數據庫的權限管理一直是很麻煩的一件事情,因爲權限是很分散的,不容易查看,也不容易修改的完善。但是MySQL的權限管理讓人眼前一亮的感覺。因爲什麼都是那麼一目瞭然。
1# 查看權限
比如,我們想要看看MySQL的root用戶,擁有什麼權限:
(root@localhost)[(none)]> select user();
+----------------+
| user() |
+----------------+
| root@localhost |
+----------------+
1 row in set (0.00 sec)
(root@localhost)[(none)]> show grants;
+----------------------------------------------------------------------------------------------------------------------------------------+
| Grants for root@localhost |
+----------------------------------------------------------------------------------------------------------------------------------------+
| GRANT ALL PRIVILEGES ON *.* TO 'root'@'localhost' IDENTIFIED BY PASSWORD '*A0F874BC7F54EE086FCE60A37CE7887D8B31086B' WITH GRANT OPTION |
| GRANT PROXY ON ''@'' TO 'root'@'localhost' WITH GRANT OPTION |
+----------------------------------------------------------------------------------------------------------------------------------------+
2 rows in set (0.00 sec)
一條show grants解決了問題,並且連grant語句都給我們了。這樣就是說,我們稍微修修改改就可用重造出另一個和root一樣的超級用戶了。
其中第一條:
GRANT ALL PRIVILEGES ON *.* TO 'root'@'localhost' IDENTIFIED BY PASSWORD '*A0F874BC7F54EE086FCE60A37CE7887D8B31086B' WITH GRANT OPTION 不光光grant 了 . 上的ALL PRIVILEGES 給'root'@'localhost' ,甚至還有驗證密碼和 WITH 信息。實際上這條語句是可用拿來創建這個用戶的。這也是一個另類的創建用戶的方法。
查看他人的權限:
(root@localhost)[(none)]> show grants for test1
-> ;
+------------------------------------------------------------------------------------------------------+
| Grants for test1@% |
+------------------------------------------------------------------------------------------------------+
| GRANT USAGE ON *.* TO 'test1'@'%' IDENTIFIED BY PASSWORD '*CFA887C680E792C2DCF622D56FB809E3F8BE63CC' |
+------------------------------------------------------------------------------------------------------+
1 row in set (0.00 sec)
這裏看到用戶'test1'@'%'只有一條權限,這條權限也是默認的創建用戶語句。
2# 授予權限:
用戶必然是需要使用數據庫的。所以如果用戶只有usage這個沒用的權限的話,這個用戶就不需要存在了。
語法:
(root@localhost)[(none)]> help grant
Name: 'GRANT'
Description:
Syntax:
GRANT
priv_type [(column_list)]
[, priv_type [(column_list)]] ...
ON [object_type] priv_level
TO user_specification [, user_specification] ...
[REQUIRE {NONE | tsl_option [[AND] tsl_option] ...}]
[WITH {GRANT OPTION | resource_option} ...]
GRANT PROXY ON user_specification #這個代理也是語句也是單獨存在
TO user_specification [, user_specification] ...
[WITH GRANT OPTION]
object_type: { #對象類型
TABLE
| FUNCTION
| PROCEDURE
}
priv_level: { #權限的等級分類
*
| *.*
| db_name.*
| db_name.tbl_name
| tbl_name
| db_name.routine_name
}
user_specification: #用戶
user [ auth_option ]
auth_option: { #驗證信息
IDENTIFIED BY 'auth_string'
| IDENTIFIED BY PASSWORD 'hash_string'
| IDENTIFIED WITH auth_plugin
| IDENTIFIED WITH auth_plugin AS 'hash_string'
}
tsl_option: { #SSL類型
SSL
| X509
| CIPHER 'cipher'
| ISSUER 'issuer'
| SUBJECT 'subject'
}
resource_option: { #資源使用定義
| MAX_QUERIES_PER_HOUR count
| MAX_UPDATES_PER_HOUR count
| MAX_CONNECTIONS_PER_HOUR count
| MAX_USER_CONNECTIONS count
}
用戶權限列表,見官方文檔:https://dev.mysql.com/doc/refman/5.6/en/grant.html
用戶test1當前是沒有任何權限的。假設我們需要讓他訪問mysql.user表
(test1@localhost)[(none)]> use mysql;
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A
Database changed
(test1@localhost)[mysql]> select count(*) from user;
+----------+
| count(*) |
+----------+
| 4 |
+----------+
1 row in set (0.00 sec)
(test1@localhost)[mysql]>
建立一個新數據庫,建立一個新表,對這個表進行訪問以及控制:
(root@localhost)[mysql]> create database sample;
Query OK, 1 row affected (0.00 sec)
(root@localhost)[mysql]> use sample;
Database changed
(root@localhost)[sample]> show tables;
Empty set (0.00 sec)
(root@localhost)[sample]> create table smp (id int,name char(20));
Query OK, 0 rows affected (0.07 sec)
(root@localhost)[sample]> grant all privileges on sample.smp to test1;
Query OK, 0 rows affected (0.00 sec)
(root@localhost)[sample]> select User,Table_name,Table_priv from mysql.tables_priv;
+-------+------------+----------------------------------------------------------------------------------------------+
| User | Table_name | Table_priv |
+-------+------------+----------------------------------------------------------------------------------------------+
| test1 | user | Select |
| test1 | smp | Select,Insert,Update,Delete,Create,Drop,References,Index,Alter,Create View,Show view,Trigger |
+-------+------------+----------------------------------------------------------------------------------------------+
2 rows in set (0.00 sec)
(root@localhost)[sample]>
更多的怎刪改和刪除表
(test1@localhost)[sample]> insert into smp values (1,'abc');
Query OK, 1 row affected (0.00 sec)
(test1@localhost)[sample]> select * from smp;
+------+------+
| id | name |
+------+------+
| 1 | abc |
+------+------+
1 row in set (0.00 sec)
(test1@localhost)[sample]> delete from smp;
Query OK, 1 row affected (0.00 sec)
(test1@localhost)[sample]> select * from smp;
Empty set (0.00 sec)
(test1@localhost)[sample]> drep table smp;
ERROR 1064 (42000): You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'drep table smp' at line 1
(test1@localhost)[sample]> drop table smp;
Query OK, 0 rows affected (0.00 sec)
drop table 是DDL, 這個時候table已經刪除了,再看看權限:
(root@localhost)[sample]> select User,Table_name,Table_priv from mysql.tables_priv;
+-------+------------+----------------------------------------------------------------------------------------------+
| User | Table_name | Table_priv |
+-------+------------+----------------------------------------------------------------------------------------------+
| test1 | user | Select |
| test1 | smp | Select,Insert,Update,Delete,Create,Drop,References,Index,Alter,Create View,Show view,Trigger |
+-------+------------+----------------------------------------------------------------------------------------------+
2 rows in set (0.00 sec)
權限依然存在。說明刪除表是不會刪除用戶所擁有的對象權限的。
試試看建回來:
(test1@localhost)[sample]> create table smp (id int,name char(20));
Query OK, 0 rows affected (0.00 sec)
(test1@localhost)[sample]> create table smp1 (id int,name char(20));
ERROR 1142 (42000): CREATE command denied to user 'test1'@'localhost' for table 'smp1'
(test1@localhost)[sample]>
成功建回來。那麼是否可用在這個數據庫中建立另外一張表呢?不行。
對 sample. 層面授予權限。
(root@localhost)[sample]> grant create on sample.* to test1;
Query OK, 0 rows affected (0.00 sec)
(root@localhost)[sample]> select User,Table_name,Table_priv from mysql.tables_priv;
+-------+------------+----------------------------------------------------------------------------------------------+
| User | Table_name | Table_priv |
+-------+------------+----------------------------------------------------------------------------------------------+
| test1 | user | Select |
| test1 | smp | Select,Insert,Update,Delete,Create,Drop,References,Index,Alter,Create View,Show view,Trigger |
+-------+------------+----------------------------------------------------------------------------------------------+
2 rows in set (0.00 sec)
(root@localhost)[sample]> show grants for test1;
+------------------------------------------------------------------------------------------------------+
| Grants for test1@% |
+------------------------------------------------------------------------------------------------------+
| GRANT USAGE ON *.* TO 'test1'@'%' IDENTIFIED BY PASSWORD '*CFA887C680E792C2DCF622D56FB809E3F8BE63CC' |
| GRANT CREATE ON `sample`.* TO 'test1'@'%' |
| GRANT ALL PRIVILEGES ON `sample`.`smp` TO 'test1'@'%' |
| GRANT SELECT ON `mysql`.`user` TO 'test1'@'%' |
+------------------------------------------------------------------------------------------------------+
4 rows in set (0.00 sec)
(root@localhost)[sample]> flush privileges;
Query OK, 0 rows affected (0.00 sec)
這個時候,test1用戶有了CREATE ON sample. 。嘗試在數據庫中創建表對象。
(test1@localhost)[sample]> create table smp1 (id int,name char(20));
ERROR 1142 (42000): CREATE command denied to user 'test1'@'localhost' for table 'smp1'
失敗!很奇怪,已經有了權限,還是失敗。嘗試重新登陸
(test1@localhost)[sample]> exit
Bye
[mysql@mysql01 ~]$ mysql -utest1 -S /data/mysqldata/3306/mysql.sock -p
Enter password:
Welcome to the MySQL monitor. Commands end with ; or \g.
Your MySQL connection id is 25
Server version: 5.6.31-log Source distribution
Copyright (c) 2000, 2016, Oracle and/or its affiliates. All rights reserved.
Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.
Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
(test1@localhost)[(none)]>
(test1@localhost)[(none)]>
(test1@localhost)[(none)]> create table smp1 (id int,name char(20));
ERROR 1046 (3D000): No database selected
(test1@localhost)[(none)]> use sample;
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A
Database changed
(test1@localhost)[sample]> create table smp1 (id int,name char(20));
Query OK, 0 rows affected (0.01 sec)
重新登陸後建立表對象成功。說明普通用戶的權限需要在登陸的時候刷新。