首页 > 代码库 > 创建MySQL用户及赋予用户权限
创建MySQL用户及赋予用户权限
创建MySQL用户及赋予用户权限
1、通过help查看grant命令帮助
……
CREATE USER ‘jeffrey‘@‘localhost‘ IDENTIFIED BY ‘mypass‘;
GRANT ALL ON db1.* TO ‘jeffrey‘@‘localhost‘;
GRANT SELECT ON db2.invoice TO ‘jeffrey‘@‘localhost‘;
GRANT USAGE ON *.* TO ‘jeffrey‘@‘localhost‘ WITH MAX_QUERIES_PER_HOUR 90;
……
2、运维人员比较常用的创建用户的方法是
GRANT ALL ON db1.* TO ‘jeffrey‘@‘localhost‘ IDENTIFIED BY ‘mypass‘;
3、先创建用户再授权
CREATE USER ‘jeffrey‘@‘localhost‘ IDENTIFIED BY ‘mypass‘;
GRANT ALL ON db1.* TO ‘jeffrey‘@‘localhost‘;
4、创建用户并授权
grant命令简单语法如下
grant all privileges on bdname.* to username@localhost identified by ‘passwd’;
表格说明:
grant | all privileges | on dbname.* | to username@localhost | identified by ‘passwd’ |
授权命令 | 对应权限 | 目标:库和表 | 用户和客户端主机 | 用户密码 |
授权用户solin对solin_utf8库所有权限:
mysql> grant all privileges on solin_utf8.* to ‘solin‘@‘localhost‘ identified by‘ubuntu‘;
Query OK, 0 rows affected (0.00 sec)
mysql> flush privileges;
Query OK, 0 rows affected (0.00 sec)
5、查看用户权限
mysql> show grants for solin@localhost;
+--------------------------------------------------------------------------------------------------------------+
| Grants for solin@localhost |
+--------------------------------------------------------------------------------------------------------------+
| GRANT USAGE ON *.* TO ‘solin‘@‘localhost‘ IDENTIFIED BY PASSWORD ‘*3CD53EE62F8F7439157DF288B55772A2CA36E60C‘ |
| GRANT ALL PRIVILEGES ON `solin_utf8`.* TO ‘solin‘@‘localhost‘ |
+--------------------------------------------------------------------------------------------------------------+
2 rows in set (0.00 sec)
6、create和grant配合法
①首先创建用户solin01及密码ubuntu,授权主机localhost
CREATE USER ‘solin01‘@‘localhost‘ IDENTIFIED BY ‘ubuntu‘;
②授权
mysql> create user solin01@localhost identified by ‘ubuntu‘;
Query OK, 0 rows affected (0.00 sec)
mysql> show databases;
+--------------------+
| Database |
+--------------------+
| information_schema |
| mysql |
| performance_schema |
| solin_utf8 |
+--------------------+
4 rows in set (0.00 sec)
mysql> grant all on solin_utf8.* to ‘solin01‘@‘localhost‘;
Query OK, 0 rows affected (0.00 sec)
7、授权局域网内主机远程连接
solin@localhost位置为授权访问数据库的主机,localhost可以用域名,IP地址或者IP段来替代。
①IP配置方式
[root@db-server ~]# mysql -uroot -pcentos #登陆MySQL(-u用户,-p,密码)
Welcome to the MySQL monitor. Commands end with ; or \g.
Your MySQL connection id is 3928
Server version: 5.1.73 Source distribution
Copyright (c) 2000, 2013, Oracle and/or its affiliates. All rights reserved.
Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.
Type ‘help;‘ or ‘\h‘ for help. Type ‘\c‘ to clear the current input statement.
mysql> create user test@‘192.168.119.%‘ identified by ‘test‘; #创建新的数据库授权192.168.119.%段主机登陆
Query OK, 0 rows affected (0.00 sec)
mysql> flush privileges; #刷新
Query OK, 0 rows affected (0.00 sec)
mysql> \q
Bye
root@db-Client:~# mysql -utest -ptest -h 192.168.119.224 #远程连接数据库
Welcome to the MySQL monitor. Commands end with ; or \g.
Your MySQL connection id is 3930
Server version: 5.1.73 Source distribution
Copyright (c) 2000, 2014, Oracle and/or its affiliates. All rights reserved.
Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.
Type ‘help;‘ or ‘\h‘ for help. Type ‘\c‘ to clear the current input statement.
mysql> \q #退出数据库
Bye
②子网掩码配置方式
grant all on test@’192.168.119.224/255.255.255.0’ indentified by ‘test’;
flush privileges;
MySQL客户端连接异地数据库服务
本地:mysql -uroot -pcentos=mysql -uroot -pcentos -h localhost
远程:mysql -utest -ptest -h 192.168.119.224
通过php服务器连接mysql服务器的代码
<?php
//$link_id=mysql_connect(‘主机名‘,‘用户‘,‘密码‘);
$link_id=mysql_connect(‘192.168.119.224‘,‘test‘‘centos‘) or mysql_error();
if($link_id){
echo "mysql successful by oldboy !";
}else{
echo mysql_error();
}
?>
8、MySQL用户的权限有哪些
权限表
权限 | 权限级别 | 权限说明 |
CREATE | 数据库、表或索引 | 创建数据库、表或索引权限 |
DROP | 数据库或表 | 删除数据库或表权限 |
GRANT OPTION | 数据库、表或保存的程序 | 赋予权限选项 |
REFERENCES | 数据库或表 | |
ALTER | 表 | 更改表,比如添加字段、索引等 |
DELETE | 表 | 删除数据权限 |
INDEX | 表 | 索引权限 |
INSERT | 表 | 插入权限 |
SELECT | 表 | 查询权限 |
UPDATE | 表 | 更新权限 |
CREATE VIEW | 视图 | 创建视图权限 |
SHOW VIEW | 视图 | 查看视图权限 |
ALTER ROUTINE | 存储过程 | 更改存储过程权限 |
CREATE ROUTINE | 存储过程 | 创建存储过程权限 |
EXECUTE | 存储过程 | 执行存储过程权限 |
FILE | 服务器主机上的文件访问 | 文件访问权限 |
CREATE TEMPORARY TABLES | 服务器管理 | 创建临时表权限 |
LOCK TABLES | 服务器管理 | 锁表权限 |
CREATE USER | 服务器管理 | 创建用户权限 |
PROCESS | 服务器管理 | 查看进程权限 |
RELOAD | 服务器管理 | 执行flush-hosts, flush-logs, flush-privileges, flush-status, flush-tables, flush-threads, refresh, reload等命令的权限 |
REPLICATION CLIENT | 服务器管理 | 复制权限 |
REPLICATION SLAVE | 服务器管理 | 复制权限 |
SHOW DATABASES | 服务器管理 | 查看数据库权限 |
SHUTDOWN | 服务器管理 | 关闭数据库权限 |
SUPER | 服务器管理 | 执行kill线程权限 |
MYSQL的权限如何分布,就是针对表可以设置什么权限,针对列可以设置什么权限等等,这个可以从官方文档中的一个表来说明:
权限分布 | 可能的设置的权限 |
表权限 | ‘Select‘, ‘Insert‘, ‘Update‘, ‘Delete‘, ‘Create‘, ‘Drop‘, ‘Grant‘, ‘References‘, ‘Index‘, ‘Alter‘ |
列权限 | ‘Select‘, ‘Insert‘, ‘Update‘, ‘References‘ |
过程权限 | ‘Execute‘, ‘Alter Routine‘, ‘Grant‘ |
企业生产环境环境如何授权用户权限
1、博客,CMS等产品授权的数据库授权
对于web连接用户权限尽量采用最小化原则,很多开源软件都是web界面安装,因此,在安装期间除了select,insert,update,delete4个权限外,还需要create、drop等比较危险的权限
2、常规情况下授权select,insert,update,delete4个权限即可,
生成数据库表后,要收回create、drop权限
mysql> grant select,insert,update,delete,create,drop on test.* to ‘solin‘@‘192.168.119.%‘ identified by‘centos‘;
Query OK, 0 rows affected (0.00 sec)
mysql> show grants for ‘solin‘@‘192.168.119.%‘;
+------------------------------------------------------------------------------------------------------------------+
| Grants for solin@192.168.119.% |
+------------------------------------------------------------------------------------------------------------------+
| GRANT USAGE ON *.* TO ‘solin‘@‘192.168.119.%‘ IDENTIFIED BY PASSWORD ‘*128977E278358FF80A246B5046F51043A2B1FCED‘ |
| GRANT SELECT, INSERT, UPDATE, DELETE, CREATE, DROP ON `test`.* TO ‘solin‘@‘192.168.119.%‘ |
+------------------------------------------------------------------------------------------------------------------+
2 rows in set (0.00 sec)
mysql> REVOKE create,drop ON test.* FROM ‘solin‘@‘192.168.119.%‘;
Query OK, 0 rows affected (0.00 sec)
mysql> show grants for ‘solin‘@‘192.168.119.%‘;
+------------------------------------------------------------------------------------------------------------------+
| Grants for solin@192.168.119.% |
+------------------------------------------------------------------------------------------------------------------+
| GRANT USAGE ON *.* TO ‘solin‘@‘192.168.119.%‘ IDENTIFIED BY PASSWORD ‘*128977E278358FF80A246B5046F51043A2B1FCED‘ |
| GRANT SELECT, INSERT, UPDATE, DELETE ON `test`.* TO ‘solin‘@‘192.168.119.%‘ |
+------------------------------------------------------------------------------------------------------------------+
2 rows in set (0.00 sec)
mysql> \q
Bye
(1)生产环境针对主库(写为主读为辅)用户的授权
普通环境:
本机:LNMP、LAMP环境数据库授权
GRANT all privileges ON ‘test.*’ TO ‘solin’@’localhost’ identified by ‘centos’;
应用服务器和数据库服务器不在一个主机上的授权
GRANT all privileges ON ‘test.*’ TO ‘solin’@’192.168.119.%’ identified by ’centos’;
严格的授权:重视安全,忽略了方便:
GRANT SELECT,INSERT,UPDATE,DELETE ON ‘test.*’ to ‘solin’@’192.168.119.%’ identified by ‘centos’;
(2)生产环境从库(只读)用户的授权:
CRANT SELECT ON ‘test.*’ TO ‘solin’@’192.168.119.%’ identified by ‘centos’;
(3)主从高级授权策略
第一种使用简单方法
写库 | |||
solin | Ysolin456 | 3306 | 192.168.119.224 |
读库 | |||
solin | Ysolin456 | 3306 | 192.168.119.225 |
第二种配置方法
写库 | |||
solin_w | Ysolin456 | 3306 | 192.168.119.224 |
读库 | |||
solin_r | Ysolin789 | 3306 | 192.168.119.225 |
主库授权的命令
GRANT SELECT,INSERT,UPDATE,DELETE ON ‘test.*’@’192.168.119.%’ identified by ‘centos’;
从库授权的命令
GRANT SELECT ON ‘test.*’ TO ‘solin’@’192.168.119.%’ identified by ‘centos’;
当从库除了做select的授权外,还可以加read-only等只读参数,严格web用户写从库
(4)问题:
就是主从库的mysql库和表示同步的,无法针对同一个用户授权不同的权限,因为主从库授权后会自动同步到从库上,导致从库的授权只读失败
解决办法:
a.取消mysql库的同步
b.授权主库权限后,从库执行回收增删改权限
c.不在授权上控制增删改,而是用read-only参数,控制普通用户更新,注意,read-only参数对超级用户无效。
本文出自 “运维小当家” 博客,转载请与作者联系!
创建MySQL用户及赋予用户权限