-pengfei
1. Check which addresses the server listens on for connections.
show variables like "bind_address";
+---------------------+-------+
| Variable_name       | Value |
+---------------------+-------+
| bind_address        | *     |
+---------------------+-------+
If bind_address is *, the server listens on every interface, so connections are accepted from any address. Note that bind_address only controls which interfaces the server listens on; which clients may actually log in is decided by the host part of each account (user@host), checked in the following steps.
2. View the privileges of a specific account.
show grants for root@"%";
Shows the privileges of the root account that may connect from any host (the public "%" host pattern).
show grants for root@"localhost";
Shows the privileges of the root account that may only connect from the local host.
3. All account information is also visible in the mysql.user table.
List all accounts:
select * from mysql.user;
List only two fields of every account; this is mainly used to check whether a given account exists at all:
select user,host from mysql.user;
List every root account by filtering on the user column:
select user,host from mysql.user where user = "root";
+------+-----------+
| user | host      |
+------+-----------+
| root | localhost |
+------+-----------+
4. Once you know an account exists, query its privileges.
show grants for "mysql.sys"@"localhost";
+---------------------------------------------------------------+
| Grants for mysql.sys@localhost                                |
+---------------------------------------------------------------+
| GRANT USAGE ON *.* TO `mysql.sys`@`localhost`                 |
| GRANT TRIGGER ON `sys`.* TO `mysql.sys`@`localhost`           |
| GRANT SELECT ON `sys`.`sys_config` TO `mysql.sys`@`localhost`  |
+---------------------------------------------------------------+
This shows that mysql.sys is created by default with the connect privilege (USAGE),
the TRIGGER privilege on every table in the sys database,
and SELECT on the sys.sys_config table.
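The checks in steps 1 to 4 can be combined into a short account audit. The following is an added example, not part of the original post; it assumes MySQL 8.0 and a session (such as root@localhost) that can read the mysql schema.

```sql
-- Added example (not from the original post): a quick MySQL 8.0 account audit.
-- Run from an administrative session such as root@localhost.

-- 1. Network exposure: bind_address = * listens on every interface,
--    skip_networking = ON disables TCP entirely,
--    require_secure_transport = ON forces TLS for every TCP client.
SHOW VARIABLES WHERE Variable_name IN
  ('bind_address', 'skip_networking', 'require_secure_transport');

-- 2. Accounts reachable from any host: host '%' , a pattern containing '%',
--    or an empty host (which also means "any host").
SELECT user, host, plugin, account_locked
FROM mysql.user
WHERE host LIKE '%\%%' OR host = '';

-- 3. Accounts holding global privileges that amount to full server control.
--    Any row here should be a deliberate administrative account.
SELECT user, host
FROM mysql.user
WHERE Super_priv = 'Y' OR File_priv = 'Y' OR Grant_priv = 'Y'
   OR Shutdown_priv = 'Y' OR Process_priv = 'Y';

-- 4. Accounts with no password set at all.
SELECT user, host, plugin
FROM mysql.user
WHERE authentication_string = '';

-- 5. Accounts that are locked (expected for mysql.sys, mysql.session,
--    mysql.infoschema) versus accounts that can actually log in.
SELECT user, host, account_locked, password_expired
FROM mysql.user
ORDER BY account_locked, user, host;
```

Every account returned by queries 2 to 4 should then be inspected with `show grants for user@host;` as in step 4 above.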
5. Create a user.
create user cdq@"localhost" identified by "mysql";
If no privileges are granted, a newly created account has only the connect privilege (USAGE):
+-----------------------------------------+
| Grants for cdq@localhost                |
+-----------------------------------------+
| GRANT USAGE ON *.* TO `cdq`@`localhost` |
+-----------------------------------------+
1 row in set (0.00 sec)
6. Grant privileges to a specific account.
grant all on *.* to cdq@localhost;
Grants every privilege on every table of every database to the account cdq@localhost. (ALL does not include GRANT OPTION; that must be added explicitly with WITH GRANT OPTION.)
7. After creating the account and granting privileges, verify them.
Either query the server directly:
show grants for cdq@localhost\G
or read the account's row in the mysql.user table:
select * from mysql.user where user="cdq" and host = "localhost"\G
Note: the mysql.user table holds each account's global privileges; the mysql.db table holds database-level privileges.
mysql> select * from mysql.db where user="mysql.sys" and host ="localhost"\G
*************************** 1. row ***************************
                 Host: localhost
                   Db: sys
                 User: mysql.sys
          Select_priv: N
          Insert_priv: N
          Update_priv: N
          Delete_priv: N
          Create_priv: N
            Drop_priv: N
           Grant_priv: N
      References_priv: N
           Index_priv: N
           Alter_priv: N
Create_tmp_table_priv: N
     Lock_tables_priv: N
     Create_view_priv: N
       Show_view_priv: N
  Create_routine_priv: N
   Alter_routine_priv: N
         Execute_priv: N
           Event_priv: N
         Trigger_priv: Y
1 row in set (0.00 sec)
This query shows which databases the account has privileges on and which ones.
Here Db: sys means that the account mysql.sys holds Trigger_priv on the sys database.
8. Revoking privileges
revoke all privileges on *.* from cdq@localhost;
Revokes all of cdq's privileges on every table of every database. Note that this only removes global privileges (those recorded in mysql.user); database-, table- and column-level grants stay in place. To strip an account completely use revoke all privileges, grant option from cdq@localhost;
9. Grant one specific privilege to one specific account.
Before granting, first check which privileges the account already has,
then derive the new GRANT statement from the output. For example:
show grants for cdq@localhost;
+-----------------------------------------+
| Grants for cdq@localhost                |
+-----------------------------------------+
| GRANT USAGE ON *.* TO `cdq`@`localhost` |
+-----------------------------------------+
This shows that the account only has the connect privilege.
10. Using the grant just displayed as a template, grant the account a new privilege.
grant select on *.* to cdq@localhost;
This grants the account SELECT on every database:
+------------------------------------------+
| Grants for cdq@localhost                 |
+------------------------------------------+
| GRANT SELECT ON *.* TO `cdq`@`localhost` |
+------------------------------------------+
11. Likewise, to revoke a specific privilege from a specific account, change GRANT to REVOKE and TO to FROM:
revoke select on *.* from cdq@localhost;
+-----------------------------------------+
| Grants for cdq@localhost                |
+-----------------------------------------+
| GRANT USAGE ON *.* TO `cdq`@`localhost` |
+-----------------------------------------+
12. Privileges can also be granted on a specific database only.
grant select on course.* to cdq@localhost;
Grants SELECT to cdq@localhost with scope limited to the course database:
show grants for cdq@localhost;
+-------------------------------------------------+
| Grants for cdq@localhost                        |
+-------------------------------------------------+
| GRANT USAGE ON *.* TO `cdq`@`localhost`         |
| GRANT SELECT ON `course`.* TO `cdq`@`localhost` |
+-------------------------------------------------+
13. In the same way, grant on a single table of a database:
grant select on course.students to cdq@localhost;
select * from mysql.tables_priv where user="cdq" and host = "localhost";
+-----------+--------+------+------------+----------------+---------------------+------------+-------------+
| Host      | Db     | User | Table_name | Grantor        | Timestamp           | Table_priv | Column_priv |
+-----------+--------+------+------------+----------------+---------------------+------------+-------------+
| localhost | course | cdq  | students   | root@localhost | 0000-00-00 00:00:00 | Select     |             |
+-----------+--------+------+------------+----------------+---------------------+------------+-------------+
Database-level privileges of all accounts are stored in mysql.db; table-level privileges are stored in mysql.tables_priv. Global grants (ON *.*) do not appear in either of these tables; they are recorded in mysql.user.
14. Grant an account SELECT on one column of one table in one database.
grant select(sid) on course.students to cdq@localhost;
select * from mysql.columns_priv where user="cdq" and host="localhost";
+-----------+--------+------+------------+-------------+---------------------+-------------+
| Host      | Db     | User | Table_name | Column_name | Timestamp           | Column_priv |
+-----------+--------+------+------------+-------------+---------------------+-------------+
| localhost | course | cdq  | students   | sid         | 0000-00-00 00:00:00 | Select      |
+-----------+--------+------+------------+-------------+---------------------+-------------+
 
The finest level at which MySQL restricts privileges is the column level, recorded in mysql.columns_priv. A privilege granted at a finer level also leaves a trace in the coarser level's table: the column grant above appears in mysql.tables_priv as Column_priv = Select.
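The following added example (not from the original post) grants one account a privilege at each of the four levels and then locates each grant in the table that records it, ending with a single query that lists all of them, which is the form an audit script wants. It assumes MySQL 8.0, a database `course` with a table `students` that has a column `sid`, and an administrative session; the account name `reporter` and its password are placeholders.

```sql
-- Added example (not from the original post): where each privilege level is stored.
-- Assumes MySQL 8.0, database course with table students(sid, ...), admin session.
CREATE USER IF NOT EXISTS 'reporter'@'localhost' IDENTIFIED BY 'Placeholder-Pw-1';

GRANT PROCESS      ON *.*             TO 'reporter'@'localhost';  -- global level
GRANT SELECT       ON course.*        TO 'reporter'@'localhost';  -- database level
GRANT INSERT       ON course.students TO 'reporter'@'localhost';  -- table level
GRANT UPDATE (sid) ON course.students TO 'reporter'@'localhost';  -- column level

-- Global: one row per account in mysql.user, one Y/N column per privilege.
-- Select_priv stays N because SELECT was granted at database level, not globally.
SELECT user, host, Process_priv, Select_priv
FROM mysql.user WHERE user = 'reporter' AND host = 'localhost';

-- Database level.
SELECT Db, Select_priv, Insert_priv
FROM mysql.db WHERE user = 'reporter' AND host = 'localhost';

-- Table level; Column_priv here summarises the column-level grants on the table.
SELECT Db, Table_name, Table_priv, Column_priv
FROM mysql.tables_priv WHERE user = 'reporter' AND host = 'localhost';

-- Column level.
SELECT Db, Table_name, Column_name, Column_priv
FROM mysql.columns_priv WHERE user = 'reporter' AND host = 'localhost';

-- All four levels in one list, via the information_schema privilege views.
-- GRANTEE is stored in the quoted form 'user'@'host'.
SELECT 'global' AS level, '*' AS db, '*' AS tbl, '*' AS col, PRIVILEGE_TYPE
FROM information_schema.USER_PRIVILEGES
WHERE GRANTEE = "'reporter'@'localhost'"
UNION ALL
SELECT 'database', TABLE_SCHEMA, '*', '*', PRIVILEGE_TYPE
FROM information_schema.SCHEMA_PRIVILEGES
WHERE GRANTEE = "'reporter'@'localhost'"
UNION ALL
SELECT 'table', TABLE_SCHEMA, TABLE_NAME, '*', PRIVILEGE_TYPE
FROM information_schema.TABLE_PRIVILEGES
WHERE GRANTEE = "'reporter'@'localhost'"
UNION ALL
SELECT 'column', TABLE_SCHEMA, TABLE_NAME, COLUMN_NAME, PRIVILEGE_TYPE
FROM information_schema.COLUMN_PRIVILEGES
WHERE GRANTEE = "'reporter'@'localhost'";

-- Clean up. REVOKE ALL ON *.* would only remove the global PROCESS grant;
-- this form removes grants at every level in one statement.
REVOKE ALL PRIVILEGES, GRANT OPTION FROM 'reporter'@'localhost';
DROP USER 'reporter'@'localhost';
```

The UNION query is the one to keep: it answers "what can this account touch" without reading four tables by hand, and it shows the USAGE placeholder row that every account carries in USER_PRIVILEGES even when it has no real global privilege.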
 
15. User creation and connection differ between MySQL 8.0 and 5.7 because 8.0 switched the default authentication plugin to the stronger caching_sha2_password. Clients and connectors that only understand the 5.7 plugin cannot authenticate against such accounts; for those clients the account has to be created with mysql_native_password. (mysql_native_password is deprecated from 8.0.34 and removed in 9.0, so upgrading the client is the better long-term fix.)
mysql> create user repl@"192.168.15.%" identified with mysql_native_password by "mysql";
Query OK, 0 rows affected (0.07 sec)
 
mysql> select user,host,plugin from mysql.user;
+------------------+-----------+-----------------------+
| user             | host      | plugin                |
+------------------+-----------+-----------------------+
| cdq              | %         | mysql_native_password |
| cdq              | localhost | caching_sha2_password |
| mysql.infoschema | localhost | caching_sha2_password |
| mysql.session    | localhost | caching_sha2_password |
| mysql.sys        | localhost | caching_sha2_password |
| root             | localhost | caching_sha2_password |
+------------------+-----------+-----------------------+
6 rows in set (0.00 sec)
 
If such an account is created with the default plugin instead, an older client fails to connect with an authentication error.
16. Granting privileges to an existing account
grant all on *.* to root@"%";
or, equivalently,
grant all privileges on *.* to root@"%";
No FLUSH PRIVILEGES is needed after GRANT or REVOKE; it is only required after editing the grant tables directly with INSERT, UPDATE or DELETE. In MySQL 8.0 GRANT never creates an account, so the account must already exist (CREATE USER first). Also note that root@"%" with ALL on *.* is a full-control account reachable from any host; restrict the host pattern to an administrative network instead.
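The following added example (not from the original post) shows the hardened alternative to granting everything to root@"%": a dedicated administrative account bound to one management subnet, with TLS required and brute-force lockout. The account name, subnet and password are placeholders; it assumes MySQL 8.0.19 or later (for FAILED_LOGIN_ATTEMPTS).

```sql
-- Added example (not from the original post): an administrative account that is
-- not root@'%'. Name, subnet and password are placeholders; needs MySQL 8.0.19+.
CREATE USER 'dba'@'10.0.1.%'
  IDENTIFIED WITH caching_sha2_password BY 'Placeholder-Rotate-Me-9'
  REQUIRE SSL                                   -- refuse plaintext TCP sessions
  PASSWORD EXPIRE INTERVAL 90 DAY               -- force periodic rotation
  FAILED_LOGIN_ATTEMPTS 5 PASSWORD_LOCK_TIME 1; -- temp-lock 1 day after 5 failures

-- In 8.0 GRANT never creates an account. Without the CREATE USER above this fails:
--   ERROR 1410 (42000): You are not allowed to create a user with GRANT
GRANT ALL PRIVILEGES ON *.* TO 'dba'@'10.0.1.%' WITH GRANT OPTION;

-- Verify: ALL on *.* plus GRANT OPTION, host limited to the subnet, not '%'.
SHOW GRANTS FOR 'dba'@'10.0.1.%';

-- Confirm the TLS and lockout settings took effect.
SELECT user, host, ssl_type, password_lifetime
FROM mysql.user WHERE user = 'dba';

-- Keep root local only: there should be no root@'%' row. If one exists, drop it
-- (uncomment the DROP once you have confirmed another admin account works).
SELECT user, host FROM mysql.user WHERE user = 'root';
-- DROP USER 'root'@'%';
```

No FLUSH PRIVILEGES is needed anywhere in this sequence, because every change went through CREATE USER and GRANT rather than direct edits to the grant tables.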
17.锁定用户
alter user cdq@"localhost" account lock;
Query OK, 0 rows affected (0.11 sec)
Any connection attempt now fails with an error saying the account is locked:
ERROR 3118 (HY000): Access denied for user 'cdq'@'localhost'. Account is locked.
18.解锁用户
alter user cdq@localhost account unlock;
Query OK, 0 rows affected (0.05 sec)
The account is unlocked.
To check whether accounts are locked:
select user,host,account_locked from mysql.user;
+------------------+-----------+----------------+
| user             | host      | account_locked |
+------------------+-----------+----------------+
| cdq              | %         | N              |
| root             | %         | N              |
| cdq              | localhost | Y              |
| mysql.infoschema | localhost | Y              |
| mysql.session    | localhost | Y              |
| mysql.sys        | localhost | Y              |
| root             | localhost | N              |
+------------------+-----------+----------------+
7 rows in set (0.00 sec)
 
19. MySQL 8.0 introduces roles (think of them as groups).
A role bundles a predefined set of privileges; accounts are then assigned to the role instead of being granted each privilege individually.
 create role app_readonly;
Query OK, 0 rows affected (0.04 sec)
Creates a role named app_readonly.
 
mysql> grant select on *.* to app_readonly;
Query OK, 0 rows affected (0.02 sec)
Grants the new role its privileges (choose the scope to suit your needs).
 
mysql> create user app1@"localhost" identified by "mysql";
Query OK, 0 rows affected (0.01 sec)
Creates the account app1@localhost with password mysql.
 
mysql> create user app2@"localhost" identified by "mysql";
Query OK, 0 rows affected (0.01 sec)
Creates the account app2@localhost with password mysql.
 
mysql> grant app_readonly to app1@localhost;
Query OK, 0 rows affected (0.05 sec)
Assigns the app_readonly role to app1@localhost.
 
mysql> grant app_readonly to app2@localhost;
Query OK, 0 rows affected (0.05 sec)
Adds app2 to the app_readonly group as well.
20. View the account's privileges
show grants for app1@localhost;
+------------------------------------------------+
| Grants for app1@localhost                      |
+------------------------------------------------+
| GRANT USAGE ON *.* TO `app1`@`localhost`       |
| GRANT `app_readonly`@`%` TO `app1`@`localhost` |
+------------------------------------------------+
2 rows in set (0.00 sec)
21. View the role's privileges
show grants for app_readonly;
+-------------------------------------------+
| Grants for app_readonly@%                 |
+-------------------------------------------+
| GRANT SELECT ON *.* TO `app_readonly`@`%` |
+-------------------------------------------+
1 row in set (0.00 sec)
22. Remove the account from the role
revoke app_readonly from app1@localhost;
Query OK, 0 rows affected (0.03 sec)
23. An account can hold several roles, and a role can be granted to several accounts. Note that granting a role does not activate it: until the role is active in the session (SET ROLE, a default role set with SET DEFAULT ROLE, or activate_all_roles_on_login=ON), the account effectively has only USAGE.
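The following added example (not from the original post) continues the app_readonly / app1@localhost setup from steps 19 to 22 and shows the part the basic sequence leaves out: making the role actually active, checking the effective privileges, and auditing role assignments. It assumes MySQL 8.0; the activate_all_roles_on_login line is optional.

```sql
-- Added example (not from the original post): activating and auditing roles.
-- Builds on the app_readonly role and app1@localhost account from the post.
CREATE ROLE IF NOT EXISTS app_readonly;
GRANT SELECT ON *.* TO app_readonly;
CREATE USER IF NOT EXISTS 'app1'@'localhost' IDENTIFIED BY 'mysql';
GRANT app_readonly TO 'app1'@'localhost';

-- SHOW GRANTS alone lists only USAGE plus the role grant. With USING it shows the
-- privileges the account will have once the role is active.
SHOW GRANTS FOR 'app1'@'localhost' USING app_readonly;

-- Make the role active automatically at login; otherwise app1 must run
-- SET ROLE app_readonly in every session or it only has USAGE.
SET DEFAULT ROLE app_readonly TO 'app1'@'localhost';

-- Server-wide alternative: every granted role becomes active at login.
-- SET PERSIST activate_all_roles_on_login = ON;

-- From app1's own session, after reconnecting:
--   SELECT CURRENT_ROLE();   -- shows `app_readonly`@`%`
--   SET ROLE NONE;           -- drops the session back to USAGE only

-- Audit: who holds which role, and whether anyone can grant it onward.
SELECT FROM_USER AS role_name, FROM_HOST AS role_host,
       TO_USER   AS user_name, TO_HOST   AS user_host, WITH_ADMIN_OPTION
FROM mysql.role_edges;

-- Audit: which accounts have a default role configured.
SELECT USER, HOST, DEFAULT_ROLE_USER, DEFAULT_ROLE_HOST
FROM mysql.default_roles;

-- Removing the role from the account (step 22) also clears it as a default role.
REVOKE app_readonly FROM 'app1'@'localhost';
```

Checking mysql.role_edges against mysql.default_roles is the quickest way to spot accounts that were granted a role but never had it activated, which is the usual cause of "the grant is there but the application still gets access denied".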
