mysql权限系统 分为3个不同层级:
a、全局性权限 针对整个mysql实例
b、数据库级别权限 针对某个具体的mysql数据库
c、对象级别权限 针对某个具体的数据库对象 如表 列 存储过程和存储函数等
1、mysql权限系统表及其作用
权限相关信息存储在mysql系统表中
mysql.user 保存用户的账号信息和全局权限信息
mysql.db 保存数据库级别的权限信息
mysql.tables_priv 保存表级别的权限信息
mysql.columns_priv 保存列级别的权限信息
mysql.procs_priv 保存存储过程和存储函数相关的权限信息
mysql.proxis_priv 保存代理用户的权限信息
mysql权限验证的流程:
首先 根据mysql.user 表信息 验证链接的ip 用户名 密码是否存在
存在按照user db tables_priv columns_priv 顺序进行权限验证
其次,验证权限时,检查全局权限表mysql.user 如果对应权限为Y 将不再验证后续系统表
最后,如果mysql.user 对应权限为N 则继续验证mysql.db表对应的数据库权限 如果为Y
不再验证后续系统表,否则继续验证tables_priv表等
2、权限验证过程
查询mysql.user 表中root用户的权限
mysql> use mysql;
Database changed
mysql> select * from user where user='root' and host='localhost'\G
检查mysql.db系统表存储的信息
select * from db where user='root' and host='localhost';
检查mysql.tables_priv 系统表存储的信息
select * from tables_priv where user = 'root' and host ='localhost';
查看root用户的权限
show grants for root@localhost \G;
3、权限授予与撤销
提示:mysql创建用户后,需要进行授权才可以操作,也可以直接通过dml语句(insert update delete)
直接修改权限系统表完成对用户的授权和撤销
mysql授权用户的组成:
用户名和登录主机名
'user_name'@'host_name'
注意:单引号不是必须的 如果包含特殊字符则必需
host_name 可以使用localhost 代表本机 或者 127.0.0.1 表示IPv4地址
或者使用::1 表示IPv6 地址
host_name 允许使用通配符 % _ %代表所有主机 %.oracle.com 表示 来自oracle.com这个域名下的所有主机
192.168.79.% 表示来自192.168.79网段的主机
4、使用grant和 revoke语句
创建一个新用户
mysql> create user user003 identified by '123456789';
Query OK, 0 rows affected (0.01 sec)
查看用户的授权
mysql> show grants for user003;
+-------------------------------------+
| Grants for user003@% |
+-------------------------------------+
| GRANT USAGE ON *.* TO `user003`@`%` |
+-------------------------------------+
1 row in set (0.00 sec)
此时登录mysql用户user003查看权限:
C:\Users\Administrator>mysql -u user003 -p -h localhost --skip-ssl
WARNING: --ssl is deprecated and will be removed in a future version. Use --ssl-mode instead.
Enter password: *********
Welcome to the MySQL monitor. Commands end with ; or \g.
Your MySQL connection id is 32
Server version: 8.0.34 MySQL Community Server - GPL
Copyright (c) 2000, 2019, Oracle and/or its affiliates. All rights reserved.
Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.
Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
mysql> show databases;
+--------------------+
| Database |
+--------------------+
| information_schema |
| performance_schema |
+--------------------+
2 rows in set (0.01 sec)
登录root用户,使用grant语句给user003授权,让其可以查询dbtest.user表
mysql> grant select on dbtest.user to user003;
Query OK, 0 rows affected (0.01 sec)
重新查看user003用户的权限
mysql> show grants for user003;
+--------------------------------------------------+
| Grants for user003@% |
+--------------------------------------------------+
| GRANT USAGE ON *.* TO `user003`@`%` |
| GRANT SELECT ON `dbtest`.`user` TO `user003`@`%` |
+--------------------------------------------------+
2 rows in set (0.00 sec)
这里可以看到 user003用户可以查看dbtest.user 表
C:\Users\Administrator>mysql -u user003 -p -h localhost --skip-ssl
WARNING: --ssl is deprecated and will be removed in a future version. Use --ssl-mode instead.
Enter password: *********
Welcome to the MySQL monitor. Commands end with ; or \g.
Your MySQL connection id is 35
Server version: 8.0.34 MySQL Community Server - GPL
Copyright (c) 2000, 2019, Oracle and/or its affiliates. All rights reserved.
Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.
Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
mysql> use dbtest;
Database changed
mysql> select * from user;
+------+--------+
| id | name |
+------+--------+
| 1 | 张三 |
+------+--------+
1 row in set (0.00 sec)
查看全局权限:
mysql> use mysql;
Database changed
mysql> select user,host,select_priv from user where user='user003';
+---------+------+-------------+
| user | host | select_priv |
+---------+------+-------------+
| user003 | % | N |
+---------+------+-------------+
1 row in set (0.00 sec)
mysql> select user,db,select_priv from db where user='user003';
Empty set (0.00 sec)
mysql> select user,db,table_name,table_priv from tables_priv where user='user003';
+---------+--------+------------+------------+
| user | db | table_name | table_priv |
+---------+--------+------------+------------+
| user003 | dbtest | user | Select |
+---------+--------+------------+------------+
1 row in set (0.00 sec)
使用revoke语句撤销user003权限
mysql> revoke select on dbtest.user from user003;
Query OK, 0 rows affected (0.00 sec)
再次执行语句查询 mysql.tables_priv表 将没有授权记录
mysql> select user,db,table_name,table_priv from tables_priv where user='user003';
Empty set (0.00 sec)
5、Mysql权限生效机制
2种方式:
通过grant语句或者revoke语句对用户进行授权和撤销权限操作 权限会立即生效
通过DML(insert update delete) 直接修改权限表完成授权和撤销授权 需要手动执行flush privileges 让mysql重新装载权限洗表或者重启mysql数据库后,权限才会生效
mysql生成新的权限时,对客户端的影响:
全局性的权限更改和新密码的设置会在下一次客户端连接的时候生效
数据库级别的权限更改会在下一次使用“use DatabaseName”语句时生效。
对象级别的权限更改,如表和列的权限,会在客户端下一次请求该对象时生效