1未命名0

Mysql用户、密码、权限管理

柳三千

文章最后更新时间:2025年06月11日

### 前言

> MySQL 若想登录,用户名与 IP 地址必须同时满足条件才能成功。例如 `admin@192.168.12.12`,若本地 IP 是 `192.168.12.13` 使用 `admin` 账户登录,MySQL 会直接拒绝。

| 用户名@IP地址          | 访问权限说明                     |
|------------------------|----------------------------------|
| 用户名@192.168.1.%     | 用户只能在该 IP 段下访问(`%` 为通配符) |
| 用户名@%               | 用户可在任意 IP 下访问(不安全)       |

---

### 用户管理

#### 1. 查看 MySQL 用户
```sql
mysql> SELECT user, host, authentication_string FROM mysql.user;

2. 新增 MySQL 用户

方法 1(MySQL 8.0+ 不支持):

mysql> GRANT SELECT ON *.* TO 'test'@'192.168.140.131' IDENTIFIED BY "123456";
Query OK, 0 rows affected, 1 warning (0.00 sec)

方法 2(推荐):

mysql> CREATE USER 'test'@'192.168.140.%' IDENTIFIED BY "123456";
Query OK, 0 rows affected (0.00 sec)

3. 测试其他主机登录 MySQL

拒绝登录(防火墙/SELinux 限制):

低权限用户登录(仅授予 SELECT 权限):

权限验证(无法创建/删除数据):

mysql> CREATE DATABASE testdb;
ERROR 1142 (42000): CREATE command denied to user 'test'@'192.168.140.131'

4. 删除用户

方法 1

mysql> DROP USER 'test'@'192.168.140.131';
Query OK, 0 rows affected (0.00 sec)

方法 2

mysql> DELETE FROM mysql.user WHERE user='test' AND host='192.168.140.%';
Query OK, 1 row affected (0.00 sec)

5. 修改用户名

mysql> RENAME USER 'apache'@'192.168.140.131' TO 'httpd'@'192.168.140.131';
Query OK, 0 rows affected (0.00 sec)

mysql> SELECT user, host FROM user;
+---------------+-----------------+
| user          | host            |
+---------------+-----------------+
| httpd         | 192.168.140.131 |
| mysql.session | localhost       |
| mysql.sys     | localhost       |
| root          | localhost       |
+---------------+-----------------+
4 rows in set (0.00 sec)

用户密码管理

1. 安装密码插件

mysql> INSTALL PLUGIN validate_password SONAME 'validate_password.so';
Query OK, 0 rows affected (0.01 sec)

2. 查看密码策略

mysql> SHOW VARIABLES LIKE 'validate%';
+--------------------------------------+--------+
| Variable_name                        | Value  |
+--------------------------------------+--------+
| validate_password_dictionary_file    |        |
| validate_password_length             | 8      |
| validate_password_mixed_case_count   | 1      |
| validate_password_number_count       | 1      |
| validate_password_policy             | MEDIUM |
| validate_password_special_char_count | 1      |
+--------------------------------------+--------+
6 rows in set (0.00 sec)

策略说明

参数 说明
validate_password_policy 密码策略类型(LOW/MEDIUM/STRONG)
validate_password_dictionary_file 密码字典文件路径(STRONG 策略生效)
validate_password_length 密码最小长度(默认 8)
validate_password_mixed_case_count 至少包含大小写字母数量(默认 1)
validate_password_number_count 至少包含数字数量(默认 1)
validate_password_special_char_count 至少包含特殊字符数量(默认 1)

3. 密码策略调整

-- 调整密码长度
mysql> SET GLOBAL validate_password_length=4;
Query OK, 0 rows affected (0.00 sec)

-- 调整策略级别
mysql> SET GLOBAL validate_password_policy=0;
Query OK, 0 rows affected (0.00 sec)

-- 验证调整结果
mysql> SHOW VARIABLES LIKE 'validate%';
+--------------------------------------+-------+
| Variable_name                        | Value |
+--------------------------------------+-------+
| validate_password_dictionary_file    |       |
| validate_password_length             | 4     |
| validate_password_mixed_case_count   | 1     |
| validate_password_number_count       | 1     |
| validate_password_policy             | LOW   |
| validate_password_special_char_count | 1     |
+--------------------------------------+-------+
6 rows in set (0.00 sec)

用户授权管理

1. 查看用户权限

mysql> SHOW GRANTS FOR 'zabbix'@'localhost';
+------------------------------------------------------------+
| Grants for zabbix@localhost                                |
+------------------------------------------------------------+
| GRANT USAGE ON *.* TO `zabbix`@`localhost`                 |
| GRANT ALL PRIVILEGES ON `zabbix`.* TO `zabbix`@`localhost` |
+------------------------------------------------------------+
2 rows in set (0.00 sec)

2. 授予权限

-- 授予 SELECT 权限
mysql> GRANT SELECT ON php.* TO 'zabbix'@'localhost';
Query OK, 0 rows affected, 1 warning (0.01 sec)

-- 授予 SELECT + UPDATE 权限
mysql> GRANT SELECT, UPDATE ON php.* TO 'zabbix'@'localhost';
Query OK, 0 rows affected, 1 warning (0.01 sec)

3. 权限下放(WITH GRANT OPTION)

-- 授予权限下放能力
mysql> GRANT ALL ON zabbix.* TO 'zabbix'@'localhost' WITH GRANT OPTION;
Query OK, 0 rows affected, 1 warning (0.01 sec)

-- 测试权限下放(成功)
mysql> GRANT ALL ON zabbix.* TO 'httpd'@'192.168.140.131';
Query OK, 0 rows affected (0.00 sec)

-- 无下放权限的用户操作(失败)
mysql> GRANT ALL ON zabbix.* TO 'httpd'@'192.168.140.131';
ERROR 1044 (42000): Access denied for user 'test'@'localhost' to database 'zabbix'

4. 回收权限

回收指定权限

mysql> REVOKE UPDATE ON zabbix.* FROM 'zabbix'@'localhost';
Query OK, 0 rows affected, 1 warning (0.01 sec)

回收所有权限

mysql> REVOKE ALL ON zabbix.* FROM 'test'@'localhost';
Query OK, 0 rows affected, 1 warning (0.00 sec)

权限类型参考


```

文章版权声明:除非注明,否则均为柳三千运维录原创文章,转载或复制请以超链接形式并注明出处。

相关阅读

  • Mysql 常用日志介绍
  • Mysql重置root密码
  • Mysql用户、密码、权限管理
    • 取消
    微信二维码
    微信二维码
    支付宝二维码