Account privileges
1. Can the account connect to the database? Any legitimate user can connect.
2. Can the account operate on data? That requires authorization (grants).
Create a user and set a password
create user tong identified by '123';    # no host given: defaults to tong@'%'
create user tong@localhost identified by '123';    # can only log in locally
mysql> create user tong@'192.168.206.0/255.255.255.0' identified by '123';    # the 192.168.206.0/24 subnet
mysql> create user tong@'192.168.206.10' identified by '123';    # only the IP 192.168.206.10 may log in
create user tom@'%' identified by '123';    # any host that can reach the server
Query users
select user from mysql.user;
Rename a user
rename user tom to jerry;
select user from mysql.user;
Drop a user
drop user tong;
drop user tong@'192.168.206.10';
Change a user's password
mysql> create user tong identified by '123';
Query OK, 0 rows affected (0.00 sec)
mysql> set password for 'tong'@'%' = password('456');
Query OK, 0 rows affected, 1 warning (0.00 sec)
Reset the root password
Skip the grant tables
Method 1
shell> /usr/local/mysql/bin/mysqld_safe --skip-grant-tables --skip-networking &
Method 2
shell>vim /etc/my.cnf
[mysqld]
skip-grant-tables=1
shell>systemctl restart mysqld
Log in and change the password
mysql>update mysql.user set authentication_string=password('123') where User='root' and Host='localhost';
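The complete reset sequence for the skip-grant-tables method, as an added example that is not part of the original notes. It assumes MySQL 5.7 (where the hash lives in `mysql.user.authentication_string`, as in the `update` above) and a server started with `--skip-grant-tables --skip-networking` as shown; the new password is a placeholder. The point a practitioner needs: while `skip-grant-tables` is active every connection gets full access with no authentication, so keep networking off and revert the option as soon as the password is set.

```sql
-- Added example, not from the original notes. Assumes MySQL 5.7 and that
-- mysqld is currently running with --skip-grant-tables --skip-networking.

-- 1. Reload the grant tables in memory so that account-management statements
--    (ALTER USER, SET PASSWORD) work again while skip-grant-tables is active.
FLUSH PRIVILEGES;

-- 2. Set the new root password. NEW_PASSWORD_PLACEHOLDER is a placeholder.
ALTER USER 'root'@'localhost' IDENTIFIED BY 'NEW_PASSWORD_PLACEHOLDER';

-- Equivalent for the UPDATE style used in the notes (MySQL 5.7 column name):
-- UPDATE mysql.user SET authentication_string = PASSWORD('NEW_PASSWORD_PLACEHOLDER')
--   WHERE User = 'root' AND Host = 'localhost';
-- FLUSH PRIVILEGES;

-- 3. Verify which root accounts exist and which hosts they are bound to;
--    a root@'%' entry here means root is reachable over the network.
SELECT User, Host, plugin FROM mysql.user WHERE User = 'root';

-- 4. Back in the shell: remove skip-grant-tables from [mysqld] in /etc/my.cnf
--    (or stop the mysqld_safe instance started with the option) and restart
--    mysqld normally, then confirm the old password is rejected:
--    mysql -u root -p -h localhost
```

Step 1 matters because under `skip-grant-tables` the in-memory grant tables are empty until a `FLUSH PRIVILEGES` loads them; without it `ALTER USER` fails with "The MySQL server is running with the --skip-grant-tables option".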
Query a user's privileges
mysql> show grants for tong \G
*************************** 1. row ***************************
Grants for tong@%: GRANT USAGE ON *.* TO 'tong'@'%'
1 row in set (0.00 sec)
USAGE means the account has no privileges at all (it can connect, but nothing more)
Connection test
mysql -u tong -p123 -h ip
Privileges
MySQL access control has two stages:
Stage 1: the server checks whether you are allowed to connect at all.
Stage 2: assuming you can connect, the server checks every request you issue to see whether you have sufficient privileges to perform it. For example, if you select rows from a table or drop a table from a database, the server verifies that you have the SELECT privilege on that table or the DROP privilege on that database.
Granting privileges: grant
Syntax
grant <privileges> on <db>.<table> to <user>@<host> [identified by '<password>'];
grant select on mydb.* to tong@'localhost'; # grant read-only (SELECT) access
show grants for tong\G
*************************** 1. row ***************************
Grants for tong@%: GRANT USAGE ON *.* TO 'tong'@'%' IDENTIFIED BY PASSWORD '*23AE809DDACAF96AF0FD78ED04B6A265E05AA257'
*************************** 2. row ***************************
Grants for tong@%: GRANT SELECT ON `mydb`.* TO 'tong'@'%'
Removing privileges: revoke
Syntax
revoke <privileges> on <db>.<table> from <user>@<host>;
revoke select on mydb.* from tong@'localhost';
Granting access from remote hosts
grant all on mydb.* to tom@'192.168.206.10' identified by '123';
grant all on mydb.* to tom@'%' identified by '123';
grant and revoke can control access at several levels:
The whole server: grant all on *.* and revoke all on *.*
A whole database: on database.*
grant select,insert on mydb.* to jerry@'localhost' identified by '123';
A specific table: on database.table
grant select,insert on mydb.test to tom@'localhost' identified by '123';
Another method (insert directly into the grant table; PASSWORD() needs the plaintext as its argument, '123' here as in the other examples):
mysql> INSERT INTO user (Host,User,Password) VALUES('localhost','dummy',PASSWORD('123'));
mysql> FLUSH PRIVILEGES;
User information: mysql.user stores every account, while privilege information is spread across several tables depending on the level at which the grant was made (user1 to user4 below):
grant all on *.* to user1@localhost identified by '123';
user1's privileges are stored in mysql.user (global level)
grant all on db.* to user2@localhost identified by '123';
user2's privileges are stored in mysql.db (database level)
grant all on db.dpt to user3@localhost identified by '123';
user3's privileges are stored in mysql.tables_priv (table level)
grant select(dpt_name) on db.dpt to user4@localhost identified by '123';
user4's privileges are stored in mysql.columns_priv (column level)
Reload the grant tables
mysql> flush privileges;
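The four privilege levels and the grant tables they land in, worked through end to end, as an added example that is not part of the original notes. It constructs a database `mydb` with one table `dpt` (columns `dpt_name` and `budget`, both constructed for this example), creates `user1` to `user4` with placeholder passwords, then reads back the rows each `grant` wrote so the storage described above can be verified directly; it closes with a revoke at the matching level and a small audit query. Assumes MySQL 5.7; on 5.6 `CREATE USER ... IDENTIFIED BY` works the same way.

```sql
-- Added example, not from the original notes. Constructed schema and
-- placeholder accounts; run as an account with GRANT OPTION on *.*.
CREATE DATABASE IF NOT EXISTS mydb;
CREATE TABLE IF NOT EXISTS mydb.dpt (
  id       INT PRIMARY KEY,
  dpt_name VARCHAR(50),
  budget   DECIMAL(10,2)           -- column user4 must NOT be able to read
);
INSERT INTO mydb.dpt VALUES (1, 'research', 1000.00), (2, 'ops', 500.00);

-- Global level (all databases): recorded in mysql.user
CREATE USER 'user1'@'localhost' IDENTIFIED BY 'p1_placeholder';
GRANT ALL ON *.* TO 'user1'@'localhost';

-- Database level: recorded in mysql.db
CREATE USER 'user2'@'localhost' IDENTIFIED BY 'p2_placeholder';
GRANT SELECT, INSERT ON mydb.* TO 'user2'@'localhost';

-- Table level: recorded in mysql.tables_priv
CREATE USER 'user3'@'localhost' IDENTIFIED BY 'p3_placeholder';
GRANT SELECT ON mydb.dpt TO 'user3'@'localhost';

-- Column level: recorded in mysql.columns_priv
CREATE USER 'user4'@'localhost' IDENTIFIED BY 'p4_placeholder';
GRANT SELECT (dpt_name) ON mydb.dpt TO 'user4'@'localhost';

-- Where each grant was written. user1 shows Select_priv='Y' in mysql.user;
-- user2..user4 show 'N' there and appear in the lower tables instead.
SELECT User, Host, Select_priv, Insert_priv
  FROM mysql.user        WHERE User LIKE 'user_' AND Host = 'localhost';
SELECT User, Host, Db, Select_priv, Insert_priv
  FROM mysql.db          WHERE User LIKE 'user_' AND Host = 'localhost';
SELECT User, Host, Db, Table_name, Table_priv
  FROM mysql.tables_priv WHERE User LIKE 'user_' AND Host = 'localhost';
SELECT User, Host, Db, Table_name, Column_name, Column_priv
  FROM mysql.columns_priv WHERE User LIKE 'user_' AND Host = 'localhost';

-- Stage 2 of access control in practice (run as user4):
--   SELECT dpt_name FROM mydb.dpt;            -- allowed
--   SELECT dpt_name, budget FROM mydb.dpt;    -- ERROR 1143: SELECT command denied
--                                             -- ... for column 'budget'

-- Tightening: revoke at the same level the grant was made, then re-check.
REVOKE INSERT ON mydb.* FROM 'user2'@'localhost';
SHOW GRANTS FOR 'user2'@'localhost';

-- Audit: accounts reachable from any host, and accounts with global ALL.
SELECT User, Host FROM mysql.user WHERE Host = '%';
SELECT User, Host FROM mysql.user WHERE Super_priv = 'Y' OR Grant_priv = 'Y';

-- Only needed after editing the grant tables directly with INSERT/UPDATE;
-- GRANT, REVOKE, CREATE USER and DROP USER refresh the in-memory copy themselves.
FLUSH PRIVILEGES;
```

The `LIKE 'user_'` pattern (single-character wildcard) matches exactly `user1` to `user4` without picking up other accounts. The last comment is the practical reason the notes end with `flush privileges`: it is the direct-INSERT method above, not `grant`, that leaves the server's in-memory grant tables stale.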