MySQL Authorization
GRANT authorization
What user authorization is: adding a new connection user on the database server and setting its privileges and password.
Why authorization is needed: without authorized users, only the root user can log in to the database, and only from the local machine; no other user can log in.
Without authorization, other hosts cannot access the database either.
Command format:
mysql> grant <privilege list> on <database name> to <user name>@"<client address>" identified by "<password>";
Privilege list:
all   all privileges
usage   can only connect to the database, with no other privileges
select,update(column1,column2...)   the corresponding privilege only on the specified columns
Database name:
*.*   all tables in all databases
dbname.*   one database
dbname.tablename   one table
User name:
Chosen freely when granting; it should be distinctive, easy to remember, and show its purpose from the name. Accounts are stored in the user table of the mysql database.
Client address:
%   every host on the internet
192.168.4.%   every host in the subnet
192.168.4.1   a single host
localhost   the database server itself
Grant example 1:
Add the user admin, allowed to connect from the 192.168.4.0/24 subnet, with select privilege on the user table of the db3 database, password 123456
mysql> grant select on db3.user to admin@"192.168.4.%" identified by "123456";
Grant example 2:
Add the user admin2, allowed to connect only from the local machine, with select, update, insert and delete privileges on all tables of the db3 database, password 123456
mysql> grant select ,insert,update,delete on db3.* to admin2@"localhost" identified by "123456";
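The two examples above use the `grant ... identified by` form, which MySQL 5.7 accepts but MySQL 8.0 has removed: there the account is created first with CREATE USER and privileges are granted separately. The following block is an added example, not code from the original post; it re-creates examples 1 and 2 in that two-step form, then shows how to verify and later narrow what was granted. Database db3, the account names and the subnet are taken from the examples; the password is a placeholder to replace.

```sql
-- Added example (not from the original post): MySQL 8.0 form of grant examples 1 and 2.
-- Account creation and privilege grant are separate statements; the password is a
-- placeholder to replace.

-- Example 1: admin may connect from 192.168.4.0/24 and only SELECT from db3.user.
CREATE USER 'admin'@'192.168.4.%' IDENTIFIED BY 'CHANGE_ME_placeholder';
GRANT SELECT ON db3.user TO 'admin'@'192.168.4.%';

-- Example 2: admin2 may connect only locally and gets DML rights on every table in db3.
CREATE USER 'admin2'@'localhost' IDENTIFIED BY 'CHANGE_ME_placeholder';
GRANT SELECT, INSERT, UPDATE, DELETE ON db3.* TO 'admin2'@'localhost';

-- Check what each account really received: SHOW GRANTS prints the effective grants,
-- including the implicit USAGE ON *.* row that every account carries.
SHOW GRANTS FOR 'admin'@'192.168.4.%';
SHOW GRANTS FOR 'admin2'@'localhost';

-- Tightening later: remove a privilege that turned out to be unnecessary.
-- GRANT and REVOKE update the grant tables directly, so no FLUSH PRIVILEGES is needed.
REVOKE DELETE ON db3.* FROM 'admin2'@'localhost';

-- Dropping the account removes all of its rows from every grant table at once.
-- DROP USER 'admin2'@'localhost';
```

The point of the split is that a failed CREATE USER (for example a duplicate account) stops before any privilege is handed out, whereas the one-statement form on 5.7 creates the account and grants in one go.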
The grant tables
The information written by GRANT is stored in the grant tables: the mysql database records it, mainly in the following tables:
user   records the existing authorized users and their global privileges
db   records the existing authorized users' database-level privileges
tables_priv   records the existing authorized users' table-level privileges
columns_priv   records the existing authorized users' column-level privileges
1. View the currently authorized users in the columns_priv, tables_priv, db and user tables
mysql> select user,host,db,table_name,column_name from mysql.columns_priv;
Empty set (0.00 sec) # columns_priv is currently empty, so no column-level grants exist in this database yet
mysql> select user,host,db,table_name from mysql.tables_priv;
+-----------+-----------+-----+------------+ # tables_priv contains only the system default account mysql.sys
| user | host | db | table_name |
+-----------+-----------+-----+------------+
| mysql.sys | localhost | sys | sys_config |
+-----------+-----------+-----+------------+
mysql> select user,host,db from mysql.db;
+-----------+-----------+-----+ # db also contains only the system default account mysql.sys
| user | host | db |
+-----------+-----------+-----+
| mysql.sys | localhost | sys |
+-----------+-----------+-----+
mysql> select user,host from mysql.user;
+-----------+-----------+ # user contains the system default account mysql.sys and root
| user | host |
+-----------+-----------+
| mysql.sys | localhost |
| root | localhost |
+-----------+-----------+
2. Add the user col_user with column-level grants on the three columns 學號 (student id), 姓名 (name) and 性別 (gender) of school.student
mysql> grant select,update(學號,姓名,性別),insert on school.student to col_user@'%' identified by "123456";
mysql> select user,host,db,table_name,column_name from mysql.columns_priv;
# view the authorized user in columns_priv: each record is one granted column
+----------+------+--------+------------+-------------+
| user | host | db | table_name | column_name |
+----------+------+--------+------------+-------------+
| col_user | % | school | student | 姓名 |
| col_user | % | school | student | 學號 |
| col_user | % | school | student | 性別 |
+----------+------+--------+------------+-------------+
mysql> select user,host,db,table_name from mysql.tables_priv;
+-----------+-----------+--------+------------+ # tables_priv also shows that this user has access to school.student
| user | host | db | table_name | # the exact privileges must be checked with show grants
+-----------+-----------+--------+------------+
| col_user | % | school | student |
| mysql.sys | localhost | sys | sys_config |
+-----------+-----------+--------+------------+
mysql> show grants for col_user@'%'; # use show grants to see col_user's exact privileges on school.student
+-----------------------------------------------------------------------------------------------+
| Grants for col_user@% |
+-----------------------------------------------------------------------------------------------+
| GRANT USAGE ON *.* TO 'col_user'@'%' |
| GRANT SELECT, INSERT, UPDATE (性別, 學號, 姓名) ON `school`.`student` TO 'col_user'@'%' |
+-----------------------------------------------------------------------------------------------+
mysql> select user,host,db from mysql.db;
+-----------+-----------+-----+ # the user does not appear in db
| user | host | db |
+-----------+-----------+-----+
| mysql.sys | localhost | sys |
+-----------+-----------+-----+
mysql> select user,host from mysql.user;
+-----------+-----------+ # the user appears in user
| user | host |
+-----------+-----------+
| col_user | % |
| mysql.sys | localhost |
| root | localhost |
+-----------+-----------+
3. Add the users tab_user1 and tab_user2 with access to the tables school.teacher and school.student
mysql> grant all on school.teacher to tab_user1@'%' identified by "123456";
mysql> grant select on school.student to tab_user2@'%' identified by "123456";
mysql> select user,host,db,table_name,column_name from mysql.columns_priv;
# the users recorded in columns_priv do not change
+----------+------+--------+------------+-------------+
| user | host | db | table_name | column_name |
+----------+------+--------+------------+-------------+
| col_user | % | school | student | 姓名 |
| col_user | % | school | student | 學號 |
| col_user | % | school | student | 性別 |
+----------+------+--------+------------+-------------+
# tab_user1 and tab_user2 appear in tables_priv
mysql> select user,host,db,table_name from mysql.tables_priv;
+-----------+-----------+--------+------------+
| user | host | db | table_name |
+-----------+-----------+--------+------------+
| col_user | % | school | student |
| tab_user1 | % | school | teacher |
| tab_user2 | % | school | student |
| mysql.sys | localhost | sys | sys_config |
+-----------+-----------+--------+------------+
mysql> show grants for tab_user1@'%'; # show grants reveals the exact privileges of tab_user1 and tab_user2
+---------------------------------------------------------------+
| Grants for tab_user1@% |
+---------------------------------------------------------------+
| GRANT USAGE ON *.* TO 'tab_user1'@'%' |
| GRANT ALL PRIVILEGES ON `school`.`teacher` TO 'tab_user1'@'%' |
+---------------------------------------------------------------+
mysql> show grants for tab_user2@'%';
+-------------------------------------------------------+
| Grants for tab_user2@% |
+-------------------------------------------------------+
| GRANT USAGE ON *.* TO 'tab_user2'@'%' |
| GRANT SELECT ON `school`.`student` TO 'tab_user2'@'%' |
+-------------------------------------------------------+
mysql> select user,host,db from mysql.db; # no change in db
+-----------+-----------+-----+
| user | host | db |
+-----------+-----------+-----+
| mysql.sys | localhost | sys |
+-----------+-----------+-----+
mysql> select user,host from mysql.user; # tab_user1 and tab_user2 appear in user
+-----------+-----------+
| user | host |
+-----------+-----------+
| col_user | % |
| tab_user1 | % |
| tab_user2 | % |
| mysql.sys | localhost |
| root | localhost |
+-----------+-----------+
4. Add the users db_user1 and db_user2 with access to the databases school and school2
mysql> grant all on school.* to db_user1@'%' identified by "123456";
mysql> grant select on school2.* to db_user2@'%' identified by "123456";
mysql> select user,host,db,table_name,column_name from mysql.columns_priv;
# as long as no column of any table is granted, columns_priv does not change
+----------+------+--------+------------+-------------+
| user | host | db | table_name | column_name |
+----------+------+--------+------------+-------------+
| col_user | % | school | student | 姓名 |
| col_user | % | school | student | 學號 |
| col_user | % | school | student | 性別 |
+----------+------+--------+------------+-------------+
mysql> select user,host,db,table_name from mysql.tables_priv;
# only database-level users were added, no table-level users, so tables_priv does not change either
+-----------+-----------+--------+------------+
| user | host | db | table_name |
+-----------+-----------+--------+------------+
| col_user | % | school | student |
| tab_user1 | % | school | teacher |
| tab_user2 | % | school | student |
| mysql.sys | localhost | sys | sys_config |
+-----------+-----------+--------+------------+
mysql> select user,host,db from mysql.db; # db shows the newly added authorized users
+-----------+-----------+---------+
| user | host | db |
+-----------+-----------+---------+
| db_user1 | % | school |
| db_user2 | % | school2 |
| mysql.sys | localhost | sys |
+-----------+-----------+---------+
mysql> select user,host from mysql.user; # every authorized user that is added gets a record in user
+-----------+-----------+
| user | host |
+-----------+-----------+
| col_user | % |
| db_user1 | % |
| db_user2 | % |
| tab_user1 | % |
| tab_user2 | % |
| mysql.sys | localhost |
| root | localhost |
+-----------+-----------+
5. Add the authorized user user with access to all databases and tables
mysql> grant all on *.* to user@'%' identified by "123456";
mysql> select user,host,db,table_name,column_name from mysql.columns_priv;
+----------+------+--------+------------+-------------+
| user | host | db | table_name | column_name |
+----------+------+--------+------------+-------------+
| col_user | % | school | student | 姓名 |
| col_user | % | school | student | 學號 |
| col_user | % | school | student | 性別 |
+----------+------+--------+------------+-------------+
3 rows in set (0.00 sec)
mysql> select user,host,db,table_name from mysql.tables_priv;
+-----------+-----------+--------+------------+
| user | host | db | table_name |
+-----------+-----------+--------+------------+
| col_user | % | school | student |
| tab_user1 | % | school | teacher |
| tab_user2 | % | school | student |
| mysql.sys | localhost | sys | sys_config |
+-----------+-----------+--------+------------+
4 rows in set (0.01 sec)
mysql> select user,host,db from mysql.db;
+-----------+-----------+---------+
| user | host | db |
+-----------+-----------+---------+
| db_user1 | % | school |
| db_user2 | % | school2 |
| mysql.sys | localhost | sys |
+-----------+-----------+---------+
3 rows in set (0.00 sec)
mysql> select user,host from mysql.user; # use_user appears only in the user table
+-----------+-----------+
| user | host |
+-----------+-----------+
| col_user | % |
| db_user1 | % |
| db_user2 | % |
| tab_user1 | % |
| tab_user2 | % |
| use_user | % |
| mysql.sys | localhost |
| root | localhost |
+-----------+-----------+
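Steps 1 to 5 above show where each kind of grant lands: global grants only in user, database grants in db, table grants in tables_priv and column grants in columns_priv, so no single table answers "what can this account reach?". The following queries are an added example, not part of the original post; they read the same four grant tables and list every account with the scope of each of its grants, so that an account combining host '%' with *.* privileges (like the last one added above) stands out in one result set. The column names are those of the MySQL grant tables; running the queries requires SELECT privilege on the mysql schema, and the RENAME USER statement at the end is shown commented out.

```sql
-- Added example (not from the original post): audit of the four grant tables
-- walked through above. Needs SELECT on the mysql schema.

-- 1. One row per (account, scope). user holds global (*.*) privileges, db holds
--    database-level, tables_priv table-level and columns_priv column-level grants.
SELECT User, Host, '*.*' AS scope, 'global' AS level
  FROM mysql.user
 WHERE Select_priv = 'Y' OR Insert_priv = 'Y' OR Update_priv = 'Y'
    OR Delete_priv = 'Y' OR Grant_priv = 'Y' OR Super_priv = 'Y'
UNION ALL
SELECT User, Host, CONCAT(Db, '.*'), 'database' FROM mysql.db
UNION ALL
SELECT User, Host, CONCAT(Db, '.', Table_name), 'table' FROM mysql.tables_priv
UNION ALL
SELECT User, Host, CONCAT(Db, '.', Table_name, '(', Column_name, ')'), 'column'
  FROM mysql.columns_priv
ORDER BY User, Host, level;

-- 2. Accounts reachable from any host. Every '%' account listed here needs a
--    reason; the ones that also have a 'global' row in query 1 are reviewed first.
SELECT User, Host FROM mysql.user WHERE Host = '%';

-- 3. Narrowing a '%' account to the subnet that actually needs it keeps its
--    privileges: RENAME USER rewrites the account's rows in all grant tables.
-- RENAME USER 'tab_user1'@'%' TO 'tab_user1'@'192.168.4.%';
```

Query 1 deliberately reports only the scope of a grant, not the privilege bits; once a suspicious account is found, SHOW GRANTS FOR that account, as used in steps 2 and 3 above, gives the exact privilege list in one line.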