1、权限列表
1.1、只允许做“权力”范围之内的事情,不可越界
1.2、相关权限如下所述:
mysql> show privileges;
+----------------------------+---------------------------------------+-------------------------------------------------------+
| Privilege | Context | Comment |
+----------------------------+---------------------------------------+-------------------------------------------------------+
| Alter | Tables | To alter the table |
| Alter routine | Functions,Procedures | To alter or drop stored functions/procedures |
| Create | Databases,Tables,Indexes | To create new databases and tables |
| Create routine | Databases | To use CREATE FUNCTION/PROCEDURE |
| Create role | Server Admin | To create new roles |
| Create temporary tables | Databases | To use CREATE TEMPORARY TABLE |
| Create view | Tables | To create new views |
| Create user | Server Admin | To create new users |
| Delete | Tables | To delete existing rows |
| Drop | Databases,Tables | To drop databases, tables, and views |
| Drop role | Server Admin | To drop roles |
| Event | Server Admin | To create, alter, drop and execute events |
| Execute | Functions,Procedures | To execute stored routines |
| File | File access on server | To read and write files on the server |
| Grant option | Databases,Tables,Functions,Procedures | To give to other users those privileges you possess |
| Index | Tables | To create or drop indexes |
| Insert | Tables | To insert data into tables |
| Lock tables | Databases | To use LOCK TABLES (together with SELECT privilege) |
| Process | Server Admin | To view the plain text of currently executing queries |
| Proxy | Server Admin | To make proxy user possible |
| References | Databases,Tables | To have references on tables |
| Reload | Server Admin | To reload or refresh tables, logs and privileges |
| Replication client | Server Admin | To ask where the slave or master servers are |
| Replication slave | Server Admin | To read binary log events from the master |
| Select | Tables | To retrieve rows from table |
| Show databases | Server Admin | To see all databases with SHOW DATABASES |
| Show view | Tables | To see views with SHOW CREATE VIEW |
| Shutdown | Server Admin | To shut down the server |
| Super | Server Admin | To use KILL thread, SET GLOBAL, CHANGE MASTER, etc. |
| Trigger | Tables | To use triggers |
| Create tablespace | Server Admin | To create/alter/drop tablespaces |
| Update | Tables | To update existing rows |
| Usage | Server Admin | No privileges - allow connect only |
| XA_RECOVER_ADMIN | Server Admin | |
| SHOW_ROUTINE | Server Admin | |
| SET_USER_ID | Server Admin | |
| RESOURCE_GROUP_USER | Server Admin | |
| APPLICATION_PASSWORD_ADMIN | Server Admin | |
| SYSTEM_VARIABLES_ADMIN | Server Admin | |
| AUDIT_ADMIN | Server Admin | |
| SERVICE_CONNECTION_ADMIN | Server Admin | |
| CLONE_ADMIN | Server Admin | |
| PERSIST_RO_VARIABLES_ADMIN | Server Admin | |
| FLUSH_USER_RESOURCES | Server Admin | |
| BINLOG_ADMIN | Server Admin | |
| ROLE_ADMIN | Server Admin | |
| SESSION_VARIABLES_ADMIN | Server Admin | |
| BINLOG_ENCRYPTION_ADMIN | Server Admin | |
| FLUSH_STATUS | Server Admin | |
| SYSTEM_USER | Server Admin | |
| ENCRYPTION_KEY_ADMIN | Server Admin | |
| REPLICATION_SLAVE_ADMIN | Server Admin | |
| GROUP_REPLICATION_ADMIN | Server Admin | |
| BACKUP_ADMIN | Server Admin | |
| RESOURCE_GROUP_ADMIN | Server Admin | |
| FLUSH_OPTIMIZER_COSTS | Server Admin | |
| TABLE_ENCRYPTION_ADMIN | Server Admin | |
| FLUSH_TABLES | Server Admin | |
| CONNECTION_ADMIN | Server Admin | |
| INNODB_REDO_LOG_ENABLE | Server Admin | |
| INNODB_REDO_LOG_ARCHIVE | Server Admin | |
| REPLICATION_APPLIER | Server Admin | |
+----------------------------+---------------------------------------+-------------------------------------------------------+
62 rows in set (0.01 sec)
create和drop权限:可以创建新的数据库和表,或删除已有的数据库和表。将此权限授予用户,用户可以对权限内的数据库和表进行创建和删除insert、update、delete权限:将允许在一个数据库现有表上进行实施操作select权限:只有真正从一个表中检索行时才会被用到index权限:允许创建和删除索引,适用于已有的相关表。若某个表具有create权限,则可以在create table语句中定义索引结构alter权限:可以使用alter table语句改变表结构或重新命名create routine权限:用来创建保存的程序,用来更改和删除保存的程序execute权限:用来执行保存的程序grant权限:允许授权给其他用户,用于数据库、表和保存的程序file权限:使用户可以使用load data infile和select ···into outfile语句读或写服务器上的文件,任何被授予file权限的用户都能读或写MySQL服务器上的任何文件(即数据目录下的文件)
1.3、权限分布
| 权限分布 | 可设置权限 |
|---|
| 表权限 | select,insert,update,delete,create,drop,grant,references,index,alter |
| 列权限 | select,insert,update,references |
| 过程权限 | execute,alter routine,grant |
2、权限授予的相关原则
- 授予
满足需要的最小权限,如只给select权限 - 创建用户
限制用户的登录主机,一般限制指定IP或内网IP段 - 为用户
设置满足密码复杂度的密码 定期清理无效用户,回收权限或删除用户
3、授予权限
3.1角色赋予用户给用户授权
3.2直接给用户授权
- 授权命令:
grant 权限1,权限2,···,权限n(all privileges) on 数据库名(* 表示所有).表名(* 表示所有) to '用户名'@'hostname/hostIP'
mysql> grant select on rqtanc.* to 'rqtanc1'@'192.168.%';
Query OK, 0 rows affected (0.19 sec)
- 该权限如果发现没有该用户,则需要创建用户。见用户管理
- ALL PRIVILEGES: 表示所有权限
- on :表示指定权限针对那些库和表
- to : 表示将权限赋予给某个用户
- 如果要赋予
包括grant 的权限,添加参数 with grant option 选项
4、查看权限
mysql> show grants;
+--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| Grants for root@% |
+--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| GRANT SELECT, INSERT, UPDATE, DELETE, CREATE, DROP, RELOAD, SHUTDOWN, PROCESS, FILE, REFERENCES, INDEX, ALTER, SHOW DATABASES, SUPER, CREATE TEMPORARY TABLES, LOCK TABLES, EXECUTE, REPLICATION SLAVE, REPLICATION CLIENT, CREATE VIEW, SHOW VIEW, CREATE ROUTINE, ALTER ROUTINE, CREATE USER, EVENT, TRIGGER, CREATE TABLESPACE, CREATE ROLE, DROP ROLE ON *.* TO `root`@`%` WITH GRANT OPTION |
+--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
1 row in set (10.35 sec)
mysql> show grants for current_user;
+--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| Grants for root@% |
+--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| GRANT SELECT, INSERT, UPDATE, DELETE, CREATE, DROP, RELOAD, SHUTDOWN, PROCESS, FILE, REFERENCES, INDEX, ALTER, SHOW DATABASES, SUPER, CREATE TEMPORARY TABLES, LOCK TABLES, EXECUTE, REPLICATION SLAVE, REPLICATION CLIENT, CREATE VIEW, SHOW VIEW, CREATE ROUTINE, ALTER ROUTINE, CREATE USER, EVENT, TRIGGER, CREATE TABLESPACE, CREATE ROLE, DROP ROLE ON *.* TO `root`@`%` WITH GRANT OPTION |
+--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
1 row in set (1.59 sec)
mysql> show grants for current_user();
+--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| Grants for root@% |
+--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| GRANT SELECT, INSERT, UPDATE, DELETE, CREATE, DROP, RELOAD, SHUTDOWN, PROCESS, FILE, REFERENCES, INDEX, ALTER, SHOW DATABASES, SUPER, CREATE TEMPORARY TABLES, LOCK TABLES, EXECUTE, REPLICATION SLAVE, REPLICATION CLIENT, CREATE VIEW, SHOW VIEW, CREATE ROUTINE, ALTER ROUTINE, CREATE USER, EVENT, TRIGGER, CREATE TABLESPACE, CREATE ROLE, DROP ROLE ON *.* TO `root`@`%` WITH GRANT OPTION |
+--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
1 row in set (0.00 sec)
mysql> show grants for 'rqtanc1'@'192.168.%';
+-----------------------------------------------------+
| Grants for rqtanc1@192.168.% |
+-----------------------------------------------------+
| GRANT USAGE ON *.* TO `rqtanc1`@`192.168.%` |
| GRANT SELECT ON `rqtanc`.* TO `rqtanc1`@`192.168.%` |
+-----------------------------------------------------+
2 rows in set (0.00 sec)
5、回收权限
- 回收用户不必要的权限可以在一定程度上保证系统的安全性
- 可以使用
revoke语句 取消用户的某些权限,将用户账户从user表删除之前,应该回收相应用户的所有权限 - 回收权限命令:
revoke 相关权限 on 数据库.表名 from ‘用户名'@'hostname/hostIP'; 例如:
mysql> revoke all privileges on *.* from 'rqtanc1'@'192.168.%';
Query OK, 0 rows affected (3.07 sec)
mysql> show grants for 'rqtanc1'@'192.168.%';
+---------------------------------------------+
| Grants for rqtanc1@192.168.% |
+---------------------------------------------+
| GRANT USAGE ON *.* TO `rqtanc1`@`192.168.%` |
+---------------------------------------------+
1 row in set (0.00 sec)
6、权限表
- MySQL通过
权限表 控制用户对数据库的访问,相关权限表放在 mysql数据库中 - MySQL在启动时,服务器将这些数据库中权限信息的内容读入内存中
- 包含 user,db,table_priv,column_priv,procs_priv等相关表
| 表名 | 描述 |
|---|
| user | 用户账号及权限信息 |
| global_grant | 动态全局授权 |
| db | 数据库层级权限 |
| tables_priv | 表层级权限 |
| column | 列层级权限 |
| prcos_priv | 存储过程和函数 |
| proxics_priv | 代理用户权限 |
| default_roles | 账号连接并认证后默认授予的角色 |
| role_edges | 角色子图边界 |
| password_history | 密码更改信息 |
7、访问控制
连接核实阶段: 匹配user表中的 host ,user,authentication_string 匹配客户端提供的信息请求核实阶段:建立连接后,检查user表,如果指定权限在user表中没有被授予,继续检查db表,该层级没有找到相关权限,则检查 tables_priv表和 column_priv 表,若均未找到允许的权限操作,则返回错误信息。
