Chapter 03 User and Permission Management

1. User management
1.1 Log in to the MySQL server

After starting the MySQL service, you can log in to the MySQL server through the mysql command. The command is as follows:

mysql -h hostname|hostIP -P port -u username -p DatabaseName -e "SQL statement"
  • -h parameter: followed by the host name or host IP; hostname is the host name and hostIP is the host IP address.
  • -P parameter: followed by the port of the MySQL service; this parameter connects to the specified port. The default port of the MySQL service is 3306, so when this parameter is omitted the client connects to port 3306 automatically. port is the port number to connect to.
  • -u parameter: followed by the username; username is the user name.
  • -p parameter: you will be prompted to enter a password.
  • DatabaseName parameter: indicates which database to log into. Without this parameter you log in to the MySQL server directly without selecting a database, and can then choose one with the USE command.
  • -e parameter: an SQL statement can be appended directly. After logging in to the MySQL server, that SQL statement is executed and then the client exits the MySQL server.
mysql -uroot -p -hlocalhost -P3306 mysql -e "select host,user from user"
1.2 Create user
CREATE USER username [IDENTIFIED BY 'password'][,username [IDENTIFIED BY 'password']];

Example:

CREATE USER zhang3 IDENTIFIED BY '123123'; # the default host is %
CREATE USER 'kangshifu'@'localhost' IDENTIFIED BY '123456';
1.3 Modify user
UPDATE mysql.user SET USER='li4' WHERE USER='wang5'; 
FLUSH PRIVILEGES;
1.4 Delete users

Method 1: Use DROP to delete (recommended)

DROP USER user[,user]…;

Example:

DROP USER li4 ; # by default deletes the user whose host is %
DROP USER 'kangshifu'@'localhost';

Method 2: Use DELETE to delete (not recommended; residual information is left behind)

DELETE FROM mysql.user WHERE Host='hostname' AND User='username';
FLUSH PRIVILEGES;
1.5 Set the current user password

1. Use the ALTER USER command to modify the current user password

ALTER USER USER() IDENTIFIED BY 'new_password';

2. Use the SET statement to modify the current user password

SET PASSWORD='new_password';
1.6 Change other users’ passwords

1. Use the ALTER statement to change the password of an ordinary user

ALTER USER user [IDENTIFIED BY 'new_password']
[,user [IDENTIFIED BY 'new_password']]…;

2. Use the SET command to change the password of an ordinary user

SET PASSWORD FOR 'username'@'hostname'='new_password';
2. Permission management
2.1 Permission list
show privileges;
  • CREATE and DROP privileges: you can create new databases and tables, or delete (remove) existing databases and tables. If the DROP privilege on the mysql database is granted to a user, that user can delete the database in which MySQL stores its access privileges.
  • SELECT, INSERT, UPDATE and DELETE privileges: allow those operations to be performed on existing tables in a database.
  • SELECT privilege: only needed when a statement actually retrieves rows from a table.
  • INDEX privilege: allows creation or deletion of indexes; INDEX applies to existing tables. If you have the CREATE privilege on a table, you can include index definitions in the CREATE TABLE statement.
  • ALTER privilege: you can use ALTER TABLE to change the structure of a table and to rename the table.
  • CREATE ROUTINE privilege: used to create stored programs (functions and procedures); the ALTER ROUTINE privilege is used to change and delete stored programs, and the EXECUTE privilege is used to execute stored programs.
  • GRANT privilege: allows granting privileges on databases, tables and stored programs to other users.
  • FILE privilege: allows users to use the LOAD DATA INFILE and SELECT ... INTO OUTFILE statements to read or write files on the server. Any user granted the FILE privilege can read or write any file the MySQL server can access (which means the user can read files in any database directory), because the server itself can access these files.
2.2 Principles for granting permissions

Permission control exists mainly for security reasons, so the following rules of thumb should be followed:

1. Grant only the minimum privileges that meet the need, to prevent users from doing harm. For example, if the user only needs to query, give only the SELECT privilege; do not give the user UPDATE, INSERT or DELETE privileges.

2. When creating a user, restrict the login host; it is usually restricted to a specified IP or to an intranet IP segment.

3. Set a password that meets password complexity requirements for each user.

4. Regularly clean up users that are no longer needed: revoke their privileges or delete the users.

2.3 Grant permissions
GRANT privilege1,privilege2,…privilegeN ON database_name.table_name TO username@user_address [IDENTIFIED BY 'password'];
  • If the user named in the GRANT does not exist, a new user is created directly.
  • Grant the user li4, logging in from the local command line, the privileges to insert, delete, update and query all tables in the atguigudb database.
GRANT SELECT,INSERT,DELETE,UPDATE ON atguigudb.* TO li4@localhost;
  • Grant the user joe, who logs in over the network, full privileges on all tables in all databases, and set the password to 123. Note that this does not include the GRANT privilege.
GRANT ALL PRIVILEGES ON *.* TO joe@'%' IDENTIFIED BY '123';
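The four principles of 2.2 applied to a single account, followed by the review queries a DBA would run to check principle 4; this is an added example, not code from the original post. The account report_ro, the host range 10.0.1.% and the password are constructed values, and the statements assume MySQL 8.0, where GRANT no longer creates accounts or accepts IDENTIFIED BY, so CREATE USER comes first.

```sql
-- Added example (not from the original post). report_ro, 10.0.1.% and the
-- password are constructed values; syntax assumes MySQL 8.0.

-- Principle 2: restrict the login host to an intranet segment instead of '%'.
-- Principle 3: a password that satisfies the validate_password policy,
--              forced to rotate every 90 days; the account locks for one day
--              after five failed logins (FAILED_LOGIN_ATTEMPTS needs 8.0.19+).
CREATE USER 'report_ro'@'10.0.1.%'
  IDENTIFIED BY 'Rep0rt!Only#2024'
  PASSWORD EXPIRE INTERVAL 90 DAY
  FAILED_LOGIN_ATTEMPTS 5 PASSWORD_LOCK_TIME 1;

-- Principle 1: only SELECT, and only on the one database the job needs.
GRANT SELECT ON atguigudb.* TO 'report_ro'@'10.0.1.%';

-- Verify: expect exactly one USAGE line and one SELECT line, nothing more.
SHOW GRANTS FOR 'report_ro'@'10.0.1.%';

-- Principle 4, review query 1: accounts reachable from any host violate
-- principle 2 and should be narrowed or removed.
SELECT user, host
FROM mysql.user
WHERE host = '%';

-- Principle 4, review query 2: accounts holding the dangerous global
-- privileges discussed in 2.1 (GRANT, FILE) or SUPER, which deserve a
-- periodic justification.
SELECT user, host, Grant_priv, File_priv, Super_priv
FROM mysql.user
WHERE Grant_priv = 'Y' OR File_priv = 'Y' OR Super_priv = 'Y';

-- Principle 4, offboarding in the order section 2.5 requires:
-- revoke everything first, then drop the account (DROP, not DELETE).
REVOKE ALL PRIVILEGES, GRANT OPTION FROM 'report_ro'@'10.0.1.%';
DROP USER 'report_ro'@'10.0.1.%';
```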
2.4 View permissions
  • View current user permissions
SHOW GRANTS;
# or
SHOW GRANTS FOR CURRENT_USER;
# or
SHOW GRANTS FOR CURRENT_USER();
  • View a user's global permissions
SHOW GRANTS FOR 'user'@'host_address';
2.5 Withdraw permission

Note: Before deleting a user account from the user table, all permissions of the corresponding user should be revoked.

  • Withdraw-permission command
REVOKE privilege1,privilege2,…privilegeN ON database_name.table_name FROM username@user_address;
  • Example
# Revoke all privileges on all tables in all databases
REVOKE ALL PRIVILEGES ON *.* FROM joe@'%';
# Revoke the insert, delete, update and query privileges on all tables in the mysql database
REVOKE SELECT,INSERT,UPDATE,DELETE ON mysql.* FROM joe@localhost;
  • Notice: the user must log in again before the revocation takes effect.
3. Role management
3.1 Create a role
CREATE ROLE 'role_name'[@'host_name'] [,'role_name'[@'host_name']]...

The naming rules for role names are similar to those for user names. If host_name is omitted it defaults to %; role_name cannot be omitted and cannot be empty.

3.2 Grant permissions to roles
GRANT privileges ON table_name TO 'role_name'[@'host_name'];

In the above statement, privileges represents the name of the privilege, and multiple privileges are separated by commas. You can use the SHOW statement to query the privilege names:

SHOW PRIVILEGES\G
3.3 View permissions of roles
SHOW GRANTS FOR 'role_name';

As soon as you create a role, the system automatically gives it the "USAGE" privilege, meaning the privilege to connect to and log in to the database.

3.4 Reclaim role permissions
REVOKE privileges ON tablename FROM 'rolename';
3.5 Delete role
DROP ROLE role [,role2]...

Notice: if you delete a role, users also lose all privileges they obtained through that role.

3.6 Assign roles to users

After the role is created and granted privileges, it must be assigned to the user and be in an activated state in order to take effect.

GRANT role [,role2,...] TO user [,user2,...];

Query currently activated roles

SELECT CURRENT_ROLE();
3.7 Activate roles

Method 1: Use the set default role command to activate the role

SET DEFAULT ROLE ALL TO 'kangshifu'@'localhost';

Method 2: Set activate_all_roles_on_login to ON

SET GLOBAL activate_all_roles_on_login=ON;

What this SQL statement means is that all roles are permanently activated at login.

3.8 Revoking a user’s role
REVOKE role FROM user;
3.9 Set mandatory roles

Method 1: Set before starting the service

[mysqld] 
mandatory_roles='role1,role2@localhost,r3@%.atguigu.com'

Method 2: Runtime settings

SET PERSIST mandatory_roles = 'role1,role2@localhost,r3@%.example.com'; # still in effect after the server restarts
SET GLOBAL mandatory_roles = 'role1,role2@localhost,r3@%.example.com'; # lost after the server restarts
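The role workflow of sections 3.1 to 3.9 carried end to end, including the activation step that is easy to forget and the checks that prove a role is actually in effect; this is an added example, not code from the original post. The role app_rw, the account app_svc@'10.0.2.%' and its password are constructed values, and the statements assume MySQL 8.0, where roles were introduced.

```sql
-- Added example (not from the original post). app_rw, app_svc, 10.0.2.% and
-- the password are constructed values; roles require MySQL 8.0.

-- 3.1 / 3.2: create the role and give it exactly what the application needs.
CREATE ROLE 'app_rw';
GRANT SELECT, INSERT, UPDATE, DELETE ON atguigudb.* TO 'app_rw';

-- 3.3: the role carries USAGE (added automatically) plus the grant above.
SHOW GRANTS FOR 'app_rw';

-- 3.6: the account gets no table privileges of its own, only the role.
CREATE USER 'app_svc'@'10.0.2.%' IDENTIFIED BY 'Svc!Pass#2024';
GRANT 'app_rw' TO 'app_svc'@'10.0.2.%';

-- 3.7: a granted role is inert until activated. Making it the default role
-- activates it in every new session of app_svc; a running session of
-- app_svc must reconnect (or SET ROLE) to pick it up, as 2.5 warns.
SET DEFAULT ROLE 'app_rw' TO 'app_svc'@'10.0.2.%';

-- Show the effective privileges with the role expanded, which is what the
-- server will actually enforce for app_svc.
SHOW GRANTS FOR 'app_svc'@'10.0.2.%' USING 'app_rw';

-- Run from a session logged in as app_svc: `app_rw`@`%` means the role is
-- active; NONE means it was granted but never activated.
SELECT CURRENT_ROLE();

-- 3.8 and 2.5: offboarding revokes the role first, then drops the account.
REVOKE 'app_rw' FROM 'app_svc'@'10.0.2.%';
DROP USER 'app_svc'@'10.0.2.%';

-- 3.9 / 3.5: a role listed in mandatory_roles cannot be revoked or dropped,
-- so check the variable before DROP ROLE to understand a refusal.
SELECT @@GLOBAL.mandatory_roles;
DROP ROLE 'app_rw';
```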

Origin blog.csdn.net/github_36665118/article/details/134139090