文章最后更新时间:2022年09月27日已超过722天没有更新。
前言
mysql若是想登录,用户名与ip地址必须都满足条件才能登录使用,比如admin@192.168.12.12,如果你的本地ip地址是192.168.12.13使用admin账户登录,是无法登录的,mysql直接拒绝你登录。
| 用户名@IP地址 | 用户只能在该IP地址才能访问 |
| 用户名@192.168.1.% | 用户只能在该IP段下才能访问(通配符%表示任意) |
| 用户名@% | 用户可以在任意ip下访问登录(不安全) |
用户管理:
1、查看mysql用户
mysql> select user,host,authentication_string from mysql.user;
2、新增mysql用户
1、grant select on *.* to '用户名'@'IP地址' identified by "密码";
(mysql8.0以上不支持此条命令,只能create user先创建用户,然后用grant授权)
mysql> grant select on *.* to test@192.168.140.131 identified by "123456"; Query OK, 0 rows affected, 1 warning (0.00 sec)
2、create user '用户名'@'IP地址' [identified by '密码'];
mysql> create user test@'192.168.140.%' identified by "123456"; Query OK, 0 rows affected (0.00 sec)
3、测试其他主机登录mysql
拒绝登录,因为防火墙原因,请关闭selinux和firewalld
虽然登录上,但是权限低的可怜
换test登录,可以正常查询,只因 grant select on *.* to 这句话
但是不能创建也不能删除,因为我们只授权select权限
3、删除用户
drop user '用户名'@'IP地址';
mysql> drop user test@192.168.140.131; Query OK, 0 rows affected (0.00 sec)
delete from mysql.user where user='用户名' and host='IP地址';
mysql> delete from mysql.user where user='test' and host='192.168.140.%'; Query OK, 1 row affected (0.00 sec)
4、修改用户名
rename user '旧用户名'@'IP地址' to '新用户名'@'IP地址';
mysql> rename user apache@192.168.140.131 to httpd@192.168.140.131; Query OK, 0 rows affected (0.00 sec)
mysql> select user,host from user; +---------------+-----------------+ | user | host | +---------------+-----------------+ | httpd | 192.168.140.131 | | mysql.session | localhost | | mysql.sys | localhost | | root | localhost | +---------------+-----------------+ 4 rows in set (0.00 sec)
用户密码管理:
安装密码插件:
mysql> install plugin validate_password soname 'validate_password.so'; Query OK, 0 rows affected (0.01 sec)
查看密码策略参数:
mysql> show variables like 'validate%'; +--------------------------------------+--------+ | Variable_name | Value | +--------------------------------------+--------+ | validate_password_dictionary_file | | | validate_password_length | 8 | | validate_password_mixed_case_count | 1 | | validate_password_number_count | 1 | | validate_password_policy | MEDIUM | | validate_password_special_char_count | 1 | +--------------------------------------+--------+ 6 rows in set (0.00 sec)
1、validate_password_policy | MEDIUM #代表密码策略类型,默认是MEDIUM 0 或 LOW 仅需要符号密码长度(由validate_password_length) 1 或 MEDIUM 满足LOW策略,同时还需要满足至少有1个数字,小写字母,大写字母和特殊字符 2 或 STRONG 满足MEDIUM策略,同时密码不能存在字典文件中 2、validate_password_dictionary_file #用于配置密码的字典文件,当validate_password_policy设置为STRONG时可以配置密码字典文件,字典文件中存在的密码不得使用 3、 validate_password_length #用来设置密码的最小长度,默认值是8 4、validate_password_mixed_case_count #当validate_password_policy设置为STRONG或者MEDIUM时,密码至少同时拥有小写和大写字母的数量,默认值是1最小值是0;默认至少拥有一个小写和一个大写字母 5、validate_password_number_count #当validate_password_policy设置为STRONG或者MEDIUM时,密码中至少拥有的数字个数,默认值1 6、validate_password_special_char_count #当validate_password_policy设置为STRONG或者MEDIUM时,密码中至少拥有的特殊字符个数,默认值1
密码不符合复杂性
mysql> grant select on zabbix.* to admin@'127.0.0.1' identified by '123'; ERROR 1819 (HY000): Your password does not satisfy the current policy requirements
设置密码策略参数
mysql> set global validate_password_length=2; Query OK, 0 rows affected (0.00 sec) mysql> show variables like 'validate%'; +--------------------------------------+--------+ | Variable_name | Value | +--------------------------------------+--------+ | validate_password_dictionary_file | | | validate_password_length | 4 | | validate_password_mixed_case_count | 1 | | validate_password_number_count | 1 | | validate_password_policy | MEDIUM | | validate_password_special_char_count | 1 | +--------------------------------------+--------+ 6 rows in set (0.00 sec) mysql> set global validate_password_policy=0; Query OK, 0 rows affected (0.00 sec) mysql> show variables like 'validate%'; +--------------------------------------+-------+ | Variable_name | Value | +--------------------------------------+-------+ | validate_password_dictionary_file | | | validate_password_length | 4 | | validate_password_mixed_case_count | 1 | | validate_password_number_count | 1 | | validate_password_policy | LOW | | validate_password_special_char_count | 1 | +--------------------------------------+-------+ 6 rows in set (0.00 sec)
用户授权管理:
查看用户权限: #show grants for '用户名'@'主机地址';
mysql> show grants for zabbix@'localhost'; +------------------------------------------------------------+ | Grants for zabbix@localhost | +------------------------------------------------------------+ | GRANT USAGE ON *.* TO `zabbix`@`localhost` | | GRANT ALL PRIVILEGES ON `zabbix`.* TO `zabbix`@`localhost` | +------------------------------------------------------------+ 2 rows in set (0.00 sec)
用户授权; #grant [权限1,权限2] on 数据库.数据表 to '用户'@'地址';
mysql> grant select on php.* to zabbix@localhost; Query OK, 0 rows affected, 1 warning (0.01 sec) mysql> grant select,update on php.* to zabbix@localhost; Query OK, 0 rows affected, 1 warning (0.01 sec)
with grant option权限下放:
mysql> grant all on zabbix.* to zabbix@localhost with grant option; Query OK, 0 rows affected, 1 warning (0.01 sec) mysql> grant all on test.* to zabbix@localhost; Query OK, 0 rows affected, 1 warning (0.01 sec)
效果测试
使用zabbix、test账户登录,进行权限下放
mysql> show grants for zabbix@localhost; +------------------------------------------------------------------------------+ | Grants for zabbix@localhost | +------------------------------------------------------------------------------+ | GRANT USAGE ON *.* TO `zabbix`@`localhost` | | GRANT SELECT ON `php`.* TO `zabbix`@`localhost` | | GRANT ALL PRIVILEGES ON `test`.* TO `zabbix`@`localhost` | | GRANT ALL PRIVILEGES ON `zabbix`.* TO `zabbix`@`localhost` WITH GRANT OPTION | +------------------------------------------------------------------------------+ 4 rows in set (0.00 sec) mysql> grant all on zabbix.* to httpd@192.168.140.131; Query OK, 0 rows affected (0.00 sec)
test权限下放失败
mysql> show grants for test@localhost; +------------------------------------------+ | Grants for test@localhost | +------------------------------------------+ | GRANT USAGE ON *.* TO `test`@`localhost` | +------------------------------------------+ 1 row in set (0.00 sec) mysql> grant all on zabbix.* to httpd@192.168.140.131; ERROR 1044 (42000): Access denied for user 'test'@'localhost' to database 'zabbix'
#权限回收:
回收指定的权限:
revoke 权限 on 数据库.数据表 from 账户@主机地址;
mysql> show grants for zabbix@localhost; +------------------------------------------------------------------------------+ | Grants for zabbix@localhost | +------------------------------------------------------------------------------+ | GRANT USAGE ON *.* TO `zabbix`@`localhost` | | GRANT SELECT, UPDATE ON `php`.* TO `zabbix`@`localhost` | | GRANT ALL PRIVILEGES ON `zabbix`.* TO `zabbix`@`localhost` WITH GRANT OPTION | +------------------------------------------------------------------------------+ 3 rows in set (0.00 sec)
mysql> revoke update on zabbix.* from zabbix@localhost; Query OK, 0 rows affected, 1 warning (0.01 sec)
mysql> show grants for zabbix@localhost; +------------------------------------------------------------------------------+ | Grants for zabbix@localhost | +------------------------------------------------------------------------------+ | GRANT USAGE ON *.* TO `zabbix`@`localhost` | | GRANT SELECT ON `php`.* TO `zabbix`@`localhost` | | GRANT ALL PRIVILEGES ON `zabbix`.* TO `zabbix`@`localhost` WITH GRANT OPTION | +------------------------------------------------------------------------------+ 3 rows in set (0.00 sec)
#回收所有权限
mysql> show grants for test@localhost; +----------------------------------------------------------+ | Grants for test@localhost | +----------------------------------------------------------+ | GRANT USAGE ON *.* TO `test`@`localhost` | | GRANT ALL PRIVILEGES ON `zabbix`.* TO `test`@`localhost` | +----------------------------------------------------------+ 2 rows in set (0.00 sec)
mysql> revoke all on zabbix.* from test@localhost; Query OK, 0 rows affected, 1 warning (0.00 sec)
mysql> show grants for test@localhost; +------------------------------------------+ | Grants for test@localhost | +------------------------------------------+ | GRANT USAGE ON *.* TO `test`@`localhost` | +------------------------------------------+ 1 row in set (0.00 sec)
权限类型参考图
文章版权声明:除非注明,否则均为柳三千运维录原创文章,转载或复制请以超链接形式并注明出处。
