8.2 Access Control and Account Management
- 8.2.1 Account User Names and Passwords
- 8.2.2 Privileges Provided by MySQL
- 8.2.3 Grant Tables
- 8.2.4 Specifying Account Names
- 8.2.5 Specifying Role Names
- 8.2.6 Access Control, Stage 1: Connection Verification
- 8.2.7 Access Control, Stage 2: Request Verification
- 8.2.8 Adding Accounts, Assigning Privileges, and Dropping Accounts
- 8.2.9 Reserved Accounts
- 8.2.10 Using Roles
- 8.2.11 Account Categories
- 8.2.12 Privilege Restriction Using Partial Revokes
- 8.2.13 When Privilege Changes Take Effect
- 8.2.14 Assigning Account Passwords
- 8.2.15 Password Management
- 8.2.16 Server Handling of Expired Passwords
- 8.2.17 Pluggable Authentication
- 8.2.18 Multifactor Authentication
- 8.2.19 Proxy Users
- 8.2.20 Account Locking
- 8.2.21 Setting Account Resource Limits
- 8.2.22 Troubleshooting Problems Connecting to MySQL
- 8.2.23 SQL-Based Account Activity Auditing
MySQL enables the creation of accounts that permit client users to connect to the server and access data managed by the server. The primary function of the MySQL privilege system is to authenticate a user who connects from a given host and to associate that user with privileges on a database such as SELECT, INSERT, UPDATE, and DELETE. Additional functionality includes the ability to grant privileges for administrative operations.
To control which users can connect, each account can be assigned authentication credentials such as a password. The user interface to MySQL accounts consists of SQL statements such as CREATE USER, GRANT, and REVOKE. See Section 15.7.1, “Account Management Statements”.
The MySQL privilege system ensures that all users may perform only the operations permitted to them. As a user, when you connect to a MySQL server, your identity is determined by the host from which you connect and the user name you specify. When you issue requests after connecting, the system grants privileges according to your identity and what you want to do.
MySQL considers both your host name and user name in identifying you because there is no reason to assume that a given user name belongs to the same person on all hosts. For example, the user joe who connects from office.example.com need not be the same person as the user joe who connects from home.example.com. MySQL handles this by enabling you to distinguish users on different hosts that happen to have the same name: You can grant one set of privileges for connections by joe from office.example.com, and a different set of privileges for connections by joe from home.example.com. To see what privileges a given account has, use the SHOW GRANTS statement. For example:
SHOW GRANTS FOR 'joe'@'office.example.com';
SHOW GRANTS FOR 'joe'@'home.example.com';
Internally, the server stores privilege information in the grant tables of the mysql
system database. The MySQL server reads the contents of these tables into memory when it starts and bases access-control decisions on the in-memory copies of the grant tables.
MySQL access control involves two stages when you run a client program that connects to the server:
Stage 1: The server accepts or rejects the connection based on your identity and whether you can verify your identity by supplying the correct password.
Stage 2: Assuming that you can connect, the server checks each statement you issue to determine whether you have sufficient privileges to perform it. For example, if you try to select rows from a table in a database or drop a table from the database, the server verifies that you have the SELECT privilege for the table or the DROP privilege for the database.
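The following SQL is an added example, not part of the MySQL manual, that walks through the two joe accounts described above and the two-stage check. It creates one account per host, gives each host a different privilege set, inspects the result with SHOW GRANTS, and shows which statements the server accepts or refuses at Stage 2. The database name office_db, the table name reports, and the password strings are assumptions chosen for the illustration.

```sql
-- Added example: two accounts share the user name 'joe' but differ by host,
-- so the server treats them as separate identities with separate privileges.
-- Assumed names: database office_db, table reports, and the two passwords.
CREATE DATABASE IF NOT EXISTS office_db;
CREATE TABLE IF NOT EXISTS office_db.reports (
  id   INT PRIMARY KEY,
  body TEXT
);

-- Stage 1 (connection verification) uses the user name, the connecting host,
-- and the password. Each account carries its own password.
CREATE USER 'joe'@'office.example.com' IDENTIFIED BY 'office-pass-example';
CREATE USER 'joe'@'home.example.com'   IDENTIFIED BY 'home-pass-example';

-- joe from the office may read and modify rows; joe from home may only read.
GRANT SELECT, INSERT, UPDATE, DELETE ON office_db.reports TO 'joe'@'office.example.com';
GRANT SELECT ON office_db.reports TO 'joe'@'home.example.com';

-- Confirm that the two accounts really hold different privilege sets.
SHOW GRANTS FOR 'joe'@'office.example.com';
SHOW GRANTS FOR 'joe'@'home.example.com';

-- Stage 2 (request verification): in a session connected as
-- 'joe'@'home.example.com', this statement succeeds because SELECT was granted:
SELECT id FROM office_db.reports;
-- whereas this one is refused with ERROR 1142 (DELETE command denied to user
-- 'joe'@'home.example.com' for table 'reports'), because DELETE was not granted:
-- DELETE FROM office_db.reports WHERE id = 1;

-- Privileges can be narrowed again with REVOKE; SHOW GRANTS reflects the change.
REVOKE INSERT ON office_db.reports FROM 'joe'@'office.example.com';
SHOW GRANTS FOR 'joe'@'office.example.com';
```

Note that the GRANT statements are issued by an administrative account; in a session connected as one of the joe accounts, the same GRANT would itself be refused at Stage 2 unless that account holds the GRANT OPTION privilege for the table.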
For a more detailed description of what happens during each stage, see Section 8.2.6, “Access Control, Stage 1: Connection Verification”, and Section 8.2.7, “Access Control, Stage 2: Request Verification”. For help in diagnosing privilege-related problems, see Section 8.2.22, “Troubleshooting Problems Connecting to MySQL”.
If your privileges are changed (either by yourself or someone else) while you are connected, those changes do not necessarily take effect immediately for the next statement that you issue. For details about the conditions under which the server reloads the grant tables, see Section 8.2.13, “When Privilege Changes Take Effect”.
There are some things that you cannot do with the MySQL privilege system:
- You cannot explicitly specify that a given user should be denied access. That is, you cannot explicitly match a user and then refuse the connection.
- You cannot specify that a user has privileges to create or drop tables in a database but not to create or drop the database itself.
- A password applies globally to an account. You cannot associate a password with a specific object such as a database, table, or routine.