爱站程序员基地• 允许root从192.168.4.0/24网段 访问,对所有库/表有完全权限,密码为tarena
• 添加一个管理账号dba007,完全控制及授权
• 撤销root从本机访问的权限,然后恢复
• 允许webuser从任意客户机登录,只对webdb库有完全权限,密码为 888888
• 撤销webuser的完全权限,改为查询权限
用户授权及撤销
1)允许root从192.168.4.0/24访问,对所有库表有完全权限,密码为tarena。
授权之前,从192.168.4.0/24网段的客户机访问时,将会被拒绝:
[root@zhangyx ~]# mysql -u root -p -h 192.168.4.10Enter password: //输入正确的密码ERROR 1130 (HY000): Host \'124.70.165.39\' is not allowed to connect to this MySQL server
授权操作,此处可设置与从localhost访问时不同的密码:
mysql> GRANT all ON *.* TO root@\'192.168.4.%\' IDENTIFIED BY \'tarena\';Query OK, 0 rows affected (0.00 sec)
再次从192.168.4.0/24网段的客户机访问时,输入正确的密码后可登入:
[root@zhangyx ~]# mysql -u root -p -h 192.168.4.10Enter password:Welcome to the MySQL monitor. Commands end with ; or \\g.Your MySQL connection id is 20Server version: 5.7.17 MySQL Community Server (GPL)Copyright (c) 2000, 2016, Oracle and/or its affiliates. All rights reserved.Oracle is a registered trademark of Oracle Corporation and/or itsaffiliates. Other names may be trademarks of their respectiveowners.Type \'help;\' or \'\\h\' for help. Type \'\\c\' to clear the current input statement.mysql>
从网络登入后,测试新建一个库、查看所有库:
mysql> CREATE DATABASE rootdb; //创建新库rootdbQuery OK, 1 row affected (0.06 sec)mysql> SHOW DATABASES;+--------------------+| Database |+--------------------+| information_schema || home || mysql || performance_schema || rootdb | //新建的rootdb库| sys || userdb |+--------------------+7 rows in set (0.01 sec)
2)在Mysql服务器上建立一个管理账号dba007,对所有库完全控制,并赋予其授权的权限
新建账号并授权:
mysql> GRANT all ON *.* TO dba007@localhost-> IDENTIFIED BY \'1234567\'-> WITH GRANT OPTION;Query OK, 0 rows affected (0.00 sec)
查看dba007的权限:
mysql> SHOW GRANTS FOR dba007@localhost;+-----------------------------------------------------------------------+| Grants for dba007@localhost |+-----------------------------------------------------------------------+| GRANT ALL PRIVILEGES ON *.* TO \'dba007\'@\'localhost\' WITH GRANT OPTION |+-----------------------------------------------------------------------+1 row in set (0.00 sec)
3)撤销root从本机访问的权限,然后恢复
注意:如果没有事先建立其他管理账号,请不要轻易撤销root用户的本地访问权限,否则恢复起来会比较困难,甚至不得不重装数据库。
撤销root对数据库的操作权限:
mysql> REVOKE all ON *.* FROM root@localhost;Query OK, 0 rows affected (0.00 sec)mysql> SHOW GRANTS FOR root@localhost;+--------------------------------------------------------------+| Grants for root@localhost |+--------------------------------------------------------------+| GRANT USAGE ON *.* TO \'root\'@\'localhost\' WITH GRANT OPTION || GRANT PROXY ON \'\'@\'\' TO \'root\'@\'localhost\' WITH GRANT OPTION |+--------------------------------------------------------------+2 rows in set (0.00 sec)
验证撤销后的权限效果:
mysql> exit //退出当前MySQL连接Bye[root@dbsvr1 ~]# mysql -u root -p //重新以root从本地登入Enter password:Welcome to the MySQL monitor. Commands end with ; or \\g.Your MySQL connection id is 6Server version: 5.6.15 MySQL Community Server (GPL)Copyright (c) 2000, 2013, Oracle and/or its affiliates. All rights reserved.Oracle is a registered trademark of Oracle Corporation and/or itsaffiliates. Other names may be trademarks of their respectiveowners.Type \'help;\' or \'\\h\' for help. Type \'\\c\' to clear the current input statement.mysql> CREATE DATABASE newdb2014; //尝试新建库失败ERROR 1044 (42000): Access denied for user \'root\'@\'localhost\' to database \'newdb2014\'mysql> DROP DATABASE rootdb; //尝试删除库失败ERROR 1044 (42000): Access denied for user \'root\'@\'localhost\' to database \'rootdb\'
尝试以当前的root用户恢复权限,也会失败(无权更新授权表):
mysql> GRANT all ON *.* TO root@localhost IDENTIFIED BY \'1234567\';ERROR 1045 (28000): Access denied for user \'root\'@\'localhost\' (using password: YES)
怎么办呢?
退出当前MySQL连接,以上一步添加的管理账号dba007登入:
mysql> exit //退出当前MySQL连接Bye[root@dbsvr1 ~]# mysql -u dba007 -p //以另一个管理账号登入Enter password:Welcome to the MySQL monitor. Commands end with ; or \\g.Your MySQL connection id is 24Server version: 5.7.17 MySQL Community Server (GPL)Copyright (c) 2000, 2016, Oracle and/or its affiliates. All rights reserved.Oracle is a registered trademark of Oracle Corporation and/or itsaffiliates. Other names may be trademarks of their respectiveowners.Type \'help;\' or \'\\h\' for help. Type \'\\c\' to clear the current input statement.
由管理账号dba007重新为root添加本地访问权限:
mysql> GRANT all ON *.* TO root@localhost IDENTIFIED BY \'1234567\';Query OK, 0 rows affected (0.00 sec)mysql> SHOW GRANTS FOR root@localhost; //查看恢复结果+---------------------------------------------------------------------+| Grants for root@localhost |+---------------------------------------------------------------------+| GRANT ALL PRIVILEGES ON *.* TO \'root\'@\'localhost\' WITH GRANT OPTION || GRANT PROXY ON \'\'@\'\' TO \'root\'@\'localhost\' WITH GRANT OPTION |+---------------------------------------------------------------------+2 rows in set (0.00 sec)
退出,再重新以root登入,测试一下看看,权限又恢复了吧:
mysql> exit //退出当前MySQL连接Bye[root@dbsvr1 ~]# mysql -u root -p //重新以root登入Enter password:Welcome to the MySQL monitor. Commands end with ; or \\g.Your MySQL connection id is 25Server version: 5.7.17 MySQL Community Server (GPL)Copyright (c) 2000, 2016, Oracle and/or its affiliates. All rights reserved.Oracle is a registered trademark of Oracle Corporation and/or itsaffiliates. Other names may be trademarks of their respectiveowners.Type \'help;\' or \'\\h\' for help. Type \'\\c\' to clear the current input statement.mysql> CREATE DATABASE newdb2014; //成功创建新库Query OK, 1 row affected (0.00 sec)
4)允许webuser从任意客户机登录,只对webdb库有完全权限,密码为 888888
添加授权:
mysql> GRANT all ON webdb.* TO webuser@\'%\' IDENTIFIED BY \'888888\';Query OK, 0 rows affected (0.00 sec)
查看授权结果:
mysql> SHOW GRANTS FOR webuser@\'%\';+----------------------------------------------------+| Grants for webuser@% |+----------------------------------------------------+| GRANT USAGE ON *.* TO \'webuser\'@\'%\' || GRANT ALL PRIVILEGES ON `webdb`.* TO \'webuser\'@\'%\' |+----------------------------------------------------+2 rows in set (0.00 sec)
5)撤销webuser的完全权限,改为查询权限
撤销所有权限:
mysql> REVOKE all ON webdb.* FROM webuser@\'%\';Query OK, 0 rows affected (0.00 sec)
只赋予查询权限:
mysql> GRANT select ON webdb.* TO webuser@\'%\';Query OK, 0 rows affected (0.00 sec)
确认授权更改结果:
mysql> SHOW GRANTS FOR webuser@\'%\';+--------------------------------------------+| Grants for webuser@% |+--------------------------------------------+| GRANT USAGE ON *.* TO \'webuser\'@\'%\' || GRANT SELECT ON `webdb`.* TO \'webuser\'@\'%\' |+--------------------------------------------+2 rows in set (0.00 sec)
