mysql权限管理（实例） -

LJ你是唯一LT

浏览: 243343 次

最近访客更多访客>>

zyi74

woimovie

znufe2010

bjccdsrlcr

博主相关

博客

微博

相册

留言

关于我

文章分类

社区版块

存档分类

mysql权限管理（实例）

博客分类：

mysql

mysql

mysql权限管理实例

本文并没有很详细的介绍对具体的对象授权，只是简单的限制了大的权限。

1.目前现状：
研发一直使用root用户进行操作。不变修改代码，因此我们采用新建一个超级用户，回收root的部分权限来实现对研发用户的限制

mysql> select user,host from user;
+-----------+---------------+
| user      | host          |
+-----------+---------------+
| mydba     | %             | ---我新建的超级用户
| root      | %             | ---安装就自带
| server    | %             | ---无用用户
| repli     | 192.168.1.3   | ---我创建的主从复制的用户
| root      | 192.168.1.9   | ---无用用户
| mysql.sys | localhost     |
| root      | localhost     | ---安装就自带
+-----------+---------------+
7 rows in set (0.00 sec)

回收前，先用root进入，创建一个超级用户：
grant all privileges on *.* to mydba@'%' identified by 'tina' with grant option;
grant all privileges on mysql.* to mydba@'%' identified by 'tina' with grant option;

2.删除无用的用户：（上班时先回收所有权限，下班后再删除)
mysql> use mysql
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A

Database changed

mysql> show grants for server;
+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| Grants for server@%                                                                                                                                                                                                                                                                                                     |
+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| GRANT CREATE, DROP, RELOAD, SHUTDOWN, PROCESS, FILE, REFERENCES, INDEX, ALTER, SHOW DATABASES, SUPER, CREATE TEMPORARY TABLES, LOCK TABLES, EXECUTE, REPLICATION SLAVE, REPLICATION CLIENT, CREATE VIEW, SHOW VIEW, CREATE ROUTINE, ALTER ROUTINE, CREATE USER, EVENT, TRIGGER ON *.* TO 'server'@'%' WITH GRANT OPTION |
| GRANT ALL PRIVILEGES ON `mysql`.* TO 'server'@'%' WITH GRANT OPTION

mysql> revoke all privileges on *.* from 'server'@'%';
Query OK, 0 rows affected (0.07 sec)

mysql> show grants for server;
+---------------------------------------------------------------------+
| Grants for server@%                                                 |
+---------------------------------------------------------------------+
| GRANT USAGE ON *.* TO 'server'@'%' WITH GRANT OPTION                |
| GRANT ALL PRIVILEGES ON `mysql`.* TO 'server'@'%' WITH GRANT OPTION |
+---------------------------------------------------------------------+
2 rows in set (0.00 sec)

mysql> revoke all privileges on mysql.* from 'server'@'%';    ---操作会同步到从库，因此不需要到从库执行，因为主从同步的库包括mysql库
Query OK, 0 rows affected (0.10 sec)

mysql> show grants for server;
+------------------------------------------------------------+
| Grants for server@%                                        |
+------------------------------------------------------------+
| GRANT USAGE ON *.* TO 'server'@'%' WITH GRANT OPTION       |
| GRANT USAGE ON `mysql`.* TO 'server'@'%' WITH GRANT OPTION |
+------------------------------------------------------------+
2 rows in set (0.00 sec)

删除：delete from mysql.user where user='server' and host='%';
      delete from mysql.user where user='root' and host='192.168.1.9';

3.主从复制用户权限
mysql> show grants for repli@'192.168.1.3';
+--------------------------------------------------------------------------------+
| Grants for repli@192.168.1.3                                                   |
+--------------------------------------------------------------------------------+
| GRANT REPLICATION SLAVE, REPLICATION CLIENT ON *.* TO 'repli'@'192.168.1.3'    |             --repli因为是用于主从复制的，因此需要这两个权限。
+--------------------------------------------------------------------------------+
1 row in set (0.01 sec)

4.回收root用户的file,process,super,drop,create 权限，依然可以创建、删除临时表

原始权限：
--------------------------------------------------------------------------------------------------------------------------------------------------------+
| Grants for root@%                                                                                                                                                                                                                                                                                                                                                 |
+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| GRANT SELECT, INSERT, UPDATE, DELETE, CREATE, DROP, RELOAD, SHUTDOWN, PROCESS, FILE, REFERENCES, INDEX, ALTER, SHOW DATABASES, CREATE TEMPORARY TABLES, LOCK TABLES, EXECUTE, REPLICATION SLAVE, REPLICATION CLIENT, CREATE VIEW, SHOW VIEW, CREATE ROUTINE, ALTER ROUTINE, CREATE USER, EVENT, TRIGGER, CREATE TABLESPACE ON *.* TO 'root'@'%' WITH GRANT OPTION |
| GRANT ALL PRIVILEGES ON `mysql`.* TO 'root'@'%' WITH GRANT OPTION                                                                                                                                                                                                                                                                                                 |
+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
2 rows in set (0.00 sec)

| Grants for root@localhost                                                                                                                                                                                                                                                                                                                                                 |
+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| GRANT SELECT, INSERT, UPDATE, DELETE, CREATE, DROP, RELOAD, SHUTDOWN, PROCESS, FILE, REFERENCES, INDEX, ALTER, SHOW DATABASES, CREATE TEMPORARY TABLES, LOCK TABLES, EXECUTE, REPLICATION SLAVE, REPLICATION CLIENT, CREATE VIEW, SHOW VIEW, CREATE ROUTINE, ALTER ROUTINE, CREATE USER, EVENT, TRIGGER, CREATE TABLESPACE ON *.* TO 'root'@'localhost' WITH GRANT OPTION |
| GRANT PROXY ON ''@'' TO 'root'@'localhost' WITH GRANT OPTION

回收了root远程主机的部分权限：（process权限保留了，因为要用来监控主从同步状态）
revoke file,process,super,drop,create,create view,reload, shutdown,index, alter, replication slave, replication client, create view,create routine,
alter routine, create user,create tablespace on *.* from 'root'@'%';

回收本地root对mysql库的所有权限:
revoke all privileges on mysql.* from 'root'@'localhost';

测试一下：
mysql> select * from t1 into outfile '/tmp/a.txt' fields terminated by ',';
ERROR 1045 (28000): Access denied for user 'root'@'%' (using password: YES)    --load的权限被禁用了

mysql> create view v_2 as select id from t2 where id<5;
ERROR 1142 (42000): CREATE VIEW command denied to user 'root'@'192.168.1.4' for table 'v_2'; ---不能创建视图

mysql> create index i_2 on t2(id);
ERROR 1142 (42000): INDEX command denied to user 'root'@'192.168.1.4' for table 't2' --不能创建索引

mysql> show index from t1;          --可以查看索引
+-------+------------+----------+--------------+-------------+-----------+-------------+----------+--------+------+------------+---------+---------------+
| Table | Non_unique | Key_name | Seq_in_index | Column_name | Collation | Cardinality | Sub_part | Packed | Null | Index_type | Comment | Index_comment |
+-------+------------+----------+--------------+-------------+-----------+-------------+----------+--------+------+------------+---------+---------------+
| t1    |          1 | i_1      |            1 | id          | A         |           0 |     NULL | NULL   | YES | BTREE      |         |               |
+-------+------------+----------+--------------+-------------+-----------+-------------+----------+--------+------+------------+---------+---------------+
1 row in set (0.03 sec)

6.刷新权限
flush privileges;

7.回收后：
mysql> select user,host from user;
+-----------+---------------+
| user      | host          |
+-----------+---------------+
| mydba     | %             |
| root      | %             |
| repli     | 192.168.1.4 |
| mysql.sys | localhost     |
| root      | localhost     |
+-----------+---------------+
5 rows in set (0.00 sec)

mysql> show grants for root;
+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| Grants for root@%                                                                                                                                                                 |
+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| GRANT SELECT, INSERT, UPDATE, DELETE, REFERENCES,process ，SHOW DATABASES, CREATE TEMPORARY TABLES, LOCK TABLES, EXECUTE, SHOW VIEW, EVENT, TRIGGER ON *.* TO 'root'@'%' WITH GRANT OPTION |
| GRANT USAGE ON `mysql`.* TO 'root'@'%' WITH GRANT OPTION                                                                                                                          |
+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
2 rows in set (0.00 sec)

mysql> show grants for root@'localhost';
+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| Grants for root@localhost                                                                                                                                                                 |
+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| GRANT SELECT, INSERT, UPDATE, DELETE, REFERENCES,process， SHOW DATABASES, CREATE TEMPORARY TABLES, LOCK TABLES, EXECUTE, SHOW VIEW, EVENT, TRIGGER ON *.* TO 'root'@'localhost' WITH GRANT OPTION |
| GRANT PROXY ON ''@'' TO 'root'@'localhost' WITH GRANT OPTION                                                                                                                              |
+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
2 rows in set (0.00 sec)

mysql> show grants for mydba; --超级用户：
+--------------------------------------------------------------------+
| Grants for mydba@%                                                 |
+--------------------------------------------------------------------+
| GRANT ALL PRIVILEGES ON *.* TO 'mydba'@'%' WITH GRANT OPTION       |
| GRANT ALL PRIVILEGES ON `mysql`.* TO 'mydba'@'%' WITH GRANT OPTION |
+--------------------------------------------------------------------+
2 rows in set (0.00 sec)

补充说明：
1.usage权限：可以连接db，可以show databases和tables，但是没有其他权限，select都不行
2.mysql的权限是会叠加的，如果第一次授予了这个用户select权限，第二次授予了全部权限，当你回收所有权限后，会发现还有select权限，必须逐条回收

分享到：

使用eclipse远程连接hive | mysql简单的碎片清理脚本

2016-05-10 17:21
浏览 1513
评论(0)
分类:数据库
查看更多

发表评论

您还没有登录,请您登录后再发表评论

最近访客更多访客>>

博主相关

文章分类

社区版块

存档分类

最新评论

mysql权限管理（实例）

评论

发表评论

相关推荐

最近访客 更多访客>>

博主相关

文章分类

社区版块

存档分类

最新评论

mysql权限管理（实例）

评论

发表评论

相关推荐

mysql设置外键约束on delete cascade on update cascade

mysql简单的碎片清理脚本

mysql qpress压缩备份恢复

mysql xtrabackup在线搭建主从

mysql xtrabackup在线备份还原（全备+增备）

mysql主库清理数据，从库保留

oracle，postgresql，mysql一些使用上的区别记录

数据库调优分享-mysql

mysql 安装-tina

mysqldump 只导入数据或只导结构

mysql server has gone away

mysql optimize 清理碎片

mysql binlog

mysql远程连接设置

Last_SQL_Error: Error 'Duplicate entry '1' for key 'PRIMARY''

[ERROR] Slave I/O: error connecting to master

MySQL常用函数

MySQL触发器简介

MySQL主从切换

MySQL主从搭建

最近访客更多访客>>