MySQL 8.0权限认证(下)

一.设置MySQL用户资源限制

通过设置全局变量max_user_connections可以限制所有用户在同一时间连接MySQL实例的数量,但此参数无法对每个用户区别对待,

所以 MySQL提供了对每个用户的资源限制管理

MAX_QUERIES_PER_HOUR:一个用户在一个小时内可以执行查询的次数(基本包含所有语句) MAX_UPDATES_PER_HOUR:一个用户在一个小时内可以执行修改的次数(仅包含修改数据库或表的语句) MAX_CONNECTIONS_PER_HOUR:一个用户在一个小时内可以连接 MySQL的时间

MAX_USER_CONNECTIONS:一个用户可以在同一时间连接MySQL实例的数量

从5.0.3版本开始,对用户'user'@'%.example.com'的资源限制是指所有 通过example.com域名主机连接user用户的连接,而不是分别指从 host1.example.com和host2.example.com主机过来的连接

通过执行create user/alter user设置/修改用户的资源限制

mysql> CREATE USER 'francis'@'localhost' IDENTIFIED BY 'frank'

-> WITH MAX_QUERIES_PER_HOUR 20

-> MAX_UPDATES_PER_HOUR 10

-> MAX_CONNECTIONS_PER_HOUR 5

-> MAX_USER_CONNECTIONS 2;

mysql> ALTER USER 'francis'@'localhost' WITH MAX_QUERIES_PER_HOUR 100;

取消某项资源限制既是把原先的值修改成0

mysql> ALTER USER 'francis'@'localhost' WITH MAX_CONNECTIONS_PER_HOUR 0;

当针对某个用户的max_user_connections非0时,则忽略全局系统参数 max_user_connections,反之则全局系统参数生效

二.设置MySQL用户的密码

执行create user创建用户和密码

mysql> CREATE USER 'jeffrey'@'localhost' IDENTIFIED BY 'mypass';

修改用户密码的方式包括:

mysql> ALTER USER 'jeffrey'@'localhost' IDENTIFIED BY 'mypass';

mysql> SET PASSWORD FOR 'jeffrey'@'localhost' = PASSWORD('mypass');

mysql> GRANT USAGE ON *.* TO 'jeffrey'@'localhost' IDENTIFIED BY 'mypass';

shell> mysqladmin -u user_name -h host_name password "new_password"

修改本身用户密码的方式包括:

mysql> ALTER USER USER() IDENTIFIED BY 'mypass';

mysql> SET PASSWORD = PASSWORD('mypass');

三.设置MySQL用户密码过期策略

设置系统参数default_password_lifetime作用于所有的用户账户

default_password_lifetime=180设置180天过期

default_password_lifetime=0 设置密码不过期

如果为每个用户设置了密码过期策略,则会覆盖上述系统参数

ALTER USER 'jeffrey'@'localhost' PASSWORD EXPIRE INTERVAL 90DAY;

ALTER USER'jeffrey'@'localhost'PASSWORD EXPIRE NEVER; 密码不过期

ALTER USER'jeffrey'@'localhost' PASSWORD EXPIRE DEFAULT; 默认过期策略

手动强制某个用户密码过期

ALTER USER 'jeffrey'@'localhost'PASSWORD EXPIRE;

mysql> SELECT 1;

ERROR1820 (HY000): You must SET PASSWORD before executing thisstatement

mysql> ALTER USER USER() IDENTIFIED BY 'new_password';

Query OK,0 rows affected (0.01 sec)

四.角色(role)和用户(user)

role是8.0的新特性 NEW!

role可以看做一个权限的集合，这个集合有一个统一的名字role名。可以给多个账户统一的某个role的权限权限的修改直接通过修改role来实现，不需要每个账户一个一个的grant权限，方便运维和管理。role可以创建、删除、修改并作用到他管理的账户上。

mysql>create role app_readonly;

Query OK,0 rows affected (0.09sec)

#创建一个role叫app_readonly只读

mysql> create user app1@localhost identified by 'mysql';

Query OK,0 rows affected (0.01sec)

#创建一个用户app1

mysql> grant select on *.*to app_readonly;

Query OK,0 rows affected (0.02sec)

#给app_readonly这个角色一个select权限

mysql>grant app_readonly to app1@localhost;

Query OK,0 rows affected (0.10sec)

#把用户和角色绑定

mysql> show grants forapp1@localhost;+------------------------------------------------+

| Grants for app1@localhost |

+------------------------------------------------+

| GRANT USAGE ON *.* TO `app1`@`localhost` |

| GRANT `app_readonly`@`%` TO `app1`@`localhost` |

+------------------------------------------------+#查询用户的权限

mysql> show grants for app1@localhost usingapp_readonly;+------------------------------------------------+

| Grants for app1@localhost |

+------------------------------------------------+

| GRANT SELECT ON *.* TO `app1`@`localhost` |

| GRANT `app_readonly`@`%` TO `app1`@`localhost` |

+------------------------------------------------+

2 rows in set (0.00sec)

#查询用户的权限

mysql>create role app_readwrite;

Query OK,0 rows affected (0.04sec)

mysql> create user app2@localhost identified by 'mysql';

Query OK,0 rows affected (0.04sec)

mysql> grant select,insert,delete,update on *.*to app_readwrite;

Query OK,0 rows affected (0.10sec)

mysql>grant app_readwrite to app2@localhost;

Query OK,0 rows affected (0.07sec)

mysql> show grants forapp2@localhost;+-------------------------------------------------+

| Grants for app2@localhost |

+-------------------------------------------------+

| GRANT USAGE ON *.* TO `app2`@`localhost` |

| GRANT `app_readwrite`@`%` TO `app2`@`localhost` |

+-------------------------------------------------+

2 rows in set (0.00sec)

mysql> show grants for app2@localhost usingapp_readwrite;+-------------------------------------------------------------------+

| Grants for app2@localhost |

+-------------------------------------------------------------------+

| GRANT SELECT, INSERT, UPDATE, DELETE ON *.* TO `app2`@`localhost` |

| GRANT `app_readwrite`@`%` TO `app2`@`localhost` |

+-------------------------------------------------------------------+

2 rows in set (0.00sec)

mysql> revoke app_readonly fromapp1@localhost;

Query OK,0 rows affected (0.10sec)

#解除绑定关系

mysql> show grants for app1@localhost usingapp_readonly;

ERROR3530 (HY000): `app_readonly`@`%` isnot granted to `app1`@`localhost`

mysql> show grants forapp1@localhost;+------------------------------------------+

| Grants for app1@localhost |

+------------------------------------------+

| GRANT USAGE ON *.* TO `app1`@`localhost` |

+------------------------------------------+