Detailed explanation of MySQL 8 user permission configuration

        A system performance problem at our organization required upgrading MySQL 5 to MySQL 8, and some MySQL 8 features need to be used to improve system performance.

        I ran into some problems while configuring user permissions, so I am learning and recording them here.

Table of contents

1. Environment

2. MySQL8 user permissions

2.1 Account management permissions

2.1.1 Connect to database

2.1.2 Account permission configuration

2.2 Password management

2.3 Lock account configuration (including examples)

3. MySQL8 user resource limitations


1. Environment

# Pull the image
$ docker pull mysql:8.0.28

# Create the container and run it
$ docker run -itd --name mysql8 -p 3307:3306 -e MYSQL_ROOT_PASSWORD=root -e MYSQL_ROOT_HOST='%' mysql

2. MySQL8 user permissions

        Before MySQL 8, the grant tables used MyISAM and were non-transactional; in MySQL 8 the grant tables use the InnoDB storage engine and are transactional. You can check a table's storage engine by viewing the statement that creates it (command: show create table user;), as shown below:

        The server reads the contents of the grant tables into memory when it starts. When permissions are modified, reload them with the command FLUSH PRIVILEGES so that the change takes effect.

        MySQL 8 has the following permission-related tables:

user: user accounts and static global privileges;
global_grants: dynamic global privileges;
db: database-level privileges;
tables_priv: table-level privileges;
columns_priv: column-level privileges;
procs_priv: stored procedure and function privileges;
proxies_priv: proxy user privileges;
default_roles: default user roles;
role_edges: role-to-user grant relationships;
password_history: password change history.

        This article is only meant to help general developers configure user permissions for developing and deploying ordinary systems, so it basically only involves the user table.

2.1 Account management permissions

2.1.1 Connect to database

  • short command
docker exec -it mysql8 bash    # press Enter
mysql -uroot -p                # press Enter, then type the password

    As shown below:

  • long command
docker exec -it mysql8 bash          # press Enter
mysql --user=root --password         # press Enter, then type the password

    As shown below: 

2.1.2 Account permission configuration

  • Create and delete accounts
CREATE USER and DROP USER create and delete accounts;
  • Assign permissions and revoke permissions
GRANT and REVOKE assign and revoke privileges;

Example:

CREATE USER 'username'@'localhost' IDENTIFIED BY 'password';  -- create an account that connects from localhost
GRANT ALL ON *.* TO 'username'@'localhost' WITH GRANT OPTION; -- assign privileges
REVOKE ALL ON *.* FROM 'username'@'localhost';                -- revoke privileges
SHOW GRANTS FOR 'username'@'localhost';                       -- view privileges
DROP USER 'username'@'localhost';                             -- delete the account

    Note: To let users on other machines connect, only the host part (localhost) needs to change. For example, replacing localhost with % means any host on the network, and replacing it with 192.168.2.% assigns the privileges to connections coming from IP addresses in the 192.168.2 network.
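The page's example grants ALL ON *.* WITH GRANT OPTION, which is the broadest possible account. The block below is an added example (not from the original post) showing the least-privilege form of the same CREATE USER / GRANT / SHOW GRANTS / REVOKE workflow using MySQL 8 roles; the schema app_db, the role app_rw, the accounts 'app' and 'report', and the placeholder passwords are assumptions.

```sql
-- Added example, not the original post's code. Assumed names: schema app_db,
-- role app_rw, accounts 'app'@'192.168.2.%' and 'report'@'192.168.2.%'.
-- Passwords are obvious placeholders; replace them before use.

-- 1. A role that holds only the table-level privileges the application needs,
--    on one schema, instead of ALL ON *.* for the account itself.
CREATE ROLE IF NOT EXISTS 'app_rw';
GRANT SELECT, INSERT, UPDATE, DELETE ON app_db.* TO 'app_rw';

-- 2. The application account: host limited to the 192.168.2 network (see the
--    note above), privileges via the role, expiry and lockout set at creation.
CREATE USER IF NOT EXISTS 'app'@'192.168.2.%'
  IDENTIFIED BY 'CHANGE-ME-placeholder-1'
  PASSWORD EXPIRE INTERVAL 90 DAY
  FAILED_LOGIN_ATTEMPTS 5 PASSWORD_LOCK_TIME 1;
GRANT 'app_rw' TO 'app'@'192.168.2.%';
SET DEFAULT ROLE 'app_rw' TO 'app'@'192.168.2.%';  -- active without SET ROLE

-- 3. A separate read-only reporting account on the same schema.
CREATE USER IF NOT EXISTS 'report'@'192.168.2.%'
  IDENTIFIED BY 'CHANGE-ME-placeholder-2'
  PASSWORD EXPIRE INTERVAL 90 DAY;
GRANT SELECT ON app_db.* TO 'report'@'192.168.2.%';

-- 4. Verify. The first statement shows only "GRANT `app_rw` TO ...";
--    the USING form expands what the role actually allows.
SHOW GRANTS FOR 'app'@'192.168.2.%';
SHOW GRANTS FOR 'app'@'192.168.2.%' USING 'app_rw';

-- 5. Tighten later without touching the account: revoke from the role, and
--    every account holding the role loses the privilege at once.
REVOKE DELETE ON app_db.* FROM 'app_rw';
```

Neither account receives GRANT OPTION, so a compromised application credential cannot be used to create further accounts or widen its own privileges.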

2.2 Password management

  • Change password
ALTER USER 'username'@'%' IDENTIFIED BY 'password';        -- change the password
  • Set password expiration time
ALTER USER 'username'@'%' PASSWORD EXPIRE;                 -- expire immediately
ALTER USER 'username'@'%' PASSWORD EXPIRE INTERVAL 30 DAY; -- expire after 30 days
ALTER USER 'username'@'%' PASSWORD EXPIRE NEVER;           -- disable password expiration
  • Do not allow reuse of the last 3 passwords or of any password used within the last 30 days

        Edit the file my.cnf (for MySQL 8.0.28 it is /etc/my.cnf):

[mysqld]
password_history=3
password_reuse_interval=30

2.3 Lock account configuration (including examples)

# Lock the account for 1 day after the configured number of consecutive failed logins (7 here); the day count ranges 0-32767, and 0 means unlocked
CREATE USER 'test'@'localhost' IDENTIFIED BY 'test123' FAILED_LOGIN_ATTEMPTS 7 PASSWORD_LOCK_TIME 1;

# Lock the account permanently after 3 consecutive failed logins
ALTER USER 'try8'@'localhost' FAILED_LOGIN_ATTEMPTS 3 PASSWORD_LOCK_TIME UNBOUNDED;

Example:

# Log in to MySQL
PS C:\Users\Administrator> docker exec -it mysql8 bash
bash-4.4# mysql -uroot -p
Enter password:                                    # type the password here to complete the login
Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 8
Server version: 8.2.0 MySQL Community Server - GPL
Copyright (c) 2000, 2023, Oracle and/or its affiliates.
Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.
Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
mysql>
# Create the user test, which is locked for one day after 3 consecutive failed logins
mysql> CREATE USER 'test'@'localhost' IDENTIFIED BY 'test123' FAILED_LOGIN_ATTEMPTS 3 PASSWORD_LOCK_TIME 1;
Query OK, 0 rows affected (0.01 sec)
mysql> FLUSH PRIVILEGES;
# Open another terminal and test whether login succeeds with the correct password
PS C:\Users\Administrator> docker exec -it mysql8 bash
bash-4.4# mysql -utest -ptest123
mysql: [Warning] Using a password on the command line interface can be insecure.
Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 9
Server version: 8.2.0 MySQL Community Server - GPL
Copyright (c) 2000, 2023, Oracle and/or its affiliates.
Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.
Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
mysql>                                # reaching this prompt means the login succeeded
mysql> exit
Bye
# Test three failed logins
bash-4.4# mysql -utest -ptest12345
mysql: [Warning] Using a password on the command line interface can be insecure.
ERROR 1045 (28000): Access denied for user 'test'@'localhost' (using password: YES)
bash-4.4# mysql -utest -ptest12345
mysql: [Warning] Using a password on the command line interface can be insecure.
ERROR 1045 (28000): Access denied for user 'test'@'localhost' (using password: YES)
bash-4.4# mysql -utest -ptest12345
mysql: [Warning] Using a password on the command line interface can be insecure.
ERROR 3955 (HY000): Access denied for user 'test'@'localhost'. Account is blocked for 1 day(s) (1 day(s) remaining) due to 3 consecutive failed logins.
bash-4.4#

        After the third wrong password, the message "Account is blocked for 1 day(s) (1 day(s) remaining)" is displayed: the account has been locked for 1 day.

# Log in with the correct username and password to see whether it succeeds
bash-4.4# mysql -utest -ptest123
mysql: [Warning] Using a password on the command line interface can be insecure.
ERROR 3955 (HY000): Access denied for user 'test'@'localhost'. Account is blocked for 1 day(s) (1 day(s) remaining) due to 3 consecutive failed logins.

        Important: how to unlock the account.

  • Unlock
ALTER USER 'test'@'localhost' IDENTIFIED BY 'test123' FAILED_LOGIN_ATTEMPTS 3 PASSWORD_LOCK_TIME 0;

        Setting PASSWORD_LOCK_TIME to 0 unlocks the account.

3. MySQL8 user resource limitations

        Setting the global system variable max_user_connections to a non-zero value limits the number of connections an account can hold at the same time, but it does not limit the queries and updates a client can run once connected. Per-account resource limits cover that: any statement a client issues counts toward the query limit, and only statements that modify database tables count toward the update limit.

  • MAX_QUERIES_PER_HOUR: the number of queries the client can issue per hour;
  • MAX_UPDATES_PER_HOUR: the number of updates the client can issue per hour;
  • MAX_CONNECTIONS_PER_HOUR: the number of times the client can connect to the server per hour;
  • MAX_USER_CONNECTIONS: the number of simultaneous connections the client can hold to the server.

Example of restrictions by creating user accounts:

CREATE USER 'test'@'localhost' IDENTIFIED BY 'test123'
  WITH MAX_QUERIES_PER_HOUR 10000
  MAX_UPDATES_PER_HOUR 10000
  MAX_CONNECTIONS_PER_HOUR 10000
  MAX_USER_CONNECTIONS 10000; # the client's queries per hour, updates per hour, connections per hour and simultaneous connections are all limited to 10000

Example of restrictions by modifying and removing limits on accounts:

ALTER USER 'test'@'localhost' WITH MAX_QUERIES_PER_HOUR 10000;  -- modify the limit
ALTER USER 'test'@'localhost' WITH MAX_CONNECTIONS_PER_HOUR 0;  -- setting 0 removes the limit
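Every setting from sections 2.2, 2.3 and 3 is stored in the mysql.user table, so one query can review them for all accounts at once. The audit query below is an added example, not part of the original post; it assumes SELECT on mysql.user and MySQL 8.0.19 or later, where the failed-login lockout attributes live in the User_attributes JSON column.

```sql
-- Added example, not the original post's code. Lists every account with the
-- settings discussed above so the weak ones stand out: '%' hosts, accounts
-- that can GRANT, no expiry, no lockout policy, and 0 (= unlimited) resources.
-- Assumes SELECT on mysql.user and MySQL 8.0.19+ (Password_locking attributes).
SELECT
  CONCAT('''', User, '''@''', Host, '''')                        AS account,
  CASE
    WHEN Host = '%'          THEN 'ANY HOST'        -- reachable from anywhere
    WHEN Host LIKE '%\%%'    THEN 'subnet wildcard' -- e.g. 192.168.2.%
    ELSE                          'fixed host'
  END                                                            AS host_scope,
  Grant_priv                                                     AS can_grant,
  account_locked                                                 AS locked,
  -- NULL password_lifetime means "use the global default"; 0 means never expire
  COALESCE(password_lifetime, @@global.default_password_lifetime) AS pwd_lifetime_days,
  password_expired                                               AS expired,
  JSON_EXTRACT(User_attributes,
               '$.Password_locking.failed_login_attempts')       AS failed_attempts,
  JSON_EXTRACT(User_attributes,
               '$.Password_locking.password_lock_time_days')     AS lock_days,
  -- resource limits from section 3; 0 in any column means no limit
  max_questions                                                  AS max_queries_per_hour,
  max_updates                                                    AS max_updates_per_hour,
  max_connections                                                AS max_connections_per_hour,
  max_user_connections                                           AS max_user_connections
FROM mysql.user
WHERE User NOT IN ('mysql.sys', 'mysql.session', 'mysql.infoschema')
ORDER BY (Host = '%') DESC, (Grant_priv = 'Y') DESC, User, Host;
```

Accounts that show ANY HOST together with can_grant = Y are the ones to review first, since they combine the widest reachability with the ability to create further privileged accounts.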

Origin blog.csdn.net/imwucx/article/details/134804312