MySQL - Technology - Database Privilege Management

Foreword

  Privilege management is a key part of learning the MySQL database. This post covers how MySQL privileges are managed.

MySQL privilege tables

  MySQL controls access by consulting the privilege tables stored in its own mysql system database.

The privilege tables are: user, db, tables_priv, columns_priv and host.

  • user: records the privileges of each user that connects to the server; these are global-level privileges
  • db: records each user's privileges on each database (database level)
  • tables_priv: records each user's privileges on individual tables (table level)
  • columns_priv: records each user's privileges on individual columns (column level)
  • host: stores the privileges a host has on a database and, combined with the db table, gives finer control over database-level privileges for a given host; it is rarely used, and newer MySQL versions no longer have a host table
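The following queries are an added example, not part of the original post, showing what the privilege tables above actually hold and how a defender reads them when auditing an instance. They assume you are connected as an account that can read the mysql system database (root, for instance) on MySQL 5.7 or 8.0; the account name in the final SHOW GRANTS is an assumed placeholder.

```sql
-- Added example (not from the original post): auditing the privilege tables.
-- Assumes a connection that can read the mysql system database.

-- Global level: one row per account in mysql.user. Accounts reachable from
-- any host ('%') or holding powerful global privileges are the first thing
-- to review.
SELECT user, host, Select_priv, Insert_priv, Super_priv, File_priv, Grant_priv
FROM mysql.user
WHERE host = '%' OR Super_priv = 'Y' OR File_priv = 'Y' OR Grant_priv = 'Y';

-- Database level: one row per (account, database) in mysql.db.
SELECT user, host, db, Select_priv, Insert_priv, Update_priv, Delete_priv
FROM mysql.db
ORDER BY db, user, host;

-- Table and column level: the privileges are stored as SET columns, so one
-- row lists every privilege the account has on that object.
SELECT user, host, db, table_name, table_priv, column_priv
FROM mysql.tables_priv;

SELECT user, host, db, table_name, column_name, column_priv
FROM mysql.columns_priv;

-- The same information for one account, rendered as the GRANT statements
-- that would recreate it ('app_user'@'10.0.0.%' is an assumed name).
SHOW GRANTS FOR 'app_user'@'10.0.0.%';
```

The first query is the one worth scheduling: a host of '%' combined with SUPER, FILE or GRANT OPTION is the pattern that turns a leaked application password into full control of the server.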

Significance of database privilege management

  In short, privilege management in a MySQL database works much like user permission management on Linux or Windows:
  grant or revoke a user's privileges (read, write, change, delete, etc.) on a database or on a table.

Privilege management matters to the various databases for several reasons:

  • To secure the data: to allow database backups while prohibiting operations a given user has no business performing;
  • To let specific projects or specific users manage their own database;
  • To separate reads from writes and reduce the load on the database.

MySQL database privilege command format

  Note: SQL keywords are case-insensitive, so letter case is a matter of personal habit. Privilege management of the database is done by setting the privileges of its users.


MySQL create user base format:

  When managing privileges, the usual wording creates the user and grants its privileges in one statement rather than creating the user first and granting separately; the two formats below are the ones commonly used.

MySQL create user basic format:

create user 'username'@'host' identified by 'user password';

MySQL grant basic format:

grant privileges on authorization object (database.table) to 'user'@'host or network segment' identified by 'password';

MySQL revoke privileges basic format:

Revoking privileges is the mirror image of granting them: take the grant statement, change "grant" to "revoke" and "to" to "from".
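The three base formats above put together as one round trip, as an added example that is not part of the original post. The account 'report'@'192.168.122.%', the database shop and the password are assumed values. One caveat a practitioner needs here: GRANT ... IDENTIFIED BY, the one-statement form the post uses, was removed in MySQL 8.0, where the account must be created first and GRANT only assigns privileges; both forms are shown.

```sql
-- Added example (not from the original post). Account, database and
-- password are assumed values.

-- MySQL 5.x form: GRANT creates the account and sets its password at once.
-- (On MySQL 8.0 this statement is a syntax error.)
GRANT SELECT ON shop.* TO 'report'@'192.168.122.%' IDENTIFIED BY 'example-password';

-- MySQL 8.0 form (also valid on 5.7): create the account, then grant.
CREATE USER IF NOT EXISTS 'report'@'192.168.122.%' IDENTIFIED BY 'example-password';
GRANT SELECT ON shop.* TO 'report'@'192.168.122.%';

-- Check what the account actually holds before handing out the credentials.
SHOW GRANTS FOR 'report'@'192.168.122.%';

-- Revoke: the same statement with GRANT -> REVOKE and TO -> FROM.
REVOKE SELECT ON shop.* FROM 'report'@'192.168.122.%';

-- Revoking privileges does not delete the account: it keeps USAGE and can
-- still log in. Drop it when it is no longer needed.
DROP USER IF EXISTS 'report'@'192.168.122.%';
```

SHOW GRANTS is the check to run after every grant or revoke; it reports exactly what the server stored, which is not always what the DBA thought they typed.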

MySQL database privilege examples and analysis

[1] Privileges that can be granted

  • all privileges: all privileges except grant option (grant option lets the authorized user pass these privileges on to other users, i.e. copy its privileges)
  • alter: modify the structure of a table (alter table)
  • alter routine: alter or drop stored functions and stored procedures
  • create: create databases and tables
  • create routine: create stored procedures and functions
  • create temporary tables: create temporary tables
  • create user: create, rename and drop users, and revoke their privileges
  • create view: create views
  • delete: delete data from tables
  • drop: drop databases, tables and views
  • execute: execute (call) stored procedures and functions
  • event: query, create, modify and delete MySQL events
  • file: read and write files on the server's local file system
  • grant option: delegate the user's own privileges to other users
  • index: create and drop indexes
  • insert: insert data into tables
  • lock tables: lock tables on which the user holds the select privilege
  • process: view the process threads / connections of all users
  • references: from version 5.7.6 on, controls whether the user may create foreign keys
  • reload: execute flush and reload the privilege tables
  • replication client: query the positions of the master and slave servers
  • replication slave: lets a slave host establish a connection to the master through this user
  • select: read data from tables
  • show databases: view the names of all databases
  • show view: view the definition of a view
  • shutdown: shut down the database instance
  • super: perform a set of database administration commands (change master, kill thread, mysqladmin debug, purge master logs, set global, ...)
  • trigger: from MySQL 5.1.6 on, create, drop, execute and show triggers
  • update: modify data in tables
  • usage: the default privilege of a newly created user; it only allows connecting, with no other privileges

[2] Notes on MySQL database authorization

Note 1:

grant select on database_name.table_name to 'user'@'%' identified by 'password' with grant option;

"with grant option" allows the authorized user to pass the privileges it holds on to other users.

Such authorization is not encouraged, and in practice it is seldom if ever used. Privileges are best kept in the hands of the DBA, for both security and ease of management.

Note 2:

grant can apply to a single database or to a single table; the authorization scope is written as:

  • *.* means all databases and all tables
  • database_name.* means all tables in that database
  • database_name.table_name means that one table in that database

Note 3:

How the authorized user is written:
% stands for an entire network segment, or for any host

  • 'username'@'%' means the user can log in from any host
  • 'username'@'192.168.123.234' means only that IP can log in as this user
  • 'username'@'192.168.122.%' means any host in the 192.168.122 network segment can log in as this user

[3] Database authorization examples

  <1> Create a user and grant read-only privileges

grant select on database_name.* to 'user'@'%' identified by 'password';

  <2> Create a user and grant the privilege to insert data

grant insert on database_name.* to 'user'@'%' identified by 'password';

  <3> Create a user and grant the privilege to change existing data

grant update on database_name.* to 'user'@'%' identified by 'password';

  <4> Create a user and grant the privilege to delete data

grant delete on database_name.* to 'user'@'%' identified by 'password';

  To grant all of the above privileges at once, list them in one statement separated by commas.

grant select, insert, update, delete on database_name.* to 'user'@'%' identified by 'password';

  <5> Create a user and grant all privileges

grant all privileges on database_name.* to 'user'@'network segment or IP' identified by 'password';

  <6> Create a user and grant the privilege to create tables

grant create on database_name.* to 'user'@'network segment or IP' identified by 'password';

  <7> Create a user and grant the privilege to modify tables

grant alter on database_name.* to 'user'@'network segment or IP' identified by 'password';

  <8> Create a user and grant the privilege to drop databases / tables / views

grant drop on database_name.* to 'user'@'network segment or IP' identified by 'password';

  <9> Create a user and grant the privilege to set up foreign keys on the tables of a database

grant references on database_name.* to 'user'@'network segment or IP' identified by 'password';

  <10> Create a user and grant the privilege to create temporary tables in a database

grant create temporary tables on database_name.* to 'user'@'network segment or IP' identified by 'password';

  <11> Create a user and grant the privilege to set table indexes within a database

grant index on database_name.* to 'user'@'network segment or IP' identified by 'password';

  <12> Create a user and grant the privilege to create views within a database

grant create view on database_name.* to 'user'@'network segment or IP' identified by 'password';

  <13> Create a user and grant the privilege to view the definitions of views within a database

grant show view on database_name.* to 'user'@'network segment or IP' identified by 'password';

  <14> Create a user and grant privileges on the stored procedures and functions within a database

grant create routine on database_name.* to 'user'@'network segment or IP'; -- now the user can show procedure status

grant alter routine on database_name.* to 'user'@'network segment or IP'; -- now the user can drop a procedure

grant execute on database_name.* to 'user'@'network segment or IP';

  <15> Create a user and grant privileges on specific columns of a table

  If there are several columns, separate them with commas.

grant select (column_name) on database_name.table_name to 'user'@'network segment or IP' identified by 'password';

  <16> Create a user and grant execute on a specific stored procedure or function of a database

grant execute on procedure database_name.procedure_name to 'user'@'network segment or IP' identified by 'password';

grant execute on function database_name.function_name to 'user'@'network segment or IP' identified by 'password';
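The forms from section [3] combined into a read/write split for one application, as an added example that is not part of the original post. The database shop, its tables orders and customers, the procedure close_order, and all account names, hosts and passwords are assumed values. It uses MySQL 8.0 syntax (CREATE USER first, GRANT without IDENTIFIED BY), which also works on 5.7.

```sql
-- Added example (not from the original post). Database, tables, procedure,
-- accounts, hosts and passwords are all assumed values.

-- 1. Application account: DML only, reachable only from the app subnet,
--    plus execute on the one procedure it calls (form <16>).
CREATE USER 'shop_app'@'10.10.1.%' IDENTIFIED BY 'app-password';
GRANT SELECT, INSERT, UPDATE, DELETE ON shop.* TO 'shop_app'@'10.10.1.%';
GRANT EXECUTE ON PROCEDURE shop.close_order TO 'shop_app'@'10.10.1.%';

-- 2. Reporting account: read-only, and on the customers table only the
--    non-sensitive columns (column-level grant, form <15>).
CREATE USER 'shop_report'@'10.10.2.%' IDENTIFIED BY 'report-password';
GRANT SELECT ON shop.orders TO 'shop_report'@'10.10.2.%';
GRANT SELECT (customer_id, country) ON shop.customers TO 'shop_report'@'10.10.2.%';

-- 3. Deployment account: schema changes (forms <6> to <14>) but no row
--    access, and only from a single host.
CREATE USER 'shop_deploy'@'10.10.0.5' IDENTIFIED BY 'deploy-password';
GRANT CREATE, ALTER, DROP, INDEX, CREATE VIEW, CREATE ROUTINE, ALTER ROUTINE
  ON shop.* TO 'shop_deploy'@'10.10.0.5';

-- 4. Verify. None of the three should show GRANT OPTION, SUPER, FILE, or
--    anything granted on *.*.
SHOW GRANTS FOR 'shop_app'@'10.10.1.%';
SHOW GRANTS FOR 'shop_report'@'10.10.2.%';
SHOW GRANTS FOR 'shop_deploy'@'10.10.0.5';

-- 5. Retiring the reporting job: take back exactly what it had (a
--    column-level grant is revoked with the same column list), then drop it.
REVOKE SELECT ON shop.orders FROM 'shop_report'@'10.10.2.%';
REVOKE SELECT (customer_id, country) ON shop.customers FROM 'shop_report'@'10.10.2.%';
DROP USER 'shop_report'@'10.10.2.%';
```

The point of the split is that a compromise of any one credential is bounded: the reporting password yields two columns of customers and the orders table, the app password yields DML on shop but no DDL and no file or server-level access, and the deploy password yields schema control but not a single row of data.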


Origin www.cnblogs.com/liboware/p/11961422.html