Getting started with MySQL: users and privileges

Preface:

In the previous articles I introduced the use of various kinds of SQL syntax. This article focuses on MySQL users and privileges. If you are not a DBA you may not use this often, but it is still well worth understanding.

1. Create a user

The syntax given in the official reference manual is:

CREATE USER [IF NOT EXISTS]
    user [auth_option] [, user [auth_option]] ...
    [REQUIRE {NONE | tls_option [[AND] tls_option] ...}]
    [WITH resource_option [resource_option] ...]
    [password_option | lock_option] ...

user:
    (see Section 6.2.4, “Specifying Account Names”)

auth_option: {
    IDENTIFIED BY 'auth_string'
  | IDENTIFIED WITH auth_plugin
  | IDENTIFIED WITH auth_plugin BY 'auth_string'
  | IDENTIFIED WITH auth_plugin AS 'auth_string'
  | IDENTIFIED BY PASSWORD 'auth_string'
}

tls_option: {
   SSL
 | X509
 | CIPHER 'cipher'
 | ISSUER 'issuer'
 | SUBJECT 'subject'
}

resource_option: {
    MAX_QUERIES_PER_HOUR count
  | MAX_UPDATES_PER_HOUR count
  | MAX_CONNECTIONS_PER_HOUR count
  | MAX_USER_CONNECTIONS count
}

password_option: {
    PASSWORD EXPIRE
  | PASSWORD EXPIRE DEFAULT
  | PASSWORD EXPIRE NEVER
  | PASSWORD EXPIRE INTERVAL N DAY
}

lock_option: {
    ACCOUNT LOCK
  | ACCOUNT UNLOCK
}

In practice the form most commonly used is:

CREATE USER <user_name> [ IDENTIFIED BY [ PASSWORD ] <password> ]

The parts of the statement are:
1) <user_name>
Specifies the account to create, in the format 'user_name'@'host_name'. Here user_name is the user name and host_name is the host from which that user is allowed to connect to MySQL. If only the user name is given and no host name, the host name defaults to '%', which matches any host.
2) PASSWORD
Marks the value that follows as an already-hashed password. Omit this keyword when setting a plaintext password; include it only when you are supplying the hash value returned by the PASSWORD() function instead of the plaintext. Note that IDENTIFIED BY PASSWORD and the PASSWORD() function are deprecated in MySQL 5.7 and removed in 8.0; on 8.0 supply the plaintext, or use IDENTIFIED WITH auth_plugin AS 'hash' to load an existing hash.
3) IDENTIFIED BY clause
Specifies the password for the account. It can be omitted if the account is to have no password, which is not recommended.
4) <password>
The password for the account, given after the IDENTIFIED BY or PASSWORD keyword. It is either a quoted plaintext string (any characters are allowed) or the hash value obtained from the PASSWORD() function.

Points to note when using CREATE USER:

  • If no password is specified in the CREATE USER statement, MySQL allows that user to log in without a password. From a security standpoint this is not recommended.
  • To use CREATE USER you must have the INSERT privilege on the mysql system database or the global CREATE USER privilege.
  • CREATE USER adds a new row to the user table of the mysql system database. If the account already exists, the statement returns an error (unless IF NOT EXISTS is given).
  • A newly created user has very few privileges. It can log in to MySQL and perform only operations that require no privileges, such as using SHOW statements to list the available storage engines and character sets.
  • Two accounts with the same user name but different host names are different users to MySQL, and each can be given a different set of privileges.

Example:

# Note: test_user@'%' and test_user@'localhost' are two different accounts
CREATE USER 'test_user'@'%' identified by '123456';
CREATE USER 'test_user'@'localhost' identified by '123456789';
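The grammar above lists TLS requirements, resource limits, password expiry and account locking, but the post only ever uses IDENTIFIED BY. The following is an added example, not code from the original post, that exercises those options on MySQL 5.7 and later and then verifies what the server actually stored; the account names, hosts, database and passwords are assumptions for illustration.

```sql
-- Added example (not from the original post). Names, hosts and passwords are
-- assumptions. Requires MySQL 5.7 or later (IF NOT EXISTS, ACCOUNT LOCK,
-- PASSWORD EXPIRE INTERVAL and SHOW CREATE USER).

-- An application account that may only connect over TLS, only from the
-- application subnet, with a cap on concurrent connections and a 90-day
-- password rotation.
CREATE USER IF NOT EXISTS 'app_rw'@'10.0.1.%'
    IDENTIFIED BY 'replace-with-a-long-random-secret'
    REQUIRE SSL
    WITH MAX_USER_CONNECTIONS 20
    PASSWORD EXPIRE INTERVAL 90 DAY;

-- A batch account that must present a client certificate, is rate limited,
-- and is created locked so it cannot be used until someone unlocks it.
CREATE USER IF NOT EXISTS 'batch_ro'@'10.0.2.10'
    IDENTIFIED BY 'replace-with-another-long-random-secret'
    REQUIRE X509
    WITH MAX_QUERIES_PER_HOUR 5000
    ACCOUNT LOCK;

-- Show the stored definition (the password hash is shown, not the plaintext).
SHOW CREATE USER 'app_rw'@'10.0.1.%';

-- The same facts straight from the grant table: ssl_type should be ANY for
-- REQUIRE SSL and X509 for REQUIRE X509, account_locked Y for batch_ro.
SELECT User, Host, plugin, ssl_type, max_user_connections,
       password_lifetime, account_locked
FROM mysql.user
WHERE User IN ('app_rw', 'batch_ro')
ORDER BY User;
```

Restricting the host part to the subnet the client really connects from is as important as the password: 'app_rw'@'10.0.1.%' and 'app_rw'@'%' are different accounts, and a leaked credential for the first one is useless from outside that subnet.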

2. Alter a user

Changing a user includes renaming it, changing its password, and locking or unlocking the account. The following examples demonstrate each:

# Rename a user
RENAME USER 'test_user'@'%' to 'test'@'%';

# Change the password
ALTER USER 'test'@'%' identified by '123456789';

# Lock or unlock the account
ALTER USER 'test'@'%' ACCOUNT LOCK;
ALTER USER 'test'@'%' ACCOUNT UNLOCK;

3. Delete a user

In MySQL, the DROP USER statement removes one or more user accounts together with their privileges.
The syntax given in the official reference manual is:

DROP USER [IF EXISTS] user [, user] ...

Points to note when using DROP USER:

  • DROP USER deletes one or more MySQL accounts and revokes the privileges they held.
  • To use DROP USER you must have the DELETE privilege on the mysql system database or the global CREATE USER privilege.
  • If the account's host name is not given explicitly, it defaults to '%'.
  • DROP USER does not close sessions the account already has open; those sessions keep their privileges until they disconnect. Lock the account first (ALTER USER ... ACCOUNT LOCK) and terminate its sessions with KILL before dropping it.
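Because a dropped account's open sessions survive the DROP, removing an account properly is a short procedure rather than one statement. The following is an added example, not code from the original post; it reuses the post's test_user account, and the process ID in the KILL statement is a placeholder you replace with the value returned by the query.

```sql
-- Added example (not from the original post). The account name matches the
-- post's example; the process ID 42 is a placeholder.

-- 1. Lock the account so no new session can start while you clean up.
ALTER USER 'test_user'@'localhost' ACCOUNT LOCK;
ALTER USER 'test_user'@'%'         ACCOUNT LOCK;

-- 2. Find sessions the account still has open. DROP USER will not end them.
SELECT ID, USER, HOST, DB, COMMAND, TIME
FROM information_schema.PROCESSLIST
WHERE USER = 'test_user';

-- 3. Terminate each one (KILL needs SUPER, or the session must be your own).
--    Replace 42 with each ID returned above.
KILL 42;

-- 4. Now drop the accounts. Name the host part explicitly: without it the
--    host defaults to '%', and 'test_user'@'localhost' would be left behind.
DROP USER IF EXISTS 'test_user'@'localhost', 'test_user'@'%';

-- 5. Confirm nothing remains in the grant tables.
SELECT User, Host FROM mysql.user WHERE User = 'test_user';
```

Locking before killing matters for an account whose credentials may have leaked: between the KILL and the DROP an attacker could otherwise simply reconnect.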

4. Granting privileges

Once a user has been created it cannot do anything yet; the appropriate privileges must be assigned to it. Use SHOW GRANTS FOR to see what a user currently holds.

Note: a newly created user has only the privilege to log in to the MySQL server and no others, so it cannot perform any other operation.
SHOW GRANTS reports this as USAGE ON *.*, which means the user has no privileges on any database or table.

A new MySQL user must therefore be granted privileges, which is done with the GRANT statement. The syntax given in the official reference manual is:

GRANT
    priv_type [(column_list)]
      [, priv_type [(column_list)]] ...
    ON [object_type] priv_level
    TO user [auth_option] [, user [auth_option]] ...
    [REQUIRE {NONE | tls_option [[AND] tls_option] ...}]
    [WITH {GRANT OPTION | resource_option} ...]

GRANT PROXY ON user
    TO user [, user] ...
    [WITH GRANT OPTION]

object_type: {
    TABLE
  | FUNCTION
  | PROCEDURE
}

priv_level: {
    *
  | *.*
  | db_name.*
  | db_name.tbl_name
  | tbl_name
  | db_name.routine_name
}

user:
    (see Section 6.2.4, “Specifying Account Names”)

auth_option: {
    IDENTIFIED BY 'auth_string'
  | IDENTIFIED WITH auth_plugin
  | IDENTIFIED WITH auth_plugin BY 'auth_string'
  | IDENTIFIED WITH auth_plugin AS 'auth_string'
  | IDENTIFIED BY PASSWORD 'auth_string'
}

tls_option: {
    SSL
  | X509
  | CIPHER 'cipher'
  | ISSUER 'issuer'
  | SUBJECT 'subject'
}

resource_option: {
    MAX_QUERIES_PER_HOUR count
  | MAX_UPDATES_PER_HOUR count
  | MAX_CONNECTIONS_PER_HOUR count
  | MAX_USER_CONNECTIONS count
}

First, it is important to know that privileges are granted at different levels. They can be assigned at the following levels:

  • Column level: applies to specific columns of a table. For example, the privilege to use UPDATE to change the values in the student_name column of the students table.
  • Table level: applies to all the data in a specific table. For example, the privilege to use SELECT to query all rows of the students table.
  • Database level: applies to all tables in a specific database. For example, the privilege to create new tables in the existing database mytest.
  • Global level: applies to every database on the MySQL server. For example, the privilege to drop an existing database or to create a new one.

The following table lists every privilege that can be granted, what it means, and the levels at which it can be granted:

Privilege: meaning. Levels at which it can be granted.

ALL [PRIVILEGES]: all privileges available at the specified access level, except GRANT OPTION and PROXY.
ALTER: enables ALTER TABLE. Levels: global, database, table.
ALTER ROUTINE: enables altering or dropping stored routines. Levels: global, database, routine.
CREATE: enables creating databases and tables. Levels: global, database, table.
CREATE ROUTINE: enables creating stored routines. Levels: global, database.
CREATE TABLESPACE: enables creating, altering, or dropping tablespaces and log file groups. Level: global.
CREATE TEMPORARY TABLES: enables CREATE TEMPORARY TABLE. Levels: global, database.
CREATE USER: enables CREATE USER, DROP USER, RENAME USER, and REVOKE ALL PRIVILEGES. Level: global.
CREATE VIEW: enables creating or altering views. Levels: global, database, table.
DELETE: enables DELETE. Levels: global, database, table.
DROP: enables dropping databases, tables, and views. Levels: global, database, table.
EVENT: enables use of the Event Scheduler. Levels: global, database.
EXECUTE: enables executing stored routines. Levels: global, database, routine.
FILE: enables reading and writing files on the server host. Level: global.
GRANT OPTION: enables granting one's own privileges to other accounts, or removing them from other accounts. Levels: global, database, table, routine, proxy.
INDEX: enables creating or dropping indexes. Levels: global, database, table.
INSERT: enables INSERT. Levels: global, database, table, column.
LOCK TABLES: enables LOCK TABLES on tables for which you have the SELECT privilege. Levels: global, database.
PROCESS: enables viewing all processes with SHOW PROCESSLIST. Level: global.
PROXY: enables user proxying. Level: from user to user.
REFERENCES: enables foreign key creation. Levels: global, database, table, column.
RELOAD: enables FLUSH operations. Level: global.
REPLICATION CLIENT: enables asking where the master or slave servers are. Level: global.
REPLICATION SLAVE: enables replication slaves to read binary log events from the master. Level: global.
SELECT: enables SELECT. Levels: global, database, table, column.
SHOW DATABASES: enables SHOW DATABASES to show all databases. Level: global.
SHOW VIEW: enables SHOW CREATE VIEW. Levels: global, database, table.
SHUTDOWN: enables mysqladmin shutdown. Level: global.
SUPER: enables other administrative operations such as CHANGE MASTER TO, KILL, PURGE BINARY LOGS, SET GLOBAL, and the mysqladmin debug command. Level: global.
TRIGGER: enables trigger operations. Levels: global, database, table.
UPDATE: enables UPDATE. Levels: global, database, table, column.
USAGE: synonym for "no privileges".

From a security standpoint a few of these deserve extra care. FILE lets the account read and write files on the server host with the permissions of the mysqld process (LOAD DATA INFILE, SELECT ... INTO OUTFILE); SUPER, PROCESS, SHUTDOWN and RELOAD give control over the server itself; CREATE USER and GRANT OPTION let an account create other accounts or hand out privileges. Grant these only to administrative accounts restricted to trusted hosts, never to application accounts.

GRANT can also create the account implicitly if it does not exist (this behaviour is deprecated in MySQL 5.7 and removed in 8.0), but I recommend creating each user first with CREATE USER and then granting privileges separately. Here are examples of authorization at each of the four levels. Note that the first one grants SUPER, an administrative privilege; it is shown only to illustrate global-level syntax and should not be given to an ordinary account:

# Global privileges
GRANT super,select on *.* to 'test_user'@'%';

# Database privileges
GRANT select,insert,update,delete,create,alter,execute on `testdb`.* to 'test_user'@'%';

# Table privileges
GRANT select,insert on `testdb`.tb to 'test_user'@'%';

# Column privileges
GRANT select (col1), insert (col1, col2) ON `testdb`.mytbl to 'test_user'@'%';
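The four GRANT examples above all pile privileges onto one account. The following is an added example, not code from the original post, showing how the same levels are used to split one application's access across separate least-privilege accounts; the account names, hosts, the testdb tables and columns, and the passwords are assumptions for illustration.

```sql
-- Added example (not from the original post). Account names, hosts, the
-- tables orders/customers and their columns, and the passwords are assumptions.

-- 1. Create the accounts first; never rely on GRANT creating them.
CREATE USER IF NOT EXISTS 'app_rw'@'10.0.1.%'
    IDENTIFIED BY 'replace-with-a-long-random-secret';
CREATE USER IF NOT EXISTS 'report_ro'@'10.0.3.%'
    IDENTIFIED BY 'replace-with-a-long-random-secret';
CREATE USER IF NOT EXISTS 'schema_admin'@'localhost'
    IDENTIFIED BY 'replace-with-a-long-random-secret';

-- 2. Database level: the application needs DML on its own schema only.
--    No DROP, no ALTER, and nothing at all on *.*.
GRANT SELECT, INSERT, UPDATE, DELETE ON `testdb`.* TO 'app_rw'@'10.0.1.%';

-- 3. Table and column level: reporting reads one table in full and only
--    the non-sensitive columns of another.
GRANT SELECT ON `testdb`.orders TO 'report_ro'@'10.0.3.%';
GRANT SELECT (id, created_at, region) ON `testdb`.customers
    TO 'report_ro'@'10.0.3.%';

-- 4. Schema changes come from a separate account bound to localhost. With
--    GRANT OPTION it can delegate inside testdb, but cannot touch other
--    databases or grant anything it does not itself hold.
GRANT CREATE, ALTER, DROP, INDEX, CREATE VIEW, CREATE ROUTINE, ALTER ROUTINE
    ON `testdb`.* TO 'schema_admin'@'localhost' WITH GRANT OPTION;

-- 5. No FLUSH PRIVILEGES is needed: GRANT reloads the in-memory grant tables
--    itself. FLUSH is only required after editing mysql.* tables directly.

-- 6. Check the result. The "USAGE ON *.*" line only means "may connect".
SHOW GRANTS FOR 'app_rw'@'10.0.1.%';
SHOW GRANTS FOR 'report_ro'@'10.0.3.%';
SHOW GRANTS FOR 'schema_admin'@'localhost';
```

The point of the split is blast radius: an injection bug in the application can read and modify testdb, but cannot drop tables, read other schemas, write files on the server, or create accounts, because app_rw never received those privileges in the first place.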

5. Revoking privileges

In MySQL, the REVOKE statement takes privileges away from a user without deleting the user.

REVOKE
    priv_type [(column_list)]
      [, priv_type [(column_list)]] ...
    ON [object_type] priv_level
    FROM user [, user] ...

REVOKE ALL [PRIVILEGES], GRANT OPTION
    FROM user [, user] ...

Notes on the syntax:

  • The REVOKE syntax mirrors that of GRANT, with the opposite effect.
  • The first form revokes specific privileges.
  • The second form revokes all privileges from the given user(s).
  • To use REVOKE you must have the global CREATE USER privilege or the UPDATE privilege on the mysql system database.
  • Revoked global privileges take effect for an existing session only when it next connects; database-level changes apply from the client's next USE statement, and table- and column-level changes from its next query.

Normally we use SHOW GRANTS to query a user's privileges and, if we find they are too broad, REVOKE to take the excess back. For example:

# View the user's privileges
mysql> show grants for 'test_user'@'%';
+-----------------------------------------------------------------------------------------------------+
| Grants for test_user@%                                                                              |
+-----------------------------------------------------------------------------------------------------+
| GRANT USAGE ON *.* TO 'test_user'@'%'                                                               |
| GRANT SELECT, INSERT, UPDATE, DELETE, CREATE, DROP, ALTER, EXECUTE ON `testdb`.* TO 'test_user'@'%' |
+-----------------------------------------------------------------------------------------------------+
2 rows in set (0.00 sec)

# The privileges are too broad; to take back drop and alter, revoke them like this:
REVOKE drop,alter on `testdb`.* from 'test_user'@'%';
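Revoking one user's DROP and ALTER is the easy case; the harder part is finding which accounts on a server hold privileges they should not. The following is an added example, not code from the original post: an audit over the information_schema and mysql grant tables for the privileges flagged as dangerous above, followed by the matching REVOKE statements. The test_user account comes from the post's examples; old_svc is an assumed name for a retired service account.

```sql
-- Added example (not from the original post). 'old_svc' is an assumed
-- account name; 'test_user'@'%' is the account used in the post's examples.

-- 1. Accounts holding global privileges that amount to server or OS control,
--    or that can hand out their privileges (IS_GRANTABLE = GRANT OPTION).
SELECT GRANTEE, PRIVILEGE_TYPE, IS_GRANTABLE
FROM information_schema.USER_PRIVILEGES
WHERE PRIVILEGE_TYPE IN ('FILE', 'SUPER', 'PROCESS', 'SHUTDOWN',
                         'RELOAD', 'CREATE USER')
   OR IS_GRANTABLE = 'YES'
ORDER BY GRANTEE, PRIVILEGE_TYPE;

-- 2. Accounts reachable from any host, anonymous accounts, and accounts whose
--    password-based plugin has an empty credential.
SELECT User, Host, plugin, account_locked
FROM mysql.user
WHERE Host = '%'
   OR User = ''
   OR (plugin IN ('mysql_native_password', 'caching_sha2_password', 'sha256_password')
       AND authentication_string = '');

-- 3. Take back what is not needed: the global SUPER granted in the earlier
--    example, and DROP/ALTER on the application schema.
REVOKE SUPER ON *.* FROM 'test_user'@'%';
REVOKE DROP, ALTER ON `testdb`.* FROM 'test_user'@'%';

-- 4. For a retired or compromised account, strip everything in one statement
--    and lock it until it can be dropped. Existing sessions keep global
--    privileges until they reconnect, so kill them as well (see section 3).
REVOKE ALL PRIVILEGES, GRANT OPTION FROM 'old_svc'@'%';
ALTER USER 'old_svc'@'%' ACCOUNT LOCK;

-- 5. Verify.
SHOW GRANTS FOR 'test_user'@'%';
SHOW GRANTS FOR 'old_svc'@'%';
```

Running the first two queries on a schedule and diffing the output is a cheap detection control: a new row with SUPER or FILE, or a new '%' host, is exactly what a persistence-seeking attacker with a database foothold tends to create.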

Summary:

This article covered how to create, alter and delete users, and how to grant and revoke privileges. I hope it gives you a deeper understanding of user management in MySQL. Several articles in this Getting started with MySQL series have been written by now; I did not plan at the outset how many there would be, so the ordering may not be entirely logical, but thank you all for reading. The last article is planned to cover backup and recovery, so stay tuned!

Origin blog.51cto.com/10814168/2432316