSERT, UPDATE, DELETE ON school.* FROM 'school_write';

5.6 Delete role

When we need to reintegrate the business, we may need to clean up the previously created roles and delete some roles that will no longer be used.

DROP ROLE role [,role2]...

Note that if you delete a role, the user loses all privileges gained through the role .

5.7 Grant permissions to users

After a role is created and authorized, it must be assigned to a user and be in an active state before it can take effect. You can use the GRANT statement to add roles to users, and the syntax is as follows:

GRANT role [,role2,...] TO user [,user2,...];

Example:

GRANT 'school_read' TO 'kangshifu'@'localhost';

5.8 Activate role

Method 1: Use the SET DEFAULT ROLE statement to activate the role

Example:

SET DEFAULT ROLE ALL TO 'kangshifu'@'localhost';

Method 2: Set activate_all_roles_on_login to ON

  • Default value
mysql> show variables like 'activate_all_roles_on_login';
+-----------------------------+-------+
| Variable_name               | Value |
+-----------------------------+-------+
| activate_all_roles_on_login | OFF   |
+-----------------------------+-------+
1 row in set (0.00 sec)
  • Setting
SET GLOBAL activate_all_roles_on_login=ON;

This statement permanently activates all roles: after it runs, every granted role is active at login, so the user effectively has all the privileges granted to its roles.

5.9 Revoking user roles

The SQL syntax for revoking a user role is as follows:

REVOKE role FROM user;

Example:

# revoke the school_read role from user kangshifu
REVOKE 'school_read' FROM 'kangshifu'@'localhost';


Origin blog.csdn.net/qq_42130468/article/details/130025457