MySQL database user and privilege management

1. User Management

1.1 Creating a User

# After creation the user cannot log in locally by default; only remote login is possible
create user username identified by password

# Create a user that may only log in from a client at a specific host address
create user username@host identified by password

# Create a new user and grant privileges in one GRANT statement
# (MySQL 5.x only: IDENTIFIED BY on GRANT was removed in MySQL 8.0, where CREATE USER must come first)
grant all privileges on xxxx.* to dddd@'%' identified by '654321';

1.2 Authorization

# Create a new user and grant privileges in one GRANT statement (MySQL 5.x only)
grant privilege_type on database.table to username@host identified by password;

# Grant privileges to a user that already exists
grant privilege_type on database.table to existing_username;

# Grant user aaa the select privilege on every table in database xxxx
grant select on xxxx.* to aaa;
# Some grants require the host part; it normally matches the Host column of that user's row in mysql.user
grant select on xxxx.* to aaa@'host';

# Grant user aaa the update and delete privileges on every table in database xxxx
grant update,delete on xxxx.* to aaa;

Commonly used privilege types:

Privilege type    Meaning
all privileges    All privileges
all               All privileges (same as all privileges)
select            Read (SELECT) privilege
delete            DELETE privilege
update            UPDATE privilege
create            CREATE privilege
drop              Privilege to drop databases and tables

Host address

Host              Meaning
localhost         The user may only log in locally, not remotely
%                 The user may log in from any remote machine (other than the local host)
192.168.52.32     A specific IP: the user may only log in from that IP

1.3 Revoking Privileges

The basic format:

revoke privilege_type on database.table from username;

Examples:

# Revoke one privilege
revoke update on xxxx.* from aaa;

# Revoke several privileges at once
revoke select,insert,delete on xxxx.* from aaa;

# Revoke all privileges at once
revoke all on xxxx.* from aaa;
revoke all privileges on xxxx.* from aaa;

1.4 Refreshing Privileges

flush privileges;

Note: After privileges are changed, a user who was already connected to the server does not see the change immediately; it takes effect only after that user disconnects and logs in again.
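The following is an added example, not code from the original post, that runs steps 1.1 to 1.4 end to end for a least-privilege application account in MySQL 8.0 syntax. The database name shop, the tables orders and products, the account name app_rw, the host range 10.0.0.% and the password value are all assumed placeholders.

```sql
-- Added example (not from the original post). Assumed names: database "shop",
-- tables "orders"/"products", account "app_rw", host range 10.0.0.%.

-- 1.1 Create the user first. MySQL 8.0 removed IDENTIFIED BY from GRANT, so GRANT
--     can no longer create accounts. Restricting the host part to a subnet means a
--     leaked password cannot be used from anywhere else.
CREATE USER 'app_rw'@'10.0.0.%' IDENTIFIED BY 'CHANGE_ME_placeholder';

-- 1.2 Grant only what the application needs, at table level rather than *.* .
GRANT SELECT, INSERT, UPDATE ON shop.orders   TO 'app_rw'@'10.0.0.%';
GRANT SELECT                 ON shop.products TO 'app_rw'@'10.0.0.%';

-- Verify the effective grants. The "USAGE ON *.*" line is the implicit
-- "may log in" privilege every account has.
SHOW GRANTS FOR 'app_rw'@'10.0.0.%';

-- 1.3 Revoke a privilege that turned out to be unnecessary.
REVOKE UPDATE ON shop.orders FROM 'app_rw'@'10.0.0.%';

-- 1.4 GRANT and REVOKE statements update the server's in-memory grant tables
--     themselves; FLUSH PRIVILEGES is only strictly needed after editing the
--     mysql.* tables directly, but it is harmless here.
FLUSH PRIVILEGES;

-- A session app_rw opened before these changes may still run with the old
-- privileges (see the note above); have the application reconnect to be sure.

-- When the application is decommissioned, remove the account entirely:
-- DROP USER 'app_rw'@'10.0.0.%';
```

SHOW GRANTS is the check worth running after every change: it shows exactly what the server will enforce, including any wildcard host or `*.*` grant that slipped in, rather than what you intended to grant.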

2. Appendix: MySQL privilege types

Privilege Meaning
usage Connection (login) privilege. When a user is created, USAGE is granted automatically (the default). It only allows logging in to the server and permits nothing else; USAGE cannot be revoked, which is why REVOKE does not delete a user.
file Allows select ... into outfile and load data infile ... operations. Do not grant the file, process or super privileges to accounts other than administrator accounts; doing so is a serious security risk.
super Allows the user to terminate any query, modify global variables with SET, and use CHANGE MASTER and PURGE MASTER LOGS.
select Required to run select on a table.
insert Required to run insert into ... values ....
update Required to run update on a table.
delete Required to run delete from ... where ... (deleting records from a table).
alter Required to run alter table.
alter routine Required to run {alter | drop} {procedure | function}.
create Required to run create table.
drop Required to drop databases, tables, indexes, views, etc.
create routine Required to run {create | alter
create temporary tables (Note: tables, not table.) Required to run create temporary tables.
create view Required to run create view.
create user To use CREATE USER you must have the global CREATE USER privilege, or the INSERT privilege on the mysql database.
show database show databases lists only the databases on which you hold some privilege, unless you have the global SHOW DATABASES privilege. A root@localhost user with no privileges on the mysql database therefore cannot see the mysql database when querying as that account.
show view Required to run show create view.
index Required to run [create | drop] index.
execute Allows executing existing stored functions and procedures.
event It is recommended that events be created and maintained by a rarely used account such as root. For events to run, the global event_scheduler variable must be set to ON or 1.
lock tables Required to run lock tables.
references With the REFERENCES privilege the user can use a column of another table as a foreign-key constraint of a table.
reload Required to run flush [tables | logs | privileges].
replication client With this privilege the user can query the status of master and slave servers.
replication slave With this privilege the account can act as a slave and read the binary log from the master server.
shutdown Privilege to shut down MySQL.
grant option With grant option, the user can grant the privileges they hold to other users (only privileges they already have).
process With this privilege the user can run SHOW PROCESSLIST and KILL. By default every user can run SHOW PROCESSLIST but sees only their own threads.
all privileges All privileges. with grant option allows passing them on to other users.
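The table above warns that file, process and super (and, by extension, grant option, shutdown, reload and create user) should stay with administrator accounts. The following added example, not code from the original post, is a set of read-only audit queries an administrator can run to find accounts that hold those privileges or that accept connections from any host. It uses only standard MySQL system tables; the mysql.global_grants query applies to MySQL 8.0 only.

```sql
-- Added example (not from the original post): privilege audit queries.
-- Run as an administrator; all statements are read-only.

-- 1. Accounts holding high-risk global privileges. information_schema.USER_PRIVILEGES
--    has one row per (grantee, privilege); IS_GRANTABLE = 'YES' means WITH GRANT OPTION.
SELECT GRANTEE, PRIVILEGE_TYPE, IS_GRANTABLE
FROM information_schema.USER_PRIVILEGES
WHERE PRIVILEGE_TYPE IN ('FILE', 'SUPER', 'PROCESS', 'SHUTDOWN', 'RELOAD', 'CREATE USER')
   OR IS_GRANTABLE = 'YES'
ORDER BY GRANTEE, PRIVILEGE_TYPE;

-- 2. Accounts reachable from any host ('%'), with the same flags read directly from
--    mysql.user (the *_priv columns hold 'Y' or 'N'). A '%' account that also has
--    File_priv or Super_priv = 'Y' is the combination to fix first.
SELECT User, Host, File_priv, Super_priv, Process_priv, Grant_priv, Shutdown_priv
FROM mysql.user
WHERE Host = '%'
ORDER BY User;

-- 3. Every account that can reach the file system or override server settings.
--    Each row should be a known administrator; anything else is the "serious
--    security risk" the file row above describes.
SELECT User, Host
FROM mysql.user
WHERE File_priv = 'Y' OR Super_priv = 'Y'
ORDER BY User, Host;

-- 4. MySQL 8.0 only: dynamic privileges (e.g. SYSTEM_VARIABLES_ADMIN, which
--    replaces part of SUPER) live in mysql.global_grants, not in mysql.user.
SELECT USER, HOST, PRIV, WITH_GRANT_OPTION
FROM mysql.global_grants
ORDER BY USER, HOST, PRIV;
```

Queries 1 and 3 overlap deliberately: USER_PRIVILEGES reflects what the server currently enforces, while mysql.user is the stored table, so a difference between them indicates that the grant tables were edited directly and FLUSH PRIVILEGES has not yet been run.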


Origin blog.csdn.net/bigpatten/article/details/103961877